Skip to content

Instantly share code, notes, and snippets.

Avatar

Fabian Bader f-bader

View GitHub Profile
View PowerShell Script Block Merge in Kusto
Event
| where EventID == "4104"
| extend ParsedEvent = parse_xml(strcat("<root>", ParameterXml, "</root>"))
| extend MessageNumber = tolong(ParsedEvent.root.Param[0])
| extend MessageTotal = tolong(ParsedEvent.root.Param[1])
| extend ScriptBlockElement = iff(
strlen(tostring(ParsedEvent.root.Param[2]["#text"])) > 0,
ParsedEvent.root.Param[2]["#text"],
ParsedEvent.root.Param[2])
| extend ScriptBlockId = tostring(ParsedEvent.root.Param[3])
@potatoqualitee
potatoqualitee / hugo.yml
Created Feb 20, 2022
github actions / hugo
View hugo.yml
name: github pages
on:
push:
branches:
- blog # Set a branch to deploy
pull_request:
jobs:
deploy:
@jborean93
jborean93 / KDCProxy.ps1
Last active Mar 11, 2022
Functions to help set up a KDC proxy server and add client proxy servers - https://syfuhs.net/kdc-proxy-for-remote-access
View KDCProxy.ps1
# Copyright: (c) 2022, Jordan Borean (@jborean93) <jborean93@gmail.com>
# MIT License (see LICENSE or https://opensource.org/licenses/MIT)
Function Install-KDCProxyServer {
<#
.SYNOPSIS
Set up a KDC Proxy server.
.DESCRIPTION
Sets up the KDC proxy server on the current host.
@sbasu7241
sbasu7241 / findhooks.cs
Last active Jun 6, 2022
Find hooked API's using C#
View findhooks.cs
using System;
using System.Runtime.InteropServices;
/* References
* 1. https://www.ired.team/offensive-security/defense-evasion/detecting-hooked-syscall-functions
* 2. https://github.com/Mr-Un1k0d3r/EDRs
*/
namespace SharpHookCheck
{
View AuditAppRoles.ps1
## Find dangerous API permissions as a user
$AzureTenantID = '<Your tenant ID>'
$AccountName = '<Username>@<Domain.com>'
$Password = ConvertTo-SecureString '<Your password>' -AsPlainText -Force
$Credential = New-Object System.Management.Automation.PSCredential($AccountName, $Password)
Connect-AzAccount -Credential $Credential -TenantID $AzureTenantID
function Get-AzureGraphToken
{
View c2threadview_io_kql.md

C2 Hunt Feed - Infrastructure hosting Command & Control Servers found during Proactive Hunt by Threatview.io

https://threatview.io/Downloads/High-Confidence-CobaltStrike-C2%20-Feeds.txt IP,Date of Detection,Host,Protocol,Beacon Config,Comment

Inspiration: https://azurecloudai.blog/2021/08/12/how-to-use-threatview-io-threat-intelligence-feeds-with-azure-sentinel/

// C2 Hunt Feed - Infrastructure hosting Command & Control Servers found during Proactive Hunt by Threatview.io
// #IP,Date of Detection,Host,Protocol,Beacon Config,Comment
@gladiatx0r
gladiatx0r / Workstation-Takeover.md
Last active Aug 14, 2022
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure
View Workstation-Takeover.md

Overview

In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished in short by;

  • Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
  • Relaying that machine authentication to LDAPS for configuring RBCD
  • RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.

@olafhartong
olafhartong / 2021-1675-spooler-imageloads.kql
Last active Aug 3, 2021
2021-1675 - PrintNightmare KQL - MDE
View 2021-1675-spooler-imageloads.kql
let serverlist=DeviceInfo
| where DeviceType != "Workstation"
| distinct DeviceId;
let suspiciousdrivers=DeviceImageLoadEvents
| where DeviceId in (serverlist)
| where FolderPath startswith @"c:\windows\system32\spool\drivers"
| distinct SHA1
| invoke FileProfile(SHA1, 1000)
| where GlobalPrevalence < 50 and IsRootSignerMicrosoft != 1 and SignatureState != "SignedValid";
suspiciousdrivers
@alexverboon
alexverboon / DeviceNetworkEvents_Iana.kql
Created May 27, 2021
Enrich DeviceNetworkEvents with the port number Service name information
View DeviceNetworkEvents_Iana.kql
// Enrich DeviceNetworkEvents with the port number Servicename information
let iana_port_assignments = (externaldata(entry: string ) [@"https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.csv"]
with (format="txt",ignoreFirstRecord=true))
//iana_port_assignments
// Service Name,Port Number,Transport Protocol,Description,Assignee,Contact,Registration Date,Modification Date,Reference,Service Code,Unauthorized Use Reported,Assignment Notes
| extend data = parse_csv(entry)
| extend ServiceName = tostring(data[0])
| extend PortNumber = toint(data[1])
| project ServiceName, PortNumber
| summarize any(ServiceName) by PortNumber
@TarlogicSecurity
TarlogicSecurity / kerberos_attacks_cheatsheet.md
Created May 14, 2019
A cheatsheet with commands that can be used to perform kerberos attacks
View kerberos_attacks_cheatsheet.md

Kerberos cheatsheet

Bruteforcing

With kerbrute.py:

python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>

With Rubeus version with brute module: