Telemetry Sourcerer can enumerate and disable common sources of telemetry used by AV/EDR on Windows.
https://github.com/jthuraisamy/TelemetrySourcerer
@WindowsHackingLibrary
CVE-2020-1337 – PrintDemon is dead, long live PrintDemon!
https://voidsec.com/cve-2020-1337-printdemon-is-dead-long-live-printdemon
@WindowsHackingLibrary
Death from Above: Lateral Movement from Azure to On-Prem AD
https://posts.specterops.io/death-from-above-lateral-movement-from-azure-to-on-prem-ad-d18cb3959d4d
@WindowsHackingLibrary
FireWalker: A New Approach to Generically Bypass User-Space EDR Hooking
https://www.mdsec.co.uk/2020/08/firewalker-a-new-approach-to-generically-bypass-user-space-edr-hooking
@WindowsHackingLibrary
Pwning Windows Event Logging with YARA rules
https://blog.dylan.codes/pwning-windows-event-logging
@WindowsHackingLibrary
Zerologon: Unauthenticated domain controller compromise by subverting Netlogon cryptography (CVE-2020-1472)
https://www.secura.com/pathtoimg.php?id=2055
@WindowsHackingLibrary
Test tool: https://github.com/SecuraBV/CVE-2020-1472
PoC: https://github.com/dirkjanm/CVE-2020-1472
@WindowsHackingLibrary
Forwarded from w0rk3r's Blue team Library (Jonhnathan Jonhnathan Jonhnathan)
Mitre's Center Releases FIN6 Adversary Emulation Plan
Blogpost: https://medium.com/mitre-engenuity/center-releases-fin6-adversary-emulation-plan-775d8c5ebe9b
Github: https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/master/fin6
@BlueTeamLibrary
Weaponizing Group Policy Objects (GPO) Access
https://www.trustedsec.com/blog/weaponizing-group-policy-objects-access
@WindowsHackingLibrary
Abusing Group Policy Caching
https://decoder.cloud/2020/09/23/abusing-group-policy-caching
@WindowsHackingLibrary
A different way of abusing Zerologon (CVE-2020-1472)
Using the Printer Bug with Zerologon to relay to DRSUAPI and DCSync (no password reset needed)
https://dirkjanm.io/a-different-way-of-abusing-zerologon
@WindowsHackingLibrary
Sysmon Internals - From File Delete Event to Kernel Code Execution
https://undev.ninja/sysmon-internals-from-file-delete-event-to-kernel-code-execution
@WindowsHackingLibrary
Evading Static Machine Learning Malware Detection Models – Part 1: The Black-Box Approach
https://blog.compass-security.com/2020/10/evading-static-machine-learning-malware-detection-models-the-black-box-approach
@WindowsHackingLibrary
Powershell Logging: Obfuscation and some New(ish) Bypasses
Part 1: https://www.bc-security.org/post/powershell-logging-obfuscation-and-some-newish-bypasses-part-1
Part 2: https://www.bc-security.org/post/powershell-logging-obfuscation-and-some-newish-bypasses-part-2
@WindowsHackingLibrary
Exploring the WDAC Microsoft Recommended Block Rules: VisualUiaVerifyNative
https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative
@WindowsHackingLibrary
Forwarded from w0rk3r's Blue team Library (Jonhnathan Jonhnathan Jonhnathan)
Introduction to Threat Intelligence ETW
A quick look into ETW capabilities against malicious API calls.
https://undev.ninja/introduction-to-threat-intelligence-etw
@BlueTeamLibrary
Active Directory (AD) Attacks & Enumeration at the Network Layer
https://www.lares.com/blog/active-directory-ad-attacks-enumeration-at-the-network-layer
@WindowsHackingLibrary
Process Herpaderping:
Process Herpaderping is a method of obscuring the intentions of a process by modifying the content on disk after the image has been mapped. This results in curious behavior by security products and the OS itself.
https://jxy-s.github.io/herpaderping
@WindowsHackingLibrary