Its unfortunately extremely common for customers and enterprises operating in AWS to have chosen a workload/storage bearing account (more than likely, the main production account) as the Organization Management Account (formerly known Organization "Master" account, before AWS adopted better naming).
Many customers and companies operating in AWS made this decision in 2018 or so and its unforunately not something that can be easily changes as of today (2024). Many customers have requests to AWS to make a friendly path for rehoming the Org Management account but last I heard it is still not prioritized. Thus, we as customers are left to go through the nerve-wracking, if not dangerous process of migrating to a new AWS Organization in order to align with modern best practices and reduce common privilege escalation and account to account lateral movement concerns (made worse if you happen to have enabled things like Cloudformation Stacksets, Control Tower, or other powerful services in the s
Nicolas Vincent nclv
🖥️
ForensicITGuy
/ 7zip_motw_propagation_extract.reg
Created
May 29, 2024 16:53
Enable 7-ZIP Mark of the Web (MOTW) Propagation on Extract
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Windows Registry Editor Version 5.00 | |
| [HKEY_CURRENT_USER\Software\7-Zip\Options] | |
| "WriteZoneIdExtract"=dword:00000001 |
houey
/ aws_organizations_migration_notes.md
Last active
May 28, 2024 13:55
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # See https://halu.lu/%E6%9D%82%E8%B0%88/cloudflare-warp/ | |
| # Depolyed at https://warp.halu.lu/ | |
| // Change keys if needed | |
| const keys = [ | |
| "9WO41D5p-6OP8xj27-36gQG75D", | |
| "R65K12Up-aU907O2e-4nuvD581", | |
| "06LM94EJ-1nl0V2d7-V847va5y", | |
| ] |
WKL-Sec
/ KillDateProtect.cpp
Created
January 24, 2024 16:14
Example of DLL code designed for protecting C2 payloads by disabling them after a predefined 'kill date', ensuring secure and time-controlled operations.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <windows.h> | |
| #include <iostream> | |
| #include <chrono> | |
| #include <ctime> | |
| #include <sstream> | |
| // White Knight Labs - Offensive Development Course | |
| // DLL Kill Date Example | |
| bool parseDate(const std::string& dateStr, std::tm& date) { |
testanull
/ SharePwn_public.py
Created
December 15, 2023 07:31
SharePoint Pre-Auth Code Injection RCE chain CVE-2023-29357 & CVE-2023-24955 PoC
milesrichardson
/ result.md
Created
November 16, 2023 12:51
OpenAI generated this code from a UX mockup at https://makereal.tldraw.com/
antonioCoco
/ TaskManagerSecret.c
Created
August 29, 2023 01:52
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| TaskManagerSecret | |
| Author: @splinter_code | |
| This is a very ugly POC for a very unreliable UAC bypass through some UI hacks. | |
| The core of this hack is stealing and using a token containing the UIAccess flag set. | |
| A trick described by James Forshaw, so all credits to him --> https://www.tiraniddo.dev/2019/02/accessing-access-tokens-for-uiaccess.html | |
| From there it uses a task manager "feature" to run a new High IL cmd.exe. | |
| This has been developed only for fun and shouldn't be used due to its high unreliability. |
imaami
/ create_passphrase.sh
Last active
August 30, 2023 12:43
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env bash | |
| word_max=9 # Exclude words longer than this | |
| nphrases=3 # Generate this many passphrases | |
| defwords=4 # Default number of words/phrase | |
| pls() { | |
| local -i n=${#1} r=$2 | |
| local s | |
| printf -v s -- ' %s%*s%s\n' \ |
0xdevalias
/ _deobfuscating-unminifying-obfuscated-web-app-code.md
Last active
June 24, 2024 20:44
Some notes and tools for reverse engineering / deobfuscating / unminifying obfuscated web app code
MaxBWMinRTT
/ writeup.md
Last active
November 3, 2023 08:44
Some quick notes about the CVE-2023-3079(V8 type confusion), no PoC yet.
Official patch: https://chromium-review.googlesource.com/c/v8/v8/+/4584248
Patch come from KeyedStoreIC::StoreElementHandler(), it returns fast path code(Turbofan builtin) for keyed store depends on "receiver_map" and "store_mode". Based on the content of this function is all about element STORE, I personally believe that this is an OOB writes vulnerability.
If we divide the PoC exploration into two parts based on this func, they are:
NewerOlder