RE: Evading Autoruns PoCs on Windows 10
https://medium.com/@KyleHanslovan/re-evading-autoruns-pocs-on-windows-10-dd810d7e8a3f
@WindowsHackingLibrary
Medium
RE: Evading Autoruns PoCs on Windows 10
Last September, Chris Bisnett and I presented research at DerbyCon which highlighted a handful of techniques and bugs we discovered that…
Feature, not bug: DNSAdmin to DC compromise in one line
https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
@WindowsHackingLibrary
Medium
Feature, not bug: DNSAdmin to DC compromise in one line
Background
Beyond LLMNR/NBNS Spoofing – Exploiting Active Directory-Integrated DNS
https://blog.netspi.com/exploiting-adidns
@WindowsHackingLibrary
NetSPI
Beyond LLMNR/NBNS Spoofing – Exploiting Active Directory-Integrated DNS
Exploiting weaknesses in name resolution protocols is a common technique for performing man-in-the-middle (MITM) attacks. This blog dives into two particularly vulnerable name resolution protocols: Link-Local Multicast Name Resolution (LLMNR) and NetBIOS…
GitHub
Powermad/README.md at master · Kevin-Robertson/Powermad
PowerShell MachineAccountQuota and DNS exploit tools - Powermad/README.md at master · Kevin-Robertson/Powermad
Domain Access With Write Access on the Domain NC Head
https://sdmsoftware.com/group-policy-blog/security-policy/elevating-ad-domain-access-with-write-access-on-the-domain-nc-head
@WindowsHackingLibrary
SDM Software
Elevating AD Domain Access With Write Access on the Domain NC Head - SDM Software
With this post and my last post, I guess I'm on a path of finding interesting ways to "break" AD. The last post related to AD denial of service and this Write access to the Domain object could allow domain admin access.
Extracting User Password Data with Mimikatz DCSync
https://blog.stealthbits.com/extracting-user-password-data-with-mimikatz-dcsync/
@WindowsHackingLibrary
Stealthbits Technologies
Extracting User Password Data with Mimikatz DCSync
Using the Mimikatz DCSync command to compromise credentials by replicating information with Directory Replication Service Remote Protocol MS-DRSR.
Passing-the-Hash to NTLM Authenticated Web Applications
https://labs.mwrinfosecurity.com/blog/pth-attacks-against-ntlm-authenticated-web-applications/
@WindowsHackingLibrary
Application Whitelisting Bypass and Arbitrary Unsigned Code Execution Technique in winrm.vbs
https://posts.specterops.io/application-whitelisting-bypass-and-arbitrary-unsigned-code-execution-technique-in-winrm-vbs-c8c24fb40404
@WindowsHackingLibrary
Medium
Application Whitelisting Bypass and Arbitrary Unsigned Code Execution Technique in winrm.vbs
Bypass Technique Description
Veil Payloads and Veil-Ordnance
https://www.fortynorthsecurity.com/veil-payloads-and-veil-ordnance/
@WindowsHackingLibrary
FortyNorth Security Blog
Explaining Veil Payloads and Invoking Veil-Ordnance
In order to effectively use cyber security tools we need to know, in detail, how they work. Only then are we able to leverage them to the best of their capabilities. In this post we will dive into Veil-Evasion and learn its payload naming scheme, different…
Clear all your logs in linux/windows servers
https://github.com/Rizer0/Log-killer
@WindowsHackingLibrary
GitHub
GitHub - Rizer0/Log-killer: Clear all your logs in [linux/windows] servers 🛡️
Clear all your logs in [linux/windows] servers 🛡️. Contribute to Rizer0/Log-killer development by creating an account on GitHub.
Catch me if u can: Bypassing Memory Scanners with Cobalt Strike and Gargoyle
https://labs.mwrinfosecurity.com/blog/experimenting-bypassing-memory-scanners-with-cobalt-strike-and-gargoyle
@WindowsHackingLibrary
PowerShell module to check if a Windows binary (EXE/DLL) has been compiled with ASLR, DEP, SafeSEH, StrongNaming, and Authenticode.
https://github.com/NetSPI/PESecurity
@WindowsHackingLibrary
GitHub
GitHub - NetSPI/PESecurity: PowerShell module to check if a Windows binary (EXE/DLL) has been compiled with ASLR, DEP, SafeSEH…
PowerShell module to check if a Windows binary (EXE/DLL) has been compiled with ASLR, DEP, SafeSEH, StrongNaming, and Authenticode. - NetSPI/PESecurity
Exploiting a Windows 10 PagedPool off-by-one overflow (WCTF 2018)
https://j00ru.vexillium.org/2018/07/exploiting-a-windows-10-pagedpool-off-by-one/
@WindowsHackingLibrary
Anonymously Enumerating Azure File Resources
https://blog.netspi.com/anonymously-enumerating-azure-file-resources
@WindowsHackingLibrary
NetSPI
Anonymously Enumerating Azure File Resources
Much like publicly exposed S3 buckets, Microsoft's Azure platform can suffer from similar data exposure issues via its Blob file storage service.
Weaponize PDF by embedding SettingContent-ms inside PDF.
https://github.com/DidierStevens/DidierStevensSuite/blob/master/make-pdf-embedded.py
@WindowsHackingLibrary
Via: @InfosecN1nja
GitHub
DidierStevensSuite/make-pdf-embedded.py at master · DidierStevens/DidierStevensSuite
Please no pull requests for this repository. Thanks! - DidierStevens/DidierStevensSuite
Persistence using GlobalFlags in Image File Execution Options – Hidden from Autoruns.exe
https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe
@WindowsHackingLibrary
Oddvar Moe's Blog
Persistence using GlobalFlags in Image File Execution Options – Hidden from Autoruns.exe
TL;DR – Found a technique to execute any binary file after another application is closed without being detected by Autoruns.exe. – Requires administrator rights and does not belong in userland. – C…
Compromising an Azure Windows 2008 R2 SP1 VM
https://guptaashish.com/2018/07/04/compromising-a-azure-windows-2008-r2-sp1-vm
@WindowsHackingLibrary
Ashish Gupta
Compromising an Azure Windows 2008 R2 SP1 VM
TL;DR (Too Long; Didn't Read) If you stand up a Windows 2008 R2 VM in Azure with a random user name and password, it's very easy to know that user name and, depending on the complexity of the chosen pa…
Microsoft LAPS Security & Active Directory LAPS Configuration Recon
https://adsecurity.org/?p=3164
@WindowsHackingLibrary
PowerShell is definitely a "gateway drug" to C# - GhostPack is a collection of new security tools (currently C#), getting rid of the attention that PowerShell monitoring is getting
https://github.com/GhostPack
@WindowsHackingLibrary
GitHub
GhostPack
A collection of security related toolsets. GhostPack has 18 repositories available. Follow their code on GitHub.
Pass the Hash with Kerberos
https://malicious.link/post/2018/pass-the-hash-with-kerberos/
@WindowsHackingLibrary
Medium
GhostPack
Anyone who has followed myself or my teammates at SpecterOps for a while knows that we’re fairly big fans of PowerShell. I’ve been involved in offensive PowerShell for about 4 years, @mattifestation…