Jared Atkinson jaredcatkinson

jaredcatkinson / esxadmins.cypher
Last active August 3, 2024 23:33
Find Attack Paths to the ESX ADMINS group
MATCH p=shortestPath((n:User{domain:'SEVENKINGDOMS.LOCAL'})-[:Owns|GenericAll|GenericWrite|WriteOwner|WriteDacl|MemberOf|ForceChangePassword|AllExtendedRights|AddMember|HasSession|Contains|GPLink|AllowedToDelegate|TrustedBy|AllowedToAct|AdminTo|CanPSRemote|ExecuteDCOM|HasSIDHistory|AddSelf|DCSync|ReadLAPSPassword|ReadGMSAPassword|DumpSMSAPassword|SQLAdmin|AddAllowedToAct|WriteSPN|AddKeyCredentialLink|SyncLAPSPassword|WriteAccountRestrictions|GoldenCert|ADCSESC1|ADCSESC3|ADCSESC4|ADCSESC5|ADCSESC6a|ADCSESC6b|ADCSESC7|ADCSESC9a|ADCSESC9b|ADCSESC10a|ADCSESC10b|ADCSESC13|DCFor*1..]->(m:Group {name:"ESX ADMINS@SEVENKINGDOMS.LOCAL"}))
RETURN p
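The query above can be driven from PowerShell rather than pasted into the BloodHound UI. This is an added example, not part of the gist: it posts the same edge list to the Neo4j HTTP transactional endpoint (assumed at http://localhost:7474, database "neo4j"), passes the domain and group as Cypher parameters so the query text is never built by string concatenation, and first checks that the target group exists in the graph, since an empty path result against a group that was never collected says nothing about attack paths.

```powershell
# Added example, not part of the gist. Assumed: Neo4j reachable at the $Uri below and
# a graph collected with the same edge kinds the gist's query lists.
function Find-PathsToGroup {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Domain,      # e.g. 'SEVENKINGDOMS.LOCAL'
        [Parameter(Mandatory)][string]$GroupName,   # e.g. 'ESX ADMINS@SEVENKINGDOMS.LOCAL'
        [string]$Uri = 'http://localhost:7474/db/neo4j/tx/commit',
        [Parameter(Mandatory)][pscredential]$Credential
    )

    # Single-quoted here-strings keep the Cypher parameter markers ($group, $domain) literal.
    $existsQuery = @'
MATCH (g:Group {name: $group}) RETURN count(g) AS groups
'@
    $pathQuery = @'
MATCH p=shortestPath((n:User {domain: $domain})-[:Owns|GenericAll|GenericWrite|WriteOwner|WriteDacl|MemberOf|ForceChangePassword|AllExtendedRights|AddMember|HasSession|Contains|GPLink|AllowedToDelegate|TrustedBy|AllowedToAct|AdminTo|CanPSRemote|ExecuteDCOM|HasSIDHistory|AddSelf|DCSync|ReadLAPSPassword|ReadGMSAPassword|DumpSMSAPassword|SQLAdmin|AddAllowedToAct|WriteSPN|AddKeyCredentialLink|SyncLAPSPassword|WriteAccountRestrictions|GoldenCert|ADCSESC1|ADCSESC3|ADCSESC4|ADCSESC5|ADCSESC6a|ADCSESC6b|ADCSESC7|ADCSESC9a|ADCSESC9b|ADCSESC10a|ADCSESC10b|ADCSESC13|DCFor*1..]->(m:Group {name: $group}))
RETURN n.name AS principal, length(p) AS hops, [x IN nodes(p) | x.name] AS path
ORDER BY hops ASC
'@

    $body = @{
        statements = @(
            @{ statement = $existsQuery; parameters = @{ group = $GroupName } },
            @{ statement = $pathQuery;   parameters = @{ domain = $Domain; group = $GroupName } }
        )
    } | ConvertTo-Json -Depth 5

    # Basic auth built by hand so this also works on Windows PowerShell 5.1.
    $pair  = '{0}:{1}' -f $Credential.UserName, $Credential.GetNetworkCredential().Password
    $token = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($pair))
    $request = @{
        Method      = 'Post'
        Uri         = $Uri
        ContentType = 'application/json'
        Headers     = @{ Authorization = "Basic $token"; Accept = 'application/json' }
        Body        = $body
    }
    $resp = Invoke-RestMethod @request

    if ($resp.errors.Count) {
        throw (($resp.errors | ForEach-Object { "$($_.code): $($_.message)" }) -join "`n")
    }

    # Statement 0: was the group collected at all? If not, an empty path list is meaningless.
    if ([int]$resp.results[0].data[0].row[0] -eq 0) {
        Write-Warning "Group '$GroupName' is not in the graph; fix collection before trusting an empty result."
        return
    }

    # Statement 1: one row per user with a path; row = [principal, hops, path-node-names].
    foreach ($entry in $resp.results[1].data) {
        [pscustomobject]@{
            Principal = $entry.row[0]
            Hops      = $entry.row[1]
            Path      = ($entry.row[2] -join ' -> ')
        }
    }
}

# Usage:
# Find-PathsToGroup -Domain 'SEVENKINGDOMS.LOCAL' -GroupName 'ESX ADMINS@SEVENKINGDOMS.LOCAL' -Credential (Get-Credential neo4j)
```

Group names in the BloodHound graph are upper-cased with the domain appended, so the `-GroupName` value must match that form exactly; the existence check is there to catch a typo in it.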
jaredcatkinson / ContextualEditDistance.ps1
Last active February 24, 2024 15:15
This Gist is meant to be associated with a Twitter thread describing a new approach to selecting the optimal set of variations given a finite set of tests. Make sure each of the associated scripts is loaded into your PowerShell session.
function ContextualEditDistance
{
<#
http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.600.3601&rep=rep1&type=pdf
https://github.com/chrislit/abydos/blob/344346a5fceb6acc631b3d24e16b73a303cece2c/abydos/distance/_higuera_mico.py
#>
[CmdletBinding()]
param(
[string]
---
# T1208 is the pre-v7 ATT&CK ID; current ATT&CK lists Kerberoasting as T1558.003.
title: T1208 - Kerberoasting
description:
header:
  name: T1208 - Kerberoasting
  colspan: 5
  # Quoted: an unquoted " #DCDCDC" is a YAML comment and the value would parse as null.
  background-color: '#DCDCDC'
rows:
  - Row1:
      name: Tools
function Collect-SOData
{
    param
    (
        [Parameter(Mandatory = $true)]
        [string]
        $FilePath
    )
    $hostname = $env:COMPUTERNAME

    # Borrow System.ServiceModel's non-public helpers so the process token can be
    # queried without declaring P/Invoke signatures for OpenProcessToken/GetTokenInformation.
    Add-Type -AssemblyName System.ServiceModel
    $BF = [Reflection.BindingFlags]::NonPublic -bor [Reflection.BindingFlags]::Static
    $C1 = [ServiceModel.PeerNode].Assembly.GetType('System.ServiceModel.Channels.AppContainerInfo')
    $C2 = [ServiceModel.PeerNode].Assembly.GetType('System.ServiceModel.Activation.Utility')
    $M1 = $C1.GetMethod('GetCurrentProcessToken', $BF)
    $M2 = $C2.GetMethod('GetTokenInformation', $BF)
    $hT = $M1.Invoke($null, @())

    # TOKEN_INFORMATION_CLASS 25 = TokenIntegrityLevel. The 28-byte buffer holds a
    # TOKEN_MANDATORY_LABEL header (16 bytes on x64) followed by the 12-byte S-1-16-<rid> SID.
    $b = New-Object -TypeName byte[](28)
    $M2.Invoke($null, @($hT, 25, [byte[]]$b))
    # Parse the integrity SID at offset 16. This is the x64 layout; a 32-bit process
    # would need offset 8 (2 * pointer size).
    $IL = [Security.Principal.SecurityIdentifier]::new($b, 16).Value

    # Give every object a SizeOf() method that defers to Marshal.SizeOf(Type) for type
    # literals and Marshal.SizeOf(object) for instances.
    Update-TypeData -TypeName Object -MemberType ScriptMethod -MemberName SizeOf -Value {
        param()
        if($this -is [type]) {
            $SizeOf = [System.Runtime.InteropServices.Marshal].GetMethod('SizeOf',[type[]]@([type]))
        }
        else {
            $SizeOf = [System.Runtime.InteropServices.Marshal].GetMethod('SizeOf',[type[]]@([Object]))
        }
        return $SizeOf.Invoke($null,@($this.psobject.BaseObject))
    }
}
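The integrity-level lookup in the snippet above works, but it depends on private members of System.ServiceModel and on an x64-only buffer offset. The following is an added example, not the gist's code: it reads the same token information class (25, TokenIntegrityLevel) through a documented advapi32 P/Invoke, sizes the buffer from the API's own answer, derives the SID offset from the pointer size so it is correct in both 32- and 64-bit PowerShell, and maps the RID to a level name. It assumes Windows and PowerShell 5.1 or later.

```powershell
# Added example, not the gist's code. Assumed: Windows, PowerShell 5.1 or 7.
$Advapi32 = Add-Type -Namespace 'Win32' -Name 'Advapi32' -PassThru -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool GetTokenInformation(
    IntPtr TokenHandle, int TokenInformationClass,
    byte[] TokenInformation, int TokenInformationLength, out int ReturnLength);
'@

function Get-TokenIntegrityLevel {
    [CmdletBinding()]
    param(
        # Defaults to the calling process's token, which is opened with TOKEN_QUERY.
        [IntPtr]$Token = [System.Security.Principal.WindowsIdentity]::GetCurrent().Token
    )
    $TokenIntegrityLevel = 25   # TOKEN_INFORMATION_CLASS.TokenIntegrityLevel, the literal 25 in the gist

    # First call with no buffer only reports the size needed (fails with ERROR_INSUFFICIENT_BUFFER).
    $needed = 0
    [void]$Advapi32::GetTokenInformation($Token, $TokenIntegrityLevel, $null, 0, [ref]$needed)
    if ($needed -le 0) { throw 'GetTokenInformation did not report a buffer size' }

    $buf = New-Object byte[] $needed
    if (-not $Advapi32::GetTokenInformation($Token, $TokenIntegrityLevel, $buf, $buf.Length, [ref]$needed)) {
        throw ([ComponentModel.Win32Exception]::new([Runtime.InteropServices.Marshal]::GetLastWin32Error()))
    }

    # TOKEN_MANDATORY_LABEL is a SID_AND_ATTRIBUTES { PSID Sid; DWORD Attributes; }. With pointer
    # alignment that header occupies 2 * IntPtr.Size bytes (16 on x64, 8 on x86), and the SID it
    # points to is stored in the same buffer immediately after it; that is where the gist's fixed 16 comes from.
    $sid = [System.Security.Principal.SecurityIdentifier]::new($buf, 2 * [IntPtr]::Size)

    # Integrity SIDs are S-1-16-<rid>; the RID encodes the level.
    $rid = [int]$sid.Value.Split('-')[-1]
    $label = if     ($rid -ge 0x5000) { 'ProtectedProcess' }
             elseif ($rid -ge 0x4000) { 'System' }
             elseif ($rid -ge 0x3000) { 'High' }
             elseif ($rid -ge 0x2000) { 'Medium' }   # includes MediumPlus (0x2100)
             elseif ($rid -ge 0x1000) { 'Low' }
             else                     { 'Untrusted' }

    [pscustomobject]@{ Sid = $sid.Value; Rid = $rid; Level = $label }
}

# An elevated shell reports S-1-16-12288 / High; a non-elevated one S-1-16-8192 / Medium.
Get-TokenIntegrityLevel
```

Querying the integrity level this way needs no special privilege; the level is what mandatory integrity control uses to stop a lower-integrity process from writing to objects labelled higher, so a "Medium" result in a shell you believed was elevated is worth investigating before any collection that needs admin rights.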
function ConvertFrom-EpochTime
{
    param
    (
        [Parameter(Mandatory = $true)]
        [Double]
        $EpochTime
    )
    # The Unix epoch is midnight 1 January 1970 UTC. Building it with an explicit Kind
    # avoids the local-time offset and culture-dependent parsing that Get-Date -Date 1/1/1970 introduces.
    $epochstart = [DateTime]::new(1970, 1, 1, 0, 0, 0, [DateTimeKind]::Utc)
    # $EpochTime is taken as seconds since the epoch (assumption; the gist is truncated here).
    $epochstart.AddSeconds($EpochTime)
}
jaredcatkinson / Add-ACECertificate.ps1
Last active February 24, 2024 15:17
PowerShell script to query the ACE Certificate Authority (CA) for the CA's public key and add the public key to the system's local cert store
function Add-ACERootCertificate
{
param
(
[Parameter(Mandatory = $true)]
[string]
$ServerIp,
[Parameter()]
[Int32]
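Installing a root certificate fetched over the network is a trust decision, and the risk is that whatever answers on that IP and port becomes a trusted CA on the host. The following is an added example, not the gist's code and not ACE-specific: it assumes the CA endpoint presents its own CA certificate over TLS on the given port, refuses to install anything whose SHA-1 thumbprint does not match a value obtained out of band, checks the BasicConstraints cA flag so an ordinary TLS leaf is rejected, and only then adds the certificate to LocalMachine\Root (which requires elevation).

```powershell
# Added example, not the gist's code. Assumed: the server presents the CA certificate itself
# on $Port; the expected thumbprint comes from the CA operator, never from this connection.
function Add-TrustedRootFromTls {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ServerIp,
        [int]$Port = 443,
        [Parameter(Mandatory)][string]$ExpectedThumbprint
    )

    $client = [System.Net.Sockets.TcpClient]::new($ServerIp, $Port)
    $ssl = $null
    try {
        # The validation callback accepts any chain because this code only *reads* the
        # certificate; trust is decided by the thumbprint comparison below, not by the handshake.
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false,
                   { param($sender, $cert, $chain, $errors) $true })
        $ssl.AuthenticateAsClient($ServerIp)
        $candidate = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Dispose()
    }

    # Normalise the operator-supplied thumbprint (spaces, colons, case) before comparing.
    $expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($candidate.Thumbprint -ne $expected) {
        throw "Refusing to trust '$($candidate.Subject)': thumbprint $($candidate.Thumbprint) does not match expected $expected"
    }

    # A server that presented a normal TLS leaf instead of its CA certificate fails here, on purpose.
    $basic = $candidate.Extensions['2.5.29.19']   # BasicConstraints
    if (-not ($basic -and $basic.CertificateAuthority)) {
        throw "'$($candidate.Subject)' is not a CA certificate (BasicConstraints cA is missing or false)"
    }

    $store = [System.Security.Cryptography.X509Certificates.X509Store]::new('Root', 'LocalMachine')
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)   # needs an elevated session
    try {
        if ($PSCmdlet.ShouldProcess('LocalMachine\Root', "Add '$($candidate.Subject)' [$($candidate.Thumbprint)]")) {
            $store.Add($candidate)
        }
    }
    finally {
        $store.Close()
    }
    $candidate
}

# Usage (run elevated; -WhatIf shows what would be installed without touching the store):
# Add-TrustedRootFromTls -ServerIp '10.0.0.5' -Port 443 -ExpectedThumbprint 'AA:BB:...' -WhatIf
```

Because the function is `SupportsShouldProcess`, `-WhatIf` and `-Confirm` work as usual, which is the safe way to see which certificate an endpoint is actually serving before committing it to the machine's root store.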
function Get-SOHostData
{
begin
{
try
{
Get-System
}
catch
{
function Get-RegistryValue
{
[CmdletBinding(DefaultParameterSetName = 'HKLM')]
param
(
[Parameter(Mandatory = $true, ValueFromPipeline = $true)]
[string[]]
$Key,
[Parameter()]