w0rk3r's Windows Hacking Library
Abusing Exchange: One API call away from Domain Admin
https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin
@WindowsHackingLibrary
[PrivExchange] From user to domain admin in less than 60sec
http://blog.randorisec.fr/privexchange-from-user-to-domain-admin-in-less-than-60sec
@WindowsHackingLibrary
Exploiting Malwarebytes Anti-Exploit
https://acru3l.github.io/2019/02/02/exploiting-mb-anti-exploit
@WindowsHackingLibrary
Round of use Winrm code execution XML
https://medium.com/@mattharr0ey/round-of-use-winrm-code-execution-xml-6e3219d3e31
@WindowsHackingLibrary
Medium
Introduction This beginning alludes to give point simple concept related to using Winrm.vbs to do code executed by XML file so I could…
PoC: Using CloudFlare as an HTTP C2 with PowerShell Empire
https://holdmybeersecurity.com/2019/02/07/poc-using-cloudflare-as-an-http-c2-with-powershell-empire
@WindowsHackingLibrary
Entering a Covenant: .NET Command and Control
https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462
@WindowsHackingLibrary
Medium
I’ve slowly been open sourcing .NET tradecraft that I’ve been working on for some time, including the SharpSploit, SharpGen, and…
External C2, IE COM Objects and how to use them for Command and Control
https://www.mdsec.co.uk/2019/02/external-c2-ie-com-objects-and-how-to-use-them-for-command-and-control
@WindowsHackingLibrary
MDSec
Background Cobalt Strike 3.6 introduced a powerful new feature called External C2, providing an interface for custom Command and Control channels. Being a fan of custom C2 channels I started...
Bypasses Microsoft's Anti-Malware Scan Interface for a PowerShell session process started through the "Start-Job" cmdlet, the PID of which is accessed using "Enter-PSHostProcess"
https://github.com/securemode/Bypass-AMSI9000
@WindowsHackingLibrary
Getting PowerShell Empire Past Windows Defender
https://www.blackhillsinfosec.com/getting-powershell-empire-past-windows-defender
@WindowsHackingLibrary
Black Hills Information Security
Carrie Roberts //* (Updated 2/12/2020) ADVISORY: The techniques and tools referenced within this blog post may be outdated and do not apply to current situations. However, there is still potential […]
Azure AD Connect for Red Teamers
https://blog.xpnsec.com/azuread-connect-for-redteam
@WindowsHackingLibrary
XPN InfoSec Blog
With clients increasingly relying on cloud services from Azure, one of the technologies that has been my radar for a while is Azure AD. For those who have not had the opportunity to work with this, the concept is simple, by extending authentication beyond…
“Relaying” Kerberos - Having fun with unconstrained delegation
https://dirkjanm.io/krbrelayx-unconstrained-delegation-abuse-toolkit
@WindowsHackingLibrary
dirkjanm.io
There have been some interesting new developments recently to abuse Kerberos in Active Directory, and after my dive into Kerberos across trusts a few months ago, this post is about a relatively unknown (from attackers perspective), but dangerous feature:…
Krbrelayx - Unconstrained delegation abuse toolkit
https://github.com/dirkjanm/krbrelayx
@WindowsHackingLibrary
Abusing Unsafe Defaults in Active Directory Domain Services: A Real-World Case Study
https://gosecure.net/2019/02/20/abusing-unsafe-defaults-in-active-directory
@WindowsHackingLibrary
GoSecure
Combine a bug in Antidote, a popular enterprise spellchecker, and unsafe defaults in Active Directory, and you get more NTLM hashes than you can deal with.
Trust? Years to earn, seconds to break (T2A4D)
https://labs.mwrinfosecurity.com/blog/trust-years-to-earn-seconds-to-break
@WindowsHackingLibrary
powershellveryless
== Constrained Language Mode + AMSI bypass all in one ==
https://github.com/decoder-it/powershellveryless
@WindowsHackingLibrary
Data Source Analysis and Dynamic Windows RE using WPP and TraceLogging
https://posts.specterops.io/data-source-analysis-and-dynamic-windows-re-using-wpp-and-tracelogging-e465f8b653f7
@WindowsHackingLibrary
Posts By SpecterOps Team Members
Whether analyzing a Windows binary or assessing new data sources for detection engineering purposes, using lesser known tracing mechanisms…
Get-AzurePasswords: Exporting Azure RunAs Certificates for Persistence
https://blog.netspi.com/exporting-azure-runas-certificates
@WindowsHackingLibrary
NetSPI Blog
Logging in with RunAs certificates is a great way for maintaining access in an Azure environment during a penetration test. See how we export the PFX files.
A Case Study in Wagging the Dog: Computer Takeover
https://posts.specterops.io/a-case-study-in-wagging-the-dog-computer-takeover-2bcb7f94c783
@WindowsHackingLibrary
Medium
Last month, Elad Shamir released a phenomenal, in depth post on abusing resource-based constrained delegation (RBCD) in Active Directory…
Remote Code Execution — Gaining Domain Admin due to a typo
https://medium.com/@DanielC7/remote-code-execution-gaining-domain-admin-privileges-due-to-a-typo-dbf8773df767
@WindowsHackingLibrary
Medium
CVE-2018-9022