Casey secdev02

## gist:e904144bfd9c37e51694691a001c7df1
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003" >
	<Target Name="Hello" >

	<!-- Call ANY .NET API -->
	<!--

		Author: Casey Smith, Twitter: @subTee

		License: BSD 3-Clause


## rbcd_demo.ps1
# import the necessary toolsets
Import-Module .\powermad.ps1
Import-Module .\powerview.ps1

# we are TESTLAB\attacker, who has GenericWrite rights over the primary$ computer account
whoami

# the target computer object we're taking over
$TargetComputer = "primary.testlab.local"

## notes.md

      
              1 file
            
          
              0 forks
            
          
                0 comments
              
            
              0 stars
            
          
                secdev02
                / notes.md
            
            
              Created
              August 26, 2024 16:36
                — forked from ergot86/notes.md
            
          
    What to debug?

Hyper-v worker process


User mode debugging (easy).
Symbols available.
Attack surface: mostly Gen-1 VMs, device emulation, x86 emulation (for MMIO accesses).

Debugging options:


Attach to running process with WinDbg.


## krbrelay_privesc_howto.md

      
              1 file
            
          
              0 forks
            
          
                0 comments
              
            
              0 stars
            
          
                secdev02
                / krbrelay_privesc_howto.md
            
            
              Created
              August 14, 2024 21:52
                — forked from tothi/krbrelay_privesc_howto.md
            
              
                Privilege Escalation using KrbRelay and RBCD
              
          
    KrbRelay with RBCD Privilege Escalation HOWTO

Short HOWTO about one use case of the work from Cube0x0 (KrbRelay) and others.
TL;DR

No-Fix Local Privilege Escalation from low-priviliged domain user to local system on domain-joined computers.
Prerequisites:

LDAP signing not required on Domain Controller (default!)


## dump_wallet_addresses.py
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# ---------------------------------------------------------------------------
# This software is in the public domain, furnished "as is", without technical
# support, and with no warranty, express or implied, as to its usefulness for
# any purpose.
#
# Usage:
# ./dump_wallet_addresses.py <wallet binary>
#

## MyAppDomainManager.cs
using System;
using System.IO;
using System.Reflection;
using System.Runtime.Hosting;

public sealed class MyAppDomainManager : AppDomainManager
{

    public override void InitializeNewDomain(AppDomainSetup appDomainInfo)
    {

## apiserver.py
# very simple RPC server in python

import sys, json
from http.server import BaseHTTPRequestHandler, HTTPServer
import urllib.parse as urlparse
import threading
import logging
log = logging.getLogger(__name__)

class ApiError(Exception):

## DllLoadAnythingViaScript
#Doesn't Even Have to Be A Conformant COM DLL To trigger the load.

# Sample DLL To inject here
# https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1179

$manifest = '<?xml version="1.0" encoding="UTF-16" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> 	<assemblyIdentity type="win32" name="LiterallyDoesentMatter" version="6.6.6.0"/> 	<file name="Anyname.dll.anything">     	<comClass         	description="Any Description HERE"         	clsid="{89565276-A714-4a43-91FE-EDACDCC0FFEE}" threadingModel="Both"         	progid="JustMakeSomethingUp"/> 	</file>  </assembly>';
$ax = new-object -Com "Microsoft.Windows.ActCtx"
$ax.ManifestText = $manifest;
$DWX = $ax.CreateObject("JustMakeSomethingUp");

## ProjectedFSLib.cs
using System;
using System.Runtime.InteropServices;
using Microsoft.Win32.SafeHandles;

namespace ProjectedFSLib
{
    static class Native
    {
        public static T? PtrToStructure<T>(IntPtr ptr) where T : struct
            => ptr == IntPtr.Zero ? default : Marshal.PtrToStructure<T>(ptr);

## allthesysmon.xml
<Sysmon schemaversion="4.90">
    <HashAlgorithms>md5,sha256</HashAlgorithms>
    <DnsLookup>False</DnsLookup>
    <CheckRevocation>False</CheckRevocation>
    <ArchiveDirectory>sysmon</ArchiveDirectory>
    <EventFiltering>
        <!--Event ID 1: Process creation-->
        <ProcessCreate onmatch="exclude"></ProcessCreate>
        <!--Event ID 2: A process changed a file creation time-->
        <FileCreateTime onmatch="exclude"></FileCreateTime>
	<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003" >
	<Target Name="Hello" >

	<!-- Call ANY .NET API -->
	<!--

	Author: Casey Smith, Twitter: @subTee

	License: BSD 3-Clause
	# import the necessary toolsets
	Import-Module .\powermad.ps1
	Import-Module .\powerview.ps1

	# we are TESTLAB\attacker, who has GenericWrite rights over the primary$ computer account
	whoami

	# the target computer object we're taking over
	$TargetComputer = "primary.testlab.local"
	#!/usr/bin/env python
	# -- coding: utf-8 --
	# ---------------------------------------------------------------------------
	# This software is in the public domain, furnished "as is", without technical
	# support, and with no warranty, express or implied, as to its usefulness for
	# any purpose.
	#
	# Usage:
	# ./dump_wallet_addresses.py <wallet binary>
	#
	using System;
	using System.IO;
	using System.Reflection;
	using System.Runtime.Hosting;

	public sealed class MyAppDomainManager : AppDomainManager
	{

	public override void InitializeNewDomain(AppDomainSetup appDomainInfo)
	{
	# very simple RPC server in python

	import sys, json
	from http.server import BaseHTTPRequestHandler, HTTPServer
	import urllib.parse as urlparse
	import threading
	import logging
	log = logging.getLogger(__name__)

	class ApiError(Exception):
	#Doesn't Even Have to Be A Conformant COM DLL To trigger the load.

	# Sample DLL To inject here
	# https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1179

	$manifest = '<?xml version="1.0" encoding="UTF-16" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity type="win32" name="LiterallyDoesentMatter" version="6.6.6.0"/> <file name="Anyname.dll.anything"> <comClass description="Any Description HERE" clsid="{89565276-A714-4a43-91FE-EDACDCC0FFEE}" threadingModel="Both" progid="JustMakeSomethingUp"/> </file> </assembly>';
	$ax = new-object -Com "Microsoft.Windows.ActCtx"
	$ax.ManifestText = $manifest;
	$DWX = $ax.CreateObject("JustMakeSomethingUp");
	using System;
	using System.Runtime.InteropServices;
	using Microsoft.Win32.SafeHandles;

	namespace ProjectedFSLib
	{
	static class Native
	{
	public static T? PtrToStructure<T>(IntPtr ptr) where T : struct
	=> ptr == IntPtr.Zero ? default : Marshal.PtrToStructure<T>(ptr);
	<Sysmon schemaversion="4.90">
	<HashAlgorithms>md5,sha256</HashAlgorithms>
	<DnsLookup>False</DnsLookup>
	<CheckRevocation>False</CheckRevocation>
	<ArchiveDirectory>sysmon</ArchiveDirectory>
	<EventFiltering>
	<!--Event ID 1: Process creation-->
	<ProcessCreate onmatch="exclude"></ProcessCreate>
	<!--Event ID 2: A process changed a file creation time-->
	<FileCreateTime onmatch="exclude"></FileCreateTime>