Adam Ziaja adamziaja

function Get-Doppelgangers
Detects use of NTFS transactions for stealth/evasion, aka 'Process Doppelganging'
Author: Joe Desimone (@dez_)
License: BSD 3-Clause
mattifestation / GetCatalogHashes.ps1
Created December 16, 2017 16:48
Sample code used to extract catalog hashes from a mounted Windows image
Import-Module CatalogTools
# install.wim was mounted to C:\Mount with Mount-WindowsImage
$SystemCatalogEntries = ls -Path C:\Mount -Include '*.cat' -Recurse | % {
    $CatalogInfo = Get-CatalogFile -Path $_.FullName
    $FilePath = 'C:' + $CatalogInfo.FilePath.Path.Substring(8)
    $CatalogInfo.CatalogMembers | ? { $_.HashInfo.Algorithm -and $_.HashInfo.FileHash } | % {
        $Hint = $null
mattifestation / TrustedHashes.csv
Created December 16, 2017 16:44
All catalog hashes extracted from a mounted install.wim from en_windows_10_multi-edition_vl_version_1709_updated_sept_2017_x64_dvd_100090741.iso
Mr-Un1k0d3r /
Created November 7, 2017 16:14
Lazy website cloning
echo "Cloning $1"
wget $1 -O index.html &> /dev/null
TAG="<base href=\"$1\"/></head>"
sed '/<\/head>/i\'"$TAG" index.html | tee index.html &> /dev/null
echo "index.html was saved and modified"
ropnop /
Last active June 6, 2021 18:23
A quick tool to bruteforce an AD user's password by requesting TGTs from the Domain Controller with 'kinit'
# Title:
# Author: @ropnop
# Description: This is a PoC for bruteforcing passwords using 'kinit' to try to check out a TGT from a Domain Controller
# The script configures the realm and KDC for you based on the domain provided and the domain controller
# Since this configuration is only temporary though, if you want to actually *use* the TGT you should actually edit /etc/krb5.conf
# Only tested with Heimdal kerberos (error messages might be different for MIT clients)
# Note: this *will* lock out accounts if a domain lockout policy is set. Be careful
file_get_contents("", false, stream_context_create($context));
mubix /
Last active August 30, 2024 19:42
How to start in Infosec
exp0se / logparser.ps1
Created March 13, 2016 09:22
Logparser log parsing
# Logparser
# Security Log
# Find Event id
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT * FROM 'Security.evtx' WHERE EventID = '5038'"
exp0se / powershell_eventlog_parsing.ps1
Last active July 21, 2024 21:36
Powershell log parsing
#Security log
#4624 - Logon & Logoff events successful
#4625 - Logon unsuccessful
# Get usernames
Get-WinEvent -path .\Security.evtx | Where {$_.Id -eq "4624"} | Foreach {([xml]$_.ToXml()).GetElementsByTagName("Data").ItemOf(5)} | Select -ExpandProperty "#text" -Unique
# Get domains