mgeeky

#include <Windows.h>
#include <winternl.h>
#include <stdio.h>

#define WORKER_FACTORY_FULL_ACCESS 0xf00ff 

// https://github.com/winsiderss/systeminformer/blob/17fb2e0048f062a04394c4ccd615b611e6ffd45d/phnt/include/ntexapi.h#LL1096C1-L1115C52
typedef enum _WORKERFACTORYINFOCLASS
{
	WorkerFactoryTimeout, // LARGE_INTEGER

xpn

using System;
using System.Collections.Generic;
using System.DirectoryServices.Protocols;
using System.Globalization;
using System.Linq;
using System.Runtime.InteropServices;
using System.Runtime.InteropServices.ComTypes;
using System.Security.Policy;
using System.Security.Principal;
using System.Text;

awakecoding

function Get-RdpLogonEvent
{
    [CmdletBinding()]
    param(
        [Int32] $Last = 10
    )

    $RdpInteractiveLogons = Get-WinEvent -FilterHashtable @{
        LogName='Security'
        ProviderName='Microsoft-Windows-Security-Auditing'

gladiatx0r

Overview

In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished in short by;

• Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
• Relaying that machine authentication to LDAPS for configuring RBCD
• RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.

tyranid

Param(
    [Parameter(Mandatory, Position = 0)]
    [string]$HostDrive,
    [Parameter(Mandatory, Position = 1)]
    [string]$LocalDrive
)

# Script to map a host drive inside a Windows Docker Server Container
# You need to be an admin in the container for this to work.
# Use as .\map_host_drive C: X:

xpn

#define AssemblyDCStart_V1 155
#define MethodLoadVerbose_V1 143

#include <windows.h>
#include <stdio.h>
#include <wbemidl.h>
#include <wmistr.h>
#include <evntrace.h>
#include <Evntcons.h>

djhohnstein

Let's turn Any .NET Application into an LOL Bin

We can do this by experimenting with .config files.

Many defenders catch/detect files that are renamed, they do this by matching Original Filename to Process Name

In this example, we don't have to rename anything. We simple coerce a trusted signed app to load our Assembly.

We do this by directing the application to read a config file we provide.

TarlogicSecurity

Kerberos cheatsheet

Bruteforcing

With kerbrute.py:

python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>

With Rubeus version with brute module:

seajaysec

{
    "queries": [{
            "name": "List all owned users",
            "queryList": [{
                "final": true,
                "query": "MATCH (m:User) WHERE m.owned=TRUE RETURN m"
            }]
        },
        {
            "name": "List all owned computers",

smagnani96

Linux - Nvidia switchable setup guide

The aim of this guide is to provide a working strategy to make your dedicated graphic card turn on/off correctly in a Linux environment (with xorg).

The following scripts have been created by tyrells and this guide is a remake of Graff's one.

Required Packages

The following two packages are stricly required: