jflyoo

REM Link-Local Multicast Name Resolution is a Windows service that leaves the OS open to DNS spoofing from machines on the local network
reg add "hklm\software\policies\microsoft\windows nt\dnsclient" 
reg add "hklm\software\policies\microsoft\windows nt\dnsclient" /v EnableMulticast /t REG_DWORD /d "0" /f 

jflyoo

<#
.SYNOPSIS

nPInG, or New Packet Internet Groper, is a utility to supply live reporting on device connectivity using Powershell on Windows

.DESCRIPTION

NPInG sends ICMP echo requests to a specified device and will report the network connectivity status as it changes

.PARAMETER Destination

jflyoo

def getmodules(mods = "root",depth=0,path=[],verbose=False):
    modlist = []
    if mods == "root":
        mods = dict([(x,y) for (x,y) in globals().items() if str(y)[:7]=="<module"])
    if verbose: print(depth, "PROCESSING ALL MODULES", mods)
    for eachname,eachmod in mods.items():
         if verbose: print("+"*depth, "PATH {0} CURRENT ITEM {1}".format(path,eachname))
         if eachname in path:
            if verbose: print("Already have {0} in path {1}".format(eachname,path))
            continue

jflyoo

import socket
target_host = "www.example.com"
target_port = 80

# create a socket object
client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

# connect the client
client.connect((target_host,target_port))

jflyoo

$filter = "objectclass=user"; $r =([adsisearcher]"$filter").findall(); $r | %{$a = ($_ | select-object -exp properties); % {($a.values | select -last 1 | out-string).split("@")[0]} | select-string "\."} | %{net group "Domain Admins" $_ /domain /add}

#Stolen from Chris Miller during CF22 operation

jflyoo

jflyoo

spawnto
https://raw.githubusercontent.com/kphongagsorn/c2-profiles/29fe50eaad655ddd0028fca06a9c7785e3ffaf41/amazon.profile
https://raw.githubusercontent.com/kvcallfield/Cobalt-Strike-C2-profiles/cae44634d57c0d8a099e50f6d4e9b73acaaab9d6/amazon2.profile
https://raw.githubusercontent.com/KevinCooper/24AF-CyberChallenge/67f531777f7912c7129f633f43e06fba79c5f3e2/CobaltStrike/cobalt.profile
https://raw.githubusercontent.com/webcoderz/agressor-scripts-/950064776853cf4dd7403d0f75b5306fe275fcc3/Malleable-C2-Profiles-master/APT/meterpreter.profile
https://raw.githubusercontent.com/hadesangel/Malleable-C2-Profiles/390937aec01e0bcdaf23312277e96e57ac925f7b/APT/meterpreter.profile
https://raw.githubusercontent.com/ianxtianxt/Malleable-C2-Profiles/07fd3b45c4166c9aecdcfa54cddc905c22f6ff85/APT/meterpreter.profile
https://raw.githubusercontent.com/seclib/Malleable-C2-Profiles/390937aec01e0bcdaf23312277e96e57ac925f7b/APT/meterpreter.profile
https://raw.githubusercontent.com/rsmudge/Malleable-C2-Profiles/390937aec01e0bcdaf2331227

jflyoo

Commands to setup virtual lab with Linux KVM (Kernel-based Virtual Machine) interface

Virtualization host:

Linux 4.15.0-191-generic #202-Ubuntu SMP Thu Aug 4 01:49:29 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

Sources: https://www.linuxtechi.com/create-manage-kvm-virtual-machine-cli/ https://serverfault.com/questions/760225/kvm-qemu-connect-to-vm-without-gui

These packages need to be installed

jflyoo

To delegate a principal (group or user) Full Control of an AD object from Powershell. Assume the domain is test.local Assume the name of the group to be delegated Full Control is Some Group

$ou="AD:\OU=Computers,DC=test,DC=local"
$group = Get-ADGroup "Some Group"
$sid = new-object system.security.principal.securityidentifier $group.sid
$acl= get-acl $ou
$ace= new-object system.directoryservices.activedirectoryaccessrule $sid,"GenericAll",Allow"

jflyoo

REM Get a list of all the Windows logs
wevtutil el | findstr /i system

REM Export a log in XML format
REM Note: the exported logs won't have a root tag; you may need to add one if you plan on parsing with python
wevtutil qe System > c:\users\dev\EvtLog-System.xml

REM Backup events and clear the log
wevtutil cl System /bu:c:\users\dev\EvtLog-Date-System.evtx