LethalHTA - A new lateral movement technique using DCOM and HTA
https://codewhitesec.blogspot.com/2018/07/lethalhta.html
@WindowsHackingLibrary
Blogspot
CODE WHITE | Blog: LethalHTA - A new lateral movement technique using DCOM and HTA
The following blog post introduces a new lateral movement technique that combines the power of DCOM and HTA. The research on this t...
What is it that Makes a Microsoft Executable a Microsoft Executable? An Attacker’s and a Defender’s Perspective
https://posts.specterops.io/what-is-it-that-makes-a-microsoft-executable-a-microsoft-executable-b43ac612195e
@WindowsHackingLibrary
@BlueTeamLibrary
Medium
What is it that Makes a Microsoft Executable a Microsoft Executable?
What exactly is it that separates arbitrary code from code that originates from Microsoft? I would wager that the reaction of most people…
PowerShell script to enumerate executables with auto-elevation enabled, handy for privilege escalation purposes.
https://gist.github.com/Evilcry/71e03a969689b8fd1297a1803aa4d7cf
@WindowsHackingLibrary
Gist
Enumerate executables with auto-elevation enabled
Enumerate executables with auto-elevation enabled. GitHub Gist: instantly share code, notes, and snippets.
Using a SCF File to gather Hashes
https://1337red.wordpress.com/using-a-scf-file-to-gather-hashes/
@WindowsHackingLibrary
1337red
Using a SCF file to Gather Hashes
Have you ever been on an internal network assessment and discovered an unauthenticated writable Windows-based file share? Well, in addition to finding potentially sensitive information, you can abus…
A Guide to Attacking Domain Trusts
http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/
@WindowsHackingLibrary
RE: Evading Autoruns PoCs on Windows 10
https://medium.com/@KyleHanslovan/re-evading-autoruns-pocs-on-windows-10-dd810d7e8a3f
@WindowsHackingLibrary
Medium
RE: Evading Autoruns PoCs on Windows 10
Last September, Chris Bisnett and I presented research at DerbyCon which highlighted a handful of techniques and bugs we discovered that…
Feature, not bug: DNSAdmin to DC compromise in one line
https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
@WindowsHackingLibrary
Medium
Feature, not bug: DNSAdmin to DC compromise in one line
Beyond LLMNR/NBNS Spoofing – Exploiting Active Directory-Integrated DNS
https://blog.netspi.com/exploiting-adidns
@WindowsHackingLibrary
NetSPI
Beyond LLMNR/NBNS Spoofing – Exploiting Active Directory-Integrated DNS
Exploiting weaknesses in name resolution protocols is a common technique for performing man-in-the-middle (MITM) attacks. This blog dives into two particularly vulnerable name resolution protocols: Link-Local Multicast Name Resolution (LLMNR) and NetBIOS…
GitHub
Powermad/README.md at master · Kevin-Robertson/Powermad
PowerShell MachineAccountQuota and DNS exploit tools - Powermad/README.md at master · Kevin-Robertson/Powermad
Domain Access With Write Access on the Domain NC Head
https://sdmsoftware.com/group-policy-blog/security-policy/elevating-ad-domain-access-with-write-access-on-the-domain-nc-head
@WindowsHackingLibrary
SDM Software
Elevating AD Domain Access With Write Access on the Domain NC Head - SDM Software
With this post and my last post, I guess I'm on a path of finding interesting ways to "break" AD. The last post related to AD denial of service and this Write access to the Domain object could allow domain admin access.
Extracting User Password Data with Mimikatz DCSync
https://blog.stealthbits.com/extracting-user-password-data-with-mimikatz-dcsync/
@WindowsHackingLibrary
Stealthbits Technologies
Extracting User Password Data with Mimikatz DCSync
Using the Mimikatz DCSync command to compromise credentials by replicating information with Directory Replication Service Remote Protocol MS-DRSR.
Passing-the-Hash to NTLM Authenticated Web Applications
https://labs.mwrinfosecurity.com/blog/pth-attacks-against-ntlm-authenticated-web-applications/
@WindowsHackingLibrary
Application Whitelisting Bypass and Arbitrary Unsigned Code Execution Technique in winrm.vbs
https://posts.specterops.io/application-whitelisting-bypass-and-arbitrary-unsigned-code-execution-technique-in-winrm-vbs-c8c24fb40404
@WindowsHackingLibrary
Medium
Application Whitelisting Bypass and Arbitrary Unsigned Code Execution Technique in winrm.vbs
Bypass Technique Description
Veil Payloads and Veil-Ordnance
https://www.fortynorthsecurity.com/veil-payloads-and-veil-ordnance/
@WindowsHackingLibrary
FortyNorth Security Blog
Explaining Veil Payloads and Invoking Veil-Ordnance
In order to effectively use cyber security tools we need to know, in detail, how they work. Only then we are able to leverage them to the best of their capabilities. In this post we will dive into Veil-Evasion and learn its payload naming scheme, different…
Clear all your logs in linux/windows servers
https://github.com/Rizer0/Log-killer
@WindowsHackingLibrary
GitHub
GitHub - Rizer0/Log-killer: Clear all your logs in [linux/windows] servers 🛡️
Clear all your logs in [linux/windows] servers 🛡️. Contribute to Rizer0/Log-killer development by creating an account on GitHub.
Catch me if u can: Bypassing Memory Scanners with Cobalt Strike and Gargoyle
https://labs.mwrinfosecurity.com/blog/experimenting-bypassing-memory-scanners-with-cobalt-strike-and-gargoyle
@WindowsHackingLibrary
PowerShell module to check if a Windows binary (EXE/DLL) has been compiled with ASLR, DEP, SafeSEH, StrongNaming, and Authenticode.
https://github.com/NetSPI/PESecurity
@WindowsHackingLibrary
GitHub
GitHub - NetSPI/PESecurity: PowerShell module to check if a Windows binary (EXE/DLL) has been compiled with ASLR, DEP, SafeSEH…
PowerShell module to check if a Windows binary (EXE/DLL) has been compiled with ASLR, DEP, SafeSEH, StrongNaming, and Authenticode. - NetSPI/PESecurity
Exploiting a Windows 10 PagedPool off-by-one overflow (WCTF 2018)
https://j00ru.vexillium.org/2018/07/exploiting-a-windows-10-pagedpool-off-by-one/
@WindowsHackingLibrary
Anonymously Enumerating Azure File Resources
https://blog.netspi.com/anonymously-enumerating-azure-file-resources
@WindowsHackingLibrary
NetSPI
Anonymously Enumerating Azure File Resources
Much like publicly exposed S3 buckets, Microsoft's Azure platform can suffer from similar data exposure issues via its Blob file storage service.
Weaponize a PDF by embedding a SettingContent-ms file inside it.
https://github.com/DidierStevens/DidierStevensSuite/blob/master/make-pdf-embedded.py
@WindowsHackingLibrary
Via: @InfosecN1nja
GitHub
DidierStevensSuite/make-pdf-embedded.py at master · DidierStevens/DidierStevensSuite
Please no pull requests for this repository. Thanks! - DidierStevens/DidierStevensSuite
Persistence using GlobalFlags in Image File Execution Options – Hidden from Autoruns.exe
https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe
@WindowsHackingLibrary
Oddvar Moe's Blog
Persistence using GlobalFlags in Image File Execution Options – Hidden from Autoruns.exe
TL;DR – Found a technique to execute any binary file after another application is closed without being detected by Autoruns.exe. – Requires administrator rights and does not belong in userland. – C…