Technical White Paper: Finding and Exploiting the Check Point ZoneAlarm Anti-Virus for Local Privilege Escalation
https://www.illumant.com/blog/2019/01/16/check-point-anti-virus-technical-white-paper
@WindowsHackingLibrary
illumant llc
Introduction Illumant has discovered a critical vulnerability in Check Point’s ZoneAlarm anti-virus software. This vulnerability allows a low-privileged user to escalate privileges to SYSTEM-level with the anti-virus software enabled. The vulnerability is…
Local Admin Access and Group Policy Don’t Mix
https://www.trustedsec.com/2019/01/local-admin-access-and-group-policy-dont-mix
@WindowsHackingLibrary
TrustedSec
Wagging the Dog: Abusing Resource-Based Constrained Delegation to Attack Active Directory
https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html
@WindowsHackingLibrary
Shenanigans Labs
Back in March 2018, I embarked on an arguably pointless crusade to prove that the TrustedToAuthForDelegation attribute was meaningless, and that “protocol transition” can be achieved without it. I believed that security wise, once constrained delegation was…
Too much % makes Event Viewer drunk
http://www.hexacorn.com/blog/2019/01/27/too-much-makes-event-viewer-drunk
@WindowsHackingLibrary
How to Argue like Cobalt Strike
https://blog.xpnsec.com/how-to-argue-like-cobalt-strike
@WindowsHackingLibrary
XPN InfoSec Blog
@_xpn_ - How to Argue like Cobalt Strike
In Cobalt Strike 3.13, the argue command was introduced as a way of taking advantage of argument spoofing. I was first made aware of the concept while watching Will Burgess's awesome talk RedTeaming in the EDR Age, with Will crediting Casey Smith who presented…
w0rk3r's Windows Hacking Library
Abusing Exchange: One API call away from Domain Admin
https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin
@WindowsHackingLibrary
[PrivExchange] From user to domain admin in less than 60sec
http://blog.randorisec.fr/privexchange-from-user-to-domain-admin-in-less-than-60sec
@WindowsHackingLibrary
Exploiting Malwarebytes Anti-Exploit
https://acru3l.github.io/2019/02/02/exploiting-mb-anti-exploit
@WindowsHackingLibrary
Round of use Winrm code execution XML
https://medium.com/@mattharr0ey/round-of-use-winrm-code-execution-xml-6e3219d3e31
@WindowsHackingLibrary
Medium
Introduction: This beginning aims to give a simple concept related to using Winrm.vbs to execute code via an XML file, so I could…
PoC: Using CloudFlare as an HTTP C2 with PowerShell Empire
https://holdmybeersecurity.com/2019/02/07/poc-using-cloudflare-as-an-http-c2-with-powershell-empire
@WindowsHackingLibrary
Entering a Covenant: .NET Command and Control
https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462
@WindowsHackingLibrary
Medium
I’ve slowly been open sourcing .NET tradecraft that I’ve been working on for some time, including the SharpSploit, SharpGen, and…
External C2, IE COM Objects and how to use them for Command and Control
https://www.mdsec.co.uk/2019/02/external-c2-ie-com-objects-and-how-to-use-them-for-command-and-control
@WindowsHackingLibrary
MDSec
Background Cobalt Strike 3.6 introduced a powerful new feature called External C2, providing an interface for custom Command and Control channels. Being a fan of custom C2 channels I started...
Bypasses Microsoft's Anti-Malware Scan Interface for a PowerShell session process started through the "Start-Job" cmdlet, the PID of which is accessed using "Enter-PSHostProcess"
https://github.com/securemode/Bypass-AMSI9000
@WindowsHackingLibrary
Getting PowerShell Empire Past Windows Defender
https://www.blackhillsinfosec.com/getting-powershell-empire-past-windows-defender
@WindowsHackingLibrary
Black Hills Information Security
Carrie Roberts //* (Updated 2/12/2020) ADVISORY: The techniques and tools referenced within this blog post may be outdated and do not apply to current situations. However, there is still potential […]
Azure AD Connect for Red Teamers
https://blog.xpnsec.com/azuread-connect-for-redteam
@WindowsHackingLibrary
XPN InfoSec Blog
@_xpn_ - Azure AD Connect for Red Teamers
With clients increasingly relying on cloud services from Azure, one of the technologies that has been on my radar for a while is Azure AD. For those who have not had the opportunity to work with this, the concept is simple: by extending authentication beyond…
“Relaying” Kerberos - Having fun with unconstrained delegation
https://dirkjanm.io/krbrelayx-unconstrained-delegation-abuse-toolkit
@WindowsHackingLibrary
dirkjanm.io
There have been some interesting new developments recently to abuse Kerberos in Active Directory, and after my dive into Kerberos across trusts a few months ago, this post is about a relatively unknown (from an attacker's perspective), but dangerous feature:…
Krbrelayx - Unconstrained delegation abuse toolkit
https://github.com/dirkjanm/krbrelayx
@WindowsHackingLibrary
GitHub
GitHub - dirkjanm/krbrelayx: Kerberos relaying and unconstrained delegation abuse toolkit
Abusing Unsafe Defaults in Active Directory Domain Services: A Real-World Case Study
https://gosecure.net/2019/02/20/abusing-unsafe-defaults-in-active-directory
@WindowsHackingLibrary
GoSecure
Combine a bug in Antidote, a popular enterprise spellchecker, and unsafe defaults in Active Directory, and you get more NTLM hashes than you can deal with.