Skip to content

Instantly share code, notes, and snippets.

View xpn's full-sized avatar

Adam Chester xpn

1.7k followers · 5 following
View GitHub Profile
@xpn
xpn / sccmdecryptpoc.cs
Last active September 30, 2023 11:51
SCCM Account Password Decryption POC
View sccmdecryptpoc.cs
// Twitter thread: https://twitter.com/_xpn_/status/1543682652066258946 (was a bit bored ;)
// Needs to be run on the SCCM server containing the "Microsoft Systems Management Server" CSP for it to work.
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
namespace SCCMDecryptPOC
{
internal class Program
@xpn
xpn / tasks.cs
Created August 19, 2019 13:56
Create a .NET Type Dynamically at Runtime, Execute in Script. Prototype DynamicWrapperX , but not posting that publicly
View tasks.cs
using System;
using System.EnterpriseServices;
using System.Runtime.InteropServices;
using System.Reflection;
using System.Reflection.Emit;
using System.Collections;
using System.Collections.Generic;
@xpn
xpn / clr_via_native.c
Created April 11, 2018 21:34
A quick example showing loading CLR via native code
View clr_via_native.c
#include "stdafx.h"
int main()
{
ICLRMetaHost *metaHost = NULL;
IEnumUnknown *runtime = NULL;
ICLRRuntimeInfo *runtimeInfo = NULL;
ICLRRuntimeHost *runtimeHost = NULL;
IUnknown *enumRuntime = NULL;
LPWSTR frameworkName = NULL;
@xpn
xpn / azuread_decrypt_msol_v2.ps1
Created April 11, 2020 01:34
Updated method of dumping the MSOL service account (which allows a DCSync) used by Azure AD Connect Sync
View azuread_decrypt_msol_v2.ps1
Write-Host "AD Connect Sync Credential Extract v2 (@_xpn_)"
Write-Host "`t[ Updated to support new cryptokey storage method ]`n"
$client = new-object System.Data.SqlClient.SqlConnection -ArgumentList "Data Source=(localdb)\.\ADSync;Initial Catalog=ADSync"
try {
$client.Open()
} catch {
Write-Host "[!] Could not connect to localdb..."
return
@xpn
xpn / getsystem_parent.cpp
Created November 20, 2017 00:11
A POC to grab SYSTEM token privileges via PROC_THREAD_ATTRIBUTE_PARENT_PROCESS
View getsystem_parent.cpp
#include "stdafx.h"
BOOL SetPrivilege(HANDLE hToken, LPCTSTR Privilege, BOOL bEnablePrivilege) {
TOKEN_PRIVILEGES tp;
LUID luid;
TOKEN_PRIVILEGES tpPrevious;
DWORD cbPrevious = sizeof(TOKEN_PRIVILEGES);
if (!LookupPrivilegeValue(NULL, Privilege, &luid)) return FALSE;
@xpn
xpn / wannacry_file_extensions.txt
Created May 12, 2017 23:41
A list of file extensions searched and encrypted by the WannaCry ransomware
View wannacry_file_extensions.txt
.der
.pfx
.key
.crt
.csr
.p12
.pem
.odt
.ott
.sxw
@xpn
xpn / dotnet_unhook_etw.cs
Created March 17, 2020 21:00
View dotnet_unhook_etw.cs
using System;
using System.Reflection;
using System.Runtime.InteropServices;
namespace test
{
class Win32
{
[DllImport("kernel32")]
public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
@xpn
xpn / DogFoodExec.cs
Created May 3, 2021 23:10
https://blog.xpnsec.com/weird-ways-to-execute-dotnet/
View DogFoodExec.cs
using System;
using System.Reflection;
using System.Runtime.InteropServices;
using System.Linq;
namespace NautilusProject
{
internal class CombinedExec
{
public static IntPtr AllocMemory(int length)
@xpn
xpn / dotnet_etw.c
Created March 16, 2020 19:25
A demo of how to collect information on basic .NET events from ETW.
View dotnet_etw.c
#define AssemblyDCStart_V1 155
#define MethodLoadVerbose_V1 143
#include <windows.h>
#include <stdio.h>
#include <wbemidl.h>
#include <wmistr.h>
#include <evntrace.h>
#include <Evntcons.h>
@xpn
xpn / LAPSDecrypt.cs
Last active May 17, 2023 20:53
Quick POC looking at how encryption works for LAPS (v2)
View LAPSDecrypt.cs
using System;
using System.Collections.Generic;
using System.DirectoryServices.Protocols;
using System.Globalization;
using System.Linq;
using System.Runtime.InteropServices;
using System.Runtime.InteropServices.ComTypes;
using System.Security.Policy;
using System.Security.Principal;
using System.Text;