"Heresy's Gate": Kernel Zw*/NTDLL Scraping +
"Work Out": Ring 0 to Ring 3 via Worker Factories
https://zerosum0x0.blogspot.com/2020/06/heresys-gate-kernel-zwntdll-scraping.html
@WindowsHackingLibrary
Engineering antivirus evasion
https://blog.scrt.ch/2020/06/19/engineering-antivirus-evasion
@WindowsHackingLibrary
Persistence: “the continued or prolonged existence of something” Series
Part 1 – Microsoft Office
https://www.mdsec.co.uk/2019/05/persistence-the-continued-or-prolonged-existence-of-something-part-1-microsoft-office
Part 2 – COM Hijacking
https://www.mdsec.co.uk/2019/05/persistence-the-continued-or-prolonged-existence-of-something-part-2-com-hijacking
Part 3 – WMI Event Subscription
https://www.mdsec.co.uk/2019/05/persistence-the-continued-or-prolonged-existence-of-something-part-3-wmi-event-subscription
@WindowsHackingLibrary
A Guide to Reversing and Evading EDRs
Part 1: Introduction
http://jackson-t.ca/edr-reversing-evading-01.html
Part 2: Sensor Reconnaissance
http://jackson-t.ca/edr-reversing-evading-02.html
Part 3: Diverting EDR Telemetry to Private Infrastructure
http://jackson-t.ca/edr-reversing-evading-03.html
@WindowsHackingLibrary
SIGRed – Resolving Your Way into Domain Admin: Exploiting a 17 Year-old Bug in Windows DNS Servers
https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers
@WindowsHackingLibrary
Bypassing LSA Protection (aka Protected Process Light) without Mimikatz on Windows 10
https://www.redcursor.com.au/blog/bypassing-lsa-protection-aka-protected-process-light-without-mimikatz-on-windows-10
@WindowsHackingLibrary
Extending the Exploration and Analysis of Windows RPC Methods Calling other Functions with Ghidra, Jupyter Notebooks and Graphframes
https://medium.com/threat-hunters-forge/extending-the-exploration-and-analysis-of-windows-rpc-methods-calling-other-functions-with-ghidra-e4cdaa9555bd
@WindowsHackingLibrary
Telemetry Sourcerer can enumerate and disable common sources of telemetry used by AV/EDR on Windows.
https://github.com/jthuraisamy/TelemetrySourcerer
@WindowsHackingLibrary
CVE-2020-1337 – PrintDemon is dead, long live PrintDemon!
https://voidsec.com/cve-2020-1337-printdemon-is-dead-long-live-printdemon
@WindowsHackingLibrary
Death from Above: Lateral Movement from Azure to On-Prem AD
https://posts.specterops.io/death-from-above-lateral-movement-from-azure-to-on-prem-ad-d18cb3959d4d
@WindowsHackingLibrary
FireWalker: A New Approach to Generically Bypass User-Space EDR Hooking
https://www.mdsec.co.uk/2020/08/firewalker-a-new-approach-to-generically-bypass-user-space-edr-hooking
@WindowsHackingLibrary
Pwning Windows Event Logging with YARA rules
https://blog.dylan.codes/pwning-windows-event-logging
@WindowsHackingLibrary
Zerologon: Unauthenticated domain controller compromise by subverting Netlogon cryptography (CVE-2020-1472)
https://www.secura.com/pathtoimg.php?id=2055
@WindowsHackingLibrary
Test tool: https://github.com/SecuraBV/CVE-2020-1472
PoC: https://github.com/dirkjanm/CVE-2020-1472
@WindowsHackingLibrary
Forwarded from w0rk3r's Blue team Library (Jonhnathan Jonhnathan Jonhnathan)
Mitre's Center Releases FIN6 Adversary Emulation Plan
Blogpost: https://medium.com/mitre-engenuity/center-releases-fin6-adversary-emulation-plan-775d8c5ebe9b
Github: https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/master/fin6
@BlueTeamLibrary
Weaponizing Group Policy Objects (GPO) Access
https://www.trustedsec.com/blog/weaponizing-group-policy-objects-access
@WindowsHackingLibrary