Bypass Defender AV static detection:
If you name a malicious file *.log, Defender doesn't scan it.
UPD:
DumpStack (with any file number) can bypass MDE easily with no detection, both in mimikatz and EICAR mode.
The malicious file can be shown in the console but not identified as malicious.
#defender #evasion #tricks
Domain Admin in only 5 minutes via Name Impersonation (CVE-2021-42278)
Before the patch, there was a weird behavior on the KDC. When requesting a service ticket, if the KDC wasn't able to find the user behind the TGT, it would make another lookup, but this time…
An ‘Attack Path’ Mapping Approach to CVEs 2021-42287 and 2021-42278
This post provides Splunk SPL queries for detecting the attacks described in Charlie's blog, using only Windows Security Log events from a domain controller. Furthermore, this post only examines a subset of the Windows Event logging data source.
https://www.trustedsec.com/blog/an-attack-path-mapping-approach-to-cves-2021-42287-and-2021-42278
#ad #pac #s4u2self #research #escalation
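As an added example (not the TrustedSec post's SPL and not part of the original channel post), the same attack path expressed as Python over Security log events: 4741 (computer account created), 4781 (account renamed) and 4768 (TGT requested). The events and the domain controller inventory are constructed, and the field names follow the Security log XML. It also carries the pattern one step further than the post's description by pairing the rename with the rename-back that completes the chain.

```python
"""Hunt Windows Security log events for the sAMAccountName spoofing chain
behind CVE-2021-42278 / CVE-2021-42287 (noPac).

Added example, not the TrustedSec post's SPL. Events are constructed
dictionaries keyed by the Security log XML field names (EventID 4741
computer account created, 4781 account renamed, 4768 TGT requested).
"""
from datetime import datetime, timedelta

# Constructed inventory of domain controller machine accounts (assumption).
DOMAIN_CONTROLLERS = {"DC01$", "DC02$"}

# Constructed sample events, not real log data.
SAMPLE_EVENTS = [
    {"EventID": 4741, "Time": "2022-01-10T09:00:01", "TargetUserName": "WKS-ATTACK$",
     "SubjectUserName": "lowpriv"},
    {"EventID": 4781, "Time": "2022-01-10T09:00:02", "OldTargetUserName": "WKS-ATTACK$",
     "NewTargetUserName": "DC01", "SubjectUserName": "lowpriv"},
    {"EventID": 4768, "Time": "2022-01-10T09:00:03", "TargetUserName": "DC01",
     "IpAddress": "10.0.0.55"},
    {"EventID": 4781, "Time": "2022-01-10T09:00:04", "OldTargetUserName": "DC01",
     "NewTargetUserName": "WKS-ATTACK$", "SubjectUserName": "lowpriv"},
    # Benign helpdesk rename of a user account.
    {"EventID": 4781, "Time": "2022-01-10T10:15:00", "OldTargetUserName": "jsmith",
     "NewTargetUserName": "jdoe", "SubjectUserName": "helpdesk"},
]


def _when(ev):
    return datetime.fromisoformat(ev["Time"])


def dc_name_renames(events, dcs):
    """4781 where the new sAMAccountName equals a DC's name with the '$' stripped."""
    dc_upper = {d.upper() for d in dcs}
    return [ev for ev in events
            if ev["EventID"] == 4781
            and not ev["NewTargetUserName"].endswith("$")
            and ev["NewTargetUserName"].upper() + "$" in dc_upper]


def dollar_stripped_renames(events):
    """4781 where a machine account loses its trailing '$' (CVE-2021-42278 core)."""
    return [ev for ev in events
            if ev["EventID"] == 4781
            and ev["OldTargetUserName"].endswith("$")
            and not ev["NewTargetUserName"].endswith("$")]


def rename_then_revert(events, window=timedelta(minutes=10)):
    """Pairs of 4781 events that rename an account and rename it straight back.

    The attacker renames the account away again after requesting the TGT so
    that the KDC's fallback lookup resolves the DC account (CVE-2021-42287).
    """
    renames = sorted((ev for ev in events if ev["EventID"] == 4781), key=_when)
    pairs = []
    for i, first in enumerate(renames):
        for second in renames[i + 1:]:
            if _when(second) - _when(first) > window:
                break
            if (second["OldTargetUserName"] == first["NewTargetUserName"]
                    and second["NewTargetUserName"] == first["OldTargetUserName"]):
                pairs.append((first, second))
    return pairs


def tgt_for_dc_lookalike(events, dcs):
    """4768 TGT requests for a name that is a DC name without its '$'."""
    dc_upper = {d.upper() for d in dcs}
    return [ev for ev in events
            if ev["EventID"] == 4768
            and not ev["TargetUserName"].endswith("$")
            and ev["TargetUserName"].upper() + "$" in dc_upper]


def hunt(events, dcs):
    """Run every check and return the hits keyed by check name."""
    return {
        "dc_name_rename": dc_name_renames(events, dcs),
        "dollar_stripped": dollar_stripped_renames(events),
        "rename_revert": rename_then_revert(events),
        "tgt_lookalike": tgt_for_dc_lookalike(events, dcs),
    }


if __name__ == "__main__":
    for check, hits in hunt(SAMPLE_EVENTS, DOMAIN_CONTROLLERS).items():
        print(f"{check}: {len(hits)} hit(s)")
        for hit in hits:
            print("   ", hit)
```

The rename checks only fire if 4781 is actually logged, which requires "Audit User Account Management" and "Audit Computer Account Management" to be enabled on the domain controllers; the DC inventory should come from the Domain Controllers OU rather than a hard-coded set.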
Domain Persistence – AdminSDHolder
https://pentestlab.blog/2022/01/04/domain-persistence-adminsdholder/
#ad #adminsdholder #redteam
Process Injection via KernelCallBackTable
Process injection via the KernelCallbackTable involves replacing the original callback function with a custom payload so that whenever the function is invoked, the payload is triggered. In this case the fnCOPYDATA callback function has been used.
C# Code Snippet:
https://gist.github.com/sbasu7241/5dd8c278762c6305b4b2009d44d60c13
#edr #evasion #dll #injection #kernelcallbacktable
RemoteNET
This library lets you examine, create and interact with remote objects in other .NET processes.
It's like System.Runtime.Remoting except the other app doesn't need to be compiled (or consent) to support it.
Basically this library lets you mess with objects of any other .NET app without asking for permissions
https://github.com/theXappy/RemoteNET
#csharp #injection #pentest
Optimizing Windows Function Resolving: A Case Study Into GetProcAddress
https://phasetw0.com/windows-internals/optimizing_function_resolving/
#edr #evasion #winapi #getprocaddress
EDR Parallel-asis through Analysis
New method for enumerating syscall numbers using the parallel loader
Research:
https://www.mdsec.co.uk/2022/01/edr-parallel-asis-through-analysis/
C++ Code Snippet:
https://github.com/mdsecactivebreach/ParallelSyscalls
C# Code Snippet:
https://github.com/cube0x0/ParallelSyscalls
#edr #evasion #parallel #csharp
Domain Domination With Windows Shortcuts
This article is about malicious shortcut files and how they can be leveraged to capture NTLM hashes quietly and dominate a network or domain.
https://medium.com/cybersecpadawan/domain-domination-with-windows-shortcuts-6aab1d72b793
#shortcuts #lnk #abuse #windows
Deep Technical Analysis of an Office RCE Exploit
https://billdemirkapi.me/unpacking-cve-2021-40444-microsoft-office-rce/
#office #rce #cve_2021_40444
Malicious PDF Generator
Generate ten different malicious pdf files with phone-home functionality. Can be used with Burp Collaborator.
https://github.com/pussycat0x/malicious-pdf
#pdf #payload #burp #collaborator
Important Windows processes for Threat Hunting
https://www.socinvestigation.com/important-windows-processes-for-threat-hunting/
#edr #detection #forensic #process
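As an added example (not code from the linked article and not part of the original channel post), the "know normal, find evil" idea turned into a check: each core Windows process is compared against its expected parent, image directory and instance count. The baseline table is an assumption for a default Windows 10 / Server 2019 build, and the process snapshot is constructed; on a live host the same structure can be filled from tasklist, Get-CimInstance Win32_Process or a Sysmon Event 1 export.

```python
"""Baseline checks for core Windows processes: expected parent, image
directory and instance count.

Added example, not code from the linked article. The process snapshot is
constructed; the baseline table is the commonly published "know normal,
find evil" expectation (assumption: default Windows 10 / Server 2019).
"""
import ntpath

# name -> (expected parent name, expected image directory, max instances or None)
# Parents that normally exit (smss.exe for its children, userinit.exe for
# explorer.exe) are still listed; the parent check is skipped when it is gone.
EXPECTED = {
    "smss.exe":          ("system",       r"c:\windows\system32", 1),
    "csrss.exe":         ("smss.exe",     r"c:\windows\system32", None),
    "wininit.exe":       ("smss.exe",     r"c:\windows\system32", 1),
    "winlogon.exe":      ("smss.exe",     r"c:\windows\system32", None),
    "services.exe":      ("wininit.exe",  r"c:\windows\system32", 1),
    "lsass.exe":         ("wininit.exe",  r"c:\windows\system32", 1),
    "svchost.exe":       ("services.exe", r"c:\windows\system32", None),
    "taskhostw.exe":     ("svchost.exe",  r"c:\windows\system32", None),
    "runtimebroker.exe": ("svchost.exe",  r"c:\windows\system32", None),
    "explorer.exe":      ("userinit.exe", r"c:\windows",          None),
}

# Constructed snapshot, not a real host. pid 4100 and 5000 are the planted evil.
SNAPSHOT = [
    {"pid": 4,    "ppid": 0,    "name": "System",       "path": "",                                  "cmdline": ""},
    {"pid": 364,  "ppid": 4,    "name": "smss.exe",     "path": r"C:\Windows\System32\smss.exe",     "cmdline": r"\SystemRoot\System32\smss.exe"},
    {"pid": 480,  "ppid": 420,  "name": "wininit.exe",  "path": r"C:\Windows\System32\wininit.exe",  "cmdline": "wininit.exe"},
    {"pid": 600,  "ppid": 480,  "name": "services.exe", "path": r"C:\Windows\System32\services.exe", "cmdline": r"C:\Windows\System32\services.exe"},
    {"pid": 612,  "ppid": 480,  "name": "lsass.exe",    "path": r"C:\Windows\System32\lsass.exe",    "cmdline": r"C:\Windows\System32\lsass.exe"},
    {"pid": 800,  "ppid": 600,  "name": "svchost.exe",  "path": r"C:\Windows\System32\svchost.exe",  "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
    {"pid": 2000, "ppid": 1900, "name": "explorer.exe", "path": r"C:\Windows\explorer.exe",          "cmdline": r"C:\Windows\Explorer.EXE"},
    {"pid": 3000, "ppid": 2000, "name": "cmd.exe",      "path": r"C:\Windows\System32\cmd.exe",      "cmdline": "cmd.exe"},
    {"pid": 4100, "ppid": 3000, "name": "svchost.exe",  "path": r"C:\Users\bob\AppData\Local\Temp\svchost.exe", "cmdline": "svchost.exe"},
    {"pid": 5000, "ppid": 3000, "name": "lsass.exe",    "path": r"C:\Users\bob\lsass.exe",           "cmdline": "lsass.exe"},
]


def check_snapshot(procs):
    """Return (pid, name, reason) findings for processes that break the baseline."""
    by_pid = {p["pid"]: p for p in procs}
    counts = {}
    findings = []
    for p in procs:
        name = p["name"].lower()
        if name not in EXPECTED:
            continue
        exp_parent, exp_dir, _ = EXPECTED[name]
        counts[name] = counts.get(name, 0) + 1

        parent = by_pid.get(p["ppid"])
        if parent is not None and parent["name"].lower() != exp_parent:
            findings.append((p["pid"], name,
                             f"parent is {parent['name']} (expected {exp_parent})"))

        # ntpath handles Windows paths regardless of the host running the check.
        if p["path"] and ntpath.dirname(p["path"]).lower() != exp_dir:
            findings.append((p["pid"], name, f"unexpected image path {p['path']}"))

        # Every legitimate svchost.exe is started with a -k <service group> argument.
        if name == "svchost.exe" and "-k" not in p["cmdline"].lower().split():
            findings.append((p["pid"], name, "svchost.exe without -k service group"))

    for name, (_, _, max_inst) in EXPECTED.items():
        if max_inst is not None and counts.get(name, 0) > max_inst:
            findings.append((None, name,
                             f"{counts[name]} instances (expected at most {max_inst})"))
    return findings


if __name__ == "__main__":
    for pid, name, reason in check_snapshot(SNAPSHOT):
        print(f"pid={pid!s:>5} {name:<14} {reason}")
```

The parent check deliberately stays silent when the parent has already exited, because smss.exe and userinit.exe normally do; a hunt that flags every orphaned wininit.exe or explorer.exe drowns in noise. The image-path and instance-count checks still catch the look-alike binaries dropped in user-writable directories.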
Log4jHorizon
A proof of concept for VMware Horizon instances that allows attackers to execute code as an unauthenticated user using a single HTTP request.
Research:
https://www.sprocketsecurity.com/blog/crossing-the-log4j-horizon-a-vulnerability-with-no-return
Exploit:
https://github.com/puzzlepeaches/Log4jHorizon
#log4j #vmware #horizon #rce
Domain Escalation — ShadowCoerce (MS-FSRVP)
Coercing the domain controller machine account to authenticate to a host which is under the control of a threat actor could lead to domain compromise. The most notable technique which involves coerced authentication is the PetitPotam attack which uses the Encrypting File System Remote Protocol (MS-EFSR). However, this is not the only protocol which could be utilized for domain escalation.
Research:
https://pentestlaboratories.com/2022/01/11/shadowcoerce/
PoC:
https://github.com/ShutdownRepo/ShadowCoerce
#ad #escalation #relay #redteam
Password Hash Cracking in AWS
https://www.sans.org/blog/password-hash-cracking-amazon-web-services/
#aws #cuda #hashcat
Free Labs to Learn Cloud Penetration Testing
https://flaws.cloud/
https://flaws2.cloud/
https://github.com/OWASP/Serverless-Goat
https://n0j.github.io/2017/10/02/aws-s3-ctf.html
https://github.com/torque59/AWS-Vulnerable-Lambda
https://github.com/wickett/lambhack
https://github.com/BishopFox/iam-vulnerable
https://github.com/RhinoSecurityLabs/cloudgoat
https://github.com/appsecco/attacking-cloudgoat2
https://github.com/m6a-UdS/dvca
https://github.com/OWASP/DVSA
https://github.com/nccgroup/sadcloud
#cloud #aws #pentest
AWS IAM explained for RedTeam & BlueTeam
https://infosecwriteups.com/aws-iam-explained-for-red-and-blue-teams-2dda8b20fbf7
#aws #iam #redteam #blueteam
Suspicious Named Pipe Events
https://medium.com/falconforce/falconfriday-suspicious-named-pipe-events-0xff1b-fe475d7ebd8
#windows #pipe #events #blueteam #redteam
Active Directory ACL Visualizer and Explorer
The adalanche tool gives instant results, showing you what permissions users and groups have in an Active Directory. It is useful for visualizing and exploring who can take over accounts, machines or the entire domain, and can be used to find and show misconfigurations.
https://github.com/lkarlslund/adalanche
#ad #acl #visualizer #blueteam #redteam
Network Access Control (NAC) Bypass
This post will be all about Network Access Control (NAC) solutions and how they might lull you into a sense of security.
https://luemmelsec.github.io/I-got-99-problems-but-my-NAC-aint-one/
#nac #bypass #pentest