Trust? Years to earn, seconds to break (T2A4D)
https://labs.mwrinfosecurity.com/blog/trust-years-to-earn-seconds-to-break
@WindowsHackingLibrary
powershellveryless
== Constrained Language Mode + AMSI bypass all in one ==
https://github.com/decoder-it/powershellveryless
@WindowsHackingLibrary
Data Source Analysis and Dynamic Windows RE using WPP and TraceLogging
https://posts.specterops.io/data-source-analysis-and-dynamic-windows-re-using-wpp-and-tracelogging-e465f8b653f7
@WindowsHackingLibrary
Whether analyzing a Windows binary or assessing new data sources for detection engineering purposes, using lesser known tracing mechanisms…
Get-AzurePasswords: Exporting Azure RunAs Certificates for Persistence
https://blog.netspi.com/exporting-azure-runas-certificates
@WindowsHackingLibrary
Logging in with RunAs certificates is a great way for maintaining access in an Azure environment during a penetration test. See how we export the PFX files.
A Case Study in Wagging the Dog: Computer Takeover
https://posts.specterops.io/a-case-study-in-wagging-the-dog-computer-takeover-2bcb7f94c783
@WindowsHackingLibrary
Last month, Elad Shamir released a phenomenal, in depth post on abusing resource-based constrained delegation (RBCD) in Active Directory…
Remote Code Execution — Gaining Domain Admin due to a typo
https://medium.com/@DanielC7/remote-code-execution-gaining-domain-admin-privileges-due-to-a-typo-dbf8773df767
@WindowsHackingLibrary
CVE-2018-9022
SirepRAT - RCE as SYSTEM on Windows IoT Core
https://github.com/SafeBreach-Labs/SirepRAT
@WindowsHackingLibrary
Remote Command Execution as SYSTEM on Windows IoT Core (releases available for Python2.7 & Python3) - SafeBreach-Labs/SirepRAT
The worst of both worlds: Combining NTLM Relaying and Kerberos delegation
https://dirkjanm.io/worst-of-both-worlds-ntlm-relaying-and-kerberos-delegation
@WindowsHackingLibrary
After my in-depth post last month about unconstrained delegation, this post will discuss a different type of Kerberos delegation: resource-based constrained delegation. The content in this post is based on Elad Shamir’s Kerberos research and combined with…
MachineAccountQuota is USEFUL Sometimes: Exploiting One of Active Directory’s Oddest Settings
https://blog.netspi.com/machineaccountquota-is-useful-sometimes
@WindowsHackingLibrary
MachineAccountQuota (MAQ) is a domain level attribute that by default permits unprivileged users to attach up to 10 computers to an Active Directory (AD) domain.
Silencing Cylance: A Case Study in Modern EDRs
https://www.mdsec.co.uk/2019/03/silencing-cylance-a-case-study-in-modern-edrs
@WindowsHackingLibrary
As red teamers regularly operating against mature organisations, we frequently come in to contact with a variety of Endpoint Detection & Response solutions. To better our chances of success in...
Dynamic Shellcode Execution
https://countercept.com/blog/dynamic-shellcode-execution
@WindowsHackingLibrary
WEF Logging Bypass for Elastic's Winlogbeat
https://blog.neu5ron.com/2019/03/wef-logging-bypass-for-elastics.html
@WindowsHackingLibrary
Background: On 2019-02-26 3:27am EST, I alerted Elastic to a reliable bypass for Winlogbeat. Thankfully, it is now fixed as of 6.6.2. I ...
Fileless UAC Bypass in Windows Store Binary
https://www.activecyber.us/activelabs/windows-uac-bypass
@WindowsHackingLibrary
Development of a new Windows 10 KASLR Bypass (in One WinDBG Command)
https://www.offensive-security.com/vulndev/development-of-a-new-windows-10-kaslr-bypass-in-one-windbg-command
@WindowsHackingLibrary
Red Team Telemetry: Empire Edition
https://www.lares.com/red-team-telemetry-empire-edition
@WindowsHackingLibrary
Kerbrute
A tool to quickly bruteforce and enumerate valid Active Directory accounts through Kerberos Pre-Authentication
https://github.com/ropnop/kerbrute
@WindowsHackingLibrary
Faction C2 Framework
A modern, flexible C2 framework
https://github.com/factionc2
@WindowsHackingLibrary
A modern, flexible C2 framework (currently very beta) - Faction C2 Framework
Excel4-DCOM
PowerShell and Cobalt Strike scripts for lateral movement using Excel 4.0 / XLM macros via DCOM (direct shellcode injection in Excel.exe).
https://github.com/outflanknl/Excel4-DCOM
@WindowsHackingLibrary
CommandoVM - a fully customized, Windows-based security distribution for penetration testing and red teaming
https://github.com/fireeye/commando-vm
@WindowsHackingLibrary
Complete Mandiant Offensive VM (Commando VM), a fully customizable Windows-based pentesting virtual machine distribution - mandiant/commando-vm