Understanding and Evading Get-InjectedThread
https://blog.xpnsec.com/undersanding-and-evading-get-injectedthread/
@WindowsHackingLibrary
XPN InfoSec Blog
@_xpn_ - Understanding and Evading Get-InjectedThread
One of the many areas of this field that I really enjoy is the "cat and mouse" game played between RedTeam and BlueTeam, each forcing the other to up their game. Often we see some awesome tools being released to help defenders detect malware or shellcode…
PowerLessShell relies on MSBuild.exe to remotely execute PowerShell scripts and commands without spawning powershell.exe. You can also execute raw shellcode using the same approach.
https://github.com/Mr-Un1k0d3r/PowerLessShell
GitHub
GitHub - Mr-Un1k0d3r/PowerLessShell: Run PowerShell command without invoking powershell.exe
Dumping Clear-Text Credentials
https://pentestlab.blog/2018/04/04/dumping-clear-text-credentials/
Penetration Testing Lab
Dumping Clear-Text Credentials
Passwords in clear-text that are stored in a Windows host can allow penetration testers to perform lateral movement inside an internal network and eventually fully compromise it. Therefore in a sys…
Office365 ActiveSync Username Enumeration
https://www.sec-1.com/blog/2017/office365-activesync-username-enumeration
Sec-1 Labs
Office365 ActiveSync Username Enumeration - Sec-1 Labs
Summary There is a simple username enumeration issue in Office365’s ActiveSync, Microsoft do not consider this a vulnerability so Sec-1 do not expect this issue to be fixed. Sec-1 Penetration Tester Oliver Morton has written a script to exploit this which…
This script will attempt to list and get TGTs for those users that have the property
'Do not require Kerberos preauthentication' set (UF_DONT_REQUIRE_PREAUTH).
For those users with such configuration, a John The Ripper output will be generated so
you can send it for cracking.
https://github.com/CoreSecurity/impacket/commit/bada8a719f8ed7be4633514eea94bc768dbaf019
GitHub
Adding GetNPUsers.py script · SecureAuthCorp/impacket@bada8a7
NTLMv1 Multitool
This tool modifies NTLMv1/NTLMv1-ESS/MSCHAPv2 hashes so they can be cracked with DES Mode 14000 in hashcat
https://github.com/evilmog/ntlmv1-multi/
GitHub
GitHub - evilmog/ntlmv1-multi: NTLMv1 Multitool
Invoke-Phant0m
This script walks the thread stacks of the Event Log Service process (a specific svchost.exe) and identifies the Event Log threads in order to kill them. The system will then no longer collect logs, while the Event Log Service still appears to be running.
https://artofpwn.com/phant0m-killing-windows-event-log.html
https://github.com/hlldz/Invoke-Phant0m
Dumping Active Directory Domain Info – with PowerUpSQL!
https://blog.netspi.com/dumping-active-directory-domain-info-with-powerupsql/
NetSPI Blog
Dumping Active Directory Domain Info - with PowerUpSQL!
This blog walks through some new Active Directory recon functions in PowerUpSQL. The PowerUpSQL functions use the OLE DB ADSI provider to query Active Directory for domain users, computers, and other configuration information through SQL Server queries.
15 Ways to Bypass the PowerShell Execution Policy
https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/
NetSPI
15 Ways to Bypass the PowerShell Execution Policy
NetSPI security expert Scott Sutherland covers 15 ways to bypass the PowerShell execution policy without having local administrator rights on the system.
Elevate, UAC bypass, persistence, privilege escalation, dll hijack techniques
https://github.com/rootm0s/WinPwnage
GitHub
GitHub - rootm0s/WinPwnage: UAC bypass, Elevate, Persistence methods
Abusing DCOM For Yet Another Lateral Movement Technique
https://bohops.com/2018/04/28/abusing-dcom-for-yet-another-lateral-movement-technique
bohops
Abusing DCOM For Yet Another Lateral Movement Technique
TL;DR This post discusses an alternate DCOM lateral movement discovery and payload execution method. The primary gist is to locate DCOM registry key/values that point to the path of a binary on th…
Invoke-WMILM
This is a PoC script for various methods to achieve authenticated remote code execution via WMI, without (at least directly) using the Win32_Process class. The type of technique is determined by the "Type" parameter.
https://github.com/Cybereason/Invoke-WMILM/blob/master/README.md
GitHub
Cybereason/Invoke-WMILM
[Kernel Exploitation] 7: Arbitrary Overwrite (Win7 x86)
https://www.abatchy.com/2018/01/kernel-exploitation-7
Abatchy
[Kernel Exploitation] 7: Arbitrary Overwrite (Win7 x86)
This post discusses what an arbitrary overwrite (or write-what-where) vulnerability is and how it can be exploited.
Active Directory as a C2 (Command & Control)
https://akijosberryblog.wordpress.com/2018/03/17/active-directory-as-a-c2-command-control
Akijosberry
Active Directory as a C2 (Command & Control)
Active Directory as a C2? Really? I was amazed when I read a blog post on AD as a C2 on @Harmj0y's blog. Curiosity grew in me and I wanted to explore it in my lab setup. Why AD as a C2? Activ…
Bypassing Device Guard with .NET Assembly Compilation Methods
http://www.exploit-monday.com/2017/07/bypassing-device-guard-with-dotnet-methods.html
Exploit-Monday
Bypassing Device Guard with .NET Assembly Compilation Methods
Tl;dr This post will describe a Device Guard user mode code integrity (UMCI) bypass (or any other application whitelisting solution ...
DiskShadow: The Return of VSS Evasion, Persistence, and Active Directory Database Extraction
https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/
bohops
DiskShadow: The Return of VSS Evasion, Persistence, and Active Directory Database Extraction
[Source: blog.microsoft.com] Introduction Not long ago, I blogged about Vshadow: Abusing the Volume Shadow Service for Evasion, Persistence, and Active Directory Database Extraction. This tool was…
Jumping Network Segregation with RDP
https://rastamouse.me/2017/08/jumping-network-segregation-with-rdp/
PowerShell Shellcode Injection on Win 10 (v1803)
https://blog.cobaltstrike.com/2018/05/24/powershell-shellcode-injection-on-win-10-v1803/
Empire Web v2 Launched, a Web Interface to PowerShell Empire.
https://github.com/interference-security/empire-web
GitHub
GitHub - interference-security/empire-web: PowerShell Empire Web Interface