Skip to content

Instantly share code, notes, and snippets.

View sassdawe's full-sized avatar
💭
Playing PowerShell

David Sass sassdawe

💭
Playing PowerShell
36 followers · 52 following
View GitHub Profile
@sassdawe
sassdawe / IRQL.md
Created May 5, 2026 17:54 — forked from ddamenova/IRQL.md

IRQL - Incident Response Query Language

A collection of Kusto (KQL) functions that unify security logs behind a consistent, analyst-friendly dialect. IRQL encapsulates query logic in repeatable chunks, hides cluster/database locations and join keys, and projects disparate source schemas into a single, predictable schema. In addition, it represents query logic as their semantic intent via function naming. These functions were created by Saar Ron, John Lambert, and Diana Damenova.

These functions were authored alongside the Lift to Graph functions (Lift_To_Graph, Graph_Render_View, Graph_Fold_By_Property) and are designed to compose with them. Many of the IRQL primitives have a tabular form and a graph-lifted form, so the same logic drives both relational hunts and visual graph investigations.

Why IRQL?

KQL is a phenomenal tool for analyzing large quantities of data, but queries can get verbose quickly:

@sassdawe
sassdawe / PSGet Publisher Checks.md
Created December 2, 2025 15:03 — forked from jborean93/PSGet Publisher Checks.md
Behaviour of signed PowerShell scripts

PSGet Code Signing

This is to try and document the behaviour around PowerShellGet/PSResourceGet code signing publisher behaviour.

Setup

The following code can be used to set up this scenario. This must be run as an administrator in Windows PowerShell.

Note: PowerShell uses implicit remoting for the New-SelfSignedCertificate which breaks the constains serialization. You must run this on Windows PowerShell.

@sassdawe
sassdawe / PSGet Publisher Checks.md
Created December 2, 2025 15:03 — forked from jborean93/PSGet Publisher Checks.md
Behaviour of signed PowerShell scripts

PSGet Code Signing

This is to try and document the behaviour around PowerShellGet/PSResourceGet code signing publisher behaviour.

Setup

The following code can be used to set up this scenario. This must be run as an administrator in Windows PowerShell.

Note: PowerShell uses implicit remoting for the New-SelfSignedCertificate which breaks the constains serialization. You must run this on Windows PowerShell.

@sassdawe
sassdawe / ThrowStdOutErrors.ps1
Created November 15, 2022 10:22 — forked from JustinGrote/ThrowStdOutErrors.ps1
Catch only specific errors coming from native commands
filter ThrowStdOutErrors($messageFilter,[Parameter(ValueFromPipeline)]$obj) {
if ($obj -is [Management.Automation.ErrorRecord]) {
if ($obj -match $messageFilter) {
throw $obj
} else {
Write-Error $obj
return
}
}
$obj
@sassdawe
sassdawe / Write-FunctionError.ps1
Created July 4, 2022 06:09 — forked from JustinGrote/Write-FunctionError.ps1
Write an Error within a function in a nice way that displays the context of the function rather than the "Write-Error" context
using namespace System.Management.Automation
using namespace Microsoft.PowerShell.Commands
function Write-FunctionError {
<#
.SYNOPSIS
Writes an error within the context of the containing CmdletBinding() function. Makes error displays prettier
.NOTES
ScriptStackTrace will still show Write-FunctionError, so its not completely transparent. There's no way to "edit" or "replace" this stacktrace that I can find.
.EXAMPLE
function test {
@sassdawe
sassdawe / ms-msdt.MD
Created May 30, 2022 14:34 — forked from tothi/ms-msdt.MD
The MS-MSDT 0-day Office RCE Proof-of-Concept Payload Building Process

MS-MSDT 0-day Office RCE

MS Office docx files may contain external OLE Object references as HTML files. There is an HTML sceme "ms-msdt:" which invokes the msdt diagnostic tool, what is capable of executing arbitrary code (specified in parameters).

The result is a terrifying attack vector for getting RCE through opening malicious docx files (without using macros).

Here are the steps to build a Proof-of-Concept docx:

  1. Open Word (used up-to-date 2019 Pro, 16.0.10386.20017), create a dummy document, insert an (OLE) object (as a Bitmap Image), save it in docx.
@sassdawe
sassdawe / Trace-AICommand.ps1
Created May 23, 2022 12:00 — forked from JustinGrote/Trace-AICommand.ps1
Report the results and performance of any scriptblock to Azure Application Insights
#requires -version 7
#You can load this script with $(iwr https://tinyurl.com/TraceAICommand | iex)
using namespace Microsoft.ApplicationInsights
using namespace Microsoft.ApplicationInsights.Extensibility
using namespace Microsoft.ApplicationInsights.DataContracts
using namespace System.Management.Automation
using namespace System.Collections.Generic
using namespace System.Net
#Reference: https://docs.microsoft.com/en-us/azure/azure-monitor/app/console
@sassdawe
sassdawe / webcam.ps1
Created April 19, 2022 19:06 — forked from quantumcore/webcam.ps1
Powershell Script to Record Webcam and output the .AVI file to a base64 file.
# Taken from : https://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/collection/WebcamRecorder.py
function Start-WebcamRecorder
{
<#
.SYNOPSIS
This function utilizes the DirectX and DShowNET assemblies to record video from the host's webcam.
Author: Chris Ross (@xorrior)
License: BSD 3-Clause
.DESCRIPTION
This function will capture video output from the hosts webcamera. Note that if compression is available, there isn't
@sassdawe
sassdawe / bytearray2exe.cs
Created October 22, 2021 18:58 — forked from decay88/bytearray2exe.cs
Execute base64 encoded byte array from memory without wrting to disk as a disguised process
using System;
using System.IO;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Runtime.InteropServices;
namespace ByteArrayExec
{
@sassdawe
sassdawe / defenderwatch.ps1
Created June 7, 2021 05:32 — forked from svch0stz/defenderwatch.ps1
WMI Watcher for Windows Defender RealtimeMonitoring
$WMI = @{
Query = "SELECT * FROM __InstanceModificationEvent WITHIN 5 WHERE TargetInstance ISA 'MSFT_MpPreference' AND TargetInstance.DisableRealtimeMonitoring=True"
Action = {
#$Global:Data = $Event
Write-Host "Defender Configuration change - DisableRealtimeMonitoring:"$Event.SourceEventArgs.NewEvent.TargetInstance.DisableRealtimeMonitoring"(Old Value:"$Event.SourceEventArgs.NewEvent.PreviousInstance.DisableRealtimeMonitoring")"
}
Namespace = 'root\microsoft\windows\defender'
SourceIdentifier = "Defender.DisableRealtimeMonitoring"
}
$Null = Register-WMIEvent @WMI