MATCH p1 = (c1:Computer)-[r:MemberOf*1..]->(g1:Group)
WITH c1,g1
MATCH p2 = (g1:Group)-[r:AdminTo]->(c2:Computer)
RETURN c1.name As Principal,c2.name AS Target,g1.name AS ViaGroup
Lee Chagolla-Christensen leechristensen
leechristensen
/ print_guid.idc
Last active
July 3, 2024 19:16
Ida IDC script that dumps the bytes at the mouse cursor's position as a GUID string
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Dumps the bytes at the mouse cursor's position as a GUID string | |
| // | |
| // Usage: | |
| // 1. Click on the GUID's "Data1" field in Ida | |
| // 2. Run the script (File -> Script File..., or hit Alt+F7) | |
| // 3. When you load the script, it'll display the GUID in Ida's output window. | |
| // After it's loaded, you can run it again anytime by executing the | |
| // function `get_guid_at_cursor()` in Ida's IDC REPL prompt. | |
| #include <idc.idc> |
leechristensen
/ CES.py
Last active
December 13, 2023 01:39
Crude example of how to build a CSR and issue an HTTP request a certificate via AD CS's Certificate Enrollment Web Service's SOAP endpoint
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from cryptography.hazmat.backends import default_backend | |
| from cryptography.hazmat.primitives import serialization | |
| from cryptography.hazmat.primitives.asymmetric import rsa | |
| from cryptography import x509 | |
| from cryptography.x509.extensions import ExtensionType | |
| from cryptography.x509.oid import NameOID | |
| from cryptography.hazmat.primitives import hashes | |
| from cryptography.x509.general_name import GeneralName, IPAddress, OtherName | |
| import base64 | |
| import pyasn1 |
leechristensen
/ PetitPotam.ps1
Created
July 30, 2021 21:47
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Install-Module NtObjectManager | |
| Import-Module NtObjectManager | |
| $Servers = Get-RpcServer -Path C:\Windows\system32\efssvc.dll ` | |
| -DbgHelpPath 'C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\dbghelp.dll' | |
| $EfsInterace = $Servers | Where-Object { $_.InterfaceId -eq 'df1941c5-fe89-4e79-bf10-463657acf44d' } | |
| $client = Get-RpcClient -Server $EfsInterace | |
| $client.Connect() |
leechristensen
/ PInvoked.tsv
Last active
May 6, 2021 21:49
PInvoked Functions and their origins on a Windows 10.0.19041 Sandbox machine
We can't make this file beautiful and searchable because it's too large.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| DllShortName Dll Export MethodReturnType Method DeclaringType Assembly | |
| "" "" _CERT_CONTEXT modopt(System.Runtime.CompilerServices.IsConst)* modopt(System.Runtime.CompilerServices.CallConvCdecl) CertDuplicateCertificateContext(_CERT_CONTEXT modopt(System.Runtime.CompilerServices.IsConst)* ) <Module> C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.CertificateServices.PKIClient.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.CertificateServices.PKIClient.Cmdlets.dll | |
| "" "" _CERT_CONTEXT modopt(System.Runtime.CompilerServices.IsConst)* modopt(System.Runtime.CompilerServices.CallConvCdecl) CertEnumCertificatesInStore(System.Void* , _CERT_CONTEXT modopt(System.Runtime.CompilerServices.IsConst)* ) <Module> C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.CertificateServices.PKIClient.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.CertificateServices.PKIClient.Cmdlets.dll | |
| "" "" _CERT_CONTEXT modopt(System.Runtime.CompilerServices.IsConst)* modopt(System.Runtime.CompilerServices.CallConvCdecl) CertFindCert |
leechristensen
/ Exploring TraceLogging metadata in C:\Windows\system32\MicrosoftAccountTokenProvider.dll.txt
Created
July 14, 2020 18:05
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Download from TLGMetadataParser.psm1 from https://gist.github.com/mattifestation/edbac1614694886c8ef4583149f53658 | |
| PS C:\> Import-Module TLGMetadataParser.psm1 | |
| PS C:\> $Info = Get-TraceLoggingMetadata -Path C:\Windows\system32\MicrosoftAccountTokenProvider.dll | |
| PS C:\> $Info.Providers | |
| ProviderGUID ProviderName ProviderGroupGUID | |
| ------------ ------------ ----------------- | |
| 05f02597-fe85-4e67-8542-69567ab8fd4f MSAClientTraceLoggingProvider 4f50731a-89cf-4782-b3e0-dce8c90476ba |
leechristensen
/ MicrosoftAccountTokenProvider.dll ETW Providers.txt
Created
July 11, 2020 00:46
MicrosoftAccountTokenProvider.dll ETW Providers
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Download from TLGMetadataParser.psm1 from https://gist.github.com/mattifestation/edbac1614694886c8ef4583149f53658 | |
| PS C:\> Import-Module TLGMetadataParser.psm1 | |
| PS C:\> Get-TraceLoggingMetadata -Path C:\Windows\system32\MicrosoftAccountTokenProvider.dll | ConvertTo-Json | |
| { | |
| "FilePath": "C:\\Windows\\system32\\MicrosoftAccountTokenProvider.dll", | |
| "Providers": [ | |
| { | |
| "ProviderGUID": "05f02597-fe85-4e67-8542-69567ab8fd4f", |
leechristensen
/ 2020.04.12-WDAG_SIPolicy.xml
Last active
April 13, 2020 03:09
Windows Defender Application Guard CI Policy - Used by Edge's container for code integrity. SIPolicy.p7b parsed using Matt Graeber's ConvertTo-WDACCodeIntegrityPolicy https://github.com/mattifestation/WDACTools/tree/dbd11b3c3f5578c635b3e6a0b71c42e24e37a18c
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0"?> | |
| <SiPolicy xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="urn:schemas-microsoft-com:sipolicy"> | |
| <VersionEx>10.0.3.7</VersionEx> | |
| <PolicyTypeID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyTypeID> | |
| <PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID> | |
| <Rules> | |
| <Rule> | |
| <Option>Enabled:UMCI</Option> | |
| </Rule> | |
| <Rule> |
leechristensen
/ FindingComputersWithLocalAdmin.md
Created
August 30, 2019 22:51
Useful cypher queries to find computers that are local admin on other computers, or to find groups containing bother users/computers.
leechristensen
/ settingcontent-ms.xsd
Created
June 22, 2017 01:43
.settingcontent-ms XML Schema (embedded in shell.dll)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0" encoding="utf-8"?> | |
| <xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:ac="http://schemas.microsoft.com/Search/2013/SettingContent" targetNamespace="http://schemas.microsoft.com/Search/2013/SettingContent" elementFormDefault="qualified" > | |
| <xsd:annotation> | |
| <xsd:documentation xml:lang="en">Copyright (C) Microsoft. All rights reserved. | |
| Searchable setting content file schema. | |
| </xsd:documentation> | |
| </xsd:annotation> | |
| <xsd:element name="SearchableContent" type="ac:SearchableContentType"/> | |
| <xsd:complexType name="SearchableContentType"> | |
| <xsd:sequence> |
leechristensen
/ keybase.md
Created
April 24, 2017 23:00
I hereby claim:
- I am leechristensen on github.
- I am tifkin (https://keybase.io/tifkin) on keybase.
- I have a public key whose fingerprint is 91F2 D977 5912 0E51 AD40 0C64 2217 7C8E 7D5A 102D
To claim this, I am signing this object:
NewerOlder