mrpnkt mrpnkt

## suspension-reversals.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              40 stars
            
          
                travisbrown
                / suspension-reversals.md
            
            
              Last active
              March 25, 2023 18:32
            
              
                Updated version with additional data: https://github.com/travisbrown/unsuspensions
              
          
    Elon Musk's suspension reversals

The tables below show notable Twitter suspension reversals for each day since Elon Musk took over as owner and CEO.
All dates indicate when the suspension or reversal was detected, and the actual suspension or reversal may have been earlier.
For most English-language accounts with large followings, this lag will generally not be longer than a few hours,
but for accounts that have a small number of followers or that are outside the networks we are tracking, the difference can be larger,
and in some cases an account on the list may have had its suspension reversed before 27 October 2022.
These dates will get more precise as we refine the report.
Because of these limitations, this report should be considered a starting point for investigation, not a definitive list of suspension reversals.

  
## Get-RdpLogonEvent.ps1
function Get-RdpLogonEvent
{
    [CmdletBinding()]
    param(
        [Int32] $Last = 10
    )

    $RdpInteractiveLogons = Get-WinEvent -FilterHashtable @{
        LogName='Security'
        ProviderName='Microsoft-Windows-Security-Auditing'

## ms-msdt.MD

      
              1 file
            
          
              56 forks
            
          
              24 comments
            
          
              153 stars
            
          
                tothi
                / ms-msdt.MD
            
            
              Last active
              April 18, 2024 02:22
            
              
                The MS-MSDT 0-day Office RCE Proof-of-Concept Payload Building Process
              
          
    MS-MSDT 0-day Office RCE

MS Office docx files may contain external OLE Object references as HTML files. There is an HTML sceme "ms-msdt:" which invokes the msdt diagnostic tool, what is capable of executing arbitrary code (specified in parameters).
The result is a terrifying attack vector for getting RCE through opening malicious docx files (without using macros).
Here are the steps to build a Proof-of-Concept docx:

Open Word (used up-to-date 2019 Pro, 16.0.10386.20017), create a dummy document, insert an (OLE) object (as a Bitmap Image), save it in docx.


## Sysmon_Lab.ps1
<#
Meta
    Date: 2022 March 28th
    Updated: 2023 October 6th
    Authors: Dray Agha (Twitter @purp1ew0lf), Dipo Rodipe (Twitter @dipotwb)
    Company: Huntress Labs
    Purpose: Automate setting up Sysmon and pulling Ippsec's sysmon IoC streamliner. Great for malware lab.
#>

################################################################################################################

## AccCheckConsole.txt
*Purpose
 - UI Accessibility Checker
 - Verifies UI accessibility requirements

*LOLBIN Functionality/Steps
 1) Go to "Custom Verification Routines" link in reference section and copy the sample verification C# code into Visual Studio.
 2) Add proper assembly references (e.g. AccCheck.dll)
 3) Insert your C# code under a target method such as Execute()
 4) Compile to a .NET managed library (DLL)
 5) Invoke the code

## DecompressExecute.cs
//Decompressing shellcode and execution via callback
//Compile: C:\windows\Microsoft.NET\Framework64\v3.5\csc.exe C:\Path\To\DecompressExecute.cs
//Windows Compression API: https://docs.microsoft.com/en-us/windows/win32/api/_cmpapi/
//Supported Algorithms: https://docs.microsoft.com/en-us/windows/win32/api/compressapi/nf-compressapi-createcompressor

// Step 1: generate shellcode
//         Msfvenom: msfvenom -p windows/x64/exec CMD=calc exitfunc=thread -f raw -o calc.bin

// Step 2: Compress the shellcode with my compress.cs gist here: https://gist.github.com/Wra7h/4d56791c2d0b5c1f27a67f3bc0ab924d
//         Compression command: .\compress.exe -in C:\path\to\calc.bin -out .\LZMScalc.bin -alg 5

## deobfuscator.py
from oletools.olevba import VBA_Parser, TYPE_OLE, TYPE_OpenXML, TYPE_Word2003_XML, TYPE_MHTML
import sys
import re

vbaparser = VBA_Parser(sys.argv[1])

replace_regex = r"\s*([^=]+)\s*=\s*Replace\(\s*([^,]+)\s*,\s*\"([^,]*)\"\s*,\s*\"([^,]*)\"\s*\)"
replace = re.compile(replace_regex, re.MULTILINE)

regex_url = "http(s)?://[^,\"]+"

## memBruteforce.cpp
// memBruteforce.cpp by aaaddress1@chroot.org
// brute search loaded moudules in memory
// rewrite from https://www.exploit-db.com/exploits/45293
#include <Windows.h>
#include <iostream>
#pragma warning(disable:4996)

bool isMemExist(size_t addr) {
    int retv;
    __asm {

## Workstation-Takeover.md

      
              1 file
            
          
              89 forks
            
          
              9 comments
            
          
              249 stars
            
          
                gladiatx0r
                / Workstation-Takeover.md
            
            
              Last active
              April 25, 2024 13:23
            
              
                From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure
              
          
    Overview

In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished in short by;

Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
Relaying that machine authentication to LDAPS for configuring RBCD
RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.

  
## 2021-1675-spooler-imageloads.kql
let serverlist=DeviceInfo
| where DeviceType != "Workstation"
| distinct DeviceId;
let suspiciousdrivers=DeviceImageLoadEvents
| where DeviceId in (serverlist)
| where FolderPath startswith @"c:\windows\system32\spool\drivers"
| distinct SHA1
| invoke FileProfile(SHA1, 1000)
| where GlobalPrevalence < 50 and IsRootSignerMicrosoft != 1 and SignatureState != "SignedValid";
suspiciousdrivers
	function Get-RdpLogonEvent
	{
	[CmdletBinding()]
	param(
	[Int32] $Last = 10
	)

	$RdpInteractiveLogons = Get-WinEvent -FilterHashtable @{
	LogName='Security'
	ProviderName='Microsoft-Windows-Security-Auditing'
	<#
	Meta
	Date: 2022 March 28th
	Updated: 2023 October 6th
	Authors: Dray Agha (Twitter @purp1ew0lf), Dipo Rodipe (Twitter @dipotwb)
	Company: Huntress Labs
	Purpose: Automate setting up Sysmon and pulling Ippsec's sysmon IoC streamliner. Great for malware lab.
	#>

	################################################################################################################
	*Purpose
	- UI Accessibility Checker
	- Verifies UI accessibility requirements

	*LOLBIN Functionality/Steps
	1) Go to "Custom Verification Routines" link in reference section and copy the sample verification C# code into Visual Studio.
	2) Add proper assembly references (e.g. AccCheck.dll)
	3) Insert your C# code under a target method such as Execute()
	4) Compile to a .NET managed library (DLL)
	5) Invoke the code
	//Decompressing shellcode and execution via callback
	//Compile: C:\windows\Microsoft.NET\Framework64\v3.5\csc.exe C:\Path\To\DecompressExecute.cs
	//Windows Compression API: https://docs.microsoft.com/en-us/windows/win32/api/_cmpapi/
	//Supported Algorithms: https://docs.microsoft.com/en-us/windows/win32/api/compressapi/nf-compressapi-createcompressor

	// Step 1: generate shellcode
	// Msfvenom: msfvenom -p windows/x64/exec CMD=calc exitfunc=thread -f raw -o calc.bin

	// Step 2: Compress the shellcode with my compress.cs gist here: https://gist.github.com/Wra7h/4d56791c2d0b5c1f27a67f3bc0ab924d
	// Compression command: .\compress.exe -in C:\path\to\calc.bin -out .\LZMScalc.bin -alg 5
	from oletools.olevba import VBA_Parser, TYPE_OLE, TYPE_OpenXML, TYPE_Word2003_XML, TYPE_MHTML
	import sys
	import re

	vbaparser = VBA_Parser(sys.argv[1])

	replace_regex = r"\s([^=]+)\s=\sReplace\(\s([^,]+)\s,\s\"([^,])\"\s,\s\"([^,])\"\s*\)"
	replace = re.compile(replace_regex, re.MULTILINE)

	regex_url = "http(s)?://[^,\"]+"
	// memBruteforce.cpp by aaaddress1@chroot.org
	// brute search loaded moudules in memory
	// rewrite from https://www.exploit-db.com/exploits/45293
	#include <Windows.h>
	#include <iostream>
	#pragma warning(disable:4996)

	bool isMemExist(size_t addr) {
	int retv;
	__asm {
	let serverlist=DeviceInfo
	\| where DeviceType != "Workstation"
	\| distinct DeviceId;
	let suspiciousdrivers=DeviceImageLoadEvents
	\| where DeviceId in (serverlist)
	\| where FolderPath startswith @"c:\windows\system32\spool\drivers"
	\| distinct SHA1
	\| invoke FileProfile(SHA1, 1000)
	\| where GlobalPrevalence < 50 and IsRootSignerMicrosoft != 1 and SignatureState != "SignedValid";
	suspiciousdrivers