How to: Kerberoast like a boss
https://www.pentestpartners.com/security-blog/how-to-kerberoast-like-a-boss
@WindowsHackingLibrary
Building and Attacking an Active Directory lab with PowerShell (Because everyone needs a lab)
https://1337red.wordpress.com/building-and-attacking-an-active-directory-lab-with-powershell
@WindowsHackingLibrary
1337red
Building and Attacking an Active Directory lab with PowerShell
Let me open this with a few questions: Do you have your own penetration testing lab? Have you installed Windows Server 2016 before? Do you have Active Directory at home? What version of PowerShell a…
Understanding and Defending Against Access Token Theft: Finding Alternatives to winlogon.exe
https://posts.specterops.io/understanding-and-defending-against-access-token-theft-finding-alternatives-to-winlogon-exe-80696c8a73b
@WindowsHackingLibrary
Medium
A dive into Windows processes, access tokens, SACLs, WinAPI and access token manipulation.
Security Descriptor Auditing Methodology: Investigating Event Log Security
https://posts.specterops.io/security-denoscriptor-auditing-methodology-investigating-event-log-security-d64f4289965d
@WindowsHackingLibrary
Medium
Upon gaining access to a system, what level of access is granted to an attacker who has yet to elevate their privileges?
Staying Hidden on the Endpoint: Evading Detection with Shellcode
https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html
GitHub:
https://github.com/fireeye/DueDLLigence
@WindowsHackingLibrary
Google Cloud Blog
Staying Hidden on the Endpoint: Evading Detection with Shellcode | Mandiant | Google Cloud Blog
Exploiting RegEdit for Invisible Persistence and Binary Storage
https://github.com/ewhitehats/InvisiblePersistence/blob/master/InvisibleRegValues_Whitepaper.pdf
#Repost
@WindowsHackingLibrary
GitHub
InvisiblePersistence/InvisibleRegValues_Whitepaper.pdf at master · ewhitehats/InvisiblePersistence
Persisting in the Windows registry "invisibly". Contribute to ewhitehats/InvisiblePersistence development by creating an account on GitHub.
w0rk3r's Windows Hacking Library
SharpHide
Just a nice persistence trick to confuse DFIR investigation. Uses NtSetValueKey native API to create a hidden (null terminated) registry key.
https://github.com/outflanknl/SharpHide
@WindowsHackingLibrary
GitHub
GitHub - outflanknl/SharpHide: Tool to create hidden registry keys.
Tool to create hidden registry keys. Contribute to outflanknl/SharpHide development by creating an account on GitHub.
Covenant: Developing Custom C2 Communication Protocols
https://posts.specterops.io/covenant-developing-custom-c2-communication-protocols-895587e7f325
@WindowsHackingLibrary
Medium
As of Covenant v0.4, Covenant provides options that allow developers to integrate custom C2 communication protocols into an operation…
Protecting Your Malware with blockdlls and ACG
https://blog.xpnsec.com/protecting-your-malware
@WindowsHackingLibrary
XPN InfoSec Blog
@_xpn_ - Protecting Your Malware with blockdlls and ACG
In Cobalt Strike, blockdlls was introduced to allow protection of spawned processes from non-Microsoft signed DLL's. In this post I will show just how this works, and look at an additional process security option which could help us to deter endpoint security…
RdpThief: Extracting Clear-text Credentials from Remote Desktop Clients
https://www.mdsec.co.uk/2019/11/rdpthief-extracting-clear-text-credentials-from-remote-desktop-clients
@WindowsHackingLibrary
MDSec
RdpThief: Extracting Clear-text Credentials from Remote Desktop Clients - MDSec
Introduction Remote Desktop is one of the most widely used tools for managing Windows Servers. Admins love using RDP and so do attackers. Often the credentials that are used to...
Ghost Potato (NTLM Reflection)
https://shenaniganslabs.io/2019/11/12/Ghost-Potato.html
@WindowsHackingLibrary
Shenanigans Labs
Ghost Potato
Halloween has come and gone, and yet NTLM reflection is back from the dead to haunt MSRC once again. This post describes a deceptively simple bug that has existed in Windows for 15 years.
NTLM reflection is still possible through a highly reliable timing…
[Paper] Injecting .NET Ransomware into Unmanaged Process
https://exploit-db.com/docs/47680
@WindowsHackingLibrary
[Tool] DNCI - Dot Net Code Injector
DNCI allows the injection of .Net code (.exe or .dll) remotely in unmanaged processes in windows.
https://github.com/guibacellar/DNCI
@WindowsHackingLibrary
GitHub
GitHub - guibacellar/DNCI: DNCI - Dot Net Code Injector
DNCI - Dot Net Code Injector. Contribute to guibacellar/DNCI development by creating an account on GitHub.
Forwarded from w0rk3r's Blue team Library (Jonhnathan Jonhnathan Jonhnathan)
Unrestricted Release of Offensive Security Tools
Uncontrolled proliferation of Offensive Security Tools is an unnecessary contribution to real threat actors' computer network operations.
https://medium.com/@QW5kcmV3/misconceptions-unrestricted-release-of-offensive-security-tools-789299c72afe
@BlueTeamLibrary
Medium
Misconceptions: Unrestricted Release of Offensive Security Tools
Evading WinDefender ATP credential-theft: a hit after a hit-and-miss start
https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass
@WindowsHackingLibrary
Matteomalvica
Cobalt Strike 4.0 – Bring Your Own Weaponization
https://blog.cobaltstrike.com/2019/12/05/cobalt-strike-4-0-bring-your-own-weaponization
@WindowsHackingLibrary
Cobalt Strike
Resources - Cobalt Strike
SCshell: Fileless Lateral Movement Using Service Manager
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/scshell-fileless-lateral-movement-using-service-manager/
[Github]
https://github.com/SpiderLabs/SCShell
@WindowsHackingLibrary
Trustwave
During red team engagements, lateral movement in a network is crucial. In addition, as a critical part of exploit chains, security solutions put a lot of effort to detect this movement. Techniques such as remote WMI and PsExec are fairly well detected. In…
Reversing Windows Internals (Part 1) – Digging Into Handles, Callbacks & ObjectTypes
https://rayanfam.com/topics/reversing-windows-internals-part1
@WindowsHackingLibrary
Rayanfam Blog
Reversing Windows Internals (Part 1) - Digging Into Handles, Callbacks & ObjectTypes
We write about Windows Internals, Hypervisors, Linux, and Networks.
Updating adconnectdump - a journey into DPAPI
https://dirkjanm.io/updating-adconnectdump-a-journey-into-dpapi
@WindowsHackingLibrary
dirkjanm.io
Last year when I started playing with Azure I looked into Azure AD connect and how it stores its high privilege credentials. When I was revisiting this topic a few weeks ago, it turned out that some things had changed and my previous method of dumping credentials…