I'm back in da booth...posting more frequently now on ;)
Invoking System Calls and Windows Debugger Engine
https://modexp.wordpress.com/2020/06/01/syscalls-disassembler/
@WindowsHackingLibrary
Quick post about Windows system calls that I forgot about working on after the release of Dumpert by Cn33liz last year, which is described in this post. Typically, EDR and AV set hooks…
Chimichurri Reloaded - Giving a Second Life to a 10-year old Windows Vulnerability
https://itm4n.github.io/chimichurri-reloaded
@WindowsHackingLibrary
This is a kind of follow-up to my last post, in which I discussed a technique that can be used for elevating privileges to SYSTEM when you have impersonation capabilities. In the last part, I explained how this type of vulnerability could be fixed and I even…
AppDomainManager Injection and Detection
https://pentestlaboratories.com/2020/05/26/appdomainmanager-injection-and-detection
@WindowsHackingLibrary
Microsoft .NET framework is being heavily utilized by threat actors and red teams for defense evasion and staying off the radar during operations. Every .NET binary contains application domains whe…
Detecting and Advancing In-Memory .NET Tradecraft
https://www.mdsec.co.uk/2020/06/detecting-and-advancing-in-memory-net-tradecraft
@WindowsHackingLibrary
In-memory tradecraft is becoming more and more important for remaining undetected during a red team operation, with it becoming common practice for blue teams to peek into running...
Understanding and Abusing Process Tokens — Part I
https://medium.com/@seemant.bisht24/understanding-and-abusing-process-tokens-part-i-ee51671f2cfa
Understanding and Abusing Access Tokens — Part II
https://medium.com/@seemant.bisht24/understanding-and-abusing-access-tokens-part-ii-b9069f432962
@WindowsHackingLibrary
NINA: x64 Process Injection (No Injection, No Allocation x64 Process Injection Technique)
https://undev.ninja/nina-x64-process-injection
@WindowsHackingLibrary
Abusing Windows Telemetry for Persistence
https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence
@WindowsHackingLibrary
When CompatTelRunner.exe runs (current version as of May 2020), it first checks that a few conditions pass before continuing its telemetry quest. After…
Group Policies Going Rogue
GPSVC exposes all domain-joined Windows machines to an escalation of privileges (EoP) vulnerability.
https://www.cyberark.com/resources/threat-research-blog/group-policies-going-rogue
@WindowsHackingLibrary
This blog, part of a year-long research project that uncovered 60 different vulnerabilities across major vendors, discusses a vulnerability in the Windows group policy object (GPO) mechanism....
"Heresy's Gate": Kernel Zw*/NTDLL Scraping +
"Work Out": Ring 0 to Ring 3 via Worker Factories
https://zerosum0x0.blogspot.com/2020/06/heresys-gate-kernel-zwntdll-scraping.html
@WindowsHackingLibrary
Engineering antivirus evasion
https://blog.scrt.ch/2020/06/19/engineering-antivirus-evasion
@WindowsHackingLibrary
Persistence: “the continued or prolonged existence of something” Series
Part 1 – Microsoft Office
https://www.mdsec.co.uk/2019/05/persistence-the-continued-or-prolonged-existence-of-something-part-1-microsoft-office
Part 2 – COM Hijacking
https://www.mdsec.co.uk/2019/05/persistence-the-continued-or-prolonged-existence-of-something-part-2-com-hijacking
Part 3 – WMI Event Subscription
https://www.mdsec.co.uk/2019/05/persistence-the-continued-or-prolonged-existence-of-something-part-3-wmi-event-subnoscription
@WindowsHackingLibrary
During a red team engagement, one of the first things you may want to do after obtaining initial access is establish reliable persistence on the endpoint. Being able to streamline...
A Guide to Reversing and Evading EDRs
Part 1: Introduction
http://jackson-t.ca/edr-reversing-evading-01.html
Part 2: Sensor Reconnaissance
http://jackson-t.ca/edr-reversing-evading-02.html
Part 3: Diverting EDR Telemetry to Private Infrastructure
http://jackson-t.ca/edr-reversing-evading-03.html
@WindowsHackingLibrary
SIGRed – Resolving Your Way into Domain Admin: Exploiting a 17 Year-old Bug in Windows DNS Servers
https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers
@WindowsHackingLibrary
Research by Sagi Tzadik. DNS, which is often described as the “phonebook of the internet”, is a network protocol for translating human-friendly computer hostnames into IP addresses. Because it is such a core component of the internet, there are…
Bypassing LSA Protection (aka Protected Process Light) without Mimikatz on Windows 10
https://www.redcursor.com.au/blog/bypassing-lsa-protection-aka-protected-process-light-without-mimikatz-on-windows-10
@WindowsHackingLibrary
Starting with Windows 8.1 (and Server 2012 R2) Microsoft introduced a feature termed LSA Protection. This feature is based on the ...
Extending the Exploration and Analysis of Windows RPC Methods Calling other Functions with Ghidra, Jupyter Notebooks and Graphframes
https://medium.com/threat-hunters-forge/extending-the-exploration-and-analysis-of-windows-rpc-methods-calling-other-functions-with-ghidra-e4cdaa9555bd
@WindowsHackingLibrary
A few weeks ago, I was going over some of the research topics in my to-do list, and the one that sounded interesting to work on during 4th…
Telemetry Sourcerer can enumerate and disable common sources of telemetry used by AV/EDR on Windows.
https://github.com/jthuraisamy/TelemetrySourcerer
@WindowsHackingLibrary