Skip to content

Instantly share code, notes, and snippets.

View jlawhon's full-sized avatar

JL jlawhon

20 followers · 37 following
View GitHub Profile
@jlawhon
jlawhon / Get-ADUserAudit.ps1
Created February 17, 2024 20:15 — forked from jdhitsolutions/Get-ADUserAudit.ps1
A PowerShell function and format file for getting Active Directory user management events from the security event logs on domain controllers.
#requires -version 5.1
#requires -module ActiveDirectory
#you might need to increase the size of the Security eventlog
# limit-eventlog -LogName security -ComputerName dom2,dom1 -MaximumSize 1024MB
Function Get-ADUserAudit {
[cmdletbinding()]
Param(
[Parameter(Position=0,HelpMessage = "Specify one or more domain controllers to query.")]
@jlawhon
jlawhon / 20211210-TLP-WHITE_LOG4J.md
Created December 13, 2021 02:30 — forked from SwitHak/20211210-TLP-WHITE_LOG4J.md
BlueTeam CheatSheet * Log4Shell* | Last updated: 2021-12-12 2204 UTC

Security Advisories / Bulletins linked to Log4Shell (CVE-2021-44228)

Errors, typos, something to say ?

  • If you want to add a link, comment or send it to me
  • Feel free to report any mistake directly below in the comment or in DM on Twitter @SwitHak

Other great ressources

@jlawhon
jlawhon / download-latest-release.ps1
Created September 10, 2021 07:09 — forked from MarkTiedemann/download-latest-release.ps1
Download latest GitHub release via Powershell
# Download latest dotnet/codeformatter release from github
$repo = "dotnet/codeformatter"
$file = "CodeFormatter.zip"
$releases = "https://api.github.com/repos/$repo/releases"
Write-Host Determining latest release
$tag = (Invoke-WebRequest $releases | ConvertFrom-Json)[0].tag_name
@jlawhon
jlawhon / apk_relative_links.txt
Created August 13, 2021 00:15 — forked from nullenc0de/apk_relative_links.txt
@jlawhon
jlawhon / macOS-IR-Forensics.md
Created August 3, 2021 07:25 — forked from 0xmachos/macOS-IR-Forensics.md
If someone wants to learn MacOS IR/forensics what’s the best resource for that?
@jlawhon
jlawhon / Find-VulnerableSchemas.ps1
Created July 31, 2021 06:31 — forked from IISResetMe/Find-VulnerableSchemas.ps1
Find-VulnerableSchemas.ps1
# Dictionary to hold superclass names
$superClass = @{}
# List to hold class names that inherit from container and are allowed to live under computer object
$vulnerableSchemas = [System.Collections.Generic.List[string]]::new()
# Resolve schema naming context
$schemaNC = (Get-ADRootDSE).schemaNamingContext
# Enumerate all class schemas
@jlawhon
jlawhon / Workstation-Takeover.md
Created July 25, 2021 23:42 — forked from gladiatx0r/Workstation-Takeover.md
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure

Overview

In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished in short by;

  • Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
  • Relaying that machine authentication to LDAPS for configuring RBCD
  • RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.

@jlawhon
jlawhon / JavascriptRecon.md
Created July 25, 2021 23:42
My Javascript Recon Process - BugBounty

Description

This is a simple guide to perform javascript recon in the bugbounty

Steps

  • The first step is to collect possibly several javascript files (more files = more paths,parameters -> more vulns)
@jlawhon
jlawhon / offsec.md
Created May 17, 2020 07:56 — forked from jivoi/offsec.md
Penetrating Testing/Assessment Workflow

Penetrating Testing/Assessment Workflow & other fun infosec stuff

https://github.com/jivoi/pentest

My feeble attempt to organize (in a somewhat logical fashion) the vast amount of information, tools, resources, tip and tricks surrounding penetration testing, vulnerability assessment, and information security as a whole*

@jlawhon
jlawhon / Invoke-Procdump.ps1
Last active November 28, 2019 05:38 — forked from dmaasland/Invoke-Procdump.ps1
$Source = @"
using System;
using System.Runtime.InteropServices;
namespace ProcDump {
public static class DbgHelp {
[DllImport("Dbghelp.dll")]
public static extern bool MiniDumpWriteDump(IntPtr hProcess, uint ProcessId, IntPtr hFile, IntPtr DumpType, IntPtr ExceptionParam, IntPtr UserStreamParam, IntPtr CallbackParam);
}
}