Persistence: “the continued or prolonged existence of something” Series
Part 1 – Microsoft Office
https://www.mdsec.co.uk/2019/05/persistence-the-continued-or-prolonged-existence-of-something-part-1-microsoft-office
Part 2 – COM Hijacking
https://www.mdsec.co.uk/2019/05/persistence-the-continued-or-prolonged-existence-of-something-part-2-com-hijacking
Part 3 – WMI Event Subscription
https://www.mdsec.co.uk/2019/05/persistence-the-continued-or-prolonged-existence-of-something-part-3-wmi-event-subscription
@WindowsHackingLibrary
Part 1 – Microsoft Office
https://www.mdsec.co.uk/2019/05/persistence-the-continued-or-prolonged-existence-of-something-part-1-microsoft-office
Part 2 – COM Hijacking
https://www.mdsec.co.uk/2019/05/persistence-the-continued-or-prolonged-existence-of-something-part-2-com-hijacking
Part 3 – WMI Event Subscription
https://www.mdsec.co.uk/2019/05/persistence-the-continued-or-prolonged-existence-of-something-part-3-wmi-event-subscription
@WindowsHackingLibrary
MDSec
Persistence: "the continued or prolonged existence of something": Part 1 - Microsoft Office - MDSec
During a red team engagement, one of the first things you may want to do after obtaining initial access is establish reliable persistence on the endpoint. Being able to streamline...
A Guide to Reversing and Evading EDRs
Part 1: Introduction
https://jackson-t.ca/edr-reversing-evading-01.html
Part 2: Sensor Reconnaissance
https://jackson-t.ca/edr-reversing-evading-02.html
Part 3: Diverting EDR Telemetry to Private Infrastructure
https://jackson-t.ca/edr-reversing-evading-03.html
@WindowsHackingLibrary
Part 1: Introduction
https://jackson-t.ca/edr-reversing-evading-01.html
Part 2: Sensor Reconnaissance
https://jackson-t.ca/edr-reversing-evading-02.html
Part 3: Diverting EDR Telemetry to Private Infrastructure
https://jackson-t.ca/edr-reversing-evading-03.html
@WindowsHackingLibrary
SIGRed – Resolving Your Way into Domain Admin: Exploiting a 17 Year-old Bug in Windows DNS Servers
https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers
@WindowsHackingLibrary
https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers
@WindowsHackingLibrary
Check Point Research
SIGRed - Resolving Your Way into Domain Admin: Exploiting a 17 Year-old Bug in Windows DNS Servers - Check Point Research
Research by: Sagi Tzadik Introduction DNS, which is often described as the “phonebook of the internet”, is a network protocol for translating human-friendly computer hostnames into IP addresses. Because it is such a core component of the internet, there are…
Bypassing LSA Protection (aka Protected Process Light) without Mimikatz on Windows 10
https://www.redcursor.com.au/blog/bypassing-lsa-protection-aka-protected-process-light-without-mimikatz-on-windows-10
@WindowsHackingLibrary
https://www.redcursor.com.au/blog/bypassing-lsa-protection-aka-protected-process-light-without-mimikatz-on-windows-10
@WindowsHackingLibrary
Red Cursor
Bypassing LSA Protection without Mimikatz on Windows 10 - Red Cursor
Starting with Windows 8.1 (and Server 2012 R2) Microsoft introduced a feature termed LSA Protection. This feature is based on the ...
Extending the Exploration and Analysis of Windows RPC Methods Calling other Functions with Ghidra, Jupyter Notebooks and Graphframes
https://medium.com/threat-hunters-forge/extending-the-exploration-and-analysis-of-windows-rpc-methods-calling-other-functions-with-ghidra-e4cdaa9555bd
@WindowsHackingLibrary
https://medium.com/threat-hunters-forge/extending-the-exploration-and-analysis-of-windows-rpc-methods-calling-other-functions-with-ghidra-e4cdaa9555bd
@WindowsHackingLibrary
Medium
Extending the Exploration and Analysis of Windows RPC Methods Calling other Functions with Ghidra 🐉, Jupyter Notebooks 📓 and Graphframes…
A few weeks ago, I was going over some of the research topics in my to-do list, and the one that sounded interesting to work on during 4th…
Telemetry Sourcerer can enumerate and disable common sources of telemetry used by AV/EDR on Windows.
https://github.com/jthuraisamy/TelemetrySourcerer
@WindowsHackingLibrary
https://github.com/jthuraisamy/TelemetrySourcerer
@WindowsHackingLibrary
GitHub
GitHub - jthuraisamy/TelemetrySourcerer: Enumerate and disable common sources of telemetry used by AV/EDR.
Enumerate and disable common sources of telemetry used by AV/EDR. - jthuraisamy/TelemetrySourcerer
CVE-2020-1337 – PrintDemon is dead, long live PrintDemon!
https://voidsec.com/cve-2020-1337-printdemon-is-dead-long-live-printdemon
@WindowsHackingLibrary
https://voidsec.com/cve-2020-1337-printdemon-is-dead-long-live-printdemon
@WindowsHackingLibrary
Death from Above: Lateral Movement from Azure to On-Prem AD
https://posts.specterops.io/death-from-above-lateral-movement-from-azure-to-on-prem-ad-d18cb3959d4d
@WindowsHackingLibrary
https://posts.specterops.io/death-from-above-lateral-movement-from-azure-to-on-prem-ad-d18cb3959d4d
@WindowsHackingLibrary
Medium
Death from Above: Lateral Movement from Azure to On-Prem AD
I’ve been looking into Azure attack primitives over the past couple of months to gain a better understanding of how the system works, what…
FireWalker: A New Approach to Generically Bypass User-Space EDR Hooking
https://www.mdsec.co.uk/2020/08/firewalker-a-new-approach-to-generically-bypass-user-space-edr-hooking
@WindowsHackingLibrary
https://www.mdsec.co.uk/2020/08/firewalker-a-new-approach-to-generically-bypass-user-space-edr-hooking
@WindowsHackingLibrary
MDSec
FireWalker: A New Approach to Generically Bypass User-Space EDR Hooking - MDSec
Introduction During red team engagements, it is not uncommon to encounter Endpoint Defence & Response (EDR) / Prevention (EDP) products that implement user-land hooks to gain insight in to a...
Death from Above: Lateral Movement from Azure to On-Prem AD
https://posts.specterops.io/death-from-above-lateral-movement-from-azure-to-on-prem-ad-d18cb3959d4d
@WindowsHackingLibrary
https://posts.specterops.io/death-from-above-lateral-movement-from-azure-to-on-prem-ad-d18cb3959d4d
@WindowsHackingLibrary
Medium
Death from Above: Lateral Movement from Azure to On-Prem AD
I’ve been looking into Azure attack primitives over the past couple of months to gain a better understanding of how the system works, what…
Pwning Windows Event Logging with YARA rules
https://blog.dylan.codes/pwning-windows-event-logging
@WindowsHackingLibrary
https://blog.dylan.codes/pwning-windows-event-logging
@WindowsHackingLibrary
Zerologon: Unauthenticated domain controller compromise by subverting Netlogon cryptography (CVE-2020-1472)
https://www.secura.com/pathtoimg.php?id=2055
@WindowsHackingLibrary
https://www.secura.com/pathtoimg.php?id=2055
@WindowsHackingLibrary
English
404 Page
Unfortunately, this page cannot be found.
w0rk3r's Windows Hacking Library
Zerologon: Unauthenticated domain controller compromise by subverting Netlogon cryptography (CVE-2020-1472) https://www.secura.com/pathtoimg.php?id=2055 @WindowsHackingLibrary
Test tool: https://github.com/SecuraBV/CVE-2020-1472
PoC: https://github.com/dirkjanm/CVE-2020-1472
@WindowsHackingLibrary
PoC: https://github.com/dirkjanm/CVE-2020-1472
@WindowsHackingLibrary
GitHub
GitHub - SecuraBV/CVE-2020-1472: Test tool for CVE-2020-1472
Test tool for CVE-2020-1472. Contribute to SecuraBV/CVE-2020-1472 development by creating an account on GitHub.
Forwarded from w0rk3r's Blue team Library (Jonhnathan Jonhnathan Jonhnathan)
Mitre's Center Releases FIN6 Adversary Emulation Plan
Blogpost: https://medium.com/mitre-engenuity/center-releases-fin6-adversary-emulation-plan-775d8c5ebe9b
Github: https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/master/fin6
@BlueTeamLibrary
Blogpost: https://medium.com/mitre-engenuity/center-releases-fin6-adversary-emulation-plan-775d8c5ebe9b
Github: https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/master/fin6
@BlueTeamLibrary
Medium
Center Releases FIN6 Adversary Emulation Plan
Written by Jon Baker and Forrest Carver.
Weaponizing Group Policy Objects (GPO) Access
https://www.trustedsec.com/blog/weaponizing-group-policy-objects-access
@WindowsHackingLibrary
https://www.trustedsec.com/blog/weaponizing-group-policy-objects-access
@WindowsHackingLibrary
TrustedSec
Weaponizing Group Policy Objects Access
Goal: Use Group Policy to pull down a file from our attack machine to the Domain Controllers. It may work that way in some cases, but in our scenario, we…
Abusing Group Policy Caching
https://decoder.cloud/2020/09/23/abusing-group-policy-caching
@WindowsHackingLibrary
https://decoder.cloud/2020/09/23/abusing-group-policy-caching
@WindowsHackingLibrary
Decoder's Blog
Abusing Group Policy Caching
In this post I will show you how I discovered a severe vulnerability in the so-called “Group Policy Caching” which was fixed (among other GP vulnerabilities) in CVE-2020-1317 A standard…
A different way of abusing Zerologon (CVE-2020-1472)
Using the Printer Bug with zerologon to relay to DSRUAPI and DCSYNC (No password reset needed)
https://dirkjanm.io/a-different-way-of-abusing-zerologon
@WindowsHackingLibrary
Using the Printer Bug with zerologon to relay to DSRUAPI and DCSYNC (No password reset needed)
https://dirkjanm.io/a-different-way-of-abusing-zerologon
@WindowsHackingLibrary
dirkjanm.io
A different way of abusing Zerologon (CVE-2020-1472)
In August 2020, Microsoft patched CVE-2020-1472 aka Zerologon. This is in my opinion one of the most critical Active Directory vulnerabilities of the past few years, since it allows for instant escalation to Domain Admin without credentials. The most straightforward…
Sysmon Internals - From File Delete Event to Kernel Code Execution
https://undev.ninja/sysmon-internals-from-file-delete-event-to-kernel-code-execution
@WindowsHackingLibrary
https://undev.ninja/sysmon-internals-from-file-delete-event-to-kernel-code-execution
@WindowsHackingLibrary
undev.ninja
Sysmon Internals - From File Delete Event to Kernel Code Execution
Sysmon File Delete Event Internals and Kernel Code Execution
Evading Static Machine Learning Malware Detection Models – Part 1: The Black-Box Approach
https://blog.compass-security.com/2020/10/evading-static-machine-learning-malware-detection-models-the-black-box-approach
@WindowsHackingLibrary
https://blog.compass-security.com/2020/10/evading-static-machine-learning-malware-detection-models-the-black-box-approach
@WindowsHackingLibrary