Analyzing ARP to Discover & Exploit Stale Network Address Configurations
https://www.blackhillsinfosec.com/analyzing-arp-to-discover-exploit-stale-network-address-configurations
@WindowsHackingLibrary
Black Hills Information Security, Inc.
Justin Angel// Introduction In penetration testing, ARP is most commonly discussed in terms of poisoning attacks where an attacker achieves a man-in-the-middle (MITM) position between victim nodes by contaminating the […]
Exploiting CVE-2019-1040 - Combining relay vulnerabilities for RCE and Domain Admin
https://dirkjanm.io/exploiting-CVE-2019-1040-relay-vulnerabilities-for-rce-and-domain-admin
@WindowsHackingLibrary
dirkjanm.io
Earlier this week, Microsoft issued patches for CVE-2019-1040, which is a vulnerability that allows for bypassing of NTLM relay mitigations. The vulnerability was discovered by Marina Simakov and Yaron Zinar (as well as several others credited in the Microsoft…
Modern Red Team Infrastructure
https://silentbreaksecurity.com/modern-red-team-infrastructure
@WindowsHackingLibrary
Hijacking Administrative Templates
https://sdmsoftware.com/group-policy-blog/security-related/hijacking-administrative-templates
@WindowsHackingLibrary
Evading Sysmon DNS Monitoring
https://blog.xpnsec.com/evading-sysmon-dns-monitoring
@WindowsHackingLibrary
XPN InfoSec Blog
@_xpn_ - Evading Sysmon DNS Monitoring
In a recent update to Sysmon, a new feature was introduced allowing the ability to log DNS events. While this gives an excellent datapoint for defenders (shout out to the SysInternals team for continuing to provide and support these awesome tools for free)…
Sliver: A general purpose cross-platform implant framework that supports C2 over Mutual-TLS, HTTP(S), and DNS.
https://github.com/BishopFox/sliver
@WindowsHackingLibrary
GitHub
GitHub - BishopFox/sliver: Adversary Emulation Framework
Anti-VM Techniques with MSAcpi_ThermalZoneTemperature
https://medium.com/@DebugActiveProcess/anti-vm-techniques-with-msacpi-thermalzonetemperature-32cfeecda802
@WindowsHackingLibrary
Medium
The Win32_TemperatureProbe WMI class represents the properties of a temperature sensor (electronic thermometer).
Red Team Tactics: Combining Direct System Calls and sRDI to bypass AV/EDR
https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr
@WindowsHackingLibrary
Introducing Slackor, a Remote Access Tool Using Slack as a C2 Channel
https://www.coalfire.com/The-Coalfire-Blog/June-2019/Introducing-Slackor
Tool:
https://github.com/Coalfire-Research/Slackor
@WindowsHackingLibrary
Coalfire
In NTDLL I Trust – Process Reimaging and Endpoint Security Solution Bypass
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/in-ntdll-i-trust-process-reimaging-and-endpoint-security-solution-bypass
@WindowsHackingLibrary
McAfee Blog
Stealthy & Targeted Implant Loaders
https://attactics.org/2019/06/21/stealthy-targeted-implant-loaders
@WindowsHackingLibrary
DACL Permissions Overwrite Vulnerability in Check Point VPN
https://bordplate.no/blog/en/post/check-point-file-permissions-overwrite
@WindowsHackingLibrary
UNC Path Injection with Microsoft Access
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/unc-path-injection-with-microsoft-access
@WindowsHackingLibrary
Trustwave
Steve Borosh is a Principal Security Consultant for Trustwave and Trustwave Government Solutions, specializing in offensive security service for both commercial and federal customers.
CVE-2019-1040 scanner
Checks for the CVE-2019-1040 vulnerability over SMB. The script establishes a connection to the target host(s) and sends an invalid NTLM authentication. If this is accepted, the host is vulnerable to CVE-2019-1040 and you can execute the MIC Remove attack with ntlmrelayx.
Note that this does not generate failed login attempts as the login information itself is valid, it is just the NTLM message integrity code that is absent, which is why the authentication is refused without increasing the badpwdcount.
https://github.com/fox-it/cve-2019-1040-scanner
@WindowsHackingLibrary
GitHub
Calling Syscalls Directly from Visual Studio to Bypass AVs/EDRs
https://ired.team/offensive-security/defense-evasion/using-syscalls-directly-from-visual-studio-to-bypass-avs-edrs
@WindowsHackingLibrary
www.ired.team