techris techris45

## ejectusb.py
#!/usr/bin/python3

# From DOS commandline, run this as follows:-
#        python3 ejectusb.py
# -or- create C:\windows\ejectusb.bat to do the above in fewer characters.
#
# From WSL bash, run it as follows:-
#        cmd.exe /c start python3 C:\\windows\\ejectusb.py
# -or- create /usr/local/bin/ejectusb to do the above in fewer characters.

## Get-InjectedThread.ps1
function Get-InjectedThread
{
    <#

    .SYNOPSIS

    Looks for threads that were created as a result of code injection.

    .DESCRIPTION


## RMM-detection.md

      
              3 files
            
          
              0 forks
            
          
                0 comments
              
            
              0 stars
            
          
                techris45
                / RMM-detection.md
            
            
              Created
              September 19, 2024 16:00
                — forked from brokensound77/RMM-detection.md
            
              
                Detection Engineering: RMM analysis 
              
          
    Detecting RMM

ℹ️ This was duplicated to this blog for readability and reference

The most difficult challenge with RMM detection is contextual awareness around usage to determine if it is valid or malicious.

  
## TaskManagerSecret.c
/*
	TaskManagerSecret

	Author: @splinter_code

	This is a very ugly POC for a very unreliable UAC bypass through some UI hacks.
	The core of this hack is stealing and using a token containing the UIAccess flag set.
	A trick described by James Forshaw, so all credits to him --> https://www.tiraniddo.dev/2019/02/accessing-access-tokens-for-uiaccess.html
	From there it uses a task manager "feature" to run a new High IL cmd.exe.
	This has been developed only for fun and shouldn't be used due to its high unreliability.

## backup-servername.sh
#!/bin/sh
#
# This script is used on a QNAP TS-269 PRO. https://www.en0ch.se/qnap-and-rsync/
#
# You have to change:
# 1. $SHAREUSR
# 2. $EXCLUDES (if you want o change the name of the file servername.excludes)
# 3. $SOURCE & $DESTINATION
# 4. user@yourserver.se for the mysqldump
# 5. --password=SUPERSECRET

## imaway
#!/usr/bin/python

import dbus
import dbus.glib
import gobject
import subprocess


def lock():
    print "Screen saver turned on"

## how-to-copy-aws-rds-to-local.md

      
              1 file
            
          
              0 forks
            
          
                0 comments
              
            
              0 stars
            
          
                techris45
                / how-to-copy-aws-rds-to-local.md
            
            
              Created
              December 7, 2021 04:36
                — forked from syafiqfaiz/how-to-copy-aws-rds-to-local.md
            
              
                How to copy production database on AWS RDS(postgresql) to local development database.
              
          
Change your database RDS instance security group to allow your machine to access it.

Add your ip to the security group to acces the instance via Postgres.


Make a copy of the database using pg_dump

$ pg_dump -h <public dns> -U <my username> -f <name of dump file .sql> <name of my database>
you will be asked for postgressql password.
a dump file(.sql) will be created


Restore that dump file to your local database.

but you might need to drop the database and create it first
$ psql -U <postgresql username> -d <database name> -f <dump file that you want to restore>


the database is restored


## postgres_queries_and_commands.sql
-- show running queries (pre 9.2)
SELECT procpid, age(clock_timestamp(), query_start), usename, current_query
FROM pg_stat_activity
WHERE current_query != '<IDLE>' AND current_query NOT ILIKE '%pg_stat_activity%'
ORDER BY query_start desc;

-- show running queries (9.2)
SELECT pid, age(clock_timestamp(), query_start), usename, query
FROM pg_stat_activity
WHERE query != '<IDLE>' AND query NOT ILIKE '%pg_stat_activity%'

## windows_and_office_kms_setup.adoc

      
              1 file
            
          
              0 forks
            
          
                0 comments
              
            
              3 stars
            
          
                techris45
                / windows_and_office_kms_setup.adoc
            
            
              Created
              December 2, 2021 03:33
                — forked from jerodg/windows_and_office_kms_setup.adoc
            
              
                Activate Windows and Office Using KMS Server
              
          
    Microsoft Windows and Office KMS Setup


## Workstation-Takeover.md

      
              1 file
            
          
              0 forks
            
          
                0 comments
              
            
              0 stars
            
          
                techris45
                / Workstation-Takeover.md
            
            
              Created
              October 10, 2021 22:29
                — forked from gladiatx0r/Workstation-Takeover.md
            
              
                From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure
              
          
    Overview

In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished in short by;

Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
Relaying that machine authentication to LDAPS for configuring RBCD
RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.
	#!/usr/bin/python3

	# From DOS commandline, run this as follows:-
	# python3 ejectusb.py
	# -or- create C:\windows\ejectusb.bat to do the above in fewer characters.
	#
	# From WSL bash, run it as follows:-
	# cmd.exe /c start python3 C:\\windows\\ejectusb.py
	# -or- create /usr/local/bin/ejectusb to do the above in fewer characters.
	function Get-InjectedThread
	{
	<#

	.SYNOPSIS

	Looks for threads that were created as a result of code injection.

	.DESCRIPTION
	/*
	TaskManagerSecret

	Author: @splinter_code

	This is a very ugly POC for a very unreliable UAC bypass through some UI hacks.
	The core of this hack is stealing and using a token containing the UIAccess flag set.
	A trick described by James Forshaw, so all credits to him --> https://www.tiraniddo.dev/2019/02/accessing-access-tokens-for-uiaccess.html
	From there it uses a task manager "feature" to run a new High IL cmd.exe.
	This has been developed only for fun and shouldn't be used due to its high unreliability.
	#!/bin/sh
	#
	# This script is used on a QNAP TS-269 PRO. https://www.en0ch.se/qnap-and-rsync/
	#
	# You have to change:
	# 1. $SHAREUSR
	# 2. $EXCLUDES (if you want o change the name of the file servername.excludes)
	# 3. $SOURCE & $DESTINATION
	# 4. user@yourserver.se for the mysqldump
	# 5. --password=SUPERSECRET
	#!/usr/bin/python

	import dbus
	import dbus.glib
	import gobject
	import subprocess


	def lock():
	print "Screen saver turned on"
	-- show running queries (pre 9.2)
	SELECT procpid, age(clock_timestamp(), query_start), usename, current_query
	FROM pg_stat_activity
	WHERE current_query != '<IDLE>' AND current_query NOT ILIKE '%pg_stat_activity%'
	ORDER BY query_start desc;

	-- show running queries (9.2)
	SELECT pid, age(clock_timestamp(), query_start), usename, query
	FROM pg_stat_activity
	WHERE query != '<IDLE>' AND query NOT ILIKE '%pg_stat_activity%'