With kerbrute.py:
python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>With Rubeus version with brute module:
InvokeThreatGuy invokethreatguy
invokethreatguy
/ template_injection.yara
Created
May 27, 2020 02:42
— forked from JohnLaTwC/template_injection.yara
Word OXML Template Injection
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule gen_injected_template_Word | |
| { | |
| meta: | |
| description = "Detects injected templates in DOCX" | |
| author = "John Lambert @JohnLaTwC" | |
| date = "2020-05-03" | |
| hash1 = "a3eca35d14b0e020444186a5faaba5997994a47af08580521f808b1bb83d6063" | |
| hash2 = "a275dfa95393148bb9e0ddf5346f9fedcc9c87fa2ec3ce1ec875843664c37c89" | |
| hash3 = "ed4835e5fd10bbd2be04c5ea9eb2b8e750aff2ef235de6e0f18d369469f69c83" | |
| file_protocol_hash1 = "ac6c1df3895af63b864bb33bf30cb31059e247443ddb8f23517849362ec94f08 (settings.xml.rels)" |
invokethreatguy
/ oauthServer.go
Created
June 7, 2020 19:33
— forked from staaldraad/oauthServer.go
A mini OAuth server for Azure
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package main | |
| import ( | |
| "crypto/tls" | |
| "fmt" | |
| "io/ioutil" | |
| "net/http" | |
| "net/url" | |
| "strings" | |
| ) |
invokethreatguy
/ kerberos_attacks_cheatsheet.md
Created
June 13, 2020 06:32
— forked from TarlogicSecurity/kerberos_attacks_cheatsheet.md
A cheatsheet with commands that can be used to perform kerberos attacks
invokethreatguy
/ clr_via_native.c
Created
June 23, 2020 02:47
— forked from xpn/clr_via_native.c
A quick example showing loading CLR via native code
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include "stdafx.h" | |
| int main() | |
| { | |
| ICLRMetaHost *metaHost = NULL; | |
| IEnumUnknown *runtime = NULL; | |
| ICLRRuntimeInfo *runtimeInfo = NULL; | |
| ICLRRuntimeHost *runtimeHost = NULL; | |
| IUnknown *enumRuntime = NULL; | |
| LPWSTR frameworkName = NULL; |
invokethreatguy
/ VAC_Parasite.BAS
Created
July 4, 2020 22:21
— forked from glinares/VAC_Parasite.BAS
Visual Basic For Applications Air Gap Communication Module (VAC-Parasite)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Attribute VB_Name = "VAC_Parasite" | |
| ' VBA AIRGAP COMMUNICATION (VAC-Parasite) MODULE - Color Shapes | |
| ' Created By: Laughing_Mantis 7.4.2020 | |
| ' Version 1.0 | |
| ' This will create a square in the top left of the document that will change colors | |
| ' in order to communicate via morse code via airgapped machines | |
| ' BLUE = . | |
| ' RED = - |
invokethreatguy
/ Domain Enumeration Commands
Created
July 14, 2020 16:57
— forked from its-a-feature/Domain Enumeration Commands
Common Domain Enumeration commands in Windows, Mac, and LDAP
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Domain: TEST.local | |
| User Enumeration: | |
| Windows: | |
| net user | |
| net user /domain | |
| net user [username] | |
| net user [username] /domain | |
| wmic useraccount | |
| Mac: | |
| dscl . ls /Users |
invokethreatguy
/ MuteSysmon.cs
Created
July 14, 2020 17:09
— forked from Flangvik/MuteSysmon.cs
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Collections.Generic; | |
| using System.Diagnostics; | |
| using System.IO; | |
| using System.Linq; | |
| using System.Text; | |
| namespace MuteSysmon | |
| { | |
| class Program |
invokethreatguy
/ CreateRemoteThreadDInvoke.cs
Created
July 28, 2020 22:48
— forked from Flangvik/CreateRemoteThreadDInvoke.cs
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Diagnostics; | |
| using System.IO; | |
| using System.Runtime.InteropServices; | |
| namespace InjectionTest | |
| { | |
| public class DELEGATES | |
| { |
invokethreatguy
/ _notes.md
Created
August 5, 2020 18:01
— forked from byt3bl33d3r/_notes.md
AppDomainManager Injection
We can do this by experimenting with .config files.
Many defenders catch/detect files that are renamed, they do this by matching Original Filename to Process Name
In this example, we don't have to rename anything. We simple coerce a trusted signed app to load our Assembly.
We do this by directing the application to read a config file we provide.
invokethreatguy
/ EndpointSecurityDemo.m
Created
September 11, 2020 19:46
— forked from Omar-Ikram/EndpointSecurityDemo.m
A demo of using Apple's new EndpointSecurity framework - tested on macOS Catalina 10.15 (19A583)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // | |
| // main.m | |
| // EndpointSecurityDemo | |
| // | |
| // Created by Omar Ikram on 17/06/2019 - Catalina 10.15 Beta 1 (19A471t) | |
| // Updated by Omar Ikram on 15/08/2019 - Catalina 10.15 Beta 5 (19A526h) | |
| // Updated by Omar Ikram on 01/12/2019 - Catalina 10.15 (19A583) | |
| // | |
| #import <Foundation/Foundation.h> |
OlderNewer