David Sass sassdawe

sassdawe / ThrowStdOutErrors.ps1
Created November 15, 2022 10:22 — forked from JustinGrote/ThrowStdOutErrors.ps1
Catch only specific errors coming from native commands
filter ThrowStdOutErrors($messageFilter, [Parameter(ValueFromPipeline)]$obj) {
    # Only ErrorRecords (stderr lines from native commands) are inspected; everything else passes through
    if ($obj -is [Management.Automation.ErrorRecord]) {
        if ($obj -match $messageFilter) {
            # Matching errors become terminating so the caller can catch them
            throw $obj
        } else {
            # Non-matching errors stay non-terminating and are not passed down the pipeline
            Write-Error $obj
            return
        }
    }
    $obj
}
sassdawe / Write-FunctionError.ps1
Created July 4, 2022 06:09 — forked from JustinGrote/Write-FunctionError.ps1
Write an Error within a function in a nice way that displays the context of the function rather than the "Write-Error" context
using namespace System.Management.Automation
using namespace Microsoft.PowerShell.Commands
function Write-FunctionError {
<#
.SYNOPSIS
Writes an error within the context of the containing CmdletBinding() function. Makes error displays prettier
.NOTES
ScriptStackTrace will still show Write-FunctionError, so it's not completely transparent. There's no way to "edit" or "replace" this stacktrace that I can find.
.EXAMPLE
function test {
sassdawe / ms-msdt.MD
Created May 30, 2022 14:34 — forked from tothi/ms-msdt.MD
The MS-MSDT 0-day Office RCE Proof-of-Concept Payload Building Process

MS-MSDT 0-day Office RCE

MS Office docx files may contain external OLE Object references as HTML files. There is an HTML scheme "ms-msdt:" which invokes the msdt diagnostic tool, which is capable of executing arbitrary code (specified in parameters).

The result is a terrifying attack vector for getting RCE through opening malicious docx files (without using macros).

Here are the steps to build a Proof-of-Concept docx:

  1. Open Word (used up-to-date 2019 Pro, 16.0.10386.20017), create a dummy document, insert an (OLE) object (as a Bitmap Image), save it in docx.
sassdawe / Trace-AICommand.ps1
Created May 23, 2022 12:00 — forked from JustinGrote/Trace-AICommand.ps1
Report the results and performance of any scriptblock to Azure Application Insights
#requires -version 7
#You can load this script with $(iwr https://tinyurl.com/TraceAICommand | iex)
using namespace Microsoft.ApplicationInsights
using namespace Microsoft.ApplicationInsights.Extensibility
using namespace Microsoft.ApplicationInsights.DataContracts
using namespace System.Management.Automation
using namespace System.Collections.Generic
using namespace System.Net
#Reference: https://docs.microsoft.com/en-us/azure/azure-monitor/app/console
sassdawe / webcam.ps1
Created April 19, 2022 19:06 — forked from quantumcore/webcam.ps1
PowerShell script to record the webcam and output the .AVI file as a base64 file.
# Taken from : https://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/collection/WebcamRecorder.py
function Start-WebcamRecorder
{
<#
.SYNOPSIS
This function utilizes the DirectX and DShowNET assemblies to record video from the host's webcam.
Author: Chris Ross (@xorrior)
License: BSD 3-Clause
.DESCRIPTION
This function will capture video output from the host's webcam. Note that if compression is available, there isn't
sassdawe / bytearray2exe.cs
Created October 22, 2021 18:58 — forked from decay88/bytearray2exe.cs
Execute a base64-encoded byte array from memory without writing to disk, as a disguised process
using System;
using System.IO;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Runtime.InteropServices;
namespace ByteArrayExec
{
sassdawe / defenderwatch.ps1
Created June 7, 2021 05:32 — forked from svch0stz/defenderwatch.ps1
WMI Watcher for Windows Defender RealtimeMonitoring
$WMI = @{
    # Poll every 5 seconds for a modified MSFT_MpPreference instance whose DisableRealtimeMonitoring flag became True
    Query = "SELECT * FROM __InstanceModificationEvent WITHIN 5 WHERE TargetInstance ISA 'MSFT_MpPreference' AND TargetInstance.DisableRealtimeMonitoring=True"
    Action = {
        #$Global:Data = $Event
        # Report the new value alongside the previous one so the change is visible in the console
        Write-Host "Defender Configuration change - DisableRealtimeMonitoring:"$Event.SourceEventArgs.NewEvent.TargetInstance.DisableRealtimeMonitoring"(Old Value:"$Event.SourceEventArgs.NewEvent.PreviousInstance.DisableRealtimeMonitoring")"
    }
    Namespace = 'root\microsoft\windows\defender'
    SourceIdentifier = "Defender.DisableRealtimeMonitoring"
}
# Subscribe for the lifetime of the session; unregister with Unregister-Event -SourceIdentifier
$Null = Register-WMIEvent @WMI
sassdawe / Implement-a-Serverless-Azure-Logic-App-Contact-Form.md
Created January 18, 2021 06:32
Implement a Serverless Azure Logic App Contact Form

Step By Step: Implement a Serverless Azure Logic App Contact Form

Pre-requisites

  1. An Azure Account, there are free and paid options
  2. A SendGrid account, there are free trial, free and paid options
  3. Code from this post!
  4. Approximately X time to implement and test
  5. Optional: A custom domain for the contact form html and Azure function Application Program Interface (API)

**Securing your Azure and SendGrid accounts with Two Factor Authentication (2FA) is recommended. 2FA will not have an effect on how the Azure function or SendGrid API works.

sassdawe / DeleteListItems.ps1
Created August 29, 2020 17:01 — forked from cakriwut/DeleteListItems.ps1
PowerShell to delete SharePoint list items in batch mode.
function DeleteListItems{
<#
.SYNOPSIS
Deletes SharePoint List Items in batch
.DESCRIPTION
Deletes SharePoint List Items in batches and sleeps between batches. By default, it will delete all List Items.
You can delete List Items based on the CAML Query input parameter.
.PARAMETER ListUrl
sassdawe / About OutWithOut.md
Created August 25, 2020 06:36 — forked from Jaykul/About OutWithOut.md
You can redirect the other output streams like *>&1 | Out-String.ps1 and these commands will capture them labelled (and optionally, in color), e.g. for | more or | less

PowerShell has a problem with its extra output streams. The actual content of the Warning, Verbose, Debug, Information, and even Error streams doesn't have the label text like "WARNING: " or "VERBOSE: " that we're used to seeing in the host. That label is actually added by the host (hopefully, in a culture-aware way). However, this means that when you attempt to redirect all of this output, for example by redirecting all output streams to stdout with *>&1, you don't get labels on them at all, which is confusing and can make the output difficult to comprehend.

Take for example a function that writes in a loop:

if ($i % 5 -eq 0) {
    Write-Output $i
} else {
    Write-Verbose $i
}