
Basic sorted

pull/24/head
rmusser01 3 years ago
parent
commit
de0a0deafc
1 changed files with 152 additions and 185 deletions
  1. +152 -185 Draft/sysinternals.md

Draft/sysinternals.md

@ -17,189 +17,10 @@
##### To Do:
* Fix ToC so its accurate
* Split sections into reference material and writeup material(quick vs long reference)
* Split sections into reference material and writeup material(quick vs long reference)
* Further categorize sections (network vs memory vs exploit mitigations vs feature)
* [SetProcessMitigationPolicy function - docs.ms](https://docs.microsoft.com/en-us/windows/desktop/api/processthreadsapi/nf-processthreadsapi-setprocessmitigationpolicy)
* Sets a mitigation policy for the calling process. Mitigation policies enable a process to harden itself against various types of attacks.
[GetProcessMitigationPolicy function - docs.ms](https://docs.microsoft.com/en-us/windows/desktop/api/processthreadsapi/nf-processthreadsapi-getprocessmitigationpolicy)
* Retrieves mitigation policy settings for the calling process.
* [Introduction to Paging - Philipp Oppermann](https://os.phil-opp.com/paging-introduction/)
* [Windows Defender Advanced Threat Protection - docs.ms](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection)
* [Windows Defender ATP data storage and privacy - docs.ms](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection)
* This document explains the data storage and privacy details related to Windows Defender ATP
* [Thread-local storage - Wikipedia](https://en.wikipedia.org/wiki/Thread-local_storage)
* [SSP Packages Provided by Microsoft - docs.ms](https://docs.microsoft.com/en-us/windows/desktop/SecAuthN/ssp-packages-provided-by-microsoft)
* [Microsoft Digest SSP - docs.ms](https://docs.microsoft.com/en-us/windows/desktop/SecAuthN/microsoft-digest-ssp)
* Microsoft Digest is a security support provider (SSP) that implements the Digest Access protocol, a lightweight authentication protocol for parties involved in Hypertext Transfer Protocol (HTTP) or Simple Authentication Security Layer (SASL) based communications. Microsoft Digest provides a simple challenge response mechanism for authenticating clients. This SSP is intended for use by client/server applications using HTTP or SASL based communications.
https://xinu.cs.purdue.edu/
https://github.com/mit-pdos/xv6-public
http://pages.cs.wisc.edu/~remzi/OSTEP/
http://man7.org/tlpi/
https://wiki.osdev.org/Expanded_Main_Page
https://www.haiku-os.org/
https://devblogs.microsoft.com/commandline/learn-about-windows-console-and-windows-subsystem-for-linux-wsl/
https://j00ru.vexillium.org/syscalls/nt/64/
* [User Account Control: Inside Windows 7 User Account Control - Mark Russinovich](https://docs.microsoft.com/en-us/previous-versions/technet-magazine/dd822916(v=msdn.10))
http://arno.org/arnotify/2006/10/on-the-origins-of-ds_store/
https://0day.work/parsing-the-ds_store-file-format/
https://en.internetwache.org/scanning-the-alexa-top-1m-for-ds-store-files-12-03-2018/
* [Introducing the Office (2007) Open XML File Formats
- docs.ms](https://docs.microsoft.com/en-us/previous-versions/office/developer/office-2007/aa338205(v=office.12)#office2007aboutnewfileformat_structureoftheofficexmlformats)
* [SSP Packages Provided by Microsoft - docs.ms](https://docs.microsoft.com/en-us/windows/desktop/SecAuthN/ssp-packages-provided-by-microsoft)
File Locking
* https://lwn.net/Articles/317814/
OOM
* https://linux-mm.org/OOM_Killer
* https://unix.stackexchange.com/questions/153585/how-does-the-oom-killer-decide-which-process-to-kill-first
* https://www.memset.com/docs/additional-information/oom-killer/
* https://www.kernel.org/doc/gorman/html/understand/understand016.html
* https://stackoverflow.com/questions/9199731/understanding-the-linux-oom-killers-logs
* https://static.lwn.net/kerneldoc/admin-guide/mm/concepts.html
* https://serverfault.com/questions/134669/how-to-diagnose-causes-of-oom-killer-killing-processes
* http://eloquence.marxmeier.com/sdb/html/linux_limits.html
* http://bl0rg.krunch.be/oom-frag.html
* https://stackoverflow.com/questions/17935873/malloc-fails-when-there-is-still-plenty-of-swap-left
* https://serverfault.com/questions/724469/rsync-triggered-linux-oom-killer-on-a-single-50-gb-file/724518#724518
* https://www.oracle.com/technetwork/articles/servers-storage-dev/oom-killer-1911807.html
https://www.vergiliusproject.com/
https://www.tarlogic.com/en/blog/how-kerberos-works/
* [chcp](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/chcp)
* Changes the active console code page. If used without parameters, chcp displays the number of the active console code page.
https://techcommunity.microsoft.com/t5/Windows-Kernel-Internals/Windows-Sandbox/ba-p/301849
* [Secure Channel - docs.ms](https://docs.microsoft.com/en-us/windows/desktop/SecAuthN/secure-channel)
* Secure Channel, also known as Schannel, is a security support provider (SSP) that contains a set of security protocols that provide identity authentication and secure, private communication through encryption. Schannel is primarily used for Internet applications that require secure Hypertext Transfer Protocol (HTTP) communications.
* [Know your Windows Processes or Die Trying(2014) - sysforensics.org](https://web.archive.org/web/20140209004217/https://sysforensics.org/2014/01/know-your-windows-processes.html)
* [Fibers - docs.ms](https://docs.microsoft.com/en-us/windows/win32/procthread/fibers)
* [Using Fibers](https://docs.microsoft.com/en-us/windows/win32/procthread/using-fibers)
* [NUMA Support - docs.ms](https://docs.microsoft.com/en-us/windows/win32/procthread/numa-support)
* [Standard ECMA-335 Common Language Infrastructure (CLI) 6th ed- ECMA](https://www.ecma-international.org/publications/standards/Ecma-335.htm)
* [The NTLM Authentication Protocol and Security Support Provider - davenport.sourceforge.net](http://davenport.sourceforge.net/ntlm.html)
* [What are the undocumented features and limitations of the Windows FINDSTR command? - StackOverflow](https://stackoverflow.com/questions/8844868/what-are-the-undocumented-features-and-limitations-of-the-windows-findstr-comman)
* [Remote Procedure Call (RPC) - cio-wiki.org](https://cio-wiki.org/wiki/Remote_Procedure_Call_(RPC))
* [Remote Procedure Call - Wikipedia](https://en.wikipedia.org/wiki/Remote_procedure_call)
* **Constrained-Language Mode**
* [PowerShell Constrained Language Mode - devblogs.ms](https://devblogs.microsoft.com/powershell/powershell-constrained-language-mode/)
* **Logging**
* [About Eventlogs(PowerShell) - docs.ms](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_eventlogs?view=powershell-5.1)
* [Script Tracing and Logging - docs.ms](https://docs.microsoft.com/en-us/powershell/wmf/whats-new/script-logging)
* [Remote Procedure Calls - Paul Krzyzanowski](https://www.cs.rutgers.edu/~pxk/417/notes/08-rpc.html)
* [What is RPC and why is it so important?(windows) - StackOverflow](https://superuser.com/questions/616098/what-is-rpc-and-why-is-it-so-important)
* [How RPC Works - docs.ms](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc738291(v=ws.10))
* [RPC Components - docs.ms](https://docs.microsoft.com/en-us/windows/desktop/Rpc/microsoft-rpc-components)
* [Kerberos.NET](https://github.com/SteveSyfuhs/Kerberos.NET)
https://devblogs.microsoft.com/commandline/learn-about-windows-console-and-windows-subsystem-for-linux-wsl/
* [The COM Library - docs.ms](https://docs.microsoft.com/en-us/windows/win32/com/the-com-library)
* [Security in COM - docs.ms](https://docs.microsoft.com/en-us/windows/win32/com/security-in-com)
* [Remote Procedure Call - IBM Knowledgebase](https://www.ibm.com/support/knowledgecenter/en/ssw_aix_71/com.ibm.aix.progcomc/ch8_rpc.htm)
* [Remote Procedure Calls (RPC) - users.cs.cf.ac.uk](https://users.cs.cf.ac.uk/Dave.Marshall/C/node33.html)
* [CLSID Key - docs.ms](https://docs.microsoft.com/en-us/windows/desktop/com/clsid-key-hklm)
* A CLSID is a globally unique identifier that identifies a COM class object. If your server or container allows linking to its embedded objects, you need to register a CLSID for each supported class of objects.
* The CLSID key contains information used by the default COM handler to return information about a class when it is in the running state.
* [COM Fundamentals - docs.ms](https://docs.microsoft.com/en-us/windows/desktop/com/com-fundamentals)
* [Executing Macros From a DOCX With Remote Template Injection - redxorblue.com](http://blog.redxorblue.com/2018/07/executing-macros-from-docx-with-remote.html)
* [LM, NTLM, Net-NTLMv2, oh my! - Peter Gombos](https://medium.com/@petergombos/lm-ntlm-net-ntlmv2-oh-my-a9b235c58ed4)
* [ Microsoft Office – NTLM Hashes via Frameset - netbiosX](https://pentestlab.blog/2017/12/18/microsoft-office-ntlm-hashes-via-frameset/)
* [SMB/HTTP Auth Capture via SCF File - mubix](https://room362.com/post/2016/smb-http-auth-capture-via-scf/)
* [Places of Interest in Stealing NetNTLM Hashes - Osanda Malith](https://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes/)
* [Microsoft Word – UNC Path Injection with Image Linking - Thomas Elling](https://blog.netspi.com/microsoft-word-unc-path-injection-image-linking/)
* [Creating a service using sc.exe](https://support.microsoft.com/en-us/help/251192/how-to-create-a-windows-service-by-using-sc-exe)
Windows Authentication
* [Windows Authentication Overview - docs.ms](https://docs.microsoft.com/en-us/windows-server/security/windows-authentication/windows-authentication-overview)
* [Windows Authentication Architecture - docs.ms](https://docs.microsoft.com/en-us/windows-server/security/windows-authentication/windows-authentication-architecture)
* [Windows Authentication Technical Overview - docs.ms](https://docs.microsoft.com/en-us/windows-server/security/windows-authentication/windows-authentication-technical-overview)
* [Security Support Provider Interface Architecture - docs.ms](https://docs.microsoft.com/en-us/windows-server/security/windows-authentication/security-support-provider-interface-architecture)
* [Group Policy Settings Used in Windows Authentication - docs.ms](https://docs.microsoft.com/en-us/windows-server/security/windows-authentication/group-policy-settings-used-in-windows-authentication)
* [Windows Logon and Authentication Technical Overview - docs.ms](https://docs.microsoft.com/en-us/windows-server/security/windows-authentication/group-policy-settings-used-in-windows-authentication)
* [Windows Logon and Authentication Technical Overview - docs.ms](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dn169017(v=ws.10))
Accounts
* [AD Accounts - docs.ms](https://technet.microsoft.com/itpro/windows/keep-secure/active-directory-accounts)
* [AD Security Groups](https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups)
* [Microsoft Accounts - docs.ms](https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/microsoft-accounts)
* [Service Accounts - docs.ms](https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/service-accounts)
* [Special Identities - docs.ms](https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/special-identities)
* [Group Managed Service Accounts Overview - docs.ms](https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview)
* [Managed Service Accounts - docs.ms](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd378925(v=ws.10))
* [Getting Started with Group Managed Service Accounts - docs.ms](https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/getting-started-with-group-managed-service-accounts)
* [Managed Service Accounts - docs.ms](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd378925(v=ws.10))
* [Managed Service Accounts - docs.ms](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ff641731(v=ws.10))
* [Service Accounts Step-by-Step Guide - docs.ms](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd548356(v=ws.10))
Logon
* [Windows Logon Scenarios - docs.ms](https://docs.microsoft.com/en-us/windows-server/security/windows-authentication/windows-logon-scenarios)
AD
* [How Domain and Forest Trusts Work - docs.ms](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc773178(v=ws.10))
*
Kerberos
* [Kerberos Authentication Overview - docs.ms](https://docs.microsoft.com/en-us/windows-server/security/kerberos/kerberos-authentication-overview)
https://googleprojectzero.blogspot.com/2019/08/down-rabbit-hole.html
https://web.archive.org/web/20060904080018/http://security.tombom.co.uk/shatter.html
https://web.archive.org/web/20170614215931/http://mattwarren.org:80/2017/02/07/The-68-things-the-CLR-does-before-executing-a-single-line-of-your-code/
http://morningcoffee.io/killing-a-process-and-all-of-its-descendants.html
https://jugad2.blogspot.com/2008/09/unix-one-liner-to-kill-hanging-firefox.html?m=1
* [The Windows Research Kernel AKA WRK](https://github.com/Zer0Mem0ry/ntoskrnl)
* Is a part of the source code of the actual windows NT Kernel. WRK is designed for academic uses and research, by no means it can be used for commercial purposes.
https://github.com/dotnet/coreclr/blob/master/Documentation/project-docs/clr-configuration-knobs.md
https://web.archive.org/web/20170411184849/https://github.com/dotnet/coreclr/blob/master/Documentation/project-docs/clr-configuration-knobs.md
https://docs.microsoft.com/en-us/windows/win32/adsi/active-directory-service-interfaces-adsi
---------------------
## <a name="general">General Internals</a>
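Review bot: the To Do list that survives this hunk still carries a duplicated item, `* Split sections into reference material and writeup material(quick vs long reference)` appears twice in a row, and `* Fix ToC so its accurate` should read `it's`; drop the duplicate and fix the typo while the block is being touched. The bigger point is that a number of the raw URLs cleared out of this staging block do not reappear under any section elsewhere in the diff: the xinu/xv6/OSTEP/TLPI/osdev/Haiku operating-systems links, the File Locking and OOM killer set, the .DS_Store format posts, the j00ru NT syscall table, the Project Zero "down the rabbit hole" and shatter-attack write-ups, the WRK and coreclr configuration-knob links, chcp, Windows Sandbox, ECMA-335, the davenport NTLM page, Kerberos.NET, the NetNTLM-capture posts, and the sc.exe service article. If the commit is only meant to sort, these should land in a section (or a General/Linux bucket) rather than fall out of the document; if dropping them is intended, the commit message should say so.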
@ -211,7 +32,7 @@ https://docs.microsoft.com/en-us/windows/win32/adsi/active-directory-service-int
* [duartes.org - internals](http://duartes.org/gustavo/blog/category/internals/)
* [The little book about OS development](https://littleosbook.github.io/)
* [How to Make a Computer Operating System in C++](https://github.com/SamyPesse/How-to-Make-a-Computer-Operating-System)
* [Introduction to Paging - Philipp Oppermann](https://os.phil-opp.com/paging-introduction/)
---------------------
## <a name="winref">Windows Reference</a>
@ -237,6 +58,18 @@ https://docs.microsoft.com/en-us/windows/win32/adsi/active-directory-service-int
* **Access Control**
* [Mandatory Integrity Control](https://msdn.microsoft.com/en-gb/library/windows/desktop/bb648648(v=vs.85).aspx)
* [Windows Access Control Demystified](http://citeseerx.ist.psu.edu/viewdoc/download;jsessionid=E1A09F166B29C17D2CD38C70A02576E4?doi=10.1.1.88.1930&rep=rep1&type=pdf)
* **Accounts**
* [AD Accounts - docs.ms](https://technet.microsoft.com/itpro/windows/keep-secure/active-directory-accounts)
* [AD Security Groups](https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups)
* [Microsoft Accounts - docs.ms](https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/microsoft-accounts)
* [Service Accounts - docs.ms](https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/service-accounts)
* [Special Identities - docs.ms](https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/special-identities)
* [Group Managed Service Accounts Overview - docs.ms](https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview)
* [Managed Service Accounts - docs.ms](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd378925(v=ws.10))
* [Getting Started with Group Managed Service Accounts - docs.ms](https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/getting-started-with-group-managed-service-accounts)
* [Managed Service Accounts - docs.ms](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd378925(v=ws.10))
* [Managed Service Accounts - docs.ms](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ff641731(v=ws.10))
* [Service Accounts Step-by-Step Guide - docs.ms](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd548356(v=ws.10))
* **Active Directory**
* [Active Directory Architecture](https://technet.microsoft.com/en-us/library/bb727030.aspx)
* [AD Local Domain groups, Global groups and Universal groups.](https://ss64.com/nt/syntax-groups.html)
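Review bot: the Accounts block added here lists the same `Managed Service Accounts - docs.ms` entry (dd378925) twice and a third entry with an identical title but a different page id (ff641731); keep one dd378925 line and give the ff641731 line a title that distinguishes it so a reader can tell which page is which. `* [AD Security Groups](...)` is also the only entry in the block without the `- docs.ms` source suffix its neighbours use.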
@ -247,6 +80,11 @@ https://docs.microsoft.com/en-us/windows/win32/adsi/active-directory-service-int
* [How the Data Store Works - technet.ms](https://technet.microsoft.com/en-us/library/cc772829%28v=ws.10%29.aspx)
* [KCC and Topology Generation - technet.ms](https://technet.microsoft.com/en-us/library/cc961781.aspx?f=255&MSPPError=-2147217396)
* The KCC is a built-in process that runs on all domain controllers. It is a dynamic-link library that modifies data in the local directory in response to systemwide changes, which are made known to the KCC by changes to the data within Active Directory. The KCC generates and maintains the replication topology for replication within sites and between sites.
* [How Domain and Forest Trusts Work - docs.ms](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc773178(v=ws.10))
* **Advanced Threat Protection(ATP)**
* [Windows Defender Advanced Threat Protection - docs.ms](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection)
* [Windows Defender ATP data storage and privacy - docs.ms](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection)
* This document explains the data storage and privacy details related to Windows Defender ATP
* **Alternate Data Streams**
* [Kurt Seifried Security Advisory 003 (KSSA-003)](https://seifried.org/security/advisories/kssa-003.html)
* [NTFS Alternate Data Streams - winitor](https://www.winitor.com/pdf/NtfsAlternateDataStreams.pdf)
@ -260,15 +98,33 @@ https://docs.microsoft.com/en-us/windows/win32/adsi/active-directory-service-int
* [AppContainer Isolation](https://msdn.microsoft.com/en-us/library/windows/desktop/mt595898(v=vs.85).aspx)
* **Application Shims**
* [Application Shims](https://technet.microsoft.com/en-us/library/dd837644%28v=ws.10%29.aspx)
* **Authentication**
Windows Authentication
* [Windows Authentication Overview - docs.ms](https://docs.microsoft.com/en-us/windows-server/security/windows-authentication/windows-authentication-overview)
* [Windows Authentication Architecture - docs.ms](https://docs.microsoft.com/en-us/windows-server/security/windows-authentication/windows-authentication-architecture)
* [Windows Authentication Technical Overview - docs.ms](https://docs.microsoft.com/en-us/windows-server/security/windows-authentication/windows-authentication-technical-overview)
* [Group Policy Settings Used in Windows Authentication - docs.ms](https://docs.microsoft.com/en-us/windows-server/security/windows-authentication/group-policy-settings-used-in-windows-authentication)
* [Windows Logon and Authentication Technical Overview(Win10) - docs.ms](https://docs.microsoft.com/en-us/windows-server/security/windows-authentication/group-policy-settings-used-in-windows-authentication)
* [Windows Logon and Authentication Technical Overview(Server08R2) - docs.ms](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dn169017(v=ws.10))
* **Authenticode**
* [Authenticode - MSDN](https://msdn.microsoft.com/en-us/library/ms537359(v=vs.85).aspx)
* Microsoft Authenticode, which is based on industry standards, allows developers to include information about themselves and their code with their programs through the use of digital signatures.
* **AutoStart Locations**
* [Collection of Windows Autostart locations](http://gladiator-antivirus.com/forum/index.php?showtopic=24610)
* [Windows Program Automatic Startup Locations](http://www.bleepingcomputer.com/tutorials/windows-program-automatic-startup-locations/)
* **Component Object Model**
* **(Distributed) Component Object Model**
* [The Component Object Model](https://msdn.microsoft.com/library/ms694363.aspx)
* [Minimal COM object registration](https://blogs.msdn.microsoft.com/larryosterman/2006/01/05/minimal-com-object-registration/)
* [CLSID Key - docs.ms](https://docs.microsoft.com/en-us/windows/desktop/com/clsid-key-hklm)
* A CLSID is a globally unique identifier that identifies a COM class object. If your server or container allows linking to its embedded objects, you need to register a CLSID for each supported class of objects.
* The CLSID key contains information used by the default COM handler to return information about a class when it is in the running state.
* [COM Fundamentals - docs.ms](https://docs.microsoft.com/en-us/windows/desktop/com/com-fundamentals)
* [The COM Library - docs.ms](https://docs.microsoft.com/en-us/windows/win32/com/the-com-library)
* [Security in COM - docs.ms](https://docs.microsoft.com/en-us/windows/win32/com/security-in-com)
* [Scripting(COM) - thrysoee.dk](https://web.archive.org/web/20160826221656/http://thrysoee.dk:80/InsideCOM+/ch05e.htm)
* [[MS-DCOM]: Distributed Component Object Model (DCOM) Remote Protocol - msdn.ms](https://msdn.microsoft.com/en-us/library/cc226801.aspx)
* [DCOM Overview - active-undelete.com](http://active-undelete.com/dcom-overview.htm)
* [Active Directory Service Interfaces - docs.ms](https://docs.microsoft.com/en-us/windows/win32/adsi/active-directory-service-interfaces-adsi)
* **Credential Provider**
* [Credential Providers in Windows 10 - msdn](https://msdn.microsoft.com/en-us/library/windows/desktop/mt158211(v=vs.85).aspx)
* [ICredentialProvider interface - msdn](https://msdn.microsoft.com/en-us/library/bb776042(v=vs.85).aspx)
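Review bot: under `* **Authentication**` the bare line `Windows Authentication` is not a bullet, so it breaks the nested list when rendered; either drop it or fold it into the heading. The `Windows Logon and Authentication Technical Overview(Win10) - docs.ms` entry links to the same `group-policy-settings-used-in-windows-authentication` page as the Group Policy entry directly above it, so one of those two URLs is wrong. The hunk also shows `* **Component Object Model**` and `* **(Distributed) Component Object Model**` headings back to back; only the renamed one should survive. Finally, `Active Directory Service Interfaces - docs.ms` is an AD programming interface rather than a COM topic and reads better under **Active Directory**.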
@ -301,6 +157,9 @@ https://docs.microsoft.com/en-us/windows/win32/adsi/active-directory-service-int
* [Antimalware Scan Interface Reference](https://msdn.microsoft.com/en-us/library/windows/desktop/dn889588)
* prevents certain kinds of powershell attacks
* [Compiler Security Checks In Depth - MSDN Library](https://msdn.microsoft.com/library/aa290051.aspx)
* **File Formats**
* [[MS-CFB]: Compound File Binary File Format - docs.ms](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-cfb/53989ce4-7b05-4f8d-829b-d08d6148375b)
* Specifies the Compound File Binary File Format, a general-purpose file format that provides a file-system-like structure within a file for the storage of arbitrary, application-specific streams of data.
* **Group Policy**
* [Group Policy - Wikipedia](https://en.wikipedia.org/wiki/Group_Policy)
* **Guarded Fabric/Shielded VMs**
@ -316,17 +175,26 @@ https://docs.microsoft.com/en-us/windows/win32/adsi/active-directory-service-int
* **Kerberos**
* [Kerberos Delegation, SPNs and More...](https://www.coresecurity.com/blog/kerberos-delegation-spns-and-more)
* [Article Explaining what the KRBTGT account in AD is](http://windowsitpro.com/security/q-what-krbtgt-account-used-active-directory-ad-environment)
* [Kerberos Authentication Overview - docs.ms](https://docs.microsoft.com/en-us/windows-server/security/kerberos/kerberos-authentication-overview)
* [Kerberos (I): How does Kerberos work? – Theory - Eloy Perez](https://www.tarlogic.com/en/blog/how-kerberos-works/)
* [Explain like I’m 5: Kerberos - Lynn Roots](https://www.roguelynn.com/words/explain-like-im-5-kerberos/)
* **Kernel**
* [Inside the Windows Vista Kernel: Part 1](http://technet.microsoft.com/en-us/magazine/2007.02.vistakernel.aspx)
* **Lightweight Directory Access Protocol**
* [Lightweight Directory Access Protocol (v3) - RFC 2251](https://www.ietf.org/rfc/rfc2251.txt)
* **Linux Subsystem**
* [Learn About Windows Console & Windows Subsystem For Linux (WSL) - devblogs.ms](https://devblogs.microsoft.com/commandline/learn-about-windows-console-and-windows-subsystem-for-linux-wsl/)
* **Local Security Authority**
* [LSA Authentication](https://msdn.microsoft.com/en-us/library/windows/desktop/aa378326%28v=vs.85%29.aspx)
* LSA Authentication describes the parts of the Local Security Authority (LSA) that applications can use to authenticate and log users on to the local system. It also describes how to create and call authentication packages and security packages.
* **Logon**
* [Windows Logon Scenarios - docs.ms](https://docs.microsoft.com/en-us/windows-server/security/windows-authentication/windows-logon-scenarios)
* **Memory**
* [Pushing the Limits of Windows: Virtual Memory](http://blogs.technet.com/b/markrussinovich/archive/2008/11/17/3155406.aspx)
* [Memory Translation and Segmentation](http://duartes.org/gustavo/blog/post/memory-translation-and-segmentation/)
* [Exploring Windows virtual memory management](http://www.triplefault.io/2017/08/exploring-windows-virtual-memory.html)
* **MS Office**
* [Introducing the Office (2007) Open XML File Formats - docs.ms](https://docs.microsoft.com/en-us/previous-versions/office/developer/office-2007/aa338205(v=office.12)#office2007aboutnewfileformat_structureoftheofficexmlformats)
* **Named Pipes**
* [Named Pipes](https://msdn.microsoft.com/en-us/library/windows/desktop/aa365590(v=vs.85).aspx)
* [CreateNamedPipe function](https://msdn.microsoft.com/en-us/library/windows/desktop/aa365150(v=vs.85).aspx)
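Review bot: `Explain like I'm 5: Kerberos - Lynn Roots` misspells the author; the roguelynn.com post is by Lynn Root. The new single-entry **Logon** section (Windows Logon Scenarios) overlaps with **Authentication**, which already lists the Windows Logon and Authentication Technical Overview pages, so merging it there keeps logon material in one place. Likewise the one-entry **MS Office** section holds only the Open XML file-format page, which would sit naturally under **File Formats** next to MS-CFB, the container format the older Office binaries use.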
@ -352,9 +220,16 @@ https://docs.microsoft.com/en-us/windows/win32/adsi/active-directory-service-int
* **Powershell**
* [Understanding the Windows PowerShell Pipeline - docs.ms](https://docs.microsoft.com/en-us/powershell/scripting/getting-started/fundamental/understanding-the-windows-powershell-pipeline?view=powershell-5.1)
* [PowerShell Language Modes - docs.ms](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_language_modes?view=powershell-5.1)
* [PowerShell - docs.ms](https://docs.microsoft.com/en-us/powershell/scripting/overview?view=powershell-6)
* **Constrained-Language Mode**
* [PowerShell Constrained Language Mode - devblogs.ms](https://devblogs.microsoft.com/powershell/powershell-constrained-language-mode/)
* **Logging**
* [About Eventlogs(PowerShell) - docs.ms](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_eventlogs?view=powershell-5.1)
* [Script Tracing and Logging - docs.ms](https://docs.microsoft.com/en-us/powershell/wmf/whats-new/script-logging)
* **Printing**
* [[MS-SAMR]: Security Account Manager (SAM) Remote Protocol (Client-to-Server)](https://msdn.microsoft.com/en-us/library/cc245476.aspx)
* Specifies the Security Account Manager (SAM) Remote Protocol (Client-to-Server), which supports printing and spooling operations that are synchronous between client and server.
* [[MS-RPRN]: Print System Remote Protocol - docs.ms](https://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/)
* **Processes/Threads**
* [About Processes and Threads](https://msdn.microsoft.com/en-us/library/windows/desktop/ms681917%28v=vs.85%29.aspx)
* [TechNet Library: About Processes and Threads](https://msdn.microsoft.com/en-us/library/windows/desktop/ms681917%28v=vs.85%29.aspx)
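Review bot: the `[[MS-RPRN]: Print System Remote Protocol - docs.ms]` entry links to harmj0y's domain-trust blog post rather than the MS-RPRN specification, so the URL needs replacing with the openspecs/windows_protocols page, the same path style the MS-CFB entry earlier in this diff uses. The `[MS-SAMR]` line above it is misfiled as well: its description ("supports printing and spooling operations") is the MS-RPRN summary, and SAMR is the Security Account Manager protocol, which does not belong under **Printing**. The `**Constrained-Language Mode**` and `**Logging**` subsections under **Powershell** use the same bold-bullet style as the top-level headings, so the nesting is invisible once rendered; indent them one level.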
@ -369,6 +244,16 @@ https://docs.microsoft.com/en-us/windows/win32/adsi/active-directory-service-int
* [Know your Windows Processes or Die Trying](https://sysforensics.org/2014/01/know-your-windows-processes.html)
* Excellent quick reference on Windows proccesses with a focus on Win7. Good resource.
* [Unkillable Processes](https://blogs.technet.microsoft.com/markrussinovich/2005/08/17/unkillable-processes/)
* [SetProcessMitigationPolicy function - docs.ms](https://docs.microsoft.com/en-us/windows/desktop/api/processthreadsapi/nf-processthreadsapi-setprocessmitigationpolicy)
* Sets a mitigation policy for the calling process. Mitigation policies enable a process to harden itself against various types of attacks.
* [GetProcessMitigationPolicy function - docs.ms](https://docs.microsoft.com/en-us/windows/desktop/api/processthreadsapi/nf-processthreadsapi-getprocessmitigationpolicy)
* Retrieves mitigation policy settings for the calling process.
* [Know your Windows Processes or Die Trying(2014) - sysforensics.org](https://web.archive.org/web/20140209004217/https://sysforensics.org/2014/01/know-your-windows-processes.html)
* [Fibers - docs.ms](https://docs.microsoft.com/en-us/windows/win32/procthread/fibers)
* [Using Fibers](https://docs.microsoft.com/en-us/windows/win32/procthread/using-fibers)
* [PE-Runtime-Data-Structures](https://github.com/JeremyBlackthorne/PE-Runtime-Data-Structures)
* Originally posted by me in 2013: http://uncomputable.blogspot.com/2013/08/pe-runtime-data-structures-v1.html, just migrating it to a better home. This is a diagram of PE runtime data structures created using WinDbg and OmniGraffle. I have included jpg and PDF versions in the repository. I was inspired by Ero Carrera's [1](http://blog.dkbza.org/2012/08/pe-file-format-graphs.html) diagrams and Corkami [2](https://code.google.com/p/corkami/). I made this diagram because I was teaching myself Windows data structures and was unsatisfied with what was out there. The information for these structures was obtained from WinDbg and Windows Internals 6 by Russinovich, Solomon, and Ionescu [Windows Internals].
* [Thread-local storage - Wikipedia](https://en.wikipedia.org/wiki/Thread-local_storage)
* **Prefetch**
* [WinPrefetchView v1.25](http://www.nirsoft.net/utils/win_prefetch_view.html)
* Each time that you run an application in your system, a Prefetch file which contains information about the files loaded by the application is created by Windows operating system. The information in the Prefetch file is used for optimizing the loading time of the application in the next time that you run it. WinPrefetchView is a small utility that reads the Prefetch files stored in your system and display the information stored in them. By looking in these files, you can learn which files every application is using, and which files are loaded on Windows boot.
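Review bot: `Know your Windows Processes or Die Trying` now appears twice in this block, once with the live sysforensics.org URL and once with the 2014 web.archive.org capture; keep a single entry that carries the archive link and the one-line description. `proccesses` in that description is misspelled, and `Using Fibers` is missing the `- docs.ms` suffix of the Fibers entry next to it.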
@ -376,12 +261,36 @@ https://docs.microsoft.com/en-us/windows/win32/adsi/active-directory-service-int
* [What registry entries are needed to register a COM object.](https://blogs.msdn.microsoft.com/larryosterman/2006/01/11/what-registry-entries-are-needed-to-register-a-com-object/)
* [Authentication Registry Keys - msdn](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374737(v=vs.85).aspx)
* When it installs a network provider, your application should create the registry keys and values described in this topic. These keys and values provide information to the MPR about the network providers installed on the system. The MPR checks these keys when it starts and loads the network provider DLLs that it finds.
* **RPC**
* [Remote Procedure Call - IBM Knowledgebase](https://www.ibm.com/support/knowledgecenter/en/ssw_aix_71/com.ibm.aix.progcomc/ch8_rpc.htm)
* [Remote Procedure Calls (RPC) - users.cs.cf.ac.uk](https://users.cs.cf.ac.uk/Dave.Marshall/C/node33.html)
* [Remote Procedure Call (RPC) - cio-wiki.org](https://cio-wiki.org/wiki/Remote_Procedure_Call_(RPC))
* [Remote Procedure Call - Wikipedia](https://en.wikipedia.org/wiki/Remote_procedure_call)
* [Remote Procedure Calls - Paul Krzyzanowski](https://www.cs.rutgers.edu/~pxk/417/notes/08-rpc.html)
* [What is RPC and why is it so important?(windows) - StackOverflow](https://superuser.com/questions/616098/what-is-rpc-and-why-is-it-so-important)
* [How RPC Works - docs.ms](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc738291(v=ws.10))
* [RPC Components - docs.ms](https://docs.microsoft.com/en-us/windows/desktop/Rpc/microsoft-rpc-components)
* **Sandboxing**
* [Advanced Desktop Application Sandboxing via AppContainer](https://www.malwaretech.com/2015/09/advanced-desktop-application-sandboxing.html)
* [Usermode Sandboxing](http://www.malwaretech.com/2014/10/usermode-sandboxing.html)
* **Scripting Host**
* [wscript - docs.ms](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wscript)
* Windows Script Host provides an environment in which users can execute scripts in a variety of languages that use a variety of object models to perform tasks.
* **Security Descriptor Definition Language**
* [The Security Descriptor Definition Language of Love (Part 1) - technet.ms](https://blogs.technet.microsoft.com/askds/2008/04/18/the-security-descriptor-definition-language-of-love-part-1/)
* [The Security Descriptor Definition Language of Love (Part 2) - technet.ms](https://blogs.technet.microsoft.com/askds/2008/05/07/the-security-descriptor-definition-language-of-love-part-2/)
* [SECURITY_DESCRIPTOR_CONTROL - docs.ms](https://docs.microsoft.com/en-us/windows/win32/secauthz/security-descriptor-control?redirectedfrom=MSDN)
* The SECURITY_DESCRIPTOR_CONTROL data type is a set of bit flags that qualify the meaning of a security descriptor or its components. Each security descriptor has a Control member that stores the SECURITY_DESCRIPTOR_CONTROL bits.
* **Security Support Providers**
* [Security Support Provider Interface Architecture - docs.ms](https://docs.microsoft.com/en-us/windows-server/security/windows-authentication/security-support-provider-interface-architecture)
* [SSP Packages Provided by Microsoft - docs.ms](https://docs.microsoft.com/en-us/windows/desktop/SecAuthN/ssp-packages-provided-by-microsoft)
* [Secure Channel - docs.ms](https://docs.microsoft.com/en-us/windows/desktop/SecAuthN/secure-channel)
* Secure Channel, also known as Schannel, is a security support provider (SSP) that contains a set of security protocols that provide identity authentication and secure, private communication through encryption. Schannel is primarily used for Internet applications that require secure Hypertext Transfer Protocol (HTTP) communications.
* [The NTLM Authentication Protocol and Security Support Provider - davenport.sourceforge.net](http://davenport.sourceforge.net/ntlm.html)
* [Microsoft Digest SSP - docs.ms](https://docs.microsoft.com/en-us/windows/desktop/SecAuthN/microsoft-digest-ssp)
* Microsoft Digest is a security support provider (SSP) that implements the Digest Access protocol, a lightweight authentication protocol for parties involved in Hypertext Transfer Protocol (HTTP) or Simple Authentication Security Layer (SASL) based communications. Microsoft Digest provides a simple challenge response mechanism for authenticating clients. This SSP is intended for use by client/server applications using HTTP or SASL based communications.
* **Services**
* [Creating a service using sc.exe](https://support.microsoft.com/en-us/help/251192/how-to-create-a-windows-service-by-using-sc-exe)
* **Service Accounts**
* [Service Account best practices Part 1: Choosing a Service Account](https://4sysops.com/archives/service-account-best-practices-part-1-choosing-a-service-account/)
* In this article you will learn the fundamentals of Windows service accounts. Specifically, we discover the options and best practices concerning the selection of a service account for a particular service application.
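Review bot: the link label on "What is RPC and why is it so important?(windows) - StackOverflow" says StackOverflow but the URL is on superuser.com; fix the label. The SECURITY_DESCRIPTOR_CONTROL URL carries a `?redirectedfrom=MSDN` tracking suffix that the other docs.ms links in this hunk do not; strip it for consistency. The two Sandboxing entries, the "Creating a service using sc.exe" entry and the "Security Support Provider Interface Architecture" entry have no description while their neighbours do, so add a one-liner to each in the same style as the SSP and Digest entries. Style nit: "Scripting Host" is about Windows Script Host (wscript/cscript), so the heading should say so.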
@ -406,8 +315,16 @@ https://docs.microsoft.com/en-us/windows/win32/adsi/active-directory-service-int
* [How Do Windows NT System Calls REALLY Work?](http://www.codeguru.com/cpp/w-p/system/devicedriverdevelopment/article.php/c8035/How-Do-Windows-NT-System-Calls-REALLY-Work.htm)
* [Debugging Functions - msdn](https://msdn.microsoft.com/en-us/library/windows/desktop/ms679303.aspx)
* [Intercepting System Calls on x86_64 Windows](http://jbremer.org/intercepting-system-calls-on-x86_64-windows/)
* **UAC**
* **User Account Control(UAC)**
* [Protecting Windows Networks – UAC - dfirblog.wordpress.com](https://dfirblog.wordpress.com/2015/10/24/protecting-windows-networks-uac/)
* User Account Control - Steven Sinofsky(blogs.msdn)](https://blogs.msdn.microsoft.com/e7/2008/10/08/user-account-control/)
* [Inside Windows Vista User Account Control - docs.ms](https://docs.microsoft.com/en-us/previous-versions/technet-magazine/cc138019(v=msdn.10)?redirectedfrom=MSDN)
* [Inside Windows 7 User Account Control - docs.ms](https://docs.microsoft.com/en-us/previous-versions/technet-magazine/dd822916(v=msdn.10)?redirectedfrom=MSDN)
* [User Account Control - docs.ms](https://docs.microsoft.com/en-us/windows/win32/secauthz/user-account-control)
* [User Account Control Step-by-Step Guide - docs.ms](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc709691(v=ws.10))
* [User Account Control: Inside Windows 7 User Account Control - Mark Russinovich](https://docs.microsoft.com/en-us/previous-versions/technet-magazine/dd822916(v=msdn.10))
* **Volume Shadow Copy Service**
* [About the Volume Shadow Copy Service - docs.ms](https://docs.microsoft.com/en-us/windows/win32/vss/about-the-volume-shadow-copy-service)
* **Windows Filtering Platform**
* [Windows Filtering Platform: Persistent state under the hood](http://blog.quarkslab.com/windows-filtering-platform-persistent-state-under-the-hood.html)
* **Windows Communication Foundation**
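Review bot: the UAC heading is duplicated, `**UAC**` immediately followed by `**User Account Control(UAC)**`; keep one (the spelled-out form, with a space before the parenthesis). The Steven Sinofsky entry is missing its opening `[`, so it renders as literal text rather than a link. The "Inside Windows 7 User Account Control" article (dd822916) is listed twice, once with a `?redirectedfrom=MSDN` suffix and once as "User Account Control: Inside Windows 7 User Account Control - Mark Russinovich"; drop one, keep the author credit on the survivor, and strip the `redirectedfrom` suffix from the Vista article link as well. "Windows Communication Foundation" closes the hunk with no entry beneath it in the diff; confirm the entries that follow it in the file still belong to that heading.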
@ -487,11 +404,23 @@ https://docs.microsoft.com/en-us/windows/win32/adsi/active-directory-service-int
* [Linux GLibC Stack Canary Values](https://xorl.wordpress.com/2010/10/14/linux-glibc-stack-canary-values/)
* [Stack Smashing Protector](http://wiki.osdev.org/Stack_Smashing_Protector)
* [Memory Translation and Segmentation](http://duartes.org/gustavo/blog/post/memory-translation-and-segmentation/)
* **Out-of-Memory(OOM) Killer**
* [Taming the OOM killer - Goldwyn Rodrigues](https://lwn.net/Articles/317814/)
* [OOM_Killer - linux-mm.org](https://linux-mm.org/OOM_Killer)
* [How does the OOM killer decide which process to kill first? - stackexchange](https://unix.stackexchange.com/questions/153585/how-does-the-oom-killer-decide-which-process-to-kill-first)
* [OOM - Linux kernel user's and administrator's guide](https://static.lwn.net/kerneldoc/admin-guide/mm/concepts.html)
* [How to diagnose causes of oom-killer killing processes - Stackexchange](https://serverfault.com/questions/134669/how-to-diagnose-causes-of-oom-killer-killing-processes)
* [Linux Kernel limits - eloquence.marxmeier](http://eloquence.marxmeier.com/sdb/html/linux_limits.html)
* This document provides an overview of the default Linux Kernel limits (kernel parameter) and where they are defined.
* [The OOM killer may be called even when there is still plenty of memory available - bl0g.krunch.be](http://bl0rg.krunch.be/oom-frag.html)
* [How to Configure the Linux Out-of-Memory Killer - Robert Chase](https://www.oracle.com/technical-resources/articles/it-infrastructure/dev-oom-killer.html)
* **Process Structure/Syscalls**
* [FlexSC: Flexible System Call Scheduling with Exception-Less System Calls](https://www.cs.cmu.edu/~chensm/Big_Data_reading_group/papers/flexsc-osdi10.pdf)
* [List of Linux/i386 system calls](http://asm.sourceforge.net/syscall.html)
* [Linux Syscall Table](http://www.informatik.htw-dresden.de/~beck/ASM/syscall_list.html)
* Complete listing of all Linux Syscalls
* [Killing a process and all of its descendants - Igor Sarcevic](http://morningcoffee.io/killing-a-process-and-all-of-its-descendants.html)
* [UNIX one-liner to kill a hanging Firefox process - Vasudev Ram](https://jugad2.blogspot.com/2008/09/unix-one-liner-to-kill-hanging-firefox.html?m=1)
* **X**
* [X Window System Explained](https://magcius.github.io/xplain/article/index.html)
* [Foreign LINUX](https://github.com/wishstudio/flinux)
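Review bot: "Foreign LINUX" (flinux) sits under the `**X**` heading but is a Linux syscall compatibility layer for Windows, not X Window material; move it next to the "Process Structure/Syscalls" entries and give it a description. The link label "bl0g.krunch.be" does not match the URL host, which is bl0rg.krunch.be. "Complete listing of all Linux Syscalls" overstates the HTW Dresden table, which is the 32-bit i386 table and does not cover x86_64 numbers or newer calls; qualify the blurb or add an architecture-aware table beside it. "Linux Kernel limits" is about kernel parameters generally and only loosely fits the OOM killer subsection, and the two "kill a process" entries are shell how-tos rather than process-structure or syscall references; consider a separate "Process management" subsection for them.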
@ -550,4 +479,42 @@ https://docs.microsoft.com/en-us/windows/win32/adsi/active-directory-service-int
* [Application Compatibility in Windows](https://technet.microsoft.com/en-us/windows/jj863248)
* [Hard Links and Junctions - msdn](https://msdn.microsoft.com/en-us/library/windows/desktop/aa365006(v=vs.85).aspx)
* [Security Configuration Wizard](https://technet.microsoft.com/en-us/library/cc754997(v=ws.11).aspx)
* The Security Configuration Wizard (SCW) guides you through the process of creating, editing, applying, or rolling back a security policy. A security policy that you create with SCW is an .xml file that, when applied, configures services, network security, specific registry values, and audit policy. SCW is a role-based tool: you can use it to create a policy that enables services, firewall rules, and settings that are required for a selected server to perform specific roles, such as a file server, a print server, or a domain controller.
* The Security Configuration Wizard (SCW) guides you through the process of creating, editing, applying, or rolling back a security policy. A security policy that you create with SCW is an .xml file that, when applied, configures services, network security, specific registry values, and audit policy. SCW is a role-based tool: you can use it to create a policy that enables services, firewall rules, and settings that are required for a selected server to perform specific roles, such as a file server, a print server, or a domain controller.
* [Executing Macros From a DOCX With Remote Template Injection - redxorblue.com](http://blog.redxorblue.com/2018/07/executing-macros-from-docx-with-remote.html)
* [LM, NTLM, Net-NTLMv2, oh my! - Peter Gombos](https://medium.com/@petergombos/lm-ntlm-net-ntlmv2-oh-my-a9b235c58ed4)
* [ Microsoft Office – NTLM Hashes via Frameset - netbiosX](https://pentestlab.blog/2017/12/18/microsoft-office-ntlm-hashes-via-frameset/)
* [SMB/HTTP Auth Capture via SCF File - mubix](https://room362.com/post/2016/smb-http-auth-capture-via-scf/)
* [Places of Interest in Stealing NetNTLM Hashes - Osanda Malith](https://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes/)
* [Microsoft Word – UNC Path Injection with Image Linking - Thomas Elling](https://blog.netspi.com/microsoft-word-unc-path-injection-image-linking/)
https://googleprojectzero.blogspot.com/2019/08/down-rabbit-hole.html
https://web.archive.org/web/20060904080018/http://security.tombom.co.uk/shatter.html
* [The 68 things the CLR does before executing a single line of your code - Matt Warren](https://web.archive.org/web/20170614215931/http://mattwarren.org:80/2017/02/07/The-68-things-the-CLR-does-before-executing-a-single-line-of-your-code/)
* [CLR Configuration Knobs - dotnet/coreclr](https://github.com/dotnet/coreclr/blob/master/Documentation/project-docs/clr-configuration-knobs.md)
* There are two primary ways to configure runtime behavior: CoreCLR hosts can pass in key-value string pairs during runtime initialization, or users can set special variables in the environment or registry. Today, the set of configuration options that can be set via the former method is relatively small, but moving forward, we expect to add more options there. Each set of options is described below.
* [The Windows Research Kernel AKA WRK](https://github.com/Zer0Mem0ry/ntoskrnl)
* Is a part of the source code of the actual windows NT Kernel. WRK is designed for academic uses and research, by no means it can be used for commercial purposes.
* [chcp](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/chcp)
* Changes the active console code page. If used without parameters, chcp displays the number of the active console code page.
* [NUMA Support - docs.ms](https://docs.microsoft.com/en-us/windows/win32/procthread/numa-support)
* [Standard ECMA-335 Common Language Infrastructure (CLI) 6th ed- ECMA](https://www.ecma-international.org/publications/standards/Ecma-335.htm)
* [What are the undocumented features and limitations of the Windows FINDSTR command? - StackOverflow](https://stackoverflow.com/questions/8844868/what-are-the-undocumented-features-and-limitations-of-the-windows-findstr-comman)
* [Kerberos.NET](https://github.com/SteveSyfuhs/Kerberos.NET)
https://xinu.cs.purdue.edu/
https://github.com/mit-pdos/xv6-public
http://pages.cs.wisc.edu/~remzi/OSTEP/
http://man7.org/tlpi/
https://wiki.osdev.org/Expanded_Main_Page
https://www.haiku-os.org/
https://devblogs.microsoft.com/commandline/learn-about-windows-console-and-windows-subsystem-for-linux-wsl/
https://j00ru.vexillium.org/syscalls/nt/64/
http://arno.org/arnotify/2006/10/on-the-origins-of-ds_store/
https://0day.work/parsing-the-ds_store-file-format/
https://en.internetwache.org/scanning-the-alexa-top-1m-for-ds-store-files-12-03-2018/
https://www.vergiliusproject.com/
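Review bot: the Security Configuration Wizard description appears twice in a row; if this is a trailing-whitespace-only change it adds noise to the diff, and if both lines survive in the file one must go. The six entries from "Executing Macros From a DOCX With Remote Template Injection" through "Microsoft Word – UNC Path Injection with Image Linking" form a coherent NetNTLM capture/coercion group but are appended under the SCW entry with no heading, while the rest of the file uses bold subsection markers; give them one (e.g. `**NetNTLM Hash Capture**`) and a one-line description each, since "LM, NTLM, Net-NTLMv2, oh my!" is the explainer and the others are techniques. The bare URLs (Project Zero "down the rabbit hole", the archived shatter attack paper, xinu, xv6, OSTEP, TLPI, osdev, Haiku, the WSL console devblog, the j00ru NT syscall table, the three .DS_Store links and vergiliusproject) break the `* [title](url)` convention and carry no description; the .DS_Store trio is macOS material in a Windows internals file and xinu/xv6/OSTEP/TLPI/osdev/Haiku are general OS references, so either give them a home or move them out. The WRK entry points at a third-party GitHub mirror rather than an official distribution, and its blurb has a grammar slip ("by no means it can be used" should read "it may not be used"). The CLR configuration knobs link targets dotnet/coreclr `master`; pin it to a commit so the link survives repository changes. The Kerberos.NET and NUMA Support entries have no description.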
