How to bypass AMSI and execute ANY malicious Powershell code
https://0x00-0x00.github.io/research/2018/10/28/How-to-bypass-AMSI-and-Execute-ANY-malicious-powershell-code.html
@WindowsHackingLibrary
zc00l blog
How to bypass AMSI and execute ANY malicious Powershell code
Hello again. In my previous posts I detailed how to manually get a SYSTEM shell from Local Administrator users. That’s interesting but very late game during a penetration assessment, as it is presumed that you already own the target machine.
A C# penetration testing tool to discover low-hanging web fruit via web requests
https://github.com/rvrsh3ll/SharpFruit
@WindowsHackingLibrary
GitHub
GitHub - rvrsh3ll/SharpFruit: A C# penetration testing tool to discover low-hanging web fruit via web requests.
A C# penetration testing tool to discover low-hanging web fruit via web requests. - rvrsh3ll/SharpFruit
RunDLL32 your .NET (AKA DLL exports from .NET)
https://blog.xpnsec.com/rundll32-your-dotnet
@WindowsHackingLibrary
XPN InfoSec Blog
@_xpn_ - RunDLL32 your .NET (AKA DLL exports from .NET)
In this post I wanted to look at a technique which is by no means new to .NET developers, but may prove useful to redteamers crafting their tools... exporting .NET static methods within a DLL... AKA using RunDLL32 to launch your .NET assembly.
Playing with Relayed Credentials
https://www.secureauth.com/blog/playing-relayed-credentials
@WindowsHackingLibrary
Operational Challenges in Offensive C#
https://posts.specterops.io/operational-challenges-in-offensive-c-355bd232a200
@WindowsHackingLibrary
Medium
Operational Challenges in Offensive C#
As offensive toolsets continue to move towards using C# as the language of choice for post-exploitation, I thought it’d be useful to think…
Recovering Plaintext Domain Credentials from WPA2 Enterprise on a Compromised Host
https://0x00-0x00.github.io/research/2018/11/06/Recovering-Plaintext-Domain-Credentials-From-WPA2-Enterprise-on-a-compromised-host.html
@WindowsHackingLibrary
zc00l blog
Recovering Plaintext Domain Credentials from WPA2 Enterprise on a Compromised Host
Oh No! AMSI blocked the AMSI Bypass! What Now?
https://0x00-0x00.github.io/research/2018/11/09/Oh-No!-Amsi-blocked-the-bypass.html
@WindowsHackingLibrary
zc00l blog
Oh No! AMSI blocked the AMSI Bypass! What now?
Bypassing Microsoft XOML Workflows Protection Mechanisms using Deserialisation of Untrusted Data
https://www.nccgroup.trust/uk/our-research/technical-advisory-bypassing-microsoft-xoml-workflows-protection-mechanisms-using-deserialisation-of-untrusted-data
@WindowsHackingLibrary
More than One Way to Skin a Hack
An Example in Getting Around CrowdStrike Endpoint Protection
https://link.medium.com/rnyWKqUNOR
@WindowsHackingLibrary
Medium
More than One Way to Skin a Hack
An Example in Getting Around CrowdStrike Endpoint Protection
Microsoft Build Engine Compromise - Part One
http://subt0x11.blogspot.com/2018/11/microsoft-build-engine-compromise-part_13.html
@WindowsHackingLibrary
Forwarded from Security Talks (Jonhnathan Jonhnathan Jonhnathan)
Hardening Hyper-V through Offensive Security Research
https://www.youtube.com/watch?v=025r8_TrV8I
@SecTalks
YouTube
Hardening Hyper-V through Offensive Security Research
Virtualization technology is fast becoming the backbone of the security strategy for modern computing platforms. Hyper-V, Microsoft's virtualization stack, is no exception and is therefore held to a high security standard, as is demonstrated by its $250,000…
Forwarded from Security Talks (Jonhnathan Jonhnathan Jonhnathan)
Subverting Sysmon: Application of a Formalized Security Product Evasion Methodology
https://www.youtube.com/watch?v=R5IEyoFpZq0
@SecTalks
YouTube
Subverting Sysmon: Application of a Formalized Security Product Evasion Methodology
While security products are a great supplement to the defensive posture of an enterprise, to well-funded nation-state actors, they are an impediment to achieving their objectives. As pentesters argue the efficacy of a product because it doesn't detect their…
Microsoft Windows - DfMarshal Unsafe Unmarshaling Privilege Escalation
https://www.exploit-db.com/exploits/45893
@WindowsHackingLibrary
Exploit Database
Microsoft Windows - DfMarshal Unsafe Unmarshaling Privilege Escalation
Microsoft Windows - DfMarshal Unsafe Unmarshaling Privilege Escalation. CVE-2018-8550. Local exploit for the Windows platform.
Not A Security Boundary: Breaking Forest Trusts
https://posts.specterops.io/not-a-security-boundary-breaking-forest-trusts-cd125829518d
@WindowsHackingLibrary
Posts By SpecterOps Team Members
Not A Security Boundary: Breaking Forest Trusts
For years Microsoft has stated that the forest was the security boundary in Active Directory. For example, Microsoft’s “What Are Domains and Forests?” document (last updated in 2014) has a “Forests…
w0rk3r's Windows Hacking Library
Detections:
Hunting in Active Directory: Unconstrained Delegation & Forests Trusts
https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1
@BlueTeamLibrary
Medium
Hunting in Active Directory: Unconstrained Delegation & Forests Trusts
During DerbyCon 2018 this past October, my teammates @tifkin_, @enigma0x3 and @harmj0y gave an awesome presentation titled “The Unintended…
Forwarded from Security Talks (Jonhnathan Jonhnathan Jonhnathan)
An ACE in the Hole: Stealthy Host Persistence via Security Descriptors
https://www.youtube.com/watch?v=ExO535CITXs
@SecTalks
YouTube
An ACE in the Hole: Stealthy Host Persistence via Security Descriptors [Corrected Audio]
Presented at DerbyCon 7.0: Legacy in Louisville, Kentucky in 2017.
SpecterOps: https://www.specterops.io
Pass-the-Cache to Domain Compromise
https://medium.com/@jamie.shaw/pass-the-cache-to-domain-compromise-320b6e2ff7da
@WindowsHackingLibrary
Medium
Pass-the-Cache to Domain Compromise
This post is going to go over a very quick domain compromise by abusing cached Kerberos tickets discovered on a Linux-based jump-box…
Microsoft Powerpoint as Malware Dropper
https://marcoramilli.blogspot.com/2018/11/microsoft-powerpoint-as-malware-dropper.html
@WindowsHackingLibrary