Skip to content

Instantly share code, notes, and snippets.

View C0axx's full-sized avatar

Curtis Ringwald C0axx

71 followers · 109 following
View GitHub Profile
@EvanMcBroom
EvanMcBroom / sms-crypto-unobfuscate-string.c
Last active January 24, 2024 23:48
SCCM Credential Recovery for Network Access Accounts
/*
* Research by Evan McBroom and Chris Thompson (@_Mayyhem)
* Roger Zander made security recommendations for SCCM based on the claim that NAA credentials could be recovered.
* Source: https://rzander.azurewebsites.net/network-access-accounts-are-evil/
* Roger stated that recover was "possible with a few lines of code" but did not provide any code. Here is working code.
*/
#include <Windows.h>
#include <stdio.h>
@SwitHak
SwitHak / 20211210-TLP-WHITE_LOG4J.md
Last active May 26, 2025 21:01
BlueTeam CheatSheet * Log4Shell* | Last updated: 2021-12-20 2238 UTC

Security Advisories / Bulletins / vendors Responses linked to Log4Shell (CVE-2021-44228)

Errors, typos, something to say ?

  • If you want to add a link, comment or send it to me
  • Feel free to report any mistake directly below in the comment or in DM on Twitter @SwitHak

Other great resources

  • Royce Williams list sorted by vendors responses Royce List
  • Very detailed list NCSC-NL
  • The list maintained by U.S. Cybersecurity and Infrastructure Security Agency: CISA List
@mgraeber-rc
mgraeber-rc / AMSITools.psm1
Created November 10, 2021 18:41
Get-AMSIEvent and Send-AmsiContent are helper functions used to validate AMSI ETW events. Note: because this script contains the word AMSI, it will flag most AV engines. Add an exception on a test system accordingly in order to get this to work.
filter Send-AmsiContent {
<#
.SYNOPSIS
Supplies the AmsiScanBuffer function with a buffer to be scanned by an AMSI provider.
Author: Matt Graeber
Company: Red Canary
.DESCRIPTION
@klezVirus
klezVirus / EtwStartWebClient.cs
Last active April 27, 2025 10:23
A PoC in C# to enable WebClient Programmatically
using System.Runtime.InteropServices;
using System;
/*
* Simple C# PoC to enable WebClient Service Programmatically
* Based on the C++ version from @tirannido (James Forshaw)
* Twitter: https://twitter.com/tiraniddo
* URL: https://www.tiraniddo.dev/2015/03/starting-webclient-service.html
*
* Compile with:
@mbierman
mbierman / logspeed.sh
Last active January 25, 2024 14:26
Log speedtest results on Firewalla
#!/bin/bash
# https://gist.github.com/mbierman/6a32df2909202c373a6a39063181dc40
# v 0.4.1
BASEDIR=$(dirname $0)
IFTTTKEY="$(cat $BASEDIR/IFTTT.data | grep IFTTTKEY| cut -f2 -d "=" )"
EVENT="FWspeedtest"
log=/data/logs/logspeed.log
@MHaggis
MHaggis / conti.cna
Created August 9, 2021 14:15
#AntiVirus Query
#Author: @r3dQu1nn
#Queries the Registry for AV installed
#Thanks to @i_am_excite and @merrillmatt011 for the help
#Props to @zerosum0x0 for the wmic find!
#Long ass one-liner :)
$powershellcmd = "\$av_list = @(\"BitDefender\", \"Kaspersky\", \"McAfee\", \"Norton\", \"Avast\", \"WebRoot\", \"AVG\", \"ESET\", \"Malware\", \"Windows Defender\");\$av_install = Get-ItemProperty HKLM:\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\*;\$av_install1 = Get-ItemProperty HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\*;\$regkey = 'HKLM:\\SOFTWARE\\Microsoft\\Windows Defender\\Signature Updates\\';\$av_loop2 = foreach (\$av1 in \$av_list){foreach (\$key in \$av_install){if (\$key.DisplayName -match \$av1 -eq \$TRUE){% {\"{0}|{1}|{2}\" -f \$key.DisplayName.ToString(), \$key.DisplayVersion.ToString(), \$key.InstallDate.ToString()}}}};\$proc_temp = Get-Process;\$av_loop = foreach (\$av in \$av_list){foreach (\$zz in \$proc_temp){if (\$zz.path -match \$av -eq \$TRUE)
@gladiatx0r
gladiatx0r / Workstation-Takeover.md
Last active March 17, 2025 03:05
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure

Overview

In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished in short by;

  • Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
  • Relaying that machine authentication to LDAPS for configuring RBCD
  • RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.

@Acebond
Acebond / bh_split2.py
Last active October 3, 2023 17:39
Split large SharpHound datasets (JSON files) into smaller files that can more easily be imported into BloodHound. Especially useful due to the Electron memory limitations.
#!/usr/bin/python3
# Based on https://gist.github.com/deltronzero/7c23bacf97b4b61c7a2f2950ef6f35d8
# pip install simplejson
import simplejson
import sys
def splitfile(file_name, object_limit):
print(f"[*] Loading {file_name}")
with open(file_name) as f:
data = simplejson.load(f)
@knavesec
knavesec / poc.html
Last active October 6, 2024 10:25
External Email Warning Bypass
<!DOCTYPE html>
<html>
<head>
<title></title>
<style type="text/css">
body {
display: none !important;
background:#FFFFFF !important;
}
@MHaggis
MHaggis / malleable_c2_profiles
Last active July 1, 2024 18:55
spawnto
https://raw.githubusercontent.com/kphongagsorn/c2-profiles/29fe50eaad655ddd0028fca06a9c7785e3ffaf41/amazon.profile
https://raw.githubusercontent.com/kvcallfield/Cobalt-Strike-C2-profiles/cae44634d57c0d8a099e50f6d4e9b73acaaab9d6/amazon2.profile
https://raw.githubusercontent.com/KevinCooper/24AF-CyberChallenge/67f531777f7912c7129f633f43e06fba79c5f3e2/CobaltStrike/cobalt.profile
https://raw.githubusercontent.com/webcoderz/agressor-scripts-/950064776853cf4dd7403d0f75b5306fe275fcc3/Malleable-C2-Profiles-master/APT/meterpreter.profile
https://raw.githubusercontent.com/hadesangel/Malleable-C2-Profiles/390937aec01e0bcdaf23312277e96e57ac925f7b/APT/meterpreter.profile
https://raw.githubusercontent.com/ianxtianxt/Malleable-C2-Profiles/07fd3b45c4166c9aecdcfa54cddc905c22f6ff85/APT/meterpreter.profile
https://raw.githubusercontent.com/seclib/Malleable-C2-Profiles/390937aec01e0bcdaf23312277e96e57ac925f7b/APT/meterpreter.profile
https://raw.githubusercontent.com/rsmudge/Malleable-C2-Profiles/390937aec01e0bcdaf2331227