Writing a Hyper-V “Bridge” for Fuzzing — Part 1: WDF
http://www.alex-ionescu.com/?p=377
@WindowsHackingLibrary
Hunting the Delegation Access
https://www.notsosecure.com/hunting-the-delegation-access
NotSoSecure
Active Directory (AD) delegation is a fascinating subject, and we have previously discussed it in a blog post and later in a webinar. To summarize, Active Directory has a capability to delegate
Bypass EDR’s memory protection, introduction to hooking
https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6
Medium
Abusing Office Web Add-ins (for fun and limited profit)
https://www.mdsec.co.uk/2019/01/abusing-office-web-add-ins-for-fun-and-limited-profit
MDSec
Background The Office add-ins platform allows developers to extend Office applications and interact with document content. Add-ins are built using HTML, CSS and JavaScript, with JavaScript being used to interact...
Abusing Exchange: One API call away from Domain Admin
https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin
dirkjanm.io
In most organisations using Active Directory and Exchange, Exchange servers have such high privileges that being an Administrator on an Exchange server is enough to escalate to Domain Admin. Recently I came across a blog from the ZDI, in which they detail…
Technical White Paper: Finding and Exploiting the Check Point ZoneAlarm Anti-Virus for Local Privilege Escalation
https://www.illumant.com/blog/2019/01/16/check-point-anti-virus-technical-white-paper
illumant llc
Introduction Illumant has discovered a critical vulnerability in Check Point’s ZoneAlarm anti-virus software. This vulnerability allows a low-privileged user to escalate privileges to SYSTEM-level with the anti-virus software enabled. The vulnerability is…
Local Admin Access and Group Policy Don’t Mix
https://www.trustedsec.com/2019/01/local-admin-access-and-group-policy-dont-mix
TrustedSec
Wagging the Dog: Abusing Resource-Based Constrained Delegation to Attack Active Directory
https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html
Shenanigans Labs
Back in March 2018, I embarked on an arguably pointless crusade to prove that the TrustedToAuthForDelegation attribute was meaningless, and that “protocol transition” can be achieved without it. I believed that security wise, once constrained delegation was…
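The two delegation posts above (NotSoSecure's "Hunting the Delegation Access" and the Shenanigans Labs RBCD write-up) both come down to finding which accounts are configured for which kind of delegation. The following is an added example, not code from either post or channel, that inventories all three configurations with the RSAT ActiveDirectory module. It assumes a domain-joined host with that module installed and a domain user with ordinary read access; the function name and the exclusion of domain controllers (which hold unconstrained delegation by default) are my choices.

```powershell
# Added example (not from the linked posts): inventory AD delegation settings.
# Requires the RSAT ActiveDirectory module; plain domain-user read access is enough.
Import-Module ActiveDirectory

# userAccountControl bit values from the UAC flag definitions.
$TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained delegation
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # "protocol transition" (S4U2Self -> S4U2Proxy)
$LDAP_MATCHING_RULE_BIT_AND     = '1.2.840.113556.1.4.803'

function Get-DelegationInventory {
    # 1. Unconstrained delegation: any forwardable TGT sent to these hosts is reusable
    #    anywhere. Domain controllers (primaryGroupID 516) are excluded as expected noise.
    $unconstrained = Get-ADObject `
        -LDAPFilter "(&(userAccountControl:$LDAP_MATCHING_RULE_BIT_AND:=$TRUSTED_FOR_DELEGATION)(!(primaryGroupID=516)))" `
        -Properties sAMAccountName, objectClass |
        ForEach-Object {
            [pscustomobject]@{
                Account            = $_.sAMAccountName
                Class              = $_.objectClass
                Type               = 'Unconstrained'
                Targets            = '*'
                ProtocolTransition = $true   # no ticket from the user is needed at all
            }
        }

    # 2. Classic constrained delegation: msDS-AllowedToDelegateTo lists the allowed SPNs.
    #    The TrustedToAuthForDelegation bit tells you whether S4U2Self tickets are
    #    accepted for S4U2Proxy (the "protocol transition" the post above discusses).
    $constrained = Get-ADObject `
        -LDAPFilter '(msDS-AllowedToDelegateTo=*)' `
        -Properties sAMAccountName, objectClass, 'msDS-AllowedToDelegateTo', userAccountControl |
        ForEach-Object {
            [pscustomobject]@{
                Account            = $_.sAMAccountName
                Class              = $_.objectClass
                Type               = 'Constrained'
                Targets            = ($_.'msDS-AllowedToDelegateTo' -join ';')
                ProtocolTransition = [bool]($_.userAccountControl -band $TRUSTED_TO_AUTH_FOR_DELEGATION)
            }
        }

    # 3. Resource-based constrained delegation: the *target* carries a security
    #    descriptor naming the principals allowed to delegate to it. The AD module
    #    decodes the attribute into an ActiveDirectorySecurity object, so the ACEs are
    #    readable directly.
    $rbcd = Get-ADObject `
        -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' `
        -Properties sAMAccountName, objectClass, 'msDS-AllowedToActOnBehalfOfOtherIdentity' |
        ForEach-Object {
            $sd = $_.'msDS-AllowedToActOnBehalfOfOtherIdentity'
            $principals = ($sd.Access | ForEach-Object { $_.IdentityReference.Value }) -join ';'
            [pscustomobject]@{
                Account            = $_.sAMAccountName
                Class              = $_.objectClass
                Type               = 'ResourceBased'
                Targets            = "inbound from: $principals"
                ProtocolTransition = $true   # RBCD never checks the bit; see the post above
            }
        }

    $unconstrained + $constrained + $rbcd
}

Get-DelegationInventory | Sort-Object Type, Account | Format-Table -AutoSize
```

Read the output with the Shenanigans Labs argument in mind: a `ProtocolTransition` of `$false` on a classic constrained entry only means the flag is unset, not that the account is safe, since a principal that can write `msDS-AllowedToActOnBehalfOfOtherIdentity` on a target (or that controls an account listed there) gets the same effect without the flag. Any writable computer account with an SPN is therefore worth listing next to the RBCD rows.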
Too much % makes Event Viewer drunk
http://www.hexacorn.com/blog/2019/01/27/too-much-makes-event-viewer-drunk
How to Argue like Cobalt Strike
https://blog.xpnsec.com/how-to-argue-like-cobalt-strike
XPN InfoSec Blog
@_xpn_ - How to Argue like Cobalt Strike
In Cobalt Strike 3.13, the argue command was introduced as a way of taking advantage of argument spoofing. I was first made aware of the concept while watching Will Burgess's awesome talk RedTeaming in the EDR Age, with Will crediting Casey Smith who presented…
w0rk3r's Windows Hacking Library
[PrivExchange] From user to domain admin in less than 60sec
http://blog.randorisec.fr/privexchange-from-user-to-domain-admin-in-less-than-60sec
Exploiting Malwarebytes Anti-Exploit
https://acru3l.github.io/2019/02/02/exploiting-mb-anti-exploit
Round of use Winrm code execution XML
https://medium.com/@mattharr0ey/round-of-use-winrm-code-execution-xml-6e3219d3e31
Medium
This introduction aims to give a simple overview of using Winrm.vbs to execute code from an XML file, so I could…
PoC: Using CloudFlare as an HTTP C2 with PowerShell Empire
https://holdmybeersecurity.com/2019/02/07/poc-using-cloudflare-as-an-http-c2-with-powershell-empire
Entering a Covenant: .NET Command and Control
https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462
Medium
I’ve slowly been open sourcing .NET tradecraft that I’ve been working on for some time, including the SharpSploit, SharpGen, and…
External C2, IE COM Objects and how to use them for Command and Control
https://www.mdsec.co.uk/2019/02/external-c2-ie-com-objects-and-how-to-use-them-for-command-and-control
MDSec
Background Cobalt Strike 3.6 introduced a powerful new feature called External C2, providing an interface for custom Command and Control channels. Being a fan of custom C2 channels I started...
Bypasses Microsoft's Anti-Malware Scan Interface (AMSI) for a PowerShell session process started through the "Start-Job" cmdlet, whose PID is then accessed using "Enter-PSHostProcess"
https://github.com/securemode/Bypass-AMSI9000