Abusing Group Policy Caching
https://decoder.cloud/2020/09/23/abusing-group-policy-caching
@WindowsHackingLibrary
Decoder's Blog
In this post I will show you how I discovered a severe vulnerability in the so-called “Group Policy Caching” which was fixed (among other GP vulnerabilities) in CVE-2020-1317 A standard…
A different way of abusing Zerologon (CVE-2020-1472)
Using the Printer Bug with Zerologon to relay to DRSUAPI and DCSYNC (no password reset needed)
https://dirkjanm.io/a-different-way-of-abusing-zerologon
@WindowsHackingLibrary
dirkjanm.io
In August 2020, Microsoft patched CVE-2020-1472 aka Zerologon. This is in my opinion one of the most critical Active Directory vulnerabilities of the past few years, since it allows for instant escalation to Domain Admin without credentials. The most straightforward…
Sysmon Internals - From File Delete Event to Kernel Code Execution
https://undev.ninja/sysmon-internals-from-file-delete-event-to-kernel-code-execution
@WindowsHackingLibrary
undev.ninja
Sysmon File Delete Event Internals and Kernel Code Execution
Evading Static Machine Learning Malware Detection Models – Part 1: The Black-Box Approach
https://blog.compass-security.com/2020/10/evading-static-machine-learning-malware-detection-models-the-black-box-approach
@WindowsHackingLibrary
Powershell Logging: Obfuscation and some New(ish) Bypasses
Part 1:
https://www.bc-security.org/post/powershell-logging-obfuscation-and-some-newish-bypasses-part-1
Part 2:
https://www.bc-security.org/post/powershell-logging-obfuscation-and-some-newish-bypasses-part-2
@WindowsHackingLibrary
Exploring the WDAC Microsoft Recommended Block Rules: VisualUiaVerifyNative
https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative
@WindowsHackingLibrary
bohops
Introduction: If you have followed this blog over the last few years, many of the posts focus on techniques for bypassing application control solutions such as Windows Defender Application Control (…
Forwarded from w0rk3r's Blue team Library (Jonhnathan Jonhnathan Jonhnathan)
Introduction to Threat Intelligence ETW
A quick look into ETW capabilities against malicious API calls.
https://undev.ninja/introduction-to-threat-intelligence-etw
@BlueTeamLibrary
undev.ninja
Active Directory (AD) Attacks & Enumeration at the Network Layer
https://www.lares.com/blog/active-directory-ad-attacks-enumeration-at-the-network-layer
@WindowsHackingLibrary
Lares
Intro: Defending an Active Directory environment, particularly a large one, is a daunting task. Telemetry generated by Active Directory itself as well as the hosts connected to it are critical…
Process Herpaderping:
Process Herpaderping is a method of obscuring the intentions of a process by modifying the content on disk after the image has been mapped. This results in curious behavior by security products and the OS itself.
https://jxy-s.github.io/herpaderping
@WindowsHackingLibrary
herpaderping
Process Herpaderping
Detection Evasion Exploit
Using and detecting C2 printer pivoting
https://labs.f-secure.com/blog/print-c2
@WindowsHackingLibrary
Using Custom Covenant Listener Profiles & Grunt Templates to Elude AV
https://offensivedefence.co.uk/posts/covenant-profiles-templates
@WindowsHackingLibrary
offensivedefence.co.uk
Whenever we download an offensive tool from the Internet, it comes as no surprise when it gets snapped up by an anti-virus solution. AV vendors are certainly keeping a keen eye on tools posted publicly (insert conspiracy theory about Microsoft owning GitHub)…
WOW64!Hooks: WOW64 Subsystem Internals and Hooking Techniques
https://www.fireeye.com/blog/threat-research/2020/11/wow64-subsystem-internals-and-hooking-techniques.html
@WindowsHackingLibrary
Google Cloud Blog
WOW64!Hooks: WOW64 Subsystem Internals and Hooking Techniques | Mandiant | Google Cloud Blog
Windows RpcEptMapper Service Insecure Registry Permissions EoP
https://itm4n.github.io/windows-registry-rpceptmapper-eop
@WindowsHackingLibrary
itm4n’s blog
If you follow me on Twitter, you probably know that I developed my own Windows privilege escalation enumeration script - PrivescCheck - which is a sort of updated and extended version of the famous PowerUp. If you have ever run this script on Windows 7 or…
Gnome is a module to load your signed driver stealthily. The driver is extracted from the Gnome loader, dropped to disk and loaded using NtLoadDriver instead of the usual service creation driver loading which can be noisy and leaves large forensic artefacts behind such as service creation, service start/stop logs etc.
https://github.com/slaeryan/AQUARMOURY/tree/master/Gnome
@WindowsHackingLibrary
GitHub
AQUARMOURY/Gnome at master · slaeryan/AQUARMOURY
My musings in C and offensive tooling. Contribute to slaeryan/AQUARMOURY development by creating an account on GitHub.
Exploiting a “Simple” Vulnerability – In 35 Easy Steps or Less!
https://windows-internals.com/exploiting-a-simple-vulnerability-in-35-easy-steps-or-less
@WindowsHackingLibrary
Forging malicious DOC, undetected by all VirusTotal static engines
https://arielkoren.com/blog/2020/12/24/forging-malicious-doc
@WindowsHackingLibrary
A Modern Exploration of Windows Memory Corruption Exploits - Part I: Stack Overflows
https://www.forrest-orr.net/post/a-modern-exploration-of-windows-memory-corruption-exploits-part-i-stack-overflows
@WindowsHackingLibrary
ForrestOrr
Introduction: The topic of memory corruption exploits can be a difficult one to initially break in to. When I first began to explore this topic on the Windows OS I was immediately struck by the surprising shortage of modern and publicly available information…