From XML External Entity to NTLM Domain Hashes
https://techblog.mediaservice.net/2018/02/from-xml-external-entity-to-ntlm-domain-hashes/
https://techblog.mediaservice.net/2018/02/from-xml-external-entity-to-ntlm-domain-hashes/
Windows Privilege Escalation Guide
https://www.sploitspren.com/2018-01-26-Windows-Privilege-Escalation-Guide/
https://www.sploitspren.com/2018-01-26-Windows-Privilege-Escalation-Guide/
Absolomb
Windows Privilege Escalation Guide
Privilege escalation always comes down to proper enumeration. But to accomplish proper enumeration you need to know what to check and look for. This takes familiarity with systems that normally comes along with experience. At first privilege escalation can…
Windows oneliners to download remote payload and execute arbitrary code
https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/amp/
https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/amp/
arno0x0x
Windows oneliners to download remote payload and execute arbitrary code
In the wake of the recent buzz and trend in using DDE for executing arbitrary command lines and eventually compromising a system, I asked myself « what are the coolest command lines an a…
Passing the hash with native RDP client (mstsc.exe)
https://michael-eder.net/post/2018/native_rdp_pass_the_hash/
https://michael-eder.net/post/2018/native_rdp_pass_the_hash/
Escalating privileges with ACLs in Active Directory
https://blog.fox-it.com/2018/04/26/escalating-privileges-with-acls-in-active-directory/
https://github.com/fox-it/Invoke-ACLPwn
https://blog.fox-it.com/2018/04/26/escalating-privileges-with-acls-in-active-directory/
https://github.com/fox-it/Invoke-ACLPwn
Fox-IT International blog
Escalating privileges with ACLs in Active Directory
Researched and written by Rindert Kramer and Dirk-jan Mollema Introduction During internal penetration tests, it happens quite often that we manage to obtain Domain Administrative access within a f…
Skip Cracking Responder Hashes and Relay Them
http://threat.tevora.com/quick-tip-skip-cracking-responder-hashes-and-replay-them
http://threat.tevora.com/quick-tip-skip-cracking-responder-hashes-and-replay-them
Threat Blog
Skip Cracking Responder Hashes and Relay Them
Background Responder is a go-to tool for most pentesters. We use it quite often on pentests to quickly gain access to a client’s domain. However, when clients enforce strong password policies and their users don’t choose passwords like 'Ilovemykids2017!'…
Exchange-AD-Privesc. Repository of Exchange privilege escalations to Active Directory
This repository provides a few techniques and noscripts regarding the impact of Microsoft Exchange deployment on Active Directory security.
https://github.com/gdedrouas/Exchange-AD-Privesc
This repository provides a few techniques and noscripts regarding the impact of Microsoft Exchange deployment on Active Directory security.
https://github.com/gdedrouas/Exchange-AD-Privesc
GitHub
GitHub - gdedrouas/Exchange-AD-Privesc: Exchange privilege escalations to Active Directory
Exchange privilege escalations to Active Directory - gdedrouas/Exchange-AD-Privesc
WMIC.EXE Whitelisting Bypass - Hacking with Style, Stylesheets
https://subt0x11.blogspot.com.br/2018/04/wmicexe-whitelisting-bypass-hacking.html
https://subt0x11.blogspot.com.br/2018/04/wmicexe-whitelisting-bypass-hacking.html
Blogspot
WMIC.EXE Whitelisting Bypass - Hacking with Style, Stylesheets
tl;dr WMIC can invoke XSL (eXtensible Stylesheet Language) noscripts, either locally or from a URL. Local File wmic process list /FO...
Hiding Metasploit Shellcode to Evade Windows Defender
https://blog.rapid7.com/2018/05/03/hiding-metasploit-shellcode-to-evade-windows-defender/
https://blog.rapid7.com/2018/05/03/hiding-metasploit-shellcode-to-evade-windows-defender/
Rapid7
Hiding Metasploit Shellcode to Evade Windows Defender | Rapid7 Blog
If malware development is a cat-and-mouse game, then I would say that the industry creates some of the most terrifying hunters. Learn more.
Detecting hypervisor presence on windows 10
https://revers.engineering/detecting-hypervisor-presence-on-windows-10/
@windowshackinglibrary
https://revers.engineering/detecting-hypervisor-presence-on-windows-10/
@windowshackinglibrary
Reverse Engineering
Detecting Hypervisor Presence on Windows 10 - Reverse Engineering
Detecting a hypervisor on Windows 10 is relatively simple, but due to the simplistic nature of the currently published detection vectors it’s likely that they are also relatively simple to spoof or remove. In this article we’ll detail a few ways of detecting…
Blue Cloud of Death: Red Teaming Azure
https://speakerdeck.com/tweekfawkes/blue-cloud-of-death-red-teaming-azure-1
@windowshackinglibrary
https://speakerdeck.com/tweekfawkes/blue-cloud-of-death-red-teaming-azure-1
@windowshackinglibrary
Speaker Deck
Blue Cloud of Death: Red Teaming Azure
BSides Denver Presentation on May 11 2018
On-demand IT services are being publicized as the “new normal”, but often times these services are misunder…
On-demand IT services are being publicized as the “new normal”, but often times these services are misunder…
Ring +3 Malwares: Few tricks
http://www.blackstormsecurity.com/docs/BSIDES_2018_RELEASE.pdf
@windowshackinglibrary
http://www.blackstormsecurity.com/docs/BSIDES_2018_RELEASE.pdf
@windowshackinglibrary
Kerberos Party Tricks: Weaponizing Kerberos Protocol Flaws
http://www.exumbraops.com/blog/2016/6/1/kerberos-party-tricks-weaponizing-kerberos-protocol-flaws
@windowshackinglibrary
http://www.exumbraops.com/blog/2016/6/1/kerberos-party-tricks-weaponizing-kerberos-protocol-flaws
@windowshackinglibrary
Executing Commands and Bypassing AppLocker with PowerShell Diagnostic Scripts
https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-noscripts
@windowshackinglibrary
https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-noscripts
@windowshackinglibrary
bohops
Executing Commands and Bypassing AppLocker with PowerShell Diagnostic Scripts
Introduction Last week, I was hunting around the Windows Operating System for interesting noscripts and binaries that may be useful for future penetration tests and Red Team engagements. With increa…
Forwarded from Security Talks (Jonhnathan Jonhnathan Jonhnathan)
Not a Security Boundary: Bypassing User Account Control
Matt Nelson at Derbycon 2017
Microsoft's User Account Control feature, introduced in Windows Vista, has been a topic of interest to many in the security community. Since UAC was designed to force user approval for administrative actions, attackers (and red teamers) encounter UAC on nearly every engagement. As a result, bypassing this control is a task that an actor often has to overcome, despite its lack of formal designation as a security boundary. This talk highlights what UAC is, previous work by others, research methodology, and details several technical UAC bypasses developed by the author.
https://youtu.be/c8LgqtATAnE
@SecTalks
Matt Nelson at Derbycon 2017
Microsoft's User Account Control feature, introduced in Windows Vista, has been a topic of interest to many in the security community. Since UAC was designed to force user approval for administrative actions, attackers (and red teamers) encounter UAC on nearly every engagement. As a result, bypassing this control is a task that an actor often has to overcome, despite its lack of formal designation as a security boundary. This talk highlights what UAC is, previous work by others, research methodology, and details several technical UAC bypasses developed by the author.
https://youtu.be/c8LgqtATAnE
@SecTalks
YouTube
T114 Not a Security Boundary Bypassing User Account Control Matt Nelson
These are the videos from Derbycon 7 (2017):http://www.irongeek.com/i.php?page=videos/derbycon7/mainlist
Windows Userland Persistence Fundamentals
http://www.fuzzysecurity.com/tutorials/19.html
@WindowsHackingLibrary
http://www.fuzzysecurity.com/tutorials/19.html
@WindowsHackingLibrary
DLL Hijacking via URL files
https://insert-noscript.blogspot.com.br/2018/05/dll-hijacking-via-url-files.html
@WindowsHackingLibrary
https://insert-noscript.blogspot.com.br/2018/05/dll-hijacking-via-url-files.html
@WindowsHackingLibrary
Blogspot
DLL Hijacking via URL files
This blogpost describes how I got annoyed by vulnerabilities in 3rd party Windows applications, which allowed to execute local files but wi...