| #!/usr/bin/env bash | |
| DARKGREEN=$'\e[00;32m' | |
| GREEN=$'\e[01;32m' | |
| TEAL=$'\e[00;36m' | |
| DARKGREY=$'\e[01;30m' | |
| CYAN=$'\e[01;36m' | |
| LIGHTGREY=$'\e[00;37m' | |
| RED=$'\e[00;31m' | |
| PINK=$'\e[01;31m' |
| #!/usr/bin/env bash | |
| DARKGREEN=$'\e[00;32m' | |
| GREEN=$'\e[01;32m' | |
| TEAL=$'\e[00;36m' | |
| DARKGREY=$'\e[01;30m' | |
| CYAN=$'\e[01;36m' | |
| LIGHTGREY=$'\e[00;37m' | |
| RED=$'\e[00;31m' | |
| PINK=$'\e[01;31m' |
| # Function for getting an MS Graph Token | |
| Function Get-MSGraphToken { | |
| <# | |
| .DESCRIPTION | |
| Requests a token from STS with the MS Graph specified as the resource/intended audience | |
| #> | |
| [cmdletbinding()] | |
| param( | |
| [Parameter(Mandatory = $True)] | |
| [string] |
| #Ensure errors don't ruin anything for us | |
| $ErrorActionPreference = "SilentlyContinue" | |
| # Set variables | |
| $DesktopPath = [Environment]::GetFolderPath("Desktop") | |
| $basic = "C:\windows\System32\winevt\Logs\Application.evtx", "C:\windows\System32\winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx", "C:\windows\System32\winevt\Logs\System.evtx", "C:\windows\System32\winevt\Logs\Microsoft-Windows-Windows Defender%4Operational.evtx", "C:\windows\System32\winevt\Logs\Security.evtx", "C:\windows\System32\winevt\Logs\Microsoft-Windows-Sysmon%4Operational.evtx" | |
| $remote_logs = "C:\windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", "C:\windows\System32\winevt\Logs\Microsoft-Windows-WinRM%4Operational.evtx" |
| /* | |
| VEH using process enumerator for Microsoft Windows | |
| Released as open source by NCC Group Plc - http://www.nccgroup.com/ | |
| Developed by Ollie Whitehouse, ollie dot whitehouse at nccgroup dot com | |
| Released under AGPL see LICENSE for more information | |
| */ |
| // | |
| // MEMGUARD.cpp : Simulate a process we want to dump | |
| // | |
| // Dump early with MEMGUARDDump then | |
| // - strings.exe memguard.dmp | findstr HiLo | |
| // HiLo - %d | |
| // | |
| // Dump later with MEMGUARDDump then | |
| // - | |
| // HiLo - %d |
I want to use lsasrv!LsaProtectMemory() inside the LSASS process to encrypt a block of memory and return the ciphertext. It's part of the LsapLsasrvIfTable interface in lsasrv.dll, but unless I'm mistaken can only be accessed by another LSA extension using the lsasrv!QueryLsaInterface() function. The following text is some basic information about the internal structures.
LsapLsasrvIfTable:
dq offset LsaProtectMemory
dq offset LsaUnprotectMemory
dq offset LsaIFreeReturnBuffer
Some golden links when you are having issues: https://social.technet.microsoft.com/Forums/windows/en-US/96016a13-9062-4842-b534-203d2f400cae/ca-certificate-request-error-quotdenied-by-policy-module-0x80094800quot-windows-server-2008?forum=winserversecurity
Download and install Certi
This document now exists on the official ASP.NET core docs page.
In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished in short by;
The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.