🏴☠️
from impacket.dcerpc.v5 import epm, lsad, rpcrt, transport, lsat, ndr, nrpc
from impacket.uuid import bin_to_uuidtup
from binascii import unhexlify, hexlify
from struct import pack, unpack
from random import randbytes
import sys
# Perform a netrlogonsamlogonwithflags with a server account; it uses netlogon as the SSP (see [MS-NRPC] 3.3)
# Pure TCP RPC is used (ncacn_ip_tcp option)
# RC4 is used here because impacket must be patched to use AES

# Connect
$passwd = ConvertTo-SecureString "NewUserSSecret@Pass61" -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential ("AS-5945632460@oilcorptarsands.onmicrosoft.com", $passwd)
Connect-AzAccount -Credential $creds
#Connect-AzureAD -Credential $creds
Connect-MgGraph -ClientSecretCredential $creds -TenantId bcdc6c96-4f80-4b10-8228-2e6477c71851
## 1. Unauthenticated Recon:
#Get if Azure tenant is in use, tenant name and Federation
https://login.microsoftonline.com/getuserrealm.srf?login=[USERNAME@DOMAIN]&xml=1

bulbasaur
ivysaur
venusaur
charmander
charmeleon
charizard
squirtle
wartortle
blastoise
caterpie

<#
.SYNOPSIS
Compares the HVCI block list on the current system against the list of
vulnerable and malicious drivers from loldrivers.io
Company: Trail of Bits
Author: Michael Lin
Contributors: Yarden Shafir
License: Apache 2

- Run the whole project and test it locally
- Strip it down and keep only what is needed for the HTTP canary token part
- Abstract the canary token logic so that it is idiomatic Go
- After abstracting, port the HTTP logic to Go
- Initially build a CLI and get the HTTP functionality working correctly
- Start porting the other canary token types
- Design a new notification system (Slack, Telegram, etc.)
- Create a web interface
Nice to have features:

### Original script and research by commial
### https://github.com/commial/experiments/tree/master/windows-defender
### Set LUADec_Path to binary
### https://github.com/viruscamp/luadec
import struct
import argparse
import sys
import os
import io
import subprocess

using System;
using System.Collections.Generic;
using System.DirectoryServices.Protocols;
using System.Globalization;
using System.Linq;
using System.Runtime.InteropServices;
using System.Runtime.InteropServices.ComTypes;
using System.Security.Policy;
using System.Security.Principal;
using System.Text;

# Ensure System.Security assembly is loaded.
Add-Type -AssemblyName System.Security
function ConvertTo-CIPolicy {
<#
.SYNOPSIS
Converts a binary file that contains a Code Integrity policy into XML format.
Author: Matthew Graeber (@mattifestation)

// Twitter thread: https://twitter.com/_xpn_/status/1543682652066258946 (was a bit bored ;)
// Needs to be run on the SCCM server containing the "Microsoft Systems Management Server" CSP for it to work.
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
namespace SCCMDecryptPOC
{
internal class Program

<#
DynWin32-ShellcodeProcessHollowing.ps1 performs shellcode based process hollowing using
dynamically looked up Win32 API calls. The script obtains the methods GetModuleHandle,
GetProcAddress and CreateProcess by using reflection. Afterwards it utilizes GetModuleHandle
and GetProcAddress to obtain the addresses of the other required Win32 API calls.
When all required Win32 API calls are looked up, it starts svchost.exe in a suspended state
and overwrites the entrypoint with the specified shellcode. Afterwards, the thread is resumed
and the shellcode is executed enveloped within the trusted svchost.exe process.