Fabian Bader f-bader

PowerShell Script Block Merge in Kusto
| where EventID == "4104"
| extend ParsedEvent = parse_xml(strcat("<root>", ParameterXml, "</root>"))
| extend MessageNumber = tolong(ParsedEvent.root.Param[0])
| extend MessageTotal = tolong(ParsedEvent.root.Param[1])
| extend ScriptBlockElement = iff(
strlen(tostring(ParsedEvent.root.Param[2]["#text"])) > 0,
| extend ScriptBlockId = tostring(ParsedEvent.root.Param[3])
potatoqualitee / hugo.yml
Created Feb 20, 2022
github actions / hugo
name: github pages
- blog # Set a branch to deploy
jborean93 / KDCProxy.ps1
Last active Mar 11, 2022
Functions to help set up a KDC proxy server and add client proxy servers -
# Copyright: (c) 2022, Jordan Borean (@jborean93) <>
# MIT License (see LICENSE or
Function Install-KDCProxyServer {
Set up a KDC Proxy server.
Sets up the KDC proxy server on the current host.
sbasu7241 / findhooks.cs
Last active Jun 6, 2022
Find hooked APIs using C#
using System;
using System.Runtime.InteropServices;
/* References
* 1.
* 2.
namespace SharpHookCheck
AuditAppRoles.ps1
## Find dangerous API permissions as a user
$AzureTenantID = '<Your tenant ID>'
$AccountName = '<Username>@<>'
$Password = ConvertTo-SecureString '<Your password>' -AsPlainText -Force
$Credential = New-Object System.Management.Automation.PSCredential($AccountName, $Password)
Connect-AzAccount -Credential $Credential -TenantID $AzureTenantID
function Get-AzureGraphToken

C2 Hunt Feed - Infrastructure hosting Command & Control Servers found during Proactive Hunt by IP,Date of Detection,Host,Protocol,Beacon Config,Comment
gladiatx0r /
Last active Aug 14, 2022
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure

In the default configuration of Active Directory, it is possible to remotely take over workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. In short, this is accomplished by:

  • Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
  • Relaying that machine authentication to LDAPS for configuring RBCD
  • RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.

olafhartong / 2021-1675-spooler-imageloads.kql
Last active Aug 3, 2021
2021-1675 - PrintNightmare KQL - MDE
let serverlist=DeviceInfo
| where DeviceType != "Workstation"
| distinct DeviceId;
let suspiciousdrivers=DeviceImageLoadEvents
| where DeviceId in (serverlist)
| where FolderPath startswith @"c:\windows\system32\spool\drivers"
| distinct SHA1
| invoke FileProfile(SHA1, 1000)
| where GlobalPrevalence < 50 and IsRootSignerMicrosoft != 1 and SignatureState != "SignedValid";
alexverboon / DeviceNetworkEvents_Iana.kql
Created May 27, 2021
Enrich DeviceNetworkEvents with the port number Service name information
// Enrich DeviceNetworkEvents with the port number Servicename information
let iana_port_assignments = (externaldata(entry: string ) [@""]
with (format="txt",ignoreFirstRecord=true))
// Service Name,Port Number,Transport Protocol,Description,Assignee,Contact,Registration Date,Modification Date,Reference,Service Code,Unauthorized Use Reported,Assignment Notes
| extend data = parse_csv(entry)
| extend ServiceName = tostring(data[0])
| extend PortNumber = toint(data[1])
| project ServiceName, PortNumber
| summarize any(ServiceName) by PortNumber
TarlogicSecurity /
Created May 14, 2019
A cheatsheet with commands that can be used to perform Kerberos attacks

Kerberos cheatsheet

python -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>

With Rubeus version with brute module: