Skip to content

Instantly share code, notes, and snippets.

View bohops's full-sized avatar

bohops

357 followers · 10 following
View GitHub Profile
@bohops
bohops / Deploy-EnforcedWDACScanPolicy.ps1
Created March 22, 2024 01:39
Restrictive (with caveats) WDAC Policy for research purposes
Write-Host "
==============================================================================================================================
*Deploy an Enforced 'Scan' Windows Defender Application Control (WDAC)/Device Guard Policy with Code Integrity (UMCI)
*Focus: Permit signed applications at the PCACertificate level (e.g. Microsoft signed).
*For Testing on Windows 10/11 Business/Enterprise - Downloads and merges the WDAC Bypass Rules with a scan policy
*System reboots when PowerShell script finishes
*Run as a privileged user in high integrity
*To remove enforcement, comment out enforce line
@bohops
bohops / Deploy-EnforcedWDACDefaultPolicy.ps1
Created March 22, 2024 01:38
Restrictive WDAC Policy for research purposes
Write-Host "
==============================================================================================================================
*Quickly Deploy an Enforced Windows Defender Application Control (WDAC)/Device Guard Policy with Code Integrity (UMCI)
*Focus: Permit Windows signed applications (e.g. what comes with the OS).
*For Testing on Windows 10/11 Business/Enterprise - Downloads and merges the WDAC Bypass Rules with the Default Enforced Rules
*System reboots when PowerShell script finishes
*Run as a privileged user in high integrity
*To remove enforcement, comment out enforce line
==============================================================================================================================
@bohops
bohops / AccCheckConsole.txt
Last active February 28, 2024 19:15
AccChecker LOLBIN [AccCheckConsole.exe]
*Purpose
- UI Accessibility Checker
- Verifies UI accessibility requirements
*LOLBIN Functionality/Steps
1) Go to "Custom Verification Routines" link in reference section and copy the sample verification C# code into Visual Studio.
2) Add proper assembly references (e.g. AccCheck.dll)
3) Insert your C# code under a target method such as Execute()
4) Compile to a .NET managed library (DLL)
5) Invoke the code
@bohops
bohops / test.sct
Created February 24, 2018 18:12
.SCT for testing (++++ @subTee)
<?XML version="1.0"?>
<scriptlet>
<registration
description="Bandit"
progid="Bandit"
version="1.00"
classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}"
>
@bohops
bohops / Dynamic_PInvoke_Shellcode.cs
Last active September 25, 2023 17:44
Dynamic_PInvoke_Shellcode.cs
//original runner by @Arno0x: https://github.com/Arno0x/CSharpScripts/blob/master/shellcodeLauncher.cs
using System;
using System.Runtime.InteropServices;
using System.Reflection;
using System.Reflection.Emit;
namespace ShellcodeLoader
{
class Program
@bohops
bohops / env_var_spoofing_NGenAssemblyUsageLog_poc.cpp
Last active July 21, 2023 13:07
env_var_spoofing_NGenAssemblyUsageLog_poc.cpp
// I borrowed this great POC from Adam Chester [@_xpn_] to demonstrate spoofing for evading .NET 'Usage Logging'.
// This code will launch the target a suspended PowerShell.exe process, read PEB, update the ptr used to store environment variables, and resume the process
// Adam's original POC and blog for evading ETW with COMPlus_ETWEnabled can be found at these URLs:
// https://gist.github.com/xpn/64e5b6f7ad370c343e3ab7e9f9e22503
// https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/
//
// Applicable detection guidance (with a few possible tweaks) can be found here:
// https://gist.github.com/Cyb3rWard0g/a4a115fd3ab518a0e593525a379adee3
//
@bohops
bohops / Application_Guard_WDAC_Policy.xml
Created July 21, 2021 03:17
Microsoft Defender Application Guard WDAC policy (for Edge). Converted using @mattifestation's ConvertTo-CIPolicy PowerShell Script [https://gist.github.com/mattifestation/92e545bf1ee5b68eeb71d254cec2f78e]
<?xml version="1.0"?>
<SiPolicy xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="urn:schemas-microsoft-com:sipolicy">
<VersionEx>10.0.3.14</VersionEx>
<PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
<PolicyID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyID>
<BasePolicyID>{A244370E-44C9-4C06-B551-F6016E563076}</BasePolicyID>
<Rules>
<Rule>
<Option>Enabled:UMCI</Option>
</Rule>
@bohops
bohops / dsdbutil.exe
Last active February 21, 2023 14:29
yet another native AD database extraction utility
DSDButil
========
- dsdbutil (dsdbutil.exe) is utility for performing maintenance on AD/LDS databases [https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc753151(v%3Dws.11)]
- dsdbutil supports VSS snapshot creation
- dsdbutil can be used to extract the AD database (ntds.dit) for offline analysis (with secretsdump.py)
- Example #1: Using Snapshot GUID obtained from cmd output
dsdbutil.exe "activate instance ntds" "snapshot" "create" "quit" "quit"
@bohops
bohops / RDP_Eavesdropping_Hijacking
Last active December 31, 2022 05:04
RDP Eavesdropping and Hijacking
*******************************
I spent some time this evening looking at ways to eavesdrop and hijack RDP sessions. Here is a gist of (semi) interesting findings
that is not very new...
===========
Inspiration
===========
As you may already know...
@bohops
bohops / gethelp.cs
Created May 13, 2019 15:20
Help Me! MSDN InstallUtil - https://docs.microsoft.com/en-us/dotnet/api/system.configuration.install.installer.helptext?view=netframework-4.8
using System;
using System.Net;
using System.Diagnostics;
using System.Reflection;
using System.Configuration.Install;
using System.Runtime.InteropServices;
/*
Author: Casey Smith, Twitter: @subTee
License: BSD 3-Clause