With kerbrute.py:
python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>
With Rubeus version with brute module:
javascript: (function () {
    new_window = window.open();
    new_window.document.body.innerHTML = $("iframe")
        .contents()
        .find("iframe")
        .contents()
        .find("body")
        .get(1).innerHTML;
    new_window.document.body.querySelector("#content-overlays").remove();
})();
# to generate your dhparam.pem file, run in the terminal
openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
<#
.Synopsis
   Disconnects your user from remote computers
.DESCRIPTION
   This script uses quser to scan for sessions on a remote computer and then rwinsta to disconnect them
.NOTES
.LINK
#>
#!/usr/bin/env python3
# Purpose: To check for and reveal AD user accounts that share passwords using a hashdump from a Domain Controller
# Script requires a command line argument of a file containing usernames/hashes in the format of user:sid:LMHASH:NTLMHASH:::
# ./check_hashes.py <hash_dump>
import argparse, re
parser = argparse.ArgumentParser(description="Check user hashes against each other to find users that share passwords")
parser.add_argument("hash_dump", help="hashdump file with one user:sid:LMHASH:NTLMHASH::: entry per line")
users_by_nt = {}  # NTLM hash -> accounts carrying it; an identical NT hash means an identical password
for line in open(parser.parse_args().hash_dump):
    if m := re.match(r"([^:]+):[^:]*:[0-9a-fA-F]{32}:([0-9a-fA-F]{32}):::", line):
        users_by_nt.setdefault(m.group(2).lower(), []).append(m.group(1))
for nt, users in users_by_nt.items():
    if len(users) > 1:  # only report hashes shared by more than one account
        print(f"{nt}: {', '.join(users)}")
# Get Domain Controllers for current domain
$DCs = Get-ADGroupMember "Domain Controllers"
# Initiate the clients array
$Clients = @()
Foreach ($DC in $DCs) {
    # Define the netlogon.log path
    $NetLogonFilePath = "\\" + $DC.Name + "\C$\Windows\debug\netlogon.log"
    # Reading the content of the netlogon.log file
    try { $NetLogonFile = Get-Content -Path $NetLogonFilePath -ErrorAction Stop }
    catch { "Error reading $NetLogonFilePath" }
}
// Enrich DeviceNetworkEvents with the port number Servicename information
let iana_port_assignments = (externaldata(entry: string) [@"https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.csv"]
with (format="txt", ignoreFirstRecord=true))
// iana_port_assignments
// Service Name,Port Number,Transport Protocol,Description,Assignee,Contact,Registration Date,Modification Date,Reference,Service Code,Unauthorized Use Reported,Assignment Notes
| extend data = parse_csv(entry)
| extend ServiceName = tostring(data[0])
| extend PortNumber = toint(data[1])
| project ServiceName, PortNumber
| summarize any(ServiceName) by PortNumber;
let serverlist = DeviceInfo
| where DeviceType != "Workstation"
| distinct DeviceId;
let suspiciousdrivers = DeviceImageLoadEvents
| where DeviceId in (serverlist)
| where FolderPath startswith @"c:\windows\system32\spool\drivers"
| distinct SHA1
| invoke FileProfile(SHA1, 1000)
| where GlobalPrevalence < 50 and IsRootSignerMicrosoft != 1 and SignatureState != "SignedValid";
suspiciousdrivers
In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished, in short, by:
The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.
https://threatview.io/Downloads/High-Confidence-CobaltStrike-C2%20-Feeds.txt
IP,Date of Detection,Host,Protocol,Beacon Config,Comment
Inspiration: https://azurecloudai.blog/2021/08/12/how-to-use-threatview-io-threat-intelligence-feeds-with-azure-sentinel/
// C2 Hunt Feed - Infrastructure hosting Command & Control Servers found during Proactive Hunt by Threatview.io
// #IP,Date of Detection,Host,Protocol,Beacon Config,Comment