Powershell Logging: Obfuscation and some New(ish) Bypasses
Part1:
https://www.bc-security.org/post/powershell-logging-obfuscation-and-some-newish-bypasses-part-1
Part2:
https://www.bc-security.org/post/powershell-logging-obfuscation-and-some-newish-bypasses-part-2
@WindowsHackingLibrary
Part1:
https://www.bc-security.org/post/powershell-logging-obfuscation-and-some-newish-bypasses-part-1
Part2:
https://www.bc-security.org/post/powershell-logging-obfuscation-and-some-newish-bypasses-part-2
@WindowsHackingLibrary
Exploring the WDAC Microsoft Recommended Block Rules: VisualUiaVerifyNative
https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative
@WindowsHackingLibrary
https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative
@WindowsHackingLibrary
bohops
Exploring the WDAC Microsoft Recommended Block Rules: VisualUiaVerifyNative
Introduction If you have followed this blog over the last few years, many of the posts focus on techniques for bypassing application control solutions such as Windows Defender Application Control (…
Forwarded from w0rk3r's Blue team Library (Jonhnathan Jonhnathan Jonhnathan)
Introduction to Threat Intelligence ETW
A quick look into ETW capabilities against malicious API calls.
https://undev.ninja/introduction-to-threat-intelligence-etw
@BlueTeamLibrary
A quick look into ETW capabilities against malicious API calls.
https://undev.ninja/introduction-to-threat-intelligence-etw
@BlueTeamLibrary
undev.ninja
Introduction to Threat Intelligence ETW
A quick look into ETW capabilities against malicious API calls.
Active Directory (AD) Attacks & Enumeration at the Network Layer
https://www.lares.com/blog/active-directory-ad-attacks-enumeration-at-the-network-layer
@WindowsHackingLibrary
https://www.lares.com/blog/active-directory-ad-attacks-enumeration-at-the-network-layer
@WindowsHackingLibrary
Lares
Active Directory (AD) Attacks & Enumeration at the Network Layer
Intro Defending an Active Directory environment, particularly a large one, is a daunting task. Telemetry generated by Active Directory itself as well as the hosts connected to it are critical…
Process Herpaderping:
Process Herpaderping is a method of obscuring the intentions of a process by modifying the content on disk after the image has been mapped. This results in curious behavior by security products and the OS itself.
https://jxy-s.github.io/herpaderping
@WindowsHackingLibrary
Process Herpaderping is a method of obscuring the intentions of a process by modifying the content on disk after the image has been mapped. This results in curious behavior by security products and the OS itself.
https://jxy-s.github.io/herpaderping
@WindowsHackingLibrary
herpaderping
Process Herpaderping
Detection Evasion Exploit
Using and detecting C2 printer pivoting
https://labs.f-secure.com/blog/print-c2
@WindowsHackingLibrary
https://labs.f-secure.com/blog/print-c2
@WindowsHackingLibrary
Using Custom Covenant Listener Profiles & Grunt Templates to Elude AV
https://offensivedefence.co.uk/posts/covenant-profiles-templates
@WindowsHackingLibrary
https://offensivedefence.co.uk/posts/covenant-profiles-templates
@WindowsHackingLibrary
offensivedefence.co.uk
Using Custom Covenant Listener Profiles & Grunt Templates to Elude AV
Whenever we download an offensive tool from the Internet, it comes as no surprise when it gets snapped up by an anti-virus solution. AV vendors are certainly keeping a keen eye on tools posted publicly (insert conspiracy theory about Microsoft owning GitHub)…
WOW64!Hooks: WOW64 Subsystem Internals and Hooking Techniques
https://www.fireeye.com/blog/threat-research/2020/11/wow64-subsystem-internals-and-hooking-techniques.html
@WindowsHackingLibrary
https://www.fireeye.com/blog/threat-research/2020/11/wow64-subsystem-internals-and-hooking-techniques.html
@WindowsHackingLibrary
Google Cloud Blog
WOW64!Hooks: WOW64 Subsystem Internals and Hooking Techniques | Mandiant | Google Cloud Blog
Windows RpcEptMapper Service Insecure Registry Permissions EoP
https://itm4n.github.io/windows-registry-rpceptmapper-eop
@WindowsHackingLibrary
https://itm4n.github.io/windows-registry-rpceptmapper-eop
@WindowsHackingLibrary
itm4n’s blog
Windows RpcEptMapper Service Insecure Registry Permissions EoP
If you follow me on Twitter, you probably know that I developed my own Windows privilege escalation enumeration noscript - PrivescCheck - which is a sort of updated and extended version of the famous PowerUp. If you have ever run this noscript on Windows 7 or…
Gnome is a module to load your signed driver stealthily. The driver is extracted from the Gnome loader, dropped to disk and loaded using NtLoadDriver instead of the usual service creation driver loading which can be noisy and leaves large forensic artefacts behind such as service creation, service start/stop logs etc.
https://github.com/slaeryan/AQUARMOURY/tree/master/Gnome
@WindowsHackingLibrary
https://github.com/slaeryan/AQUARMOURY/tree/master/Gnome
@WindowsHackingLibrary
GitHub
AQUARMOURY/Gnome at master · slaeryan/AQUARMOURY
My musings in C and offensive tooling. Contribute to slaeryan/AQUARMOURY development by creating an account on GitHub.
Exploiting a “Simple” Vulnerability – In 35 Easy Steps or Less!
https://windows-internals.com/exploiting-a-simple-vulnerability-in-35-easy-steps-or-less
@WindowsHackingLibrary
https://windows-internals.com/exploiting-a-simple-vulnerability-in-35-easy-steps-or-less
@WindowsHackingLibrary
Forging malicious DOC, undetected by all VirusTotal static engines
https://arielkoren.com/blog/2020/12/24/forging-malicious-doc
@WindowsHackingLibrary
https://arielkoren.com/blog/2020/12/24/forging-malicious-doc
@WindowsHackingLibrary
A Modern Exploration of Windows Memory Corruption Exploits - Part I: Stack Overflows
https://www.forrest-orr.net/post/a-modern-exploration-of-windows-memory-corruption-exploits-part-i-stack-overflows
@WindowsHackingLibrary
https://www.forrest-orr.net/post/a-modern-exploration-of-windows-memory-corruption-exploits-part-i-stack-overflows
@WindowsHackingLibrary
ForrestOrr
A Modern Exploration of Windows Memory Corruption Exploits - Part I: Stack Overflows
IntroductionThe topic of memory corruption exploits can be a difficult one to initially break in to. When I first began to explore this topic on the Windows OS I was immediately struck by the surprising shortage of modern and publicly available information…
R.I.P ROP: CET Internals in Windows 20H1
http://windows-internals.com/cet-on-windows
@WindowsHackingLibrary
http://windows-internals.com/cet-on-windows
@WindowsHackingLibrary
Breaking The Browser – A tale of IPC, credentials and backdoors
https://www.mdsec.co.uk/2021/01/breaking-the-browser-a-tale-of-ipc-credentials-and-backdoors
@WindowsHackingLibrary
https://www.mdsec.co.uk/2021/01/breaking-the-browser-a-tale-of-ipc-credentials-and-backdoors
@WindowsHackingLibrary
Offensive Windows IPC Internals 1: Named Pipes
https://csandker.io/2021/01/10/Offensive-Windows-IPC-1-NamedPipes.html
@WindowsHackingLibrary
https://csandker.io/2021/01/10/Offensive-Windows-IPC-1-NamedPipes.html
@WindowsHackingLibrary
Using Spotify Playlists as Malware CDN | C2Tify
https://kaganisildak.com/2021/01/14/using-spotify-playlists-as-malware-cdn-c2tify
Github repo: https://github.com/kaganisildak/c2tify
@WindowsHackingLibrary
https://kaganisildak.com/2021/01/14/using-spotify-playlists-as-malware-cdn-c2tify
Github repo: https://github.com/kaganisildak/c2tify
@WindowsHackingLibrary
BitLocker Lockscreen bypass
https://secret.club/2021/01/15/bitlocker-bypass.html
@WindowsHackingLibrary
https://secret.club/2021/01/15/bitlocker-bypass.html
@WindowsHackingLibrary
secret club
BitLocker Lockscreen bypass
BitLocker is a modern data protection feature that is deeply integrated in the Windows kernel. It is used by many corporations as a means of protecting company secrets in case of theft. Microsoft recommends that you have a Trusted Platform Module which can…