Lee Chagolla-Christensen leechristensen

leechristensen / MicrosoftAccountTokenProvider.dll ETW Providers.txt
Created July 11, 2020 00:46
MicrosoftAccountTokenProvider.dll ETW Providers
# Download TLGMetadataParser.psm1 from https://gist.github.com/mattifestation/edbac1614694886c8ef4583149f53658
PS C:\> Import-Module TLGMetadataParser.psm1
PS C:\> Get-TraceLoggingMetadata -Path C:\Windows\system32\MicrosoftAccountTokenProvider.dll | ConvertTo-Json
{
"FilePath": "C:\\Windows\\system32\\MicrosoftAccountTokenProvider.dll",
"Providers": [
{
"ProviderGUID": "05f02597-fe85-4e67-8542-69567ab8fd4f",
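Once a TraceLogging provider GUID has been pulled out of a binary this way, the natural next step is to actually capture its events. The following is an added example (not part of the gist above) that enables the provider GUID shown in the output with logman, records a short trace, and decodes it with tracerpt. The session name, output path and sleep interval are assumed; run it from an elevated prompt.

```powershell
# Added example: capture events from the TraceLogging provider found above.
# Session name and output path are arbitrary (assumed values).
$ProviderGuid = '{05f02597-fe85-4e67-8542-69567ab8fd4f}'
$Session      = 'MsaTokenProviderTrace'
$EtlPath      = 'C:\Temp\MsaTokenProvider.etl'

New-Item -ItemType Directory -Force -Path (Split-Path $EtlPath) | Out-Null

# Start a trace session with the provider enabled for all keywords (0xff..ff)
# and all levels (0xff). -ets creates and starts the session in one step.
logman start $Session -p $ProviderGuid 0xffffffffffffffff 0xff -o $EtlPath -ets

# Exercise the code path you care about while the session is running,
# e.g. sign in with a Microsoft account. 30 seconds is an assumed window.
Start-Sleep -Seconds 30

logman stop $Session -ets

# TraceLogging events are self-describing, so tracerpt can render them
# without a separate manifest. Dump to XML for review.
tracerpt $EtlPath -o "$EtlPath.xml" -of XML
```

The same pattern works for any of the other provider GUIDs in the JSON output; the keyword/level masks above are deliberately wide open so nothing is filtered before you have seen what the provider emits.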
leechristensen / 2020.04.12-WDAG_SIPolicy.xml
Last active April 13, 2020 03:09
Windows Defender Application Guard CI Policy - Used by Edge's container for code integrity. SIPolicy.p7b parsed using Matt Graeber's ConvertTo-WDACCodeIntegrityPolicy https://github.com/mattifestation/WDACTools/tree/dbd11b3c3f5578c635b3e6a0b71c42e24e37a18c
<?xml version="1.0"?>
<SiPolicy xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="urn:schemas-microsoft-com:sipolicy">
<VersionEx>10.0.3.7</VersionEx>
<PolicyTypeID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyTypeID>
<PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
<Rules>
<Rule>
<Option>Enabled:UMCI</Option>
</Rule>
<Rule>
leechristensen / FindingComputersWithLocalAdmin.md
Created August 30, 2019 22:51
Useful Cypher queries to find computers that are local admin on other computers, or to find groups containing both users and computers.

Computer accounts added to local admins on machines via a group in the local admins

MATCH p1 = (c1:Computer)-[r:MemberOf*1..]->(g1:Group)
WITH c1,g1
MATCH p2 = (g1:Group)-[r:AdminTo]->(c2:Computer)
RETURN c1.name As Principal,c2.name AS Target,g1.name AS ViaGroup
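The description also mentions finding groups that contain both users and computers, which the preview does not show. The query below is an added example, not the gist's own, for that case; it assumes the standard BloodHound schema (User, Computer and Group node labels, MemberOf edges, names stored in upper case).

```cypher
// Added example (not from the gist): groups that contain at least one User
// and at least one Computer, directly or through nested group membership.
// Labels and the MemberOf relationship are the standard BloodHound schema.
MATCH (u:User)-[:MemberOf*1..]->(g:Group)
WITH DISTINCT g
MATCH (c:Computer)-[:MemberOf*1..]->(g)
WITH g, collect(DISTINCT c.name) AS Computers
RETURN g.name AS Group, Computers
ORDER BY size(Computers) DESC
```

Such mixed groups matter because, when one of them carries an AdminTo edge, compromising any member computer account (for example a host you already control) yields local admin on the target machines, the same path the first query above surfaces from the computer side.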

Computer accounts added to local admins on machines explicitly

# load up the slightly-stripped BouncyCastle library, adapted from https://github.com/bcgit/bc-csharp
# Copyright (c) 2000 - 2015 The Legion of the Bouncy Castle Inc. (http://www.bouncycastle.org)
# see LICENSE_Bouncy_Castles for license information
try {
$null = [Org.BouncyCastle.Asn1.Asn1InputStream]
} catch {
$EncodedCompressedFile = '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
leechristensen / cmd_spoolss.c
Created September 17, 2017 20:27
addprinternotification
/*
Unix SMB/CIFS implementation.
RPC pipe client
Copyright (C) Gerald Carter 2001-2005
Copyright (C) Tim Potter 2000
Copyright (C) Andrew Tridgell 1992-1999
Copyright (C) Luke Kenneth Casson Leighton 1996-1999
Copyright (C) Guenther Deschner 2009
leechristensen / settingcontent-ms.xsd
Created June 22, 2017 01:43
.settingcontent-ms XML Schema (embedded in shell.dll)
<?xml version="1.0" encoding="utf-8"?>
<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:ac="http://schemas.microsoft.com/Search/2013/SettingContent" targetNamespace="http://schemas.microsoft.com/Search/2013/SettingContent" elementFormDefault="qualified" >
<xsd:annotation>
<xsd:documentation xml:lang="en">Copyright (C) Microsoft. All rights reserved.
Searchable setting content file schema.
</xsd:documentation>
</xsd:annotation>
<xsd:element name="SearchableContent" type="ac:SearchableContentType"/>
<xsd:complexType name="SearchableContentType">
<xsd:sequence>

Keybase proof

I hereby claim:

  • I am leechristensen on github.
  • I am tifkin (https://keybase.io/tifkin) on keybase.
  • I have a public key whose fingerprint is 91F2 D977 5912 0E51 AD40 0C64 2217 7C8E 7D5A 102D

To claim this, I am signing this object:

leechristensen / NukePSLogging.cpp
Created March 17, 2017 09:20
Nuke PS Logging
void Payload() {
DWORD threadId;
CreateThread(
NULL, // default security attributes
0, // use default stack size
MyThreadFunction, // thread function name
NULL, // argument to thread function
0, // use default creation flags
&threadId);
}
leechristensen / PInvokedMethodsV2.txt
Created January 21, 2017 01:08
PowerShell 2.0 PInvoke'd Methods
Name Dll DeclaringType
---- --- -------------
GetCurrentThreadId kernel32.dll System.AppDomain
VarCyFromDec oleaut32.dll System.StubHelpers.StubHelpers
VarDecFromCy oleaut32.dll System.StubHelpers.StubHelpers
CreateActContext mscorwks.dll System.Deployment.Internal.Isolation.IsolationInterop
CreateCMSFromXml mscorwks.dll System.Deployment.Internal.Isolation.IsolationInterop
ParseManifest mscorwks.dll System.Deployment.Internal.Isolation.IsolationInterop
GetUserStore mscorwks.dll System.Deployment.Internal.Isolation.IsolationInterop

1) Enable WebDAV

sudo a2enmod dav
sudo a2enmod dav_fs

mkdir -p /var/www/webdav
touch /var/www/DavLock
chown www-data:www-data /var/www/webdav /var/www/DavLock

2) vim /etc/apache2/sites-available/000-default.conf
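The contents of the step-2 edit are not shown in the preview. The following Apache site fragment is an added example, not the gist's own config, of a minimal mod_dav setup for the directory and lock file created in step 1. The virtual host layout and the htpasswd path are assumed. It requires an authenticated user; if the share is meant to be an anonymous drop, replace the Auth* lines and `Require valid-user` with `Require all granted`, knowing that anyone who can reach the port can then read and write it.

```apache
# Added example for /etc/apache2/sites-available/000-default.conf (assumed layout).
# Apache does not allow trailing comments, so every comment is on its own line.

# Lock database path: the file created and chown'd in step 1.
DavLockDB /var/www/DavLock

<VirtualHost *:80>
    DocumentRoot /var/www/html

    # Expose /var/www/webdav at http://host/webdav/
    Alias /webdav /var/www/webdav
    <Directory /var/www/webdav>
        DAV On
        Options -Indexes

        # Basic auth over plain HTTP is only acceptable on a throwaway lab host;
        # terminate TLS in front of it anywhere else.
        # Create the user file with: htpasswd -c /etc/apache2/webdav.passwd <user>
        AuthType Basic
        AuthName "webdav"
        AuthUserFile /etc/apache2/webdav.passwd
        Require valid-user
    </Directory>
</VirtualHost>
```

After saving, run `sudo apachectl configtest && sudo systemctl reload apache2`, then confirm a write works with `curl -u <user> -T /etc/hostname http://localhost/webdav/hostname.txt` (expect a 201 Created) and that an unauthenticated PUT is refused with 401.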