Skip to content

Instantly share code, notes, and snippets.

View leechristensen's full-sized avatar

Lee Chagolla-Christensen leechristensen

View GitHub Profile
@leechristensen
leechristensen / CES.py
Last active December 13, 2023 01:39
Crude example of how to build a CSR and issue an HTTP request a certificate via AD CS's Certificate Enrollment Web Service's SOAP endpoint
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography import x509
from cryptography.x509.extensions import ExtensionType
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.x509.general_name import GeneralName, IPAddress, OtherName
import base64
import pyasn1
Install-Module NtObjectManager
Import-Module NtObjectManager
$Servers = Get-RpcServer -Path C:\Windows\system32\efssvc.dll `
-DbgHelpPath 'C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\dbghelp.dll'
$EfsInterace = $Servers | Where-Object { $_.InterfaceId -eq 'df1941c5-fe89-4e79-bf10-463657acf44d' }
$client = Get-RpcClient -Server $EfsInterace
$client.Connect()
@leechristensen
leechristensen / PInvoked.tsv
Last active May 6, 2021 21:49
PInvoked Functions and their origins on a Windows 10.0.19041 Sandbox machine
We can't make this file beautiful and searchable because it's too large.
DllShortName Dll Export MethodReturnType Method DeclaringType Assembly
"" "" _CERT_CONTEXT modopt(System.Runtime.CompilerServices.IsConst)* modopt(System.Runtime.CompilerServices.CallConvCdecl) CertDuplicateCertificateContext(_CERT_CONTEXT modopt(System.Runtime.CompilerServices.IsConst)* ) <Module> C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.CertificateServices.PKIClient.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.CertificateServices.PKIClient.Cmdlets.dll
"" "" _CERT_CONTEXT modopt(System.Runtime.CompilerServices.IsConst)* modopt(System.Runtime.CompilerServices.CallConvCdecl) CertEnumCertificatesInStore(System.Void* , _CERT_CONTEXT modopt(System.Runtime.CompilerServices.IsConst)* ) <Module> C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.CertificateServices.PKIClient.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.CertificateServices.PKIClient.Cmdlets.dll
"" "" _CERT_CONTEXT modopt(System.Runtime.CompilerServices.IsConst)* modopt(System.Runtime.CompilerServices.CallConvCdecl) CertFindCert
# Download from TLGMetadataParser.psm1 from https://gist.github.com/mattifestation/edbac1614694886c8ef4583149f53658
PS C:\> Import-Module TLGMetadataParser.psm1
PS C:\> $Info = Get-TraceLoggingMetadata -Path C:\Windows\system32\MicrosoftAccountTokenProvider.dll
PS C:\> $Info.Providers
ProviderGUID ProviderName ProviderGroupGUID
------------ ------------ -----------------
05f02597-fe85-4e67-8542-69567ab8fd4f MSAClientTraceLoggingProvider 4f50731a-89cf-4782-b3e0-dce8c90476ba
@leechristensen
leechristensen / MicrosoftAccountTokenProvider.dll ETW Providers.txt
Created July 11, 2020 00:46
MicrosoftAccountTokenProvider.dll ETW Providers
# Download from TLGMetadataParser.psm1 from https://gist.github.com/mattifestation/edbac1614694886c8ef4583149f53658
PS C:\> Import-Module TLGMetadataParser.psm1
PS C:\> Get-TraceLoggingMetadata -Path C:\Windows\system32\MicrosoftAccountTokenProvider.dll | ConvertTo-Json
{
"FilePath": "C:\\Windows\\system32\\MicrosoftAccountTokenProvider.dll",
"Providers": [
{
"ProviderGUID": "05f02597-fe85-4e67-8542-69567ab8fd4f",
@leechristensen
leechristensen / 2020.04.12-WDAG_SIPolicy.xml
Last active April 13, 2020 03:09
Windows Defender Application Guard CI Policy - Used by Edge's container for code integrity. SIPolicy.p7b parsed using Matt Graeber's ConvertTo-WDACCodeIntegrityPolicy https://github.com/mattifestation/WDACTools/tree/dbd11b3c3f5578c635b3e6a0b71c42e24e37a18c
<?xml version="1.0"?>
<SiPolicy xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="urn:schemas-microsoft-com:sipolicy">
<VersionEx>10.0.3.7</VersionEx>
<PolicyTypeID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyTypeID>
<PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
<Rules>
<Rule>
<Option>Enabled:UMCI</Option>
</Rule>
<Rule>
@leechristensen
leechristensen / FindingComputersWithLocalAdmin.md
Created August 30, 2019 22:51
Useful cypher queries to find computers that are local admin on other computers, or to find groups containing bother users/computers.

Computer accounts added to local admins on machines via a group in the local admins

MATCH p1 = (c1:Computer)-[r:MemberOf*1..]->(g1:Group)
WITH c1,g1
MATCH p2 = (g1:Group)-[r:AdminTo]->(c2:Computer)
RETURN c1.name As Principal,c2.name AS Target,g1.name AS ViaGroup

Computer accounts added to local admins on machines explicitly

@leechristensen
leechristensen / settingcontent-ms.xsd
Created June 22, 2017 01:43
.settingcontent-ms XML Schema (embedded in shell.dll)
<?xml version="1.0" encoding="utf-8"?>
<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:ac="http://schemas.microsoft.com/Search/2013/SettingContent" targetNamespace="http://schemas.microsoft.com/Search/2013/SettingContent" elementFormDefault="qualified" >
<xsd:annotation>
<xsd:documentation xml:lang="en">Copyright (C) Microsoft. All rights reserved.
Searchable setting content file schema.
</xsd:documentation>
</xsd:annotation>
<xsd:element name="SearchableContent" type="ac:SearchableContentType"/>
<xsd:complexType name="SearchableContentType">
<xsd:sequence>

Keybase proof

I hereby claim:

  • I am leechristensen on github.
  • I am tifkin (https://keybase.io/tifkin) on keybase.
  • I have a public key whose fingerprint is 91F2 D977 5912 0E51 AD40 0C64 2217 7C8E 7D5A 102D

To claim this, I am signing this object:

@leechristensen
leechristensen / NukePSLogging.cpp
Created March 17, 2017 09:20
Nuke PS Logging
void Payload() {
DWORD threadId;
CreateThread(
NULL, // default security attributes
0, // use default stack size
MyThreadFunction, // thread function name
NULL, // argument to thread function
0, // use default creation flags
&threadId);
}