Red Team Tactics: Combining Direct System Calls and sRDI to bypass AV/EDR
https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr
@WindowsHackingLibrary
https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr
@WindowsHackingLibrary
Introducing Slackor, a Remote Access Tool Using Slack as a C2 Channel
https://www.coalfire.com/The-Coalfire-Blog/June-2019/Introducing-Slackor
Tool:
https://github.com/Coalfire-Research/Slackor
@WindowsHackingLibrary
https://www.coalfire.com/The-Coalfire-Blog/June-2019/Introducing-Slackor
Tool:
https://github.com/Coalfire-Research/Slackor
@WindowsHackingLibrary
Coalfire
Introducing Slackor
Slackor is a remote access tool using Slack as a C2 channel. Learn more on this page.
In NTDLL I Trust – Process Reimaging and Endpoint Security Solution Bypass
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/in-ntdll-i-trust-process-reimaging-and-endpoint-security-solution-bypass
@WindowsHackingLibrary
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/in-ntdll-i-trust-process-reimaging-and-endpoint-security-solution-bypass
@WindowsHackingLibrary
McAfee Blog
Cybersecurity News and Insights to Stay Safe Online | McAfee Blog
Welcome to the McAfee Blog, where we share posts about security solutions and products to keep you and your connected family safe online.
Stealthy & Targeted Implant Loaders
https://attactics.org/2019/06/21/stealthy-targeted-implant-loaders
@WindowsHackingLibrary
https://attactics.org/2019/06/21/stealthy-targeted-implant-loaders
@WindowsHackingLibrary
DACL Permissions Overwrite Vulnerability in Check Point VPN
https://bordplate.no/blog/en/post/check-point-file-permissions-overwrite
@WindowsHackingLibrary
https://bordplate.no/blog/en/post/check-point-file-permissions-overwrite
@WindowsHackingLibrary
UNC Path Injection with Microsoft Access
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/unc-path-injection-with-microsoft-access
@WindowsHackingLibrary
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/unc-path-injection-with-microsoft-access
@WindowsHackingLibrary
Trustwave
UNC Path Injection with Microsoft Access
Steve Borosh is a Principal Security Consultant for Trustwave and Trustwave Government Solutions, specializing in offensive security service for both commercial and federal customers.
CVE-2019-1040 scanner
Checks for CVE-2019-1040 vulnerability over SMB. The noscript will establish a connection to the target host(s) and send an invalid NTLM authentication. If this is accepted, the host is vulnerable to CVE-2019-1040 and you can execute the MIC Remove attack with ntlmrelayx.
Note that this does not generate failed login attempts as the login information itself is valid, it is just the NTLM message integrity code that is absent, which is why the authentication is refused without increasing the badpwdcount.
https://github.com/fox-it/cve-2019-1040-scanner
@WindowsHackingLibrary
Checks for CVE-2019-1040 vulnerability over SMB. The noscript will establish a connection to the target host(s) and send an invalid NTLM authentication. If this is accepted, the host is vulnerable to CVE-2019-1040 and you can execute the MIC Remove attack with ntlmrelayx.
Note that this does not generate failed login attempts as the login information itself is valid, it is just the NTLM message integrity code that is absent, which is why the authentication is refused without increasing the badpwdcount.
https://github.com/fox-it/cve-2019-1040-scanner
@WindowsHackingLibrary
GitHub
GitHub - fox-it/cve-2019-1040-scanner
Contribute to fox-it/cve-2019-1040-scanner development by creating an account on GitHub.
Calling Syscalls Directly from Visual Studio to Bypass AVs/EDRs
https://ired.team/offensive-security/defense-evasion/using-syscalls-directly-from-visual-studio-to-bypass-avs-edrs
@WindowsHackingLibrary
https://ired.team/offensive-security/defense-evasion/using-syscalls-directly-from-visual-studio-to-bypass-avs-edrs
@WindowsHackingLibrary
www.ired.team
Calling Syscalls Directly from Visual Studio to Bypass AVs/EDRs | Red Team Notes
CVE-2019–13382: Local Privilege Escalation in SnagIt
https://posts.specterops.io/cve-2019-13382-local-privilege-escalation-in-snagit-abe5f31c349
@WindowsHackingLibrary
https://posts.specterops.io/cve-2019-13382-local-privilege-escalation-in-snagit-abe5f31c349
@WindowsHackingLibrary
Medium
CVE-2019–13382: Local Privilege Escalation in SnagIt
Version: Snagit 2019.1.2 Build 3596 Operating System tested on: Windows 10 1803 (x64) Vulnerability: SnagIt Relay Classic Recorder Local…
Credential theft without admin or touching LSASS with Kekeo by abusing CredSSP / TSPKG (RDP SSO)
https://clement.notin.org/blog/2019/07/03/credential-theft-without-admin-or-touching-lsass-with-kekeo-by-abusing-credssp-tspkg-rdp-sso
@WindowsHackingLibrary
https://clement.notin.org/blog/2019/07/03/credential-theft-without-admin-or-touching-lsass-with-kekeo-by-abusing-credssp-tspkg-rdp-sso
@WindowsHackingLibrary
clement.notin.org
Credential theft without admin or touching LSASS with Kekeo by abusing CredSSP / TSPKG (RDP SSO) | Clément Notin | Blog
If you have compromised a Windows host, and cannot or do not want to, dump clear-text passwords using traditional techniques (e.g. mimikatz’s sekurlsa::logon...
Analysing RPC With Ghidra and Neo4j
https://blog.xpnsec.com/analysing-rpc-with-ghidra-neo4j
@WindowsHackingLibrary
https://blog.xpnsec.com/analysing-rpc-with-ghidra-neo4j
@WindowsHackingLibrary
XPN InfoSec Blog
@_xpn_ - Analysing RPC With Ghidra and Neo4j
Hunting for new lateral movement techniques or interesting ways to execute code can be a nice way to sink some free time. With Windows spawning numerous RPC services on boot, finding unusual execution techniques is sometimes as simple as scratching just below…
Introducing Pingback Payloads
https://blog.rapid7.com/2019/08/01/introducing-pingback-payloads
@WindowsHackingLibrary
https://blog.rapid7.com/2019/08/01/introducing-pingback-payloads
@WindowsHackingLibrary
Rapid7
Introducing Pingback Payloads | Rapid7 Blog
The Metasploit team added a new feature to Framework that improves safety and offers another avenue in MSF for novel evasion techniques: pingback payloads.
Hide *Exploitable* Extended-Rights (including DCSync privs) to remain persistence
https://medium.com/@huykha/hide-exploitable-extended-rights-to-remain-persistence-92a2e1d3670d
@WindowsHackingLibrary
https://medium.com/@huykha/hide-exploitable-extended-rights-to-remain-persistence-92a2e1d3670d
@WindowsHackingLibrary
Reverse RDP Attack: The Hyper-V Connection
https://research.checkpoint.com/reverse-rdp-the-hyper-v-connection
@WindowsHackingLibrary
https://research.checkpoint.com/reverse-rdp-the-hyper-v-connection
@WindowsHackingLibrary
Check Point Research
Reverse RDP Attack: The Hyper-V Connection - Check Point Research
Research by: Eyal Itkin Overview Earlier this year, we published our research on the Reverse RDP Attack. In our previous blog post, we described how we found numerous critical vulnerabilities in popular Remote Desktop Protocol (RDP) clients. However, our…
How to Bypass WDAC with dbgsrv.exe
https://www.fortynorthsecurity.com/how-to-bypass-wdac-with-dbgsrv-exe
@WindowsHackingLibrary
https://www.fortynorthsecurity.com/how-to-bypass-wdac-with-dbgsrv-exe
@WindowsHackingLibrary
Local Privilege Escalation on Windows through the lock screen, NTLM relay, and RBCD 🤯
https://shenaniganslabs.io/2019/08/08/Lock-Screen-LPE.html
@WindowsHackingLibrary
https://shenaniganslabs.io/2019/08/08/Lock-Screen-LPE.html
@WindowsHackingLibrary
Shenanigans Labs
Gone to the Dogs
Just in time for our DEF CON workshop “Constructing Kerberos Attacks with Delegation Primitives”, Microsoft failed to meet the disclosure deadline, and so we publish another primitive that can be abused to achieve Windows Local Privilege Escalation (LPE).…
Constructing Kerberos Attacks with Delegation Primitives - Defcon Workshop
From Kerberos 101 to advanced attack chains
https://shenaniganslabs.io/media/Constructing%20Kerberos%20Attacks%20with%20Delegation%20Primitives.pdf
@WindowsHackingLibrary
From Kerberos 101 to advanced attack chains
https://shenaniganslabs.io/media/Constructing%20Kerberos%20Attacks%20with%20Delegation%20Primitives.pdf
@WindowsHackingLibrary