Covenant: Developing Custom C2 Communication Protocols
https://posts.specterops.io/covenant-developing-custom-c2-communication-protocols-895587e7f325
@WindowsHackingLibrary
Medium
As of Covenant v0.4, Covenant provides options that allow developers to integrate custom C2 communication protocols into an operation…
Protecting Your Malware with blockdlls and ACG
https://blog.xpnsec.com/protecting-your-malware
@WindowsHackingLibrary
XPN InfoSec Blog
@_xpn_ - Protecting Your Malware with blockdlls and ACG
In Cobalt Strike, blockdlls was introduced to allow protection of spawned processes from non-Microsoft-signed DLLs. In this post I will show just how this works, and look at an additional process security option which could help us to deter endpoint security…
RdpThief: Extracting Clear-text Credentials from Remote Desktop Clients
https://www.mdsec.co.uk/2019/11/rdpthief-extracting-clear-text-credentials-from-remote-desktop-clients
@WindowsHackingLibrary
MDSec
RdpThief: Extracting Clear-text Credentials from Remote Desktop Clients - MDSec
Introduction Remote Desktop is one of the most widely used tools for managing Windows Servers. Admins love using RDP and so do attackers. Often the credentials that are used to...
Ghost Potato (NTLM Reflection)
https://shenaniganslabs.io/2019/11/12/Ghost-Potato.html
@WindowsHackingLibrary
Shenanigans Labs
Ghost Potato
Halloween has come and gone, and yet NTLM reflection is back from the dead to haunt MSRC once again. This post describes a deceptively simple bug that has existed in Windows for 15 years.
NTLM reflection is still possible through a highly reliable timing…
[Paper] Injecting .NET Ransomware into Unmanaged Process
https://exploit-db.com/docs/47680
@WindowsHackingLibrary
w0rk3r's Windows Hacking Library
[Tool] DNCI - Dot Net Code Injector
DNCI allows the injection of .NET code (.exe or .dll) remotely into unmanaged processes on Windows.
https://github.com/guibacellar/DNCI
@WindowsHackingLibrary
GitHub
GitHub - guibacellar/DNCI: DNCI - Dot Net Code Injector
DNCI - Dot Net Code Injector. Contribute to guibacellar/DNCI development by creating an account on GitHub.
Forwarded from w0rk3r's Blue team Library (Jonhnathan Jonhnathan Jonhnathan)
Unrestricted Release of Offensive Security Tools
Uncontrolled proliferation of Offensive Security Tools is an unnecessary contribution to real threat actors' computer network operations.
https://medium.com/@QW5kcmV3/misconceptions-unrestricted-release-of-offensive-security-tools-789299c72afe
@BlueTeamLibrary
Medium
Misconceptions: Unrestricted Release of Offensive Security Tools
Evading WinDefender ATP credential-theft: a hit after a hit-and-miss start
https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass
@WindowsHackingLibrary
Matteomalvica
Cobalt Strike 4.0 – Bring Your Own Weaponization
https://blog.cobaltstrike.com/2019/12/05/cobalt-strike-4-0-bring-your-own-weaponization
@WindowsHackingLibrary
Cobalt Strike
SCshell: Fileless Lateral Movement Using Service Manager
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/scshell-fileless-lateral-movement-using-service-manager/
[Github]
https://github.com/SpiderLabs/SCShell
@WindowsHackingLibrary
Trustwave
During red team engagements, lateral movement in a network is crucial. In addition, because it is a critical part of exploit chains, security solutions put a lot of effort into detecting this movement. Techniques such as remote WMI and PsExec are fairly well detected. In…
Reversing Windows Internals (Part 1) – Digging Into Handles, Callbacks & ObjectTypes
https://rayanfam.com/topics/reversing-windows-internals-part1
@WindowsHackingLibrary
Rayanfam Blog
We write about Windows Internals, Hypervisors, Linux, and Networks.
Updating adconnectdump - a journey into DPAPI
https://dirkjanm.io/updating-adconnectdump-a-journey-into-dpapi
@WindowsHackingLibrary
dirkjanm.io
Last year when I started playing with Azure I looked into Azure AD connect and how it stores its high privilege credentials. When I was revisiting this topic a few weeks ago, it turned out that some things had changed and my previous method of dumping credentials…
From iPhone to NT AUTHORITY\SYSTEM
https://decoder.cloud/2019/12/12/from-iphone-to-nt-authoritysystem
@WindowsHackingLibrary
Decoder's Blog
As promised in my previous post, I will show you how to exploit the “Printconfig” dll with a real world example. But what does Apple’s iPhone have to do with it? Well, keep on r…
SysWhispers helps with AV/EDR evasion by generating header/ASM files that implants can use to make direct system calls; all core syscalls are supported from Windows XP to 10.
https://github.com/jthuraisamy/SysWhispers
@WindowsHackingLibrary
GitHub
GitHub - jthuraisamy/SysWhispers: AV/EDR evasion via direct system calls.
AV/EDR evasion via direct system calls. Contribute to jthuraisamy/SysWhispers development by creating an account on GitHub.
No Shells Required - a Walkthrough on Using Impacket and Kerberos to Delegate Your Way to DA
http://blog.redxorblue.com/2019/12/no-shells-required-using-impacket-to.html
@WindowsHackingLibrary
Redxorblue
There are a ton of great resources that have been released in the past few years on a multitude of Kerberos delegation abuse avenues. Howe...
Mimidrv In Depth: Exploring Mimikatz’s Kernel Driver
https://posts.specterops.io/mimidrv-in-depth-4d273d19e148
@WindowsHackingLibrary
Medium
Mimikatz provides the opportunity to leverage kernel mode functions through the included driver, Mimidrv. Mimidrv is a signed Windows…
SpecterOps' Adversary Tactics - PowerShell Training course material
https://github.com/specterops/at-ps
@WindowsHackingLibrary
GitHub
GitHub - SpecterOps/at-ps: Adversary Tactics - PowerShell Training
Adversary Tactics - PowerShell Training. Contribute to SpecterOps/at-ps development by creating an account on GitHub.
Attacking Azure, Azure AD, and Introducing PowerZure
https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a
@WindowsHackingLibrary
Medium
Interacting with Azure, offensively
(Ab)using Kerberos from Linux
https://www.onsecurity.co.uk/blog/abusing-kerberos-from-linux
@WindowsHackingLibrary
www.onsecurity.io
Abusing Kerberos From Linux - An Overview of Available Tools
Explore Kerberos abuse techniques on Linux with our comprehensive guide. Delve into the available tools and methods for effective Kerberos exploitation.