p4yl0ad / blockdlls_arb.c
Created August 22, 2024 10:26
cl /EHsc /ZW blockdlls.cpp /link /SUBSYSTEM:CONSOLE
#include <iostream>
#include <Windows.h>
int main(
int argc,
char *argv[]
){
PROCESS_INFORMATION pi = {};
STARTUPINFOEXA si = {};
SIZE_T attributeSize = 0;
p4yl0ad / QuickDC-VMWare.ps1
Last active August 18, 2024 19:49
QuickDC-VMWare.ps1
<#
.Synopsis
Create 'FEDERATED.LOCAL' domain on domaincontroller
.DESCRIPTION
Install Active Directory with PowerShell, along with DNS and DHCP to create a domain controller
Tested on Windows Server 2019 Version 1809 (OS Build 17763.5329)
.NOTES
Author p4 @ WithSecure Labs
p4yl0ad / Lab-Defaults.ps1
Last active August 18, 2024 13:41
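# Bootstrap one-liner: download Lab-Defaults.ps1 from the gist and execute it in the current session.
# Only TLS 1.2 is enabled for the download. SSL 3.0 and TLS 1.0/1.1 are deprecated, and because the
# response body is executed by iex, a connection negotiated down to one of them would put code
# execution in the hands of whoever can tamper with the traffic.
# NOTE(review): the /raw/ URL is not pinned to a revision, so iex runs whatever the gist contains at
# fetch time; pinning to a reviewed revision (.../raw/<REVISION_SHA>/Lab-Defaults.ps1) freezes it.
[Net.ServicePointManager]::SecurityProtocol = "Tls12"; irm https://gist.github.com/p4yl0ad/b8f4e928a805355ecbea3f85bd80e0ee/raw/Lab-Defaults.ps1| iex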
# Lab VM baseline settings; each step prints a banner with Write-Host before it runs.
Write-Host '# UTC Always'
# Put the machine clock in UTC (presumably so timestamps from different lab hosts line up).
Set-TimeZone -Id "UTC"
Write-Host '# Power Plan Settings'
Write-Host '# Ultimate Power Plan'
# Duplicates the power scheme with this GUID (the built-in Ultimate Performance plan).
# -duplicatescheme only creates the copy; nothing in these lines makes it the active scheme.
powercfg -duplicatescheme e9a42b02-d5df-448d-aa00-03f14749eb61
Write-Host '# Set standby / timeout / hibernate'
# A timeout of 0 means "never": the display stays on both on AC power and on battery (dc).
powercfg -change -monitor-timeout-ac 0
powercfg -change -monitor-timeout-dc 0
p4yl0ad / blah.c
Last active January 20, 2024 17:24
XPC Errors
// security error -9999
// -67030 = Error: 0xFFFEFA2A -67030 invalid Info.plist (plist or signature have been modified)
// -67050 = Error: 0xFFFEFA16 -67050 code failed to satisfy specified code requirement(s)
// -67062 = Error: 0xFFFEFA0A -67062 code object is not signed at all
// -67065 = Error: 0xFFFEFA07 -67065 host has no guest with the requested attributes
p4yl0ad / hardlinktest.m
Last active December 28, 2023 20:34
poc to test symbolic link for specific target
/* gcc -framework Foundation hardlinktest.m -o hardlinktest */
#import <Foundation/Foundation.h>
int main(int argc, const char * argv[]) {
@autoreleasepool {
if (argc < 2) {
NSLog(@"Usage: hardlinktest <path>");
return 1; // Indicate error
}
p4yl0ad / nomde.sh
Last active December 8, 2023 19:45
nomde.sh
# Renames four com.microsoft.* LaunchDaemon property lists to old.* names, then asks launchd to
# boot the matching service labels out of the system domain. Every command runs as root via sudo.
# NOTE(review): the labels and the gist name read as Microsoft's endpoint agent (MDE), its DLP
# install monitor and the AutoUpdate helper — confirm against the installed agent. If so, running
# this takes endpoint protection and its updater out of service on the host.
# Detection: the observable actions are renames under /Library/LaunchDaemons and
# `launchctl bootout system/com.microsoft.*`; both are worth alerting on for managed Macs.
sudo mv /Library/LaunchDaemons/com.microsoft.autoupdate.helper.plist /Library/LaunchDaemons/old.com.microsoft.autoupdate.helper.plist
sudo mv /Library/LaunchDaemons/com.microsoft.dlp.install_monitor.plist /Library/LaunchDaemons/old.com.microsoft.dlp.install_monitor.plist
sudo mv /Library/LaunchDaemons/com.microsoft.fresno.plist /Library/LaunchDaemons/old.com.microsoft.fresno.plist
sudo mv /Library/LaunchDaemons/com.microsoft.fresno.uninstall.plist /Library/LaunchDaemons/old.com.microsoft.fresno.uninstall.plist
# bootout targets the service label in the system domain, not the plist path renamed above.
sudo launchctl bootout system/com.microsoft.fresno.uninstall
sudo launchctl bootout system/com.microsoft.dlp.install_monitor
sudo launchctl bootout system/com.microsoft.fresno
sudo launchctl bootout system/com.microsoft.fresno.uninstall
sudo launchctl bootout system/com.microsoft.autoupdate.helper
p4yl0ad / newproc.d
Created December 3, 2023 19:17
newproc.d dtrace script from macOS
#!/usr/sbin/dtrace -s
/*
* newproc.d - snoop new processes as they are executed. DTrace OneLiner.
*
* This is a DTrace OneLiner from the DTraceToolkit.
*
* 15-May-2005 Brendan Gregg Created this.
*/
/*
p4yl0ad / .bashrc
Last active November 10, 2023 23:20
macOS bashrc
# chsh -s /bin/bash
# Settings -> Users & Groups -> Right Click User ->
# MISC ALIAS COMMANDS
# Windows-style command names mapped onto their macOS counterparts.
alias dir='ls -lah'
# Redefines ls itself, so a plain `ls` also prints the long, all-files, human-readable listing.
alias ls='ls -lah'
alias ipconfig='ifconfig'
alias cls='clear'
# MISC USEFUL SHORTCUTS
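# Settings for the hunt: the symbol name to look for, the dumpbin build to run, and
# (presumably) the 64-bit and 32-bit system directories to scan with it.
$searchterm = "IID_IWSCProductList"
$dumpbinpath = "C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.37.32822\bin\Hostx64\x64\dumpbin.exe"
$x64_pathtosearch = "C:\Windows\System32\"
$x86_pathtosearch = "C:\Windows\SysWOW64\"
# Timestamp used in the log file name. .NET format specifiers are case-sensitive:
# "MM" is the month and "mm" is the minute, so the date part must use "MM"; with "mm"
# the log name carried the minute where the month belongs.
$stamp = (Get-Date).ToString("yyyy-MM-dd_HH-mm-ss")
$logpath = "C:\Users\user\Desktop\Initialize_hunt-$stamp.log"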
p4yl0ad / rpc-hunt.ps1
Created October 30, 2023 21:06
rpc-hunt.ps1
# https://csandker.io/2021/02/21/Offensive-Windows-IPC-2-RPC.html#rpc-servers
# Walk every .exe under System32, list what each one imports from rpcrt4.dll with dumpbin,
# and record the binaries whose import list names RpcServerListen.
# The match is on the import table only: it shows the binary links against the API,
# not that it is listening at the moment.
Get-ChildItem -Path "C:\Windows\System32\" -Filter "*.exe" -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    $exePath = $_.VersionInfo.FileName
    $imports = $(C:\"Program Files (x86)"\"Microsoft Visual Studio 14.0"\VC\bin\dumpbin.exe /IMPORTS:rpcrt4.dll $exePath)
    if ($imports -like "*RpcServerListen*") {
        Write-Host "[+] Exe starting RPC Server: $exePath"
        # Append the path plus the full dumpbin output for this binary to the results file.
        $importLines = $imports | ForEach-Object { "$_`n" }
        Write-Output "[+] $exePath`n`n $($importLines)" | Out-File -FilePath EXEs_RpcServerListen.txt -Append
    }
}