Active Directory forest trusts part 1 - How does SID filtering work?
https://dirkjanm.io/active-directory-forest-trusts-part-one-how-does-sid-filtering-work
@WindowsHackingLibrary
https://dirkjanm.io/active-directory-forest-trusts-part-one-how-does-sid-filtering-work
@WindowsHackingLibrary
dirkjanm.io
Active Directory forest trusts part 1 - How does SID filtering work?
This is the first post in a series on cross-forest Active Directory trusts. It will explain what exactly Forest trusts are and how they are protected with SID filtering. If you’re new to Active Directory trusts, I recommend you start by reading harmj0y’s…
Offensive Windows IPC Internals 1: Named Pipes
https://csandker.io/2021/01/10/Offensive-Windows-IPC-1-NamedPipes.html
@WindowsHackingLibrary
https://csandker.io/2021/01/10/Offensive-Windows-IPC-1-NamedPipes.html
@WindowsHackingLibrary
Endpoint Detection and Response: How Hackers Have Evolved
https://www.optiv.com/explore-optiv-insights/source-zero/endpoint-detection-and-response-how-hackers-have-evolved
@WindowsHackingLibrary
https://www.optiv.com/explore-optiv-insights/source-zero/endpoint-detection-and-response-how-hackers-have-evolved
@WindowsHackingLibrary
w0rk3r's Windows Hacking Library
Endpoint Detection and Response: How Hackers Have Evolved https://www.optiv.com/explore-optiv-insights/source-zero/endpoint-detection-and-response-how-hackers-have-evolved @WindowsHackingLibrary
EDR and Blending In: How Attackers Avoid Getting Caught
Part 2 of the series
https://www.optiv.com/explore-optiv-insights/source-zero/edr-and-blending-how-attackers-avoid-getting-caught
@WindowsHackingLibrary
Part 2 of the series
https://www.optiv.com/explore-optiv-insights/source-zero/edr-and-blending-how-attackers-avoid-getting-caught
@WindowsHackingLibrary
Farming for Red Teams: Harvesting NetNTLM
https://www.mdsec.co.uk/2021/02/farming-for-red-teams-harvesting-netntlm
@WindowsHackingLibrary
https://www.mdsec.co.uk/2021/02/farming-for-red-teams-harvesting-netntlm
@WindowsHackingLibrary
MDSec
Farming for Red Teams: Harvesting NetNTLM - MDSec
Overview In the ActiveBreach red team, we’re always looking for innovative approaches for lateral movement and privilege escalation. For many of the environments we operate in, focusing on the classic...
Trust Direction: An Enabler for Active Directory Enumeration and Trust Exploitation
https://bohops.com/2017/12/02/trust-direction-an-enabler-for-active-directory-enumeration-and-trust-exploitation
@WindowsHackingLibrary
https://bohops.com/2017/12/02/trust-direction-an-enabler-for-active-directory-enumeration-and-trust-exploitation
@WindowsHackingLibrary
bohops
Trust Direction: An Enabler for Active Directory Enumeration and Trust Exploitation
Introduction Active Directory (AD) Trusts have been a hot topic as of late. @harmj0y posted a recent entry about domain trusts [A Guide to Attacking Domain Trusts]. It provides a great understand…
Anatomy of an Exploit: RCE with CVE-2020-1350 SIGRed
https://www.graplsecurity.com/post/anatomy-of-an-exploit-rce-with-cve-2020-1350-sigred
@WindowsHackingLibrary
https://www.graplsecurity.com/post/anatomy-of-an-exploit-rce-with-cve-2020-1350-sigred
@WindowsHackingLibrary
Forwarded from Security Talks (Jonhnathan Jonhnathan Jonhnathan)
YouTube
[English] You Do (Not) Understand Kerberos
Understanding how Kerberos works, but also WHY it works the way it does
From the creator of AdFind, AdMod!
https://blog.joeware.net/2021/03/17/6030
Tool Link: http://www.joeware.net/freetools/tools/admod
@WindowsHackingLibrary
https://blog.joeware.net/2021/03/17/6030
Tool Link: http://www.joeware.net/freetools/tools/admod
@WindowsHackingLibrary
The Power of SeImpersonation
https://micahvandeusen.com/the-power-of-seimpersonation
@WindowsHackingLibrary
https://micahvandeusen.com/the-power-of-seimpersonation
@WindowsHackingLibrary
Micah Van Deusen’s Blog
The Power of SeImpersonation
SeImpersonate is a powerful privilege that allows the ability to impersonate any token it can acquire a handle on. This is an already well researched privilege as there are a whole slew of privilege escalations that utilize this privilege and amazing articles…
Do You Really Know About LSA Protection (RunAsPPL)?
https://itm4n.github.io/lsass-runasppl
@WindowsHackingLibrary
https://itm4n.github.io/lsass-runasppl
@WindowsHackingLibrary
itm4n’s blog
Do You Really Know About LSA Protection (RunAsPPL)?
When it comes to protecting against credentials theft on Windows, enabling LSA Protection (a.k.a. RunAsPPL) on LSASS may be considered as the very first recommendation to implement. But do you really know what a PPL is? In this post, I want to cover some…
w0rk3r's Windows Hacking Library
Do You Really Know About LSA Protection (RunAsPPL)? https://itm4n.github.io/lsass-runasppl @WindowsHackingLibrary
Bypassing LSA Protection in Userland
https://blog.scrt.ch/2021/04/22/bypassing-lsa-protection-in-userland
Tool: https://github.com/itm4n/PPLdump
@WindowsHackingLibrary
https://blog.scrt.ch/2021/04/22/bypassing-lsa-protection-in-userland
Tool: https://github.com/itm4n/PPLdump
@WindowsHackingLibrary
GitHub
GitHub - itm4n/PPLdump: Dump the memory of a PPL with a userland exploit
Dump the memory of a PPL with a userland exploit. Contribute to itm4n/PPLdump development by creating an account on GitHub.
Abusing Replication: Stealing AD FS Secrets Over the Network
https://www.fireeye.com/blog/threat-research/2021/04/abusing-replication-stealing-adfs-secrets-over-the-network.html
@WindowsHackingLibrary
https://www.fireeye.com/blog/threat-research/2021/04/abusing-replication-stealing-adfs-secrets-over-the-network.html
@WindowsHackingLibrary
Google Cloud Blog
Abusing AD FS Replication | Stealing Secrets Over the Network | Google Cloud Blog
Abusing AD FS Replication. We demonstrate how a threat actor can extract the encrypted Token Signing Certificate from anywhere on an internal network.
Bypassing EDR real-time injection detection logic
https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection
Tool: https://github.com/xinbailu/DripLoader
@WindowsHackingLibrary
https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection
Tool: https://github.com/xinbailu/DripLoader
@WindowsHackingLibrary
Data Only Attack: Neutralizing EtwTi Provider
https://public.cnotools.studio/bring-your-own-vulnerable-kernel-driver-byovkd/exploits/data-only-attack-neutralizing-etwti-provider
@WindowsHackingLibrary
https://public.cnotools.studio/bring-your-own-vulnerable-kernel-driver-byovkd/exploits/data-only-attack-neutralizing-etwti-provider
@WindowsHackingLibrary
Forwarded from w0rk3r's Blue team Library (Jonhnathan Jonhnathan Jonhnathan)
Malware researchers - Beware of GetProcAddress spoofing via manipulation of PE format in memory
https://dennisbabkin.com/blog/?t=malware-researchers-beware-of-getprocaddress-spoofing
@BlueTeamLibrary
https://dennisbabkin.com/blog/?t=malware-researchers-beware-of-getprocaddress-spoofing
@BlueTeamLibrary
www.dennisbabkin.com
Deep Dive Into Windows PE Format - GetProcAddress Spoofing
Deep Dive Into Windows PE Format - GetProcAddress Spoofing - Malware researchers - Beware of GetProcAddress spoofing via manipulation of PE format in memory.
How to Exploit Active Directory ACL Attack Paths Through LDAP Relaying Attacks
https://www.praetorian.com/blog/how-to-exploit-active-directory-acl-attack-paths-through-ldap-relaying-attacks
@WindowsHackingLibrary
https://www.praetorian.com/blog/how-to-exploit-active-directory-acl-attack-paths-through-ldap-relaying-attacks
@WindowsHackingLibrary
Praetorian
How to Exploit Active Directory ACL Attack Paths Through LDAP Relaying Attacks
Overview This article describes methods by which an attacker can induce a victim user into authenticating using the NT Lan Manager (NTLM) Authentication Protocol to an attacker-controlled “Intranet” site, even in instances where that site points to an external…
Dumping Stored Credentials with SeTrustedCredmanAccessPrivilege
https://www.tiraniddo.dev/2021/05/dumping-stored-credentials-with.html
@WindowsHackingLibrary
https://www.tiraniddo.dev/2021/05/dumping-stored-credentials-with.html
@WindowsHackingLibrary
www.tiraniddo.dev
Dumping Stored Credentials with SeTrustedCredmanAccessPrivilege
I've been going through the various token privileges on Windows trying to find where they're used. One which looked interesting is SeTruste...
Primer to DInvokes Injection API and a tale of token duplication and command-line spoofing on the cheap
https://redteamer.tips/primer-to-dinvokes-injection-api-and-a-tale-of-token-duplication-and-command-line-spoofing-on-the-cheap
@WindowsHackingLibrary
https://redteamer.tips/primer-to-dinvokes-injection-api-and-a-tale-of-token-duplication-and-command-line-spoofing-on-the-cheap
@WindowsHackingLibrary
Leveraging from PE parsing technique to write x86 shellcode
https://mohamed-fakroud.gitbook.io/t3nb3w/shellcoding/leveraging-from-pe-parsing-technique-to-write-x86-shellcode
@WindowsHackingLibrary
https://mohamed-fakroud.gitbook.io/t3nb3w/shellcoding/leveraging-from-pe-parsing-technique-to-write-x86-shellcode
@WindowsHackingLibrary
mohamed-fakroud.gitbook.io
Leveraging from PE parsing technique to write x86 shellcode | Red Teaming's Dojo