I hereby claim:
- I am jaredcatkinson on github.
- I am jaredcatkinson (https://keybase.io/jaredcatkinson) on keybase.
- I have a public key whose fingerprint is E36F 8790 CAFF 1865 40C6 E2D5 2D79 10BE 8FC6 F83E
To claim this, I am signing this object:
Jared Atkinson jaredcatkinson
jaredcatkinson
/ Get-Hash.ps1
Last active
March 15, 2024 17:05
PowerShell v2 port of the Get-FileHash function. This version of Get-Hash supports hashing files and strings.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Get-Hash | |
| { | |
| <# | |
| .SYNOPSIS | |
| Get-Hash is a PowerShell Version 2 port of Get-FileHash that supports hashing files, as well as, strings. | |
| .PARAMETER InputObject | |
| This is the actual item used to calculate the hash. This value will support [Byte[]] or [System.IO.Stream] objects. |
jaredcatkinson
/ Resolve-CommandLineToFilePath.ps1
Last active
February 24, 2024 15:18
Script to derive a File Path from a Command Line string
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Resolve-CommandLineToFilePath | |
| { | |
| <# | |
| .SYNOPSIS | |
| The Resolve-CommandLineToFilePath function takes an arbitrary Command Line and resolves the called application/file's path. | |
| .PARAMETER CommandLine | |
| The CommandLine that you want to convert to a file path. |
jaredcatkinson
/ Test-Ticket.ps1
Created
September 20, 2017 21:51
Script to test if a Ticket Granting Ticket (TGT) is forged (a Golden Ticket).
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Test-Condition | |
| { | |
| param | |
| ( | |
| [Parameter(Mandatory = $true)] | |
| [bool] | |
| $Result, | |
| [Parameter(Mandatory = $true)] | |
| [string] |
jaredcatkinson
/ Get-KerberosTicketGrantingTicket.ps1
Last active
July 19, 2025 16:52
Kerberos Ticket Granting Ticket Collection Script and Golden Ticket Detection Tests
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Get-KerberosTicketGrantingTicket | |
| { | |
| <# | |
| .SYNOPSIS | |
| Gets the Kerberos Tickets Granting Tickets from all Logon Sessions | |
| .DESCRIPTION | |
| Get-KerberosTicketGrantingTicket uses the Local Security Authority (LSA) functions to enumerate Kerberos logon sessions and return their associate Kerberos Ticket Granting Tickets. |
jaredcatkinson
/ Get-AccessToken.ps1
Last active
March 18, 2025 14:27
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Get-AccessToken | |
| { | |
| param | |
| ( | |
| [Parameter()] | |
| [System.Diagnostics.Process[]] | |
| $Process | |
| ) | |
| begin |
jaredcatkinson
/ ConvertFrom-Base64.ps1
Created
August 16, 2017 23:40
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function ConvertFrom-Base64 | |
| { | |
| param | |
| ( | |
| [Parameter(Mandatory = $true, ValueFromPipeline = $true)] | |
| [string] | |
| $Base64String | |
| ) | |
| $stringBytes = [System.Convert]::FromBase64String($Base64String) |
jaredcatkinson
/ Get-ExtendedAttribute.ps1
Last active
February 24, 2024 15:21
Get-ExtendedAttribute is a function to iterate through the C:\ volume looking for files with Extended Attributes. This code is beta and meant only for the purpose of a blog post on detection methodology.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # This is really beta code used in my Detection Methodology post. I plan to write more efficient code when I get some more time. | |
| function Get-ExtendedAttribute | |
| { | |
| foreach($file in (Get-ChildItem -Path C:\ -Recurse)) | |
| { | |
| $obj = Get-ExtendedAttribute -FilePath $file.FullName | Where-Object {$_ -ne $null} | |
| $obj | Add-Member -MemberType NoteProperty -Name FileName -Value $file.FullName | |
| Write-Output $obj | |
| } |
jaredcatkinson
/ Get-StructureOffset.ps1
Last active
February 24, 2024 15:21
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Get-StructureOffset | |
| { | |
| <# | |
| .SYNOPSIS | |
| Returns the field offset of the unmanaged form of the managed structure. | |
| .DESCRIPTION | |
| Wraps the Marshal class' OffsetOf method to return the offset for all fields in the specified Structure. |
jaredcatkinson
/ Get-InjectedThread.ps1
Last active
October 14, 2025 02:45
Code from "Taking Hunting to the Next Level: Hunting in Memory" presentation at SANS Threat Hunting Summit 2017 by Jared Atkinson and Joe Desimone
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Get-InjectedThread | |
| { | |
| <# | |
| .SYNOPSIS | |
| Looks for threads that were created as a result of code injection. | |
| .DESCRIPTION | |
jaredcatkinson
/ keybase.md
Created
August 18, 2016 13:15