Benjamin Heise benheise

benheise / shellBigInt.cs
Created February 11, 2022 16:37
Shellcode Stuffed in BigInteger
using System;
using System.Diagnostics;
using System.Reflection;
using System.Configuration.Install;
using System.Runtime.InteropServices;
/*
Author: Casey Smith, Twitter: @subTee
benheise / AllTheThings.cs
Created February 11, 2022 16:37
DynWrapit - Arbitrary .NET load Any Assembly from configurable path
using System;
using System.Diagnostics;
using System.Reflection;
using System.Runtime.InteropServices;
public class Program
{
public static void Main()
{
benheise / type.cs
Created February 11, 2022 16:36
Experiments - Event ID 007: No Image loaded Event
using System;
using System.EnterpriseServices;
using System.Runtime.InteropServices;
public sealed class MyAppDomainManager : AppDomainManager
{
public override void InitializeNewDomain(AppDomainSetup appDomainInfo)
{
benheise / client-ipv6-generic.c
Created January 24, 2022 02:16 — forked from mhaskar/client-ipv6-generic.c
DNSStager v1.0 beta agent to inject the retrieved shellcode into notepad.exe using Early Bird APC
#include <stdint.h>
#include <inttypes.h>
#include <winsock2.h>
#include <windns.h>
#include <windows.h>
#include <stdio.h>
#include <tlhelp32.h>
benheise / KbdclassFltrDriver.c
Created December 15, 2021 00:59 — forked from Barakat/KbdclassFltrDriver.c
Kbdclass kernel filter driver to log scan-codes
#include <wdm.h>
#include <ntddkbd.h>
//
// Per-device object extension
//
typedef struct _DEVICE_EXTENSTION
{
//
// Driver must not be deleted as long as there is a pending IRP
benheise / Quick
Last active February 12, 2022 07:23
Quick and easy Wireguard VPN
This guide assumes DigitalOcean as the provider. The commands below are run on a Windows 10/11 host from a Debian distribution under WSL2; Terraform and Ansible create and destroy the VPN droplet. Afterwards the WireGuard client configuration in "wg0.conf" can be used on a desktop, laptop, mobile device, etc. Generate a separate WireGuard client (its own key pair and peer entry) for each device rather than reusing one configuration across several: a device that is lost or compromised can then be revoked by removing only its own peer entry on the server, without re-keying the others.
sudo apt-get update && sudo apt-get upgrade -y
# apt-add-repository is not a package of its own; it ships with software-properties-common
sudo apt-get install -y unzip wget git software-properties-common gnupg
# pin the Terraform release and check it against HashiCorp's published checksums before unpacking
wget https://releases.hashicorp.com/terraform/1.0.11/terraform_1.0.11_linux_amd64.zip
wget https://releases.hashicorp.com/terraform/1.0.11/terraform_1.0.11_SHA256SUMS
sha256sum -c --ignore-missing terraform_1.0.11_SHA256SUMS
unzip terraform_1.0.11_linux_amd64.zip
sudo mv terraform /usr/local/bin; rm terraform_1.0.11_linux_amd64.zip terraform_1.0.11_SHA256SUMS
# the Ansible PPA is built for Ubuntu; if this line fails on a Debian WSL2 distribution, follow the Debian section of the Ansible install docs (or pip install ansible) instead
sudo apt-add-repository ppa:ansible/ansible
sudo apt-get update && sudo apt-get install -y ansible
git clone https://github.com/P0ssuidao/terraguard.git
cd terraguard/DigitalOcean/
terraform init
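The per-device client generation the guide recommends, worked through as an added example (this is not code from the gist or from the terraguard repository): each device gets its own X25519 key pair, its own pre-shared key, its own address and its own server-side [Peer] stanza, and is revoked by deleting that one stanza. The X25519 function is a transcription of the RFC 7748 ladder so the script runs without wireguard-tools installed; on a real box `wg genkey | tee privatekey | wg pubkey` and `wg genpsk` produce the same material. The endpoint vpn.example.com:51820, the 10.8.0.0/24 subnet, the device names and the server key are hypothetical placeholders.

```python
"""Per-device WireGuard client provisioning (added example; not code from the gist or terraguard).

A WireGuard identity is an X25519 key pair, so "one client per device" means one key pair,
one address and one [Peer] stanza on the server per device.  x25519() below is the RFC 7748
ladder so this runs offline; `wg genkey | tee privatekey | wg pubkey` yields the same keys.
Endpoint, subnet, device names and server key are hypothetical.
"""
import base64
import secrets

P = 2**255 - 19          # field prime for Curve25519
A24 = 121665             # (A - 2) / 4 for the Montgomery curve constant A = 486662
BASE_POINT = (9).to_bytes(32, "little")


def _clamp(raw: bytes) -> bytes:
    """RFC 7748 scalar clamping; `wg genkey` applies the same bit masks to private keys."""
    k = bytearray(raw)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return bytes(k)


def x25519(scalar: bytes, u: bytes) -> bytes:
    """RFC 7748 X25519 scalar multiplication (Montgomery ladder with conditional swaps)."""
    k = int.from_bytes(_clamp(scalar), "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)   # mask the top bit of the u-coordinate
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def wg_encode(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def public_key_of(private_b64: str) -> str:
    """What `wg pubkey` prints for a base64 private key."""
    return wg_encode(x25519(base64.b64decode(private_b64), BASE_POINT))


def generate_device_keys() -> tuple:
    """Fresh (private, public) pair for one device, base64 as WireGuard configs expect."""
    priv = _clamp(secrets.token_bytes(32))
    return wg_encode(priv), wg_encode(x25519(priv, BASE_POINT))


def render_client_conf(priv_b64, address, server_pub_b64, endpoint, psk_b64,
                       allowed_ips="0.0.0.0/0, ::/0") -> str:
    """wg0.conf for one device: its own private key and PSK, the server as its only peer."""
    return ("[Interface]\n" f"PrivateKey = {priv_b64}\n" f"Address = {address}\n\n"
            "[Peer]\n" f"PublicKey = {server_pub_b64}\n" f"PresharedKey = {psk_b64}\n"
            f"AllowedIPs = {allowed_ips}\n" f"Endpoint = {endpoint}\n" "PersistentKeepalive = 25\n")


def render_server_peer(name, device_pub_b64, address, psk_b64) -> str:
    """[Peer] stanza for the server's wg0.conf. AllowedIPs is this device's single /32, so the
    server routes only that address to this key and drops packets from this key with any other
    source. Revoking the device means deleting this stanza (and `wg set wg0 peer <pub> remove`)."""
    host = address.split("/")[0]
    return (f"# {name}\n" "[Peer]\n" f"PublicKey = {device_pub_b64}\n"
            f"PresharedKey = {psk_b64}\n" f"AllowedIPs = {host}/32\n")


def provision_devices(names, server_pub_b64, endpoint, subnet="10.8.0"):
    """One key pair, one PSK and one address per device (.1 is reserved for the server)."""
    result = {}
    for octet, name in enumerate(names, start=2):
        priv, pub = generate_device_keys()
        psk = wg_encode(secrets.token_bytes(32))   # per-device pre-shared key, never shared
        address = f"{subnet}.{octet}/24"
        result[name] = (render_client_conf(priv, address, server_pub_b64, endpoint, psk),
                        render_server_peer(name, pub, address, psk))
    return result


if __name__ == "__main__":
    # Hypothetical server identity; in the guide it comes from the droplet's wg0.conf.
    _, server_pub = generate_device_keys()
    for dev, (client_conf, peer) in provision_devices(["laptop", "phone"], server_pub,
                                                       "vpn.example.com:51820").items():
        print(f"===== {dev}/wg0.conf =====\n{client_conf}")
        print(f"===== append to server wg0.conf =====\n{peer}")
```

Copy each device's wg0.conf onto that device only, append the matching stanza to the server's wg0.conf and reload it with `wg syncconf`; the private key never leaves the device it was generated for. The RFC 7748 test vectors are a quick self-check that the ladder is transcribed correctly.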
benheise / laps.py
Created August 6, 2021 15:10 — forked from jstnkndy/laps.py
Modified version of https://github.com/n00py/LAPSDumper to allow cross domain targeting
#!/usr/bin/env python3
from ldap3 import ALL, Server, Connection, NTLM, extend, SUBTREE
import argparse
parser = argparse.ArgumentParser(description='Dump LAPS Passwords')
parser.add_argument('-u','--username', help='username for LDAP', required=True)
parser.add_argument('-p','--password', help='password for LDAP (or LM:NT hash)',required=True)
parser.add_argument('-l','--ldapserver', help='LDAP server (or domain)', required=False)
parser.add_argument('-d','--domain', help='Domain', required=True)
parser.add_argument('-t', '--target', help="Target Domain", required=False)
benheise / gist:ad7f2adb605a7ec216a506e821705a06
Last active June 17, 2022 23:29
C++ execution guardrail process name
// quick and dirty C++ execution guardrail on executing process file name, inspired by @0xHop av evasion post
// https://0xhop.github.io/evasion/2021/04/19/evasion-pt1/
#include <Windows.h>
#include <string>
// Windows.h already defines MAX_PATH (260); undefine it first so widening the buffer does not
// trigger a macro-redefinition warning
#undef MAX_PATH
#define MAX_PATH 512
// check if our program has been renamed, if so may be in a sandbox or being analyzed
benheise / gist:c94558dafbfdb2d05dd089350ac0c9a2
Last active August 7, 2019 16:31
nc with https in powershell
add-type @"
using System.Net;
using System.Security.Cryptography.X509Certificates;
// Returning true here accepts every certificate (self-signed, expired, wrong host), so the
// connection can be intercepted trivially. Fine for a throwaway listener on a lab box you
// control, never for traffic you care about. ICertificatePolicy is also obsolete in .NET;
// ServicePointManager.ServerCertificateValidationCallback is the current hook.
public class TrustAllCertsPolicy : ICertificatePolicy {
public bool CheckValidationResult(
ServicePoint srvPoint, X509Certificate certificate,
WebRequest request, int certificateProblem) {
return true;
}
}

Keybase proof

I hereby claim:

  • I am benheise on github.
  • I am benheise (https://keybase.io/benheise) on keybase.
  • I have a public key whose fingerprint is ECCE D854 CEAB 2375 7573 72EE 7B44 EE76 3D3E 6E0E

To claim this, I am signing this object: