Futur3 c0de-sin

View GitHub Profile
@c0de-sin
c0de-sin / DeobfuscateByteArrayInlineAsm.cpp
Created March 15, 2024 09:02 — forked from WKL-Sec/DeobfuscateByteArrayInlineAsm.cpp
This C++ code snippet demonstrates a method for deobfuscating a byte array using inline assembly. It intricately applies a series of bitwise NOT, decrement, and XOR operations on each byte of the array.
// White Knight Labs - Offensive Development Course
// String Deobfuscation with Inline-Assembly
// Based on - https://gist.github.com/WKL-Sec/e24830ebfafabc283bd9329e79f71164
#include <iostream>
#include <string>
#include <sstream>
#include <vector>
c0de-sin / GetProcAddressAlternative.cpp
Created February 29, 2024 08:14 — forked from WKL-Sec/GetProcAddressAlternative.cpp
Efficiently locates API addresses within modules without relying on GetProcAddress, enhancing stealth in payload deployment.
// White Knight Labs - Offensive Development Course
// GetProcAddress Replacement
#include <windows.h>
#include <iostream>
typedef FARPROC (*pAPIFinder)(IN HMODULE modHandle, IN LPCSTR apiName);
FARPROC APIFinder(IN HMODULE modHandle, IN LPCSTR apiName) {
PBYTE baseAddr = (PBYTE)modHandle;
c0de-sin / T1112.yaml
Created September 15, 2023 05:35 — forked from MHaggis/T1112.yaml
Atomic Red Team Test - https://twitter.com/M_haggis/status/1699056847154725107?s=20. Grab one, submit a PR! Be quick, whoever submits first gets a shirt + sticker :)
- name: Modify Internet Zone Protocol Defaults in Current User Registry - cmd
  description: |
    This test simulates an adversary modifying the Internet Zone Protocol Defaults in the registry of the currently logged-in user using the reg.exe utility via the command prompt. Such modifications can be indicative of an adversary trying to weaken browser security settings. Upon execution, if successful, the message "The operation completed successfully." will be displayed.
    To verify the effects of the test:
    1. Open the Registry Editor (regedit.exe).
    2. Navigate to "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults".
    3. Check for the presence of the "http" and "https" DWORD values set to `0`.
    Or run:
    ```batch
c0de-sin / certifried_with_krbrelayup.md
Created July 23, 2023 15:41 — forked from S3cur3Th1sSh1t/certifried_with_krbrelayup.md
Certifried combined with KrbRelayUp: non-privileged domain user to Domain Admin without adding/pre-owning computer accounts

Certifried combined with KrbRelayUp

Certifried (CVE-2022-26923) gives Domain Admin from a non-privileged user, with the requirement of adding a computer account or owning an existing one. Kerberos relay targeting LDAP combined with Shadow Credentials gives a non-privileged domain user on a domain-joined machine local admin access on (i.e. ownership of) that machine. Combining the two: a non-privileged domain user escalates to Domain Admin without the requirement of adding or owning computer accounts.

The attack below uses only Windows (no Linux tools interacting with the Domain), simulating a real-world attack scenario.

Prerequisites:

Loki
https://www.shodan.io/search?query=%22Loki+Locker%22
BlackBit
https://www.shodan.io/search?query=%22Encrypted+by+BlackBit%22
BlackHunt
https://www.shodan.io/search?query=%22Your+Network+Infected+with+BlackHunt+Ransomware+Team%22
Amelia, Proxima
c0de-sin / api_hashing.cs
Created November 26, 2021 10:21
Proof of Concept Windows API Hashing in C#
using System;
using System.Runtime.InteropServices;
namespace API_Hashing
{
class Program
{
[DllImport("kernel32", SetLastError = true, CharSet = CharSet.Ansi)]
static extern IntPtr LoadLibrary([MarshalAs(UnmanagedType.LPStr)] string lpFileName);