Jonathan Johnson jsecurity101

View GitHub Profile
@jsecurity101
jsecurity101 / LDAPQueries.md
Created October 25, 2023 15:05
List of known LDAP queries used by attackers

List was compiled by Jonathan Johnson (@jsecurity101) and Carlos Perez (@Carlos_Perez)

The queries are not exhaustive and are meant as a reference. If you are using them for hunting, match on a substring ("contains") in your query language rather than on the exact filter string.

  • Kerberoasting
    • (&(samAccountType=805306368)(servicePrincipalName=*)(!samAccountName=krbtgt)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
    • (&(samAccountType=805306368)(servicePrincipalName=*)(!samAccountName=krbtgt)(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(!msds-supportedencryptiontypes:1.2.840.113556.1.4.804:=24))
    • (&(samAccountType=805306368)(servicePrincipalName=*)(!samAccountName=krbtgt)(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(msds-supportedencryptiontypes:1.2.840.113556.1.4.804:=24))
  • Attributes with passwords
    • (userpassword=*)
@jsecurity101
jsecurity101 / gist:dc8bfc035cdaa42f87b2937dd2cef83b
Created September 11, 2023 16:28
MACRO_STATUS Enum for IDA
enum MACRO_STATUS : __int64
{
STATUS_WAIT_0 = 0x0,
STATUS_SEVERITY_INFORMATIONAL = 0x1,
STATUS_SEVERITY_WARNING = 0x2,
STATUS_SEVERITY_ERROR = 0x3,
STATUS_SUCCESS = 0x0,
STATUS_WAIT_1 = 0x1,
STATUS_WAIT_2 = 0x2,
STATUS_WAIT_3 = 0x3,
@jsecurity101
jsecurity101 / LOLDriverConfig.ps1
Last active October 31, 2023 13:45
PowerShell script that creates an audit or block Sysmon config based on the LOLDrivers list
#Author: Jonathan Johnson (@jsecurity101)
function New-DriverConfig {
<#
.EXAMPLE
New-DriverConfig -Block
Creates driver block config in the current directory
.EXAMPLE
EventId Event Description
1 THREATINT_ALLOCVM_REMOTE
2 THREATINT_PROTECTVM_REMOTE
3 THREATINT_MAPVIEW_REMOTE
4 THREATINT_QUEUEUSERAPC_REMOTE
5 THREATINT_SETTHREADCONTEXT_REMOTE
6 THREATINT_ALLOCVM_LOCAL
7 THREATINT_PROTECTVM_LOCAL
8 THREATINT_MAPVIEW_LOCAL
11 THREATINT_READVM_LOCAL
@jsecurity101
jsecurity101 / LogonSessionProcesses.ps1
Created September 27, 2022 21:40
Updated version of Lee Christensen's (@tifkin_) Get-LogonSessionProcesses script which will obtain information regarding processes tied to a given LogonID and with it any network connections that process may have.
if (-not ('TokenInformation.ProcessNativeMethods' -as [type])){
$TypeDef = @'
using System;
using System.Runtime.InteropServices;
namespace TokenInformation {
[Flags]
public enum ProcessAccess {
All = 0x001FFFFF,
Terminate = 0x00000001,
CreateThread = 0x00000002,
@jsecurity101
jsecurity101 / Privileges.txt
Created July 23, 2022 01:00
System privileges and their values
Author: Jonathan Johnson
Data pulled via winnt.h / LookupPrivilegeValue
SE_CREATE_TOKEN_NAME / SeCreateTokenPrivilege / 2
SE_ASSIGNPRIMARYTOKEN_NAME / SeAssignPrimaryTokenPrivilege / 3
SE_LOCK_MEMORY_NAME / SeLockMemoryPrivilege / 4
SE_INCREASE_QUOTA_NAME / SeIncreaseQuotaPrivilege / 5
SE_MACHINE_ACCOUNT_NAME / SeMachineAccountPrivilege / 6
SE_TCB_NAME / SeTcbPrivilege / 7
SE_SECURITY_NAME / SeSecurityPrivilege / 8
@jsecurity101
jsecurity101 / KerberosCorrelation.ipynb
Last active June 18, 2023 17:03
Kerberos Detection/Investigation
@jsecurity101
jsecurity101 / ProtectionChecks.ps1
Last active July 31, 2023 00:00
PowerShell script that reports whether a process or service is running as protected (PPL).
#Author: Jonathan Johnson (@jsecurity101)
if (-not ('ProtectedObjects.ProcessNativeMethods' -as [Type])) {
$TypeDef = @'
using System;
using System.Runtime.InteropServices;
namespace ProtectedObjects {
[Flags]
public enum ProcessAccess {