Windows Exploitation Tricks: Exploiting Arbitrary Object Directory Creation for Local Elevation of Privilege
https://googleprojectzero.blogspot.com/2018/08/windows-exploitation-tricks-exploiting.html
@WindowsHackingLibrary
Posted by James Forshaw, Project Zero. And we’re back again for another blog in my series on Windows Exploitation tricks. This time I’ll...
Bypass in Microsoft AD FS Multi-Factor Authentication protocol (CVE-2018-8340):
Multi-Factor Mixup: Who Were You Again?
https://www.okta.com/security-blog/2018/08/multi-factor-authentication-microsoft-adfs-vulnerability
@WindowsHackingLibrary
Summary:
A weakness in the Microsoft ADFS protocol for integration with MFA products allows a second factor for one account to be used for second-factor authentication to all other accounts in an organization.
After being notified about the vulnerability…
Reconerator: C# Targeted Attack Reconnaissance Tools
https://github.com/stufus/reconerator
@WindowsHackingLibrary
DCShadow - Minimal permissions, Active Directory Deception, Shadowception and more
http://www.labofapenetrationtester.com/2018/04/dcshadow.html
@WindowsHackingLibrary
Home of Nikhil SamratAshok Mittal. Posts about Red Teaming, Offensive PowerShell, Active Directory and Pen Testing.
Arbitrary, Unsigned Code Execution Vector in Microsoft.Workflow.Compiler.exe
https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb
@WindowsHackingLibrary
Forwarded from Security Talks (Jonhnathan Jonhnathan Jonhnathan)
YouTube
SANS Webcast: PowerShell for PenTesting
Learn ethical hacking: www.sans.org/sec504
Presented by: Mick Douglas
Attendees of this talk will learn why attackers have latched on to PowerShell. Mick will discuss how bad guys use this built in OS component to dodge many defensive techniques.
Mick…
w0rk3r's Windows Hacking Library
Microsoft.Workflow.Compiler.exe Mimikatz Runner.
https://gist.github.com/caseysmithrc/b1190e023cd29c1910c01a164675a22e
@WindowsHackingLibrary
List-RDP-Connections-History
Use powershell to list the RDP Connections History of logged-in users or all users
https://github.com/3gstudent/List-RDP-Connections-History
@WindowsHackingLibrary
Forwarded from Zer0 to her0 (Jonhnathan Jonhnathan Jonhnathan)
A Universal Windows Bootkit
An analysis of the MBR bootkit referred to as “HDRoot"
http://williamshowalter.com/a-universal-windows-bootkit
@FromZer0toHero
William Showalter
.NET Deserialization To NTLM Hashes
https://www.digitalinterruption.com/single-post/2018/04/22/NET-Deserialization-to-NTLM-hashes
@WindowsHackingLibrary
Broadcast Name Resolution Poisoning / WPAD Attack Vector
https://p16.praetorian.com/blog/broadcast-name-resolution-poisoning-wpad-attack-vector
@WindowsHackingLibrary
Python tool to inject fake updates into unencrypted WSUS traffic
https://github.com/pdjstone/wsuspect-proxy
@WindowsHackingLibrary
Remotely Modify Anti-Virus Configurations
https://www.fortynorthsecurity.com/remotely-modify-anti-virus-configurations
@WindowsHackingLibrary
Last week, we covered how to enumerate anti-virus configurations on remote systems. The information that you could gather would allow you to create a much more targeted attack against any system you are targeting. The natural next questions might be: What…
Making The Perfect Injector: Abusing Windows Address Sanitization And CoW
https://blog.can.ac/2018/05/02/making-the-perfect-injector-abusing-windows-address-sanitization-and-cow
@WindowsHackingLibrary
Leaking Environment Variables in Windows Explorer via .URL or desktop.ini files
https://insert-script.blogspot.com/2018/08/leaking-environment-variables-in_20.html
@WindowsHackingLibrary
I recently discovered an interesting behavior in how explorer.exe handles defined icon resources (the IconFile property) for certain file types ...
Extracting SSH Private Keys from Windows 10 ssh-agent
https://blog.ropnop.com/extracting-ssh-private-keys-from-windows-10-ssh-agent
@WindowsHackingLibrary
The newest Windows 10 update includes OpenSSH utilities, including ssh-agent. Here’s how to extract unencrypted saved private keys from the registry
Top Five Ways I Got Domain Admin on Your Internal Network before Lunch (2018 Edition)
https://medium.com/@adam.toscher/top-five-ways-i-got-domain-admin-on-your-internal-network-before-lunch-2018-edition-82259ab73aaa
@WindowsHackingLibrary
Yes, it’s still as easy to get Domain Admin “before lunch” as it was when I first started.
CVE-2018-0952: Privilege Escalation Vulnerability in Windows Standard Collector Service
https://www.atredis.com/blog/cve-2018-0952-privilege-escalation-vulnerability-in-windows-standard-collector-service
@WindowsHackingLibrary
In this write-up, Ryan Hanson describes his process for identifying and exploiting CVE-2018-0952, an arbitrary file creation vulnerability in the Windows Diagnostics Hub Standard Collector service, allowing for elevation of privileges.
Operational Guidance for Offensive User DPAPI Abuse
https://posts.specterops.io/operational-guidance-for-offensive-user-dpapi-abuse-1fb7fac8b107
@WindowsHackingLibrary
I’ve spoken about DPAPI (the Data Protection Application Programming Interface) a bit before, including how KeePass uses DPAPI for its “Windows User Account” key option. I recently dove into some of…