Dirk-jan dirkjanm
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Get Hello cert | |
| $certs = get-childitem Cert:\CurrentUser\My\ | where { $_.subject -like "*login.windows.net*" } | |
| $cert = $certs[0]; | |
| $targetuser = $cert.Subject.Split('/')[-1] | |
| Write-Host Found cert with $cert.Subject | |
| $signature = @" | |
| [DllImport("Crypt32.dll", SetLastError = true, CharSet = CharSet.Auto)] | |
| public static extern bool CertGetCertificateContextProperty( | |
| IntPtr pCertContext, |
dirkjanm
/ identitybackdoor.kql
Last active
March 14, 2023 23:39
KQL query to monitor or hunt for users modifying their own identities
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Users changing their own identities hunting | |
| // Query by @_dirkjan / Outsider Security - released as CC BY (https://creativecommons.org/licenses/by/2.0/) | |
| AuditLogs | |
| | where OperationName =~ "Update user" | |
| | where Result =~ "success" | |
| | mv-expand target = TargetResources | |
| | extend targetUPN = tostring(TargetResources[0].userPrincipalName) | |
| | extend targetId = tostring(TargetResources[0].id) | |
| | extend targetType = tostring(TargetResources[0].type) | |
| | extend modifiedProps = TargetResources[0].modifiedProperties |
dirkjanm
/ guestinvite.kql
Last active
August 17, 2022 23:50
KQL query to hunt for guest invite abuse
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Guest invite abuse hunting | |
| // Query by @_dirkjan / Outsider Security - released as CC BY (https://creativecommons.org/licenses/by/2.0/) | |
| AuditLogs | |
| | where OperationName =~ "Update user" | |
| | where Result =~ "success" | |
| | mv-expand target = TargetResources | |
| | where tostring(InitiatedBy.user.userPrincipalName) has "@" or tostring(InitiatedBy.app.displayName) has "@" | |
| | extend targetUPN = tostring(TargetResources[0].userPrincipalName) | |
| | extend targetId = tostring(TargetResources[0].id) | |
| | extend targetType = tostring(TargetResources[0].type) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| #################### | |
| # | |
| # Copyright (c) 2022 Dirk-jan Mollema (@_dirkjan) | |
| # | |
| # Permission is hereby granted, free of charge, to any person obtaining a copy | |
| # of this software and associated documentation files (the "Software"), to deal | |
| # in the Software without restriction, including without limitation the rights | |
| # to use, copy, modify, merge, publish, distribute, sublicense, and/or sell | |
| # copies of the Software, and to permit persons to whom the Software is |
dirkjanm
/ krbhttp.py
Created
September 20, 2021 08:05
Small Kerberos tool to use a service ticket in HTTP context
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import struct | |
| import os | |
| import datetime | |
| import base64 | |
| from binascii import unhexlify | |
| from pyasn1.type.univ import noValue | |
| from pyasn1.codec.der import decoder, encoder | |
| from ldap3 import Server, Connection, NTLM, ALL, SASL, KERBEROS | |
| from ldap3.core.results import RESULT_STRONGER_AUTH_REQUIRED | |
| from ldap3.operation.bind import bind_operation |
dirkjanm
/ PRTKeyDerivation.cpp
Created
August 5, 2020 18:03
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // PRTKeyDerivation.cpp : This file contains the 'main' function. Program execution begins and ends there. | |
| // | |
| #include "pch.h" | |
| #include <iostream> | |
| #include "ntstatus.h" | |
| #include "windows.h" | |
| #include "bcrypt.h" | |
| int main(int argc, char* argv[], char* envp[]) |
dirkjanm
/ getloggedon.py
Created
September 15, 2018 19:27
Simple script that uses impacket to enumerate logged on users as admin using NetrWkstaUserEnum and impacket
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| # Copyright (c) 2012-2018 CORE Security Technologies | |
| # | |
| # This software is provided under under a slightly modified version | |
| # of the Apache Software License. See the accompanying LICENSE file | |
| # for more information. | |
| # | |
| # Gets logged on users via NetrWkstaUserEnum (requires admin on targets). | |
| # Mostly adapted from netview.py and lookupsid.py | |
| # |
dirkjanm
/ ntsecdesctest.py
Created
April 13, 2018 10:08
Test Security Descriptor encoding/decoding in impacket
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| #################### | |
| # | |
| # Copyright (c) 2018 Dirk-jan Mollema - Fox-IT | |
| # | |
| # Permission is hereby granted, free of charge, to any person obtaining a copy | |
| # of this software and associated documentation files (the "Software"), to deal | |
| # in the Software without restriction, including without limitation the rights | |
| # to use, copy, modify, merge, publish, distribute, sublicense, and/or sell | |
| # copies of the Software, and to permit persons to whom the Software is |