This doc describes how to install Kali Linux on WSLv2.
param (
    [string]$cpassword
)
function Get-DecryptedCpassword {
    [CmdletBinding()]
    Param (
        [string] $Cpassword
    )
using System;
using System.IO;
using System.Diagnostics;
using System.Reflection;
using System.Runtime.InteropServices;
using System.Net;
using System.IO.Compression;
public class Payload
{
<?xml version="1.0" encoding="utf-8"?>
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
  <VersionEx>10.0.1.0</VersionEx>
  <PolicyID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyID>
  <BasePolicyID>{A244370E-44C9-4C06-B551-F6016E563076}</BasePolicyID>
  <PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
  <Rules>
    <Rule><Option>Enabled:Unsigned System Integrity Policy</Option></Rule>
    <Rule><Option>Enabled:Audit Mode</Option></Rule>
    <Rule><Option>Enabled:Advanced Boot Options Menu</Option></Rule>
Finding creds in git repos is awesome.
$ for commit in $(seq 1 $(git reflog | wc -l)); do git diff HEAD@{$commit} 2>/dev/null | grep password; done
-spring.datasource.password=g!'301T%y%xT@uL`
+spring.datasource.password=4AT&G;[H@&'\^uDK
-spring.datasource.password=UmAnR=-v|{2=gyx?
+spring.datasource.password=4AT&G;[H@&'\^uDK
...
@echo off
:: Author: Ryan Watson
:: Twitter: @gentlemanwatson
:: Version: 1.0
:: Credits: Credit to Syspanda.com and their Sysmon GPO article for the kick off point
:: https://www.syspanda.com/index.php/2017/02/28/deploying-sysmon-through-gpo/
:: ** IMPORTANT **
:: 1) Create a Sysmon folder with the SYSVOL share on your domain controller
:: 2) Download Sysmon from Microsoft and place both sysmon.exe and sysmon64.exe in
$WMI = @{
    Query = "SELECT * FROM __InstanceModificationEvent WITHIN 5 WHERE TargetInstance ISA 'MSFT_MpPreference' AND TargetInstance.DisableRealtimeMonitoring=True"
    Action = {
        #$Global:Data = $Event
        Write-Host "Defender Configuration change - DisableRealtimeMonitoring:"$Event.SourceEventArgs.NewEvent.TargetInstance.DisableRealtimeMonitoring"(Old Value:"$Event.SourceEventArgs.NewEvent.PreviousInstance.DisableRealtimeMonitoring")"
    }
    Namespace = 'root\microsoft\windows\defender'
    SourceIdentifier = "Defender.DisableRealtimeMonitoring"
}
$Null = Register-WMIEvent @WMI
AWSTemplateFormatVersion: 2010-09-09
Description: >-
  AWS CloudFormation template to create a linux bastion host with a GUI that can
  be accessed via x2go.
Parameters:
  KeyName:
    Description: Name of an existing EC2 KeyPair to enable SSH access to the instances
    Type: String
  VPC:
function PNValidate {
    $Results = [PSCustomObject]@{
        Spooler = $null
        PatchInstalled = $false
        RestrictDriverInstallationToAdministrators = $null
        NoWarningNoElevationOnInstall = $null
        UpdatePromptSettings = $null
        Expoitable = $true
        Explanation = $null
    }
In the default configuration of Active Directory, it is possible to remotely take over workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. In short, this is accomplished by:
- Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
- Relaying that machine authentication to LDAPS for configuring RBCD
- RBCD takeover
The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.