
some backlog clearing sharing queue

Persistence and some misc Windows stuff. Sharing macOS backlog since it's taking a while to get around to it. Next update to PrivEsc will be clearing out cred attacks and actual privesc backlog.
Robert 8 months ago
committed by GitHub
No known key found for this signature in database GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 397 additions and 25 deletions
Draft/

@ -1297,6 +1297,12 @@
* [Upload and download small files with CertReq.exe - DTM(2020)](
* [Staying Off the Land: A Threat Actor Methodology - Crowdstrike(2020)](
* [Load/Inject malicious DLL using Microsoft Tools - safe(2018)](
* [FalconFriday — Masquerading; LOLBin file renaming— 0xFF0C - Olaf Hartong(2021)](
* [Abusing and Detecting LOLBIN Usage of .NET Development Mode Features - BOHOPS(2021](
* From an attacker’s perspective, configuration adjustments provide interesting opportunities for living-off-the-land-binary (lolbin) execution. In this short post, we’ll highlight a technique for turning pretty much any .NET executable into an opportunistic lolbin that abuses .NET development features by overriding Global Assembly Cache (GAC) path lookups. Furthermore, we’ll examine several defensive considerations for detecting malicious use of the presented technique.
* [Living off the land - Slayerlabs(2021)](
* [BYOT – Bring Your Own Telemetry - Hexacorn(2021)](
* [Symantec Endpoint Protection Meets COM — Using “Symantec.SSHelper” As A LOLBIN - Nasreddine Bencherchali(2021)](
* **Talks/Presentations/Videos**
* [Living Off the Land: A Minimalist’s Guide to Windows Post-Exploitation - Christopher Campbell, Matthew Graeber(Derybcon2013)](
* Two of the biggest challenges of long-term penetration tests are advanced security products and active administrators. Host intrusion prevention, application white-listing and antivirus software are all looking for your tools. Administrators and network defenders are doing everything they can to find you. Surprisingly, the easiest way to hide from them and homestead in a Windows enterprise is to live off the land. Microsoft provides you with all the tools you need to get into a network and live there forever. Tools such as Wmic, Netsh and PowerShell are well-known to administrators, but they also provide an attacker a whole range of virtually untapped features. By simply leveraging PowerSploit and a few tricks you can reliably bypass antivirus, get around whitelisting, escalate privileges, redirect network traffic, take full packet captures, log keystrokes, take screenshots, dump hashes, persist and pivot to other hosts all without introducing a single binary!
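Review bot: the new entry 'Abusing and Detecting LOLBIN Usage of .NET Development Mode Features - BOHOPS(2021' is missing the closing parenthesis before `]`, so the year never closes; it should read 'BOHOPS(2021)]'. Two smaller points in the same region: 'Derybcon2013' in the Campbell/Graeber talk entry should be 'Derbycon2013' to match the other Derbycon citations in this file, and the FalconFriday title has unbalanced spacing around its second dash ('renaming— 0xFF0C').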
@ -1396,6 +1402,7 @@
* **Command and Scripting Interpreter**<a name="wincmdexec"></a>
* **Cmd.exe**
* **Articles/Blogposts/Writeups**
* [Create Your Own CMD.XLS - Didier Stevens(2016](
* [cmd.exe running any file no matter what extension - Hexacorn](
* [Command line do-nothingness - hexacorn(2020)](
* **CMD Arg Spoofing**
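Review bot: the added 'Create Your Own CMD.XLS - Didier Stevens(2016]' entry is missing the closing parenthesis; it should read 'Didier Stevens(2016)]' like the other dated entries in this list.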
@ -1484,6 +1491,10 @@
* [Sideloading DLL like APT1337 -](
* [Bypassing AV's using DLL Side-Loading -](
* [DLL Proxy Loading Your Favourite C# Implant - Flangvik(2020)](
* [Adding DLL Exports with dnlib - RastaMouse(2020)](
* **Tools**
* [dll-exports](
* Collection of DLL function export forwards for DLL export function proxying
* **Downloaders**
* [Using signed Installshield installers as downloaders - hexacorn(2019)](
* **Exploitation for Client Execution**
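Review bot: 'Sideloading DLL like APT1337 -' and 'Bypassing AV's using DLL Side-Loading -' both end in an empty attribution; either fill in author/year the way the new lines in this hunk do ('Flangvik(2020)', 'RastaMouse(2020)') or drop the trailing dash so the entries do not look truncated.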
@ -1571,6 +1582,12 @@
* Some research on AltSystemCallHandlers functionality in Windows 10 20H1 18999
* [FreshyCalls PoC](
* A simple dumper as FreshyCalls' PoC. That's what's trendy, isn't it? `¯\_(ツ)_/¯`
* [inline_syscall](
* Header only library that allows you to generate direct syscall instructions in an optimized, inlineable and easy to use manner.
* **Power API**
* [Deus Somnum](
* Leverage the Windows Power Management API for code execution and defense evasion.
* [Paper](
* **Processes**
* [Creating a Child Process with Redirected Input and Output -](
* **Scheduled Task/Job**
@ -1728,6 +1745,10 @@
* **Persistence**<a name="winpersist"></a>
* **101**
* [Windows Userland Persistence Fundamentals - b33f](
* [Persistence -](
* [alphaseclab Persistence](
* [Windows Persistence - Chad Duffey(2020)](
* [Wicked malware persistence methods - Hasherezade(2017)](
* **Tactics**
* [Hiding Registry keys with PSReflect - Brian Reitz](
* [Hiding Files by Exploiting Spaces in Windows Paths](
@ -1737,7 +1758,13 @@
* [Materials](
* [Here to stay: Gaining persistency by Abusing Advanced Authentication Mechanisms - Marina Simakov, Igal Gofman](
* [Slides](
* [Killsuit the equation group's swiss army knife for persistence - Francisco J Donoso(BlueHat v18)](
* This talk expands on my research into the Equation Group's post exploitation tools. My previous research focused on providing a general overview of DanderSpritz, a full-featured post-exploitation toolkit included in the ShadowBroker's "Lost in Translation" leak. This talk provides a deep dive into KillSuit which is the Equation Group's Swiss Army Knife for persistence, information gathering, defense evasion, and data exfiltration in unique and interesting ways. During the talk, we will dissect the capabilities and functionality of the KillSuit framework, a little-known (and somewhat overlooked) component of the much larger DanderSpritz post-exploitation toolkit, leaked by the Shadow Brokers in April 2017. KillSuit is a full featured and versatile framework used by a variety of the Equation Group's tools and implants. KillSuit provides the ability to quietly establish persistence on machines via bootkits and other persistence methods and then allows operators to install persistent modules such as keyloggers, packet capture tools, tools that perform WiFi MITM, and other more information gathering tools. KillSuit also includes support for many plugins that provide interesting ways to silently exfiltrate data - some specifically designed to make data exfiltration across air gapped networks possible - including custom written IPSEC-like protocols and misuse of "disabled" WIFI cards and nearby open networks.
* **Tools**
* **3rd Party Applications**
* [Zoom Persistence via Symlink Abuse](
* [Persistence with KeePass - Part 1 - two06(2019](
* [Part 2](
* **Account Manipulation**
* **Additional Azure Service Principal Credentials**
* **Exchange Email Delegate Permissions**
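Review bot: 'Persistence with KeePass - Part 1 - two06(2019' lacks the closing parenthesis before `]`. Separately, the new '3rd Party Applications' heading overlaps with the existing 'Third-Party Programs' subsection further down this file (it appears as context in the -2052 hunk), which already lists 'Persistence with KeePass - Part 1'; merge the two headings so the KeePass post is filed once and 'Zoom Persistence via Symlink Abuse' lands next to it.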
@ -1754,6 +1781,8 @@
* [RID Hijacking: Maintaining Access on Windows Machines](
* The RID Hijacking hook, applicable to all Windows versions, allows setting desired privileges to an existent account in a stealthy manner by modifying some security attributes of an user. By only using OS resources, it is possible to replace the RID of an user right before the primary access token is created, allowing to spoof the privileges of the hijacked RID owner.
* **SSH Authorized Keys**
* **Accessibility Features**
* [Windows Persistence: Accessibility Features - Pavandeep Singh(2020](
* **Active Directory Specific**
* **Articles/Blogposts/Writeups**
* [Sneaky Active Directory Persistence Tricks -](
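Review bot: 'Windows Persistence: Accessibility Features - Pavandeep Singh(2020]' is missing the closing parenthesis. The RID Hijacking blurb carries its source's grammar ('an user', 'allowing to spoof'); if it is quoted verbatim from the project, wrap it in quotation marks like the other quoted blurbs in this file, otherwise tidy it.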
@ -1805,6 +1834,8 @@
* Powershell script to search for alternate data streams This script searches recursively through a specified file system for alternate data streams (ADS). The script can search local and UNC paths speciffied by the $path paramenter. All readable files will have the stream attrubute inspected ignoring the default DATA and FAVICON (image file on URL files) streams. The script use Boe Prox's amazing Get-RunspaceData function and other code to multithread the search. The default number of threads is the number of logical cores plus one. This can be adjusted by specifiying the $threads parameter. Use with caution as runspaces can easily chomp resources (CPU and RAM). Once the number of file system objects (files and folders) is determined, they are split into equal groups of objects divided by the number of threads. Then each thread has a subset of the total objects to inspect for ADS.
* **AMSI Provider**
* [Antimalware Scan Interface Provider for Persistence - B4rtik(2020)](
* [AMSI-Provider](
* A fake AMSI Provider which can be used to gain persistence on a host when a specific text is triggered. By default calc.exe will open.
* **APPX/UWP**
* [Persistence using Universal Windows Platform apps (APPX) - oddvarmoe](
* Persistence can be achieved with Appx/UWP apps using the debugger options. This technique will not be visible by Autoruns.
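Review bot: the ADS-search description contains several typos ('speciffied', 'paramenter', 'attrubute', 'specifiying'). If it is pasted verbatim from the script's README, mark it as a quotation as the rest of this file does; otherwise correct them, since this is the only description for that tool.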
@ -1820,6 +1851,8 @@
* **Boot or Logon Autostart Execution**
* [Windows Startup Application Database](
* [Windows Program Automatic Startup Locations(2004) BleepingComputer](
* [Hijacking the Boot Process - Ransomware Style - Raul Alvarez(ShowMeCon2018)](
* Have you ever wondered how a boot process works? How a computer detects which operating system it needs to load? Or what is the impact if that single sector in your harddisk is compromised? In this presentation, we are going to look into how Petya, a ransomware, can overwrite an MBR (Master Boot Record), both in MBR- and GPT-style disk, with its malicious code. Then, we are going to follow the code in the MBR and show how a simple malicious kernel code can take control of the boot process until you pay the ransom. I will show a demo on how to debug the MBR to see how the actual native code executes without any API. We are also going to see how we can use a combination of different tools to figure out how a ransomware can infect the very first sector of a harddisk. Tools, such as, Disk Management, DISKPART, WinObj, Process Monitor, and HDHacker. And of course, x64dbg and ollydbg for debugging the ransomware in application-level. And finally, we are going to see how to use Bochs debugger to analyze the malware while it runs its own kernel code.
* **Authentication Package**
* **Kernel Modules and Extensions**
* **LSASS Driver**
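Review bot: the Raul Alvarez talk added here is about MBR takeover (its abstract describes Petya overwriting the MBR on both MBR- and GPT-style disks and running its own kernel code before the OS), which is Pre-OS Boot / Bootkit territory rather than 'Boot or Logon Autostart Execution' (registry, startup folder and similar autostarts). This same diff adds an empty 'Pre-OS Boot > Bootkit' heading in the -2012 hunk; file the talk there.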
@ -1849,6 +1882,8 @@
* [Backdooring Plugins - Averagejoe](
* **Create Account**
* **Local Account**
* [Backdoorplz](
* adding a backdooruser using win32api
* **Domain Account**
* **Cloud Account**
* **Create or Modify System Process**
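Review bot: the 'Backdoorplz' description 'adding a backdooruser using win32api' should say what the tool creates (a local account, and with which group membership) so a reader can tell it apart from the Domain/Cloud Account siblings; also 'Win32 API' rather than 'win32api', and a space in 'backdoor user'.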
@ -1856,6 +1891,11 @@
* **Systemd Service**
* **Windows Service**
* **Launch Daemon**
* **DLL Injection/Hijacking**
* **Articles/Blogposts/Writeups**
* **Tools**
* [bait](
* Bait for dll injection and executable planting
* **Drivers**
* [Windows Firewall Hook Enumeration](
* We’re going to look in detail at Microsoft Windows Firewall Hook drivers from Windows 2000, XP and 2003. This functionality was leveraged by the Derusbi family of malicious code to implement port-knocking like functionality. We’re going to discuss the problem we faced, the required reverse engineering to understand how these hooks could be identified and finally how the enumeration tool was developed.
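Review bot: the new 'DLL Injection/Hijacking' subsection is added with an empty 'Articles/Blogposts/Writeups' heading under it; either populate it or point it at the DLL Hijacking list later in this file (-2129 hunk), which already collects the writeups. The 'bait' tool's one-liner ('Bait for dll injection and executable planting') should say what it plants or monitors so the defensive use is clear.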
@ -1883,19 +1923,16 @@
* **Tools**
* [Windows 0wn3d By Default - Mark Baggett(Derbycon2013)](
* Description: “In this talk we will discuss API Hooking, Process Execution Redirection, Hiding Registry keys and hiding directories on the hard drive. We must be talking about rootkits, right? Well yes, but not in the way you think. The Windows family of operating systems has all of these capabilities built right in! Using nothing but tools and techniques distributed and documented by Microsoft we can implement all of these rootkit functions. During this exciting talk I will present new attacks against Windows operating system that provide rootkit like functionality with built-in OS tools. In session, we’ll demonstrate how to leverage the Microsoft Application Compatibility Toolkit to help hide an attacker’s presence on your system. The Application Compatibility Toolkit allows you to create application shims that intercept and redirect calls from applications to the operating system. This native rootkit like capability is intended to make the Windows operating system compatible with very old or poorly written applications. Do DEP, ASLR, UAC, and Windows Resource Protection, File system ACLS and other modern OS security measures get it your way? No problem. Turn them off! Do you want to hide files and registry keys and from the user? The Application Compatibility toolkit allows you to create a virtual world for any application and hide resources from view. If someone inspects the registry with regedit they will see exactly what the attacker wants them to see and not what the OS sees when it launches programs. Did they patch your target so your exploit doesn’t work? Guess what, making applications backwards compatible is what this tool is intended to do. Make your favorite applications “old exploit compatible” insuring you can re-exploit the target with this awesome untapped resource. Everything you need to subvert windows applications is built right into the windows kernel. Come learn how to use the application compatibility toolkit to tap this great resource.”
* **Change Default File Association**
* [Registering an Application to a URI Scheme -](
* [Exploiting custom protocol handlers in Windows - Andrey Polkovnychenko](
* In this article we would like to present the mechanism for custom protocol handling in Windows, and how it can be exploited using a simple command injection vulnerability.
* **Component Object Model Hijacking**
* [COM Object hijacking: the discreet way of persistence](
* [Userland Persistence with Scheduled Tasks and COM Handler Hijacking](
* [Userland Persistence with Scheduled Tasks and COM Handler Hijacking - enigma0x3(2016)](
* [How To Hunt: Detecting Persistence & Evasion With The COM - Blake Strom](
* [Persistence: “the continued or prolonged existence of something”: Part 2 – COM Hijacking - MDSec](
* [Use COM Object hijacking to maintain persistence——Hijack CAccPropServicesClass and MMDeviceEnumerator - 3gstudent](
* [Use COM Object hijacking to maintain persistence——Hijack explorer.exe - 3gstudent](
* [Activation Contexts — A Love Story - Philip Tsukerman(2019)](
* TL;DR — Windows loads a version of the Microsoft.Windows.SystemCompatible assembly manifest into every process. Tampering with it lets you inject DLL side-loading opportunities into every process, and to perform COM hijacking without touching the registry. Unfortunately, the manifest could be replaced by another version, possibly killing your persistence by surprise.
* [Persistence – COM Hijacking - NetbiosX](
* **Emond**
* **Event Log**
* [Windows Event Log Driven Back Doors](
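Review bot: this hunk removes 6 lines and adds 3, but with the +/- markers lost in this rendering old and new lines sit side by side, so please confirm the result in the file: 'Userland Persistence with Scheduled Tasks and COM Handler Hijacking' appears once without and once with 'enigma0x3(2016)', and only the attributed one should survive. Likewise the three 'Change Default File Association' lines ('Registering an Application to a URI Scheme', 'Exploiting custom protocol handlers in Windows' and its blurb) reappear verbatim under the new 'URI Scheme' heading in the -2060 hunk; if this hunk is the removal side of that move it is correct, otherwise the entries are duplicated.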
@ -1916,6 +1953,8 @@
* **Screensaver**
* **Trap**
* **Windows Management Instrumentation Event Subscription**
* **Extension Handlers**
* [Hijacking extensions handlers as a malware persistence method - hasherezade(2017)](
* **External Remote Services**
* **Filesystem**
* **NTFS**
@ -1933,6 +1972,9 @@
* **Path Interception by Unquoted Path**
* **Services File Permissions Weakness**
* **Services Registry Permissions Weakness**
* **IIS Modules**
* [IIS Raid – Backdooring IIS Using Native Modules - Rio Sherri(2020)](
* Back in 2018, PaloAlto Unit42 publicly documented RGDoor, an IIS backdoor used by the APT34. The article highlighted some details which sparked my interest and inspired me to write IIS-Raid, an IIS backdoor module that allows red-team operators to keep a stealthy persistence on IIS web-servers. In this blogpost, we will discuss some of the key components of this tool, how it was built and demonstrate its features.
* **Implant Container Image**
* **MS Distributed Transaction Coordinator Service**
* **Articles/Blogposts/Writeups**
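Review bot: 'IIS Raid – Backdooring IIS Using Native Modules' is added here under 'IIS Modules' while the existing 'Server Software Component > IIS' subsection (context at the end of the -2034 hunk) already lists the same title credited to MDSec. Keep one entry (the 'Rio Sherri(2020)' attribution is the more complete of the two) and cross-reference it from the other heading instead of listing the post twice.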
@ -1940,6 +1982,12 @@
* [The Microsoft Distributed Transaction Coordinator service must run under the NT AUTHORITY\NetworkService Windows account -](
* [Shadow Force Uses DLL Hijacking, Targets South Korean Company - Dove Chiu(2015)](
* [Use msdtc to maintain persistence - 3gstudent](
* **.NET**
* [Common Language Runtime Hook for Persistence - Paul Laine(2019](
* This blog post explains how it is possible to execute arbitrary code and maintain access to a Microsoft Windows system by leveraging the Common Language Runtime application domain manager.
* [Configuring our Machine for Persistence - NotoriousRebel(2020)](
* [ConfigPersist](
* Utilizes modifying machine.config for persistence through CLR hooking, after installing signed .NET assembly onto Global Assembly Cache.
* **LAPS**
* **Articles/Blogposts/Writeups**
* [Mise en place d'une Backdoor LAPS via modification de l'attribut SearchFlags avec DCShadow - Gregory Lucand](
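Review bot: 'Common Language Runtime Hook for Persistence - Paul Laine(2019' is missing the closing parenthesis before `]`. The ConfigPersist blurb 'Utilizes modifying machine.config for persistence...' reads awkwardly; 'Modifies machine.config for persistence through CLR hooking after installing a signed .NET assembly into the Global Assembly Cache' says the same thing.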
@ -1966,13 +2014,15 @@
* Windows persistence toolkit written in C#
* **AppDomain**
* [Use AppDomainManager to maintain persistence](
* **Netsh Helper DLL**
* **Netsh**
* [Windows Persistence using Netsh - Pavandeep Singh(2020)](
* [Persistence – Netsh Helper DLL - NetbiosX](
* **Office Applications**
* **Articles/Blogposts/Writeups**
* [Use Office to maintain persistence - 3gstudent](
* [Office Persistence on x64 operating system - 3gstudent](
* [Persistence: “the continued or prolonged existence of something” - Dominic Chell](
* [app-password-persistence](
* **Add-ins**
* [Add-In Opportunities for Office Persistence - William Knowles](
* **Extensibility Features**
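Review bot: 'Netsh Helper DLL' and 'Netsh' are stacked as two headings for one topic. This hunk removes one line and adds three, so if one of those headings is the removal that is fine; if both survive, collapse them into a single 'Netsh Helper DLL' heading holding both links. 'app-password-persistence' is added without a description while its siblings here all carry one.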
@ -1982,6 +2032,8 @@
* Introduction of wePWNize
* **Outlook Forms**
* **Outlook Rules**
* [XRulez](
* "XRulez" is a Windows executable that can add malicious rules to Outlook from the command line of a compromised host.
* **Outlook Home Page**
* **Office Test**
* **Password Filter DLL**
@ -2012,10 +2064,19 @@
* OpenPasswordFilter is an open source custom password filter DLL and userspace service to better protect / control Active Directory domain passwords.
* [PasswordStealing](
* Password stealing DLL I have written about 1999, some time before Active Directory was announced. And of course it still works. First, it was written in 32-bit Delphi (pardon my language) and when it stopped working as everything changed into 64-bit - in (so much simpler when it comes to Win32 API) C, as I did not have 64-bit Delphi. The original implementation was a bit more complex, including broadcasting the changed password over the network etc. but now it works as a demonstration of an idea, so let's keep it as simple as possible. It works everywhere - on local machines for local accounts and on DCs for domain accounts.
* **Port Monitors**
* [Windows Persistence: Port Monitors - Aarti Singh(2020)](
* [Windows Persistence via Port Monitors - Slayerlabs(2020](
* **Pre-OS Boot**
* **System Firmware**
* **Component Firmware**
* **Bootkit**
* **Print Processor**
* [No “Game over” for the Winnti Group - Mathieu Tartare, Martin Smolár(2020)](
* [New PipeMon malware uses Windows print processors for persistence - Ionut Ilascu(2020)](
* **Processes**
* [Mayhem](
* The Mayhem packages aims to provide a Python interface for the programmatic manipulation of executable files at runtime on both the Linux and Windows platforms.
* **Registry**
* [Windows Registry Attacks: Knowledge Is the Best Defense](
* [Windows Registry Persistence, Part 1: Introduction, Attack Phases and Windows Services](
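Review bot: 'Windows Persistence via Port Monitors - Slayerlabs(2020' lacks the closing parenthesis. 'Pre-OS Boot' is added with three empty subheadings (System Firmware, Component Firmware, Bootkit); the Petya MBR talk added under 'Boot or Logon Autostart Execution' in the -1820 hunk of this same diff belongs under Bootkit. The 'Mayhem' blurb describes a Python library for manipulating executables at runtime, not a persistence technique; either add a line on how it is used for persistence or move it to a tooling section.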
@ -2034,15 +2095,16 @@
* [schtasks](
* [Script Task](
* Persistence Via MSSQL
* **At (Linux)**
* **Launchd**
* **Cron**
* [Persistence using Task Scheduler without a Scheduled Task - marpie(2019](
* **Scheduled Job**
* [How to create PowerShell Scheduled Jobs on the Local Computer and on Remote Hosts - Patrick Gruenauer(2018](
* **ScreenSaver**
* [Persistence – Screensaver - NetbiosX](
* **Services**
* [Create A Windows Service In C# - Faisal Pathan(2020](
* [Stealthier persistence using new services purposely vulnerable to path interception - Christophe Tafani-Dereeper](
* [Persistence – New Service - NetbiosX](
* [Persisting in svchost.exe with a Service DLL - @spotheplanet](
* **Server Software Component**
* **IIS**
* [IIS Raid – Backdooring IIS Using Native Modules - MDSec](
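Review bot: 'Persistence Via MSSQL' sits as a bare bullet under '[Script Task](' with no link, so it reads as that entry's description; give it its own link or remove it. 'At (Linux)', 'Launchd' and 'Cron' are non-Windows headings inside the Windows persistence tree: this hunk removes exactly three lines, so if those are the removals, good, but if they survive the new 'Persistence using Task Scheduler without a Scheduled Task' ends up filed under Cron. Closing parentheses are missing in 'marpie(2019', 'Patrick Gruenauer(2018' and 'Faisal Pathan(2020'.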
@ -2052,6 +2114,12 @@
* **SQL Stored Procedures**
* **Transport Agent**
* **Web Shell**
* **SMB**
* [smbdoor](
* The proof-of-concept smbdoor.sys driver is a silent remote backdoor that does not bind new sockets or perform function modification hooking. Instead it abuses undocumented APIs in srvnet.sys to register itself as a valid SMB handler. It then listens on the already-bound ports 139/445 for special packets in which to execute secondary shellcode. In several ways, it has similarities with DoublePulsar and DarkPulsar, as well as ToxicSerpent.
* **Windows Telemetry**
* [Abusing Windows Telemetry for Persistence -Christopher Paschen(2020)](
* [Telemetry](
* **Third-Party Programs**
* [Persistence with KeePass - Part 1 - James](
* **Traffic Signaling**
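Review bot: 'Abusing Windows Telemetry for Persistence -Christopher Paschen(2020)' needs a space after the dash, and the bare '[Telemetry](' tool entry has no description, unlike 'smbdoor' beside it, so it is unclear whether it is the PoC for the Paschen post or a different tool.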
@ -2060,6 +2128,12 @@
* [Blogpost](
* Covert Stage-3 Persistence Framework utilizing NVRAM variables
* **URI Scheme**
* [Registering an Application to a URI Scheme -](
* [Exploiting custom protocol handlers in Windows - Andrey Polkovnychenko](
* In this article we would like to present the mechanism for custom protocol handling in Windows, and how it can be exploited using a simple command injection vulnerability.
* [backoori](
* Tool aided persistence via Windows URI schemes abuse
* **Valid Accounts**
* **Default Accounts**
* **Domain Accounts**
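Review bot: the three lines 'Registering an Application to a URI Scheme', 'Exploiting custom protocol handlers in Windows' and its blurb are identical to lines shown under 'Change Default File Association' in the -1883 hunk. That hunk removes six lines, so if this 'URI Scheme' heading is the destination of a move it is correct, but verify the originals are gone rather than duplicated. The 'backoori' one-liner would be more useful with a note on which URI-scheme registrations it relies on, since the section otherwise has no defensive pointer.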
@ -2071,6 +2145,8 @@
* [waitfor -](
* [Persistence – WaitFor - NetbiosX(2020)](
* "Waitfor is a Microsoft binary which is typically used to synchronize computers across a network by sending signals. This communication mechanism can be used in a red team operation in order to download and execution arbitrary code and for persistence. The binary is stored in C:\Windows\System32 folder which means that local administrator privileges are required to perform this activity and both hosts (sender and receiver) needs to be on the same network segment. "
* **Windows Subsystem for Linux**
* [Unremovable malware with WSL - foresixchange(2019](
* **WMI**
* [Playing with MOF files on Windows, for fun & profit - xst3nz(2016)](
* [Windows Management Instrumentation (WMI) Offense, Defense, and Forensics - William Ballenthin, Matt Graeber, Claudiu Teodorescu](
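Review bot: 'Unremovable malware with WSL - foresixchange(2019' lacks the closing parenthesis before `]`. The WaitFor quotation keeps its source's grammar ('download and execution arbitrary code', 'both hosts ... needs'); as it is in quotation marks, either leave it as-is or mark [sic], but do not silently rewrite it.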
@ -2129,10 +2205,13 @@
* [DLL Hijacking via URL files - InsertScript](
* [DLL Hijacking -](
* [Understanding how DLL Hijacking works - Astr0baby(2018)](
* [ Microsoft File Checksum Integrity Verifier "fciv.exe" v2.05 / DLL Hijack Arbitrary Code Execution - hyp3rlinx(2019)](
* [DLL Hijacking -](
* [Lateral Movement — SCM and DLL Hijacking Primer - Dwight Hohnstein(2019)](
* [Windows Server 2008R2-2019 NetMan DLL Hijacking - itm4n(2020](
* [Automating DLL Hijack Discovery - Justin Bui(2020)](
* [UAC bypass through Trusted Folder abuse - Jean Maes(2020)](
* [My First 2020 [NonTroll] CVE - DLL Hijacking in NVIDIA System Management Interface (SMI) - Andy Gill(2020)](
* [Windows 10 - Task Scheduler service - Privilege Escalation/Persistence through DLL planting - remoteawesomethoughts.blogspot](
* I was recently busy doing some reverse on an antivirus solution. During this review, I figured out the Windows 10 Task Scheduler service was looking for a missing DLL exposing it to DLL hijacking/planting. It opens for persistence and privilege escalation in case one can write a rogue DLL in a folder pointed by the PATH environment variable. It can also be used as a UAC bypass.
* [Use CLR to bypass UAC - 3gstudent](
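Review bot: the fciv.exe entry has a stray leading space inside the link brackets ('[ Microsoft File Checksum Integrity Verifier...'), and 'itm4n(2020' lacks the closing parenthesis. Two entries in this region read '[DLL Hijacking -](' with empty attribution; with the URLs not visible here they cannot be told apart, so add author/source to each or drop one.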
@ -2151,7 +2230,10 @@
* This project is a demonstration of advanced DLL hijack techniques. It was released in conjunction with the ["Adaptive DLL Hijacking" blog post]( I recommend you start there to contextualize this code.
* [TrustJack](
* [HijackHunter](
* [RunHijackHunter](
* **DLL Tools**
* [Dependencies - An open-source modern Dependency Walker](
* A rewrite of the old legacy software "depends.exe" in C# for Windows devs to troubleshoot dll load dependencies issues.
* [rattler](
* Rattler is a tool that automates the identification of DLL's which can be used for DLL preloading attacks.
* [injectAllTheThings](
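Review bot: the three new tool entries 'TrustJack', 'HijackHunter' and 'RunHijackHunter' carry no description while every neighbouring tool does (the 'Adaptive DLL Hijacking' project, 'Dependencies', 'rattler'); one line each on what they check, and whether 'RunHijackHunter' is a wrapper for 'HijackHunter', would keep the list usable.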
@ -2790,6 +2872,11 @@
* A VBA implementation of the RunPE technique or how to bypass application whitelisting.
* **Applocker**
* **101**
* [AppLocker architecture and components -](
* [AppLocker -](
* This topic provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies. AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.
* [AppLocker architecture and components -](
* [Windows Applocker Policy – A Beginner’s Guide - AArti Singh(2019)](
* [Ultimate AppLocker ByPass List](
* "The goal of this repository is to document the most common and known techniques to bypass AppLocker. Since AppLocker can be configured in different ways I maintain a verified list of bypasses (that works against the default AppLocker rules) and a list with possible bypass technique (depending on configuration) or claimed to be a bypass by someone. I also have a list of generic bypass techniques as well as a legacy list of methods to execute through DLLs."
* [myAPPLockerBypassSummary](
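Review bot: 'AppLocker architecture and components -' is added twice in this hunk, both with empty attribution; keep one and add the source. 'AArti Singh' has a stray capital A compared with 'Aarti Singh' in the Port Monitors entry added earlier in this diff.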
@ -2798,14 +2885,17 @@
* [AppLocker Bypass Checklist - netbiosX](
* [AppLocker Case study: How insecure is it really? Part 1](
* AppLocker Case study: How insecure is it really? Part 2](
* [AppLocker Bypass – Weak Path Rules](
* [AppLocker Bypass – Weak Path Rules(2017](
* [Applocker Bypass via Registry Key Manipulation](
* [Bypassing AppLocker Custom Rules - 0x09AL Security Blog](
* [AppLocker Bypass – CMSTP - netbiosX](
* [Bypassing AppLocker Custom Rules](
* [A small discovery about AppLocker -](
* [Bypassing AppLocker Custom Rules - 0x09AL Security Blog(2018)](
* [AppLocker Bypass – CMSTP - netbiosX(2018](
* [Bypassing AppLocker Custom Rules(2018)](
* [Babushka Dolls or How To Bypass Application Whitelisting and Constrained Powershell - Morten Schenk(2018](
* [Code](
* [A small discovery about AppLocker -](
* 'While I was prepping for a session a while back I made a a little special discovery about AppLocker. Turns out that the files that AppLocker uses under C:\Windows\System32\AppLocker can be used in many cases to bypass a Default AppLocker ruleset.'
* [Applocker Bypass via Registry Key Manipulation - Francesco Mifsud](
* [Applocker and PowerShell: how do they tightly work together? - Emin Atac(2019)](
* [Bypassing AppLocker Custom Rules - 0x09AL](
* [myAPPLockerBypassSummary](
* Simple APPLocker bypass summary based on the extensive work of @api0cradle
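Review bot: the second case-study entry is missing its opening '[' ('AppLocker Case study: How insecure is it really? Part 2]('). This hunk removes 5 lines and adds 8, so several pairs shown here are old/new versions of one entry (Weak Path Rules with and without '(2017', CMSTP with and without '(2018', 'A small discovery about AppLocker' twice). Even so, 'Bypassing AppLocker Custom Rules' appears five times and 'Applocker Bypass via Registry Key Manipulation' twice, more than five removals can absorb, so dedupe to the attributed, dated forms ('0x09AL Security Blog(2018)', 'Francesco Mifsud'). Closing parentheses are missing in 'Weak Path Rules(2017', 'netbiosX(2018' and 'Morten Schenk(2018'.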
@ -2821,6 +2911,10 @@
* **Talks/Presentations/Videos**
* [GreatSCT: Gotta Catch 'Em AWL - Chris Spehn(CircleCityCon2018)](
* Great Scott Marty, we went all the way back to 1995! The project is called Great SCT (Great Scott). GreatSCT is an open source project to generate application whitelist (AWL) bypasses. This tool is intended for BOTH red and blue team. Blue team can benefit by testing the publicly known application whitelisting bypass methods. We will review the most common application whitelisting bypass methods and how to utilize these methods with GreatSCT.
* [Shackles, Shims, and Shivs - Understanding Bypass Techniques - Mirovengi(Derbycon2016](
* Our industry recognizes the importance of physical security, but often, we focus on the lock core itself and the challenges with picking it. This talk discuss an overview of the common retention mechanisms and how many of the common forms can be bypassed quicker than picking the lock.
* [App-o-Lockalypse now! - Oddvar Moe(Derbycon2018](
* Want to get a good overview of AppLocker and the different AppLocker bypasses and at the same time learn how defenders can harden their environments to prevent them? Then this is a talk you don't want to miss. This talk will cover a vast amount of bypass techniques and how to harden AppLocker to make it even harder to bypass. Giving you help to either start or avoid an App-o-Lockalypse.
* **Tools**
* [Backdoor-Minimalist.sct](
* Applocker bypass
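Review bot: 'Mirovengi(Derbycon2016' and 'Oddvar Moe(Derbycon2018' lack the closing parenthesis before `]`. The 'Shackles, Shims, and Shivs' abstract as quoted is about physical lock retention mechanisms; nothing in it mentions application whitelisting or software shims, so it looks misfiled under AppLocker talks. Check the talk content before keeping it here.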
@ -2847,8 +2941,15 @@
* [Use attack surface reduction rules to prevent malware infection -](
* **Articles/Blogposts/Writeups**
* [Bypass Windows Defender Attack Surface Reduction - Emeric Nasi](
* [Windows ASR Rules & (Re)Enabling WMI When Blocked - FortyNorthSecurity(2018](
* **Talks/Presentations/Videos**
* [Bypass Windows Exploit Guard ASR - Emeric Nasi(OffensiveCon2019](
* **Tools**
* [Bypass Windows Exploit Guard ASR - Emeric Nasi(OffensiveCon2020)](
* How to bypass all Microsoft latest "Attack Surface Reduction" rules with malicious Office documents and scripts. The last years, I have been doing some research around Windows security. I liked exploring APT/Redteam techniques and payload used for social engineering and airgap bypass attacks. I am naturally interested into new security features such as ASR. Microsoft introduced Attack Surface Reduction (ASR) as part of Windows defender exploit guard. ASR is composed of a set of configurable rules such as: "Block Office applications from creating child process". While these rules seem effective against common Office and scripts malwares, there are ways to bypass all of them. We will go over each rule related to malicious Office or VB scripts behavior, analyze how It work behind the scene and find a way to bypass it. As example we will take common attack scenario and see how they can be achieved with all rules enforced: Download execute DLL/EXE/script from Office/VBscript; Drop execute embedded DLL/EXE/script from Office/VBscript; Machine takeover with Meterpreter shell from Office/VBscript; Lateral movement/UAC bypass/AMSI bypass/etc.
* **Defender**<a name="defender"></a>
* **101**
* [Next-generation protection in Windows 10, Windows Server 2016, and Windows Server 2019 -](
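Review bot: the Emeric Nasi 'Bypass Windows Exploit Guard ASR' entry that carries the abstract lands under '**Tools**' instead of '**Talks/Presentations/Videos**' one heading up; move it. The two copies of that entry also disagree on the year (OffensiveCon2019 vs OffensiveCon2020); this hunk removes one line, so keep whichever year is correct and drop the other. 'FortyNorthSecurity(2018' and 'Emeric Nasi(OffensiveCon2019' lack closing parentheses.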
@ -2929,6 +3030,8 @@
* [Domain Controller Security Logs – how to get at them *without* being a Domain Admin - girlgerms(2016)](
* [Pwning Windows Event Logging with YARA rules - Dylan Halls(2020)](
* [Disabling Windows Event Logs by Suspending EventLog Service Threads - @spottheplanet](
* [肚脑虫组织( APT-C-35)疑似针对巴基斯坦军事人员的最新攻击活动 - ](
* [Windows XML Event Log (EVTX)单条日志清除(五)——通过DuplicateHandle获取日志文件句柄删除当前系统单条日志记录 - 3gstudent](
* **Tools**
* [Ghost In The Logs](
* This tool allows you to evade sysmon and windows event logging, my blog post about it can be found [here](
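Review bot: the APT-C-35 entry has an empty attribution after ' - ', and both new titles are Chinese only, which makes them invisible to anyone searching this file in English. Add an English gloss next to each, for example 'Donot Team (APT-C-35) suspected recent attack campaign against Pakistani military personnel' and 'Windows XML Event Log (EVTX) single-record deletion, part 5: obtaining the log file handle via DuplicateHandle to delete one record on the live system - 3gstudent', keeping the original title alongside.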
@ -3414,10 +3517,9 @@
* In this article I give a variety of examples of how to refer to the notepad.exe executable from the C:\Windows\System32 directory using various path notations. I also discuss how some of these tricks can be used to annoy or fool system administrators and information security analysts.
* **Polymorphism**
* **101**
* [Polymorphism - A Discussion Of Methodology And Implementation - Buz(1999)](
* **Articles/Blogposts/Writeups**
* [Engineering antivirus evasion - Vladimir Meier(2020)](
* [Engineering antivirus evasion (Part II) - Vladimir Meier(2020)](
* **Talks/Presentations/Videos**
* [Antivirus Evasion through Antigenic Variation (Why the Blacklisting Approach to AV is Broken) - Trenton Ivey, Neal Bridges(Derbycon 2013)](
* Description: Think of the last time you got sick. Your immune system is an amazing piece of machinery, but every now and then, something gets past it. Antivirus evasion techniques can become more effective when modeled after infectious diseases. This talk highlights many of the antivirus evasion techniques in use today. Going further, this talk shows how genetic algorithms can quickly and repeatedly “evolve” code to evade many malicious code detection techniques in use today.
@ -3434,19 +3536,25 @@
* **Process Un-Linking**
* [Manipulating ActiveProcessLinks to Hide Processes in Userland - @spotheplanet](
* **Process 'Hardening'**
* [D/Invokify PPID Spoofy & BlockDLLs - RastaMouse(2020)](
* [Hiding Process Memory via Anti Forensic Techniques - Ralph Palutke, Frank Block, Patrick Reichenberger, Dominik Stripeika(DFRWS USA2020)](
* [Bypassing VirtualBox Process Hardening on Windows - James Forshaw(2017)](
* This blog post will describe the implementation of Oracle’s VirtualBox protected process and detail three different, but now fixed, ways of bypassing the protection and injecting arbitrary code into the process. The techniques I’ll present can equally be applied to similar implementations of “protected” processes in other applications.)
* **REPL**
* **Sandbox Detection & Evasion**
* **Articles/Writeups**
* **Tools**
* See
* **Signatures**
* **Articles/Writeups**
* [Discovering The Anti-Virus Signature and Bypassing it - Oddvar Moe(2019)](
* [Building a custom Mimikatz binary - s3cur3th1ssh1t(2020)](
* **Credential Access**<a name="wincredac"></a>
* **Want to learn this stuff? What should you know/study?**
* Windows Authentication Concepts
* Windows Logon Scenarios
* Windows Authentication Architecture
* Security Support Provider Interface Architecture
* Credentials Processes in Windows Authentication
* Group Policy Settings Used in Windows Authentication
* **101**
* [An Overview of KB2871997 -](
* Increasing complexity of retrieving clear-text creds
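Review bot: the VirtualBox Process Hardening description ends with a stray closing parenthesis (`...in other applications.)`) that does not match any opening one; drop it. In the same hunk the `Sandbox Detection & Evasion` block is a skeleton: `* **Articles/Writeups**` has no entries and the `* See` line under `* **Tools**` points at nothing, so either complete the reference or remove the dangling line rather than committing it as-is. The empty `* **REPL**` heading has the same problem.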
@ -3829,6 +3937,10 @@
* **Articles/Blogposts/Writeups**
* [Capture a Network Trace without installing anything (& capture a network trace of a reboot) - Chad Duffey(blogs.mdsn)](
* **Tools**
* [raw-socket-sniffer](
* **RPC**
* [The OXID Resolver [Part 1] – Remote enumeration of network interfaces without any authentication - Nicolas Delhaye(2020](
* [The OXID Resolver [Part 2] – Accessing a Remote Object inside DCOM - Nicolas Delhaye(2020)](
* **Sitrep**
* **Articles/Blogposts/Writeups**
* [Windows Driver and Service enumeration with Python - slacker007(2015)](
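Review bot: the OXID Resolver Part 1 entry is missing the closing parenthesis on the year (`Nicolas Delhaye(2020](`), while the Part 2 entry directly below it is correctly written `Nicolas Delhaye(2020)](`; make the two consistent so the rendered link text is not truncated.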
@ -3837,7 +3949,8 @@
* [Detecting Hypervisor Presence On Windows 10 - Daax Rynd](
* [Windows information gathering using Powershell: a brief cheatsheet - Andrea Fortuna(2019)](
* [Get Process List with Command Line Arguments - mubix(2020)](
* [ What was my IP? Ask DoSvc on Windows 10 - Forense nella Nebbia(2018)](
* [What was my IP? Ask DoSvc on Windows 10 - Forense nella Nebbia(2018)](
* [Windows Event IDs and Others for Situational Awareness - @spotheplanet](
* **Tools**
* [netview](
* Netview enumerates systems using WinAPI calls
@ -3889,10 +4002,13 @@
* [AppInit_DLLs in Windows 7 and Windows Server 2008 R2 -](
* [Alternative psexec: no wmi, services or mof needed - Diablohorn](
* [Poc](
* **BGInfo**
* [Exploiting BGInfo to Infiltrate a Corporate Network - Dolev Taler(2020)](
* **DCOM**
* [Lateral movement using excel application and dcom(2017)](
* [Lateral Movement Using Outlook’s CreateObject Method and DotNetToJScript - Matt Nelson(2017)](
* [New lateral movement techniques abuse DCOM technology - Philip Tsukerman(2018)](
* [Lateral Movement Using internetexplorer.Application Object (COM) - homjxi0e(2018)](
* [Lateral Movement with PowerPoint and DCOM - Attactics(2018)](
* [T1175: Lateral Movement via DCOM - @spotheplanet](
* [I Like to Move It: Windows Lateral Movement Part 2 – DCOM - Dominic Chell(2020)](
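Review bot: the first DCOM entry, `* [Lateral movement using excel application and dcom(2017)](`, carries no author while every sibling in the list follows the `Title - Author(Year)` pattern; add the author to keep the section's attribution convention.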
@ -3929,12 +4045,15 @@
* [Pass the Hash with Kerberos - mubix](
* This blog post may be of limited use, most of the time, when you have an NTLM hash, you also have the tools to use it. But, if you find yourself in a situation where you don’t have the tools and do happen to have kerberos tools, you can pass the hash with it.
* [Pass-The-Hash with RDP in 2019 - Acebond](
* [Named Pipe Pass-the-Hash - s3cur3th1ssh1t(2021)](
* **Tools**
* [smbexec](
* A rapid psexec style attack with samba tools
* [Blogpost that inspired it](
* [pth-toolkit I.e Portable pass the hash toolkit](
* A modified version of the passing-the-hash tool collection designed to be portable and work straight out of the box even on the most 'bare bones' systems
* [SharpNoPSExec](
* Get file less command execution for lateral movement.
* **PS-Remoting**
* **101**
* [Running Remote Commands -](
@ -3950,7 +4069,8 @@
* **Protocol Handler**
* **Articles/Blogposts/Writeups**
* [Lateral movement using URL Protocol - Matt harr0ey](
* **Tools**
* [Attack Surface Analysis - Part 2 - Custom Protocol Handlers - Parsia(2021)](
* **Tools**
* [PoisonHandler](
* This technique is registering a protocol handler remotely and invoke it to execute arbitrary code on the remote host. The idea is to simply invoke start handler:// to execute commands and evade detection.
* **Port-Forwarding & Proxies**
@ -3985,6 +4105,10 @@
* [SharpMove](
* [SCShell](
* SCShell is a fileless lateral movement tool that relies on ChangeServiceConfigA to run commands. The beauty of this tool is that it does not perform authentication against SMB. Everything is performed over DCERPC.
* **ShadowMove**
* [ShadowMove: Lateral Movement by Duplicating Existing Sockets - @spotheplanet](
* [Windows ShadowMove Socket Duplication](
* The tool (/POC) is a simple programming exercise in order to replicate the socket duplication technique explained in [ShadowMove: A Stealthy Lateral Movement Strategy](
* **SMB**
* **Articles/Blogposts/Writeups**
* [Lateral movement: A deep look into PsExec - Daniel Munoz(2018)](
@ -4034,6 +4158,8 @@
* The WMI shell tool that we have developed allows us to execute commands and get their output using only the WMI infrastructure, without any help from other services, like the SMB server. With the wmi-shell tool we can execute commands, upload files and recover Windows passwords remotely using only the WMI service available on port 135.
* [WMIcmd](
* A command shell wrapper using only WMI for Microsoft Windows
* A Bypass Anti-virus Software Lateral Movement Command Execution Tool
* **WSH**
* [Lateral Movement using WSHController/WSHRemote objects (IWSHController and IWSHRemote interfaces) - hexacorn(2018)](
* **(Ab)Using 'Legitimate' Applications already installed**
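Review bot: the added line `* A Bypass Anti-virus Software Lateral Movement Command Execution Tool` is a second description hanging under the WMIcmd entry, which already has one (`A command shell wrapper using only WMI for Microsoft Windows`). It reads like the description of a different tool whose link line was not added with it; either attach it to its own `* [tool](` entry or drop it.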
@ -4057,6 +4183,12 @@
* [Decrypting IIS Passwords to Break Out of the DMZ: Part 1 ](
* [Decrypting IIS Passwords to Break Out of the DMZ: Part 2](
* [Recovering Plaintext Domain Credentials from WPA2 Enterprise on a Compromised Host - zc00l(2018)](
* **Generic**
* [Pillager](
* Pillager is designed to provide a simple means of leveraging Go's strong concurrency model to recursively search directories for sensitive information in files. Pillager does this by standing on the shoulders of a few giants. Once pillager finds files that match the specified pattern, the file is scanned using a series of concurrent workers that each take a line of the file from the job queue and hunt for sensitive pattern matches. The available pattern filters can be defined in a rules.toml file or you can use the default ruleset.
* **Browser**
* [Adamantium-Thief](
* Get chromium based browsers: passwords, credit cards, history, cookies, bookmarks, autofill.
* **CC**
* [SearchForCC](
* A collection of open source/common tools/scripts to perform a system memory dump and/or process memory dump on Windows-based PoS systems and search for unencrypted credit card track data.
@ -4092,7 +4224,6 @@
#### Windows Technologies<a name="wintech"></a>
* **Alternate Data Streams**<a name="wads"></a>
@ -7020,5 +7151,246 @@
* **Unsorted**
* [New method of injection - w4kfu(2011)](
* "I disovered a new method of injection (I don't know if it is really new) in a malware dropped by duqu. So I want to share it with you and as usual write a p0c. Edit : This method is not new, apparently it have been using by game cheats for years, but instead of using ZwUnmapViewOfSection they use FreeLibrary."
* [Disclosure: Another macOS privacy protections bypass - Jeff Johnson(2020)](
* CVE-2019-5514 is a cool RCE in VMware Fusion 11, abusing an unauthenticated REST endpoint running on localhost
* [Offensive MacOS](
* This is a collection of macOS specific tooling, blogs, and other related information for offensive macOS assessments
* [XcodeGhost - Wikipedia](
* [XCSSET Mac Malware: Infects Xcode Projects, Performs UXSS Attack on Safari, Other Browsers, Leverages Zero-day Exploits - Trend Micro(2020)](
3rd Party
Cred Attacks
* **Articles**
* **Tools**
Code Injection
* [insert_dylib](
* Command line utility for inserting a dylib load command into a Mach-O binary
* **Articles/Blogposts/Writeups**
* **Tools**
Defense Evasion
* []()
* [Exploiting XPC in AntiVirus - Csaba Fitz(NullCon2021)](
* In this talk we will publish our research we conducted on 28 different AntiVirus products on macOS through 2020. Our focus was to assess the XPC services these products expose and if they presented any security vulnerabilities. We will talk about the typical issues, and demonstrate plenty of vulnerabilities, which typically led to full control of the given product or local privilege escalation on the system. At the end we will give advice to developers how to write secure XPC services.
* [Mojave’s security “hardening” | User protections could be bypassed - Phil Stokes(2018)]
* Apple Events are blocked depending on origination, could be bypassed using SSH.
* **Articles/Blogposts/Writeups**
* [Always Watching: macOS Eavesdropping – Justin Bui (SO-CON 2020)](
* As macOS becomes more prevalent in modern enterprise environments, red teamers have had to adapt their tradecraft. Input monitoring and screenshots can provide a wealth of information for attacker on any operating system. In this talk, we’ll discuss macOS internals and dive into the various API calls necessary for keylogging, clipboard monitoring, and screenshots. The accompanying source code will be released to GitHub!
* **Tools**
* [Dylib-Hijack-Scanner](
* JavaScript for Automation (JXA) version of Patrick Wardle's tool that searches applications for dylib hijacking opportunities
* **Articles/Blogposts/Writeups**
* **Tools**
* **101**
* **Articles/Blogposts/Writeups**
* **Talks/Presentations/Videos**
* **Tools**
* **Bring-Your-Own-`*`**
* [subhook](
* SubHook is a super-simple hooking library for C and C++ that works on Windows, Linux and macOS. It supports x86 only (32-bit and 64-bit).
* [Function Hooking for Mac OSX and Linux - ](
* [Slides](
* [InjectCheck](
* The tool enumerates the Hardened Runtime, Entitlements, and presence of Electron files to determine possible injection opportunities
* [An Attacker's Perpsective on JAMF Configurations - Luke Roberts, Calum Hall(ObjectiveByTheSeav3)](
* [Jamfing for Joy: Attacking macOS in Enterprise - Calum Hall, Luke Roberts(2020)](
* [PersistentJXA](
* Collection of macOS persistence methods and miscellaneous tools in JXA
* [So You Want To Be A Mach-O Man? - symbolcrash(2019)](
* [Mach-O Universal / Fat Binaries - symbolcrash(2019)](
* [Persistent JXA - Leo Pitt(2020)](
* [Operationalising Calendar Alerts: Persistence on macOS - Luke Roberts(2020)](
* Throughout the following blog post we provide insights into calendar alerts, a method of persisting on macOS. Building on the work of Andy Grant over at NCC (, this post takes deeper look into weaponising the feature for use in offensive operations. This includes reversing to find an undocumented API that enables the technique.
* [Hey, I'm Still In Here: An Overview of macOS Persistence Techniques – Leo Pitt (SO-CON 2020)](
* There is more to macOS persistence than Launch Agents. This talk goes over some lesser utilized macOS persistence methods. We will walk through how these methods work, how automation can be leveraged to quickly execute these from an offensive perspective, and how defenders can leverage indicators of these methods to assist in detection efforts.
* Finder plugins
* **Tools**
* [CalendarPersist](
* JXA script to allow programmatic persistence via macOS alerts.
Unpacking Pkgs: A Look Inside Macos Installer Packages And Common Security Flaws - Andy Grant
* [macos_execute_from_memory](
Privileged Helper Tools
* [Unauthd - Logic bugs FTW - A2nkF(2020)](
* [Privilege Escalation | macOS Malware & The Path to Root Part 2 - Phil Stokes(2019)](
URL Schemes
* [Custom_URL_Scheme](
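Review bot: the new macOS material mixes plain-text section names (`3rd Party`, `Cred Attacks`, `Code Injection`, `Defense Evasion`, `Unpacking Pkgs: ...`, `Privileged Helper Tools`, `URL Schemes`) into a file that otherwise uses `* **Heading**` list items, so these render as stray paragraphs instead of headings; convert them to the existing convention. Several other problems in this hunk should be cleaned before merge: the empty placeholder `* []()`; the Mojave entry `* [Mojave's security "hardening" ... - Phil Stokes(2018)]` lacks the `(` that opens its link; the description `CVE-2019-5514 is a cool RCE in VMware Fusion 11 ...` sits under the Jeff Johnson macOS privacy protections bypass entry and does not appear to describe it; `Persistent JXA` appears twice (the PersistentJXA tool entry and the Leo Pitt blog entry); the `Function Hooking for Mac OSX and Linux - ](` entry has no author; and two back-to-back blocks of empty `**Articles/Blogposts/Writeups**` / `**Tools**` / `**101**` / `**Talks/Presentations/Videos**` headings carry no entries. There is also a typo in `An Attacker's Perpsective on JAMF Configurations` (should be `Perspective`).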