
Fabian Bader f-bader

Event
| where EventID == "4104"
| extend ParsedEvent = parse_xml(strcat("<root>", ParameterXml, "</root>"))
| extend MessageNumber = tolong(ParsedEvent.root.Param[0])
| extend MessageTotal = tolong(ParsedEvent.root.Param[1])
| extend ScriptBlockElement = iff(
    strlen(tostring(ParsedEvent.root.Param[2]["#text"])) > 0,
    ParsedEvent.root.Param[2]["#text"],
    ParsedEvent.root.Param[2])
| extend ScriptBlockId = tostring(ParsedEvent.root.Param[3])
@potatoqualitee
potatoqualitee / hugo.yml
Created February 20, 2022 20:12
github actions / hugo
name: github pages
on:
  push:
    branches:
      - blog # Set a branch to deploy
  pull_request:
jobs:
  deploy:
@jborean93
jborean93 / KDCProxy.ps1
Last active November 13, 2024 01:59
Functions to help set up a KDC proxy server and add client proxy servers - https://syfuhs.net/kdc-proxy-for-remote-access
# Copyright: (c) 2022, Jordan Borean (@jborean93) <[email protected]>
# MIT License (see LICENSE or https://opensource.org/licenses/MIT)
Function Install-KDCProxyServer {
<#
.SYNOPSIS
Set up a KDC Proxy server.
.DESCRIPTION
Sets up the KDC proxy server on the current host.
@andyrobbins
andyrobbins / AuditAppRoles.ps1
Created November 16, 2021 22:39
Audit app roles
## Find dangerous API permissions as a user
$AzureTenantID = '<Your tenant ID>'
$AccountName = '<Username>@<Domain.com>'
$Password = ConvertTo-SecureString '<Your password>' -AsPlainText -Force
$Credential = New-Object System.Management.Automation.PSCredential($AccountName, $Password)
Connect-AzAccount -Credential $Credential -TenantID $AzureTenantID
function Get-AzureGraphToken
{
@mttaggart
mttaggart / make-lnk.ps1
Last active September 23, 2023 20:15
make-lnk.ps1
param ( [string]$SourceExe, [string]$DestinationPath, [string]$IconPath)
$WshShell = New-Object -comObject WScript.Shell
$Shortcut = $WshShell.CreateShortcut($DestinationPath)
$Shortcut.RelativePath = "..\..\..\..\..\..\..\..\..\$SourceExe"
$Shortcut.IconLocation = $IconPath
$Shortcut.TargetPath = $SourceExe
$Shortcut.Save()

C2 Hunt Feed - Infrastructure hosting Command & Control Servers found during Proactive Hunt by Threatview.io

https://threatview.io/Downloads/High-Confidence-CobaltStrike-C2%20-Feeds.txt

Feed columns: IP,Date of Detection,Host,Protocol,Beacon Config,Comment

Inspiration: https://azurecloudai.blog/2021/08/12/how-to-use-threatview-io-threat-intelligence-feeds-with-azure-sentinel/

// C2 Hunt Feed - Infrastructure hosting Command & Control Servers found during Proactive Hunt by Threatview.io
// #IP,Date of Detection,Host,Protocol,Beacon Config,Comment
@gladiatx0r
gladiatx0r / Workstation-Takeover.md
Last active March 17, 2025 03:05
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure

Overview

In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished, in short, by:

  • Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
  • Relaying that machine authentication to LDAPS for configuring RBCD
  • RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.

@olafhartong
olafhartong / 2021-1675-spooler-imageloads.kql
Last active November 2, 2024 13:39
2021-1675 - PrintNightmare KQL - MDE
let serverlist=DeviceInfo
| where DeviceType != "Workstation"
| distinct DeviceId;
let suspiciousdrivers=DeviceImageLoadEvents
| where DeviceId in (serverlist)
| where FolderPath startswith @"c:\windows\system32\spool\drivers"
| distinct SHA1
| invoke FileProfile(SHA1, 1000)
| where GlobalPrevalence < 50 and IsRootSignerMicrosoft != 1 and SignatureState != "SignedValid";
suspiciousdrivers
@alexverboon
alexverboon / DeviceNetworkEvents_Iana.kql
Created May 27, 2021 06:55
Enrich DeviceNetworkEvents with the port number Service name information
// Enrich DeviceNetworkEvents with the port number Servicename information
let iana_port_assignments = (externaldata(entry: string ) [@"https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.csv"]
with (format="txt",ignoreFirstRecord=true))
//iana_port_assignments
// Service Name,Port Number,Transport Protocol,Description,Assignee,Contact,Registration Date,Modification Date,Reference,Service Code,Unauthorized Use Reported,Assignment Notes
| extend data = parse_csv(entry)
| extend ServiceName = tostring(data[0])
| extend PortNumber = toint(data[1])
| project ServiceName, PortNumber
| summarize any(ServiceName) by PortNumber
@TarlogicSecurity
TarlogicSecurity / kerberos_attacks_cheatsheet.md
Created May 14, 2019 13:33
A cheatsheet with commands that can be used to perform kerberos attacks

Kerberos cheatsheet

Bruteforcing

With kerbrute.py:

python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>

With Rubeus version with brute module: