| <# | |
| .Synopsis | |
| Grant logon as a service right to the defined user. | |
| .Parameter computerName | |
| Defines the name of the computer where the user right should be granted. | |
| Default is the local computer on which the script is run. | |
| .Parameter username | |
| Defines the username under which the service should run. | |
| Use the form: domain\username. | |
| Default is the user under which the script is run. |
| <# | |
| .SYNOPSIS | |
| Enable PowerShell Remoting on a remote host and connect to a PsSession | |
| .DESCRIPTION | |
| This script requires PsExec.exe in ./Tools local to where the script is run from. It will utilize PsExec to enable | |
| Powershell Remoting, and then it will use PsSession to enter an interactive session. When the PsSession is closed, the | |
| script will use PsExec again to disable Powershell Remoting. |
| <# | |
| .SYNOPSIS | |
| Script to create a new Dev Drive | |
| .DESCRIPTION | |
| This script will create a new Dev Drive on a Windows system. By default, it will create a 100GB dynamically sized VHDX file located in C:\ProgramData\Custom Dev Drive\drive.vhdx that will be mounted to the V: letter drive. For more information about Dev Drives, please see https://learn.microsoft.com/en-us/windows/dev-drive/ | |
| .EXAMPLE | |
| .\New-DevDrive.ps1 |
| #!/usr/bin/env python3 | |
| import argparse | |
| import grequests | |
| import random | |
| import requests | |
| import string | |
| import sys | |
| from urllib.request import urlopen |
Internet connection and DNS routing are broken from WSL2 instances, when some VPNs are active. The workaround breaks down into two problems:
This problem is tracked in multiple microsoft/WSL issues including, but not limited to:
| // Advanced Hunting custom function | |
| // ------------------------------------ | |
| // DeviceUsers() | |
| // This function enriches a table with the users who use each device including full name, email, job title, etc. | |
| // Example usage: | |
| // ... | |
| // | invoke DeviceUsers() | |
| // ------------------------------------ | |
| let DeviceUsers = (T:(DeviceName:string)) { | |
| T |
| // credit to mRr3b00t @UK_Daniel_Card for the idea and starting point | |
| // Globally Rare Service Installation | |
| // Matches service executables to their file info and looks at global prevalence | |
| let PrevalenceThreshold = 1000; // adjust as needed | |
| DeviceEvents | |
| | where ActionType == "ServiceInstalled" | |
| | where FileName != "" // Defender not capturing service executable sometimes -- needs investigation | |
| //-- false positives | |
| | where not ( | |
| (FileName startswith "svchost.exe -k " // lots of these |
| #!/usr/bin/env bash | |
| # Author: C.J. May @lawndoc | |
| # Usage: cloc-gh <username> | |
| # Prereqs: cloc gh | |
| cloc_repo () { | |
| gh repo clone "$1" temp-linecount-repo -- --depth 1 > /dev/null 2>&1 && | |
| cloc temp-linecount-repo | grep SUM | awk '{ print $5 }' >> line_count.txt && | |
| rm -rf temp-linecount-repo |
| DeviceProcessEvents | |
| | where FileName =~ "PAD.MachineRegistration.Silent.exe" |
| #change permissions and delete shadows | |
| $checkPermissions = icacls c:\Windows\System32\config\sam | |
| if ($checkPermissions -like '*BUILTIN\Users:(I)(RX*)*') { | |
| icacls c:\windows\system32\config\*.* /inheritance:e | |
| vssadmin delete shadows /quiet /all | |
| $vulnerable = $true | |
| } | |
| else { | |
| $vulnerable = $false | |
| } |
