mttaggart

param ( [string]$SourceExe, [string]$DestinationPath, [string]$IconPath)

$WshShell = New-Object -comObject WScript.Shell
$Shortcut = $WshShell.CreateShortcut($DestinationPath)
$Shortcut.RelativePath =  "..\..\..\..\..\..\..\..\..\$SourceExe"
$Shortcut.IconLocation = $IconPath
$Shortcut.TargetPath = $SourceExe
$Shortcut.Save()

azurekid

<#
.SYNOPSIS
    Generates a GUID from a given string value using MD5 hashing.

.PARAMETER Value
    The string value to generate a GUID from.

.EXAMPLE
    Get-Guid -Value "example string"
    Returns a GUID generated from the string "example string".

awakecoding

Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
using System.Security.Cryptography.X509Certificates;

public enum DSREG_JOIN_TYPE {
    DSREG_UNKNOWN_JOIN = 0,
    DSREG_DEVICE_JOIN = 1,
    DSREG_WORKPLACE_JOIN = 2
}

awakecoding

function Get-RdpLogonEvent
{
    [CmdletBinding()]
    param(
        [Int32] $Last = 10
    )

    $RdpInteractiveLogons = Get-WinEvent -FilterHashtable @{
        LogName='Security'
        ProviderName='Microsoft-Windows-Security-Auditing'

aaronshaf

javascript: (function () {
  new_window = window.open();
  new_window.document.body.innerHTML = $("iframe")
    .contents()
    .find("iframe")
    .contents()
    .find("body")
    .get(1).innerHTML;
  new_window.document.body.querySelector("#content-overlays").remove();
})();

HackingLZ

### Original script and research by commial 
### https://github.com/commial/experiments/tree/master/windows-defender
### Set LUADec_Path to binary 
### https://github.com/viruscamp/luadec
import struct
import argparse
import sys
import os
import io
import subprocess

andyrobbins

## Find dangerous API permissions as a user

$AzureTenantID = '<Your tenant ID>'
$AccountName = '<Username>@<Domain.com>'
$Password = ConvertTo-SecureString '<Your password>' -AsPlainText -Force
$Credential = New-Object System.Management.Automation.PSCredential($AccountName, $Password)
Connect-AzAccount -Credential $Credential -TenantID $AzureTenantID

function Get-AzureGraphToken
{

TarlogicSecurity

Kerberos cheatsheet

Bruteforcing

With kerbrute.py:

python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>

With Rubeus version with brute module:

plentz

# to generate your dhparam.pem file, run in the terminal
openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048

gladiatx0r

Overview

In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished in short by;

• Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
• Relaying that machine authentication to LDAPS for configuring RBCD
• RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.