This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
[ | |
{ | |
"ProviderGUID": "72d164bf-fd64-4b2b-87a0-62dbcec9ae2a", | |
"ProviderName": "AccEventTool", | |
"ProviderGroupGUID": "4f50731a-89cf-4782-b3e0-dce8c90476ba", | |
"AssociatedFilenames": [ | |
"accevent.exe", | |
"inspect.exe", | |
"narrator.exe", | |
"srh.dll" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
$AutoLoggerName = 'MyAMSILogger' | |
$AutoLoggerGuid = "{$((New-Guid).Guid)}" | |
New-AutologgerConfig -Name $AutoLoggerName -Guid $AutoLoggerGuid -Start Enabled | |
Add-EtwTraceProvider -AutologgerName $AutoLoggerName -Guid '{2A576B87-09A7-520E-C21A-4942F0271D67}' -Level 0xff -MatchAnyKeyword ([UInt64] (0x8000000000000001 -band ([UInt64]::MaxValue))) -Property 0x41 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
$dotnetpath = "/usr/local/share/dotnet/dotnet"; | |
$sharpgenpath = "/Users/dtmsecurity/Tools/SharpGen/bin/Debug/netcoreapp2.1/SharpGen.dll"; | |
$temppath = "/tmp/"; | |
beacon_command_register("sharpgen", "Compile and execute C-Sharp","Synopsis: sharpgen [code]\n"); | |
alias sharpgen{ | |
$executionId = "sharpgen_" . int(rand() * 100000); | |
$temporaryCsharp = $temppath . $executionId . ".cs"; | |
$executableFilename = $temppath . $executionId . ".exe"; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
MATCH (u:User)-[r:AdminTo|MemberOf*1..]->(c:Computer | |
RETURN u.name | |
That’ll return a list of users who have admin rights on at least one system either explicitly or through group membership | |
--------------- | |
MATCH | |
(U:User)-[r:MemberOf|:AdminTo*1..]->(C:Computer) | |
WITH | |
U.name as n, |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#include "stdafx.h" | |
int main() | |
{ | |
ICLRMetaHost *metaHost = NULL; | |
IEnumUnknown *runtime = NULL; | |
ICLRRuntimeInfo *runtimeInfo = NULL; | |
ICLRRuntimeHost *runtimeHost = NULL; | |
IUnknown *enumRuntime = NULL; | |
LPWSTR frameworkName = NULL; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
echo MFIwUKADAgEAMEkwRzBFMAkGBSsOAwIaBQAEFNHxtXb57sDBD3r8fDEkqcNiXXxhBBTqTnzUgC3lFYGGJoyCbcCYpM+XDwIMPVGgldv/1vnVuWtZ | base64 --decode > ocsp.req | |
# Print OCSP request | |
openssl ocsp -text -reqin ocsp.req | |
# Make OCSP request | |
curl -v -o ocsp.resp --data-binary @ocsp.req -H "Content-Type: application/ocsp-request" --url http://ocsp.example.com/ca1 --header "Host: ocsp.example.com" | |
# Print OCSP response | |
openssl ocsp -noverify -text -respin ocsp.resp |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
I came across an interesting Windows Script File (WSF) that has been around a while called 'manage-bde.wsf'. It may be located in SYSTEM32. | |
Though not nearly as cool as SyncAppvPublishingServer[.com/.vbs], we can 'tamper' with manage-bde.wsf to run things in unattended ways. | |
Here are a few examples that you may or may not find useful - | |
1) Replace ComSpec Variable | |
set comspec=c:\windows\system32\calc.exe | |
cscript manage-bde.wsf |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Author: Matt Graeber, SpecterOps | |
ls C:\* -Recurse -Include '*.exe', '*.dll' -ErrorAction SilentlyContinue | % { | |
try { | |
$Assembly = [Reflection.Assembly]::ReflectionOnlyLoadFrom($_.FullName) | |
if ($Assembly.GetReferencedAssemblies().Name -contains 'System.Management.Automation') { | |
$_.FullName | |
} | |
} catch {} | |
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Windows Registry Editor Version 5.00 | |
[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam.1.00] | |
@="AtomicRedTeam" | |
[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam.1.00\CLSID] | |
@="{00000001-0000-0000-0000-0000FEEDACDC}" | |
[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam] | |
@="AtomicRedTeam" | |
[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam\CLSID] | |
@="{00000001-0000-0000-0000-0000FEEDACDC}" | |
[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
function New-ActiveScriptEventConsumerClass { | |
<# | |
.SYNOPSIS | |
Creates an ActiveScriptEventConsumer WMI class in the namespace of your choosing. | |
.DESCRIPTION | |
New-ActiveScriptEventConsumerClass creates a clone of the ActiveScriptEventConsumer WMI event consumer class using the class name and namespace name of your choosing. |
NewerOlder