Technical Rundown of WebExec
https://blog.skullsecurity.org/2018/technical-rundown-of-webexec
@WindowsHackingLibrary
Forwarded from Security Talks (Jonhnathan Jonhnathan Jonhnathan)
Goodbye Obfuscation, Hello Invisi-Shell: Hiding Your Powershell Script in Plain Sight
By Omer Yair at Derbycon
https://youtu.be/Y3oMEiySxcc
@SecTalks
YouTube
Track 3 15 Goodbye Obfuscation Hello Invisi Shell Hiding Your Powershell Script in Plain Sight Omer
These are the videos from Derbycon 2018:
http://www.irongeek.com/i.php?page=videos/derbycon8/mainlist
Patreon:
https://www.patreon.com/irongeek
Invisi-Shell: Hide your Powershell script in plain sight. Bypass all Powershell security features
https://github.com/OmerYa/Invisi-Shell
@WindowsHackingLibrary
GitHub
GitHub - OmerYa/Invisi-Shell: Hide your Powershell script in plain sight. Bypass all Powershell security features
Forwarded from w0rk3r's Blue team Library (Jonhnathan Jonhnathan Jonhnathan)
Another Word on Delegation
https://posts.specterops.io/another-word-on-delegation-10bdbe3cd94a
@BlueTeamLibrary
Medium
Another Word on Delegation
Every time I think I start to understand Active Directory and Kerberos, a new topic pops up to mess with my head. A few weeks ago, @elad_shamir contacted @tifkin_ and myself with some ideas about…
Forwarded from Security Talks (Jonhnathan Jonhnathan Jonhnathan)
If we win, we lose
Tim MalcomVetter at BlueHat v18
https://www.youtube.com/watch?v=ifCeaYShRSU
@SecTalks
YouTube
BlueHat v18 || "If we win, we lose"
Tim MalcomVetter, Walmart
We have this saying on my red team that we borrowed from the NSA Red Team: “if we win, we lose.” It reveals the dichotomy of excelling at both offense and defense. We want our Red Teams to try to win, right? Or was it Blue? The…
Forwarded from w0rk3r's Blue team Library (Jonhnathan Jonhnathan Jonhnathan)
Slides: "If we win, we lose" - Using healthy competition to measure and improve security programs || BlueHat v18
https://www.slideshare.net/MSbluehat/if-we-win-we-lose-using-healthy-competition-to-measure-and-improve-security-programs
@BlueTeamLibrary
www.slideshare.net
BlueHat v18 || "If we win, we lose" (using healthy competition to mea…
Tim MalcomVetter, Walmart We have this saying on my red team that we borrowed from the NSA Red Team: “if we win, we lose.” It reveals the dichotomy of excellin…
10 Red Teaming Lessons Learned Over 20 Years
https://www.oodaloop.com/ooda-original/2015/10/22/10-red-teaming-lessons-learned-over-20-years
@WindowsHackingLibrary
OODA Loop
10 Red Teaming Lessons Learned Over 20 Years
I've been a red teamer for twenty years now, perhaps even longer, but I didn't know what to call it until 1995 when I started working with the Department of Defense. I've also been fortunate
SMB Named Pipe Pivoting in Meterpreter
https://medium.com/@petergombos/smb-named-pipe-pivoting-in-meterpreter-462580fd41c5
@WindowsHackingLibrary
Medium
SMB Named Pipe Pivoting in Meterpreter
A hidden feature of Metasploit, is the ability to add SMB Named Pipe listeners in a meterpreter session to pivot on an internal network…
On-the-Run with Empire
https://posts.specterops.io/on-the-run-with-empire-67ddde01270c
@WindowsHackingLibrary
Posts By SpecterOps Team Members
On-the-Run with Empire.
During my study time for mobile application testing, I came to the realization that there are a lot of bad coding practices taking place…
Reversing ALPC: Where are your windows bugs and sandbox escapes?
https://sandboxescaper.blogspot.com/2018/10/reversing-alpc-where-are-your-windows.html
@WindowsHackingLibrary
Abusing PowerShell Desired State Configuration for Lateral Movement
https://posts.specterops.io/abusing-powershell-desired-state-configuration-for-lateral-movement-ca42ddbe6f06
@WindowsHackingLibrary
Medium
Abusing PowerShell Desired State Configuration for Lateral Movement
Lateral Movement Technique Description
How to bypass AMSI and execute ANY malicious Powershell code
https://0x00-0x00.github.io/research/2018/10/28/How-to-bypass-AMSI-and-Execute-ANY-malicious-powershell-code.html
@WindowsHackingLibrary
zc00l blog
How to bypass AMSI and execute ANY malicious Powershell code
Hello again. In my previous posts I detailed how to manually get SYSTEM shell from Local Administrators users. That’s interesting but very late game during a penetration assessment as it is presumed that you already owned the target machine.
A C# penetration testing tool to discover low-hanging web fruit via web requests
https://github.com/rvrsh3ll/SharpFruit
@WindowsHackingLibrary
GitHub
GitHub - rvrsh3ll/SharpFruit: A C# penetration testing tool to discover low-hanging web fruit via web requests.
RunDLL32 your .NET (AKA DLL exports from .NET)
https://blog.xpnsec.com/rundll32-your-dotnet
@WindowsHackingLibrary
XPN InfoSec Blog
@_xpn_ - RunDLL32 your .NET (AKA DLL exports from .NET)
In this post I wanted to look at a technique which is by no means new to .NET developers, but may prove useful to redteamers crafting their tools... exporting .NET static methods within a DLL... AKA using RunDLL32 to launch your .NET assembly.
Playing with Relayed Credentials
https://www.secureauth.com/blog/playing-relayed-credentials
@WindowsHackingLibrary
Operational Challenges in Offensive C#
https://posts.specterops.io/operational-challenges-in-offensive-c-355bd232a200
@WindowsHackingLibrary
Medium
Operational Challenges in Offensive C#
As offensive toolsets continue to move towards using C# as the language of choice for post-exploitation, I thought it’d be useful to think…
Recovering Plaintext Domain Credentials from WPA2 Enterprise on a Compromised Host
https://0x00-0x00.github.io/research/2018/11/06/Recovering-Plaintext-Domain-Credentials-From-WPA2-Enterprise-on-a-compromised-host.html
@WindowsHackingLibrary
zc00l blog
Recovering Plaintext Domain Credentials from WPA2 Enterprise on a Compromised Host
Introduction