// Computer accounts that hold local admin on other computers through (nested) group
// membership: Principal is the computer, Target is the computer it is AdminTo, and
// ViaGroup is the group carrying the AdminTo edge.
// Path and relationship variables are never returned, so they are left unbound.
// Note the MemberOf hop has no upper bound (*1..), so nesting depth is unlimited.
MATCH (computer:Computer)-[:MemberOf*1..]->(grp:Group)
WITH computer, grp
MATCH (grp)-[:AdminTo]->(target:Computer)
RETURN computer.name AS Principal, target.name AS Target, grp.name AS ViaGroup
// Dumps the bytes at the mouse cursor's position as a GUID string
//
// Usage:
// 1. Click on the GUID's "Data1" field in IDA
// 2. Run the script (File -> Script File..., or hit Alt+F7)
// 3. When the script loads, it displays the GUID in IDA's output window.
// After it's loaded, you can run it again at any time by calling the
// function `get_guid_at_cursor()` at IDA's IDC REPL prompt.
#include <idc.idc> |
from cryptography.hazmat.backends import default_backend | |
from cryptography.hazmat.primitives import serialization | |
from cryptography.hazmat.primitives.asymmetric import rsa | |
from cryptography import x509 | |
from cryptography.x509.extensions import ExtensionType | |
from cryptography.x509.oid import NameOID | |
from cryptography.hazmat.primitives import hashes | |
from cryptography.x509.general_name import GeneralName, IPAddress, OtherName | |
import base64 | |
import pyasn1 |
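# Enumerate the RPC interfaces exposed by efssvc.dll with NtObjectManager and open a
# client for the interface with UUID df1941c5-fe89-4e79-bf10-463657acf44d.
# dbghelp.dll from the Windows Kits debugger directory is passed to Get-RpcServer so it
# can resolve symbols while parsing; adjust -DbgHelpPath if the SDK is installed elsewhere.
# The final Connect() binds to the live service on this host.

# Skip the install when the module is already present so repeated runs do not go back
# to the gallery (and its repository prompt) every time.
if (-not (Get-Module -ListAvailable -Name NtObjectManager)) {
    Install-Module NtObjectManager
}
Import-Module NtObjectManager

$Servers = Get-RpcServer -Path C:\Windows\system32\efssvc.dll `
    -DbgHelpPath 'C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\dbghelp.dll'

# Select the interface by UUID. A null result means the parse did not yield that
# interface (wrong DLL or a failed parse); fail here with a clear message instead of
# letting Get-RpcClient error on a null -Server argument.
$EfsInterface = $Servers | Where-Object { $_.InterfaceId -eq 'df1941c5-fe89-4e79-bf10-463657acf44d' }
if ($null -eq $EfsInterface) {
    throw "Interface df1941c5-fe89-4e79-bf10-463657acf44d was not found in efssvc.dll"
}

$client = Get-RpcClient -Server $EfsInterface
$client.Connect()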
DllShortName Dll Export MethodReturnType Method DeclaringType Assembly | |
"" "" _CERT_CONTEXT modopt(System.Runtime.CompilerServices.IsConst)* modopt(System.Runtime.CompilerServices.CallConvCdecl) CertDuplicateCertificateContext(_CERT_CONTEXT modopt(System.Runtime.CompilerServices.IsConst)* ) <Module> C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.CertificateServices.PKIClient.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.CertificateServices.PKIClient.Cmdlets.dll | |
"" "" _CERT_CONTEXT modopt(System.Runtime.CompilerServices.IsConst)* modopt(System.Runtime.CompilerServices.CallConvCdecl) CertEnumCertificatesInStore(System.Void* , _CERT_CONTEXT modopt(System.Runtime.CompilerServices.IsConst)* ) <Module> C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.CertificateServices.PKIClient.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.CertificateServices.PKIClient.Cmdlets.dll | |
"" "" _CERT_CONTEXT modopt(System.Runtime.CompilerServices.IsConst)* modopt(System.Runtime.CompilerServices.CallConvCdecl) CertFindCert |
# Download TLGMetadataParser.psm1 from https://gist.github.com/mattifestation/edbac1614694886c8ef4583149f53658
PS C:\> Import-Module TLGMetadataParser.psm1 | |
PS C:\> $Info = Get-TraceLoggingMetadata -Path C:\Windows\system32\MicrosoftAccountTokenProvider.dll | |
PS C:\> $Info.Providers | |
ProviderGUID ProviderName ProviderGroupGUID | |
------------ ------------ ----------------- | |
05f02597-fe85-4e67-8542-69567ab8fd4f MSAClientTraceLoggingProvider 4f50731a-89cf-4782-b3e0-dce8c90476ba |
# Download TLGMetadataParser.psm1 from https://gist.github.com/mattifestation/edbac1614694886c8ef4583149f53658
PS C:\> Import-Module TLGMetadataParser.psm1 | |
PS C:\> Get-TraceLoggingMetadata -Path C:\Windows\system32\MicrosoftAccountTokenProvider.dll | ConvertTo-Json | |
{ | |
"FilePath": "C:\\Windows\\system32\\MicrosoftAccountTokenProvider.dll", | |
"Providers": [ | |
{ | |
"ProviderGUID": "05f02597-fe85-4e67-8542-69567ab8fd4f", |
<?xml version="1.0"?> | |
<SiPolicy xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="urn:schemas-microsoft-com:sipolicy"> | |
<VersionEx>10.0.3.7</VersionEx> | |
<PolicyTypeID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyTypeID> | |
<PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID> | |
<Rules> | |
<Rule> | |
<Option>Enabled:UMCI</Option> | |
</Rule> | |
<Rule> |
// Computer accounts that hold local admin on other computers through (nested) group
// membership: Principal is the computer, Target is the computer it is AdminTo, and
// ViaGroup is the group carrying the AdminTo edge.
// Path and relationship variables are never returned, so they are left unbound.
// Note the MemberOf hop has no upper bound (*1..), so nesting depth is unlimited.
MATCH (computer:Computer)-[:MemberOf*1..]->(grp:Group)
WITH computer, grp
MATCH (grp)-[:AdminTo]->(target:Computer)
RETURN computer.name AS Principal, target.name AS Target, grp.name AS ViaGroup
<?xml version="1.0" encoding="utf-8"?> | |
<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:ac="http://schemas.microsoft.com/Search/2013/SettingContent" targetNamespace="http://schemas.microsoft.com/Search/2013/SettingContent" elementFormDefault="qualified" > | |
<xsd:annotation> | |
<xsd:documentation xml:lang="en">Copyright (C) Microsoft. All rights reserved. | |
Searchable setting content file schema. | |
</xsd:documentation> | |
</xsd:annotation> | |
<xsd:element name="SearchableContent" type="ac:SearchableContentType"/> | |
<xsd:complexType name="SearchableContentType"> | |
<xsd:sequence> |
I hereby claim:
To claim this, I am signing this object: