PowerShell script which allows pausing\unpausing Win32/64 exes
https://github.com/besimorhino/Pause-Process
@WindowsHackingLibrary
ASP.NET resource files (.RESX) and deserialisation issues
https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/august/aspnet-resource-files-resx-and-deserialisation-issues/
@WindowsHackingLibrary
Exploiting XXE Vulnerabilities in IIS/.NET
https://pen-testing.sans.org/blog/2017/12/08/entity-inception-exploiting-iis-net-with-xxe-vulnerabilities
@WindowsHackingLibrary
When "ASLR" Is Not Really ASLR - The Case of Incorrect Assumptions and Bad Defaults
https://insights.sei.cmu.edu/cert/2018/08/when-aslr-is-not-really-aslr---the-case-of-incorrect-assumptions-and-bad-defaults.html
@WindowsHackingLibrary
Capturing NetNTLM Hashes with Office [DOT] XML Documents
https://bohops.com/2018/08/04/capturing-netntlm-hashes-with-office-dot-xml-documents
@WindowsHackingLibrary
TL;DR An Office XML (.xml) document can call a remote XSL stylesheet over SMB. If this occurs against an attacker controlled server, the net-NTLM authentication hash (challenge/response) of t…
Copying Files via WMI and PowerShell
https://www.fortynorthsecurity.com/copying-files-via-wmi-and-powershell
@WindowsHackingLibrary
Using WinRM Through Meterpreter
https://www.trustedsec.com/2017/09/using-winrm-meterpreter
@WindowsHackingLibrary
Forwarded from w0rk3r's Blue team Library (Jonhnathan Jonhnathan Jonhnathan)
TBAL: an (accidental?) DPAPI Backdoor for local users
https://vztekoverflow.com/2018/07/31/tbal-dpapi-backdoor
@BlueTeamLibrary
a.k.a how a convenience feature undermined a security feature
The Data Protection API (DPAPI) provided by Windows is a way of protecting secrets used by a lot of popular software solutions, most famously by Google Chrome when storing passwords and cookies. A lot has been said recently about the security of this API…
P0wnedShell:
PowerShell Runspace Post Exploitation Toolkit
https://github.com/Cn33liz/p0wnedShell
@WindowsHackingLibrary
mimiDbg:
PowerShell oneliner to retrieve wdigest passwords from the memory
https://github.com/giMini/mimiDbg
@WindowsHackingLibrary
Golden Ticket Attack Execution Against AD-Integrated SSO providers
https://www.fractalindustries.com/newsroom/blog/gt-attacks-and-sso
@WindowsHackingLibrary
BloodHound 2.0 released!
https://github.com/BloodHoundAD/BloodHound/releases/tag/2.0
@WindowsHackingLibrary
This is a major feature release for BloodHound, introducing several new features, optimizations, and bugfixes. For a full changelog, see the blog post at https://blog.cptjesus.com/posts/bloodhound2...
Windows Privilege Escalation Fundamentals
http://www.fuzzysecurity.com/tutorials/16.html
@WindowsHackingLibrary
Disabling AMSI in JScript with One Simple Trick
https://tyranidslair.blogspot.com/2018/06/disabling-amsi-in-jscript-with-one.html
@WindowsHackingLibrary
This blog contains a very quick and dirty way to disable AMSI in the context of Windows Scripting Host which doesn't require admin privilege...
Unstoppable Service:
A pattern for a self-installing Windows service in C# with the unstoppable attributes in C#.
https://github.com/malcomvetter/UnstoppableService
@WindowsHackingLibrary
Driver loader for bypassing Windows x64 Driver Signature Enforcement
https://github.com/hfiref0x/TDL
@WindowsHackingLibrary
Subverting Sysmon:
Application of a Formalized Security Product Evasion Methodology
Code:
https://github.com/mattifestation/BHUSA2018_Sysmon/tree/master/Code
Slides:
https://github.com/mattifestation/BHUSA2018_Sysmon/blob/master/Slides_Subverting_Sysmon.pdf
Whitepaper:
https://github.com/mattifestation/BHUSA2018_Sysmon/blob/master/Whitepaper_Subverting_Sysmon.pdf
@WindowsHackingLibrary
All materials from our Black Hat 2018 "Subverting Sysmon" talk - mattifestation/BHUSA2018_Sysmon