w0rk3r's Windows Hacking Library
“Relaying” Kerberos - Having fun with unconstrained delegation https://dirkjanm.io/krbrelayx-unconstrained-delegation-abuse-toolkit @WindowsHackingLibrary
Krbrelayx - Unconstrained delegation abuse toolkit
https://github.com/dirkjanm/krbrelayx
GitHub
GitHub - dirkjanm/krbrelayx: Kerberos relaying and unconstrained delegation abuse toolkit
Abusing Unsafe Defaults in Active Directory Domain Services: A Real-World Case Study
https://gosecure.net/2019/02/20/abusing-unsafe-defaults-in-active-directory
GoSecure
Abusing Unsafe Defaults in Active Directory Domain Services: A Real-World Case Study - GoSecure
Combine a bug in Antidote, a popular enterprise spellchecker, and unsafe defaults in Active Directory, and you get more NTLM hashes than you can deal with.
Trust? Years to earn, seconds to break (T2A4D)
https://labs.mwrinfosecurity.com/blog/trust-years-to-earn-seconds-to-break
powershellveryless
== Constrained Language Mode + AMSI bypass all in one ==
https://github.com/decoder-it/powershellveryless
GitHub
GitHub - decoder-it/powershellveryless: Constrained Language Mode + AMSI bypass all in one
Data Source Analysis and Dynamic Windows RE using WPP and TraceLogging
https://posts.specterops.io/data-source-analysis-and-dynamic-windows-re-using-wpp-and-tracelogging-e465f8b653f7
Posts By SpecterOps Team Members
Data Source Analysis and Dynamic Windows RE using WPP and TraceLogging
Whether analyzing a Windows binary or assessing new data sources for detection engineering purposes, using lesser known tracing mechanisms…
Get-AzurePasswords: Exporting Azure RunAs Certificates for Persistence
https://blog.netspi.com/exporting-azure-runas-certificates
NetSPI Blog
Get-AzurePasswords: Exporting Azure RunAs Certificates for Persistence
Logging in with RunAs certificates is a great way for maintaining access in an Azure environment during a penetration test. See how we export the PFX files.
A Case Study in Wagging the Dog: Computer Takeover
https://posts.specterops.io/a-case-study-in-wagging-the-dog-computer-takeover-2bcb7f94c783
Medium
A Case Study in Wagging the Dog: Computer Takeover
Last month, Elad Shamir released a phenomenal, in depth post on abusing resource-based constrained delegation (RBCD) in Active Directory…
Remote Code Execution — Gaining Domain Admin due to a typo
https://medium.com/@DanielC7/remote-code-execution-gaining-domain-admin-privileges-due-to-a-typo-dbf8773df767
Medium
Remote Code Execution — Gaining Domain Admin due to a typo
CVE-2018-9022
SirepRAT - RCE as SYSTEM on Windows IoT Core
https://github.com/SafeBreach-Labs/SirepRAT
GitHub
GitHub - SafeBreach-Labs/SirepRAT: Remote Command Execution as SYSTEM on Windows IoT Core (releases available for Python2.7 & Python3)
The worst of both worlds: Combining NTLM Relaying and Kerberos delegation
https://dirkjanm.io/worst-of-both-worlds-ntlm-relaying-and-kerberos-delegation
dirkjanm.io
The worst of both worlds: Combining NTLM Relaying and Kerberos delegation
After my in-depth post last month about unconstrained delegation, this post will discuss a different type of Kerberos delegation: resource-based constrained delegation. The content in this post is based on Elad Shamir’s Kerberos research and combined with…
MachineAccountQuota is USEFUL Sometimes: Exploiting One of Active Directory’s Oddest Settings
https://blog.netspi.com/machineaccountquota-is-useful-sometimes
NetSPI
MachineAccountQuota is USEFUL Sometimes: Exploiting One of Active Directory's Oddest Settings
Learn about what MAQ is and beyond in our blog titled MachineAccountQuota is USEFUL Sometimes: Exploiting One of Active Directory's Oddest Settings.
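The delegation entries above (the unconstrained-delegation / krbrelayx posts, the "Wagging the Dog" RBCD computer-takeover case study, "The worst of both worlds", and the MachineAccountQuota post) all turn on a handful of directory settings that are cheap to read. The script below is an added audit example, not code from any of the linked posts or tools; it assumes the RSAT ActiveDirectory module on a domain-joined host, uses only the real AD schema attribute names, and makes read-only queries that work as an ordinary domain user.

```powershell
# Added audit example (not from the linked posts). Assumes the RSAT
# ActiveDirectory module on a domain-joined host; every query is read-only
# and works as an ordinary domain user.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName

# 1. ms-DS-MachineAccountQuota: how many computer accounts any authenticated
#    user may add. The default of 10 is what the MachineAccountQuota and
#    RBCD posts rely on; setting it to 0 removes that foothold.
$maq = (Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Output "ms-DS-MachineAccountQuota = $maq"

# 2. Unconstrained delegation: TRUSTED_FOR_DELEGATION (0x80000 = 524288) in
#    userAccountControl. Writable domain controllers (primaryGroupID 516)
#    always carry it; any other host is a target for the krbrelayx technique.
$unconstrained = Get-ADComputer `
    -LDAPFilter '(&(userAccountControl:1.2.840.113556.1.4.803:=524288)(!(primaryGroupID=516)))' `
    -Properties OperatingSystem
$unconstrained | Select-Object Name, OperatingSystem

# 3. Resource-based constrained delegation: any computer whose
#    msDS-AllowedToActOnBehalfOfOtherIdentity is populated. The AD module
#    exposes the attribute as a security descriptor, so list the principals
#    it grants; a freshly created machine account here is the RBCD takeover.
Get-ADComputer -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' `
    -Properties msDS-AllowedToActOnBehalfOfOtherIdentity |
    ForEach-Object {
        $sd = $_.'msDS-AllowedToActOnBehalfOfOtherIdentity'
        [PSCustomObject]@{
            Computer     = $_.Name
            AllowedToAct = ($sd.Access | ForEach-Object { $_.IdentityReference.Value }) -join ', '
        }
    }

# 4. Computer accounts created through the quota rather than by someone with
#    create rights on the OU: the DC stamps mS-DS-CreatorSID only in that
#    case, so its presence alone is a useful signal. Resolve it to a name.
Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' -Properties mS-DS-CreatorSID, whenCreated |
    ForEach-Object {
        $raw = $_.'mS-DS-CreatorSID'
        # The module returns the attribute as raw bytes; handle both forms.
        $sid = if ($raw -is [System.Security.Principal.SecurityIdentifier]) { $raw }
               else { New-Object System.Security.Principal.SecurityIdentifier($raw, 0) }
        try   { $creator = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $creator = $sid.Value }
        [PSCustomObject]@{
            Computer = $_.Name
            Created  = $_.whenCreated
            Creator  = $creator
        }
    }
```

Run it before and after an engagement: a new entry in section 4 whose creator is a low-privilege user, combined with that account appearing in section 3 on a server it should never act for, is exactly the chain the RBCD posts describe.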
Silencing Cylance: A Case Study in Modern EDRs
https://www.mdsec.co.uk/2019/03/silencing-cylance-a-case-study-in-modern-edrs
MDSec
Silencing Cylance: A Case Study in Modern EDRs - MDSec
As red teamers regularly operating against mature organisations, we frequently come into contact with a variety of Endpoint Detection & Response solutions. To better our chances of success in...
Dynamic Shellcode Execution
https://countercept.com/blog/dynamic-shellcode-execution
WEF Logging Bypass for Elastic's Winlogbeat
https://blog.neu5ron.com/2019/03/wef-logging-bypass-for-elastics.html
Neu5Ron
WEF Logging Bypass for Elastic's Winlogbeat
Background: On 2019-02-26 3:27am EST, I alerted Elastic to a reliable bypass for Winlogbeat. Thankfully, it is now fixed as of 6.6.2. I ...
Fileless UAC Bypass in Windows Store Binary
https://www.activecyber.us/activelabs/windows-uac-bypass
Development of a new Windows 10 KASLR Bypass (in One WinDBG Command)
https://www.offensive-security.com/vulndev/development-of-a-new-windows-10-kaslr-bypass-in-one-windbg-command
Red Team Telemetry: Empire Edition
https://www.lares.com/red-team-telemetry-empire-edition
Kerbrute
A tool to quickly bruteforce and enumerate valid Active Directory accounts through Kerberos Pre-Authentication
https://github.com/ropnop/kerbrute
Faction C2 Framework
A modern, flexible C2 framework
https://github.com/factionc2
GitHub
Faction C2 Framework
A modern, flexible C2 framework (currently very beta) - Faction C2 Framework