Watson watson0x90
watson0x90
/ WindowsSecurityEventHTTPQuery.ps1
Last active
March 7, 2016 15:30
Query Windows Security Event Log via PowerShell HTTP Server
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #requires -Version 2 | |
| $header = @" | |
| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN" "http://www.w3.org/TR/html4/frameset.dtd"> | |
| <html><head><title>Windows Event Logs</title> | |
| <meta charset="utf-8"> | |
| <meta name="viewport" content="width=device-width, initial-scale=1.0"> | |
| <style type="text/css"> | |
| <!- | |
watson0x90
/ Test.txt
Created
March 18, 2016 17:38
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| This is nothign but a test document. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| ################################################## | |
| # Gnuradio Python Flow Graph | |
| # Title: Top Block | |
| # Generated: Sat Mar 19 12:29:45 2016 | |
| ################################################## | |
| from gnuradio import analog | |
| from gnuradio import audio | |
| from gnuradio import blocks |
watson0x90
/ MoveMosePos.ps1
Created
July 18, 2017 23:44
Move mouse to bottom right corner... Why?... Wouldn't you like to know...
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Add-Type -AssemblyName System.Windows.Forms;$screen = [System.Windows.Forms.SystemInformation]::VirtualScreen;[Windows.Forms.Cursor]::Position = "$($screen.Width),$($screen.Height)" |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Add-Type -AssemblyName System.Windows.Forms | |
| $screen = [System.Windows.Forms.SystemInformation]::VirtualScreen | |
| [Windows.Forms.Cursor]::Position = "$($screen.Width),$($screen.Height)" | |
| function Click-MouseButton | |
| { | |
| $signature=@' | |
| [DllImport("user32.dll",CharSet=CharSet.Auto, CallingConvention=CallingConvention.StdCall)] | |
| public static extern void mouse_event(long dwFlags, long dx, long dy, long cButtons, long dwExtraInfo); | |
| '@ |
watson0x90
/ Invoke-QueryDowngrade.ps1
Last active
August 23, 2017 16:25
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $hostlist = "","" | |
| $userSearch = "" | |
| $ErrorActionPreference = "SilentlyContinue" | |
| function Invoke-QueryDowngrade{ | |
| $downgradeXML = @" |
watson0x90
/ wmicCommands.txt
Last active
January 11, 2018 10:52
WMIC commands from https://blogs.technet.microsoft.com/askperf/2012/02/17/useful-wmic-queries/
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #WMIC Commands from https://blogs.technet.microsoft.com/askperf/2012/02/17/useful-wmic-queries/ | |
| wmic baseboard get Manufacturer, Model, Name, PartNumber, slotlayout, serialnumber, poweredon | |
| wmic bios get name, version, serialnumber | |
| wmic bootconfig get BootDirectory, Caption, TempDirectory, Lastdrive | |
| wmic cdrom get Name, Drive, Volumename | |
| wmic computersystem get Name, domain, Manufacturer, Model, NumberofProcessors, PrimaryOwnerName,Username, Roles, totalphysicalmemory /format:list | |
| wmic cpu get Name, Caption, MaxClockSpeed, DeviceID, status | |
| wmic datafile where name=’c:\boot.ini’ get Archive, FileSize, FileType, InstallDate, Readable, Writeable, System, Version | |
| wmic dcomapp get Name, AppID /format:list | |
| wmic desktop get Name, ScreenSaverExecutable, ScreenSaverActive, Wallpaper /format:list |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Diagnostics; | |
| using System.Runtime.InteropServices; | |
| using System.Text; | |
| public class TestClass | |
| { | |
| public TestClass() | |
| {} |
watson0x90
/ CompileInMemory.cs
Created
July 23, 2019 20:55
Compile and run C# code in memory to avoid anti-virus. Taken from a C# ransomware sample: https://www.bleepingcomputer.com/news/security/new-c-ransomware-compiles-itself-at-runtime/ However, this will still execute csc.exe and drop a dll to %temp% https://twitter.com/Laughing_Mantis/status/991018563296157696
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Collections.Generic; | |
| using System.Text; | |
| using System.CodeDom.Compiler; | |
| using Microsoft.CSharp; | |
| using System.IO; | |
| using System.Reflection; | |
| namespace InMemoryCompiler | |
| { | |
| class Program |
watson0x90
/ Get-InjectedThread.ps1
Last active
April 29, 2020 23:07
— forked from jaredcatkinson/Get-InjectedThread.ps1
Code from "Taking Hunting to the Next Level: Hunting in Memory" presentation at SANS Threat Hunting Summit 2017 by Jared Atkinson and Joe Desimone
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Get-InjectedThread | |
| { | |
| <# | |
| .SYNOPSIS | |
| Looks for threads that were created as a result of code injection. | |
| .DESCRIPTION | |
OlderNewer