Drake von Duck drakevonduck
drakevonduck
/ Rotate_Passwd.ps1
Created
April 6, 2023 22:18
— forked from Purp1eW0lf/Rotate_Passwd.ps1
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $user = "erochester" ; | |
| $newPass = "[New-Password-Please]"; | |
| #Change password twice. | |
| #First can be junk password, second time can be real new password | |
| Set-ADAccountPassword -Identity $user -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "6;wB3yj9cI8X" -Force) -verbose | |
| Set-ADAccountPassword -Identity $user -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "$newPass" -Force) -verbose | |
| #If the machine is not connected to AD, or account is a local one use this instead |
drakevonduck
/ remove_user_from_group.ps1
Created
April 6, 2023 22:18
— forked from Purp1eW0lf/remove_user_from_group.ps1
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| remove-adgroupmember -identity Administrators -members "erochester" -verbose -confirm:$false |
drakevonduck
/ rdp_log_investigate.ps1
Created
April 6, 2023 22:18
— forked from Purp1eW0lf/rdp_log_investigate.ps1
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| get-winevent -logname "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational" | | |
| ? id -match 1149 | | |
| sort Time* -descending | | |
| fl time*, message |
drakevonduck
/ Terminate_RDP.ps1
Created
April 6, 2023 22:18
— forked from Purp1eW0lf/Terminate_RDP.ps1
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #show the users' session | |
| qwinsta | |
| #target their session id | |
| logoff 3 /v |
drakevonduck
/ Pull_logs_and_zip.ps1
Created
April 6, 2023 22:18
— forked from Purp1eW0lf/Pull_logs_and_zip.ps1
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #Ensure errors don't ruin anything for us | |
| $ErrorActionPreference = "SilentlyContinue" | |
| # Set variables | |
| $DesktopPath = [Environment]::GetFolderPath("Desktop") | |
| $basic = "C:\windows\System32\winevt\Logs\Application.evtx", "C:\windows\System32\winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx", "C:\windows\System32\winevt\Logs\System.evtx", "C:\windows\System32\winevt\Logs\Microsoft-Windows-Windows Defender%4Operational.evtx", "C:\windows\System32\winevt\Logs\Security.evtx", "C:\windows\System32\winevt\Logs\Microsoft-Windows-Sysmon%4Operational.evtx" | |
| $remote_logs = "C:\windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", "C:\windows\System32\winevt\Logs\Microsoft-Windows-WinRM%4Operational.evtx" |
drakevonduck
/ PsExec_Registry_Check.ps1
Created
April 6, 2023 22:18
— forked from Purp1eW0lf/PsExec_Registry_Check.ps1
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # stupid overengineered solution | |
| $ErrorActionPreference= 'silentlycontinue'; | |
| $value = gp "REGISTRY::HKEY_USERS\*\Software\Sysinternals\PsExec"; | |
| $SID = $value.PsPath -split '\',4,'SimpleMatch' | select-string -pattern "S-" | % { $_.Line } | |
| $NAME = gwmi win32_useraccount | ? SID -match $SID | select -expandproperty Name; | |
| if ($value.EulaAccepted -eq 0){} else { write-host -NoNewline "`n Registry confirms PsExec used by "; write-host "$Name`n" -ForegroundColor magenta} |
drakevonduck
/ Query_Bam.ps1
Created
April 6, 2023 22:18
— forked from Purp1eW0lf/Query_Bam.ps1
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Download and use script | |
| wget -usebasicparsing https://raw.githubusercontent.com/mgreen27/Invoke-LiveResponse/master/Content/Other/Get-BAMParser.ps1 -outfile Get-BAMParser.ps1; | |
| ./Get-BAMParser.ps1 | out-string | |
| # run and look at BAM manually | |
| reg query "HKLM\SYSTEM\CurrentControlSet\Services\bam\state\UserSettings" /s |
drakevonduck
/ SID_2_User.ps1
Created
April 6, 2023 22:18
— forked from Purp1eW0lf/SID_2_User.ps1
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| gwmi win32_useraccount | | |
| select Name, SID | | |
| ? SID -match "" #insert SID between quotes |
drakevonduck
/ Registry_Collect.ps1
Created
April 6, 2023 22:17
— forked from Purp1eW0lf/Registry_Collect.ps1
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <# | |
| Meta | |
| Date: 2023 January 7th | |
| Authors: Harlan Carvey (Twitter @keydet89) and Dray Agha (Twitter @purp1ew0lf) | |
| Company: Huntress Labs | |
| Purpose: Automate collecting Windows Registry hives, including related .DATs for all users. | |
| Notes: | |
| Will trigger AV as it's technically credential dumping. | |
| Also relies on having internet access, to wget TSCopy | |
| Kudos for TrustedSec's TScopy.exe tool, which this script leverages: https://github.com/trustedsec/tscopy |
drakevonduck
/ Registry_Schtask_query.ps1
Created
April 6, 2023 22:17
— forked from Purp1eW0lf/Registry_Schtask_query.ps1
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Make the schtask for the test | |
| schtasks /create /tn "Find_Me" /tr calc.exe /sc minute /mo 100 /k | |
| # Loop and parse \Taskcache\Tasks Registry location for scheduled tasks | |
| ## Parses Actions to show the underlying binary / commands for the schtask | |
| ## Could replace Actions with Trigggers on line 10, after ExpandedProperty | |
| (Get-ItemProperty "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Schedule\Taskcache\Tasks\*").PSChildName | | |
| Foreach-Object { | |
| write-host "----Schtask ID is $_---" -ForegroundColor Magenta ; | |
| $hexstring = (Get-ItemProperty "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Schedule\Taskcache\Tasks\$_" | Select -ExpandProperty Actions) -join ',' ; |
NewerOlder