| title | LDAP Search Filter Cheatsheet |
|---|---|
| author | Jon LaBelle |
| date | January 4, 2021 |
| source | https://jonlabelle.com/snippets/view/markdown/ldap-search-filter-cheatsheet |
| notoc | true |
The following script is designed to create artifacts that teams can use to hunt for new or interesting capabilities.
The following tabletop is based on the code here: https://github.com/code-scrap/DynamicWrapperDotNet
This script is self-contained. It dynamically writes a DLL to disk and loads it into cscript.exe.
To invoke: cscript.exe stranger_things.js
This example expects a 64-bit system.
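The behaviour the notes describe, a script host writing a DLL to disk and then loading it into its own process, is exactly the kind of artifact a hunt team can key on. The following is an added example, not part of stranger_things.js or DynamicWrapperDotNet: it pairs file-create and image-load events by process and path and surfaces script hosts that drop and load a DLL. The events are constructed Sysmon-style records and the field names are assumptions.

```python
# Added example, not part of the stranger_things.js script or DynamicWrapperDotNet:
# a hunting check for a script host (cscript.exe / wscript.exe) that writes a DLL to
# disk and then loads it into its own process.
# The events below are constructed Sysmon-style records; the field names are assumptions.
import ntpath

SCRIPT_HOSTS = {"cscript.exe", "wscript.exe"}
FILE_CREATE = 11   # Sysmon Event ID 11 (FileCreate)
IMAGE_LOAD = 7     # Sysmon Event ID 7 (ImageLoad)

# constructed telemetry: a benign text write by cscript (pid 5555), a benign DLL load by
# notepad (pid 6060), and the DLL drop-and-load by cscript.exe (pid 4242) we want to surface
SAMPLE_EVENTS = [
    {"event": FILE_CREATE, "pid": 4242, "image": r"C:\Windows\System32\cscript.exe",
     "target": r"C:\Users\Public\DynamicWrapper.dll"},
    {"event": FILE_CREATE, "pid": 5555, "image": r"C:\Windows\System32\cscript.exe",
     "target": r"C:\Users\Public\notes.txt"},
    {"event": IMAGE_LOAD, "pid": 6060, "image": r"C:\Windows\System32\notepad.exe",
     "target": r"C:\Windows\System32\uxtheme.dll"},
    {"event": IMAGE_LOAD, "pid": 4242, "image": r"C:\Windows\System32\cscript.exe",
     "target": r"C:\Users\Public\DynamicWrapper.dll"},
]


def find_script_host_dll_drops(events):
    """Return (pid, dll_path) for every script-host process that both created a .dll
    and loaded that same path. Matching is by (pid, case-folded path), so the two
    events may arrive in either order."""
    written, loaded = {}, set()
    for e in events:
        # ntpath, not os.path: the paths are Windows paths even when run elsewhere
        if ntpath.basename(e["image"]).lower() not in SCRIPT_HOSTS:
            continue
        key = (e["pid"], e["target"].lower())
        if e["event"] == FILE_CREATE and key[1].endswith(".dll"):
            written[key] = e["target"]
        elif e["event"] == IMAGE_LOAD:
            loaded.add(key)
    return [(pid, written[(pid, path)]) for pid, path in sorted(written.keys() & loaded)]


if __name__ == "__main__":
    for pid, dll in find_script_host_dll_drops(SAMPLE_EVENTS):
        print(f"script host pid {pid} wrote and loaded {dll}")
```

Keying on the pair rather than on either event alone keeps the rule quiet on script hosts that merely write text files or load system DLLs, which is the noise that makes single-event rules unusable.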
```cpp
// Copyright (C) 2022 Evan McBroom
// If you are using Visual Studio, you will need to disable the "Edit and Continue" feature.
// Prng based off of Park-Miller's
// "Multiplicative Linear Congruential Generator"
// https://en.wikipedia.org/wiki/Lehmer_random_number_generator
#include <cstdint>

namespace mlcg {
    // Modulus of the generator: the Mersenne prime 2^31 - 1
    constexpr uint32_t modulus() {
        return 0x7fffffff;
    }
}
```
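The snippet above only shows the modulus. As an added example, not part of Evan McBroom's code, the generator is carried through in Python so the full recurrence x_{n+1} = a * x_n mod m is visible; the multiplier 48271 (the Park-Miller "minimum standard" constant) is an assumption, since the page does not show which one is used. The example also makes the practitioner's caveat concrete: with a 31-bit state and a bijective step, a single observed output gives back the seed, so this kind of generator is fine for deterministic obfuscation but must never stand in for a keystream cipher.

```python
# Added example: Lehmer / Park-Miller MLCG over the modulus 2^31 - 1 from the snippet above.
# The multiplier 48271 (MINSTD) is an assumption; the page only shows the modulus.
MODULUS = 0x7FFFFFFF       # 2^31 - 1, a Mersenne prime
MULTIPLIER = 48271         # assumed; classic Park-Miller "minimum standard" constant


def mlcg_next(state: int) -> int:
    """One step: x_{n+1} = a * x_n mod m. State must stay in [1, m-1]."""
    return (MULTIPLIER * state) % MODULUS


def mlcg_stream(seed: int, count: int) -> list:
    """Return the first `count` outputs for a seed in [1, m-1]."""
    if not 1 <= seed < MODULUS:
        raise ValueError("seed must be in [1, m-1]; 0 is a fixed point of the map")
    out, state = [], seed
    for _ in range(count):
        state = mlcg_next(state)
        out.append(state)
    return out


def xor_with_stream(data: bytes, seed: int) -> bytes:
    """Toy use as a keystream: XOR each byte with the low byte of one output.
    Symmetric, so the same call decrypts."""
    return bytes(b ^ (x & 0xFF) for b, x in zip(data, mlcg_stream(seed, len(data))))


def recover_seed(first_output: int) -> int:
    """The weakness: x -> a*x mod m is a bijection on [1, m-1] (m is prime, a != 0),
    so one observed output yields the seed through the modular inverse of a."""
    inv = pow(MULTIPLIER, -1, MODULUS)   # modular inverse, Python 3.8+
    return (first_output * inv) % MODULUS


if __name__ == "__main__":
    print(mlcg_stream(1, 3))                        # [48271, 182605794, 1291394886]
    ct = xor_with_stream(b"constructed sample", 12345)
    assert xor_with_stream(ct, 12345) == b"constructed sample"
    print(recover_seed(mlcg_stream(12345, 1)[0]))   # 12345
```

The first three outputs for seed 1 match the well-known MINSTD sequence, which is a quick way to confirm a C or C++ port of the constexpr version is correct.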
Certifried (CVE-2022-26923) takes a non-privileged domain user to Domain Admin, provided that user can add computer accounts or already owns one. Kerberos relay targeting LDAP, combined with Shadow Credentials, gives a non-privileged domain user on a domain-joined machine local admin on that machine, i.e. ownership of its computer account. Chaining the two, a non-privileged domain user escalates to Domain Admin without needing to add or already own a computer account.
The attack below uses only Windows tooling (no Linux tools interacting with the domain), simulating a real-world attack scenario.
Prerequisites:
(still a work in progress)
```csharp
// IMPORTANT NOTE:
// It seems like when this is compiled with C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, the crash is handled more gracefully than v3.5.
// So you'll have to find another way to cause an _unexpected_ crash to use with v4.0.30319.
// Compile: C:\windows\Microsoft.NET\Framework64\v3.5\csc.exe .\RecoveryCallbackToShellcode.cs
// Usage:   .\RecoveryCallbackToShellcode.exe <path to shellcode>
using System;
using System.Diagnostics;
using System.IO;
using System.Runtime.InteropServices;
```
We can do this by experimenting with .config files.
Many defenders detect renamed files by matching the PE OriginalFilename field to the process name.
In this example, we don't have to rename anything. We simply coerce a trusted signed application to load our assembly.
We do this by directing the application to read a config file we provide.
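To see why the rename heuristic stays quiet here, the following added example (not from the original notes) runs the defender check described above over a few constructed process records: a renamed binary trips it, a trusted application running under its own name while loading an attacker-supplied assembly through a config file does not. The application path and field names are constructed assumptions; the check reads the OriginalFilename value from the PE version resource, which is what tools such as Sysmon expose.

```python
# Added example, not part of the original notes: the OriginalFilename-vs-process-name
# heuristic that many defenders use, over constructed records, and the case it misses.
import ntpath

# constructed sample records; field names and the application path are assumptions
SAMPLE_PROCESSES = [
    # renamed binary: the classic case the heuristic catches
    {"pid": 1, "image": r"C:\Users\Public\svchost.exe", "original_filename": "PowerShell.EXE"},
    # trusted signed app running under its own name; it was directed by a .config file
    # to load a foreign assembly, so nothing on disk was renamed and the check passes
    {"pid": 2, "image": r"C:\Program Files\Vendor\TrustedApp.exe", "original_filename": "TrustedApp.exe"},
    # case differences between the version resource and the file name are normal
    {"pid": 3, "image": r"C:\Windows\System32\cmd.exe", "original_filename": "Cmd.Exe"},
    # no version resource at all: report separately instead of treating it as a match
    {"pid": 4, "image": r"C:\Temp\tool.exe", "original_filename": None},
]


def renamed_processes(records):
    """PIDs whose OriginalFilename (PE version resource) disagrees with the on-disk name.
    Comparison is case-insensitive; records without the field are skipped here."""
    hits = []
    for r in records:
        orig = r["original_filename"]
        if not orig:
            continue
        if ntpath.basename(r["image"]).lower() != orig.lower():
            hits.append(r["pid"])
    return hits


def missing_metadata(records):
    """PIDs with no OriginalFilename to compare; worth a separate, lower-priority look."""
    return [r["pid"] for r in records if not r["original_filename"]]


if __name__ == "__main__":
    print("renamed:", renamed_processes(SAMPLE_PROCESSES))        # [1]
    print("no metadata:", missing_metadata(SAMPLE_PROCESSES))     # [4]
```

The record for pid 2 is the point of the passage: the binary is genuine and correctly named, so a rename check has nothing to match on, and detection has to come from what the process loads or which config file it read instead.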
```c
//===============================================================================================//
// This is a stub for the actual functionality of the DLL.
//===============================================================================================//
#include "ReflectiveLoader.h"
#include <stdio.h>
// Note: REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR and REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN are
// defined in the project properties (Properties->C++->Preprocessor) so that we can specify our own
// DllMain and use the LoadRemoteLibraryR() API to inject this DLL.
```
```c
#include <Windows.h>

// Handler for the single-step exceptions raised while executing the shellcode; from the
// names, it decrypts the instruction about to run and re-encrypts the one that just ran
// (declaration only; the body is not part of this snippet).
LONG SingleStepEncryptDecrypt(EXCEPTION_POINTERS* ExceptionInfo);
typedef VOID(__stdcall* Shellcode)();

LPBYTE    ShellcodeBuffer;    // base of the shellcode buffer
ULONG_PTR PreviousOffset;     // offset of the instruction that just executed
ULONG_PTR CurrentOffset;      // offset of the instruction about to execute
ULONGLONG InstructionCount;   // number of single-step traps handled so far
DWORD     dwOld;              // old page protection, as returned by VirtualProtect
```
```powershell
# Service names built into Windows 10, presumably used to filter the defaults out of a
# service enumeration. The list is truncated in the source; the duplicated entries
# 'WwanSvc' and 'wuauserv' have been removed.
$win10_builtin = @('AppVClient', 'ClickToRunSvc', 'COMSysApp', 'diagnosticshub.standardcollector.service',
    'msiserver', 'ose', 'perceptionsimulation', 'SecurityHealthService', 'Sense',
    'SensorDataService', 'SgrmBroker', 'Spooler', 'ssh-agent', 'TieringEngineService',
    'TrustedInstaller', 'UevAgentService', 'vds', 'VSS', 'wbengine', 'WinDefend', 'wmiApSrv',
    'WSearch', 'XboxNetApiSvc', 'XboxGipSvc', 'XblGameSave', 'XblAuthManager', 'WwanSvc', 'wuauserv',
    'WpnService', 'WPDBusEnum', 'WpcMonSvc', 'WManSvc', 'wlidsvc', 'WlanSvc',
    'wisvc', 'Winmgmt', 'WiaRpc', 'WerSvc', 'wercplsupport', 'WdiSystemHost', 'WbioSrvc', 'WalletService',
    'WaaSMedicSvc', 'vmvss', 'vmicvss', 'vmicvmsession', 'vmicshutdown', 'vmicrdv', 'vmickvpexchange',
    'vmicheartbeat', 'vmicguestinterface', 'VaultSvc', 'UsoSvc', 'UserManager', 'UmRdpService',
    'TroubleshootingSvc', 'TrkWks', 'TokenBroker', 'Themes', 'TabletInputService'
)   # list truncated in the source
```