I hereby claim:
- I am leechristensen on github.
- I am tifkin (https://keybase.io/tifkin) on keybase.
- I have a public key whose fingerprint is 91F2 D977 5912 0E51 AD40 0C64 2217 7C8E 7D5A 102D
To claim this, I am signing this object:
Lee Chagolla-Christensen leechristensen
leechristensen
/ keybase.md
Created
April 24, 2017 23:00
leechristensen
/ settingcontent-ms.xsd
Created
June 22, 2017 01:43
.settingcontent-ms XML Schema (embedded in shell.dll)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0" encoding="utf-8"?> | |
| <xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:ac="http://schemas.microsoft.com/Search/2013/SettingContent" targetNamespace="http://schemas.microsoft.com/Search/2013/SettingContent" elementFormDefault="qualified" > | |
| <xsd:annotation> | |
| <xsd:documentation xml:lang="en">Copyright (C) Microsoft. All rights reserved. | |
| Searchable setting content file schema. | |
| </xsd:documentation> | |
| </xsd:annotation> | |
| <xsd:element name="SearchableContent" type="ac:SearchableContentType"/> | |
| <xsd:complexType name="SearchableContentType"> | |
| <xsd:sequence> |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| Unix SMB/CIFS implementation. | |
| RPC pipe client | |
| Copyright (C) Gerald Carter 2001-2005 | |
| Copyright (C) Tim Potter 2000 | |
| Copyright (C) Andrew Tridgell 1992-1999 | |
| Copyright (C) Luke Kenneth Casson Leighton 1996-1999 | |
| Copyright (C) Guenther Deschner 2009 |
leechristensen
/ Get-KerberoastHash.ps1
Created
October 16, 2017 06:08
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # load up the slightly-stripped BouncyCastle library, adapted from https://github.com/bcgit/bc-csharp | |
| # Copyright (c) 2000 - 2015 The Legion of the Bouncy Castle Inc. (http://www.bouncycastle.org) | |
| # see LICENSE_Bouncy_Castles for license information | |
| try { | |
| $null = [Org.BouncyCastle.Asn1.Asn1InputStream] | |
| } catch { | |
| $EncodedCompressedFile = 'xL0LnBxFtT/e293Tj3nsTu/sds/uZnc2j12amdlHZiEsAZIoBCHyJuDsxmSTzRLYBTI4E0ATs8QXokIkuKA3xuiNwL1yRb2IiMhLVFTeRhEFCQjIQ+Wh8Ptdvdcb/uecqurHzCwE7/9///lktqu+51TVqapTVedUV3efOHqlpEiSpMLvzTcl6VaJ/Vsmvf2/bfBrzNzWKN1sPjj31oYTHpy78pzJSvcF5dLZ5XXnd69ft3FjaVP3+Fnd5Qs3dk9u7D7m5NO7zy9NnNWfSEQX8DxOWS5JJzQo0o2XbC6KfJ+W5nXHGgYlSWuVJINh249rkaRuFKwVo0kKy0xuSfKv0rZWwsvrWqFeyz6BrPjfv3oX+nck5HuyxPI9QZVq/61tleIH0BY1/7o90emfAfHjAvH+TWd9cBNcfxRpZfXSmNxVWaztL1fK6yFMsmHdNcysNcS3DP73l886rwSMcS4z5dVYw/fuajEvwHaVmGyyFJEOWR+VLnvOlMwqvtvf00L9/Xb/9k03QGf0ZV1bkqIlB/+k8U8b/NmGJEaPTreHgGyX7HYAktWyo7IyJDtZOa8ofbKdlRU3BrWuA8frwwmE50FAw0BqUJV6QS4oxJK3T0Y1ZftkPzDasVyj5oxEdVnboWg71q2NaX2v6vb+hjo5NtYvqInlr0gZart |
leechristensen
/ FindingComputersWithLocalAdmin.md
Created
August 30, 2019 22:51
Useful cypher queries to find computers that are local admin on other computers, or to find groups containing bother users/computers.
MATCH p1 = (c1:Computer)-[r:MemberOf*1..]->(g1:Group)
WITH c1,g1
MATCH p2 = (g1:Group)-[r:AdminTo]->(c2:Computer)
RETURN c1.name As Principal,c2.name AS Target,g1.name AS ViaGroup
leechristensen
/ 2020.04.12-WDAG_SIPolicy.xml
Last active
April 13, 2020 03:09
Windows Defender Application Guard CI Policy - Used by Edge's container for code integrity. SIPolicy.p7b parsed using Matt Graeber's ConvertTo-WDACCodeIntegrityPolicy https://github.com/mattifestation/WDACTools/tree/dbd11b3c3f5578c635b3e6a0b71c42e24e37a18c
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0"?> | |
| <SiPolicy xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="urn:schemas-microsoft-com:sipolicy"> | |
| <VersionEx>10.0.3.7</VersionEx> | |
| <PolicyTypeID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyTypeID> | |
| <PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID> | |
| <Rules> | |
| <Rule> | |
| <Option>Enabled:UMCI</Option> | |
| </Rule> | |
| <Rule> |
leechristensen
/ MicrosoftAccountTokenProvider.dll ETW Providers.txt
Created
July 11, 2020 00:46
MicrosoftAccountTokenProvider.dll ETW Providers
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Download from TLGMetadataParser.psm1 from https://gist.github.com/mattifestation/edbac1614694886c8ef4583149f53658 | |
| PS C:\> Import-Module TLGMetadataParser.psm1 | |
| PS C:\> Get-TraceLoggingMetadata -Path C:\Windows\system32\MicrosoftAccountTokenProvider.dll | ConvertTo-Json | |
| { | |
| "FilePath": "C:\\Windows\\system32\\MicrosoftAccountTokenProvider.dll", | |
| "Providers": [ | |
| { | |
| "ProviderGUID": "05f02597-fe85-4e67-8542-69567ab8fd4f", |
leechristensen
/ Exploring TraceLogging metadata in C:\Windows\system32\MicrosoftAccountTokenProvider.dll.txt
Created
July 14, 2020 18:05
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Download from TLGMetadataParser.psm1 from https://gist.github.com/mattifestation/edbac1614694886c8ef4583149f53658 | |
| PS C:\> Import-Module TLGMetadataParser.psm1 | |
| PS C:\> $Info = Get-TraceLoggingMetadata -Path C:\Windows\system32\MicrosoftAccountTokenProvider.dll | |
| PS C:\> $Info.Providers | |
| ProviderGUID ProviderName ProviderGroupGUID | |
| ------------ ------------ ----------------- | |
| 05f02597-fe85-4e67-8542-69567ab8fd4f MSAClientTraceLoggingProvider 4f50731a-89cf-4782-b3e0-dce8c90476ba |
leechristensen
/ Find-MisconfiguredCertificateTemplates.ps1
Last active
November 15, 2024 19:12
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <# | |
| Author: Lee Christensen (@tifkin_) | |
| License: BSD 3-Clause | |
| Required Dependencies: None | |
| Usage Example: | |
| 1. On a Linux or OS X machine with ldapsearch installed, run the following replacing "DC=domain,DC=local" with the DN of the organization's domain: | |
| ldapsearch -o ldif-wrap=no -h dc.domain.local -p 389 -D '[email protected]' -w P@ssw0rd -E 'pr=1000/noprompt' -E '!1.2.840.113556.1.4.801=::MAMCAQc=' -b 'CN=Public Key Services,CN=Services,CN=Configuration,DC=domain,DC=local' > ldap_dump.txt |
leechristensen
/ PInvoked.tsv
Last active
May 6, 2021 21:49
PInvoked Functions and their origins on a Windows 10.0.19041 Sandbox machine
We can't make this file beautiful and searchable because it's too large.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| DllShortName Dll Export MethodReturnType Method DeclaringType Assembly | |
| "" "" _CERT_CONTEXT modopt(System.Runtime.CompilerServices.IsConst)* modopt(System.Runtime.CompilerServices.CallConvCdecl) CertDuplicateCertificateContext(_CERT_CONTEXT modopt(System.Runtime.CompilerServices.IsConst)* ) <Module> C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.CertificateServices.PKIClient.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.CertificateServices.PKIClient.Cmdlets.dll | |
| "" "" _CERT_CONTEXT modopt(System.Runtime.CompilerServices.IsConst)* modopt(System.Runtime.CompilerServices.CallConvCdecl) CertEnumCertificatesInStore(System.Void* , _CERT_CONTEXT modopt(System.Runtime.CompilerServices.IsConst)* ) <Module> C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.CertificateServices.PKIClient.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.CertificateServices.PKIClient.Cmdlets.dll | |
| "" "" _CERT_CONTEXT modopt(System.Runtime.CompilerServices.IsConst)* modopt(System.Runtime.CompilerServices.CallConvCdecl) CertFindCert |