Skip to content

Instantly share code, notes, and snippets.

View EvanMcBroom's full-sized avatar

Evan McBroom EvanMcBroom

193 followers · 206 following
View GitHub Profile
@EvanMcBroom
EvanMcBroom / sleepy.md
Last active December 14, 2023 20:39
Sleepy - Python Tooling for Sleep

Sleepy - Python Tooling for Sleep

Thank you to SpecterOps for supporting this research and to Sarah, Cody, and Daniel for proofreading and editing! Crossposted on the SpecterOps Blog.

TL;DR: You can use sleepy to automate common tasks when working with Sleep code.

Raphael Mudge created the embeddable scripting language, Sleep, in April 2002. Sleep was designed to extend Java applications and has been used in few projects; most notably Cobalt Strike.

@EvanMcBroom
EvanMcBroom / lsa-whisperer.md
Last active December 24, 2024 19:10
LSA Whisperer

LSA Whisperer

Thank you to SpecterOps for supporting this research, to Elad for helping draft this blog, and to Sarah, Daniel, and Adam for proofreading and editing! Crossposted on the SpecterOps Blog.

What follows is the culmination of two years of research with funding by SpecterOps and contributions from many of my coworkers.

Special thanks are needed to Elad, Lee, Will, Daniel, and Kai. Elad, Lee, and Will have contributed several ideas to the project, which are documented here, and have each spent multiple days testing the tool. Daniel has answered all of my inevitable questions about AzureAD (whoops, now Ent

@EvanMcBroom
EvanMcBroom / exec_remote_process.cpp
Last active August 8, 2025 03:33
Examples of using an impersonation token instead of explicit credentials to create a process on a remote host via DCOM and MS-WMI.
// Copyright (C) 2024 Evan McBroom
#include <Windows.h>
#include <iostream>
#include <vector>
#include <WbemCli.h>
#include <atlbase.h>
#include <iomanip>
// The modified, compiled IDL file from:
@EvanMcBroom
EvanMcBroom / unlock_ldr.cpp
Last active August 11, 2025 12:43
Example code that may be used in DllMain to unlock the loader lock.
// Copyright (C) 2023 Evan McBroom
// Originally authored October 19th, 2023.
//
// Geoff Chappell first documented the format of the loader lock cookie on November 26th, 2008.
// His work is applied here to unlock the loader lock without knowing the original cookie that
// LdrLockLoaderLock returned. This same example code may be safely used in DllMain to unlock
// the loader lock and execute code that would otherwise deadlock the loader.
// Sources:
// - https://www.geoffchappell.com/studies/windows/win32/ntdll/api/ldrapi/lockloaderlock.htm
// - https://www.geoffchappell.com/studies/windows/win32/ntdll/api/ldrapi/unlockloaderlock.htm
@EvanMcBroom
EvanMcBroom / decrypt_cluster_resourcedata.cpp
Last active August 14, 2025 17:42
Decryption code for Windows Server failover cluster ResourceData.
// Copyright (C) 2025 Evan McBroom and Garrett Foster
//
// Permission is hereby granted, free of charge, to any person obtaining a copy
// of this software and associated documentation files (the "Software"), to deal
// in the Software without restriction, including without limitation the rights
// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
// copies of the Software, and to permit persons to whom the Software is
// furnished to do so, subject to the following conditions:
//
// The above copyright notice and this permission notice shall be included in