Matt Robinson (brimstone)
@iDigitalFlame
iDigitalFlame / os_windows.go
Created January 18, 2023 21:34
Patched Windows runtime for Go1.10.8 to work with MinGW 12.2.0
// Copyright 2009 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
package runtime

import (
	"runtime/internal/atomic"
	"unsafe"
)
@paralax
paralax / com.mylaptop.watchhostconfig.plist
Created January 3, 2023 21:12
OSX plist marrying WatchPaths and Canarytokens to monitor for persistence attempts
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<!-- "https://malware.news/t/20-common-tools-techniques-used-by-macos-threat-actors-malware/46801" -->
<!-- "https://objective-see.org/blog/blog_0x71.html" -->
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.mylaptop.watchhostconfig</string>
    <key>ProgramArguments</key>
    <array>
@muesli
muesli / .golangci.yml
Created January 8, 2022 07:00
Extensive golangci-lint config
run:
  tests: false
issues:
  include:
    - EXC0001
    - EXC0005
    - EXC0011
    - EXC0012
    - EXC0013
@gladiatx0r
gladiatx0r / Workstation-Takeover.md
Last active April 25, 2024 13:23
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure

Overview

In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished, in short, by:

  • Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
  • Relaying that machine authentication to LDAPS for configuring RBCD
  • RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.

@ajpc500
ajpc500 / log-forwarding-with-etw.ps1
Last active June 29, 2023 01:31
Quick-and-dirty PowerShell script to install Sysmon (SwiftOnSecurity config), SilkService and Winlogbeat, and forward logs to HELK based on IP set in environment variable "HELK_IP" (see Line 224).
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$wc = New-Object System.Net.WebClient
if (!(Test-Path "C:\Tools")) {
    New-Item -Path "C:\" -Name "Tools" -ItemType "directory"
}
# SYSMON
# Download Sysmon
$SysmonDirectory = "C:\Tools\Sysmon\"
@svch0stz
svch0stz / defenderwatch.ps1
Last active November 18, 2022 01:03
WMI Watcher for Windows Defender RealtimeMonitoring
$WMI = @{
    Query = "SELECT * FROM __InstanceModificationEvent WITHIN 5 WHERE TargetInstance ISA 'MSFT_MpPreference' AND TargetInstance.DisableRealtimeMonitoring=True"
    Action = {
        #$Global:Data = $Event
        Write-Host "Defender Configuration change - DisableRealtimeMonitoring:"$Event.SourceEventArgs.NewEvent.TargetInstance.DisableRealtimeMonitoring"(Old Value:"$Event.SourceEventArgs.NewEvent.PreviousInstance.DisableRealtimeMonitoring")"
    }
    Namespace = 'root\microsoft\windows\defender'
    SourceIdentifier = "Defender.DisableRealtimeMonitoring"
}
$Null = Register-WMIEvent @WMI
@mgraeber-rc
mgraeber-rc / EventDiff.ps1
Created May 28, 2021 14:45
Display only new event log events - I refer to this as event log differential analysis
# Log the time prior to executing the action.
# This will be used as part of an event log XPath filter.
$DateTimeBefore = [Xml.XmlConvert]::ToString((Get-Date).ToUniversalTime(), [System.Xml.XmlDateTimeSerializationMode]::Utc)
# Do the thing now that you want to see potential relevant events surface...
$null = Mount-DiskImage -ImagePath "$PWD\FeelTheBurn.iso" -StorageType ISO -Access ReadOnly
# Allow a moment to allow events to populate
Start-Sleep -Seconds 5
@mubix
mubix / Get-CSharp.ps1
Created November 30, 2020 05:13
PowerShell Get-CSharp
function Get-CSharpProcess {
    $proclist = Get-Process
    foreach ($proc in $proclist) {
        foreach ($mod in $proc.Modules) {
            # mscoree.dll is the CLR shim; its presence means the process hosts .NET code
            if ($mod.ModuleName -imatch "mscoree") {
                Write-Output (".NET Found in:`t" + $proc.Name)
            }
        }
    }
}
@psifertex
psifertex / public-slack.md
Last active September 22, 2020 20:36
Notes on running a "public" slack

My recommended settings for setting up a slack that you plan to allow public access to. Methods for adding public users include third-party utilities like slackin (https://github.com/emedvedev/slackin-extended) which enable active user badges, or simpler methods such as using the Share Invite Link from slack itself.

SUPER IMPORTANT

If you only do two things, make it these two: Make sure to disable all app integrations. There's a bunch that aren't secure for public slacks. Either deny all, or require review by an admin: https://YOURSLACK.slack.com/apps/manage/permissions. Second, disable email in the profile view: https://binaryninja.slack.com/admin/settings#display_email_addresses

The rest are optional settings that may or may not be required depending on the slack:

@ahhh
ahhh / binjection_example.go
Created July 2, 2020 00:04
Using the binject/binjection library programmatically
package main

import (
	"io/ioutil"
	"fmt"
	"github.com/Binject/binjection/bj"
)

var (
	example_path = "example.exe"