Jesse Moore (jessefmoore)
# 10-02-2021 -dfir-jesseee
# For CyberForce 2021
# Get-FileHash to obtain the MD5 hash of the file to watch for; put that value in $BadHash
# EXAMPLE:
# Get-FileHash -Algorithm MD5 .\Canary_Token_password.docx
#
$ASCII = @"
(ASCII-art banner; garbled by extraction and cut off by the listing preview)
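The gist above stores one MD5 value in $BadHash and (per its header) hunts for the canary document by hash. The following is an added example, not the gist's own code: a reusable search that walks a directory tree, hashes each file once, and reports every match against a set of known hashes. The placeholder hash and the `C:\Users` path are assumptions; the real value comes from the Get-FileHash call shown in the gist.

```powershell
# Added example (not part of the gist): locate copies of a known file by hash.
function Find-FileByHash {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [string[]] $Hash,            # one or more hex digests
        [ValidateSet('MD5','SHA1','SHA256')] [string] $Algorithm = 'MD5',
        [long] $MaxBytes = 256MB                            # skip huge files (VM images, pagefiles)
    )
    # Normalise the wanted set once: Get-FileHash emits upper-case hex, analysts paste lower-case.
    $wanted = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
    $Hash | ForEach-Object { [void]$wanted.Add($_.Trim()) }

    Get-ChildItem -Path $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -le $MaxBytes } |
        ForEach-Object {
            $h = Get-FileHash -LiteralPath $_.FullName -Algorithm $Algorithm -ErrorAction SilentlyContinue
            if ($h -and $wanted.Contains($h.Hash)) {
                [PSCustomObject]@{
                    Path          = $_.FullName
                    Algorithm     = $Algorithm
                    Hash          = $h.Hash
                    LastWriteUtc  = $_.LastWriteTimeUtc
                    Owner         = (Get-Acl -LiteralPath $_.FullName -ErrorAction SilentlyContinue).Owner
                }
            }
        }
}

# Usage. The hash below is a constructed placeholder; take the real one from
#   Get-FileHash -Algorithm MD5 .\Canary_Token_password.docx
$BadHash = '00000000000000000000000000000000'
Find-FileByHash -Path 'C:\Users' -Hash $BadHash -Algorithm MD5 |
    Tee-Object -Variable hits |
    Export-Csv -NoTypeInformation -Path (Join-Path $env:TEMP 'badhash-hits.csv')
$hits | Format-Table Path, LastWriteUtc, Owner -AutoSize
```

A hash match finds byte-identical copies only; a renamed copy matches, an edited or re-saved copy does not. MD5 is adequate for matching a file you already know, but MD5 collisions are cheap to construct, so record SHA256 alongside it when the hit is going to be treated as evidence.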
# 10-02-2021 DFIR-Jesseee
# For CyberForce 2021
# Reference https://textkool.com/en/ascii-art-generator?hl=default&vl=default&font=Red%20Phoenix&text=Install%20Sysmon
#
# To download the installSysmon.ps1 so you can manually run it from $Env:temp
# Invoke-WebRequest https://gist.githubusercontent.com/jessefmoore/d0a6325b4133b05a9a18096fdc8a8c78/raw/82ca1f46bbe711c1577c93b34d78356386ad998c/installSysmon.ps1 -OutFile "$env:tmp/installSysmon.ps1" -ErrorAction SilentlyContinue
#
# To run installSysmon.ps1 from memory
# powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://gist.githubusercontent.com/jessefmoore/d0a6325b4133b05a9a18096fdc8a8c78/raw/fd489ab49506409faf8c75bd3dc975a0b5b20f91/installSysmon.ps1'); installSysmon.ps1"
$ASCII = @"
jessefmoore / README.md
Last active October 31, 2022 14:36
Build a custom Windows AMI on AWS using Packer

Windows AWS Packer example

DFIR-Jesseee 2021-2022 WRCCDC

An example of building a Windows Server 2019 AMI on AWS with Packer. The AMI will include Firefox, PuTTY, VSCode and extensions.

This is heavily based on the AWS Windows examples from https://www.packer.io/docs/builders/amazon/ebs

  1. Configure your environment with AWS credentials (environment variables or a shared credentials profile) that are allowed to launch EC2 instances and create AMIs
  2. Run `packer build custom-windows.pkr.hcl`
jessefmoore / Writeup.md
Created October 2, 2021 23:45
Intelligence HackTheBox Machine Writeup !!

Enumeration

NMAP

# Nmap scan as: nmap -A -v -T4 -Pn -oN intial.nmap intelligence.htb
Increasing send delay for 10.129.80.199 from 0 to 5 due to 25 out of 61 dropped probes since last increase.
adjust_timeouts2: packet supposedly had rtt of 10052524 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of 10052524 microseconds.  Ignoring time.
Increasing send delay for 10.129.80.199 from 5 to 10 due to 14 out of 34 dropped probes since last increase.
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
jessefmoore / run.c
Created August 11, 2021 18:10 — forked from Mr-Un1k0d3r/run.c
spawn an invisible process
// To compile: gcc64.exe run.c -o run.exe
// To run: run.exe cmd.exe "/c whoami"
#include <Windows.h>
#include <stdio.h>
int main(int argc, char **argv) {
    // Create a separate, never-shown desktop; a child started with this desktop name in
    // STARTUPINFO.lpDesktop puts its windows there instead of on the interactive desktop.
    CHAR cDesktop[] = "hiddendesktop";
    HDESK hDesk = CreateDesktop(cDesktop, NULL, NULL, DF_ALLOWOTHERACCOUNTHOOK, GENERIC_ALL, NULL);
jessefmoore / Workstation-Takeover.md
Created July 31, 2021 21:14 — forked from gladiatx0r/Workstation-Takeover.md
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure

Overview

In the default configuration of Active Directory, it is possible to remotely take over workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. In short, this is accomplished by:

  • Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
  • Relaying that machine authentication to LDAPS for configuring RBCD
  • RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.
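Each step of the chain above has a defender-side check: whether a host's WebClient service is present and running, whether any computer object already carries an RBCD entry, and whether the domain controllers enforce LDAP signing and channel binding (which is what stops the relay to LDAP and LDAPS respectively). The block below is an added example, not part of the forked write-up; it assumes the RSAT ActiveDirectory module, and `Get-Service -ComputerName` is Windows PowerShell 5.1 only.

```powershell
# Added example (not part of the write-up): audit the preconditions of the RBCD relay chain.
Import-Module ActiveDirectory

function Get-RbcdConfiguredComputers {
    # Every computer whose msDS-AllowedToActOnBehalfOfOtherIdentity is populated. Sanctioned
    # delegations exist, so review each entry instead of treating every hit as an incident.
    Get-ADComputer -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' `
                   -Properties PrincipalsAllowedToDelegateToAccount, whenChanged |
        ForEach-Object {
            [PSCustomObject]@{
                Computer    = $_.Name
                DelegatedTo = @($_.PrincipalsAllowedToDelegateToAccount) -join ';'
                WhenChanged = $_.whenChanged
            }
        }
}

function Get-WebClientState {
    # A running WebClient is what allows the coerced machine authentication to go out over HTTP.
    param([string[]] $ComputerName = @($env:COMPUTERNAME))
    foreach ($c in $ComputerName) {
        $svc = Get-Service -Name WebClient -ComputerName $c -ErrorAction SilentlyContinue
        [PSCustomObject]@{
            Computer  = $c
            Present   = [bool]$svc
            Status    = if ($svc) { $svc.Status.ToString() }    else { $null }
            StartType = if ($svc) { $svc.StartType.ToString() } else { $null }
        }
    }
}

function Get-LdapRelayHardening {
    # Run on a domain controller. LdapEnforceChannelBinding = 2 (always) breaks relay to LDAPS;
    # LDAPServerIntegrity = 2 (require signing) breaks relay to plain LDAP. $null = not configured.
    $k = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $p = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    [PSCustomObject]@{
        LdapEnforceChannelBinding = $p.LdapEnforceChannelBinding
        LDAPServerIntegrity       = $p.LDAPServerIntegrity
    }
}

function Remove-RbcdDelegation {
    # Clears the attribute on one computer; use only after confirming the entry is not sanctioned.
    param([Parameter(Mandatory)][string] $ComputerName)
    Set-ADComputer -Identity $ComputerName -PrincipalsAllowedToDelegateToAccount $null
}

Get-RbcdConfiguredComputers | Format-Table -AutoSize
Get-WebClientState          | Format-Table -AutoSize
```

An RBCD entry that appeared on a workstation object within minutes of an unexplained WebClient start is the pattern to look for; the `whenChanged` column is there so the two timelines can be lined up.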

function PNValidate {
    $Results = [PSCustomObject]@{
        Spooler = $null
        PatchInstalled = $false
        RestrictDriverInstallationToAdministrators = $null
        NoWarningNoElevationOnInstall = $null
        UpdatePromptSettings = $null
        Expoitable = $true
        Explanation = $null
    }
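The preview stops at the empty result object, so the fields it is meant to hold (Spooler state, patch state, and the three Point and Print policy values) are never filled in. The following is an added example, not the gist's own code, showing one way to populate such an object. The registry key and value names are the ones Microsoft documents for the Point and Print hardening; the `$KnownPatchKB` list is an assumption you supply from your own patch baseline for the host's build.

```powershell
# Added example (not the gist's code): fill a PrintNightmare exposure object.
function Test-PrintNightmareExposure {
    param([string[]] $KnownPatchKB = @())   # KB IDs for this OS build, from your patch baseline

    $pp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    function Get-PnpValue([string] $Name) {
        # $null when the key or value is absent, which is the hardened default after the fix
        try { (Get-ItemProperty -Path $pp -Name $Name -ErrorAction Stop).$Name } catch { $null }
    }

    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $r = [PSCustomObject]@{
        Spooler                                    = if ($spooler) { $spooler.Status.ToString() } else { 'NotPresent' }
        PatchInstalled                             = [bool]($KnownPatchKB -and
                                                       (Get-HotFix -ErrorAction SilentlyContinue | Where-Object { $_.HotFixID -in $KnownPatchKB }))
        RestrictDriverInstallationToAdministrators = Get-PnpValue 'RestrictDriverInstallationToAdministrators'
        NoWarningNoElevationOnInstall              = Get-PnpValue 'NoWarningNoElevationOnInstall'
        UpdatePromptSettings                       = Get-PnpValue 'UpdatePromptSettings'
        Exploitable                                = $true
        Explanation                                = $null
    }

    $why = @()
    if ($r.Spooler -ne 'Running') {
        $r.Exploitable = $false
        $why += 'Spooler not running: no remote driver-installation surface'
    } else {
        $weak = $false
        if (-not $r.PatchInstalled) { $weak = $true; $why += 'no KB from $KnownPatchKB found by Get-HotFix' }
        if ($r.RestrictDriverInstallationToAdministrators -eq 0) {
            $weak = $true; $why += 'RestrictDriverInstallationToAdministrators=0 lets non-admins install drivers even on a patched host'
        }
        if ($r.NoWarningNoElevationOnInstall -eq 1) {
            $weak = $true; $why += 'NoWarningNoElevationOnInstall=1: Point and Print installs without an elevation prompt'
        }
        if ($r.UpdatePromptSettings -in 1, 2) {
            $weak = $true; $why += "UpdatePromptSettings=$($r.UpdatePromptSettings): driver updates without an elevation prompt"
        }
        if (-not $weak) { $r.Exploitable = $false; $why += 'patched and Point and Print policy does not weaken the fix' }
    }
    $r.Explanation = $why -join '; '
    $r
}

Test-PrintNightmareExposure | Format-List
```

`PatchInstalled` stays `$false` when no KB list is given, which deliberately errs toward reporting the host as exposed; the policy checks are the more durable signal, since a single `RestrictDriverInstallationToAdministrators = 0` reverses the protection the patch introduced.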
jessefmoore / linux-gui.yml
Created July 1, 2021 15:05 — forked from jeffbrl/linux-gui.yml
Linux Bastion with GUI - CloudFormation template
AWSTemplateFormatVersion: 2010-09-09
Description: >-
  AWS CloudFormation template to create a linux bastion host with a GUI that can
  be accessed via x2go.
Parameters:
  KeyName:
    Description: Name of an existing EC2 KeyPair to enable SSH access to the instances
    Type: String
  VPC:
jessefmoore / defenderwatch.ps1
Created June 6, 2021 22:36 — forked from svch0stz/defenderwatch.ps1
WMI Watcher for Windows Defender RealtimeMonitoring
$WMI = @{
    Query = "SELECT * FROM __InstanceModificationEvent WITHIN 5 WHERE TargetInstance ISA 'MSFT_MpPreference' AND TargetInstance.DisableRealtimeMonitoring=True"
    Action = {
        #$Global:Data = $Event
        Write-Host "Defender Configuration change - DisableRealtimeMonitoring:"$Event.SourceEventArgs.NewEvent.TargetInstance.DisableRealtimeMonitoring"(Old Value:"$Event.SourceEventArgs.NewEvent.PreviousInstance.DisableRealtimeMonitoring")"
    }
    Namespace = 'root\microsoft\windows\defender'
    SourceIdentifier = "Defender.DisableRealtimeMonitoring"
}
$Null = Register-WMIEvent @WMI
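The watcher above fires only when `DisableRealtimeMonitoring` flips to true. Real-time monitoring is one of several MpPreference settings an intruder touches (behaviour monitoring, script scanning, and above all exclusions), and the same `__InstanceModificationEvent` query can cover all of them in one subscription by diffing the previous and new instance in the action. The block below is an added example, not the forked gist; the property list is my choice, and it adds a retrospective query of the Defender operational log for the sessions the watcher was not running.

```powershell
# Added example (not the forked gist): one subscription for several tamper-relevant settings.
$TamperProps = 'DisableRealtimeMonitoring', 'DisableBehaviorMonitoring', 'DisableIOAVProtection',
               'DisableScriptScanning', 'ExclusionPath', 'ExclusionProcess', 'ExclusionExtension'

$WMI = @{
    # No property filter in WQL: any MpPreference modification is delivered, the action decides.
    Query            = "SELECT * FROM __InstanceModificationEvent WITHIN 5 WHERE TargetInstance ISA 'MSFT_MpPreference'"
    Namespace        = 'root\microsoft\windows\defender'
    SourceIdentifier = 'Defender.MpPreference.Tamper'
    MessageData      = $TamperProps          # reaches the action as $Event.MessageData
    Action           = {
        $e = $Event.SourceEventArgs.NewEvent
        foreach ($p in $Event.MessageData) {
            # Exclusion* are string arrays; join so adds/removes show up as a text diff.
            $before = @($e.PreviousInstance.$p) -join ','
            $after  = @($e.TargetInstance.$p)   -join ','
            if ($before -ne $after) {
                Write-Host ("{0:u} MpPreference.{1}: '{2}' -> '{3}'" -f (Get-Date), $p, $before, $after)
            }
        }
    }
}
$Null = Register-WmiEvent @WMI

function Get-DefenderTamperEvents {
    # Retrospective view from the Defender operational log:
    #   5001 = real-time protection disabled, 5007 = antimalware platform configuration changed
    param([int] $Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5001, 5007
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

Get-DefenderTamperEvents -Days 7 | Format-List
```

`Register-WmiEvent` creates a temporary subscription that dies with the PowerShell session, so this is a live-triage tool rather than a persistent sensor; for always-on coverage forward event IDs 5001 and 5007 from that log to your SIEM instead. Where Defender Tamper Protection is on, the modification events still appear when a change is blocked and rolled back, which is itself worth alerting on.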
jessefmoore / SysmonStartup.bat
Last active May 17, 2021 20:01 — forked from silentbreaksec/SysmonStartup.bat
Windows batch file to deploy Sysmon using a startup script via GPO
@echo off
:: Author: Ryan Watson
:: Twitter: @gentlemanwatson
:: Version: 1.0
:: Credits: Credit to Syspanda.com and their Sysmon GPO article for the kick off point
:: https://www.syspanda.com/index.php/2017/02/28/deploying-sysmon-through-gpo/
:: ** IMPORTANT **
:: 1) Create a Sysmon folder in the SYSVOL share on your domain controller
:: 2) Download Sysmon from Microsoft and place both sysmon.exe and sysmon64.exe in
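Both the installSysmon.ps1 gist earlier on this page and this startup-script gist deploy Sysmon from a file share at boot. The block below is an added example and not the code of either gist: a PowerShell startup script that installs Sysmon on first run, pushes a new configuration only when the config file's SHA256 changes, and refuses to execute a binary from the share unless it carries a valid Microsoft Authenticode signature. The SYSVOL path, config file name and state directory are assumptions; the `-accepteula -i` and `-c` switches are Sysmon's documented install and update-configuration flags.

```powershell
# Added example (not the gist's batch file): idempotent Sysmon deploy for a GPO startup script.
$ErrorActionPreference = 'Stop'
$Share     = '\\corp.example\SYSVOL\corp.example\Sysmon'          # assumed SYSVOL folder
$ConfigSrc = Join-Path $Share 'sysmonconfig.xml'                   # assumed config file name
$Is64      = [Environment]::Is64BitOperatingSystem
$Binary    = Join-Path $Share $(if ($Is64) { 'sysmon64.exe' } else { 'sysmon.exe' })
$SvcName   = if ($Is64) { 'Sysmon64' } else { 'Sysmon' }           # service name follows the binary
$StateDir  = Join-Path $env:ProgramData 'SysmonDeploy'             # assumed local state directory
$StateFile = Join-Path $StateDir 'config.sha256'
$LogFile   = Join-Path $StateDir 'deploy.log'
New-Item -ItemType Directory -Path $StateDir -Force | Out-Null

function Write-Log([string] $Msg) {
    Add-Content -Path $LogFile -Value ("{0:u} {1}" -f (Get-Date), $Msg)
}

function Test-MicrosoftSigned([string] $Path) {
    # Anyone who can write to the share could swap the binary; the signature is the gate.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    return ($sig.Status -eq 'Valid' -and $sig.SignerCertificate.Subject -like '*O=Microsoft Corporation*')
}

function Get-DeployedConfigHash {
    if (Test-Path $StateFile) { (Get-Content -Path $StateFile -Raw).Trim() } else { $null }
}

function Install-OrUpdateSysmon {
    if (-not (Test-MicrosoftSigned $Binary)) {
        Write-Log "signature check failed for $Binary; aborting"
        return 'aborted'
    }
    $wantHash = (Get-FileHash -Algorithm SHA256 -LiteralPath $ConfigSrc).Hash
    $svc      = Get-Service -Name $SvcName -ErrorAction SilentlyContinue

    if (-not $svc) {
        & $Binary -accepteula -i $ConfigSrc | Out-Null     # first install: driver + service + config
        $action = 'installed'
    } elseif ((Get-DeployedConfigHash) -ne $wantHash) {
        & $Binary -c $ConfigSrc | Out-Null                 # already installed: load the new config only
        $action = 'config updated'
    } else {
        Write-Log 'up to date'
        return 'up to date'
    }

    if ($LASTEXITCODE -ne 0) {
        Write-Log "$Binary exited $LASTEXITCODE during '$action'"
        return 'failed'
    }
    Set-Content -Path $StateFile -Value $wantHash          # remember what is now loaded
    Write-Log "$action (config sha256 $wantHash)"
    return $action
}

Install-OrUpdateSysmon
```

Keying the update on the config file's SHA256 rather than on a version string means an edited config with the same version is still picked up, and the log line records exactly which config each host loaded and when, which is what you want when tuning rules across a fleet.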