Rethinking Credential Theft
https://labs.f-secure.com/blog/rethinking-credential-theft
@WindowsHackingLibrary
CVE-2020-0618: RCE in SQL Server Reporting Services (SSRS)
https://www.mdsec.co.uk/2020/02/cve-2020-0618-rce-in-sql-server-reporting-services-ssrs
@WindowsHackingLibrary
MDSec
CVE-2020-0618: RCE in SQL Server Reporting Services (SSRS) - MDSec
SQL Server Reporting Services (SSRS) provides a set of on-premises tools and services that create, deploy, and manage mobile and paginated reports. Functionality within the SSRS web application allowed low privileged...
Bypass Windows 10 User Group Policy (and more) with this One Weird Trick
https://medium.com/tenable-techblog/bypass-windows-10-user-group-policy-and-more-with-this-one-weird-trick-552d4bc5cc1b
@WindowsHackingLibrary
Medium
I'm going to share an (ab)use of a Windows feature which can result in bypassing User Group Policy (as well as a few other interesting…
[PT-BR]
CVE-2020-0668 Windows LPE - Analysis and Exploitation
https://youtu.be/KiqvlIc-cxY
@WindowsHackingLibrary
YouTube
CVE-2020-0668 - Windows LPE - Analysis and Exploitation
CVE-2020-0668, disclosed on 11/02/2020, is a vulnerability that abuses Windows Service Tracing, enabling Local Privilege Escalation (LPE). In this video you can understand how the flaw works and how to exploit it.
I put all the commands…
Kerberosity Killed the Domain: An Offensive Kerberos Overview
https://posts.specterops.io/kerberosity-killed-the-domain-an-offensive-kerberos-overview-eb04b1402c61
@WindowsHackingLibrary
Medium
Kerberos is the preferred way of authentication in a Windows domain, with NTLM being the alternative. Kerberos authentication is a very…
LDAPFragger: Command and Control over LDAP attributes
https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes
@WindowsHackingLibrary
Fox-IT International blog
Written by Rindert Kramer Introduction A while back during a penetration test of an internal network, we encountered physically segmented networks. These networks contained workstations joined to t…
Windows Server 2008R2-2019 NetMan DLL Hijacking
https://itm4n.github.io/windows-server-netman-dll-hijacking
@WindowsHackingLibrary
itm4n’s blog
What if I told you that all editions of Windows Server, from 2008R2 to 2019, are prone to a DLL Hijacking in the %PATH% directories? What if I also told you that the impacted service runs as NT AUTHORITY\SYSTEM and that the DLL loading can be triggered by…
Process Injection Part 1 | CreateRemoteThread()
https://sevrosecurity.com/2020/04/08/process-injection-part-1-createremotethread
Process Injection Part 2 | QueueUserAPC()
https://sevrosecurity.com/2020/04/13/process-injection-part-2-queueuserapc
@WindowsHackingLibrary
I'm back in da booth...posting more frequently now on ;)
Invoking System Calls and Windows Debugger Engine
https://modexp.wordpress.com/2020/06/01/syscalls-disassembler/
@WindowsHackingLibrary
modexp
Introduction Quick post about Windows System calls that I forgot about working on after the release of Dumpert by Cn33liz last year, which is described in this post. Typically, EDR and AV set hooks…
Chimichurri Reloaded - Giving a Second Life to a 10-year old Windows Vulnerability
https://itm4n.github.io/chimichurri-reloaded
@WindowsHackingLibrary
itm4n’s blog
This is a kind of follow-up to my last post, in which I discussed a technique that can be used for elevating privileges to SYSTEM when you have impersonation capabilities. In the last part, I explained how this type of vulnerability could be fixed and I even…
AppDomainManager Injection and Detection
https://pentestlaboratories.com/2020/05/26/appdomainmanager-injection-and-detection
@WindowsHackingLibrary
Pentest Laboratories
Microsoft .NET framework is being heavily utilized by threat actors and red teams for defense evasion and staying off the radar during operations. Every .NET binary contains application domains whe…
Detecting and Advancing In-Memory .NET Tradecraft
https://www.mdsec.co.uk/2020/06/detecting-and-advancing-in-memory-net-tradecraft
@WindowsHackingLibrary
MDSec
Detecting and Advancing In-Memory .NET Tradecraft - MDSec
Introduction In-memory tradecraft is becoming more and more important for remaining undetected during a red team operation, with it becoming common practice for blue teams to peek into running...
Understanding and Abusing Process Tokens — Part I
https://medium.com/@seemant.bisht24/understanding-and-abusing-process-tokens-part-i-ee51671f2cfa
Understanding and Abusing Access Tokens — Part II
https://medium.com/@seemant.bisht24/understanding-and-abusing-access-tokens-part-ii-b9069f432962
@WindowsHackingLibrary
NINA: x64 Process Injection (No Injection, No Allocation x64 Process Injection Technique)
https://undev.ninja/nina-x64-process-injection
@WindowsHackingLibrary
undev.ninja
NINA: x64 Process Injection
NINA: No Injection, No Allocation x64 Process Injection Technique.
Abusing Windows Telemetry for Persistence
https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence
@WindowsHackingLibrary
TrustedSec
Abusing Windows Telemetry for Persistence by Christopher Paschen: Learn how to exploit Windows telemetry for persistence, requiring local admin rights,…
Group Policies Going Rogue
GPSVC exposes all domain-joined Windows machines to an escalation of privileges (EoP) vulnerability.
https://www.cyberark.com/resources/threat-research-blog/group-policies-going-rogue
@WindowsHackingLibrary
CyberArk
This blog, part of a year-long research project that uncovered 60 different vulnerabilities across major vendors, discusses a vulnerability in the Windows group policy object (GPO) mechanism...