SMB Named Pipe Pivoting in Meterpreter
https://medium.com/@petergombos/smb-named-pipe-pivoting-in-meterpreter-462580fd41c5
@WindowsHackingLibrary
A hidden feature of Metasploit, is the ability to add SMB Named Pipe listeners in a meterpreter session to pivot on an internal network…
On-the-Run with Empire
https://posts.specterops.io/on-the-run-with-empire-67ddde01270c
@WindowsHackingLibrary
During my study time for mobile application testing, I came to the realization that there are a lot of bad coding practices taking place…
Reversing ALPC: Where are your windows bugs and sandbox escapes?
https://sandboxescaper.blogspot.com/2018/10/reversing-alpc-where-are-your-windows.html
@WindowsHackingLibrary
Abusing PowerShell Desired State Configuration for Lateral Movement
https://posts.specterops.io/abusing-powershell-desired-state-configuration-for-lateral-movement-ca42ddbe6f06
@WindowsHackingLibrary
Lateral Movement Technique Description
How to bypass AMSI and execute ANY malicious Powershell code
https://0x00-0x00.github.io/research/2018/10/28/How-to-bypass-AMSI-and-Execute-ANY-malicious-powershell-code.html
@WindowsHackingLibrary
Hello again. In my previous posts I detailed how to manually get SYSTEM shell from Local Administrators users. That’s interesting but very late game during a penetration assessment as it is presumed that you already owned the target machine.
A C# penetration testing tool to discover low-hanging web fruit via web requests
https://github.com/rvrsh3ll/SharpFruit
@WindowsHackingLibrary
A C# penetration testing tool to discover low-hanging web fruit via web requests. - rvrsh3ll/SharpFruit
RunDLL32 your .NET (AKA DLL exports from .NET)
https://blog.xpnsec.com/rundll32-your-dotnet
@WindowsHackingLibrary
In this post I wanted to look at a technique which is by no means new to .NET developers, but may prove useful to redteamers crafting their tools... exporting .NET static methods within a DLL... AKA using RunDLL32 to launch your .NET assembly.
Playing with Relayed Credentials
https://www.secureauth.com/blog/playing-relayed-credentials
@WindowsHackingLibrary
Operational Challenges in Offensive C#
https://posts.specterops.io/operational-challenges-in-offensive-c-355bd232a200
@WindowsHackingLibrary
As offensive toolsets continue to move towards using C# as the language of choice for post-exploitation, I thought it’d be useful to think…
Recovering Plaintext Domain Credentials from WPA2 Enterprise on a Compromised Host
https://0x00-0x00.github.io/research/2018/11/06/Recovering-Plaintext-Domain-Credentials-From-WPA2-Enterprise-on-a-compromised-host.html
@WindowsHackingLibrary
Oh No! AMSI blocked the AMSI Bypass! What Now?
https://0x00-0x00.github.io/research/2018/11/09/Oh-No!-Amsi-blocked-the-bypass.html
@WindowsHackingLibrary
Bypassing Microsoft XOML Workflows Protection Mechanisms using Deserialisation of Untrusted Data
https://www.nccgroup.trust/uk/our-research/technical-advisory-bypassing-microsoft-xoml-workflows-protection-mechanisms-using-deserialisation-of-untrusted-data
@WindowsHackingLibrary
More than One Way to Skin a Hack
An Example in Getting Around CrowdStrike Endpoint Protection
https://link.medium.com/rnyWKqUNOR
@WindowsHackingLibrary
Microsoft Build Engine Compromise - Part One
http://subt0x11.blogspot.com/2018/11/microsoft-build-engine-compromise-part_13.html
@WindowsHackingLibrary
Forwarded from Security Talks (Jonhnathan Jonhnathan Jonhnathan)
Hardening Hyper-V through Offensive Security Research
https://www.youtube.com/watch?v=025r8_TrV8I
@SecTalks
Virtualization technology is fast becoming the backbone of the security strategy for modern computing platforms. Hyper-V, Microsoft's virtualization stack, is no exception and is therefore held to a high security standard, as is demonstrated by its $250,000…
Forwarded from Security Talks (Jonhnathan Jonhnathan Jonhnathan)
Subverting Sysmon: Application of a Formalized Security Product Evasion Methodology
https://www.youtube.com/watch?v=R5IEyoFpZq0
@SecTalks
While security products are a great supplement to the defensive posture of an enterprise, to well-funded nation-state actors, they are an impediment to achieving their objectives. As pentesters argue the efficacy of a product because it doesn't detect their…
Microsoft Windows - DfMarshal Unsafe Unmarshaling Privilege Escalation
https://www.exploit-db.com/exploits/45893
@WindowsHackingLibrary
Microsoft Windows - DfMarshal Unsafe Unmarshaling Privilege Escalation. CVE-2018-8550 . local exploit for Windows platform
Not A Security Boundary: Breaking Forest Trusts
https://posts.specterops.io/not-a-security-boundary-breaking-forest-trusts-cd125829518d
@WindowsHackingLibrary
For years Microsoft has stated that the forest was the security boundary in Active Directory. For example, Microsoft’s “What Are Domains and Forests?” document (last updated in 2014) has a “Forests…