With kerbrute.py:
python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>
With a Rubeus build that includes the brute module:
javascript: (function () {
    new_window = window.open();
    new_window.document.body.innerHTML = $("iframe")
        .contents()
        .find("iframe")
        .contents()
        .find("body")
        .get(1).innerHTML;
    new_window.document.body.querySelector("#content-overlays").remove();
})();
# to generate your dhparam.pem file, run in the terminal
openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
<#
.Synopsis
Disconnects your user from remote computers
.DESCRIPTION
This script uses quser to scan for sessions on a remote computer and then rwinsta to disconnect them
.NOTES
.LINK
#!/usr/bin/env python3
# Purpose: To check for and reveal AD user accounts that share passwords using a hashdump from a Domain Controller
# Script requires a command line argument of a file containing usernames/hashes in the format of user:sid:LMHASH:NTLMHASH:::
# ./check_hashes.py <hash_dump>
import argparse
import re

parser = argparse.ArgumentParser(description="Check user hashes against each other to find users that share passwords")
# Get Domain Controllers for current domain
$DCs = Get-ADGroupMember "Domain Controllers"
# Initiate the clients array
$Clients = @()
Foreach ($DC in $DCs) {
    # Define the netlogon.log path
    $NetLogonFilePath = "\\" + $DC.Name + "\C$\Windows\debug\netlogon.log"
    # Reading the content of the netlogon.log file
    try { $NetLogonFile = Get-Content -Path $NetLogonFilePath -ErrorAction Stop }
    catch { "Error reading $NetLogonFilePath" }
// Enrich DeviceNetworkEvents with the port number Servicename information
let iana_port_assignments = (externaldata(entry: string) [@"https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.csv"]
with (format="txt", ignoreFirstRecord=true))
// Columns of iana_port_assignments:
// Service Name,Port Number,Transport Protocol,Description,Assignee,Contact,Registration Date,Modification Date,Reference,Service Code,Unauthorized Use Reported,Assignment Notes
| extend data = parse_csv(entry)
| extend ServiceName = tostring(data[0])
| extend PortNumber = toint(data[1])
| project ServiceName, PortNumber
| summarize any(ServiceName) by PortNumber;
let serverlist = DeviceInfo
| where DeviceType != "Workstation"
| distinct DeviceId;
let suspiciousdrivers = DeviceImageLoadEvents
| where DeviceId in (serverlist)
| where FolderPath startswith @"c:\windows\system32\spool\drivers"
| distinct SHA1
| invoke FileProfile(SHA1, 1000)
| where GlobalPrevalence < 50 and IsRootSignerMicrosoft != 1 and SignatureState != "SignedValid";
suspiciousdrivers
In the default configuration of Active Directory, it is possible to remotely take over workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. In short, this is accomplished by:
The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.
https://threatview.io/Downloads/High-Confidence-CobaltStrike-C2%20-Feeds.txt
Columns: IP,Date of Detection,Host,Protocol,Beacon Config,Comment
Inspiration: https://azurecloudai.blog/2021/08/12/how-to-use-threatview-io-threat-intelligence-feeds-with-azure-sentinel/
// C2 Hunt Feed - Infrastructure hosting Command & Control Servers found during Proactive Hunt by Threatview.io
// #IP,Date of Detection,Host,Protocol,Beacon Config,Comment