Folder tree update

2023-11-19 10:38:58 +01:00 · 2023-11-19 10:38:58 +01:00 · 24fe926630
parent 1285fd980b
commit 24fe926630
37 changed files with 67 additions and 25 deletions
--- a/docs/cheatsheets/bind-shell-cheatsheet.md
+++ b/docs/cheatsheets/bind-shell-cheatsheet.md
--- a/docs/cheatsheets/escape-breakout.md
+++ b/docs/cheatsheets/escape-breakout.md
--- a/docs/cheatsheets/hash-cracking.md
+++ b/docs/cheatsheets/hash-cracking.md
--- a/docs/cheatsheets/mimikatz-cheatsheet.md
+++ b/docs/cheatsheets/mimikatz-cheatsheet.md
--- a/docs/cheatsheets/miscellaneous-tricks.md
+++ b/docs/cheatsheets/miscellaneous-tricks.md
--- a/docs/cheatsheets/mssql-server-cheatsheet.md
+++ b/docs/cheatsheets/mssql-server-cheatsheet.md
--- a/docs/cheatsheets/network-discovery.md
+++ b/docs/cheatsheets/network-discovery.md
--- a/docs/cheatsheets/powershell-cheatsheet.md
+++ b/docs/cheatsheets/powershell-cheatsheet.md
--- a/docs/cheatsheets/reverse-shell-cheatsheet.md
+++ b/docs/cheatsheets/reverse-shell-cheatsheet.md
--- a/docs/cheatsheets/source-code-management-ci.md
+++ b/docs/cheatsheets/source-code-management-ci.md
--- a/docs/cloud/azure/azure-access-and-token.md
+++ b/docs/cloud/azure/azure-access-and-token.md
@ -69,21 +69,21 @@ roadtx gettokens --refresh-token <refresh-token> -c 04b07795-8ddb-461a-bbee-02f9
 ```

 ```
-scope                                       resource                                                          client                              
-.default                                    04b07795-8ddb-461a-bbee-02f9e1bf7b46                              04b07795-8ddb-461a-bbee-02f9e1bf7b46
-                                            1950a258-227b-4e31-a9cf-717495945fc2                              1950a258-227b-4e31-a9cf-717495945fc2
-                                            https://graph.microsoft.com                                       00b41c95-dab0-4487-9791-b9d2c32c80f2
-                                                                                                              04b07795-8ddb-461a-bbee-02f9e1bf7b46
-                                            https://graph.windows.net                                         00b41c95-dab0-4487-9791-b9d2c32c80f2
-                                                                                                              04b07795-8ddb-461a-bbee-02f9e1bf7b46
-                                            https://outlook.office.com                                        00b41c95-dab0-4487-9791-b9d2c32c80f2
-                                                                                                              04b07795-8ddb-461a-bbee-02f9e1bf7b46
-Files.Read.All                              d3590ed6-52b3-4102-aeff-aad2292ab01c                              d3590ed6-52b3-4102-aeff-aad2292ab01c
-                                            https://graph.microsoft.com                                       d3590ed6-52b3-4102-aeff-aad2292ab01c
-                                            https://outlook.office.com                                        1fec8e78-bce4-4aaf-ab1b-5451cc387264
-Mail.ReadWrite.All                          https://graph.microsoft.com                                       00b41c95-dab0-4487-9791-b9d2c32c80f2
-                                            https://outlook.office.com                                        00b41c95-dab0-4487-9791-b9d2c32c80f2
-                                            https://outlook.office365.com                                     00b41c95-dab0-4487-9791-b9d2c32c80f2
+scope               resource                                client                              
+.default            04b07795-8ddb-461a-bbee-02f9e1bf7b46    04b07795-8ddb-461a-bbee-02f9e1bf7b46
+                    1950a258-227b-4e31-a9cf-717495945fc2    1950a258-227b-4e31-a9cf-717495945fc2
+                    https://graph.microsoft.com             00b41c95-dab0-4487-9791-b9d2c32c80f2
+                                                            04b07795-8ddb-461a-bbee-02f9e1bf7b46
+                    https://graph.windows.net               00b41c95-dab0-4487-9791-b9d2c32c80f2
+                                                            04b07795-8ddb-461a-bbee-02f9e1bf7b46
+                    https://outlook.office.com              00b41c95-dab0-4487-9791-b9d2c32c80f2
+                                                            04b07795-8ddb-461a-bbee-02f9e1bf7b46
+Files.Read.All      d3590ed6-52b3-4102-aeff-aad2292ab01c    d3590ed6-52b3-4102-aeff-aad2292ab01c
+                    https://graph.microsoft.com             3590ed6-52b3-4102-aeff-aad2292ab01c
+                    https://outlook.office.com              1fec8e78-bce4-4aaf-ab1b-5451cc387264
+Mail.ReadWrite.All  https://graph.microsoft.com             00b41c95-dab0-4487-9791-b9d2c32c80f2
+                    https://outlook.office.com              00b41c95-dab0-4487-9791-b9d2c32c80f2
+                    https://outlook.office365.com           00b41c95-dab0-4487-9791-b9d2c32c80f2
 ```


--- a/docs/cloud/azure/azure-devices-users-services.md
+++ b/docs/cloud/azure/azure-devices-users-services.md
@ -11,6 +11,15 @@
 ```ps1
 ```

+* Add user to a group
+    ```ps1
+    $groupid = "<group-id>"
+    $targetmember = "<user-id>"
+    $group = Get-MgGroup -GroupId $groupid
+    $members = Get-MgGroupMember -GroupId $groupid
+    New-MgGroupMember -GroupId $groupid -DirectoryObjectid $targetmember
+    ```
+

 ## Devices

--- a/docs/cloud/azure/azure-enumeration.md
+++ b/docs/cloud/azure/azure-enumeration.md
@ -22,10 +22,13 @@ Invoke-AADIntReconAsOutsider -UserName "user@company.com" | Format-Table
    ```


-## Azure AD - Conditionnal Access
+## Azure AD - Conditionnal Access Policy

 Enumerate Conditionnal Access Policies: `roadrecon plugin policies`

+
+
+
 ## Azure AD - MFA

 * [dafthack/MFASweep](https://github.com/dafthack/MFASweep) - A tool for checking if MFA is enabled on multiple Microsoft Services
--- a/docs/cloud/azure/azure-phishing.md
+++ b/docs/cloud/azure/azure-phishing.md
@ -5,10 +5,11 @@
 > The attacker creates an Azure-registered application that requests access to data such as contact information, email, or documents. The attacker then tricks an end user into granting consent to the application so that the attacker can gain access to the data that the target user has access to. 

 Check if users are allowed to consent to apps: `PS AzureADPreview> (GetAzureADMSAuthorizationPolicy).PermissionGrantPolicyIdsAssignedToDefaultUserRole`
-* **Disable user consent** : Users cannot grant permissions to applications.
-* **Users can consent to apps from verified publishers or your organization, but only for permissions you select** : All users can only consent to apps that were published by a verified publisher and apps that are registered in your tenant
-* **Users can consent to all apps** : allows all users to consent to any permission which doesn't require admin consent,
-* **Custom app consent policy**
+
+* **Disable user consent** : Users cannot grant permissions to applications.   
+* **Users can consent to apps from verified publishers or your organization, but only for permissions you select** : All users can only consent to apps that were published by a verified publisher and apps that are registered in your tenant    
+* **Users can consent to all apps** : allows all users to consent to any permission which doesn't require admin consent.    
+* **Custom app consent policy**   

 ### Register Application

--- a/docs/cloud/azure/azure-services.md
+++ b/docs/cloud/azure/azure-services.md
@ -22,9 +22,27 @@ Runbook must be SAVED and PUBLISHED before running it.
    ```


+## Microsoft Intune
+
+* LAPS
+    ```ps1
+    #requires -modules Microsoft.Graph.Authentication
+    #requires -modules Microsoft.Graph.Intune
+    #requires -modules LAPS
+    #requires -modules ImportExcel
+
+    $DaysBack = 30
+    Connect-MgGraph
+    Get-IntuneManagedDevice -Filter "Platform eq 'Windows'" |
+        Foreach-Object {Get-LapsAADPassword -DevicesIds $_.DisplayName} |
+            Where-Object {$_.PasswordExpirationTime -lt (Get-Date).AddDays(-$DaysBack)} |
+                Export-Excel -Path "c:\temp\lapsdata.xlsx" - ClearSheet -AutoSize -Show
+    ```
+
+
 ## Office 365

-### Extracting Microsoft Teams Messages
+### Microsoft Teams Messages

 ```ps1
 TokenTacticsV2> RefreshTo-MSTeamsToken -domain domain.local
@ -32,15 +50,26 @@ AADInternals> Get-AADIntTeamsMessages -AccessToken $MSTeamsToken.access_token |
 ```


-## Outlook
+## Outlook Mails

-* Read user messages
+* Read user mails
    ```ps1
    Get-MgUserMessage -UserId <user-id> | ft
    Get-MgUserMessageContent -OutFile mail.txt -UserId <user-id> -MessageId <message-id>
    ```

+## OneDrive Files
+
+```ps1
+$userId = "<user-id>"
+Import-Module Microsoft.Graph.Files
+Get-MgUserDefaultDrive -UserId $userId
+Get-MgUserDrive -UserId $UserId  -Debug
+Get-MgDrive -top 1
+```
+

 ## References

-* [Microsoft Graph - servicePrincipal: addPassword](https://learn.microsoft.com/en-us/graph/api/serviceprincipal-addpassword?view=graph-rest-1.0&tabs=powershell)
+* [Microsoft Graph - servicePrincipal: addPassword](https://learn.microsoft.com/en-us/graph/api/serviceprincipal-addpassword?view=graph-rest-1.0&tabs=powershell)
+* [Microsoft Intune - Microsoft Intune support for Windows LAPS](https://learn.microsoft.com/en-us/mem/intune/protect/windows-laps-overview)
--- a/docs/command-control/cobalt-strike.md
+++ b/docs/command-control/cobalt-strike.md
--- a/docs/command-control/metasploit.md
+++ b/docs/command-control/metasploit.md
--- a/docs/containers/docker-containers.md
+++ b/docs/containers/docker-containers.md
--- a/docs/containers/kubernetes-containers.md
+++ b/docs/containers/kubernetes-containers.md
--- a/docs/methodology/bug-hunting-methodology.md
+++ b/docs/methodology/bug-hunting-methodology.md
@ -1,4 +1,4 @@
-# Bug Hunting Methodology and Enumeration
+# Bug Hunting Methodology

 ## Summary

--- a/docs/methodology/vulnerability-reports.md
+++ b/docs/methodology/vulnerability-reports.md
--- a/docs/pentest/.gitkeep
+++ b/docs/pentest/.gitkeep
--- a/docs/redteam/access/attack-surface-enumeration.md
+++ b/docs/redteam/access/attack-surface-enumeration.md
--- a/docs/redteam/access/html-smuggling.md
+++ b/docs/redteam/access/html-smuggling.md
--- a/docs/redteam/access/initial-access.md
+++ b/docs/redteam/access/initial-access.md
--- a/docs/redteam/access/office-attacks.md
+++ b/docs/redteam/access/office-attacks.md
--- a/docs/redteam/access/windows-download-execute.md
+++ b/docs/redteam/access/windows-download-execute.md
--- a/docs/redteam/access/windows-using-credentials.md
+++ b/docs/redteam/access/windows-using-credentials.md
--- a/docs/redteam/escalation/linux-privilege-escalation.md
+++ b/docs/redteam/escalation/linux-privilege-escalation.md
--- a/docs/redteam/escalation/windows-privilege-escalation.md
+++ b/docs/redteam/escalation/windows-privilege-escalation.md
--- a/docs/redteam/evasion/linux-evasion.md
+++ b/docs/redteam/evasion/linux-evasion.md
--- a/docs/redteam/evasion/windows-amsi-bypass.md
+++ b/docs/redteam/evasion/windows-amsi-bypass.md
--- a/docs/redteam/evasion/windows-defenses.md
+++ b/docs/redteam/evasion/windows-defenses.md
--- a/docs/redteam/evasion/windows-dpapi.md
+++ b/docs/redteam/evasion/windows-dpapi.md
--- a/docs/redteam/persistence/linux-persistence.md
+++ b/docs/redteam/persistence/linux-persistence.md
--- a/docs/redteam/persistence/windows-persistence.md
+++ b/docs/redteam/persistence/windows-persistence.md
--- a/docs/redteam/pivoting/network-pivoting-techniques.md
+++ b/docs/redteam/pivoting/network-pivoting-techniques.md