Windows Privilege Escalation & Post-Exploitation
December 16, 2022 · View on GitHub
Table of Contents
- Quick Jump List:
- 101
- Living_off_The_Land
- CSharp & .NET Stuff
- Powershell Stuff
- Windows Code Injection Techniques
- APC
- Atom Bombing
- Breaking BaDDEr
- 'Code-Less'
- Command Line and Environment Variables
- Console Window Class
- Ctrl Injection
- DLL Injection
- Reflective DLL Injection
- DNS Client API
- Process Doppelganging
- DoppelGate
- DoubleAgent
- EarlyBird Injection
- Extra Window Bytes Injection
- Fibers
- Gargoyle
- GhostWriting Injection
- Process Herpaderping
- Process Hollowing
- Inject-Me
- Kernel Callback Table
- KnownDlls Cache Poisoning
- Mapping Injection
- Multiple Provider Router (MPR) DLL and Shell Notifications
- NINA
- NtCreate
- PE Injection
- PowerLoader(Ex)
- Print Spooler
- PROPagate
- Service Control Handler
- Shatter
- Stack Bomber
- Thread Execution Hijacking
- ThreadLocal Storage Injection
- Tooltips/Common Controls
- Windows Notification Facility
- WinSock Helper Functions(WSHX)
- Windows Post Exploitation
- Execution
- lolbins
- Command and Scripting Interpreter
- Compiled HTML Files
- Component-Object-Model
- ontrolPanel Items
- DLL-Related
- Downloaders - FIX
- Exploitation for Client Execution - FIX
- Indirect Execution
- Inter-Process Communication
- Scripting Host - FIX(Add langs)
- Native API(Syscalls & WinAPI)
- Power API
- Processes
- Scheduled Task/Job - FIX
- Shared Modules
- Shellcode Stuff
- Software Deployment Tools - FIX
- System Services
- 1st-Party Software
- Third-Party Software
- User Execution
- Windows Diagnostic Tool
- WIndows Management Instrumentation
- Windows Remote Management(WinRM)
- Windows Trouble shooting Packs
- Persistence
- 101
- Tactics
- 3rd Part Applications
- Account Manipulation
- Accessibility Features
- Active Directory Specific
- Alternate Data Streams
- AMSI Provider
- APPX/UWP
- BITS Jobs
- Boot or Logon Autostart Execution
- Boot or Logon Initialization Scripts
- Compromise Client Software Binary
- Create account
- Create or Modify System Process
- DLL Injection/Hijacking
- Drivers
- Event Triggered Execution
- Extension Handlers
- External Remote Services
- Filesystem
- Hijack Execution Flow
- IIS Module
- [Implant Container Image
- LAPS
- Library Files
- MS Distributed Transaction Coordinator
- .NET
- Netsh
- Office Applications
- Password Filter DLL
- Port Monitors
- Pre-OS Boot
- Print Processor
- Processes
- Registry
- Scheduled Task/Job
- ScreenSaver
- Services
- Server Software Component
- SMB
- Telemetry
- Traffic Signaling
- UEFI
- URI Scheme
- Valid Accounts
- VisualStudio
- WaitFor
- Windows Subsystem for Linux
- WMI
- Privilege Escalation
- 101
- DLL Stuff
- Exploits/Missing Patches
- Fax/Printer/Network Service
- Group Policy (Preferences)
- Intel SYSRET
- LAPS
- Local Phishing
- Logic Bugs
- Named Pipes
- Privileged File Operation Abuse
- NTLM-Related
- Privilege Abuse
- Privileged File Operations
- Registry Paths/Permissions
- Services
- Unquoted Service Paths
- Stored Creds/Passwords on disk
- Tokens
- Obtaining System Privileges
- Talks & Presentations
- Tools
- Writeups
- Exploits
- Just-Enough-Administration(JEA)
- Microsoft
- MSSQL
- VirtualMachines
- VMWare
- Windows Defense Evasion
- Anti-Malware Scan Interface
- Anti-Virus
- Application Whitelisting
- Windows Defender
- Microsoft ATA/P
- Callbacks
- Device Guard
- DLL Execution-Related
- Drivers
- Endpoint Detection & Response
- Event Tracing
- Event Log
- Hooking
- PowerShell Related
- Syscalls
- Sysmon
- Windows User Account Control(UAC)
- Specific Techniques
- Credential Access - FIXME
- 101
- Articles/Blogposts/Writeups
- 3rd Party
- Active Directory Environment
- AWS
- AutoLogon
- Azure
- Clipboard
- CredSSP
- DPAPI - FIX
- Internal Monologue
- Keylogger
- Local Account
- Local Phishing
- Logon
- Local Files
- Local Security Authority Subsystem Service(LSA & LSASS)
- Mimikatz/Similar
- MsvpPasswordValidate Hooking
- NPLogonNotify()
- Dumping NTDS.dit
- NTLM-related
- Password Filter DLL
- Physical Memory
- Dumping Process Memory
- RDP
- SeTrustedCredManaAccess
- Service Accounts
- Tokens
- Volume Shadow Copy Service
- WDigest
- [Web Browsers -wcwb
- Wifi
- Tools
- Discovery
- Lateral Movement
- Collection
- Execution
- Windows Specific Technologies
- Alternate Data Streams
- AppLocker
- Application Shims
- Bitlocker
- ClickOnce
- Credential Guard
- Code Signing
- (Distributed) Component-Object-Model(COM)
- (Windows) Cryptography
- Data Protection API(DPAPI)
- Device Guard
- Dynamic Link Library
- Event Log
- Event Tracing for Windows
- Print & Fax
- Fibers
- File Extensions
- Hooking in Windows
- Kernel Operations
- Library Description files
- LNK Files
- Logging
- MS-SQL Server
- Named Pipes
- PowerShell
- PowerShell Desired State
- Privileges
- Processes
- RPC
- Search Connectors
- Tokens
- Windows Communication Foundation
- Windows Managemet Instrumentation
- Windows Notification Facility
- Windows Privileges
- Windows Processes
- Windows RPC stuff
- Windows Remote Management
- Windows Scripting Host
Post-Exploitation Windows
- 101
- Unsorted
- Living_off_The_Land
- 101
- Living Off The Land: A Minimalist's Guide To Windows Post Exploitation - Christopher Campbell, Matthew Graeber(Derbycon3)
- LOLBins - Living Off The Land Binaries & Scripts & Libraries
- "Living off the land" was coined by Matt Graeber - @mattifestation <3"
- The term LOLBins came from a twitter discussion on what to call these binaries. It was first proposed by Philip Goh - @MathCasualty here: https://twitter.com/MathCasualty/status/969174982579273728
- The term LOLScripts came from Jimmy - @bohops: https://twitter.com/bohops/status/984828803120881665
- Installers – Interactive Lolbins - Hexacorn
- WinBinDex - The Windows Binaries Index
- Articles/Blogposts/Writeups
- Installers – Interactive Lolbins, Part 2 - Hexacorn
- Bring your own lolbas? - Hexacorn
- Reusigned Binaries - Hexacorn
- Reusigned Binaries – Living off the signed land - Hexacorn
- Hack Microsoft Using Microsoft Signed Binaries - Pierre-Alexandre Braeken
- Microsoft Applications and Blocklist - FortyNorth Security
- Unsanitized file validation leads to Malicious payload download via Office binaries. - Reegun J
- Background Intelligent Transfer Protocol - TH Team
- Stay positive Lolbins… not! - Hexacorn
- Living Off the Land - liberty-shell
- Living Off Windows Land – A New Native File “downldr” - Gal Kristal(2020)
- Also Node.js has been used to perform a Living off the Land (LotL) attack - Andrea Fortuna(2019)
- Upload and download small files with CertReq.exe - DTM(2020)
- Staying Off the Land: A Threat Actor Methodology - Crowdstrike(2020)
- Load/Inject malicious DLL using Microsoft Tools - safe(2018)
- FalconFriday — Masquerading; LOLBin file renaming— 0xFF0C - Olaf Hartong(2021)
- Abusing and Detecting LOLBIN Usage of .NET Development Mode Features - BOHOPS(2021
- From an attacker’s perspective, configuration adjustments provide interesting opportunities for living-off-the-land-binary (lolbin) execution. In this short post, we’ll highlight a technique for turning pretty much any .NET executable into an opportunistic lolbin that abuses .NET development features by overriding Global Assembly Cache (GAC) path lookups. Furthermore, we’ll examine several defensive considerations for detecting malicious use of the presented technique.
- Living off the land - Slayerlabs(2021)
- BYOT – Bring Your Own Telemetry - Hexacorn(2021)
- Symantec Endpoint Protection Meets COM — Using “Symantec.SSHelper” As A LOLBIN - Nasreddine Bencherchali(2021)
- Talks/Presentations/Videos
- Living Off the Land: A Minimalist’s Guide to Windows Post-Exploitation - Christopher Campbell, Matthew Graeber(Derybcon2013)
- Two of the biggest challenges of long-term penetration tests are advanced security products and active administrators. Host intrusion prevention, application white-listing and antivirus software are all looking for your tools. Administrators and network defenders are doing everything they can to find you. Surprisingly, the easiest way to hide from them and homestead in a Windows enterprise is to live off the land. Microsoft provides you with all the tools you need to get into a network and live there forever. Tools such as Wmic, Netsh and PowerShell are well-known to administrators, but they also provide an attacker a whole range of virtually untapped features. By simply leveraging PowerSploit and a few tricks you can reliably bypass antivirus, get around whitelisting, escalate privileges, redirect network traffic, take full packet captures, log keystrokes, take screenshots, dump hashes, persist and pivot to other hosts all without introducing a single binary!
- Code Execution with JDK Scripting Tools & Nashorn Javascript Engine - Brett Hawkins(Derbycon2018)
- There are several languages and methods used to execute code on a computer system, such as C#, Powershell, Python, VBA, and many more. The defense is getting better, which has caused the offense to adapt and look for innovative ways to “live off the land”. One area that has not been explored deeply is utilizing tools that the Java Development Kit (JDK) provides. According to a statement by Oracle, Java runs on 3 billion devices. Enterprises depend on Java running on their user endpoints and servers in order to keep their businesses running. This makes using tools installed with the JDK very enticing to attackers. This talk will explore using JDK command-line scripting tools and the Nashorn Javascript Engine to perform several actions, such as downloading files, executing scripts locally and remotely, and gaining a remote interactive shell to a computer system. Detective and preventive controls will also be discussed for the usage of these JDK scripting tools.
- Living off the land: enterprise post-exploitation - Adam Reiser(Derbycon2018)
- You've compromised that initial server and gained a foothold in the target network: congratulations! But wait - the shadow file has no hashes but root, the ssh keys have strong passphrases, and all the interesting traffic is encrypted - there's nothing of value here! Or is there? In this talk, I will explore post-exploitation techniques for turning your compromised bastion hosts into active credential interceptors under a variety of blue team monitoring scenarios.
- WEBCAST: Hacker Tools, Compliments of Microsoft - David Fletcher & Sally Vandeven(2018)
- Slides
- Join David “Fletch” and Sally as they explore the cornucopia of wonderful, free tools in the SysInternals Suite that conveniently are signed by Microsoft and that they use on a daily basis to hack their customers.
- #LOLBins - Nothing to LOL about! - Oddvar Moe(Derbycon2018)
- You have probably heard the term LOLBin, LOLScript or LOLLib by now. Want to get more insights on that? Then this is the talk you want to attend.This talk will cover the Living Off The Land Binaries and Scripts (LOLBAS) project, what the project is, how it became and how you can help this evolve into the future. The talk will also go over some of my favorite LOLBins that has came to light due to this project (at least that's what I like to think) and show you some cool stuff! I mean, everybody loves to see binaries misbehave.
- Covert Attack Mystery Box: A few novel techniques for exploiting Microsoft "features" - Mike Felch and Beau Bullock (WWHF2018)
- Over the last few months we’ve been doing a bit of research around various Microsoft “features”, and have mined a few interesting nuggets that you might find useful if you’re trying to be covert on your red team engagements. This talk will be “mystery surprise box” style as we’ll be weaponizing some things for the first time. There will be demos and new tools presented during the talk. So, if you want to win at hide-n-seek with the blue team, come get your covert attack mystery box!
- Living Off the Land: A Minimalist’s Guide to Windows Post-Exploitation - Christopher Campbell, Matthew Graeber(Derybcon2013)
- In-the-Spirit-Of
- BADministration
- BADministration is a tool which interfaces with management or administration applications from an offensive standpoint. It attempts to provide offsec personnel a tool with the ability to identify and leverage these non-technical vulnerabilities. As always: use for good, promote security, and fight application propagation.
- BADministration
- Not really
- 101
- Bring-Your-Own-Land
- Articles/Blogposts/Writeups
- Talks/Presentations/Videos
- BYOI (Bring Your Own Interpreter) payloads - Marcello Salvati(RomHack2020)
- Slides
- Offensive PowerShell tradecraft is in “Zombie Mode”: it’s sort of dead, but not entirely. With all of the defenses Microsoft has implemented in the PowerShell runtime over the past few years Red Teamers / Pentesters & APT groups have started too shy away from using PowerShell based payloads/delivery mechanisms and migrate over to C#. However, C# is a compiled language. Operationally this has a few major downsides: we can’t be as “flexible” as setting up a proper development environment has an overhead and can be time consuming and you have to compile all the things all the time etc.
- BYOI (Bring Your Own Interpreter) payloads - Marcello Salvati(RomHack2020)
- Bring-Your-Own-Driver
- Execution
- Articles/Blogposts/Writeups
- CodeExecutionOnWindows
- A list of ways to execute code, including examples, are shown below. Note that UAC bypasses and DLL hijacking will not be included as these are covered elsewhere.
- CodeExecutionOnWindows
- LoLBins
- Certreq.exe
- Nuget/Squirrel/Electron
- Microsoft.Workflow.Compiler.exe
- MSBuild
- 101
- MSBuild - docs.ms
- MSBuild Inline Tasks - docs.ms
- Understanding the Project File(MSBuild) - docs.ms
- Understanding the project file - docs.ms
- Microsoft Build Engine (MSBuild) project files lie at the heart of the build and deployment process. This topic starts with a conceptual overview of MSBuild and the project file. It describes the key components you'll come across when you work with project files, and it works through an example of how you can use project files to deploy real-world applications.
- Articles/Blogposts/Writeups
- MSBuild: A Profitable Sidekick! - Sarah Norris(2020)
- MSBuild without MSBuild - pentestlaboratories(2020)
- [...]MSBuild is no longer required to execute code since it is possible to use a .NET assembly that will call the malicious .csproj from a remote location (UNC path). This technique doesn’t leave any artifacts since it doesn’t touch the disk and the code is injected into a legitimate Windows process Internet Explorer.
- Doing More With MSBuild - 3gstudent
- Remotely Host MSBuild Payloads - Joe Leon(2020)
- tl;dr Separate your C# payload from a MSBuild XML file and host it remotely on a WebDav server.
- Another MSBuild Invocation (February 2020 Edition) - Joe Leon(2020)
- TL;DR: Use MSBuild’s UnregisterAssembly task to execute arbitrary code in a .NET assembly.
- Tools
- MSBuild
- MSBuildAPICaller
- MSBuild Without MSBuild.exe
- NoMSBuild
- MSBuild without MSbuild.exe
- 101
- MSI
- Windows Installer - docs.ms
- Windows Installer - Wikipedia
- The Return of Raining SYSTEM Shells with Citrix Workspace app -
- Back in July I documented a new Citrix Workspace vulnerability that allowed attackers to remotely execute arbitrary commands under the SYSTEM account. Well after some further investigation on the initial fix I discovered a new vector that quite frankly should not exist at all since the previous reported vulnerability. The core of the issue lies with a remote command line injection vulnerability that allows attackers to bypass Citrix signed MSI installers using a malicious MSI transform.
- PwnyForm
- PwnyForm will take an MSI installer as input and generate an MSI transform (mst) that can be used to inject arbitrary command execution by adding a custom action that will execute during the UI or Install sequence of an MSI file. The generated MST produces a JScript custom action that will by default launch cmd.exe, the executed command can be overriden using the CMD MSI property
- MSHTA
- Internet Explorer MSHTA Security Threat - Dennis Faas(2003)
- The Malware Hiding in Your Windows System32 Folder: Mshta, HTA, and Ransomware - Andy Green(2020)
- MSHTA code execution - bypass application whitelisting. - @spottheplanet
- Bypass Application Whitelisting using mshta.exe (Multiple Methods) - Raj Chandel
- w.e w.e Internet Explorer Does What It Wants - Aaron Heikkila(GrrCON2018)
- MS Office
- Excel
- Tools
- Hello World XLL
- This is a simple XLL, showing how to create an XLL from scratch.
- xllpoc
- A small project that aggregates community knowledge for Excel XLL execution, via xlAutoOpen() or PROCESS_ATTACH.
- Hello World XLL
- MS Teams
- Windows Update Client(wuauclt)
- 3rd-Party LoLbins
- Command and Scripting Interpreter
- Cmd.exe
- Articles/Blogposts/Writeups
- CMD Arg Spoofing
- Articles/Blogposts/Writeups
- Tools
- Obfuscation
- Articles/Blogposts/Writeups
- DOSfuscation: Exploring the Depths of Cmd.exe Obfuscation and Detection Techniques - Daniel Bohannon(2018)
- Cmd Hijack - a command/argument confusion with path traversal in cmd.exe - Julian Horoszkiewicz(2020)
- Hiding process creation and cmd line with a long com… - Hexacorn(2020)
- Tried and True Hacker Technique: DOS Obfuscation - John Hammond(2020)
- Windows Command-Line Obfuscation - @Wietze(2021)
- Tools
- Invoke-DOSfuscation
- Cmd.exe Command Obfuscation Generator & Detection Test Harness
- Windows Command-Line Obfuscation
- Project for identifying executables that have command-line options that can be obfuscated, possibly bypassing detection rules.
- Invoke-DOSfuscation
- Articles/Blogposts/Writeups
- PPID Spoofing
- .NET
- Articles/Blogposts/Writeups
- Running a .NET Assembly in Memory with Meterpreter - Thomas Hendrickson(2019)
- In this blog post I will discuss leveraging Meterpreter’s powershell module to execute .NET assemblies in-memory.
- Running a .NET Assembly in Memory with Meterpreter - Thomas Hendrickson(2019)
- Articles/Blogposts/Writeups
- WebAssembly
- Articles/Blogposts/Writeups
- Tools
- WASSUP-WASM
- "WASSUP-WASM" is a tiny application that can be used to download and execute the WebAssembly binary using Node.JS.
- WASSUP-WASM
- XSL Script Processing
- Articles/Blogposts/Writeups
- Tools
- Cmd.exe
- Compiled HTML Files
- 101
- Articles/Blogposts/Writeups
- CHM Badness Delivers a Banking Trojan - Rodel Mendrez(2017)
- Malicious CHM Files Being Used to Install Brazilian Banking Trojans - Lawrence Abrams(2017)
- PuTTY vulnerability vuln-chm-hijack - chiark.greenend.org(2019)
- Potential malicious code execution via CHM hijacking
- What the Shell? New Security Breach Uses CHM Files to Cover Banking Trojans - Douglas Bonderud(2017)
- Tools
- Malicious-CHM-Guide.md - mgeeky
- CheatSheet describing how to create malicious CHM file by hand (another approach is to use Nishang's Out-Chm scriptlet).
- PuTTY vulnerability vuln-chm-hijack
- Potential malicious code execution via CHM hijacking (CVE-2019-9896)
- Out-CHM.ps1
- Malicious-CHM-Guide.md - mgeeky
- Component-Object-Model
- 101
- See (D)COM
- Articles/Blogposts/Writeups
- 101
- ControlPanel Items
- 101
- Articles/Blogposts/Writeups
- Starting a Dynamic-link Library as a Control Panel File(Vault7)
- FalconFriday — Process injection and malicious CPL files — 0xFF03 - Henri Hambartsumyan(2020)
- Executing Code as a Control Panel Item through an Exported Cplapplet Function - @spottheplanet
- Code Execution through Control Panel Add-ins - @spottheplanet
- Tools
- CPLResourceRunner
- Run shellcode from resource
- CPLResourceRunner
- DLL-Related
- 101
- See DLLs
- DLL Injection
- See DLL Injection
- Hijacking
- Articles/Blogposts/Writeups
- Vulnerability and Exploit Detector - Stefan Kanthak](https://skanthak.homepage.t-online.de/sentinel.html)
- "The Vulnerability and Exploit Detector for Microsoft® Windows® NT consists of the independent executable files SENTINEL.DLL and SENTINEL.EXE. They are used as "canaries" to indicate the execution of bogus or rogue applications and DLLs from unintended or unwanted locations, typically in order to detect and demonstrate programming errors which lead to weaknesses and vulnerabilities, or to catch and detect (malicious) code which exploits such weaknesses and vulnerabilities. "
- HijackLibs.net
- This project provides an curated list of DLL Hijacking candidates. A mapping between DLLs and vulnerable executables is kept and can be searched via this website. Additionally, further metadata such as resources provide more context.
- MITRE ATT&CK turned purple – Part 1: Hijack execution flow - NVISO(2020)
- Finding writable folders and hijackable DLLs - Mark Mo(2021)
- %appdata% is a mistake – Introducing Invoke-DLLClone - Jean Maes(2021)
- AddExeImport - Add a hardcoded DLL dependency to any EXE - x86Matthew(2022)
- DLL Hijacking using Spartacus - Pavel Tsakalidis(2022)
- Accidentally Graphing DLL Hijacks in Every Electron App - ctrl.red(2022)
- Save the Environment (Variable) -Wietze Beukema(Defcon30)
- Talk
- Slides
- "By manipulating environment variables on process level, it is possible to let trusted applications load arbitrary DLLs and execute malicious code. This post lists nearly 100 executables vulnerable to this type of DLL Hijacking on Windows 11 (21H2); it is demonstrated how this can achieved with just three lines of VBScript."
- Vulnerability and Exploit Detector - Stefan Kanthak](https://skanthak.homepage.t-online.de/sentinel.html)
- Talks/Presentations
- Tools
- windows-dll-hijacking
- Project for identifying executables and DLLs vulnerable to relative path DLL hijacking.
- DLLHijackTest
- HijackHunter
- Parses a target's PE header in order to find lined DLLs vulnerable to hijacking. Provides reasoning and abuse techniques for each detected hijack opportunity
- siofra
- Siofra is a tool designed to identify and exploit DLL hijacking vulnerabilities in Windows programs. It is able to simulate the Windows loader in order to give visibility into all of the dependencies (and corresponding vulnerabilities) of a PE on disk, or alternatively an image file in memory corresponding to an active process. More significantly, the tool has the ability to easily generate DLLs to exploit these types of vulnerabilities via PE infection with dynamic shellcode creation. These infected DLLs retain the code (DllMain, exported functions) as well as the resources of a DLL to seamlessly preserve the functionality of the application loading them, while at the same time allowing the researcher to specify an executable payload to be either run as a separate process or loaded into the target as a module. Additionally, the tool contains automated methods of combining UAC auto-elevation criteria with the aforementioned functionality in order to scan for UAC bypass vulnerabilities.
- ImpulsiveDLLHijack
- C# based tool which automates the process of discovering and exploiting DLL Hijacks in target binaries. The Hijacked paths discovered can later be weaponized during Red Team Operations to evade EDR's.
- DLLirant
- DLLirant is a tool to automatize the DLL Hijacking researches on a specified binary.
- https://sh0ckfr.com/pages/martine-a-la-recherche-de-la-dll-hijacking-perdue/
- https://sh0ckfr.com/pages/martin-et-le-dll-proxying-de-cristal/
- DLL-Hijack-Calculator
- DLL that indicates if it was ran with admin Privileges. Could be used for Bug Bounty (DLL hijack attack). Starts calc and makes MessageBox with info about priveleges
- Brownie
- Brownie is a platform to rapidly prototype and weaponise DLL hijacks. In particular, we are interested in DLL Search Order Hijacking to sideload our malicious code by a signed and legitimate executable.
- ino
- In 'n Out - See what goes in and comes out of PEs
- bait
- Bait for dll injection and executable planting
- windows-dll-hijacking
- Articles/Blogposts/Writeups
- Hollowing
- Articles/Blogposts/Writeups
- Tools
- phantom-dll-hollower-poc
- Phantom DLL hollowing PoC
- phantom-dll-hollower-poc
- Object Overload
- Object Overloading - Adam Chester(2022)
- " In this post we are going to look at one such technique that I thought was cool while playing around with the Windows Object Manager, and which should allow us to load an arbitrary DLL of our creation into a Windows process during initial execution, something that I’ve been calling “Object Overloading” for reasons which will hopefully become apparent in this post."
- Object Overloading - Adam Chester(2022)
- Proxying
- 101
- Articles/Blogposts/Writeups
- I’M SO excited - Hexacorn(2019)
- DLL Proxying for Persistence - @spottheplanet
- Sideloading DLL like APT1337 - flangvik.com(2019)
- Bypassing AV's using DLL Side-Loading - flangvik.com(2019)
- DLL Proxy Loading Your Favourite C# Implant - Flangvik(2020)
- Adding DLL Exports with dnlib - RastaMouse(2020)
- Create a proxy DLL with artifact kit - Joe Vest(2021)
- Windows DLL Proxying/Hijacking - cihansol(2021)
- DLL proxying & sideloading - Diego(2022)
- Tools
- dll-exports
- Collection of DLL function export forwards for DLL export function proxying
- ProxyDLLExample
- A simple DLL for Windows that can be used to demonstrate a DLL Proxy Attack.
- ExportsToC++
- ExportsToC++ parses dumpbin output and converts an assembly’s exported function list output to C++ formatted code. This is very useful for creating Proxy DLL files to Intercept API Calls. You must have the .NET 2.0 Framework installed to run this application.
- SharpDllProxy
- Retrieves exported functions from a legitimate DLL and generates a proxy DLL source code/template for DLL proxy loading or sideloading
- proxy_dll
- Taking advantage of CRT initialization, to get away with hooking protected applications
- dll-exports
- Side Loading
- 101
- Articles/Blogposts/Writeups
- Side Loading Dll with a SteelSeries Signed Binaries - Pierre-Alexandre Braeken(2018)
- PE Import Table hijacking as a way of achieving persistence - or exploiting DLL side loading - Julian Horoszkiewicz(2019)
- Alternative to LSASS dumping - Magnus Stubman(2020)
- DLL Hijacking & DLL Proxying An SNES Emulator - huskyhacks(2021)
- Safe code & pitfalls: DLL side-loading, WinAPI and C++ - Roman Dudin(2021)
- Hunting for Windows “Features” with Frida: DLL Sideloading - Chris Spehn(2021)
- Recreating an ISO Payload for Fun and No Profit - Sunggwan Choi(2022)
- Attacking on Behalf of Defense: DLL Sideloading EDR Binaries - Naor Hodorov(2022)
- Guide to DLL Sideloading - Ahmed Sher(2022)
- Talks/Presentations/Videos
- Tools
- DLLSideloader
- PowerShell script to generate "proxy" counterparts to easily perform DLL Sideloading
- DLLSpy
- DLLSpy is a that detects DLL hijacking in running processes, services and in their binaries.
- Windows Feature Hunter
- "Windows Feature Hunter (WFH) is a proof of concept python script that uses Frida, a dynamic instrumentation toolkit, to assist in potentially identifying common “vulnerabilities” or “features” within Windows executables. WFH currently has the capability to automatically identify potential Dynamic Linked Library (DLL) sideloading and Component Object Model (COM) hijacking opportunities at scale."
- %appdata% is a mistake – Introducing Invoke-DLLClone - Jean Maes(2021)
- SideLOADR
- A "simple" script to perform DLL sideloading using Python.
- DLLSideloader
- 101
- Downloaders
- Exploitation for Client Execution
- Articles/Blogposts/Writeups
- CVE-2019-0726 - MWRLabs
- DHCP client rce
- Analysis of CVE-2020-0605 – Code Execution using XPS Files in .NET - MDSec(2020)
- Microsoft patched a number of deserialisation issues using the XPS files. Although the patch for CVE-2020-0605 was released in January 2020, it was incomplete and an additional update was released in May 2020. The patched issue could be useful to exploit any code that deals with the XPS file using .NET libraries. The identified issues could also be helpful as bridged gadgets when exploiting XAML deserialisation related issue.
- CVE-2019-0726 - MWRLabs
- Articles/Blogposts/Writeups
- Indirect Execution
- Inter-Process Communication
- Component Object Model and Distributed COM
- Articles/Blogposts/Writeups
- Tools
- DDE
- See Phishing.md
- Articles/Blogposts/Writeups
- Tools
- Component Object Model and Distributed COM
- Scripting Host
- Articles/Blogposts/Writeups
- Talks/Presentations/Videos
- Establishing A Foothold With JavaScript - Casey Smith(Derbycon2016)
- Yes, you read that right. JavaScript is everywhere, and is often overlooked. This talk will briefly outline some tactics you can use to establish a foothold and persist in an Enterprise network using only JavaScript. I will demonstrate some fileless persistence mechanisms.
- Establishing A Foothold With JavaScript - Casey Smith(Derbycon2016)
- Native API(Syscalls & WinAPI)
- 101
- (Un)Official Documentation
- Windows API index - docs.ms
- The following is a list of the reference content for the Windows application programming interface (API) for desktop and server applications. Using the Windows API, you can develop applications that run successfully on all versions of Windows while taking advantage of the features and capabilities unique to each version. (Note that this was formerly called the Win32 API. The name Windows API more accurately reflects its roots in 16-bit Windows and its support on 64-bit Windows.)
- System calls: What are system calls and why are they necessary? - ionos.com
- System Calls - docs.ms
- WinAPI Documentation - Steve Donovan
- Windows API index - docs.ms
- Learning
- Struggling between syscall or sysenter (Windows) - StackOverflow
- System calls on Windows x64 - n4r1b(2019)
- Introduction to Windows API - ZetCode(2020)
- Tutorial Understanding Windows SysCalls - SysCall Dumper - Timb3r
- Undocumented Windows API Functions & Structures - Rake(2020)
- Windows Native API - Roger Orr(ACCU 2019)
- Many programmers are familiar with the Windows "Win32" API that provides access to a large variety of services, from user interface to memory management; but far fewer have much idea about the Windows "Native" API which is the mechanism used to access the operating system services located in the kernel. While it is rare to need to use these services directly (since the Win32 API provides a richer, better supported, and documented interface) it can be very useful to have some understanding of what is going on 'under the covers' inside this API. I will look at the Native API from the application programmer’s point of view and will also touch on how Microsoft provides a 32bit subsystem in the 64bit version of Windows. I hope this session will be of interest to all those who like to know more about how things work!
- Syscall Numbers
- Using Them
- SharedUserData SystemCall Hook - bugcheck, skape(2005)
- Making Raw Syscalls on Windows From Python - Spencer(2017)
- Calling Syscalls Directly from Visual Studio to Bypass AVs/EDRs - @spottheplanet
- Retrieving ntdll Syscall Stubs from Disk at Run-time - @spottheplanet
- Red Team Tactics: Combining Direct System Calls and sRDI to bypass AV/EDR - Cornelis de Plaa(2019)
- In this blog post we will explore the use of direct system calls, restore hooked API calls and ultimately combine this with a shellcode injection technique called sRDI. We will combine these techniques in proof of concept code which can be used to create a LSASS memory dump using Cobalt Strike, while not touching disk and evading AV/EDR monitored user-mode API calls.
- Bypassing User-Mode Hooks and Direct Invocation of System Calls for Red Teams - @modexpblog(2020)
- Implementing Direct Syscalls Using Hell’s Gate - N4kedTurtle(2020)
- Syscalls with D/Invoke - RastaMouse2021
- Hiding your syscalls - passthehashbrowns(2021
- Syscall Filtering
- Articles/Blogposts/Writeups
- Accessing the Windows API Directly - Osanda Malith(2015
- I Like Syscalls (And I Cannot Lie) - Steiner(2015)
- Using Syscalls to Inject Shellcode on Windows - Solomon Sklash(2020)
- Red Team Tactics: Utilizing Syscalls in C# - Prerequisite Knowledge - Jack Halon
- Red Team Tactics: Utilizing Syscalls in C# - Writing The Code - Jack Halon
- The Windows 10 TH2 INT 2E mystery - Adrien Chevalier(2018)
- Malware Mitigation when Direct System Calls are Used - Hod Gavriel(2018)
- System Call Monitoring Despite KPP - Jason(2018
- SharedUserData SystemCall Hook - uninformed Vol.3
- Fuzzing the Windows API for AV Evasion - Winternl(2020)
- Detecting Manual Syscalls from User Mode - jackullrich(2021
- Detecting Hooked Syscalls - @spotheplanet
- It's possible to enumerate which Windows API calls are hooked by an EDR using inline patcihng technique, where a jmp instruction is inserted at the beginning of the syscall stub to be hooked.
- MySyscall: Hijacking Windows System Calls For Personal Use - Anze Lesnik(2019)
- Invoking System Calls and Windows Debugger Engine - modexp(2020)
- Bypassing User-Mode Hooks and Direct Invocation of System Calls for Red Teams - modexp(2020
- Worried about EDR hooking catching you out? - benpturner(2020)
- Understanding SysCalls Manipulation - benpturner(2021)
- When You sysWhisper Loud Enough for AV to Hear You - Cpt Meelo(2021)
- EDR Bypass : Retrieving Syscall ID with Hell's Gate, Halo's Gate, FreshyCalls and Syswhispers2 - Alice Climent-Pommeret(2022)
- A Syscall Journey in the Windows Kernel - Alice Climent-Pommeret(2022)
- Making NtCreateUserProcess Work - Cpt Meelo(2022)
- On how we can keep whispering the syscalls - Adrian Denkiewicz(2022)
- Creating Processes Using System Calls - Santiago Pecin(2022)
- Talks/Presentations/Videos
- Getting Windows to Play with Itself: A Pen Testers Guide to Windows API Abuse - Brady Bloxham(Derbycon2014)
- Windows APIs are often a blackbox with poor documentation, taking input and spewing output with little visibility on what actually happens in the background. By reverse engineering (and abusing) some of these seemingly benign APIs, we can effectively manipulate Windows into performing stealthy custom attacks using previously unknown persistent and injection techniques. In this talk, we’ll get Windows to play with itself nonstop while revealing 0day persistence, previously unknown DLL injection techniques, and Windows API tips and tricks. To top it all off, a custom HTTP beaconing backdoor will be released leveraging the newly released persistence and injection techniques. So much Windows abuse, so little time.
- RedTeam Tricks Exposed - Reversing Engineering Syscalls To Evade Detection - OA Labs(2021)
- Getting Windows to Play with Itself: A Pen Testers Guide to Windows API Abuse - Brady Bloxham(Derbycon2014)
- Tools
- SysWhispers
- SysWhispers helps with evasion by generating header/ASM files implants can use to make direct system calls.
- directInjectorPOC
- Small POC written in C# that performs shellcode injection on x64 processes using direct syscalls as a way to bypass user-land EDR hooks.
- hunter - fdiskyou
- CallObfuscator
- Obfuscate specific windows apis with different apis
- SyscallPOC
- A simple proof of concept shellcode injector using syscalls.
- VBA-RunPE
- A VBA implementation of the RunPE technique or how to bypass application whitelisting.
- SharpSploit.Execution.DynamicInvoke
- CallMon
- CallMon is an experimental system call monitoring tool that works on Windows 10 versions 2004+ using PsAltSystemCallHandlers
- Windows-API-Fuzzer
- Designed to learn OS specific anti-emulation patterns by fuzzing the Windows API.
- WinAltSyscallHandler
- Some research on AltSystemCallHandlers functionality in Windows 10 20H1 18999
- FreshyCalls PoC
- A simple dumper as FreshyCalls' PoC. That's what's trendy, isn't it?
¯\_(ツ)_/¯
- A simple dumper as FreshyCalls' PoC. That's what's trendy, isn't it?
- inline_syscall
- Header only library that allows you to generate direct syscall instructions in an optimized, inlineable and easy to use manner.
- Syscall Monitorhttps://github.com/hzqst/Syscall-Monitor)
- This is a process monitoring tool (like Sysinternal's Process Monitor) implemented with Intel VT-X/EPT for Windows 7+.
- SyscallDumper
- Dump system call codes, names, and offsets from Ntdll.dll
- windows-syscall-table
- windows syscall table from xp ~ 10 rs4
- SyscallExtractorAnalyzer
- This script will pull and analyze syscalls in given application(s) allowing for easier security research purposes
- AtomicSyscall
- Tools and PoCs for Windows syscall investigation.
- SysWhispers
- Power API
- Deus Somnum
- Leverage the Windows Power Management API for code execution and defense evasion.
- Paper
- Deus Somnum
- Processes
- Scheduled Task/Job
- AT
- Scheduled Task
- 101
- Windows Task Scheduler - Wikipedia
- Task Scheduler for developers - docs.ms
- The Task Scheduler enables you to automatically perform routine tasks on a chosen computer. Task Scheduler does this by monitoring whatever criteria you choose (referred to as triggers) and then executing the tasks when those criteria are met.You can use the Task Scheduler to execute tasks such as starting an application, sending an email message, or showing a message box. Tasks can be scheduled to execute in response to these events, or triggers.
- Articles/Blogposts/Writeups
- 101
- Shared Modules
- Tools
- DueDLLigence
- Shellcode runner framework for application whitelisting bypasses and DLL side-loading. The shellcode included in this project spawns calc.exe.
- DueDLLigence
- Tools
- Shellcode Stuff
- 101
- Shellcode - Wikipedia
- Shellcoding for Linux and Windows Tutorial - Steve Hanna(2007)
- shellcode-resources
- Resources About Shellcode
- Analysis
- How-Tos
- Writeups
- How To Build A Kernel Shellcode Design and Testing Platform For Windows 8 By Using Windbg - cawanblog(2012)
- Network detection of x86 buffer overflow shellcode - Gary Golomb(2012)
- Phishing with obfuscated javascript, shellcode and malware - Manuel Pelaacuteez(2012)
- Shellcode Detection with XORSearch - Didier Stevens(2014)
- Obfuscated shellcode inside a malicious RTF document - zairon(2014)
- Converting Shellcode to Portable Executable (32- and 64- bit) - hexacorn(2015)
- VB Dropper and Shellcode for Hancitor Reveal New Techniques Behind Uptick - Jeff White(2016)
- VBA Shellcode and EMET - Didier Stevens(2016)
- Threat Actors Employ COM Technology in Shellcode to Evade Detection - Haifei Li(2016)
- UAF Bug Affects Internet Explorer, Runs Shellcode - Elliot Cao(2018)
- Malicious Excel documents with macros running shellcodes - Angel Alonso-Parrizas(2016)
- Reversing shellcode using blobrunner and Olly - @malwarenailed(2018)
- Those Pesky Powershell Shellcode’s And How To Understand Them - pcsxcetrasupport3(2019)
- Shellcode Tester
- GUI Application in C# to run and disassemble shellcode
- A look at a bmp file with embedded shellcode - pcsxcetrasupport3(2019)
- Solving MalwareTech Shellcode challenges with some radare2 magic! - Alan Vivona(2019)
- ShellCodeEmulator
- ShellcodeEmulator emulates Windows shellcode with the help of windbg process memory dumps. You can provide shellcode to analyze with any Windows process dump image. The tool will emulate as much as of the userland code using the shellcode bytes and the provided dump image.
- Let's Learn: Dissecting Operation ShadowHammer Shellcode Internals in crt_ExitProcess - Vitali Kremez(2019)
- Maldoc with Nonfunctional Shellcode - Didier Stevens(2019)
- bdshemu: The Bitdefender shellcode emulator - Andrei Lutas(2020)
- RIFT: Analysing a Lazarus Shellcode Execution Method - Research and Intelligence Fusion Team(RIFT)(2021
- A Look at Metasploit’s Shellcodes - Hido Cohen(2021)
- Reversing a shellcode with import by hash - jeremy@bidouillesecurity
- Videos
- Shellcode detection techniques - Svetlana Gaivoronski(2014)
- Debugging shellcode using BlobRunner and IDA Pro - OALabs(2017
- Extract Shellcode from Fileless Malware like a Pro -
- Here I demonstrate how to extract shellcode from the context of a malicious Word doc which uses VBA to inject shellcode into the memory space of a victim process.
- Beginner Reversing #2 (Shellcode1 & MEMZ Malware) - Marcus Hutchins(2018
- Walkthrough of static analysis challenge Shellcode1 from https://www.malwaretech.com/beginner-malware-reversing-challenges, some live reversing of the MEMZ trojan, and viewer Q&A.
- Beginner Reversing #3 (Shellcode2 & Lab Overview) - Marcus Hutchins(2018)
- Walkthrough of static analysis challenge Shellcode2 from https://www.malwaretech.com/beginner-malware-reversing-challenges, some overview of my home malware analysis lab, and viewer Q&A.
- Excel 4.0 Macros Analysis - Cobalt Strike Shellcode Injection - Colin Hardy(2019)
- Here I describe how you can analyse a very stealthy technique to execute shellcode via Process Injection from an old-skool Excel Macro technique, known as Excel 4.0 Macros. This seems to be a technique favoured by many APT's and Red Teams given the lack of detection by lots of anti-malware technology. The sample attempts to inject shellcode which transpires to be a Cobalt Strike beacon which uses Domain Fronting to access its C2.
- Tools
- Shellcode2Exe
- Shellcode Analysis - Rolf Rolles(2007)
- "My solution to this is a small python script, based upon Ero's pefile, that creates an IDC declaration of an IDA enumeration for each DLL. The enum serves as a mapping between each exported name and its hash. Since the API hashing function may change, the Python function to do this is extensible via a function pointer which defaults to the standard hash presented above."
- BlobRunner
- BlobRunner is a simple tool to quickly debug shellcode extracted during malware analysis. BlobRunner allocates memory for the target file and jumps to the base (or offset) of the allocated memory. This allows an analyst to quickly debug into extracted artifacts with minimal overhead and effort. Writing Shellcode
- 101
- Multi-Platform
- Architecture Spanning Shellcode - eugene(2002)
- The general idea behind an architecture spanning shellcode is trying to come up with a sequence of bytes that would execute a jump instruction on one architecture while executing a nop-like instruction on another architecture. That way we can branch to architecture specific code depending on the platform our code is running on.
- isX64 Gem - ragestorm.net(2012)
- Building multi-architecture shellcode with shellcodecs - chokepoint.net(2013)
- Building a multiplatform shellcode header - chokepoint.net(2013)
- Shellcode: Detection between Windows/Linux/BSD on x86 architecture - odzhan(2016)
- Shellcode: Execute command for x32/x64 Linux / Windows / BSD - odzhan(2016)
- "I was hoping to present here a code that would execute perfectly on 32/64-bit Linux/BSD and Windows systems"
- Shellcodes: Executing Windows and Linux Shellcodes - modexp(2016)
- CPU signatures for OS identification - modexp
- Architecture Spanning Shellcode - eugene(2002)
- Agnostic
- Not all shellcode locations are made equal - seanhn(2009)
- Morphing shellcode using CFGs and SAT - seanhn(2009) (De/En)coders
- Writing Custom Shellcode Encoders and Decoders - @spotheplanet
- Synesthesia: Modern Shellcode Synthesis (Ekoparty 2016 Talk) - Rolf Rolles(2016)
- Here are the slides and code for my recent presentation at Ekoparty 2016. The full abstract can be found below. In brief, this research involved automatically generating shellcodes when there are restrictions on legal encodings. We explore examples ranging from well-known ones (no NULL bytes, no '%' character, printable, alphanumeric, all letters uppercase, etc.) to weird and challenging ones (bytes must alternate even and odd, no duplicate bytes, all words are prime numbers, etc). We also explore automated encoding and decoder generation: e.g., given some existing shellcode, transform it into (for example) alphanumeric bytes, and generate a decoder to revert the encoding at run-time. We also explore tasks like finding the shortest or longest solutions, re-writing existing shellcodes into a given encoding, exploiting known facts about the input state, and integration with automated exploit generation.
- Creating a Custom shellcode encoder - Dhayalan(2017)
- Custom shellcode encoder - Snowscan(2018)
- Creating a Custom Shellcode Encoder - rastating(2018)
- Custom base64 alphabet encoder/decoder - Matteo Malvica(2019)
- Converting win shellcode from msfvenom to FASM - Matteo Malvica(2019)
- Shikata Ga Nai Encoder Still Going Strong - Steve Miller, Evan Reese, Nick Carr(2019)
- The Lost Art of Shellcode Encoder/Decoders - Dave Aitel(2019
- In-Memory shellcode decoding to evade AVs/EDRs - Askar(2020)
- x86 ASCII AND-SUB Encoder - phra(2019)
- Shellcode: Encoding Null Bytes Faster With Escape Sequences - odzhan(2020
- The Shikata Ga Nai Encoder - Nick Hoffman, Jeremy Humble, and Toby Taylor
- The x86 Countdown Encoder, Explained
- Modifying Metasploit Shellcode Decoders to Bypass Static Analysis - Alexander Bode, Jelle Ermerins(2020)
- Obfuscators
- Articles/Blogposts/Writeups
- Papers
- Tools
- OWASP ZSC
- OWASP ZSC is open source software written in python which lets you generate customized shellcode and convert scripts to an obfuscated script. This software can be run on Windows/Linux/OSX with python.
- Shellcoding(Mr-Un1k0d3r)
- Shellcoding Utilities and shellcode obfuscator generator.
- Obfuscator
- UniByAv
- Simple x64 XOR Shellcode Obfuscation - Entropy(2011
- Obfusion
- This library handles obfuscation of assembled X86 machine code in order to make it harder to read and analyze during the reverse engineering process.
- PythonAESObfuscate
- ADDMutate
- A shellcode mutation engine, can evade NIDS.
- Windows
- 101/&Stuff
- Understanding Windows Shellcode - Skape(2003)
- Understanding the PEB Loader - dzzie
- High Level Windows Shellcode Development Methods - Stephen Bradhshaw(2011)
- The Art of Win32 Shellcoding - AmrThabet(2012)
- Create a custom shellcode using System() function - Peru@gosecure.it(2014)
- Part 6: Writing W32 shellcode - b33f
- Shellcode - Massimiliano Tomassoli(2015)
- How to write a Windows Shellcode... (beginners) - Abdel Harbi(2016)
- Basics of Windows shellcode writing - Iliya Dafchev(2017)
- Win32 Shellcode - Intro - bolo(2019)
- (Windows 32-bit) Shellcoding 101 - ivanitlearning.wordpress.com(2018)
- Introduction to Windows shellcode development – Part 1 - Ionut Popescu(2015)
- Safer Shellcode Implants - Stuart Morgan(2016)
- Writing Shellcode in Visual Studio - UserExistsError(2018)
- Windows x86 Manual Shellcode - Part 1 - bugtree(2018)
- Dynamic Shellcode Execution - Noora Hyvärinen(2019
- Weaponizing dnscat with shellcode and Metasploit - skullsecurity(2010)
- masm_shc
- A helper utility for creating shellcodes. Cleans MASM file generated by MSVC, gives refactoring hints.
- Binary to shellcode - superkojiman(2013)
- Staying Hidden on the Endpoint: Evading Detection with Shellcode - Evan Pena, Casey Erikson(2019)
- Baby’s First Win32 Shellcode - h0mbre(2019)
- Windows x86 MessageBox shellcode - Marcos Valle(2019)
- Leveraging from PE parsing technique to write x86 shellcode - Mohamed Fakroud(2021)
- Talks/Presentations
- Windows Shellcode Mastery - Benjamin Caillat(BHEU2009)
- Teaching Old Shellcode New Tricks - @midnite_runr(Defcon25)
- Slides
- Code
- Metasploit x86 shellcode has been defeated by EMET and other techniques not only in exploit payloads but through using those payloads in non-exploit situations (e.g. binary payload generation, PowerShell deployment, etc..). This talk describes taking Metasploit payloads (minus Stephen Fewer's hash API), incorporating techniques to bypass Caller/EAF[+] checks (post ASLR/DEP bypass) and merging those techniques together with automation to make something better.
- Techniques
- x86 vs x64
- Windows x64 Shellcode - Topher Timzen(2014)
- I will go over the differences between 32 and 64 bit assembly that I have noticed and how to work with them as well as some of the structures windows uses that are useful to know about for shellcode in the 64bit environment. I will also introduce two tools that I have created in helping my exploit development process.
- Asmcodes: Platform Independent PIC for Loading DLL and Executing Commands - odzhan(2015)
- Shellcode: Dual mode PIC for x86 (Reverse and Bind Shells for Windows) - odzhan(2017)
- Writing shellcodes for Windows x64 - nytrosecurity(2019)
- Windows x64 Shellcode - Topher Timzen(2014)
- Dumping LSASS
- Encryption
- Execute a PE in memory/RDI * Shellcode: In-Memory Execution of DLL - modexp(2019)
- HTA->ActiveX
- Hiding WinAPI imports
- Kernel-related
- Resolving Function Addresses Statically
- Resolving Function Addresses Dynamically
- PE infection under Win32 - Mister Sandman, Jack Qwerty, GriYo(
- Impersonation, your friend - Ratter/29A
- GetProcAddress-alike utility - Jack Qwerty
- RETRIEVING API'S ADRESSES - LethalMind
- Retrieving Kernel32's Base Address - Stephen Fewer(2009)
- Customizing the GetProcAddress - Marc Kranz(2011)
- Finding Kernel32 Base Address Shellcode - ragestorm.net(2016)
- Shellcode: Fido and how it resolves GetProcAddress and LoadLibraryA - odzhan(2017)
- Shellcode: Using the Exception Directory to find GetProcAddress - odzhan(2019)
- Shellcode: Resolving API addresses in memory - Odzhan(2017)
- Finding Kernel32 Base and Function Addresses in Shellcode - @spotheplanet
- Windows Shellcoding x86 – Hunting Kernel32.dll – Part 1 - paranoidninja(2018)
- How to implement GetProcAddress in shellcode using x86-64 and x86 assembly language. - Dennis A. Babkin(2020
- Writing Minimized Shellcode
- Writing Small Shellcode - Dafydd Stuttard(2005)
- This paper describes an attempt to write Win32 shellcode that is as small as possible, to perform a common task subject to reasonable constraints. The solution presented implements a bindshell in 191 bytes of null-free code, and outlines some general ideas for writing small shellcode.
- Shellcode Golf: Every Byte is Sacred - egypt(2014)
- Shellcode reduction tips (x86) - abatchy(2017)
- Shellcode: x86 optimizations part 1 - odzhan(2017)
- Shellcode: Data Compression - odzhan(2019)
- Shellcode: Recycling Compression Algorithms for the Z80, 8088, 6502, 8086, and 68K Architectures. - odzhan(2020)
- Writing Small Shellcode - Dafydd Stuttard(2005)
- Writing Using a Compiler
- Writing WIN32 Shellcode With a C-compiler - Didier Stevens(2010)
- Writing Shellcode with a C Compiler - Nick Harbour(2010)
- Writing Optimized Windows Shellcode in C - Matt Graeber(2013)
- Writing shellcode in C++ - zwclose7(2014)
- Shellcode Techniques in C++ - Topher Timzen(2015)
- Shellcode: A Windows PIC using RSA-2048 key exchange, AES-256, SHA-3 - odzhan(2016
- Writing and Compiling Shellcode in C - @spotheplanet
- Write Windows Shellcode in Rust
- x86 vs x64
- Talks/Presentations/Videos
- POP POP RETN An Introduction to Writing Win32 Shellcode - Christopher Maddalena(Derbycon2017)
- Slides
- If you have ever worked with an exploit or Metasploit, you have probably used shellcode, but do you know how it is made? This talk has been designed to walk you through the ins and outs of basic shellcode, with a focus on Windows and the x86 architecture. There will be a review of the basic computer science behind shellcode, a look under the hood of msfvenom works and how you can recreate msfvenom’s shellcode in Assembly, and then a walkthrough and a demo of how you can create a custom connectback stager using Assembly.
- POP POP RETN An Introduction to Writing Win32 Shellcode - Christopher Maddalena(Derbycon2017)
- Tools
- Donut
- Generates x86, x64, or AMD64+x86 position-independent shellcode that loads .NET Assemblies, PE files, and other Windows payloads from memory and runs them with parameters
- Venom
- The script will use msfvenom (metasploit) to generate shellcode in diferent formats (
C#, python, ruby, dll, msi, hta-psh, docm, apk, macho, elf, deb, mp4, etc) injects the shellcode generated into one template (example: python) "the python funtion will execute the shellcode into ram" and uses compilers like gcc (gnu cross compiler) or mingw32 or pyinstaller to build the executable file. It also starts a multi-handler to recive the remote connection (shell or meterpreter session). 'venom generator' reproduces some of the technics used by Veil-Evasion.py, unicorn.py, powersploit.py, etc..
- The script will use msfvenom (metasploit) to generate shellcode in diferent formats (
- Cross Arch Shellcode Compiler
- Cross Architecture Shellcode in C
- shellcode
- Shellcode library as a Go package.
- Shellsploit
- Shellsploit let's you generate customized shellcodes, backdoors, injectors for various operating system. And let's you obfuscation every byte via encoders.
- Shellcode Compiler
- Shellcode Compiler is a program that compiles C/C++ style code into a small, position-independent and NULL-free shellcode for Windows (x86 and x64) and Linux (x86 and x64). It is possible to call any Windows API function or Linux syscall in a user-friendly way.
- Donut
- Samples
- Windows x64 Shellcode - mcdermottcybersecurity(2011)
- Windows Kernel Shellcodes - a compendium - Matteo Malvica
- Shellcode - Didier Stevens
- SelfDefense
- Several self defense shellcodes
- x86_shellcode_tutorial
- ShellcodeOfDeath
- In-Memory Shellcode
- PIC_Bindshell
- Position Independent Windows Shellcode Written in C
- Windows Reverse Shell Shellcode I. - elcapitan(2015)
- Shellcode to Invert Colors - Osanda Malith(2017)
- Shellcode to Scroll Your Desktop Horizontally - Osanda Malith(2017)
- Shellcode to Scroll your Desktop Vertically and Horizontally - Osanda Malith(2017)
- Windows XP PRO SP3 - Full ROP calc shellcode - b33f
- FreeFloat FTP (custom shellcode) - b33f
- ProfessionallyEvil x86 ASM
- Expiring Shellcode update - averagejoe(2019)
- A Shellcode Idea - averagejoe(2019)
- Shellcode: A Tweetable Reverse Shell for x86 Windows - odzhan(2017)
- Windows/x86 - Download File (http://127.0.0.1/file.exe) + Execute Shellcode (124 bytes) - weiss
- rev_overlap32.asm
- ASM that provides a win32 reverse connect shell with no null bytes.
- block_api.asm - Stephen Fewer
- Input: The hash of the API to call and all its parameters must be pushed onto stack. Output: The return value from the API call will be in EAX.
- Download and Execute Payload Using MSIEXEC - Kartik Durg(2019)
- win-exec-calc-shellcode
- Small null-free shellcode that execute calc.exe. Runs on x86 and x64 versions of Windows 5.0-6.3 (2000, XP, 2003, 2008, 7, 8, 8.1), all service packs.
- win-exec-calc-shellcode
- Windows x86 - spawn calc.exe Win7/10 (176 bytes) - bolonobolo
- Windows x86 - spawn custom MessageBox Win7/10 (223 bytes) - bolonobolo
- Windows x86 - spawn reverse shell Win7/10 (387 bytes) - bolonobolo
- Windows x86 - hashed reverse shell Win7/10 (222 bytes) - bolonobolo
- 101/&Stuff
- Execution of Shellcode
- Windows
- Dyna-legacy
- IActiveScript - MSDN
- Provides the methods necessary to initialize the scripting engine. The scripting engine must implement the
IActiveScriptinterface.
- Provides the methods necessary to initialize the scripting engine. The scripting engine must implement the
- Last-minute presentation: Novel code obfuscation with COM - Robert Freeman(VB2007)
- A DynaCall() Function for Win32 - Ton Plooy(1998)
- An Automation Object for Dynamic DLL Calls - Jeff Strong(1998)
- "Here's an OLE automation object for dynamically declaring and accessing functions in external DLLs"
- Additional exe encoder option "vbsmem" - Metasploit(2011)
- Shellcode Via JScript / VBScript - Happening Now! - Casey Smith(2016)
- Shellcode: In-Memory Execution of JavaScript, VBScript, JScript and XSL - Osanda Malith(2019)
- DynamicWrapper
- DynamicWrapperX
- DynamicWrapperEx – Registration-Free In-Process COM Automation Server - Paul Laîné(2020)
- DynamicWrapperEx – Windows API Invocation from Windows Script Host - Paul Laine(2021)](https://www.contextis.com/en/blog/dynamicwrapperex-windows-api-invocation-from-windows-script-host)
- In-Memory Execution of an Executable - Amit Malik
- IActiveScript - MSDN
- Runners
- Articles
- Syringe utility provides ability to inject shellcode into processes - firebits(2011)
- A patch for PowerSploit’s Invoke-Shellcode.ps1 - Marco Ivaldi(2017)
- C_Shot - Just What The Doctor Ordered - redxorblue(2020)
- Alaris * Blogpost
- A Fundamental Tool in the Toolkit: Evasive Shellcode Launchers – Part 1 - Nichoali Wang(2020)
- ScatterBrain * ScatterBrain is a shell code runner with a variety of execution and elevation options. Given unencoded shellcode, it will then be encoded with the XOR key SecretKey (found in Cryptor/Program.cs and ScatterBrain/Headers/RawData.h) using the Cryptor binary. Cryptor.exe generates an encrypted.bin, which can be copied into ScatterBrain/Headers/RawData.h. You can then build ScatterBrain as a DLL which can be leveraged in one of the templates. Additionally, this will build the .NET Profiler UAC Bypass to use in your operations.
- Bypassing EDR real-time injection detection logic - @_lpvoid(2021)
- SyscallPOC
- Shellcode injection POC using syscalls.
- Techniques
101
- A Beginner’s Guide to Windows Shellcode Execution Techniques - Carsten Sandker(2019) * Code * This blog post is aimed to cover basic techniques of how to execute shellcode within the memory space of a process.
- Syscalls
- Callbacks
- Articles/Blogposts/Writeups
- Shellcode. I’ll Call you back. - hexacorn(2016
- Abusing native Windows functions for shellcode execution - Jeff White(2017)
- "I've been doing a lot of analysis on malicious docs (maldocs) lately and, among a popular variant circulating right now, is a technique that I found particularly interesting. Effectively, it abuses native Windows function calls to transfer execution to shellcode that it loads into memory. I thought it was cool in this context, and not something that I was super familiar with, even though I've since learned it's a very old technique, so I set out to do some research in identifying additional functions that could be abused in a similar way and how to leverage them
- Executing Shellcode via Callbacks - Osanda Malith(2021
- Shellcode Execution via CreateThreadpoolWait - @spotheplanet
- TLS Injector: running shellcodes through TLS callbacks - Borja Merino(2015)
- Windows Data Structures and Callbacks, Part 1 - odzhan(2020
- Samples
- Alternative Code Execution
- According to Microsoft, a callback function is code within a managed application that helps an unmanaged DLL function complete a task. Calls to a callback function pass indirectly from a managed application, through a DLL function, and back to the managed implementation. This repository contains a list of callback functions that can be used to execute position independent shellcode so that CreateThread would be a thing of the past :P.
- Alternative Code Execution
- Articles/Blogposts/Writeups
- Debugging APIs
- Articles/Blogposts/Writeups
- debug_inject
- Shellcode injection using debugging APIs
- debug_inject
- Articles/Blogposts/Writeups
- Embedded within a File
- Punk Ode - Hiding shellcode in plain sight - Michael Sutton, Greg MacManus(BHUSA2006)
- Slides
- "Injecting shellcode into a vulnerable program so you can find it reliably can be tricky. With image format vulnerabilities, sometimes the only place you can put your code is in the image itself. If a file attempting to exploit one of these vulnerabilities was rendered using a non-vulnerable application, the ‘strange’ files might raise some suspicion; a file containing a NOP-sled and shellcode does not tend to look like any normal photo. What if shellcode could be injected in this way without significantly altering the appearance of the file? What if the entire file could be transformed into executable code but the original image or sound could still be rendered? In this presentation we will present Punk Ode, which combines concepts from steganography, psychophysics and restricted character-set shellcode encoding to hide shellcode in plain sight. We will discuss how to convert a media file into a stream of valid instructions while leaving the initial images/sounds intact so as not to raise suspicion. We will also release a series of tools designed to automate the generation of such files.
- Punk Ode - Hiding shellcode in plain sight - Michael Sutton, Greg MacManus(BHUSA2006)
- 'Empty' PE
- Execution through a language
- Execute ShellCode Using Python - Debasish Mandal(2012)
- Executing Shellcode with Python - doyler(2015)
- PythonShellcode
- A simple script for executing shellcode in Python (as opposed to C)
- File Installers
- Articles/Blogposts/Writeups
- InnoSetup Execute Shellcode PoC
- Run shellcode through InnoSetup code engine.
- InnoSetup Execute Shellcode PoC
- Articles/Blogposts/Writeups
- In-Line Assembly
- Articles/Blogposts/Writeups
- .NET
- PE Resources
- PIC in C
- sRDI
- sRDI – Shellcode Reflective DLL Injection - Nick Landers(2017)
- sRDI - Shellcode Reflective DLL Injection
- sRDI allows for the conversion of DLL files to position independent shellcode. It attempts to be a fully functional PE loader supporting proper section permissions, TLS callbacks, and sanity checks. It can be thought of as a shellcode PE loader strapped to a packed DLL.
- Shellcode Reflective DLL Injection - @spotheplanet
- Beginners guide to Reflective DLL Injection - quantumcore(2021)
- UUid
- Articles/Blogposts/Writeups
- Tools
- go-shellcode(Ne0nd0g)
- A repository of Windows Shellcode runners and supporting utilities. The applications load and execute Shellcode using various API calls or techniques.
- C_Shot
- C_Shot is an offensive security tool written in C which is designed to download, inject, and execute shellcode in memory.
- go-shellcode
- This is a program to run shellcode as its own process, all from memory. This was written to defeat anti-virus detection.
- Go4aRun
- GOing 4 A Run - Leo Pitt(2020)
- Shellcode runner in GO that incorporates shellcode encryption, remote process injection, block dlls, and spoofed parent process
- UrbanBishopLocal
- A port of FuzzySecurity's UrbanBishop project for inline shellcode execution
- DueDLLigence
- Shellcode runner framework for application whitelisting bypasses and DLL side-loading. The shellcode included in this project spawns calc.exe.
- Crab-Runner
- shellcode-process-injection
- Simple C implementation to perform shellcode process injection via win32 APIs
- fido
- pe_to_shellcode
- Converts PE so that it can be then injected just like a normal shellcode. (At the same time, the output file remains to be a valid PE). Supports both 32 and 64 bit PEs Authors: @hasherezade & @hh86
- ShellcodeWrapper
- Shellcode wrapper with encryption for multiple target languages
- go-shellcode(Ne0nd0g)
- Ridgway
- A quick tool for hiding a new process running shellcode.
- go-shellcode
- A repository of Windows Shellcode runners and supporting utilities. The applications load and execute Shellcode using various API calls or techniques.
- RemoteCryptoShellcodeLoader
- Doge-Loader](https://github.com/timwhitez/Doge-Loader)
- ShellcodeLoader
- ShellcodeLoader of windows can bypass AV.
- SimpleShellcodeInjector (SSI)
- SimpleShellcodeInjector receives as an argument a shellcode in hex and executes it. It DOES NOT inject the shellcode in a third party application.
- SharpZipRunner
- Executes position independent shellcode from an encrypted zip Get PIC code from your assembly either by using donut or metasploit or cobaltstrike RAW format.
- RedTeamFSharp
- Red Team Toolset written in F# (Experimental)
- DripLoader
- DripLoader-Ops
- Dyna-legacy
- Windows
- 101
- Software Deployment Tools
- System Services
- Service Execution
- Articles/Blogposts/Writeups
- Service Execution
- 1st-Party Software
- Third-Party Software
- Articles/Blogposts/Writeups
- Abusing Firefox in Enterprise Environments - Daniil Vylegzhanin(2020)
- In this blogpost, we will describe a technique that abuses legacy Firefox functionality to achieve command execution in enterprise environments. The security issue was that the compromised domain user had Full Control rights on the files stored in the GPO, which were then subsequently deployed by SCCM to the Mozilla Firefox installation folder for all computer objects within the OU where the GPO was applied.
- Abusing Firefox in Enterprise Environments - Daniil Vylegzhanin(2020)
- Talks/Presentations/Videos
- Tools
- Articles/Blogposts/Writeups
- User Execution
- Malicious Link
- Articles/Blogposts/Writeups
- Malicious File
- Malicious Link
- Windows Diagnostic Tools
- Articles/Blogposts/Writeups
- Talks/Presentations/Videos
- Using Windows diagnostics for system compromise - Nicholas Berthaume "aricon"(Derbycon2015)
- This talk will discuss the merits of using Microsoft diagnostic tools in order to deliver payloads to modern Microsoft operating systems with little or no scrutiny by anti-virus and network intrusion sensors.Ê In it I will go over the reasons for using this tool-set including the advantages of more conventional techniques as well as the reasoning behind its exploration vs. more invasive payloads including those reliant on bugs to provide system compromise.Ê Additionally a tool will be introduced that will provide for the creation of payloads on compatible
*nixoperating systems whereas previously they could only be generated using the Microsoft SDK on their operating systems.Ê Additionally there will be an element of privilege escalation by way of UAC bypass on default configurations of the windows operating system.
- This talk will discuss the merits of using Microsoft diagnostic tools in order to deliver payloads to modern Microsoft operating systems with little or no scrutiny by anti-virus and network intrusion sensors.Ê In it I will go over the reasons for using this tool-set including the advantages of more conventional techniques as well as the reasoning behind its exploration vs. more invasive payloads including those reliant on bugs to provide system compromise.Ê Additionally a tool will be introduced that will provide for the creation of payloads on compatible
- Using Windows diagnostics for system compromise - Nicholas Berthaume "aricon"(Derbycon2015)
- Windows Management Instrumentation
- Articles/Blogposts/Writeups
- Talks/Presentations/Videos
- Abusing Windows Management Instrumentation (WMI) - Matthew Graeber(BH USA 2015)
- Imagine a technology that is built into every Windows operating system going back to Windows 95, runs as System, executes arbitrary code, persists across reboots, and does not drop a single file to disk. Such a thing does exist and it's called Windows Management Instrumentation (WMI). With increased scrutiny from anti-virus and 'next-gen' host endpoints, advanced red teams and attackers already know that the introduction of binaries into a high-security environment is subject to increased scrutiny. WMI enables an attacker practicing a minimalist methodology to blend into their target environment without dropping a single utility to disk. WMI is also unlike other persistence techniques in that rather than executing a payload at a predetermined time, WMI conditionally executes code asynchronously in response to operating system events. This talk will introduce WMI and demonstrate its offensive uses. We will cover what WMI is, how attackers are currently using it in the wild, how to build a full-featured backdoor, and how to detect and prevent these attacks from occurring.
- Abusing Windows Management Instrumentation (WMI) - Matthew Graeber(BH USA 2015)
- Tools
- Windows Remote Management(WinRM)
- Tools
- CSharpWinRM
- CsharpWinRM is a .NET 4.0 implementation of WinRM using the WinRM C++ API. This project takes in credentials and a command, then executes it on the remote host using Win32_Process.
- CSharpWinRM
- Tools
- Windows Trouble Shooting Packs
- 101
- Windows Troubleshooting Platform - docs.ms
- Windows Troubleshooting Platform (WTP) provides ISVs, OEMs, and administrators the ability to write troubleshooting packs that are used to discover and resolve issues found on the computer. Previously, troubleshooting software and hardware issues was a manual process; however, using WTP you can automate the process of fixing the most common detectable issues that the user might encounter using your software or hardware.
- Built-in Troubleshooting Packs - docs.ms
- Windows 7 includes built-in troubleshooting packs to deal with common problems such as problems that are related to printers, displays, sound, networking, system performance, and hardware compatibility. Microsoft designed these troubleshooting packs to correlate to the top ten categories of Microsoft support calls.
- Windows Update Troubleshooter for Windows 10
- TroubleshootingPack(PowerShell) - docs.ms
- This reference provides cmdlet descriptions and syntax for all Troubleshooting Pack cmdlets. It lists the cmdlets in alphabetical order based on the verb at the beginning of the cmdlet.
- Windows Troubleshooting Platform - docs.ms
- Articles/Blogposts/Writeups
- Talks/Presentations/Videos
- Tools
- 101
- Payloads
- Articles/Blogposts/Writeups
- Papers
- Post-Exploitation on Windows using ActiveX Controls
- When exploiting software vulnerabilities it is sometimes impossible to build direct communication channels between a target machine and an attacker's machine due to restrictive outbound filters that may be in place on the target machine's network. Bypassing these filters involves creating a post-exploitation payload that is capable of masquerading as normal user traffic from within the context of a trusted process. One method of accomplishing this is to create a payload that enables ActiveX controls by modifying Internet Explorer's zone restrictions. With ActiveX controls enabled, the payload can then launch a hidden instance of Internet Explorer that is pointed at a URL with an embedded ActiveX control. The end result is the ability for an attacker to run custom code in the form of a DLL on a target machine by using a trusted process that uses one or more trusted communication protocols, such as HTTP or DNS.
- Post-Exploitation on Windows using ActiveX Controls
- Tools
- SirepRAT
- Remote Command Execution as SYSTEM on Windows IoT Core; The method is exploiting the Sirep Test Service that’s built in and running on the official images offered at Microsoft’s site. This service is the client part of the HLK setup one may build in order to perform driver/hardware tests on the IoT device. It serves the Sirep/WPCon/TShell protocol. We broke down the Sirep/WPCon protocol and demonstrated how this protocol exposes a remote command interface for attackers, that include RAT abilities such as get/put arbitrary files on arbitrary locations and obtain system information. Based on the findings we have extracted from this research about the service and protocol, we built a simple python tool that allows exploiting them using the different supported commands. We called it SirepRAT. It features an easy and intuitive user interface for sending commands to a Windows IoT Core target. It works on any cable-connected device running Windows IoT Core with an official Microsoft image.
- Whitepaper
- Slides
- SirepRAT
- Articles/Blogposts/Writeups
- Persistence
- 101
- Tactics
- Talks/Presentations/Videos
- Evading Autoruns - Kyle Hanslovan, Chris Bisnet(Derbycon2017)
- When it comes to offense, maintaining access to your endpoints is key. For defenders, it's equally important to discover these footholds within your network. During this talk, Kyle and Chris will expose several semi-public and private techniques used to evade the most common persistence enumeration tools. Their techniques will explore ways to re-invent the run key, unconventionally abuse search order, and exploit trusted applications. To complement their technical explanations, each bypass will include a live demo and recommendations for detection.
- Materials
- Here to stay: Gaining persistency by Abusing Advanced Authentication Mechanisms - Marina Simakov, Igal Gofman
- Killsuit the equation group's swiss army knife for persistence - Francisco J Donoso(BlueHat v18)
- This talk expands on my research into the Equation Group's post exploitation tools. My previous research focused on providing a general overview of DanderSpritz, a full-featured post-exploitation toolkit included in the ShadowBroker's "Lost in Translation" leak. This talk provides a deep dive into KillSuit which is the Equation Group's Swiss Army Knife for persistence, information gathering, defense evasion, and data exfiltration in unique and interesting ways. During the talk, we will dissect the capabilities and functionality of the KillSuit framework, a little-known (and somewhat overlooked) component of the much larger DanderSpritz post-exploitation toolkit, leaked by the Shadow Brokers in April 2017. KillSuit is a full featured and versatile framework used by a variety of the Equation Group's tools and implants. KillSuit provides the ability to quietly establish persistence on machines via bootkits and other persistence methods and then allows operators to install persistent modules such as keyloggers, packet capture tools, tools that perform WiFi MITM, and other more information gathering tools. KillSuit also includes support for many plugins that provide interesting ways to silently exfiltrate data - some specifically designed to make data exfiltration across air gapped networks possible - including custom written IPSEC-like protocols and misuse of "disabled" WIFI cards and nearby open networks.
- Evading Autoruns - Kyle Hanslovan, Chris Bisnet(Derbycon2017)
- Tools
- 3rd Party Applications
- Account Manipulation
- Additional Azure Service Principal Credentials
- Exchange Email Delegate Permissions
- Add Office 365 Global Administrator Role
- RID Hijack
- Articles/Blogposts/Writeups
- Talks/Presentations/Videos
- RID Hijacking: Maintaining Access on Windows Machines - Sebastián Castro(Derbycon2018)
- Slides
- The art of persistence is (and will be...) a matter of concern when successfully exploitation is achieved. Sometimes it is pretty tricky to maintain access on certain environments, especially when it is not possible to execute common vectors like creating or adding users to privileged groups, dumping credentials or hashes, deploying a persistent shell, or anything that could trigger an alert on the victim. This statement ratifies why it's necessary to use discrete and stealthy techniques to keep an open door right after obtaining a high privilege access on the target. What could be more convenient that only use OS resources in order to persist an access? This presentation will provide a new post-exploitation hook applicable to all Windows versions called RID Hijacking, which allows setting desired privileges to an existent account in a stealthy manner by modifying some security attributes. To show its effectiveness, the attack will be demonstrated by using a module which was recently added by Rapid7 to their Metasploit Framework, and developed by the security researcher Sebastián Castro.
- RID Hijacking: Maintaining Access on Windows Machines - Sebastián Castro(Derbycon2018)
- Tools
- RID Hijacking: Maintaining Access on Windows Machines
- The RID Hijacking hook, applicable to all Windows versions, allows setting desired privileges to an existent account in a stealthy manner by modifying some security attributes of an user. By only using OS resources, it is possible to replace the RID of an user right before the primary access token is created, allowing to spoof the privileges of the hijacked RID owner.
- RID Hijacking: Maintaining Access on Windows Machines
- SSH Authorized Keys
- Accessibility Features
- Active Directory Specific
- Articles/Blogposts/Writeups
- Sneaky Active Directory Persistence Tricks - adsecurity.org
- Shadow Admins – The Stealthy Accounts That You Should Fear The Most - Asaf Hect
- Thousand ways to backdoor a Windows domain (forest)
- Remote Hash Extraction On Demand Via Host Security Descriptor Modification - Will Harmjoy
- Tl;dr if you gain “administrative” access to a remote machine, you can modify a few host security descriptors and have a security principal/trustee of your choice generate Silver Tickets indefinitely, as well as remotely retrieve local hashes and domain cached credentials.
- Talks/Presentations/Videos
- Obtaining and Detecting Domain Persistence - Grant Bugher(DEF CON 23)
- When a Windows domain is compromised, an attacker has several options to create backdoors, obscure his tracks, and make his access difficult to detect and remove. In this talk, I discuss ways that an attacker who has obtained domain administrator privileges can extend, persist, and maintain control, as well as how a forensic examiner or incident responder could detect these activities and root out an attacker.
- Obtaining and Detecting Domain Persistence - Grant Bugher(DEF CON 23)
- Tools
- Directory Services Restore Mode
- Golden(Silver) Ticket
- Golden Ticket
- Kerberos Golden Tickets are Now More Golden
- Silver & Golden Tickets - hackndo
- [Mimikatz 2.0 - Golden Ticket Walkthrough - Ben Lincoln
https://www.beneaththewaves.net/Projects/Mimikatz_20_-_Golden_Ticket_Walkthrough.html
- Security Support Provider
- SeEnableDelegationPrivilege
- SID History
- Articles/Blogposts/Writeups
- Alternate Data Streams
- 101
- Articles/Blogposts/Writeups
- Stealth Alternate Data Streams and Other ADS Weirdness - @mattifestation(2011)
- Putting data in Alternate data streams and how to execute it - oddvar.moe
- Kurt Seifried Security Advisory 003 (KSSA-003)
- NTFS Alternate Data Streams for pentesters (part 1)
- Using Alternate Data Streams to Persist on a Compromised Machine
- Using Alternate Data Streams to Persist on a Compromised Machine - enigma0x3
- NTFS Alternate Data Streams - darknessgate.com
- NTFS Alternate Data Streams (ADS) - Vault7
- NTFS Alternate Data Streams for pentesters (part 1) - AMM(2014)
- NTFS Alternate Streams: What, When, and How To - flexhex.com
- Talks & Presentations
- Tools
- Streams
- "NT does not come with any tools that let you see which NTFS files have streams associated with them, so I've written one myself. Streams will examine the files and directories (note that directories can also have alternate data streams) you specify and inform you of the name and sizes of any named streams it encounters within those files. Streams makes use of an undocumented native function for retrieving file stream information."
- Exe_ADS_Methods.txt - api0cradle
- Execute from Alternate Streams
- Get-ADS
- Powershell script to search for alternate data streams
- Evading Autoruns
- When it comes to offense, maintaining access to your endpoints is key. For defenders, it's equally important to discover these footholds within your network. During this talk, Kyle and Chris will expose several semi-public and private techniques used to evade the most common persistence enumeration tools. Their techniques will explore ways to re-invent the run key, unconventionally abuse search order, and exploit trusted applications. To complement their technical explanations, each bypass will include a live demo and recommendations for detection.
- Talk
- Alternate-Data-Streams with PowerShell
- I literally stumbled upon this whilst reading up on the parameters for the Get-Content and Set-Content cmdlets for another piece of research. The parameter that got my interest is -Stream which allows the user the ability to read and write NTFS alternate data streams. If we create a file with the following commands:
$file = "$env:TEMP\test.txt" \ Set-Content -Path $file -Value 'Alternate Data Stream Test File'. To read the file content, we use the following:Get-Content -Path $file; Which will return:Alternate Data Stream Test File
- I literally stumbled upon this whilst reading up on the parameters for the Get-Content and Set-Content cmdlets for another piece of research. The parameter that got my interest is -Stream which allows the user the ability to read and write NTFS alternate data streams. If we create a file with the following commands:
- Get-ADS
- Powershell script to search for alternate data streams This script searches recursively through a specified file system for alternate data streams (ADS). The script can search local and UNC paths speciffied by the threads parameter. Use with caution as runspaces can easily chomp resources (CPU and RAM). Once the number of file system objects (files and folders) is determined, they are split into equal groups of objects divided by the number of threads. Then each thread has a subset of the total objects to inspect for ADS.
- Streams
- AMSI Provider
- Antimalware Scan Interface Provider for Persistence - B4rtik(2020)
- AMSI-Provider
- A fake AMSI Provider which can be used to gain persistence on a host when a specific text is triggered. By default calc.exe will open.
- APPX/UWP
- Persistence using Universal Windows Platform apps (APPX) - oddvarmoe
- Persistence can be achieved with Appx/UWP apps using the debugger options. This technique will not be visible by Autoruns.
- Persistence using Universal Windows Platform apps (APPX) - oddvarmoe
- Background-Intelligent-Transfer-Service Jobs
- 101
- Articles/Blogposts/Writeups
- Background Intelligent Transfer Service - docs.ms
- BITSAdmin tool - docs.ms
- BITSAdmin is a command-line tool that you can use to create download or upload jobs and monitor their progress.
- Temporal Persistence with bitsadmin and schtasks
- Talks/Presentations/Videos
- Tools
- Boot or Logon Autostart Execution
- Windows Startup Application Database
- Windows Program Automatic Startup Locations(2004) BleepingComputer
- Hijacking the Boot Process - Ransomware Style - Raul Alvarez(ShowMeCon2018)
- Have you ever wondered how a boot process works? How a computer detects which operating system it needs to load? Or what is the impact if that single sector in your harddisk is compromised? In this presentation, we are going to look into how Petya, a ransomware, can overwrite an MBR (Master Boot Record), both in MBR- and GPT-style disk, with its malicious code. Then, we are going to follow the code in the MBR and show how a simple malicious kernel code can take control of the boot process until you pay the ransom. I will show a demo on how to debug the MBR to see how the actual native code executes without any API. We are also going to see how we can use a combination of different tools to figure out how a ransomware can infect the very first sector of a harddisk. Tools, such as, Disk Management, DISKPART, WinObj, Process Monitor, and HDHacker. And of course, x64dbg and ollydbg for debugging the ransomware in application-level. And finally, we are going to see how to use Bochs debugger to analyze the malware while it runs its own kernel code.
- Authentication Package
- Kernel Modules and Extensions
- LSASS Driver
- GPO
- Port Monitors
- Plist Modification
- Re-opened Applications
- Registry Run Keys / Startup Folder
- Security Support Provider
- Shortcut Modification
- Time Providers
- Winlogon Helper DLL
- Boot or Logon Initialization Scripts
- Browser Extensions
- Logon Script (Mac)
- Logon Script (Windows)
- Network Logon Script
- Rc.common
- Startup Items
- Compromise Client Software Binary
- Create Account
- Local Account
- Backdoorplz
- adding a backdooruser using win32api
- Backdoorplz
- Domain Account
- Cloud Account
- Local Account
- Create or Modify System Process
- Launch Agent
- Systemd Service
- Windows Service
- Launch Daemon
- DLL Injection/Hijacking
- See 'DLL Hijack'/'DLL Injection'
- Drivers
- Windows Firewall Hook Enumeration
- We’re going to look in detail at Microsoft Windows Firewall Hook drivers from Windows 2000, XP and 2003. This functionality was leveraged by the Derusbi family of malicious code to implement port-knocking like functionality. We’re going to discuss the problem we faced, the required reverse engineering to understand how these hooks could be identified and finally how the enumeration tool was developed.
- Windows Firewall Hook Enumeration
- Event Triggered Execution
- .bash_profile and .bashrc
- Accessibility Features
- AppCert DLLs
- AppInit DLLs
- Articles/Blogposts/Writeups
- AppInit_DLLs in Windows 7 and Windows Server 2008 R2 - docs.ms
- AppInit DLLs and Secure Boot - docs.ms
- Starting in Windows 8, the AppInit_DLLs infrastructure is disabled when secure boot is enabled.
- Alternative psexec: no wmi, services or mof needed - Diablohorn
- Articles/Blogposts/Writeups
- Application Shimming
- Articles/Blogposts/Writeups
- Windows Persistence using Application Shimming - Kavish Tyagi(2020)
- Post Exploitation Persistence With Application Shims (Intro)
- Shimming for Post Exploitation(blog)
- Demystifying Shims – or – Using the App Compat Toolkit to make your old stuff work with your new stuff
- Post Exploitation Persistence With Application Shims (Intro)
- Shim Database Talks
- Using Application Compatibility Shims
- Persistence via Shims - liberty-shell
- Tools
- Windows 0wn3d By Default - Mark Baggett(Derbycon2013)
- Description: “In this talk we will discuss API Hooking, Process Execution Redirection, Hiding Registry keys and hiding directories on the hard drive. We must be talking about rootkits, right? Well yes, but not in the way you think. The Windows family of operating systems has all of these capabilities built right in! Using nothing but tools and techniques distributed and documented by Microsoft we can implement all of these rootkit functions. During this exciting talk I will present new attacks against Windows operating system that provide rootkit like functionality with built-in OS tools. In session, we’ll demonstrate how to leverage the Microsoft Application Compatibility Toolkit to help hide an attacker’s presence on your system. The Application Compatibility Toolkit allows you to create application shims that intercept and redirect calls from applications to the operating system. This native rootkit like capability is intended to make the Windows operating system compatible with very old or poorly written applications. Do DEP, ASLR, UAC, and Windows Resource Protection, File system ACLS and other modern OS security measures get it your way? No problem. Turn them off! Do you want to hide files and registry keys and from the user? The Application Compatibility toolkit allows you to create a virtual world for any application and hide resources from view. If someone inspects the registry with regedit they will see exactly what the attacker wants them to see and not what the OS sees when it launches programs. Did they patch your target so your exploit doesn’t work? Guess what, making applications backwards compatible is what this tool is intended to do. Make your favorite applications “old exploit compatible” insuring you can re-exploit the target with this awesome untapped resource. Everything you need to subvert windows applications is built right into the windows kernel. Come learn how to use the application compatibility toolkit to tap this great resource.”
- Windows 0wn3d By Default - Mark Baggett(Derbycon2013)
- Articles/Blogposts/Writeups
- Component Object Model Hijacking
- COM Object hijacking: the discreet way of persistence
- Userland Persistence with Scheduled Tasks and COM Handler Hijacking - enigma0x3(2016)
- How To Hunt: Detecting Persistence & Evasion With The COM - Blake Strom
- Persistence: “the continued or prolonged existence of something”: Part 2 – COM Hijacking - MDSec
- Use COM Object hijacking to maintain persistence——Hijack CAccPropServicesClass and MMDeviceEnumerator - 3gstudent
- Use COM Object hijacking to maintain persistence——Hijack explorer.exe - 3gstudent
- Activation Contexts — A Love Story - Philip Tsukerman(2019)
- TL;DR — Windows loads a version of the Microsoft.Windows.SystemCompatible assembly manifest into every process. Tampering with it lets you inject DLL side-loading opportunities into every process, and to perform COM hijacking without touching the registry. Unfortunately, the manifest could be replaced by another version, possibly killing your persistence by surprise.
- Persistence – COM Hijacking - NetbiosX
- Emond
- Event Log
- Image File Execution Options Injection
- LC_LOAD_DYLIB Addition
- Netsh Helper DLL
- PowerShell-relatd
- Articles/Blogposts/Writeups
- Using and Abusing Aliases with PowerShell - notoriousrebel.space
- Shimming Aliases with PowerShell
- Using and Abusing Aliases with PowerShell - notoriousrebel.space
- Tools
- Remapper
- PowerShell script that will shim aliases throughout PowerShell sessions through the use of PowerShell profiles.
- p0shkiller(2016)
- Proof of Concept exploit to bypass Microsoft latest AntiMalware Scan Interface technology within PowerShell5 on Windows 10. With this exploit/patch applied, you can take control over powershells program flow by using DLL Hijacking and UAC Bypasstechniques. Every time powershell is started, a local admin named BadAss with password FacePalm01 will be added to the system (when run by an non elevated administrator account) and a reverse (SYSTEM) https meterpreter session (default 192.168.1.120) will be started every hour using a scheduled task.
- Remapper
- Articles/Blogposts/Writeups
- Screensaver
- Trap
- Windows Management Instrumentation Event Subscription
- Extension Handlers
- External Remote Services
- Filesystem
- Hijack Execution Flow
- COR_PROFILER
- DLL Search Order Hijacking
- DLL Side-Loading
- Dylib Hijacking
- Executable Installer File Permissions Weakness
- Implant Container Image
- LD_PRELOAD
- Path Interception by PATH Environment Variable
- Path Interception by Search Order Hijacking
- Path Interception by Unquoted Path
- Services File Permissions Weakness
- Services Registry Permissions Weakness
- IIS Modules
- IIS Raid – Backdooring IIS Using Native Modules - Rio Sherri(2020)
- Back in 2018, PaloAlto Unit42 publicly documented RGDoor, an IIS backdoor used by the APT34. The article highlighted some details which sparked my interest and inspired me to write IIS-Raid, an IIS backdoor module that allows red-team operators to keep a stealthy persistence on IIS web-servers. In this blogpost, we will discuss some of the key components of this tool, how it was built and demonstrate its features.
- IIS Raid – Backdooring IIS Using Native Modules - Rio Sherri(2020)
- Implant Container Image
- LAPS
- Library Files
- 101
- Windows libraries - docs.ms
- Libraries are virtual containers for users’ content. A library can contain files and folders stored on the local computer or in a remote storage location. In Windows Explorer, users interact with libraries in ways similar to how they would interact with other folders. Libraries are built upon the legacy known folders (such as My Documents, My Pictures, and My Music) that users are familiar with, and these known folders are automatically included in the default libraries and set as the default save location.
- Windows libraries - docs.ms
- Articles/Blogposts/Writeups
- 101
- MS Distributed Transaction Coordinator Service
- Articles/Blogposts/Writeups
- Distributed Transaction Coordinator - docs.ms
- The Microsoft Distributed Transaction Coordinator service must run under the NT AUTHORITY\NetworkService Windows account - support.ms
- Shadow Force Uses DLL Hijacking, Targets South Korean Company - Dove Chiu(2015)
- Use msdtc to maintain persistence - 3gstudent
- Articles/Blogposts/Writeups
- .NET
- Articles/Blogposts/Writeups
- Common Language Runtime Hook for Persistence - Paul Laine
- This blog post explains how it is possible to execute arbitrary code and maintain access to a Microsoft Windows system by leveraging the Common Language Runtime application domain manager.
- CLR-Persistence
- Use CLR to inject all the .NET apps
- Using CLR to maintain Persistence
- SharPersist: Windows Persistence Toolkit in C# - Brett Hawkins
- Configuring our Machine for Persistence - NotoriousRebel(2020)
- Common Language Runtime Hook for Persistence - Paul Laine
- Tools
- SharPersist
- Windows persistence toolkit written in C#
- ConfigPersist
- Utilizes modifying machine.config for persistence through CLR hooking, after installing signed .NET assembly onto Global Assembly Cache.
- SharPersist
- AppDomain
- Articles/Blogposts/Writeups
- Netsh
- Office Applications
- Articles/Blogposts/Writeups
- Add-ins
- Extensibility Features
- Office Template Macros
- One Template To Rule 'Em All - Kostas Lintovois
- Introduction of wePWNize
- One Template To Rule 'Em All - Kostas Lintovois
- Outlook Forms
- Outlook Rules
- XRulez
- "XRulez" is a Windows executable that can add malicious rules to Outlook from the command line of a compromised host.
- XRulez
- Outlook Home Page
- Office Test
- Password Filter DLL
- 101
- Password Filters - docs.ms
- Password filters provide a way for you to implement password policy and change notification.
- AD Password Filters - ldapwiki
- Installing and Registering a Password Filter DLL - docs.ms
- You can use the Windows password filter to filter domain or local account passwords. To use the password filter for domain accounts, install and register the DLL on each domain controller in the domain.
- Installing and Registering a Password Filter DLL - msdn.ms
- PSAM_PASSWORD_NOTIFICATION_ROUTINE callback function - docs.ms
- The PasswordChangeNotify function is implemented by a password filter DLL. It notifies the DLL that a password was changed.
- Password Filters - docs.ms
- Articles/Blogposts/Writeups
- Capture password change at active directory controller - StackOverflow(2013)
- How a Windows Password Filters Works - NFront(2014)
- Stealing passwords every time they change - carnal0wnage(2013)
- Intercepting Password Changes With Function Hooking - clymb3r(2013)
- T1174: Password Filter - @spottheplanet
- Throwing it out the Windows: Exfiltrating Active Directory credentials through DNS - Leanne Dutil
- This post will detail the password filter implant project we developed recently. Our password filter is used to exfiltrate Active Directory credentials through DNS. This text will discuss the technicalities of the project as well as my personal experience developing it.
- Dump-Clear-Text-Password-after-KB2871997-installed - 3gstudent
- Domain Penetration-Hook PasswordChangeNotify – Three Good Students
- Talks/Presentations/Videos
- Tools
- DLLPasswordFilterImplant
- DLLPasswordFilterImplant is a custom password filter DLL that allows the capture of a user's credentials. Each password change event on a domain will trigger the registered DLL in order to exfiltrate the username and new password value prior successfully changing it in the Active Directory (AD).
- OpenPasswordFilter
- OpenPasswordFilter is an open source custom password filter DLL and userspace service to better protect / control Active Directory domain passwords.
- PasswordStealing
- Password stealing DLL I have written about 1999, some time before Active Directory was announced. And of course it still works. First, it was written in 32-bit Delphi (pardon my language) and when it stopped working as everything changed into 64-bit - in (so much simpler when it comes to Win32 API) C, as I did not have 64-bit Delphi. The original implementation was a bit more complex, including broadcasting the changed password over the network etc. but now it works as a demonstration of an idea, so let's keep it as simple as possible. It works everywhere - on local machines for local accounts and on DCs for domain accounts.
- DLLPasswordFilterImplant
- 101
- Port Monitors
- Pre-OS Boot
- System Firmware
- Component Firmware
- Bootkit
- Print Processor
- Processes
- Mayhem
- The Mayhem packages aims to provide a Python interface for the programmatic manipulation of executable files at runtime on both the Linux and Windows platforms.
- Mayhem
- Registry
- Windows Registry Attacks: Knowledge Is the Best Defense
- Windows Registry Persistence, Part 1: Introduction, Attack Phases and Windows Services
- Windows Registry Persistence, Part 2: The Run Keys and Search-Order
- List of autorun keys / malware persistence Windows registry entries
- How to Evade Detection: Hiding in the Registry - David Lu
- Persistence – Registry Run Keys - NetbiosX
- InvisiblePersistence
- Persisting in the Windows registry "invisibly". Whitepaper and POC
- Scheduled Task/Job
- At (Windows)
- Scheduled Task
- Sc
- Communicates with the Service Controller and installed services. The SC.exe program provides capabilities similar to those provided in Services in the Control Panel.
- schtasks
- Script Task
- Persistence Via MSSQL
- Persistence using Task Scheduler without a Scheduled Task - marpie(2019
- Sc
- Scheduled Job
- ScreenSaver
- Services * Create A Windows Service In C# - Faisal Pathan(2020 * Stealthier persistence using new services purposely vulnerable to path interception - Christophe Tafani-Dereeper * Persistence – New Service - NetbiosX * Persisting in svchost.exe with a Service DLL - @spotheplanet
- Server Software Component
- IIS
- MS-SQL Server
- SQL Stored Procedures
- Transport Agent
- Web Shell
- SMB
- smbdoor
- The proof-of-concept smbdoor.sys driver is a silent remote backdoor that does not bind new sockets or perform function modification hooking. Instead it abuses undocumented APIs in srvnet.sys to register itself as a valid SMB handler. It then listens on the already-bound ports 139/445 for special packets in which to execute secondary shellcode. In several ways, it has similarities with DoublePulsar and DarkPulsar, as well as ToxicSerpent.
- smbdoor
- Windows Telemetry
- Third-Party Programs
- Traffic Signaling
- Port Knocking
- UEFI
- MIDNIGHTTRAIN
- Blogpost
- Covert Stage-3 Persistence Framework utilizing NVRAM variables
- URI Scheme
- Registering an Application to a URI Scheme - docs.ms
- Exploiting custom protocol handlers in Windows - Andrey Polkovnychenko
- In this article we would like to present the mechanism for custom protocol handling in Windows, and how it can be exploited using a simple command injection vulnerability.
- backoori
- Tool aided persistence via Windows URI schemes abuse
- Valid Accounts
- Default Accounts
- Domain Accounts
- Local Accounts
- Cloud Accounts
- VisualStudio
- WaitFor
- waitfor - docs.ms
- Persistence – WaitFor - NetbiosX(2020)
- "Waitfor is a Microsoft binary which is typically used to synchronize computers across a network by sending signals. This communication mechanism can be used in a red team operation in order to download and execution arbitrary code and for persistence. The binary is stored in C:\Windows\System32 folder which means that local administrator privileges are required to perform this activity and both hosts (sender and receiver) needs to be on the same network segment. "
- Windows Subsystem for Linux
- WMI
- WPAD
- Unsorted
- Quiet in the Windows: Dropping Network Connections - Eviatar Gerzi
- Tools
- Invisible Persistence
- DropNet
- A tool that can be used to close network connections automatically with a given parameters
- Miscellaneous
- backdoorme
- Tools like metasploit are great for exploiting computers, but what happens after you've gained access to a computer? Backdoorme answers that question by unleashing a slew of backdoors to establish persistence over long periods of time. Once an SSH connection has been established with the target, Backdoorme's strengths can come to fruition. Unfortunately, Backdoorme is not a tool to gain root access - only keep that access once it has been gained.
- backdoorme
- Privilege Escalation
-
- Windows Privilege Escalation Fundamentals
- Windows Privilege Escalation Methods for Pentesters
- Common Windows Privilege Escalation Vectors
- Windows Privilege Escalation Cheat Sheet/Tricks
- Windows / Linux Local Privilege Escalation Workshop
- Hunting for Privilege Escalation in Windows Environment - Heirhabarov
- Elevating your Windows Privileges Like a Boss! - Jake Williams(WWHF2019)
- Local privilege escalation on Windows is becoming increasingly difficult. Gone are the days when you could just easily exploit the Windows kernel. Multiple controls (KASLR, DEP, SMEP, etc.) have made kernel mode exploitation of the bugs that are discovered much more difficult. In this talk, we'll discuss multiple opportunities for privilege escalation including using COM objects, DLL side loading, and various privileges assigned to user accounts. Bring a Windows 10 VM. We'll have instructions available for recreating the scenarios demonstrated in the talk.
-
General
- Windows Exploitation Tricks: Exploiting Arbitrary File Writes for Local Elevation of Privilege - James Forshaw
- Windows Exploitation Tricks: Arbitrary Directory Creation to Arbitrary File Read - James Forshaw
- PrivescCheck
- This script aims to enumerate common Windows security misconfigurations which can be leveraged for privilege escalation and gather various information which might be useful for exploitation and/or post-exploitation.
-
Specific Techniques
- DLL Hijacking/Plant/Proxying
- 101
* Dynamic-Link Library Search Order - docs.ms
* Dynamic-Link Library Hijacking
* Crash Course in DLL Hijacking
* VB.NET Tutorial - Create a DLL / Class Library
* Exploiting DLL Hijacking by DLL Proxying Super Easily
* This is a tutorial about exploiting DLL Hijack vulnerability without crashing the application. The method used is called DLL Proxying.
* Hijacking DLLs in Windows - Wietze(2020)
* DLL Hijacking is a popular technique for executing malicious payloads. This post lists nearly 300 executables vulnerable to relative path DLL Hijacking on Windows 10 (1909), and shows how with a few lines of VBScript some of the DLL hijacks can be executed with elevated privileges, bypassing UAC.
* dll-hijack-by-proxying
* This is a tutorial about exploiting DLL Hijack vulnerability without crashing the application. The method used is called DLL Proxying.
- Articles/Blogposts/Writeups
- Adaptive DLL Hijacking - Nick Landers
- DLL Hijacking - @spotheplanet
- Windows 10 - Task Scheduler service - Privilege Escalation/Persistence through DLL planting - remoteawesomethoughts.blogspot
- DLL Hijacking via URL files - InsertScript
- DLL Hijacking - pentestlab.blog(2017)
- Understanding how DLL Hijacking works - Astr0baby(2018)
- Microsoft File Checksum Integrity Verifier "fciv.exe" v2.05 / DLL Hijack Arbitrary Code Execution - hyp3rlinx(2019)
- DLL Hijacking - libertyshell.com(2019)
- Lateral Movement — SCM and DLL Hijacking Primer - Dwight Hohnstein(2019)
- Windows Server 2008R2-2019 NetMan DLL Hijacking - itm4n(2020
- Automating DLL Hijack Discovery - Justin Bui(2020)
- UAC bypass through Trusted Folder abuse - Jean Maes(2020)
- My First 2020 [NonTroll] CVE - DLL Hijacking in NVIDIA System Management Interface (SMI) - Andy Gill(2020)
- Windows 10 - Task Scheduler service - Privilege Escalation/Persistence through DLL planting - remoteawesomethoughts.blogspot
- I was recently busy doing some reverse on an antivirus solution. During this review, I figured out the Windows 10 Task Scheduler service was looking for a missing DLL exposing it to DLL hijacking/planting. It opens for persistence and privilege escalation in case one can write a rogue DLL in a folder pointed by the PATH environment variable. It can also be used as a UAC bypass.
- Use CLR to bypass UAC - 3gstudent
- UAC bypass via elevated .NET applications - @clavoillotte(2017)
- TL;DR .NET Framework can be made to load a profiling DLL or a COM component DLL via user-defined environment variables and CLSID registry entries, even when the process is elevated. This behavior can be exploited to bypass UAC in default settings on Windows 7 to 10 (including the latest RS3 builds) by making an auto-elevate .NET process (such as MMC snap-ins) load an arbitrary DLL.
- .NET Profiler DLL Hijack
- The .NET Framework can be coerced into loading a profiling DLL into any .NET assembly when launched. This is done when a handful of environment variables and registry keys are set. For a full write-up you can view this blog here: https://offsec.provadys.com/UAC-bypass-dotnet.html
- Tools
- Siofra
- DLL hijacking vulnerability scanner and PE infector tool
- DLLSpy
- DLLSpy is a that detects DLL hijacking in running processes, services and in their binaries.
- Robber
- Robber is open source tool for finding executables prone to DLL hijacking
- Koppeling
- This project is a demonstration of advanced DLL hijack techniques. It was released in conjunction with the "Adaptive DLL Hijacking" blog post. I recommend you start there to contextualize this code.
- TrustJack
- HijackHunter
- RunHijackHunter
- DLL-Hijack-Calculator
- DLL that indicates if it was ran with admin Privileges. Could be used for Bug Bounty (DLL hijack attack). Starts calc and makes MessageBox with info about priveleges
- Siofra
- Articles/Blogposts/Writeups
- DLL Tools
- Dependencies - An open-source modern Dependency Walker
- A rewrite of the old legacy software "depends.exe" in C# for Windows devs to troubleshoot dll load dependencies issues.
- rattler
- Rattler is a tool that automates the identification of DLL's which can be used for DLL preloading attacks.
- injectAllTheThings
- Single Visual Studio project implementing multiple DLL injection techniques (actually 7 different techniques) that work both for 32 and 64 bits. Each technique has its own source code file to make it easy way to read and understand.
- Pazuzu
- Pazuzu is a Python script that allows you to embed a binary within a precompiled DLL which uses reflective DLL injection. The goal is that you can run your own binary directly from memory. This can be useful in various scenarios.
- Bleak
- A Windows native DLL injection library written in C# that supports several methods of injection.
- Dependencies - An open-source modern Dependency Walker
- 101
* Dynamic-Link Library Search Order - docs.ms
* Dynamic-Link Library Hijacking
* Crash Course in DLL Hijacking
* VB.NET Tutorial - Create a DLL / Class Library
* Exploiting DLL Hijacking by DLL Proxying Super Easily
* This is a tutorial about exploiting DLL Hijack vulnerability without crashing the application. The method used is called DLL Proxying.
* Hijacking DLLs in Windows - Wietze(2020)
* DLL Hijacking is a popular technique for executing malicious payloads. This post lists nearly 300 executables vulnerable to relative path DLL Hijacking on Windows 10 (1909), and shows how with a few lines of VBScript some of the DLL hijacks can be executed with elevated privileges, bypassing UAC.
* dll-hijack-by-proxying
* This is a tutorial about exploiting DLL Hijack vulnerability without crashing the application. The method used is called DLL Proxying.
- Exploits/Missing Patches
- Windows Kernel Exploits - NetbiosX
- kernel-exploits - SecWiki
- MS17-010 (Eternal Blue)
- CVE-2018-8140
- CVE-2019-0841
- CVE-2019-1064
- CVE-2019-1069
- CVE-2019–1082
- CVE-2020-0618
- CVE-2020-0787
- CVE-2020-0796
- CVE-2020-0796
- Windows SMBv3 LPE Exploit
- CVE-2020-0796 Windows SMBv3 LPE Exploit POC Analysis - Sung Lin(2020)
- Exploiting SMBGhost (CVE-2020-0796) for a Local Privilege Escalation: Writeup + POC - Zecops(2020)
- CVE-2020-0796 Windows SMBv3 Client/Server Remote Code Execution Vulnerability - portal.msrc
- I'm SMBGhost, daba dee daba da - Lucas Georges(2020)
- CVE-2020-0796 Memory Corruption Vulnerability in Windows 10 SMB Server - Yije Wang(2020)
- SMBGhost – Analysis of CVE-2020-0796 - Eoin Carroll, Philippe Laulheret, Kevin McGrath, Steve Povolny(2020)
- 微软SMBv3客户端/服务端远程代码执行漏洞(CVE-2020-0796)技术分析 - blogs.360.cn
- Vulnerability Reproduction: CVE-2020-0796 POC - Zecops
- CVE-2020-0796
- CVE-2020-1362
- Exploiting an Elevation of Privilege bug in Windows 10 (CVE-2020-1362)
- writeup of CVE-2020-1362
- Exploiting an Elevation of Privilege bug in Windows 10 (CVE-2020-1362)
- Miscellaneous
- CVE-2019-1405 and CVE-2019-1322 – Elevation to SYSTEM via the UPnP Device Host Service and the Update Orchestrator Service - Phillip Langlois and Edward Torkington
- This blog post discusses two vulnerabilities discovered by NCC Group consultants during research undertaken on privilege elevation via COM local services. The first of these vulnerabilities (CVE-2019-1405) is a logic error in a COM service and allows local unprivileged users to execute arbitrary commands as a LOCAL SERVICE user. The second vulnerability (CVE-2019-1322) is a simple service misconfiguration that allows any user in the local SERVICE group to reconfigure a service that executes as SYSTEM (this vulnerability was independently also discovered by other researchers). When combined, these vulnerabilities allow an unprivileged local user to execute arbitrary commands as the SYSTEM user on a default installation of Windows 10.
- Thanksgiving Treat: Easy-As-Pie Windows 7 Secure Desktop Escalation Of Privilege - Simon Zuckerbraun
- Docker Desktop for Windows PrivEsc (CVE-2020-11492) - Ceri Coburn(2020)
- Windows Telemetry service elevation of privilege - secret.club(2020)
- CVE-2016-5237: Valve Steam 3.42.16.13 Local Privilege Escalation
- CVE-2019-1405 and CVE-2019-1322 – Elevation to SYSTEM via the UPnP Device Host Service and the Update Orchestrator Service - Phillip Langlois and Edward Torkington
- Fax/Printer/Network Service
- Articles/Blogposts/Writeups
- Tools
- faxhell ("Fax Shell")
- A Proof-of-Concept bind shell using the Fax service and a DLL hijack based on
Ualapi.dll.
- A Proof-of-Concept bind shell using the Fax service and a DLL hijack based on
- RpcSsImpersonator
- faxhell ("Fax Shell")
- Group Policy (Preferences)
- Get-GPPermission - docs.ms
- Exploiting Windows 2008 Group Policy Preferences
- Decrypting Windows 2008 GPP user passwords using Gpprefdecrypt.py
- Group Policy Preferences and Getting Your Domain 0wned - Carnal0wnage
- Compromise Networks Through Group Policy Preferences - securestate.com(archive.org)
- Group Policy Preferences - NetbiosX
- Credential Dumping: Group Policy Preferences (GPP) - Yashika Dhir(2020)
- Intel SYSRET
- LAPS Misconfiguration
- Taking over Windows Workstations thanks to LAPS and PXE - Rémi ESCOURROU
- In this article we will examine how the combination of two good security solutions with no apparent connection to each other can lead to the takeover of all workstations in a Windows environment. The main advantage of this technique is that it is exploitable in black box, i.e. without any prior knowledge of the target.
- Who Can See LAPS Passwords? - David Rowe
- Credential Dumping: LAPS - Kavish Tyagi(2020)
- Taking over Windows Workstations thanks to LAPS and PXE - Rémi ESCOURROU
- Local Phishing
- Articles/Blogposts/Writeups
- Ask and ye shall receive - Impersonating everyday applications for profit - FoxIT
- Phishing for Credentials: If you want it, just ask! - enigma0x3
- Phishing Windows Credentials - NetbiosX
- Credentials Collection via CredUIPromptForCredentials - @spottheplanet
- ICU: A Red Teamer’s Hail Mary - Jean Maes
- Phishing Windows Credentials - NetbiosX(2020)
- How to Phish for User Passwords with PowerShell - tokyoneon(2021)
- Tools
- Invoke-CredentialPhisher
- The first one is a powershell script to send toast notifications on behalf on an (installed) application or the computer itself. The user will be asked to supply credentials once they click on the notification toast. The second one is a Cobalt Strike module to launch the phishing attack on connected beacons.
- Powershell Popups + Capture - mubix(2015)
- Invoke-CredentialsPhish.ps1
- Invoke-LoginPrompt
- Invokes a Windows Security Login Prompt and outputs the clear text password.
- CredsLeaker
- Credsleaker allows an attacker to craft a highly convincing credentials prompt using Windows Security, validate it against the DC and in turn leak it via an HTTP request.
- Invoke-CredentialPhisher
- Articles/Blogposts/Writeups
- Logic Bugs
- Introduction to Logical Privilege Escalation on Windows - James Forshaw
- Windows Logical EoP Workbook
- Abusing Token Privileges For EoP
- This repository contains all code and a Phrack-style paper on research into abusing token privileges for escalation of privilege. Please feel free to ping us with questions, ideas, insults, or bugs.
- awesome_windows_logical_bugs
- Named Pipes
- Discovering and Exploiting Named Pipe Security Flaws for Fun and Profit - Blake Watts(2002)
- Named Pipe Filename Local Privilege Escalation - Securiteam(2003)
- Windows Named Pipes & Impersonation - decoder.cloud(2019)
- Windows NamedPipes 101 + Privilege Escalation - @spottheplanet
- Part I: The Fundamentals of Windows Named Pipes - Robert Hawes
- Part II: Analysis of a Vulnerable Microsoft Windows Named Pipe Application - Robert Hawes
- Privileged File Operation Abuse
- James Forshaw's work
- Articles/Blogposts/Writeups
- Windows 10^H^H Symbolic Link Mitigations - James Forshaw(2015)
- Windows Exploitation Tricks: Arbitrary Directory Creation to Arbitrary File Read - James Forshaw(2017)
- Windows Exploitation Tricks: Exploiting Arbitrary File Writes for Local Elevation of Privilege - James Forshaw(2018)
- An introduction to privileged file operation abuse on Windows - @Claviollotte
- TL;DR This is a (bit long) introduction on how to abuse file operations performed by privileged processes on Windows for local privilege escalation (user to admin/system), and a presentation of available techniques, tools and procedures to exploit these types of bugs.
- CVE-2018-0952: Privilege Escalation Vulnerability in Windows Standard Collector Service - Ryan Hanson(2018)
- Escalating Privileges with CylancePROTECT - Ryan Hanson(2018)
- CVE-2020–1088 — Yet another arbitrary delete EoP - Søren Fritzbøger(2020)
- From directory deletion to SYSTEM shell - Jonas L(2020)
- "Vulnerabilities that enable an unprivileged profile to make a service (that is running in the SYSTEM security context) delete an arbitrary directory/file are not a rare occurrence. These vulnerabilities are mostly ignored by security researchers on the hunt as there is no established path to escalation of privilege using such a primitive technique. By chance I have found such a path using an unlikely quirk in the Windows Error Reporting Service. The technical details are neither brilliant nor novel, though a writeup has been requested by several Twitter users."
- Code
- Weaponizing Privileged File Writes with the USO Service - Part 1/2 - itm4n(2019)
- DACL Permissions Overwrite Privilege Escalation (CVE-2019-0841) - Nabeel Ahmed(2019)
- This vulnerability allows low privileged users to hijack file that are owned by NT AUTHORITY\SYSTEM by overwriting permissions on the targeted file. Successful exploitation results in "Full Control" permissions for the low privileged user.
- CVE-2020-1170 - Microsoft Windows Defender Elevation of Privilege Vulnerability - itm4n(2020)
- "Here is my writeup about CVE-2020-1170, an elevation of privilege bug in Windows Defender."
- Talks/Presentations/Videos
- Tools
- UsoDllLoader
- This PoC shows a technique that can be used to weaponize privileged file write vulnerabilities on Windows. It provides an alternative to the DiagHub DLL loading "exploit" found by James Forshaw (a.k.a. @tiraniddo), which was fixed by Microsoft starting from build version 1903.
- UsoDllLoader
- NTLM-related
- Search "NTLM" in the 'Network_Attacks.md' page.
- Articles/Blogposts/Writeups
- NTLM Reflection
- Windows: DCOM DCE/RPC Local NTLM Reflection Elevation of Privilege
- Windows: Local WebDAV NTLM Reflection Elevation of Privilege
- Exploiting CVE-2019-1040 - Combining relay vulnerabilities for RCE and Domain Admin - Dirk-jan Mollema
- Earlier this week, Microsoft issued patches for CVE-2019-1040, which is a vulnerability that allows for bypassing of NTLM relay mitigations. The vulnerability was discovered by Marina Simakov and Yaron Zinar (as well as several others credited in the Microsoft advisory), and they published a technical write-up about the vulnerability here. The short version is that this vulnerability allows for bypassing of the Message Integrity Code in NTLM authentication. The impact of this however, is quite big if combined with the Printer Bug discovered by Lee Christensen and some of my own research that builds forth on the Kerberos research of Elad Shamir. Using a combination of these vulnerabilities, it is possible to relay SMB authentication to LDAP. This allows for Remote code execution as SYSTEM on any unpatched Windows server or workstation (even those that are in different Active Directory forests), and for instant escalation to Domain Admin via any unpatched Exchange server (unless Exchange permissions were reduced in the domain). The most important takeaway of this post is that you should apply the June 2019 patches as soon as possible.
- CVE-2019-1040 scanner
- Checks for CVE-2019-1040 vulnerability over SMB. The script will establish a connection to the target host(s) and send an invalid NTLM authentication. If this is accepted, the host is vulnerable to CVE-2019-1040 and you can execute the MIC Remove attack with ntlmrelayx. Note that this does not generate failed login attempts as the login information itself is valid, it is just the NTLM message integrity code that is absent, which is why the authentication is refused without increasing the badpwdcount.
- NTLM Relay
- Articles/Blogposts/Writeups
- Practical guide to NTLM Relaying in 2017 (A.K.A getting a foothold in under 5 minutes) - byt3bl33d3r
- NTLM Relay - Pixis
- Playing with Relayed Credentials - @agsolino(2018)
- Server Message Block: SMB Relay Attack (Attack That Always Works) - CQURE Academy
- An SMB Relay Race – How To Exploit LLMNR and SMB Message Signing for Fun and Profit - Jordan Drysdale
- Effective NTLM / SMB Relaying - mubix
- SMB Relay with Snarf - Jeff Dimmock
- Responder with NTLM relay and Empire - chryzsh
- What is old is new again: The Relay Attack - @0xdeaddood, @agsolino(2020)
- The purpose of this blog post is to present a new approach to ntlmrelayx.py allowing multi-relay attacks, that means, using just a single connection to attack several targets. On top of this, we added the capability of relaying connections for specific target users.
- Capturing and Relaying NTLM Authentication: Methods and Techniques - Acebond(2020)
- Mitigation
- Articles/Blogposts/Writeups
- Hot Potato
- Hot Potato
- Hot Potato (aka: Potato) takes advantage of known issues in Windows to gain local privilege escalation in default configurations, namely NTLM relay (specifically HTTP->SMB relay) and NBNS spoofing.
- Hot Potato
- SmashedPotato
- Hot Potato
- Ghost Potato
- Ghost Potato - shenaniganslabs.io(2019)
- Halloween has come and gone, and yet NTLM reflection is back from the dead to haunt MSRC once again. This post describes a deceptively simple bug that has existed in Windows for 15 years. NTLM reflection is still possible through a highly reliable timing attack. The attack works by abusing the logic responsible for its mitigation, a widely speculated challenge cache. Attackers can purge this cache by deliberately failing an authentication attempt and doing so removes all challenge entries older than 5 minutes.
- Ghost Potato - shenaniganslabs.io(2019)
- Tools
- Snarf
- Snarf man-in-the-middle / relay suite
- eternalrelayx.py — Non-Admin NTLM Relaying & ETERNALBLUE Exploitation - Kory Findley
- In this post, we will cover how to perform the EternalRelay attack, an attack technique which reuses non-Admin SMB connections during an NTLM Relay attack to launch ETERNALBLUE against hosts running affected versions of the Windows operating system. This attack provides an attacker with the potential to achieve remote code execution in the privilege context of SYSTEM against vulnerable Windows hosts without the need for local Administrator privileges or credentials.
- Responder
- Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.
- Snarf
- Privilege Abuse
- Priv2Admin
- Exploitation paths allowing you to (mis)use the Windows Privileges to elevate your rights within the OS.
- Priv2Admin
- Privileged File Operations
- 101
- An introduction to privileged file operation abuse on Windows - @clavoillotte(2019)
- TL;DR This is a (bit long) introduction on how to abuse file operations performed by privileged processes on Windows for local privilege escalation (user to admin/system), and a presentation of available techniques, tools and procedures to exploit these types of bugs.
- An introduction to privileged file operation abuse on Windows - @clavoillotte(2019)
- Articles/Blogposts/Writeups
- 101
- Registry Paths/Permissions
- Insecure Registry Permissions - NetbiosX
- RegSLScan
- This tool scans registery keys under Local Machine (HKLM) and lists out any keys non-admins have access to create symbolic links in.
- Services
- Articles/Blogposts/Writeups
- Tools
- FullPowers
- FullPowers is a Proof-of-Concept tool I made for automatically recovering the default privilege set of a service account including SeAssignPrimaryToken and SeImpersonate.
- FullPowers
- Unquoted Service Paths
- Articles/Blogposts/Writeups
- Tools
- Stored Creds/Passwords on Disk
- Tokens
- Articles/Blogposts/Writeups
- Abusing Token Privileges For LPE - drone/breenmachine
- Post-Exploitation with “Incognito”. - Ignacio Sorribas
- The Art of Becoming TrustedInstaller
- There's many ways of getting the TI token other than these 3 techniques. For example as Vincent Yiu pointed out on Twitter if you've got easy access to a system token, say using Metasploit's getsystem command you can impersonate system and then open the TI token, it's just IMO less easy :-). If you get a system token with SeTcbPrivilege you can also call LogonUserExExW or LsaLogonUser where you can specify an set of additional groups to apply to a service token. Finally if you get a system token with SeCreateTokenPrivilege (say from LSASS.exe if it's not running PPL) you can craft an arbitrary token using the NtCreateToken system call.
- c:\whoami /priv - [show me your privileges and I will lead you to SYSTEM] - Andrea Pierini
- Windows: DCOM DCE/RPC Local NTLM Reflection Elevation of Privilege
- Account Hunting for Invoke-TokenManipulation - TrustedSec
- Tokenvator: A Tool to Elevate Privilege using Windows Tokens - Alexander Polce Leary
- Tokenvator: Release 2 - Alexander Leary
- Abusing SeLoadDriverPrivilege for privilege escalation - TarLogic
- The power of backup operators - decoder.cloud
- Token Manipulation
- Talks & Presentations
- Social Engineering The Windows Kernel: Finding And Exploiting Token Handling Vulnerabilities - James Forshaw - BHUSA2015
- Slides
- One successful technique in social engineering is pretending to be someone or something you're not and hoping the security guard who's forgotten their reading glasses doesn't look too closely at your fake ID. Of course there's no hyperopic guard in the Windows OS, but we do have an ID card, the Access Token which proves our identity to the system and let's us access secured resources. The Windows kernel provides simple capabilities to identify fake Access Tokens, but sometimes the kernel or other kernel-mode drivers are too busy to use them correctly. If a fake token isn't spotted during a privileged operation local elevation of privilege or information disclosure vulnerabilities can be the result. This could allow an attacker to break out of an application sandbox, elevate to administrator privileges, or even compromise the kernel itself. This presentation is about finding and then exploiting the incorrect handling of tokens in the Windows kernel as well as first and third party drivers. Examples of serious vulnerabilities, such as CVE-2015-0002 and CVE-2015-0062 will be presented. It will provide clear exploitable patterns so that you can do your own security reviews for these issues. Finally, I'll discuss some of the ways of exploiting these types of vulnerabilities to elevate local privileges.
- Social Engineering The Windows Kernel: Finding And Exploiting Token Handling Vulnerabilities - James Forshaw - BHUSA2015
- Tools
- Tokenvator
- A tool to alter privilege with Windows Tokens
- token_manipulation
- Bypass User Account Control by manipulating tokens (can bypass AlwaysNotify)
- Tokenvator
- Potatoes
- General
- WindowsPotatoes
- Potatoes and tokens - decoder.cloud(2018)
- Potato privilege escalation exploits for Windows - @ivanlu986(2019)
- Potatoes - Windows Privilege Escalation - Jorge Lajara(2020)
- "Hot, Rotten, Lonely, Juicy, Rogue potatoes. There are a lot of different potatoes used to escalate privileges from Windows Service Accounts to NT AUTHORITY/SYSTEM. But, what are the differences? When should I use each one? Do they still work? This post is a summary of each kind of potato, when to use it and how to achieve successful exploitation."
- Hot Potato
- Hot Potato – Windows Privilege Escalation - @breenmachine(2016)
- Hot Potato (aka: Potato) takes advantage of known issues in Windows to gain local privilege escalation in default configurations, namely NTLM relay (specifically HTTP->SMB relay) and NBNS spoofing.
- Hot Potato – Windows Privilege Escalation - @breenmachine(2016)
- Rotten
- Articles/Talks/Writeups
- Rotten Potato – Privilege Escalation from Service Accounts to SYSTEM - @breenmachine(2016
- Rotten Potato Privilege Escalation from Service Accounts to SYSTEM - Stephen Breen Chris Mallz - Derbycon6
- The lonely potato - decoder.cloud(2017)
- No more rotten/juicy potato? - decoder.cloud(2018)
- Rotten potato inadvertently patched on Win10 1809
- Tools
- RottenPotatoNG
- New version of RottenPotato as a C++ DLL and standalone C++ binary - no need for meterpreter or other tools.
- RottenPotatoNG
- Articles/Talks/Writeups
- Juicy Potato
- Juicy Potato (abusing the golden privileges) - Andrea Pierini, Giuseppe Trotta(2018)
- Juicy Potato - hunter2
- JuicyPotato(Reference for testing) - Carlos Polop
- SweetPotato – Service to SYSTEM - Ceri Coburn(2020)
- Candy Potato (Caramelized Juicy Potato)
- This tool has been made on top of the original JuicyPotato, with the main focus on improving/adding some functionalities which was lacking. It is known to work against both Windows Workstation and Server versions up to 8.1 and Server 2016, respectively.
- The Power of SeImpersonation - Micah Van Duesen(2021)
- Rogue Potato
- Remote Potato
- Relaying Potatoes: Another Unexpected Privilege Escalation Vulnerability in Windows RPC Protocol - Antonio Cocomazzi, Andrea Pierini(2021)
- RemotePotato0
- "It abuses the DCOM activation service and trigger an NTLM authentication of any user currently logged on in the target machine. It is required that a privileged user is logged on the same machine (e.g. a Domain Admin user). Once the NTLM type1 is triggered we setup a cross protocol relay server that receive the privileged type1 message and relay it to a third resource by unpacking the RPC protocol and packing the authentication over HTTP. On the receiving end you can setup a further relay node (eg. ntlmrelayx) or relay directly to a privileged resource."
- General
- Articles/Blogposts/Writeups
- PentestLab Windows PrivEsc Writeup List
- Secondary Logon Handle
- Insecure Registry Permissions
- Intel SYSRET
- Weak Service Permissions Obtaining System Privileges
- The “SYSTEM” challenge
- Writeup of achieving system from limited user privs.
- [All roads lead to SYSTEM]
https://labs.mwrinfosecurity.com/system/assets/760/original/Windows_Services_-_All_roads_lead_to_SYSTEM.pdf - Alternative methods of becoming SYSTEM - Adam Chester(2017)
- admin to SYSTEM win7 with remote.exe - carnal0wnage
- Getting a CMD prompt as SYSTEM in Windows Vista and Windows Server 2008 - blogs.technet
- Another way to get to a system shell – Assistive Technology -oddvar.moe
Manipulate HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\magnifier– StartExe to run other binary when pressing WinKey and plus to zoom.Can load binary from Webdav and also start webbrowser and browse to desired linkRuns command as system during UAC prompt and logon screen
- DLL Hijacking/Plant/Proxying
-
- Hacking windows through the Windows API; delves into windows api, how it can break itself
- Sedating the Watchdog Abusing Security Products to Bypass Windows Protections - Tomer Bit - BSidesSF
- Black hat talk on Windows Privilege Escalation
- Level Up! - Practical Windows Privilege Escalation
- Extreme Privelege Escalataion on Windows8 UEFI Systems
- Slides
- Summary by stormehh from reddit: “In this whitepaper (and accompanying Defcon/Blackhat presentations), the authors demonstrate vulnerabilities in the UEFI "Runtime Service" interface accessible by a privileged userland process on Windows 8. This paper steps through the exploitation process in great detail and demonstrates the ability to obtain code execution in SMM and maintain persistence by means of overwriting SPI flash”
- The Travelling Pentester: Diaries of the Shortest Path to Compromise
- Windows Privilege Escalation - Riyaz Walikar
- Privilege Escalation FTW - MalwareJake(WWHF2018)
- Often you don't land in a penetration test with full admin rights. How can you fix that? In most networks it's easier than you might think. In this session, Jake will discuss and demonstrate various privilege escalation techniques that are possible primarily due to misconfigurations. Practically every network has one or more misconfigurations that let you easily escalate from random Joe to total pro. We'll examine some common issues present in both Windows and Linux to you can level up for your next penetration test.
- Abusing privileged file operations on Windows - Clement Lavoillotte(Troopers19)
-
- Windows Exploit Suggester
- [Blogpost]https://blog.gdssecurity.com/labs/2014/7/11/introducing-windows-exploit-suggester.html
- This tool compares a targets patch levels against the Microsoft vulnerability database in order to detect potential missing patches on the target. It also notifies the user if there are public exploits and Metasploit modules available for the missing bulletins.
- PowerUp
- Windows Privilege Escalation through Powershell
- ElevateKit
- The Elevate Kit demonstrates how to use third-party privilege escalation attacks with Cobalt Strike's Beacon payload.
- BeRoot
- BeRoot Project is a post exploitation tool to check common misconfigurations to find a way to escalate our privilege.
- Pompem
- Pompem is an open source tool, designed to automate the search for Exploits and Vulnerability in the most important databases. Developed in Python, has a system of advanced search, that help the work of pentesters and ethical hackers. In the current version, it performs searches in PacketStorm security, CXSecurity, ZeroDay, Vulners, National Vulnerability Database, WPScan Vulnerability Database
- AccessChk
- As a part of ensuring that they've created a secure environment Windows administrators often need to know what kind of accesses specific users or groups have to resources including files, directories, Registry keys, global objects and Windows services. AccessChk quickly answers these questions with an intuitive interface and output.
- AutoDane at BSides Cape Town
- Auto DANE
- Auto DANE attempts to automate the process of exploiting, pivoting and escalating privileges on windows domains.
- lonelypotato
- Modified version of RottenPotatoNG C++
- Blogpost
- psgetsystem
- getsystem via parent process using ps1 & embeded c#
- Sherlock
- PowerShell script to quickly find missing software patches for local privilege escalation vulnerabilities.
- Robber
- Robber is open source tool for finding executables prone to DLL hijacking
- WinPrivCheck.bat
- JAWS - Just Another Windows (Enum) Script
- JAWS is PowerShell script designed to help penetration testers (and CTFers) quickly identify potential privilege escalation vectors on Windows systems. It is written using PowerShell 2.0 so 'should' run on every Windows version since Windows 7.
- Windows Exploit Suggester - Next Generation (WES-NG)
- WES-NG is a tool based on the output of Windows' systeminfo utility which provides the list of vulnerabilities the OS is vulnerable to, including any exploits for these vulnerabilities. Every Windows OS between Windows XP and Windows 10, including their Windows Server counterparts, is supported.
- Powerless
- "A Windows privilege escalation (enumeration) script designed with OSCP labs (i.e. legacy Windows machines without Powershell) in mind. The script represents a conglomeration of various privilege escalation checks, gathered from various sources, all done via native Windows binaries present in almost every version of Windows." - It's a batch file
- Windows Exploit Suggester
-
- To-be-sorted
- Analyzing local privilege escalations in win32k
- This paper analyzes three vulnerabilities that were found in win32k.sys that allow kernel-mode code execution. The win32k.sys driver is a major component of the GUI subsystem in the Windows operating system. These vulnerabilities have been reported by the author and patched in MS08-025. The first vulnerability is a kernel pool overflow with an old communication mechanism called the Dynamic Data Exchange (DDE) protocol. The second vulnerability involves improper use of the ProbeForWrite function within string management functions. The third vulnerability concerns how win32k handles system menu functions. Their discovery and exploitation are covered.
- Windows-Privilege-Escalation - frizb
- Windows Privilege Escalation Techniques and Scripts
- Some forum posts on Win Priv Esc
- Post Exploitation Using netNTLM Downgrade attacks - Fishnet/Archive.org
- Old Privilege Escalation Techniques
- Windows 7 ‘Startup Repair’ Authentication Bypass
- Windows Privilege Escalation Guide - sploitspren(2018)
- Nice methodology/walk through of Windows PrivEsc methods and tactics
- Windows Privilege Escalation Methods for Pentesters - pentest.blog
- Linux Vulnerabilities Windows Exploits: Escalating Privileges with WSL - BlueHat IL 2018 - Saar Amar
- CVE-2018-0952: Privilege Escalation Vulnerability in Windows Standard Collector Service - Ryan Hanson
- Windows 10 Privilege Escalation using Fodhelper - hackercool
- Local privilege escalation via the Windows I/O Manager: a variant finding collaboration - swiat
- Abusing SeLoadDriverPrivilege for privilege escalation - Oscar Mallo
- Windows Exploitation Tricks: Exploiting Arbitrary File Writes for Local Elevation of Privilege - James Forshaw
- CVE-2020-0668 - A Trivial Privilege Escalation Bug in Windows Service Tracing - itm4n
- "In this post, I’ll discuss an arbitrary file move vulnerability I found in Windows Service Tracing. From my testing, it affected all versions of Windows from Vista to 10 but it’s probably even older because this feature was already present in XP."
- Issue 1554: Windows: Desktop Bridge Virtual Registry CVE-2018-0880 Incomplete Fix EoP - Project0
- Waves Maxx Audio DLL Side-Loading LPE via Windows Registry - Robert Hawes
- Analyzing local privilege escalations in win32k
- ALPC
- Original
- zeroday-powershell
- A PowerShell example of the Windows zero day priv esc
- Anti-Virus Software
- #AVGater: Getting Local Admin by Abusing the Anti-Virus Quarantine
- CVE-2018-8955: Bitdefender GravityZone Arbitrary Code Execution - Kyriakos Economou
- COModo: From Sandbox to SYSTEM (CVE-2019–3969) - David Wells
- Reading Physical Memory using Carbon Black's Endpoint driver - Bill Demirkapi
- SEPM-EoP
- Exploiting STOPzilla AntiMalware Arbitrary Write Vulnerability using SeCreateTokenPrivilege - Parvez
- Analysis and Exploitation of an ESET Vulnerability - Tavid Ormandy(2015)
- Compromised by Endpoint Protection - codewhitesec.blogspot
- Symantec Endpoint Protection vulns
- Escalating Privileges with CylancePROTECT - Ryan Hanson
- Avira Optimizer Local Privilege Escalation - Enigma0x3
- Other
- One more Steam Windows Client Local Privilege Escalation 0day - Vasily Kravets
- Local Privilege Escalation on Dell machines running Windows - Bill Demirkapi
- This blog post will cover my research into a Local Privilege Escalation vulnerability in Dell SupportAssist. Dell SupportAssist is advertised to “proactively check the health of your system’s hardware and software”. Unfortunately, Dell SupportAsssist comes pre-installed on most of all new Dell machines running Windows. If you’re on Windows, never heard of this software, and have a Dell machine - chances are you have it installed.
- CVE-2019-9730: LPE in Synaptics Sound Device Driver - @Jackon_T
- CVE details for a COM-based local privilege elevation with a brief write-up on discovery to root.
- Technical Advisory: Intel Driver Support & Assistance – Local Privilege Escalation - NCCGroup
- Elastic Boundaries – Elevating Privileges by Environment Variables Expansion - Yoam Gottesman
- DisplayLink USB Graphics Software arbitrary file write Elevation of Privilege - Yannick Méheut(2020)
- To-be-sorted
-
- CVE-2017-8759
- Exploit toolkit CVE-2017-8759 - v1.0 is a handy python script which provides pentesters and security researchers a quick and effective way to test Microsoft .NET Framework RCE. It could generate a malicious RTF file and deliver metasploit / meterpreter / other payload to victim without any complex configuration.
- Win10-LPE
- The Windows 10 LPE exploit written by SandboxEscaper. This includes the source code for the original exploit, a precompiled DLL injector binary included with the original source, and a powershell script to find potentially vulnerable libraries to overwrite for the exploit.
- Component Services Volatile Environment LPE - bytecode77
- CVE-2018-0952-SystemCollector
- PoC for Privilege Escalation in Windows 10 Diagnostics Hub Standard Collector Service
- CVE-2018-8420
- CVE-2018-8440 - PowerShell PoC
- Remote Code Execution — Gaining Domain Admin due to a typo: CVE-2018-9022 - Daniel C
- A short time ago as part of a red team engagement I found and successfully exploited a remote code execution vulnerability that resulted in us quickly gaining high privilege access to the customers internal network. So far nothing sounds too out of the ordinary, however interestingly the root cause of this vulnerability was due to a two character typo.
- Another Local Privilege Escalation Vulnerability Using Process Creation Impersonation - Wayne Chin Yick Low
- XIGNCODE3 xhunter1.sys LPE - x86.re
- Display Languages Volatile Environment LPE - bytecode77
- Performance Monitor Volatile Environment LPE
- Enter Product Key Volatile Environment LPE
- Sysprep Volatile Environment LPE(2017)
- Remote Assistance Volatile Environment LPE
- Display Languages Volatile Environment LPE
- CVE-2017-12478 - Unitrends 9.x api_storage exploit
- CVE-2020-0668
- Use CVE-2020-0668 to perform an arbitrary privileged file move operation.
- CVE-2019-8372: Local Privilege Elevation in LG Kernel Driver - Jackson_T
- TL;DR: CVE for driver-based LPE with an in-depth tutorial on discovery to root and details on two new tools.
- CVE-2020-0787 - Windows BITS - An EoP Bug Hidden in an Undocumented RPC Function - itm4n
- This post is about an arbitrary file move vulnerability I found in the Background Intelligent Transfer Service. This is yet another example of a privileged file operation abuse in Windows 10. There is nothing really new but the bug itself is quite interesting because it was hidden in an undocumented function. Therefore, I will explain how I found it and I will also share some insights about the reverse engineering process I went through in order to identify the logic flaw.
- [CVE49] Microsoft Windows LNK Remote Code Execution Vulnerability - CVE-2020-1299 - linhlhq from Infiniti Team - VinCSS
- CVE-2017-8759
-
Just-Enough-Administration(JEA)
- Get $pwnd: Attacking Battle Hardened Windows Server - Lee Holmes - Defcon25
- Windows Server has introduced major advances in remote management hardening in recent years through PowerShell Just Enough Administration ("JEA"). When set up correctly, hardened JEA endpoints can provide a formidable barrier for attackers: whitelisted commands, with no administrative access to the underlying operating system. In this presentation, watch as we show how to systematically destroy these hardened endpoints by exploiting insecure coding practices and administrative complexity.
- Get $pwnd: Attacking Battle Hardened Windows Server - Lee Holmes - Defcon25
-
- From Hyper-V Admin to SYSTEM - decoder.cloud
- Windows Credential Theft: RDP & Internet Explorer 11
- NTLM Hashes/relay through RDP files/IE11 XXE explained
-
- PowerUpSQL - 2018 Blackhat USA Arsenal
- This is the presentation we provided at the 2018 Blackhat USA Arsenal to introduce PowerUpSQL. PowerUpSQL includes functions that support SQL Server discovery, weak configuration auditing, privilege escalation on scale, and post exploitation actions such as OS command execution. It is intended to be used during internal penetration tests and red team engagements. However, PowerUpSQL also includes many functions that can be used by administrators to quickly inventory the SQL Servers in their ADS domain and perform common threat hunting tasks related to SQL Server. This should be interesting to red, blue, and purple teams interested in automating day to day tasks involving SQL Server.
- PowerUpSQL - 2018 Blackhat USA Arsenal
-
- InviZzzible
- InviZzzible is a tool for assessment of your virtual environments in an easy and reliable way. It contains the most recent and up to date detection and evasion techniques as well as fixes for them. Also, you can add and expand existing techniques yourself even without modifying the source code.
- InviZzzible
-
- VMware Escape Exploit
- VMware Escape Exploit before VMware WorkStation 12.5.5
- A bunch of Red Pills: VMware Escapes - Marco Grassi, Azureyang, Jackyxty
- VMware Exploitation
- A bunch of links related to VMware escape exploits
- VMware Escape Exploit
-
- Defense Evasion
- 101
- String Replacement & Obfuscation
- Runtime modification(Polymorphism)
- Sandbox detection & Avoidance
- Log Avoidance & Deletion
- Articles/Blogposts/Writeups
- Quiet in the Windows: Dropping Network Connections - Eviatar Gerzi
- DropNet
- A tool that can be used to close network connections automatically with a given parameters
- DropNet
- Evade the analyst - Forensics|Exchange(2019)
- Bypassing Signature-Based AV - Red Siege(2021)
- The difference between signature-based and behavioural detections - s3cur3th1ssh1t(2022)
- Creating AV Resistant Malware — Part 2 - Brendand Ortiz(2020)
- Evadere Classifications - Jonathan Johnson(2021)
- Home Grown Red Team: Lateral Movement With Havoc C2 And Microsoft EDR - assume-breach(2022)
- Quiet in the Windows: Dropping Network Connections - Eviatar Gerzi
- On-Disk
- Defense Evasion: Hide Artifacts - Tanish Bugnait(2020)
- "Today, in this article, we will focus on various methods that are implemented by an attacker to evade their detection by hiding artifacts in the victim’s system in order to execute their malicious intent."
- Basic operational security when dropping to disk - Jean Maes(2021)
- Injection Targets
- Release the Kraken: Fileless injection into Windows Error Reporting service - MalwareBytes ThreatIntel
- threat-recognition
- "I attempted to diagram everything I've learned about the problem-set of endpoint threat recognition over the past 2 years of research. (Final Draft)"
- Talks/Presentations/Videos
- Noob 101: Practical Techniques for AV Bypass - Jared Hoffman - ANYCON 2017
- The shortcomings of anti-virus (AV) solutions have been well known for some time. Nevertheless, both public and private organizations continue to rely on AV software as a critical component of their information security programs, acting as a key protection mechanism over endpoints and other information systems within their networks. As a result, the security posture of these organizations is significantly jeopardized by relying only on this weakened control.
- Evading Autoruns - Kyle Hanslovan, Chris Bisnett(DerbyCon7)
- When it comes to offense, maintaining access to your endpoints is key. For defenders, it's equally important to discover these footholds within your network. During this talk, Kyle and Chris expose several semi-public and private techniques used to evade the most common persistence enumeration tools. Their techniques will explore ways to re-invent the run key, unconventionally abuse search order, and exploit trusted applications. To complement their technical explanations, each bypass includes a live demo and recommendations for detection.
- RE: Evading Autoruns PoCs on Windows 10 - Kyle Hanslovan
- Evading Autoruns - DerbyCon 7.0
- Antivirus Evasion: Lessons Learned – thelightcosine(Derbycon2013)
- Over the past year, the speaker has spent alot of time talking with people in the infoSec Community and doing research on antivirus evasion techniques. Learning what works and what doesn't. There are a lot of good ideas floating around out there. In this talk we're going to pull those ideas all together. We'll discuss the basics of the AV evasion problem, what techniques work, which ones don't and why. The talk will have a particular focus on AV evasion as it relates to Metasploit payloads.
- Antivirus Evasion through Antigenic Variation (Why the Blacklisting Approach to AV is Broken) - Trenton Ivey, Neal Bridges(Derbycon2013)
- Description: Think of the last time you got sick. Your immune system is an amazing piece of machinery, but every now and then, something gets past it. Antivirus evasion techniques can become more effective when modeled after infectious diseases. This talk highlights many of the antivirus evasion techniques in use today. Going further, this talk shows how genetic algorithms can quickly and repeatedly “evolve” code to evade many malicious code detection techniques in use today.
- Bypassing Antivirus: With Understanding Comes Ease - Jeff McJunkin(WWHF Deadwood2020)
- The job of a penetration tester is to emulate real-world, realistic adversaries to compromise the client and explain the business risks of the technical findings. Those pesky real-world adversaries bypass AV all the time, even with essentially the same malware, over and over. How do they do it? Simple. By understanding what traps AV is setting, you can step around, jump over, or disable those traps before sauntering to your destination unhindered. I can't help with your saunter, but I can help you understand and bypass AV using arbitrary payloads (whether Cobalt Strike, Metasploit, Covenant, Mystic, SILENTTRINITY, or whichever) in many ways, all in less than an hour.
- The Art of bypassing endpoint protections for red teaming engagements - Eslam Reda, Jameel Nabbo(2020)
- Evading Detection A Beginner's Guide to Obfuscation - BC-Security(2021)
- Have you wanted to learn some more advanced Windows evasion techniques? Here is your chance to learn from the experts. This 2-hour long webinar will cover the basics of Windows Defenses such as Event and Script Block Logging, Anti-Malware Scan Interface (AMSI), and Windows Defender. Next, we will demonstrate obfuscations and evasion techniques that Advanced Persistent Threats (APTs) employ to evade modern defenses.
- EDR Evasion Primer For Red Teamers - Jorge Gimenez & Karsten Nohl(#HITB2022SIN)
- Hiding in plain sight from blue teams | Henri Hambartsumyan | WWHF San Diego 2022
- Blue teams using detection logic to detect attacks always need to balance the false positives and false negatives. One very common way of dealing with false positives is to allow “known good” – i.e. allow lists. This presentation is about my research of real-world data to identify and classify such “known good” behaviours in “common software”. With this overview of “known good” software, you can start replicating the same behaviour and try to hide in the “allow lists” of the blue teams. The presentation will show you which IoCs are related to various tactics that occur very often “in the wild”, and how you can use the same IoC to hide in the allow lists of detection rules. During the presentation, I will share numerous examples which can directly be used in real attack simulations, emulating semi-sophisticated attackers. Examples of topics discussed in the presentation: how to pretend to be a SAP macro, which filename/function name to use when using rundll32, how to drop your persistence in the startup folder without being detected, etc.
- Noob 101: Practical Techniques for AV Bypass - Jared Hoffman - ANYCON 2017
- AMSI
- 101
- Remember kids, it's not a security boundary according to MS. Just like UAC, and AppLocker. Just something they threw in there for funsies. Totally not about security. Nope. No way. Nuh uh. Never in a million years. (Just a little salty after reading some official documentation saying so)
- Antimalware Scan Interface (AMSI) - docs.ms
- Developer audience, and sample code - docs.ms
- Antimalware Scan Interface (AMSI) functions - docs.ms
- AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It - Nikhil Mittal(BHUS16)
- Blogpost
- Paper
- In Windows 10, Microsoft introduced the AntiMalware Scan Interface (AMSI) which is designed to target script-based attacks and malware. Script-based attacks have been lethal for enterprise security and with advent of PowerShell, such attacks have become increasingly common. AMSI targets malicious scripts written in PowerShell, VBScript, JScript etc. and drastically improves detection and blocking rate of malicious scripts. When a piece of code is submitted for execution to the scripting host, AMSI steps in and the code is scanned for malicious content. What makes AMSI effective is, no matter how obfuscated the code is, it needs to be presented to the script host in clear text and unobfuscated. Moreover, since the code is submitted to AMSI just before execution, it doesn't matter if the code came from disk, memory or was entered interactively. AMSI is an open interface and MS says any application will be able to call its APIs. Currently, Windows Defender uses it on Windows 10. Has Microsoft finally killed script-based attacks? What are the ways out? The talk will be full of live demonstrations.
- Announcing the .NET Framework 4.8 - devblogs.ms
- whoamsi
- The purpose of this page is to be a repository of endpoint protection (AV, EDR, etc) that uses Microsoft's Antimalware Scan Interface (AMSI). This will provide some context around endpoint protection and possible attack vectors. Products with information missing have not been verified yet. This project expands on the work done by @Lee_Holmes and @PyroTek3 by keeping a publicly available list up-to-date.
- AMSI Internals
- The Rise and Fall of AMSI - Tal Liberman(BHAsia 2018)
- IAmsiStream interface sample - MS Github
- Demonstrates how to use the Antimalware Scan Interface to scan a stream.
- Antimalware Scan Interface (AMSI) functions - docs.ms
- AMSI Bypass - Paul Laine(2019)
- This blog post explains the inner workings of AMSI, and describes a new bypass technique.(related to AmsiScanBuffer)
- AMSI Module Remote In-Memory Patch - Paul Laine(2020)
- MS Office file format sorcery - Stan Hegt, Pieter Ceelen(Troopers19)
- Slides
- A deep dive into file formats used in MS Office and how we can leverage these for offensive purposes. We will show how to fully weaponize ‘p-code’ across all MS Office versions in order to create malicious documents without using VBA code, successfully bypassing antivirus and other defensive measures. In this talk Stan and Pieter will do a deep dive into the file formats used in MS Office, demonstrating many features that can be used offensively. They will present attacks that apply to both the legacy formats (OLE streams) and the newer XML based documents. Specific focus is around the internal representation of VBA macros and pseudo code (p-code, execodes) and how these can be weaponized. We will detail the inner logic of Word and Excel regarding VBA and p-code, and release scripts and tools for creating malicious Office documents that bypass anti-virus, YARA rules, AMSI for VBA and various MS Office document analyzers.
- Bypasses
- Compilations
- Amsi-Bypass-PowerShell - S3cur3Th1sSh1t
- List of Bypasses
- Antimalware Scan Interface (AMSI) — A Red Team Analysis on Evasion - iwantmore.pizza
- Exploring PowerShell AMSI and Logging Evasion - Adam Chester(2018)
- Adventures in the Wonderful World of AMSI. - byte_st0rm(2019)
- Overview + Rather then use “LoadLibrary” and “GetProcAddress” to locate the memory addresses of “amsi.dll” and “amsiScanBuffer”, walk the “PEB” of the process and the export directory of “amsi.dll”.
- How Red Teams Bypass AMSI and WLDP for .NET Dynamic Code - modexp(2019)
- AMSI - Resurrecting the Dead - Crawl3r(2020)
- AMSI Bypass Methods - pentestlaboratories.com(2021)
- PatchThatAMSI
- this repo contains 6 AMSI patches , both force the triggering of a conditional jump inside AmsiOpenSession() that close the Amsi scanning session. The 1st patch by corrupting the Amsi context header and the 2nd patch by changing the string "AMSI" that will be compared to the Amsi context header to "D1RK". The other just set ZF to 1.
- Amsi-Bypass-PowerShell - S3cur3Th1sSh1t
- General Stuff
- How to bypass AMSI and execute ANY malicious Powershell code - zc00l
- Weaponizing AMSI bypass with PowerShell - @0xB455(2019)
- AMSI.fail
- C# Azure Function with an HTTP trigger that generates obfuscated PowerShell snippets that break or disable AMSI for the current process. The snippets are randomly selected from a small pool of techniques/variations before being obfuscated. Every snippet is obfuscated at runtime/request so that no generated output share the same signatures.
- AMSI.fail4
- Converted AMSI.fail to a .NET Framework 4 solution so that it can be called from PowerShell 5.
- Bypassing AV (Windows Defender) … the tedious way. - CB Hue(2019)
- AMSI Bypass Using Memory Patching - Andres Roldan(2021)
- Microsoft Windows Antimalware Scan Interface Bypasses - Thalpius(2021)
- In-Process Patchless AMSI Bypass - CCob
- Use PSv2
- Obfuscation
- AmsiInitialize
- Patchless AMSI bypass using SharpBlock - Ceri Coburn(2020)
- SharpBlock
- A method of bypassing EDR's active projection DLL's by preventing entry point execution.
- DLL Hijack
- Bypassing Amsi using PowerShell 5 DLL Hijacking - cn33liz(2016)
- Disabling AMSI in JScript with One Simple Trick - James Forshaw(2018)
- Resurrecting an old AMSI Bypass - Philippe Vogler(2020)
- Before the latest Windows Defender update, and possibly with other endpoint security products, regardless of access rights on a host, users can bypass AMSI for PowerShell. Other scripting engines such as jscript or cscript do not suffer from this DLL hijack and directly load AMSI from the System32 folder.
- COM Server Hijack
- Bypassing AMSI via COM Server Hijacking - Enigma0x3
- This post will highlight a way to bypass AMSI by hijacking the AMSI COM server, analyze how Microsoft fixed it in build #16232 and then how to bypass that fix. This issue was reported to Microsoft on May 3rd, and has been fixed as a Defense in Depth patch in build #16232.
- Bypassing AMSI via COM Server Hijacking - Enigma0x3
- Chunking
- PowerChunker
- "PowerChunker is tool designed to Bypass AMSI via PowerShell by splitting a file into multiple chunks. In a post on my blog, I discuss how malicious powershell scripts can evade detection by AMSI if they're run line-by-line, or in chunks. I've included Rasta-mouse's AmsiScanBuffer patch as a PoC to demonstrate how PowerChunker can automate this process to make a detected bypass execute without the need for obfuscation."
- PowerChunker
- Forcing an Error
- Heap-based
- How Red Teams Bypass AMSI and WLDP for .NET Dynamic Code - modexp(2019)
- Heap-based AMSI bypass for MS Excel VBA and others - Dan@CodeWhite(2019)
- This blog post describes how to bypass Microsoft's AMSI (Antimalware Scan Interface) in Excel using VBA (Visual Basic for Applications). In contrast to other bypasses this approach does not use hardcoded offsets or opcodes but identifies crucial data on the heap and modifies it. The idea of an heap-based bypass has been mentioned by other researchers before but at the time of writing this article no public PoC was available. This blog post will provide the reader with some insights into the AMSI implementation and a generic way to bypass it.
- CorruptCLRGlobal.ps1 - Matt Graeber
- A PoC function to corrupt the g_amsiContext global variable in clr.dll in .NET Framework Early Access build 3694
- AMSI in the HEAP x32 - secureyourit.co.uk(2020)
- Hooking
- Goodbye Obfuscation, Hello Invisi-Shell: Hiding Your Powershell Script in Plain Sight - Omer Yair(Derbycon2018)
- “The very concept of objective truth is fading out of the world. Lies will pass into history.” George Orwell. Objective truth is essential for security. Logs, notifications and saved data must reflect the actual events for security tools, forensic teams and IT managers to perform their job correctly. Powershell is a prime example of the constant cat and mouse game hackers and security personnel play every day to either reveal or hide the “objective truth” of a running script. Powershell’s auto logging, obfuscation techniques, AMSI and more are all participants of the same game playing by the same rules. We don’t like rules, so we broke them. As a result, Babel-Shellfish and Invisi-Shelltwo new tools that both expose and disguise powershell scripts were born. Babel-Shellfish reveals the inner hidden code of any obfuscated script while Invisi-Shell offers a new method of hiding malicious scripts, even from the Powershell process running it. Join us as we present a new way to think about scripts.
- Invisi-Shell
- Understanding and Bypassing AMSI - Tom Carver(2020)
- Bypass AMSI in local process hooking NtCreateSection - Alejandro Pinna(2022)
- AmsiHooker
- Goodbye Obfuscation, Hello Invisi-Shell: Hiding Your Powershell Script in Plain Sight - Omer Yair(Derbycon2018)
- Jscript9.dll
- Null Character
- Patching AmsiScanString
- Patching AmsiScanBuffer
- RastaMouse AmsiScanBuffer Bypass Series(2018)
- How to bypass AMSI and execute ANY malicious Powershell code - zc00l(2018)
- AMSI Bypass Redux - Avi Gimpel(2018)
- Alternative AMSI bypass - Benoit Sevens(2018)
- Yet another update to bypass AMSI in VBA - Khris Tolbert(2019)
- Hunting for AMSI bypasses - Wee-Jing Chung(2019)
- Execute any "evil" Powershell code by bypassing AMSI - Dec0ne(2019)
- AMSI Bypass - Paul Laine(2019)
- This blog post explains the inner workings of AMSI, and describes a new bypass technique.(related to AmsiScanBuffer)
- Understanding and Bypassing AMSI - Tom Carver(2020)
- AmsiHook
- AmsiHook is a DLL that when injected to a process containing AMSI logging, will hook the AMSI functions and allow them to execute with dummy parameters.
- AmsiHook
- Using Reflection for AMSI Bypass -
- Defense Evasion Series Part 1 AMSI Bypass - Dazzy Ddos(2021)
- Memory Patching AMSI Bypass - Rasta Mouse(2021)
- Tools
- AmsiScanBufferBypass
- Circumvent AMSI by patching AmsiScanBuffer
- AmsiScanBufferBypass
- Patching X
- Registry Key
- [The Rise and Fall of AMSI - Tal Liberman(BH Asia18)]https://i.blackhat.com/briefings/asia/2018/asia-18-Tal-Liberman-Documenting-the-Undocumented-The-Rise-and-Fall-of-AMSI.pdf)
- Manually set the
amsiInitFailedfield to$true - ...
- Vectored-Exception Handling
- Compilations
- Bypass Talks
- AMSI: How Windows 10 Plans To Stop Script Based Attacks And How Well It Does It - Nikhil Mittal(BHUSA16)
- Antimalware Scan Interface (AMSI) - Dave Kennedy(WWHF2018)
- This talk will dive into the Antimalware Scan Interface (AMSI) as well as other alternatives in the “NextGen” series of preventative measures and show how trivial it is to write code that doesn’t get snagged. The security market is focusing on open source data collection sources and security researchers as the main method to write signatures to detect attacks, much like what we saw in the 90s with traditional anti-virus tech. Not much has changed, let’s dive into the reality in security and how little these protective measures really do in the grand scheme of things. We’ll also be covering solid practices in defending against attacks, and what we should be focusing on.
- PSAmsi An offensive PowerShell module for interacting with the Anti Malware Scan Interface in Windows - Ryan Cobb(Derbycon7)
- Red Team TTPs Part 1: AMSI Evasion - paranoidninja
- Bypass Tools
- CorruptCLRGlobal.ps1
- A PoC function to corrupt the g_amsiContext global variable in clr.dll in .NET Framework Early Access build 3694 Raw
- AMSI Bypass Code Snippet Examples
- "This repo contains some Amsi Bypass methods i found on different Blog Posts."
- PSAmsi
- PSAmsi is a tool for auditing and defeating AMSI signatures. It's best utilized in a test environment to quickly create payloads you know will not be detected by a particular AntiMalware Provider, although it can be useful in certain situations outside of a test environment. When using outside of a test environment, be sure to understand how PSAmsi works, as it can generate AMSI alerts.
- powershellveryless
- Constrained Language Mode + AMSI bypass all in one
- AmsiBypass
- C# PoC implementation for bypassing AMSI via in memory patching
- NoAmci
- A PoC for using DInvoke to patch AMSI.dll in order to bypass AMSI detections triggered when loading .NET tradecraft via Assembly.Load(). .Net tradecraft can be compressed, encoded (encrypted if required) in order to keep the assembly size less than 1MB, then embedded as a resource to be loaded after patching amsi.dll memory.
- CorruptCLRGlobal.ps1
- VBA Specific
- 101
- Blogposts
- Dynamic Microsoft Office 365 AMSI In Memory Bypass Using VBA - Richard Davy, Gary Nield(2019)
- The Document that Eluded AppLocker and AMSI - ZLAB-YOROI
- Office 365 AMSI Bypass (fixed) - Iliya Dafchev(2019)
- Bypassing AMSI for VBA - Pieter Ceelen
- This blog is a writeup of the various AMSI weaknesses presented at the Troopers talk ‘MS Office File Format Sorcery‘ and the Blackhat Asia presentation ‘Office in Wonderland’.
- Adventures in the Wonderful World of AMSI. - byte_st0rm(2019)
- Overview + Rather then use “LoadLibrary” and “GetProcAddress” to locate the memory addresses of “amsi.dll” and “amsiScanBuffer”, walk the “PEB” of the process and the export directory of “amsi.dll”.
- AMSI in the HEAP x32 - secureyourit.co.uk(2020)
- Instrumenting AMSI
- Articles/Blogposts/Writeups
- Using Windows Antimalware Scan Interface in .NET - Gérald Barré(2020)
- Tools
- MalwareScan.AMSI
- AMSITrigger v3
- The Hunt for Malicious Strings
- SimpleAmsiProvider
- A simple provider to analyse what gets passed into Microsoft's Anti-Malware Scan Interface
- AMSI Scanner
- A C/C++ implementation of Microsoft's Antimalware Scan Interface
- amsi-tracer
- Leverage AMSI (Antimalware Scan Interface) technology to aid your analysis. This tool saves all buffers (scripts, .NET assemblies, etc) passed into AMSI during dynamic execution.
- 101
- Anti-Virus
- General Articles/Blogposts/Writeups
- Bypass Antivirus Dynamic Analysis: Limitations of the AV model and how to exploit them - Emeric Nasi(2014)
- Evasion & Obfuscation Techniques - z3roTrust
- Learn how to hide your trojans, backdoors, etc from anti virus.
- Bypassing Antivirus & Host Intrusion Prevention Systems - Pentestlab.blog(2017)
- How to Bypass Anti-Virus to Run Mimikatz
- AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It - labofapenetrationtester
- Art of Anti Detection 1 – Introduction to AV & Detection Techniques - Ege Balci
- Art of Anti Detection 2 – PE Backdoor Manufacturing - Ege Balci
- Art of Anti Detection 3 – Shellcode Alchemy - Ege Balci
- Art of Anti Detection 4 – Self-Defense - Ege Balci
- Breaking Antivirus Software - Joxean Koret, COSEINC(SYSCAN2014)
- Antimalware-Research
- Research on Anti-malware and other related security solutions
- Discovering The Anti-Virus Signature and Bypassing it - Oddvar Moe(2019)
- Building a custom Mimikatz binary - s3cur3th1ssh1t(2020)
- Bypassing Signature-Based AV - RedSiege(2021)
- Talks/Presentations
- Muts Bypassing AV in Vista/Pissing all over your AV
- presentation, listed here as it was a bitch finding a live copy
- Easy Ways To Bypass Anti-Virus Systems - Attila Marosi(Troopers14)
- Noob 101 Practical Techniques for AV Bypass Jared Hoffman(Anycon2017)
- Web attacks against AV software - Juho Nurminen(Disobey2018)
- Subverting Sysmon: Application of a Formalized Security Product Evasion Methodology - Lee Christensen, Matt Graeber(BHUSA2018)
- While security products are a great supplement to the defensive posture of an enterprise, to well-funded nation-state actors, they are an impediment to achieving their objectives. As pentesters argue the efficacy of a product because it doesn't detect their specific offensive technique, mature actors recognize a need to holistically subvert the product at every step during the course their operation.
- Whitepaper
- Slides
- Code
- Bypassing Antivirus: With Understanding Comes Ease - Jeff McJunkin(WWHF Deadwood2020-Virtual)
- Muts Bypassing AV in Vista/Pissing all over your AV
- Papers
- Understanding behavioural detection of antivirus - Liangyu Chai, R. Holloway, A. Lanzi(2016)
- In this project, we study the behavioural detection engines of the antivirus in both the 32-bit and 64-bit versions of Windows 7 by using specialised modules to identify the technologies that the antivirus are using to monitor application behaviours. Our analysis revealed that the 64-bit versions of the antivirus are generally weaker than their 32-bit versions. To determine the effectiveness of the antivirus behavioural detection engines, we propose replaying the actions of applications from sandbox logs to the antivirus and observing the reaction of the antivirus. Our experiments demonstrated that this approach can illustrate the capabilities of the antivirus behavioural detection engines and uncover the behavioural detection signatures of the antivirus at the same time.
- Bare Knuckled Antivirus Breaking - Balin Varga-Perke(2018)
- ERNW Whitepaper 71 – Analysis of Anti-Virus Software Quarantine Files(2021)
- Python and Malware: Developing Stealth and Evasive Malware Without Obfuscation - Vasilios Koutsokostas, Constantinos Patsakis(2021)
- With the continuous rise of malicious campaigns and the exploitation of new attack vectors, it is necessary to assess the efficacy of the defensive mechanisms used to detect them. To this end, the contribution of our work is twofold. First, it introduces a new method for obfuscating malicious code to bypass all static checks of multi-engine scanners, such as VirusTotal. Interestingly, our approach to generating the malicious executables is not based on introducing a new packer but on the augmentation of the capabilities of an existing and widely used tool for packaging Python, PyInstaller but can be used for all similar packaging tools. As we prove, the problem is deeper and inherent in almost all antivirus engines and not PyInstaller specific. Second, our work exposes significant issues of well-known sandboxes that allow malware to evade their checks. As a result, we show that stealth and evasive malware can be efficiently developed, bypassing with ease state of the art malware detection tools without raising any alert.
- Cut-and-Mouse and Ghost Control: Exploiting Antivirus Software with Synthesized Inputs - Ziya Alper Genc, Gabriele Lenzini, Daniele Sgandurra(2021)
- Understanding behavioural detection of antivirus - Liangyu Chai, R. Holloway, A. Lanzi(2016)
- Exploiting AV Engines/Software
- #AVGater: Getting Local Admin by Abusing the Anti-Virus Quarantine(2017)
- Abuse NTFS paths for privilege escalation from a DLL Hijack to modify the file restore process of the targeted AV.
- Hacking Antiviruses - Jaanus Kääp(Disobey 2017)
- SELF-DEFENSELESS - Balint Varga-Perke(SilentSignal2019)
- BitDefender Antivirus Free 2020 Elevation of Privilege (CVE-2020-8103) - Elias Dimopoulos(2020)
- Exploiting Bitdefender Antivirus: RCE from any website - Wladimir Palant(2020)
- Bitdefender: UPX Unpacking Featuring Ten Memory Corruptions - landave(2020)
- Oh, so you have an antivirus… name every bug - halov(2020)
- #AVGater: Getting Local Admin by Abusing the Anti-Virus Quarantine(2017)
- Code Runners
- Execute ShellCode Using Python
- In this article I am going to show you, how can we use python and its "ctypes" library to execute a "calc.exe" shell code or any other shell code.
- Bypassing AV's like its 2001 - Flangvik(2020)
- EXOCET-AV-Evasion
- Execute ShellCode Using Python
- Code Signing
- 101
- Articles/Blogposts/Writeups
- Talks/Presentations/Videos
- History
- Obfuscation
- Polymorphism
- See 'Polymorphism' under 'Specific Techniques'
- Static Analysis
- A quick look at Windows API obfuscation via hashing - lloydlabs(2018) https://medium.com/@sshell_/bypassing-av-detections-the-dumb-way-part-1-4e13cc973390
- Customizing C2-Frameworks for AV-Evasion - s3cur3th1ssh1t(2020)
- Bypass Windows Defender's Signature Based Detection - mr.d0x(2021)
- AV Evasion Part 1 - 0xhop
- Tools
- WinPwnage
- The goal of this repo is to study the Windows penetration techniques.
- Find-AVSignature.ps1
- WinPwnage
- General Articles/Blogposts/Writeups
- Application Whitelisting
- 101
- Articles/Blogposts/Writeups
- Bypassing Application Whitelisting By Using dnx.exe - enigma0x3(2016)
- WSH Injection: A Case Study - enigma0x3(2017)
- Abusing NVIDIA’s Node.js To Bypass Application Whitelisting - René Freingruber(2017)
- Escaping the Microsoft Office Sandbox: a faulty regex, allows malicious code to escape and persist - Adam Chester
- Microsoft Applications and Blocklist - FortyNorthSecurity
- Technical Advisory: Bypassing Workflows Protection Mechanisms - Remote Code Execution on SharePoint - Soroush Dalilil
- Bypassing Application Whitelisting with BGInfo - Oddvar Moe
- Bypassing Application Whitelisting by using WinDbg/CDB as a Shellcode Runner - exploit-monday.com
- Bypass Application Whitelisting Script Protections - Regsvr32.exe & COM Scriptlets (.sct files)
- How to Evade Application Whitelisting Using REGSVR32 - Joff Thyer
- Bypassing Application Whitelisting with runscripthelper.exe - Matt Graeber
- Using Application Compatibility Shims - subTee
- Consider Application Whitelisting with Device Guard - subTee
- Bypassing Application Whitelisting using MSBuild.exe - Device Guard Example and Mitigations - subTee
- Setting Up A Homestead In the Enterprise with JavaScript - subTee
- Bypass Application Whitelisting Script Protections - Regsvr32.exe & COM Scriptlets (.sct files)
- Application Whitelist Bypass Techniques
- A Catalog of Application Whitelisting Bypass Techniques - SubTee
- Bypassing Application Whitelisting by using WinDbg/CDB as a Shellcode Runner
- BinariesThatDoesOtherStuff.txt - api0cradle
- VBA RunPE - Breaking Out of Highly Constrained Desktop Environments - Part 1/2 - itm4n
- Talks & Presentations
- Fantastic Red-Team Attacks and How to Find Them - Casey Smith, Ross Wolf(BHUSA 2019)
- This talk summarizes prevalent and ongoing gaps across organizations uncovered by testing their defenses against a broad spectrum of attacks via Atomic Red Team. Many of these adversary behaviors are not atomic, but span multiple events in an event stream that may be arbitrarily and inconsistently separated in time by nuisance events.
- Slides
- Blogpost
- Fantastic Red-Team Attacks and How to Find Them - Casey Smith, Ross Wolf(BHUSA 2019)
- Talks
- Tools
- MS Signed mimikatz in just 3 steps
- GreatSCT
- The project is called Great SCT (Great Scott). Great SCT is an open source project to generate application white list bypasses. This tool is intended for BOTH red and blue team.
- RunMe.c
- Trick to run arbitrary command when code execution policy is enforced (i.e. AppLocker or equivalent). Works on Win98 (lol) and up - tested on 7/8
- Window Signed Binary
- VBA-RunPE
- A VBA implementation of the RunPE technique or how to bypass application whitelisting.
- Applocker
- 101
- AppLocker architecture and components - docs.ms(2017
- AppLocker - docs.ms
- This topic provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies. AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.
- AppLocker architecture and components - docs.ms
- Windows Applocker Policy – A Beginner’s Guide - AArti Singh(2019)
- Ultimate AppLocker ByPass List
- "The goal of this repository is to document the most common and known techniques to bypass AppLocker. Since AppLocker can be configured in different ways I maintain a verified list of bypasses (that works against the default AppLocker rules) and a list with possible bypass technique (depending on configuration) or claimed to be a bypass by someone. I also have a list of generic bypass techniques as well as a legacy list of methods to execute through DLLs."
- myAPPLockerBypassSummary
- Simple APPLocker bypass summary based on the extensive work of @api0cradle
- Articles/Blogposts/Writeups
- AppLocker Bypass Checklist - netbiosX
- AppLocker Case study: How insecure is it really? Part 1 oddvar.moe
- AppLocker Case study: How insecure is it really? Part 2](https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/)
- AppLocker Bypass – Weak Path Rules(2017
- Applocker Bypass via Registry Key Manipulation
- Bypassing AppLocker Custom Rules - 0x09AL Security Blog(2018)
- AppLocker Bypass – CMSTP - netbiosX(2018
- Bypassing AppLocker Custom Rules(2018)
- Babushka Dolls or How To Bypass Application Whitelisting and Constrained Powershell - Morten Schenk(2018
- A small discovery about AppLocker - oddvar.moe(2019)
- 'While I was prepping for a session a while back I made a a little special discovery about AppLocker. Turns out that the files that AppLocker uses under C:\Windows\System32\AppLocker can be used in many cases to bypass a Default AppLocker ruleset.'
- Applocker Bypass via Registry Key Manipulation - Francesco Mifsud
- Applocker and PowerShell: how do they tightly work together? - Emin Atac(2019)
- Bypassing AppLocker Custom Rules - 0x09AL
- myAPPLockerBypassSummary
- Simple APPLocker bypass summary based on the extensive work of @api0cradle
- Inexorable PowerShell – A Red Teamer’s Tale of Overcoming Simple AppLocker Policies - sixdub(2014)
- AppLocker Bypass – File Extensions - pentestlab.blog(2017)
- Bypassing AppLocker restrictions usually requires the use of trusted Microsoft binaries that can execute code or weak path rules. However it is possible in a system that it has been configured with default rules and it is allowing the use of command prompt and PowerShell to the users to bypass AppLocker by using payloads with different file extensions.
- Bring your own .NET Core Garbage Collector - Paul Laine(2020)
- This blog post explains how it is possible to abuse a legitimate feature of .Net Core, and exploit a directory traversal bug to achieve application whitelisting bypass.
- Code
- Abusing .NET Core – Evasion - pentestlaboratories.com
- Bypassing Windows protection mechanisms & Playing with OffensiveNim - s3cur3th1ssh1t(2020)
- Signed Binary Proxy Execution via PyCharm - ArchCloudLabs(2021)
- Talks/Presentations/Videos
- GreatSCT: Gotta Catch 'Em AWL - Chris Spehn(CircleCityCon2018)
- Great Scott Marty, we went all the way back to 1995! The project is called Great SCT (Great Scott). GreatSCT is an open source project to generate application whitelist (AWL) bypasses. This tool is intended for BOTH red and blue team. Blue team can benefit by testing the publicly known application whitelisting bypass methods. We will review the most common application whitelisting bypass methods and how to utilize these methods with GreatSCT.
- Shackles, Shims, and Shivs - Understanding Bypass Techniques - Mirovengi(Derbycon2016
- Our industry recognizes the importance of physical security, but often, we focus on the lock core itself and the challenges with picking it. This talk discuss an overview of the common retention mechanisms and how many of the common forms can be bypassed quicker than picking the lock.
- App-o-Lockalypse now! - Oddvar Moe(Derbycon2018
- Want to get a good overview of AppLocker and the different AppLocker bypasses and at the same time learn how defenders can harden their environments to prevent them? Then this is a talk you don't want to miss. This talk will cover a vast amount of bypass techniques and how to harden AppLocker to make it even harder to bypass. Giving you help to either start or avoid an App-o-Lockalypse.
- GreatSCT: Gotta Catch 'Em AWL - Chris Spehn(CircleCityCon2018)
- Tools
- Backdoor-Minimalist.sct
- Applocker bypass
- Evasor
- The Evasor is an automated security assessment tool which locates existing executables on the Windows operating system that can be used to bypass any Application Control rules. It is very easy to use, quick, saves time and fully automated which generates for you a report including description, screenshots and mitigations suggestions, suites for both blue and red teams in the assessment of a post-exploitation phase.
- Backdoor-Minimalist.sct
- 101
- Windows Defender Application Control
- 101
- UltimateWDACBypassList
- A centralized resource for previously documented WDAC bypass techniques
- Dent
- A framework for creating COM-based bypasses utilizing vulnerabilities in Microsoft's WDAPT sensors.
- Fully Undetectable Techniques
- Application Control for Windows - docs.ms
- Windows Defender Application Control and AppLocker Overview - docs.ms
- Windows Defender Application Control design guide - docs.ms
- Deploy Windows Defender Application Control policies by using Group Policy - docs.ms
- Plan for Windows Defender Application Control lifecycle policy management - docs.ms
- Planning and getting started on the Windows Defender Application Control deployment process
- Articles/Blogposts/Writeups
- Documenting and Attacking a Windows Defender Application Control Feature the Hard Way — A Case Study in Security Research Methodology - Matt Graeber
- My goal for this blog post is to not only describe the mechanics of this new feature, but more importantly, I wanted to use this opportunity to paint a picture of the methodology I applied to understand and attempt to bypass the feature. So, if you’re already interested in WDAC features, great. If you’re not, that’s also cool but I hope you’ll follow along with the specific strategies I took to understand an undocumented Windows feature.
- Exploring the WDAC Microsoft Recommended Block Rules: VisualUiaVerifyNative - BOHOPS(2020)
- Documenting and Attacking a Windows Defender Application Control Feature the Hard Way — A Case Study in Security Research Methodology - Matt Graeber
- Talks/Presentations/Videos
- Tools
- Windows Defender Application Guard
- Attack Surface Reduction
- 101
- Articles/Blogposts/Writeups
- Talks/Presentations/Videos
- Bypass Windows Exploit Guard ASR - Emeric Nasi(OffensiveCon2019
- Bypass Windows Exploit Guard ASR - Emeric Nasi(OffensiveCon2020)
- How to bypass all Microsoft latest "Attack Surface Reduction" rules with malicious Office documents and scripts. The last years, I have been doing some research around Windows security. I liked exploring APT/Redteam techniques and payload used for social engineering and airgap bypass attacks. I am naturally interested into new security features such as ASR. Microsoft introduced Attack Surface Reduction (ASR) as part of Windows defender exploit guard. ASR is composed of a set of configurable rules such as: "Block Office applications from creating child process". While these rules seem effective against common Office and scripts malwares, there are ways to bypass all of them. We will go over each rule related to malicious Office or VB scripts behavior, analyze how It work behind the scene and find a way to bypass it. As example we will take common attack scenario and see how they can be achieved with all rules enforced: Download execute DLL/EXE/script from Office/VBscript; Drop execute embedded DLL/EXE/script from Office/VBscript; Machine takeover with Meterpreter shell from Office/VBscript; Lateral movement/UAC bypass/AMSI bypass/etc.
- Tools
- Callbacks
- 101
- Callback (computer programming) - Wikipedia
- Callback Objects - docs.ms(2017)
- ObRegisterCallbacks function (wdm.h) - docs.ms
- The ObRegisterCallbacks routine registers a list of callback routines for thread, process, and desktop handle operations.
- Event Tracing for Windows (ETW) (Kernel/Drivers version)- docs.ms
- PsSetCreateThreadNotifyRoutine function (ntddk.h) - docs.ms
- The PsSetCreateThreadNotifyRoutine routine registers a driver-supplied callback that is subsequently notified when a new thread is created and when such a thread is deleted.
- Detecting Kernel-Mode Callbacks - docs.ms
- Kernel Callback Functions - CodeMachine * Comprehensive list of documented and undocumented APIs available in the Windows kernel to register callback routines.
- Articles/Blogposts/Writeups
- ObRegisterCallbacks and countermeasures - Doug Confere(2015)
- Windows’ PsSetLoadImageNotifyRoutine Callbacks – The Good, The Bad, and The Unclear (Part 1) - Omri Misgav(2017)
- Hooking via InstrumentationCallback - secrary(2017)
- Instrumentation callbacks a.k.a. Syscall callbacks - wlan(2018)
- Reversing Windows Internals (Part 1) – Digging Into Handles, Callbacks & ObjectTypes - Mohammad Sina Karvandi(2019)
- Yes, More Callbacks — The Kernel Extension Mechanism - Yarden Shafir(2019)
- Issue 1849: Windows: RPCSS Activation Kernel Security Callback EoP - James Forshaw(2019)
- "The RPCSS Activation Kernel RPC server’s security callback can be bypassed resulting in EoP."
- ExecutiveCallbackObjects
- Windows Kernel Ps Callbacks Experiments - deniable.org(2020)
- Windows Kernel Ps Callbacks Experiments - rui(2020)
- Silencing the EDR. How to disable process, threads and image-loading detection callbacks. - matteomalvica.com
- This post is about resuming the very inspiring Rui’s piece on Windows Kernel’s callbacks and taking it a little further by extending new functionalities and build an all-purpose AV/EDR runtime detection bypass. Specifically, we are going to see how Kaspersky Total Security and Windows Defender are using kernel callbacks to either inhibit us from accessing LSASS loaded module or detect malicious activities. We’ll then use our evil driver to temporarily silence any registered AV’s callbacks and restore EDR original code once we are done with our task. The resulting tool has been tested on the following Windows 10 builds: 1903,1909 and 2004.
- Removing Kernel Callbacks Using Signed Drivers - no bs
- Bypassing Image Load Kernel Callbacks - @batsec(2021)
- Detecting EDR Bypass: Malicious Drivers(Kernel Callbacks) - Mehmet Ergene(2021)
- The Rootkit Arsenal: Bypassing Callback PatchGuard Protection on Windows - Kento Oki(2021)
- Talks/Presentations/Videos
- Kernel Attacks through User-Mode Callbacks - Tarjei Mandt(BHUSA2011)
- Paper
- "15 years ago, Windows NT 4.0 introduced Win32k.sys to address the inherent limitations of the older client-server graphics subsystem model. Today, win32k still remains a fundamental component of the Windows architecture and manages both the Window Manager (User) and Graphics Device Interface (GDI). In order to properly interface with user-mode data, win32k makes use of user-mode callbacks, a mechanism allowing the kernel to make calls back into user-mode. Usermode callbacks enable a variety of tasks such as invoking applicationdefined hooks, providing event notifications, and copying data to/from user-mode. In this paper, we discuss the many challenges and problems concerning user-mode callbacks in win32k. In particular, we show how win32k’s dependency on global locks in providing a thread-safe environment does not integrate well with the concept of user-mode callbacks. Although many vulnerabilities related to user-mode callbacks have been addressed, their complex nature suggests that more subtle flaws might still be present in win32k. Thus, in an effort to mitigate some of the more prevalent bug classes, we conclusively provide some suggestions as to how users may protect themselves against future kernel attacks."
- Callback objects: Everything you didn’t know you wanted to hook in the kernel - Yarden Shafir(BSides Delhi2020)
- Slides
- CallbackObjectAnalyzer
- Whether you’re an attacker, trying to persist and gather information while avoiding detection, or a defender, trying to monitor everything that’s running on a box and staying a step ahead of the attackers, everyone wants to know what’s happening on a machine. Windows has a mechanism that can fulfill all these needs and isn’t getting the attention it deserves – callback objects. Used by many kernel components and easy to access for 3rd-party drivers, these objects can supply valuable information about various kernel events, internal AV communication, and more. Even Patch Guard has its own callback! As helpful as they are, they are mostly ignored by security solutions, making them a great place for rootkits to hide in, where no one is looking.
- Kernel Attacks through User-Mode Callbacks - Tarjei Mandt(BHUSA2011)
- Papers
- Fast and Furious: Outrunning Windows Kernel Notification Routines from User-Mode - Pierre Ciholas, Jose Miguel Such, Angelos K. Marnerides, Benjamin Green, Jiajie Zhang, Utz Roedigautho
- Code
- Modern Operating Systems (OSs) enable user processes to obtain full access control over other processes initiated by the same user. In scenarios of sensitive security processes (e.g., antivirus software), protection schemes are enforced at the kernel level such as to confront arbitrary user processes overtaking with malicious intent. Within the Windows family of OSs, the kernel driver is notified via dedicated routines for user-mode processes that require protection. In such cases the kernel driver establishes a callback mechanism triggered whenever a handle request for the original user-mode process is initiated by a different user process. Subsequently, the kernel driver performs a selective permission removal process (e.g., read access to the process memory) prior to passing a handle to the requesting process. In this paper we are the first to demonstrate a fundamental user-mode process access control vulnerability, existing in Windows 7 up to the most recent Windows 10 OSs. We show that a user-mode process can indeed obtain a fully privileged access handle before the kernel driver is notified, thus prior to the callback mechanism establishment. Our study shows that this flaw can be exploited by a method to (i) disable the anti-malware suite Symantec Endpoint Protection; (ii) overtake VirtualBox protected processes; (iii) circumvent two major video game anti-cheat protection solutions, BattlEye and EasyAntiCheat. Finally we provide recommendations on how to address the discovered vulnerability.
- Fast and Furious: Outrunning Windows Kernel Notification Routines from User-Mode - Pierre Ciholas, Jose Miguel Such, Angelos K. Marnerides, Benjamin Green, Jiajie Zhang, Utz Roedigautho
- Tools
- libelevate - Bypass ObRegisterCallbacks via elevation
- Handle elevation DKOM against ObRegisterCallbacks
- DarkLoadLibrary
- LoadLibrary for offensive operations
- STFUEDR
- A lot of modern AV/EDR technologies monitor process/thread creation events by registering
PspSetXXXXNotifyRoutinecallback. This code checks for popular EDR/AV driver names and removes them fromPspSetXXXXNotifyRoutinecallback array. To do so the code checks for a byte pattern that occurs beforejmp PspSetXXXXNotifyRoutineinstructions. The byte pattern differs among windows versions, so this code aims to cover all of them.
- A lot of modern AV/EDR technologies monitor process/thread creation events by registering
- windows-ps-callbacks-experiments
- CheekyBlinder
- Enumerating and removing kernel callbacks using signed vulnerable drivers
- CallbackEx
- CallbackObjectAnalyzer
- Dumps information about all the callback objects found in a dump file and the functions registered for them
- cbtest
- "Windows kernel-mode callbacks tutorial driver. It is a sample driver made for my article about Windows kernel-mode callbacks and notifies (use google translate button on site). Build using Visual Studio 2012 + WDK 8.0."
- CallbackDisabler
- "Disable ObCallbacks On Process And Thread. Disable PsCallbacks On Images, Process Creation And Thread Creation. Should work on WIN7 - WIN10 (Only x64)."
- kernel_callbacks
- Bypasses for Windows kernel callbacks PatchGuard protection
- instrumentation-callbacks
- libelevate - Bypass ObRegisterCallbacks via elevation
- 101
- Defender
- 101
- Next-generation protection in Windows 10, Windows Server 2016, and Windows Server 2019 - docs.ms
- Microsoft Defender Advanced Threat Protection - docs.ms
- Microsoft Defender ATP Blog - Microsoft
- Configure Microsoft Defender Antivirus exclusions on Windows Server - docs.ms
- "Microsoft Defender Antivirus on Windows Server 2016 and 2019 automatically enrolls you in certain exclusions, as defined by your specified server role. See the list of automatic exclusions (in this article). These exclusions do not appear in the standard exclusion lists that are shown in the Windows Security app."
- Security intelligence updates for Microsoft Defender Antivirus and other Microsoft antimalware - ms.com
- Manual updates for Defender
- DisableAntiSpyware - docs.ms
- Reg key to disable Defender on 1903 and prior.
- Fun times trying to get this working in later versions....
- Reverse engineering Windows Defender's signature for Metasploit Framework's metsrv.dll - plowsec(StackOverflow2018)
- comment by plowsec on Metasploit Project(2018)
- MDE Antivirus Configuration Common Mistakes and Best Practice - Tan Tran(2021)
- Windows Defender's VDM Format - commial
- Lifting the veil, a look at MDE under the hood - Olaf Hartong(Troopers22
- General
- Untangling the “Windows Defender” Naming Mess - Lenny Zeltser
- Bypassing AV (Windows Defender) … the tedious way. - CB Hue
- Dear Windows Defender, please tell me where I can drop my malicious code. - Simone Aonzo
- 'The Get-MpPreference cmdlet exposes the field ExclusionPath without administrator privilege.'
- Hiding Metasploit Shellcode to Evade Windows Defender - Rapid7(2018)
- Evading Windows Defender with 1 Byte Change - @spottheplanet
- Windows Defender Bypassing For Meterpreter - HackerHouse(2020)
- Bypassing Windows Defender Runtime Scanning - Charalampos Billinis(2020)
- Bypass Defender and other thoughts on Unicode RTLO attacks - Emeric Nasi(2020)
- How to bypass Defender in a few easy steps - arty hlr(2021)
- MICROSOFT_WINDOWS_DEFENDER_DETECTION_BYPASS.txt
- Disable Win Defender - Chris Titus
- My Experience bypassing Windows Defender - Jack Rendor(2021)
- Defender Bypass With .PIF Extensions - x0xr00t(2022)
- Bypass Windows Defender in Windows 11 - 0xcybery(2021)
- Bypassing Windows Defender Runtime Scanning - Charalampos Billinis(2020)
- The Hitchhiker's Guide to Microsoft Defender for Endpoint exclusions - Fabian Bader(2022)
- My learnings on Microsoft Defender for Endpoint and Exclusions - Christopher Brumm(2021)
- Attack Surface Reduction/ASR
- Bypass Windows Defender Attack Surface Reduction - Emeric Nasi
- Documenting and Attacking a Windows Defender Application Control Feature the Hard Way — A Case Study in Security Research Methodology - Matt Graeber
- Extracting Whitelisted Paths from Windows Defender ASR Rules - https://gist.github.com/adamsvoboda/c99e9b6748ff2f2ba6b78e02cfc79e5b
- Attack Surface Reduction - commial
- Breaking Defender
- Incapacitating Windows Defender - offensiveops.io
- Silencing Microsoft Defender for Endpoint using firewall rules - Søren Fritzbøger(2021)
- 🇬🇧 The dying knight in the shiny armour - APTortellini(2021)
- With Administrator level privileges and without interacting with the GUI, it’s possible to prevent Defender from doing its job while keeping it alive and without disabling tamper protection by redirecting the \Device\BootDevice NT symbolic link which is part of the NT path from where Defender’s WdFilter driver binary is loaded. This can also be used to make Defender load an arbitrary driver, which no tool succeeds in locating, but it does not survive reboots. The code to do that is in APTortellini’s Github repository unDefender.
- Sandboxing Antimalware Products for Fun and Profit - Gabriel Landau(2022)
- Talks/Presentations/Videos
- Reverse Engineering Windows Defender’s JavaScript Engine - Alexei Bulazel(REcon Brussels18)
- Auditing and Bypassing Windows Defender Application Control - Matt Graeber
- Bypass Windows Exploit Guard ASR - Emeric Nasi(OffensiveCon2020)
- How to bypass all Microsoft latest "Attack Surface Reduction" rules with malicious Office documents and scripts. The last years, I have been doing some research around Windows security. I liked exploring APT/Redteam techniques and payload used for social engineering and airgap bypass attacks. I am naturally interested into new security features such as ASR. Microsoft introduced Attack Surface Reduction (ASR) as part of Windows defender exploit guard. ASR is composed of a set of configurable rules such as: "Block Office applications from creating child process". While these rules seem effective against common Office and scripts malwares, there are ways to bypass all of them. We will go over each rule related to malicious Office or VB scripts behavior, analyze how It work behind the scene and find a way to bypass it. As example we will take common attack scenario and see how they can be achieved with all rules enforced: Download execute DLL/EXE/script from Office/VBscript; Drop execute embedded DLL/EXE/script from Office/VBscript; Machine takeover with Meterpreter shell from Office/VBscript; Lateral movement/UAC bypass/AMSI bypass/etc.
- Adapting Exploit Frameworks to Evade Microsoft ATP - Jake Krasnov, Anthony Rose(Defcon27)
- Tools
- ExtractedDefender
- Just an attempt to group extracted data from Defender for research purposes.
- Windows Defender Emulator Tools
- ExpandDefenderSig.ps1
- Decompresses Windows Defender AV signatures for exploration purposes
- Ninjasploit
- A meterpreter extension for applying hooks to avoid windows defender memory scans
- DefenderCheck-t3hbb
- ThreatCheck - RastaMouse
- Modified version of Matterpreter's DefenderCheck. Takes a binary as input (either from a file on disk or a URL), splits it until it pinpoints that exact bytes that the target engine will flag on and prints them to the screen. This can be helpful when trying to identify the specific bad pieces of code in your tool/payload.
- Add Defender Exclusion via WMI and COM - stmxcsr
- DetectionHistory Parser
- "A parser of Windows Defender's DetectionHistory forensic artifact, containing substantial info about quarantined files and executables."
- unDefender
- At its core, this technique revolves around changing the \Device\BootDevice symbolic link in the Windows Object Manager so that when Defender's WdFilter driver is unloaded and loaded again by its Tamper Protection feature, another file is mapped in memory in place of the original WdFilter.sys, rendering it effectively useless!
- PlayWithDefender
- An easy tool to disable and enable windows defender protections
- MSI_Payload - PSBits
"When playing with my machines, I have realized that Windows Defender: does not scan *.MSI cab files in the realtime; excludes files dropped by msiexec.exe from realtime scan"
- Token abuse
- SandboxDefender
- DefenderSwitch
- KillDefender
- StopDefender
- DefenderStop
- This is a C# project to stop the defender service using via token impersonation. In this technique, we first steal the token from the WinLogon service, and escalate to SYSTEM integrity. Then we steal the token from the TrustedInstaller service and impersonate it. This will finally allow us to stop the WinDefend service.
- ExtractedDefender
- DeviceGuard
- 101
- Articles/Blogposts/Writeups
- Talks/Presentations/Videos
- ExploitGuard
- 101
- Protect devices from exploits - docs.ms
- Exploit protection automatically applies a number of exploit mitigation techniques to operating system processes and apps. Exploit protection is supported beginning with Windows 10, version 1709 and Windows Server, version 1803.
- Windows Defender Exploit Guard under the hood - Artur Wojtkowski
- In this article, we will explain the main functionality of Exploit Protection and ASR rules and its’ internals.
- Protect devices from exploits - docs.ms
- Articles/Blogposts/Writeups
- Exploit Protection Event Documentation - Palantir & Matt Graeber
- Documentation and supporting script sample for Windows Exploit Guard
- Assessing the effectiveness of a new security data source: Windows Defender Exploit Guard - Palantir(2019)
- Vulnserver Exploit vs Windows Defender Exploit Guard - Chad Duffey(2020)
- Exploit Guard Mistakes - Chad Duffey(2020)
- Exploit Guard vs Process (DLL) Injection - Chad Duffey(2020)
- Exploit Protection Event Documentation - Palantir & Matt Graeber
- Talks/Presentations/Videos
- 101
- 101
- Microsoft ATA & ATP/Defender for Idenity/Name#48
- Articles/Blogposts/Talks/Writeups
- Red Team Techniques for Evading, Bypassing, and Disabling MS Advanced Threat Protection and Advanced Threat Analytics
- Red Team Revenge - Attacking Microsoft ATA
- Evading Microsoft ATA for Active Directory Domination
- Week of Evading Microsoft ATA - Announcement and Day 1 - Nikhil Mittal(Aug 2017)
- Week of Evading Microsoft ATA - Day 2 - Overpass-the-hash and Golden Ticket - Nikhil Mittal
- Week of Evading Microsoft ATA - Day 3 - Constrained Delegation, Attacks across trusts, DCSync and DNSAdmins - Nikhil Mittal
- Week of Evading Microsoft ATA - Day 4 - Silver ticket, Kerberoast and SQL Servers - Nikhil Mittal
- Week of Evading Microsoft ATA - Day 5 - Attacking ATA, Closing thoughts and Microsoft's response - Nikhil MIttal
- Microsoft Advanced Threat Analytics – My best practices - Oddvar Moe
- Evading WinDefender ATP credential-theft: kernel version - B4rtik
- Microsoft ATA Evasion (Over PTH, Golden Ticket) - Cyber Delta
- Talks/Presentations/Videos
- Red Team Techniques for Evading, Bypassing, and Disabling MS Advanced Threat Protection and Advanced Threat Analytics - Chris Thompson(BHUSA2017)
- Windows Defender Advanced Threat Protection is now available for all Blue Teams to utilize within Windows 10 Enterprise and Server 2012/16, which includes detection of post breach tools, tactics and techniques commonly used by Red Teams, as well as behavior analytics.
- Evading Microsoft ATA for Active Directory Domination - Nikhil Mittal(BH USA17)
- Hack to Basics – Adapting Exploit Frameworks to Evade Microsoft ATP - BC-Security(2019)
- Red Team Techniques for Evading, Bypassing, and Disabling MS Advanced Threat Protection and Advanced Threat Analytics - Chris Thompson(BHUSA2017)
- Tools
- DefenderCheck
- Takes a binary as input and splits it until it pinpoints that exact byte that Microsoft Defender will flag on, and then prints those offending bytes to the screen.
- DefenderCheck
- Articles/Blogposts/Talks/Writeups
- DeviceGuard Bypass
- 101
- Articles/Blogposts/Talks/Writeups
- Defeating Device Guard: A look into CVE-2017-0007
- Consider Application Whitelisting with Device Guard - subt0x10(2017)
- Bypassing Application Whitelisting using MSBuild.exe - Device guard Example and Mitigations - subt0x10(2017)
- Defeating Device Guard: A look into CVE-2017–0007 - Matt Nelson
- UMCI vs Internet Explorer: Exploring CVE-2017–8625 - Matt Nelson
- Windows: LUAFV NtSetCachedSigningLevel Device Guard Bypass - Google
- Talks/Presentations/Videos
- Tools
- DeviceGuard Bypasses - James Forshaw
- This solution contains some of my UMCI/Device Guard bypasses. They're are designed to allow you to analyze a system, such as Windows 10 S which comes pre-configured with a restrictive UMCI policy.
- Window 10 Device Guard Bypass
- DeviceGuard Bypasses - James Forshaw
- DLL Execution-Related
- DLL Hijacking
- DLL Hollowing/Module Stomping/Overloading
- 101
- Articles/Blogposts/Writeups
- Remote DLL Injection, Plus… - Security Ninja(2016)
- Dissecting a NETWIRE Phishing Campaign’s Usage of Process Hollowing - Sumith Maniath, Prashanth Krushna Kadam(2019)
- Hiding malicious code with “Module Stomping”: Part 1 - Aliz Hammdond(2019)
- Hiding malicious code with “Module Stomping”: Part 2 - Aliz Hammdond(2019)
- Understanding And Detecting Dll 1nj3ct0n & Process Hollowing - Alparslan Akyıldız academy(2019)
- Detecting VBA Process Hollowing With Cortex XDR - Stav Setty and Aviad Meyer(2020)
- Talks/Presentations/Videos
- Papers
- Articles/Blogposts/Writeups
- Tools
- Phantom DLL hollowing
- DLL hollowing is a technique which can be used to provide stealth for malware in memory, either within the local process or a remote one (in combination with process injection/hollowing).
- CodeCoverageModuleStomping
- Phantom DLL hollowing
- DNS
- Papers
- On The Vulnerability of Anti-Malware Solutions to DNS Attacks - Asaf Nadler, Ron Bitton, Oleg Brodt, Asaf Shabtai(2021)
- "Anti-malware agents typically communicate with their remote services to share information about suspicious files. These remote services use their up-to-date information and global context (view) to help classify the files and instruct their agents to take a predetermined action (e.g., delete or quarantine). In this study, we provide a security analysis of a specific form of communication between anti-malware agents and their services, which takes place entirely over the insecure DNS protocol. These services, which we denote DNS anti-malware list (DNSAML) services, affect the classification of files scanned by anti-malware agents, therefore potentially putting their consumers at risk due to known integrity and confidentiality flaws of the DNS protocol. By analyzing a large-scale DNS traffic dataset made available to the authors by a well-known CDN provider, we identify anti-malware solutions that seem to make use of DNSAML services. We found that these solutions, deployed on almost three million machines worldwide, exchange hundreds of millions of DNS requests daily. These requests are carrying sensitive file scan information, oftentimes - as we demonstrate - without any additional safeguards to compensate for the insecurities of the DNS protocol. As a result, these anti-malware solutions that use DNSAML are made vulnerable to DNS attacks. For instance, an attacker capable of tampering with DNS queries, gains the ability to alter the classification of scanned files, without presence on the scanning machine. We showcase three attacks applicable to at least three anti-malware solutions that could result in the disclosure of sensitive information and improper behavior of the anti-malware agent, such as ignoring detected threats. Finally, we propose and review a set of countermeasures for anti-malware solution providers to prevent the attacks stemming from the use of DNSAML services."
- On The Vulnerability of Anti-Malware Solutions to DNS Attacks - Asaf Nadler, Ron Bitton, Oleg Brodt, Asaf Shabtai(2021)
- Papers
- Drivers
- 101
- Overview of Device and Driver Installation - docs.ms
- Getting a kernel mode driver signed for Windows 10 - Christoph Lüders(2016)
- Methodology for Static Reverse Engineering of Windows Kernel Drivers - Matt Hand(2020)
- Kernel Hacking With HEVD Part 1 - The Setup - Brian Beaudry(2016)
- HackSys Extreme Vulnerable Driver
- HackSys Extreme Vulnerable Driver is intentionally vulnerable Windows driver developed for security enthusiasts to learn and polish their exploitation skills at Kernel level.
- See
Rootkits.md
- Articles/Blogposts/Writeups
- Debugging
- Filter Drivers
- 101
- Filter Drivers - docs.ms
- About file system filter drivers - docs.ms
- Filter driver - Wikipedia
- File systems driver design guide
- This section of the WDK provides conceptual information related to file systems and filter drivers.
- How File System Filter Drivers Are Similar to Device Drivers - docs.ms
- The Role of a Filter Driver - Flylib.com
- FLTMC.exe - SS64
- Articles
- Understanding Minifilters: Why and How File System Filter Drivers Evolved - OSR.com
- How File System Filter Drivers Are Different from Device Drivers
- Introduction to File System Filter Drivers - EaseFilter
- Understanding Windows File System Filter Driver - EaseFilter
- Filter Drivers in Windows - MohanKumar(2017)
- Mimidrv In Depth: Exploring Mimikatz’s Kernel Driver - Matt Hand(2020)
- Hunting for Bugs in Windows Mini-Filter Drivers - James Forshaw(2021)
- 101
- Driver Loading/Unloading
- See 'Drivers' section.
- Articles/Blogposts/Writeups
- Attacking
- Articles/Blogposts/Writeups
- Talks/Presentations/Videos
- Who’s Watching the Watchdog? Uncovering a Privilege Escalation Vulnerability in OEM Driver - Amit Rapaport(BlueHat IL2019)
- With Microsoft continuously improving kernel mitigations and raising the exploitation bar for native kernel components, third-party kernel drivers are becoming a more appealing target for real attackers and security researchers. A vulnerability in a signed third-party driver can have a dramatic impact as it can be abused by attackers to escalate their privileges, without the complexity of a kernel zero-day. Computer manufacturers usually ship devices with software and tools to facilitate device management. This software often contains components running with ring-0 privileges in kernel. With these components installed by default, they must be as secure as the kernel, otherwise they can become the Achilles Heel for the whole kernel security design. In this session, we’ll explain exactly how we discovered such a driver. From an anomalous behavior alerted by a kernel sensor of Windows Defender ATP, we dug deeper into a specific device management driver, where we found a highly obscure design. This led us to the discovery of a zero-day vulnerability, which resulted in a local privilege escalation that affected millions of devices.
- Device Driver Debauchery and MSR Madness - Ryan Warns, Timothy Harrison(INFILTRATE2019)
- Papers
- VDM: Vulnerable Driver Manipulation - Xeroxz
- Abstract—This research paper documents the process of usinga vulnerable Windows kernel driver exposing a physical memoryread and write1primitive to call any function inside of theWindows kernel; while also teaching you the basics of pagingand physical memory.
- VDM: Vulnerable Driver Manipulation - Xeroxz
- Training
- Tools
- ExploitCapcom
- This is a standalone exploit for a vulnerable feature in Capcom.sys. The feature is exposed through IOCTL and to execute an arbitrary user supplied function pointer with disabling SMEP. This exploit simply abuses the feature to perform token stealing to get the SYSTEM privileges, and then launches the command prompt with the elevated privilege.
- Reflective-Driver-Loader
- Reflective Kernel Driver injection is a injection technique base off Reflective DLL injection by Stephen Fewer. The technique bypasses Windows driver signing enforcement (KMCS). Reflective programming is employed to perform the loading of a driver from memory into the kernel. As such the driver is responsible for loading itself by implementing a minimal Portable Executable (PE) file loader. Injection works on Windows Vista up to Windows 10, running on x64.
- IRPMon
- The goal of the tool is to monitor requests received by selected device objects or kernel drivers. The tool is quite similar to IrpTracker but has several enhancements. It supports 64-bit versions of Windows (no inline hooks are used, only modifications to driver object structures are performed) and monitors IRP, FastIo, AddDevice, DriverUnload and StartIo requests.
- gdrv-loader
- Windows10 - Custom Kernel Signers
- Load self-signed drivers without TestSigning or disable DSE.
- KsDumper
- Dumping processes using the power of kernel space !
- drvmap
- driver mapper / capcom wrapper
- KernelBhop
- Cheat that uses a driver instead WinAPI for Reading / Writing memory.
- Shhmon - Neuter Sysmon by unloading its driver
- TitanHide
- TitanHide is a driver intended to hide debuggers from certain processes. The driver hooks various Nt* kernel functions (using SSDT table hooks) and modifies the return values of the original functions. To hide a process, you must pass a simple structure with a ProcessID and the hiding option(s) to enable, to the driver. The internal API is designed to add hooks with little effort, which means adding features is really easy.
- ExploitCapcom
- Who’s Watching the Watchdog? Uncovering a Privilege Escalation Vulnerability in OEM Driver - Amit Rapaport(BlueHat IL2019)
- Writeups
- Part 19: Kernel Exploitation -> Logic bugs in Razer rzpnk.sys - FuzzySec
- MSI ntiolib.sys/winio.sys local privilege escalation - rewolf(2016)
- Dell SupportAssist Driver - Local Privilege Escalation - hatRiot(2018)
- Mother of All Drivers – New Vulnerabilities Found in Windows Drivers - Jesse Michael, Mickey Shkatov
- CVE-2019-9730: LPE in Synaptics Sound Device Driver - @Jackson_T(2019)
- Viper RGB Driver Local Privilege Escalation (CVE-2019-18845) - ActiveCyber.us(2020)
- CORSAIR iCUE Driver Local Privilege Escalation (CVE-2020-8808) - ActiveCyber.us(2020)
- MSI Ambient Link Multiple Vulnerabilities - CoreSecurity(2020)
- CVE-2020-12138 Exploit Proof-of-Concept, Privilege Escalation in ATI Technologies Inc. Driver atillk64.sys - h0mbre(2020)
- Dissecting the Windows Defender Driver - WdFilter (Part 1) - n4r1b(2020)
- For those who don’t know, WdFilter is the main kernel component of Windows Defender. Roughly, this Driver works as a Minifilter from the load order group “FSFilter Anti-Virus”, this means that is attached to the File System stack (Actually, quite high - Big Altitude) and handles I/O operations in some Pre/Post callbacks. Not only that, this driver also implements other techniques to get information of what’s going on in the system. The goal of this series of post is to have a solid understanding on how this works under the hood.
- Part 2
- Part 3
- Part 4
- How to Bypass Kernel Anticheat & Develop Drivers - Rake(2018)
- Undocumented Windows API Functions & Structures - Rake(2020)
- Ring 0 / 3 Protection - Jitsumi(2020)
- Papers
- Windows Kernel-mode Payload Fundamentals - bugcheck, skape(2006)
- This paper discusses the theoretical and practical implementations of kernel-mode payloads on Windows. At the time of this writing, kernel-mode research is generally regarded as the realm of a few, but it is hoped that documents such as this one will encourage a thoughtful progression of the subject matter. To that point, this paper will describe some of the general techniques and algorithms that may be useful when implementing kernel-mode payloads. Furthermore, the anatomy of a kernel-mode payload will be broken down into four distinct units, known as payload components, and explained in detail. In the end, the reader should walk away with a concrete understanding of the way in which kernel-mode payloads operate on Windows.
- Windows Kernel-mode Payload Fundamentals - bugcheck, skape(2006)
- MS ELAM
- Writing
- Tools
- Physmem drivers
- A collection of various vulnerable (mostly physical memory exposing) drivers.
- Vulnerable Driver Manipulation
- A library to manipulate drivers exposing a physical memory read/write primitive to allow the user to call any function in the kernel. There are thousands of drivers exposing physical memory read/write, a bunch are listed in this repo. Currently the project is using gdrv.sys. This is basiclly what physmeme was about but that project is not truly "physical read and write" whereas this project is. This project can be used more broadly then physmeme.
- DriverMon
- Monitor activity of (almost) any driver
- Capcom Rootkit Proof-Of-Concept
- Capcom Rootkit POC
- Windows kernel driver exploits
- ColdHide
- ColdHide is a mini and simple open source user mode anti-anti debug library x86/x64 for Windows. To inject this library try using ColdMDLoader.
- Canadian Furious Beaver
- Canadian Furious Beaver is a tool for hijacking IRPs handler in Windows drivers, and facilitating the process of analyzing Windows drivers for vulnerabilities
- TDL (Turla Driver Loader)
- Driver loader for bypassing Windows x64 Driver Signature Enforcement
- injdrv
- injdrv is a proof-of-concept Windows Driver for injecting DLL into user-mode processes using APC.
- Physmem drivers
- 101
- Endpoint Detection & Response
- Articles/Blogposts/Talks/Writeups
- Hexacorn's Blogposts marked with 'EDR'
- A few ideas to mess around with threat hunting, and EDR software (anti-threat hunting/anti-edr) - Hexacorn(2016)
- EDRs
- This repo contains information about EDRs that can be useful during red team exercise.
- A Guide to Reversing and Evading EDRs: Part 1 - @Jackson_T
- Moar and Moar Agents – sthap! - Hexacorn(2019)
- Endpoint Protection, Detection and Response Bypass Techniques Index - p3zx.blogspot(2019)
- Recent EDR & AV Observations - Christopher Vella(2019)
- Lets Create An EDR… And Bypass It! Part 1 - Ceri Coburn(2020)
- Generic bypass of next-gen intrusion / threat / breach detection systems
- The focus of this blog post is to bypass network monitoring tools, e.g. good-old IDS or next-generation threat detection systems in a generic way. The focus is on the exploit delivery.
- SMOOTHPHERRET - generic hooking evasion - rb(2020)
- Relying on usermode data is a bad idea (AKA Stop Trusting The Enemy) - krabsonsecurity(2020
- Blinding EDR On Windows - Zach Stein(2020)
- Low-tech EDR bypass - Magnus Stubman(2020)
- Dechaining Macros and Evading EDR
- Security and Bypass Endpoint Detection Response (EDR) (Part 1) - Matthieu(2020)
- Sécurité et Bypass d’Endpoint Detection Response (EDR) (Partie 2) - Matthieu(2021)
- A tale of EDR bypass methods - s3cur3th1ssh1t(2021)
- Thread and Process State Change - Yarden Shafir(2021)
- Bypassing EDR real-time injection detection logic - @_lpvoid
- Endpoint Detection and Response: How Hackers Have Evolved - Matthew Eidelberg(2021)
- EDR and Blending In: How Attackers Avoid Getting Caught - Matthew Eidelberg(2021)
- Evading EDR in 15 Minutes with ScareCrow - Adam Svoboda(2021)
- Shellcode Detection Using Real-Time Kernel Monitoring - Alonso Candado()
- This is how I bypassed almost every EDR! - Omri Baso(2021)
- Evading EDR Detection with Reentrancy Abuse - Asaf GilboaAsaf Gilboa(2021)
- Bypassing EDR real-time injection detection logic - @_lpvoid(2021)
- EDR Series : How EDR Hooks API Calls (Part-1) - John Sherchan, Yash Bharadwaj(2022)
- Sacrificing Suspended Processes - Matthew Eidelberg(2022)
- Roll for Stealth: Intro to AV/EDR Evasion - Mike@RedSiege(2022)
- Feeding EDRs False Telemetry - rad9800(2022)
- Bypass CrowdStrike Falcon EDR protection against process dump like lsass.exe - bilal al-qurneh(2022)
- EDR: Detections, Bypassess and other Shenanigans - Sourav Sen(2022)
- Master of Puppets: How to tamper the EDR? - Daniel Feichter(2022)
- EDR, a closer look at protected services - Daniel Feichter(2022)
- EDR Observations - Christopher Vella(2022)
- Bypassing EDR Real-Time Injection Detection Logic - Filip Olszak(2022)
- Talks/Presentations/Videos
- EDR, ETDR, Next Gen AV is all the rage, so why am I enraged? - Michael Gough - Derbycon7
- A funny thing happened when I evaluated several EDR, ETDR and Next Gen AV products, currently all the rage and latest must have security solution. Surprisingly to me the solutions kinda sucked at things we expected them to do or be better at, thus this talk so you can learn from our efforts. While testing, flaws were discovered and shared with the vendors, some of the flaws, bugs, or vulns that were discovered will be discussed. This talk takes a look at what we initially expected the solutions to provide us, the options or categories of what these solutions address, what to consider when doing an evaluation, how to go about testing these solutions, how they would fit into our process, and what we found while testing these solutions. What enraged me about these EDR solutions were how they were all over the place in how they worked, how hard or ease of use of the solutions, and the fact I found malware that did not trigger an alert on every solution I tested. And this is the next new bright and shiny blinky security savior solution? The news is not all bad, there is hope if you do some work to understand what these solutions target and provide, what to look for, and most importantly how to test them! What we never anticipated or expected is the tool we used to compare the tests and how well it worked and how it can help you.
- Modern Evasion Techniques - Jason Lang(Derbycon7 2017)
- Slides
- As pentesters, we are often in need of working around security controls. In this talk, we will reveal ways that we bypass in-line network defenses, spam filters (in line and cloud based), as well as current endpoint solutions. Some techniques are old, some are new, but all work in helping to get a foothold established. Defenders: might want to come to this one.
- Next Gen AV vs My Shitty Code by James Williams - SteelCon 2018
- Red Teaming in the EDR age - Will Burgess(WWHF2018)
- An Inconvenient Truth: Evading the Ransomware Protection in Windows 10 - Soya Aoyama(GrrCON2018)
- Maintaining post-exploitation opsec in a world with EDR - Michael Roberts, Martin Roberts(Derbycon2018)
- How a modern pentesting or red team can remain stealthy during post exploitation activities. Will go in depth on various code execution and lateral movement techniques and indicate ways to improve upon these methods.
- Reversing & bypassing EDRs - Christopher Vella(CrikeyCon2019)
- Endpoint Detection and Response (EDR) product vendors will give you the spiel on what they do and their capabilities, but how do they actually work at the lowest level? And how can we discover weaknesses in these products to develop bypasses or evaluate them? Christopher will reverse engineer an EDR product and the windows kernel to unveil its inner-workings, alongside the windows kernel structures and functions EDR products rely on to operate, and by doing so discover weaknesses and gaps in their protections that allow actors to bypass the product’s defenses, rendering them null & void. Finally, by abusing an identified weakness, he’ll use a custom-built mimikatz to dump all the hashes on a machine protected by EDR.
- Next Gen AV vs My Shitty Code by James Williams(BSidesMCR 2018)
- SteelCon version
- Video tried getting taken down by S1...
- Testing Endpoint Protection: How Anyone Can Bypass Next Gen AV - Kevin Gennuso(Derbycon2019)
- Well-known antivirus vendors all have "next gen" solutions, and most newer players in the market claim to be "better" simply because they're new.This software is a significant investment for any organization, so it should do what it claims to do, right?In this talk, we'll discuss methodologies for testing these products, known and lesser-known payload generation frameworks, and how you can use these to inform your choice in EDR solutions.
- Unveiling the Underground World of Anti-Cheats - Joel Noguera(BHEU2019)
- Slides
- During our research, we analyzed, tested and discovered multiple bypassing techniques against different current market Anti-Cheat technologies such as XignCode3, EasyAntiCheat and BattleEye, to understand and determine the current state of the art of Anti-Cheat software. We use a combination of static and dynamic techniques to document the different techniques to protect and unprotect gaming software. As a result, we put together a tool "AntiCheat-Testing-Framework" that contains a series of bypassing techniques to test them against current market Anti-Cheats software, this will allow attendees and researchers to understand the virtues and weaknesses of them. This talk pretends to catch everyone's attention from new people to experts on the field, starting with a state of the market and interesting cases around the cheating world, and finishing with a deep explanation of each analyzed technique and the results we obtained during the journey.
- Tricking modern endpoint security products - Michel Coene(SANS2020)
- The current endpoint monitoring capabilities we have available to us are unprecedented. Many tools and our self/community-built detection rules rely on parent-child relationships and command-line arguments to detect malicious activity taking place on a system. There are, however, ways the adversaries can get around these detections. During this presentation, we'll talk about the following techniques and how we can detect them: Parent-child relationships spoofing; Command-line arguments spoofing; Process injection; Process hollowing
- Tradecraft - This is why your tools and exploits get detected by EDR - xentropy(2020)
- Rendering Ransomware Detection and EDR Products Blind - Rene Kolga(BSidesSLC 2020)
- Offensive Development: Post-Exploitation Tradecraft in an EDR World - Dominic Chell(x33fcon2020)
- Detection and Efficiency Testing of Endpoint Security Sensors - Filipi Pires(HTBCyberWeek2020)
- During this presentation we’ll show our tests performed in three different endpoint security solutions (CrowdStrike, Sophos, and Cybereason) where we simulate targeted attacks using many strategies of attacks to obtain a panoramic view of the resilience presented by the solutions, with regard to the efficiency in its detection by signatures, NGAV and Machine Learning, running scripts, such as: Download many malwares within the victim machine, moving all those malware to other folders (expectation of detection without execution), and as well as, an idea in to download these artifacts directly on the victim’s machine using malware from The Zoo Repository while also running scripts with powershell downloading daily malwares batches, provide by MalwaresBazaar using API access.
- Understanding Modern EDR Tools: How They Work, How They Provide Value, and How to Bypass Them - Nick Landers(2021
- Watch this webinar to explore the role that modern EDRs play and tips for evaluating vendors, review the latest defensive evasion techniques sophisticated adversaries deploy to bypass EDR tools, discover helpful resources for staying up to date with modern research and techniques, and learn how to effectively implement the defensive evasion techniques within your own red team operations.
- Defeating EDR's using D/Invoke - Jean Maes(2021)
- How can red team operators emulate covert operations and operate at the same level as a real threat group? EDR solutions can make the life of a red team operator significantly harder. Dynamic invocation (also known as D/Invoke) – a sub branch of the popular “Sharpsploit” project, can help with evading those pesky EDR’s and execute your payloads successfully. In this presentation, we will go over D/Invokes capabilities and how to leverage them in your red team operations.
- An Empirical Assessment of Endpoint Detection and Response Systems against Advanced Persistent Threats Attack Vectors - George Karantzas, Constantinos Patsakis(2021
- Advanced persistent threats pose a significant challenge for blue teams as they apply various attacks over prolonged periods, impeding event correlation and their detection. In this work, we leverage various diverse attack scenarios to assess the efficacy of EDRs against detecting and preventing APTs. Our results indicate that there is still a lot of room for improvement as state-of-the-art EDRs fail to prevent and log the bulk of the attacks that are reported in this work. Additionally, we discuss methods to tamper with the telemetry providers of EDRs, allowing an adversary to perform a more stealth attack.
- Source Zero Con: Remaining Invisible in the Age of EDR - Matthew Eidelberg(2021)
- "We’ll start by examining the issues that ALL EDRs face in their current deployment and how hackers can take advantage of this to completely bypass the product and blind them to their malicious activities. We will look from the perspective of EDRs as a whole; most of these flaws are present in all of them. Once we understand the systemic issues and how attackers can abuse them, we’ll focus on several techniques developed and deployed in the wild that are highly successful. We’ll conclude with some new techniques that will be introduced into ScareCrow 2.0 being released after the talk."
- EDR Evasion and OODA Loops by Jackson T.(x33fcon2021)
- EDR is Coming Hide Yo Sh!t - Michael Leibowitz (Defcon27)
- There’s a new, largely unaddressed threat in the security industry today, Endpoint Detection and Response (EDR), which aims to stop threat actors in their tracks. The scenario plays out like this... At first your campaign is going well and your attacker objectives are being met. Then, your lovingly crafted payloads become analyst samples, you’re evicted from the environment and you lose your persistence. You and the analyst are now having a bad time. You may feel this is just fear mongering, but we assure you, the risk is real.Fortunately, we have a few new tricks up our sleeves to keep this nightmare scenario at bay. While many would have you believe that we live in a measured and signed boot Utopia on modern systems, we will show you the seedy underbelly of this Brave New World. By abusing early boot mechanisms and UEFI platform firmware, we are able to evade common detection. By showing up early to the fight, we sucker punch EDR, leaving it in a daze unable to see our malicious activities. We put a new twist on old code injection techniques and maintain persistence in UEFI firmware, making an effective invisibility cloak. By leveraging these two techniques, you and the analyst can have a happy and relaxing evening. From that point on - the good ol’ days are back again! Plunder away!
- Defeating EDRs using Dynamic Invocation in C# - Jean Francois Maes(BruCON0x0D
- How To Defeat EDRs In Usermode - Alessandro Magnosi & Jean Francois Maes(HITBCW2021)
- In this presentation, Jean-François will walk is through how defensive solutions have matured over the years, and how attackers have bypassed said defences. Over the years several EDR bypass tricks have been used ranging from PID spoofing to DLL Blocking to userland unhooking, syscalls, manual mapping. Jean-François will demonstrate these bypassess using a "custom" EDR specifically built for this talk that hook specific key functions. The bypassess will be demonstrated using C# (specifically the D/Invoke framework), but the same principals can be applied to other programming languages as well. The second half of the presentation will be presented by Allesandro, whom got inspired by a prior presentation Jean-François had given. He took the knowledge he learned from a conf presentation into a tool (inceptor) that can be used to bypass modern defences in a variety of languages and has built in obfuscation methods. With this presentation we want to inspire others to attend these kind of conferences, learn from them and get to work to build something truely amazing.
- EDR: Efficiently Defeating Red Teamers? - Mr Un1k0d3r(2022)
- Master Of Puppets: How To Tamper The EDR? - Daniel Feichter(BSidesMunich2022)
- Despite admin privileges an EDR product in Windows can be very annoying from red team perspective. Therefor we search ways to disable the EDR without relying on a uninstall password, Windows security center etc.
- EDR Internals From a Defenders Perspective - Olaf Hartong(FIRST2022)
- Companies often put a high level of trust on their tools to support them in their quest to protect them from harm. But is that trust warranted? What are the out of the box capabilities and what can be gained from the telemetry that they produce in terms of custom detections.
- EDR is Coming Hide Yo Sh!t - Michael Leibowitz (Defcon27)
- EDR, ETDR, Next Gen AV is all the rage, so why am I enraged? - Michael Gough - Derbycon7
- Papers
- An Empirical Assessment of Endpoint Security Systems Against Advanced Persistent Threats Attack Vectors - George Karantzas, Constantinos Patsakis(2021)
- Advanced persistent threats pose a significant challenge for blue teams as they apply various attacks over prolonged periods, impeding event correlation and their detection. In this work, we leverage various diverse attack scenarios to assess the efficacy of EDRs and other endpoint security solutions against detecting and preventing APTs. Our results indicate that there is still a lot of room for improvement as state of the art endpoint security systems fail to prevent and log the bulk of the attacks that are reported in this work. Additionally, we discuss methods to tamper with the telemetry providers of EDRs, allowing an adversary to perform a more stealth attack
- An Empirical Assessment of Endpoint Security Systems Against Advanced Persistent Threats Attack Vectors - George Karantzas, Constantinos Patsakis(2021)
- Tools
- SharpBlock
- A method of bypassing EDR's active projection DLL's by preventing entry point execution
- WhiteBeam
- BLUESPAWN
- BLUESPAWN is an active defense and endpoint detection and response tool which means it can be used by defenders to quickly detect, identify, and eliminate malicious activity and malware across a network.
- ProcessThis
- Small C# tool to call out AV/EDR processes running.
- Invoke-EDRChecker
- Checks running processes, process metadata, Dlls loaded into your current process and the each DLLs metadata, common install directories, installed services, the registry and running drivers for the presence of known defensive products such as AV's, EDR's and logging tools.
- SharpEDRChecker
- Checks running processes, process metadata, Dlls loaded into your current process and the each DLLs metadata, common install directories, installed services and each service binaries metadata, installed drivers and each drivers metadata, all for the presence of known defensive products such as AV's, EDR's and logging tools.
- Telemetry Sourcerer
- Enumerate and disable common sources of telemetry used by AV/EDR.
- SylantStrike
- Simple EDR implementation to demonstrate bypass
- OpenEDR
- Open EDR public repository
- Scarecrow
- Payload creation framework designed around EDR bypass.
- Defeat the Castle – Bypass AV & Advanced XDR solutions. - 0xsp
- noWatch
- W0wS3cur1tyEDR
- Pyramid
- EDRSandBlast
- EDRSandBlast is a tool written in C that weaponize a vulnerable signed driver to bypass EDR detections (Notify Routine callbacks, Object Callbacks and ETW TI provider) and LSASS protections. Multiple userland unhooking techniques are also implemented to evade userland monitoring.
- Freeze
- Freeze is a payload creation tool used for circumventing EDR security controls to execute shellcode in a stealthy manner. Freeze utilizes multiple techniques to not only remove Userland EDR hooks, but to also execute shellcode in such a way that it circumvents other endpoint monitoring controls.
- GoodbyeEDR
- Disable & hook notifications of AV & EDR from events occurring in the system.
- SharpBlock
- Specific EDRs
- Crowdstrike
- Bypassing CrowdStrike in an enterprise production network [in 3 different ways] - KomodoResearch(2019-June)
- Bypassing CrowdStrike Endpoint Detection and Response - RedCursor(2020)
- How I Bypassed Crowdstrike Restriction - Vivek Chauhan(2020)
- EDR Bypasses - Harlan Carvey(2021)
- Three ways of using MSBuild to beat CrowdStrike - Brandon@secarma
- Exploitation With Shell Reverse & Infection With PowerShell - Filipi Pires(HITB2021AMS)
- Slides
- The purpose of this presentation, it was to execute several efficiency and detection tests in our lab environment protected with an endpoint solution, provided by CrowdStrike, this document brings the result of the defensive security analysis with an offensive mindset using reverse shell techniques to gain the access inside the victim’s machine and after that performing a Malware in VBS to infected the victim machine through use some scripts in PowerShell to call this malware, in our environment.
- Cybereason
- Cylance
- Bypass Cylance Memory Exploitation Defense & Script Cntrl - Chris Ross(2017)
- Cylance Bypass Method - dru1d(2018)
- How I evaded “next-generation” Cylance Smart AntiVirus in less than 15 minutes - slaeryan
- [Silencing Cylance: A Case Study in Modern EDRs - Adam Chester, Dominic Chell(2019)](2019(https://www.mdsec.co.uk/2019/03/silencing-cylance-a-case-study-in-modern-edrs/)
- Cylance, I Kill You! - Adi Ashkenazy, Shahar Zini(2019)
- "By carefully analyzing the engine and model of Cylance’s AI based antivirus product, we identify a peculiar bias towards a specific game. Combining an analysis of the feature extraction process, its heavy reliance on strings, and its strong bias for this specific game, we are capable of crafting a simple and rather amusing bypass. Namely, by appending a selected list of strings to a malicious file, we are capable of changing its score significantly, avoiding detection. This method proved successful for 100% of the top 10 Malware for May 2019, and close to 90% for a larger sample of 384 malware."
- Bypassing Defenses: Cylance - Scott Goetzinger(2021)
- Kaspersky
- McAfee
- Palo Alto
- Sophos
- Symantec
- Vipre
- Crowdstrike
- Kernel Callbacks
- See 'Kernel Callbacks' under 'Drivers'.
- Memory Obfuscation During Runtime
- Articles/Blogposts/Writeups
- See 'Gargoyle' injection technique under 'Injection'
- Talks
- Avoiding Memory Scanners - Customizing Malware to Evade YARA, PE-sieve - Kyle Avery(Defcon30)
- Tired of obfuscating strings and recompiling to break signatures? Wish you could keep PE-sieve from ripping your malware out of memory? Interested in learning how to do all of this with your existing COTS or private toolsets? For years, reverse engineers and endpoint security software have used memory scanning to locate shellcode and malware implants in Windows memory. These tools rely on IOCs such as signatures and unbacked executable memory. This talk will dive into the various methods in which memory scanners search for these indicators and demonstrate a stable evasion technique for each method. A new position-independent reflective DLL loader, AceLdr, will be released alongside the presentation and features the demonstrated techniques to evade all of the previously described memory scanners. The presenter and their colleagues have used AceLdr on red team operations against mature security programs to avoid detection successfully. This talk will focus on the internals of PE-sieve, MalMemDetect, Moneta, Volatility malfind, and YARA to understand how they find malware in memory and how malware can be modified to fly under their radar consistently.
- Avoiding Memory Scanners - Customizing Malware to Evade YARA, PE-sieve - Kyle Avery(Defcon30)
- Articles/Blogposts/Writeups
- Command Line Buffers
- Process Execution through Proxy
- Process Execution through DLL SideLoading by Signed binary
- Articles/Blogposts/Writeups
- Tools
- Windows Feature Hunter (WFH)
- "Windows Feature Hunter (WFH) is a proof of concept python script that uses Frida, a dynamic instrumentation toolkit, to assist in potentially identifying common “vulnerabilities” or “features” within Windows executables. WFH currently has the capability to automatically identify potential Dynamic Linked Library (DLL) sideloading and Component Object Model (COM) hijacking opportunities at scale."
- Windows Feature Hunter (WFH)
- Killing a Process
- Articles/Blogposts/Writeups
- Tools
- disable-defender.ps1
- Backstab
- Have these local admin credentials but the EDR is standing in the way? Unhooking or direct syscalls are not working against the EDR? Well, why not just kill it? Backstab is a tool capable of killing antimalware protected processes by leveraging sysinternals’ Process Explorer (ProcExp) driver, which is signed by Microsoft.
- Protected Processes
- Articles/Blogposts/Writeups
- How To Bypass AM-PPL & Disable EDRs - A Red Teamer's Story-Stephen Kho & Juan Sacco(Nullcon Berlin2022)
- Microsoft introduced the Antimalware Protected Process Light (AM-PPL) technology in Windows 8.1 whose purpose is to ensure that the operating system only loads trusted services and processes. In essence, PPL is used for controlling and protecting running processes and protecting them from infection by malicious code and the potentially harmful effects of other processes. How effective is AM-PPL and can it be abused to bypass AV/EDR products? In this talk, we'll introduce our research on abusing the AM-PPL technology to effectively bypass AVs and EDR products on a Windows system.
- How To Bypass AM-PPL & Disable EDRs - A Red Teamer's Story-Stephen Kho & Juan Sacco(Nullcon Berlin2022)
- Articles/Blogposts/Writeups
- (Reflective)DLL Injection/sRDI
- General
- Windows DLL Injection Basics -
- ReflectiveDLLInjection
- Reflective DLL injection is a library injection technique in which the concept of reflective programming is employed to perform the loading of a library from memory into a host process. As such the library is responsible for loading itself by implementing a minimal Portable Executable (PE) file loader. It can then govern, with minimal interaction with the host system and process, how it will load and interact with the host.
- Reflective DLL Injection - dtm(2017)
- Reflective DLLs and You - @CPL3H(2018)
- PE Reflection: The King is Dead, Long Live the King - DarkVortex(2021)
- Reflective DLL Injection in C++ - Brendan Ortiz(2021)
- Beginners guide to Reflective DLL Injection - quantumcore(2021)
- Talks/Presentations
- Tools
- ReflectiveDLLInjection
- Reflective DLL injection is a library injection technique in which the concept of reflective programming is employed to perform the loading of a library from memory into a host process. As such the library is responsible for loading itself by implementing a minimal Portable Executable (PE) file loader. It can then govern, with minimal interaction with the host system and process, how it will load and interact with the host.
- sRDI - Shellcode Reflective DLL Injection
- Shellcode implementation of Reflective DLL Injection. Convert DLLs to position independent shellcode
- ReflectiveDLLInjection
- General
- Reflective-PE Injection - See PE Injection
- Safe Mode
- Articles/Blogposts/Writeups
- Tools
- CheckSafeBoot
- "I used this to see if an EDR is running in Safe Mode"
- CheckSafeBoot
- Self-Deleting Executable
- Articles/Blogposts/Writeups
- Signing (Cryptographic)
- Articles/Blogposts/Writeups
- Tools
- CarbonCopy
- A tool which creates a spoofed certificate of any online website and signs an Executable for AV Evasion. Works for both Windows and Linux
- Windows-SignedBinary
- "Generate Windows Signed Binary With a Different Hash; The idea was to bypass endpoint solution that block known "malicious" signed application such as "regsvr32.exe". I wanted to find a way to get a valid signed file with a different hash."
- CarbonCopy
- Skrull Technique
- Splitting Actions
- Divide and Conquer - A technique to bypass NextGen AV - Csaba Fitzl
- This blog post describes a generic technique I called internally on our red team assessment “Divide and Conquer”, which can be used to bypass behavioral based NextGen AV detection. It works by splitting malicious actions and API calls into distinct processes.
- Divide and Conquer - A technique to bypass NextGen AV - Csaba Fitzl
- Token Sandboxing
- General
- Tools
- PPL_Sandboxer
- PoC in C.
- SandboxPPL
- Golang PoC that sandboxes Defender (or other PPL) by setting its token integrity to Untrusted.
- TokenStomp
- C# implementation of the token privilege removal flaw discovered by @GabrielLandau/Elastic
- PPL_Sandboxer
- Articles/Blogposts/Talks/Writeups
- Windows Event Log Avoidance & Deletion
- Articles/Writeups
- Uncovering Windows Security Events Part 2: The Methodology - Jonathan Johnson
- Remove individual lines from Windows XML Event Log (EVTX) files
- Remove individual lines from Windows XML Event Log (EVTX) files
- Phant0m: Killing Windows Event Log - artofpwn.com
- Stopping the Event Logger via Service Control Handler - modexp(2018)
- Crash Windows Event Logging Service - limbenjamin(2020)
- A few more Anti-BlueTeam ideas - Hexacorn(2018)
- Universally Evading Sysmon and ETW - Dylan Halls(2020)
- Mute Sysmon - Silence Sysmon via event manifest tampering - SecurityJosh(2020)
- Deletion and Bypass of Windows Logs - 3gstudent
- Domain Controller Security Logs – how to get at them without being a Domain Admin - girlgerms(2016)
- A few more Anti-BlueTeam ideas - hexacorn(2018)
- Pwning Windows Event Logging with YARA rules - Dylan Halls(2020)
- Disabling Windows Event Logs by Suspending EventLog Service Threads - @spottheplanet
- 肚脑虫组织( APT-C-35)疑似针对巴基斯坦军事人员的最新攻击活动 -
- Windows XML Event Log (EVTX)单条日志清除(五)——通过DuplicateHandle获取日志文件句柄删除当前系统单条日志记录 - 3gstudent
- Defense Evasion: Windows Event Logging (T1562.002) - Aarti Singh(2021)
- Unicode Reflection - Event Null Byte Injection - Jason Wheeler
- Windows Event Log Evasion via Native APIs - Lina L(2022)
- Windows Event Log Evasion Review - Harlan Carvey(2022)
- Windows Event Logs for Red Teams - Tim Fowler(2022)
- Tools
- Invoke-Phant0m
- This script walks thread stacks of Event Log Service process (spesific svchost.exe) and identify Event Log Threads to kill Event Log Service Threads. So the system will not be able to collect logs and at the same time the Event Log Service will appear to be running.
- GENE: Go Evtx sigNature Engine
- The idea behind this project is to provide an efficient and standard way to look into Windows Event Logs (a.k.a EVTX files). For those who are familiar with Yara, it can be seen as a Yara engine but to look for information into Windows Events.
- Documentation
- LogServiceCrash
- POC code to crash Windows Event Logger Service
- SharpCrashEventLog
- C# port of LogServiceCrash
- EventCleaner
- A tool mainly to erase specified records from Windows event logs, with additional functionalities.
- Ghost In The Logs
- This tool allows you to evade sysmon and windows event logging, my blog post about it can be found here
- Invoke-Phant0m
- This script walks thread stacks of Event Log Service process (spesific svchost.exe) and identify Event Log Threads to kill Event Log Service Threads. So the system will not be able to collect logs and at the same time the Event Log Service will appear to be running.
- Log-killer
- Clear all your logs in [linux/windows] servers
- MuteSysmon
- A PowerShell script to prevent Sysmon from writing its events
- Windwos-EventLog-Bypass
- Use subProcessTag Value From TEB to identify Event Log Threads. Use NtQueryInformationThread API and I_QueryTagInformation API to get service name of the thread. Auto kill Event Log Service Threads. So the system will not be able to collect logs and at the same time the Event Log Service will appear to be running.
- EvtMute
- This is a tool that allows you to offensively use YARA to apply a filter to the events being reported by windows event logging.
- Ghost-In-Logs-PurplePower
- Ballgag
- A tool used to clear Windows Event Logs without invoking wevtutil
- Invoke-Phant0m
- Articles/Writeups
- Event Tracing for Windows Evasion/Avoidance
- General
- Tampering with Windows Event Tracing: Background, Offense, and Defense - Palantir
- Bypassing the Microsoft-Windows-Threat-Intelligence Kernel APC Injection Sensor - Philip Tsukerman(2019)
- what's wrong with Etw - redp(2020)
- Hiding Your .NET – ETW - Adam Chester(2020)
- Another method of bypassing ETW and Process Injection via ETW registration entries. - modexp(2020)
- Another method of bypassing ETW and Process Injection via ETW registration entries. - modexp(2020)
- Detecting process injection with ETW - @_lpvoid(2021?)
- Data Only Attack: Neutralizing EtwTi Provider - slaeryan(2021)
- Design issues of modern EDRs: bypassing ETW-based solutions - Binarly(2021)
- etw blogposts - redplait
- Another method of bypassing ETW and Process Injection via ETW registration entries. - odzhan(2020)
- Disabling Event Tracing for Windows (ETW) - Unprotect.it
- EtwPatching - D1rkMtr
- Patching Event Tracing for Windows, by overwriting "call ntdll!EtwpEventWriteFull" inside ntdll!EtwEventWrite , the patched call do the actual Event Writing
- Talks
- Veni, No Vidi, No Vici: Attacks on ETW Blind EDR Sensors - Claudiu Teodorescu, Igor Korkin, Andrey Golchikov(BHEU2021)
- Slides
- Event Tracing for Windows (ETW) is a built-in feature, originally designed to perform software diagnostics, and nowadays ETW is essential for Endpoint Detection & Response (EDR) solutions. ETW is deeply integrated into the Windows kernel and involved in many API calls to trace OS events. ETW functions are used by numerous EDRs, business and academic projects to respond to security threats. The bad news for defenses is that ETW is vulnerable: malware countermeasures can disable ETW making the whole class of EDRs totally useless...
- Veni, No Vidi, No Vici: Attacks on ETW Blind EDR Sensors - Claudiu Teodorescu, Igor Korkin, Andrey Golchikov(BHEU2021)
- Tools
- TiEtwAgent
- PoC memory injection detection agent based on ETW, for offensive and defensive research purposes
- wtrace
- Command line tracing tool for Windows, based on ETW.
- HidingFromETW
- PoC for detecting and evading ETW detection of .Net Assembly.Load
- AMSI-ETW-Patch
- General
- PowerShell Related
- PowerShell Constrained Language Mode
- Articles/Blogposts/Writeups
- A Critique of Logging Capabilities in PowerShell v6
- Introduces 'PowerShell Upgrade Attack'
- A Critique of Logging Capabilities in PowerShell v6
- Talks/Presentations/Videos
- Isolated to Constrained Language Mode - Living within the Confines - Christopher Truncer(BSidesDC2018)
- This talk will cover what constrained language mode is, what works, and what doesn’t compared with the tools you are likely used to using. I’ll talk about building out tools in constrained language mode, the frustrations, and tips to make it easier. I’ll also cover existing tools for operating within a constrained language mode environment, and add a new update to WMImplant based on my approach to building out constrained language mode capabilities.
- PowerShell Constrained Language Mode Enforcement and Bypass Deep Dive - Matt Graeber(2020)
- Isolated to Constrained Language Mode - Living within the Confines - Christopher Truncer(BSidesDC2018)
- Tools
- PoSH_Bypass
- PoSHBypass is a payload and console proof of concept that allows an attatcker or for that matter a legitimate user to bypass PowerShell's 'Constrianed Language Mode, AMSI and ScriptBlock and Module logging'. The bulk of this concept is the combination of 3 separate pieces of research, I've stuck these 3 elements together as my first attempt at non 'Hello World!' C# project.
- PoSH_Bypass
- Articles/Blogposts/Writeups
- PowerShell Module Logging
- PowerShell Script Block Logging
- Articles/Blogposts/Writeups
- A Critique of Logging Capabilities in PowerShell v6
- Introduces 'PowerShell Upgrade Attack'
- Some PowerShell Logging Observations - mrt-f.com
- Bypass for PowerShell ScriptBlock Warning Logging of Suspicious Commands - cobbr.io(2017)
- PowerShell ScriptBlock Logging Bypass - cobbr.io(2017)
- Exploring PowerShell AMSI and Logging Evasion - Adam Chester(2018)
- A Critique of Logging Capabilities in PowerShell v6
- Articles/Blogposts/Writeups
- PowerShell Constrained Language Mode
- System Calls
- See Native API(Syscalls & WinAPI)
- Tools
- Look in the Redteam Page under implant dev for windows.
- SysWhispers
- SysWhispers helps with evasion by generating header/ASM files implants can use to make direct system calls.
- SysWhispers2
- SysWhispers helps with evasion by generating header/ASM files implants can use to make direct system calls.
- SysWhispers is dead, long live SysWhispers! - klezvirus(2022)
- SysWhispers3
- SysWhispers helps with evasion by generating header/ASM files implants can use to make direct system calls.
- Sysmon
- Articles/Blogposts/Writeups
- Sysmon Enumeration Overview - @./pwn(2017)
- Sysmon doing lines - hexacorn(2017)
- Sysmon doing lines, part 3 - hexacorn(2018)
- Sysmon doing lines, part 4 - hexacorn(2018)
- Operating Offensively Against Sysmon - Carlos Perez(2018)
- Subverting Sysmon: Application of a Formalized Security Product Evasion Methodology - Matt Graber(BlackHatUSA2018)
- Subverting Sysmon materials
- Evading Sysmon DNS Monitoring - Adam Chester(2019)
- Sysmon Image File Name Evasion - NtRaiseHardError(2020)
- Sysmon Internals - From File Delete Event to Kernel Code Execution - NtRaiseHardError(2020)
- Talks/Presentations/Videos
- Tools
- Shhmon - Neuter Sysmon by unloading its driver
- Sysmon configuration bypass finder
- Detect possible sysmon logging bypasses given a specific configuration
- Articles/Blogposts/Writeups
- Windows User Account Control(UAC)
- 101
- User Account Control - docs.ms
- User Account Control Step-by-Step Guide - docs.ms
- User Account Control - Steven Sinofsky(blogs.msdn)](https://blogs.msdn.microsoft.com/e7/2008/10/08/user-account-control/)
- Inside Windows Vista User Account Control - docs.ms
- User Account Control: Inside Windows 7 User Account Control - Mark Russinovich(2016)
- How User Account Control Works - docs.ms
- Abuse Elevation Control Mechanism: Bypass User Account Control - MITRE ATT&CK(2021)
- User Account Control – What Penetration Testers Should Know - cobalstrike.com
- Articles/Blogposts/Writeups
- Anatomy of UAC Attacks - b33f
- Reading Your Way Around UAC (Part 1) - James Forshaw(2017)
- Exploiting Environment Variables in Scheduled Tasks for UAC Bypass - James Forshaw(2017)
- Farewell to the Token Stealing UAC Bypass - James Forshaw(2018)
- Accessing Access Tokens for UIAccess - James Forshaw(2019)
- CQLabs – How UAC bypass methods really work - Adrian Denkiewicz(2020)
- In this article, we will analyze a couple of knowns, still working, UAC bypasses – how they work, what are the requirements, and potential mitigation techniques. Before we dive into this, we need to briefly explain what UAC is.
- UACMe 3.5, WD and the ways of mitigation - hfiref0x(2020)
- UAC bypasses from COMAutoApprovalList - hfiref0x(2020)
- Abusing COM & DCOM objects - Haboob(2020)
- Talks/Presentations/Videos
- Not a Security Boundary: Bypassing User Account Control - Matt Nelson(Derbycon2017)
- Microsoft's User Account Control feature, introduced in Windows Vista, has been a topic of interest to many in the security community. Since UAC was designed to force user approval for administrative actions, attackers (and red teamers) encounter UAC on nearly every engagement. As a result, bypassing this control is a task that an actor often has to overcome, despite its lack of formal designation as a security boundary. This talk highlights what UAC is, previous work by others, research methodology, and details several technical UAC bypasses developed by the author.
- FromALPC to UAC-Bypass - @hakril(2017)
- Not a Security Boundary: Bypassing User Account Control - Matt Nelson(Derbycon2017)
- Papers
- Testing UAC on Windows 10 - Ernesto Fernandez(2017)
- User Account Control (UAC) is a mechanism implemented in Windows systems from Vista to prevent malicious software from executing with administrative privileges without user consent. However, this mechanism does not provide a secure solution to that problem, since can be easily bypassed in some ways, something we will show by means of different methods such as DLL hijacking, token impersonation or COM interface elevation, also we will show a new method which we have developed based on a previous one. Moreover, this new Proof of Concept has been ported to the Metasploit Framework as a new module, which indeed is the only UAC bypass module that works in the latest Windows 10 build version.
- Testing UAC on Windows 10 - Ernesto Fernandez(2017)
- Bypasses
- Fileless UAC Bypass in Windows Store Binary - Activecyber.us(2019)
- UAC Bypass via SPPLUAObject Class
- ALPC-BypassUAC
- UAC Bypass with mmc via alpc
- Bypassing Windows User Account Control (UAC) and ways of mitigation - Parvez(2014)
- Bypassing User Account Control (UAC) using TpmInit.exe - uacmeltdown.blogspot
- UAC Bypass in System Reset Binary via DLL Hijacking - activecyber.us
- Bypassing UAC on Windows 10 using Disk Cleanup
- Research on CMSTP.exe
- Methods to bypass UAC and load a DLL over webdav
- Bypassing UAC using App Paths - enigma0x3(2017)
- “Fileless” UAC Bypass Using eventvwr.exe and Registry Hijacking
- Fileless UAC Bypass using sdclt
- Eventvwr File-less UAC Bypass CNA - @vysecurity.(2016)
- UAC Bypass or a Story of Three Elevations - xi-tauw(2017)
- How to bypass UAC in newer Windows versions - zcool(Oct2018)
- Fileless UAC Bypass in Windows Store Binary - activecyber.us
- User Account Control & odbcad32.exe - secureyourit.co.uk
- More Than a Penetration Test (Microsoft Windows CVE-2019–1082) - Michal Bazyli(2019)
- UAC bypass through Trusted Folder abuse - Jean Maes(2020)
- Fileless_UAC_bypass_WSReset
- Windows 10 LPE (UAC Bypass) in Windows Store (WSReset.exe) - abcdef(2019)
- Slui File Handler Hijack LPE
- UAC_bypass_windows_store
- SilentClean UAC bypass via binary planting
- UAC Bypass by Mocking Trusted Directories - David Wells(2018)
- Bypassing Windows 10 UAC with mock folders and DLL hijacking - Ax Sharma(2020)
- Offense and Defense – A Tale of Two Sides: Bypass UAC - Anthony Giandomenico(2020)
- SystemPropertiesAdvanced.exe DLL Hijacking UAC Bypass - egre55
- UAC_Exploit
- Talks & Presentations
- Tools
- UACME
- Defeating Windows User Account Control by abusing built-in Windows AutoElevate backdoor.
- DccwBypassUAC
- This exploit abuses the way "WinSxS" is managed by "dccw.exe" by means of a derivative Leo's Davidson "Bypass UAC" method so as to obtain an administrator shell without prompting for consent. It supports "x86" and "x64" architectures. Moreover, it has been successfully tested on Windows 8.1 9600, Windows 10 14393, Windows 10 15031 and Windows 10 15062.
- Bypass-UAC
- Bypass-UAC provides a framework to perform UAC bypasses based on auto elevating IFileOperation COM object method calls. This is not a new technique, traditionally, this is accomplished by injecting a DLL into "explorer.exe". This is not desirable because injecting into explorer may trigger security alerts and working with unmanaged DLL's makes for an inflexible work-flow. To get around this, Bypass-UAC implements a function which rewrites PowerShell's PEB to give it the appearance of "explorer.exe". This provides the same effect because COM objects exclusively rely on Windows's Process Status API (PSAPI) which reads the process PEB.
- Fileless_UAC_bypass_WSReset
- ByeIntegrity — Windows UAC Bypass
- Bypass UAC by hijacking a DLL located in the Native Image Cache
- ByeIntegrity 2.0 — Windows UAC Bypass
- Bypass UAC by abusing the Internet Explorer Add-on installer
- ByeIntegrity 3.0 — Windows UAC Bypass
- Bypass UAC by abusing the Security Center CPL and hijacking a shell protocol handler
- byeintegrity8-uac
- SharpBypassUAC
- UACME
- 101
- Specific Techniques
- CMD Obfuscation
- Articles/Blogposts/Writeups
- Talks/Presentations/Videos
- Invoke-DOSfuscation: Techniques FOR %F IN (-style) DO (S-level CMD Obfuscation) - Daniel Bohannon(Derbycon2018)
- Skilled attackers continually seek out new attack vectors and effective ways of obfuscating old techniques to evade detection. Active defenders can attest to attackers’ prolific obfuscation of JavaScript, VBScript and PowerShell payloads given the ample availability of obfuscation frameworks and their effectiveness at evading many of today’s defenses. However, advanced defenders are increasingly detecting this obfuscation with help from the data science community. This approach paired with deeper visibility into memory-resident payloads via interfaces like Microsoft’s Antimalware Scan Interface (AMSI) is causing some Red Teamers to shift tradecraft to languages that offer defenders less visibility. But what are attackers using in the wild? In the past year numerous APT and FIN (Financial) threat actors have increasingly introduced obfuscation techniques into their usage of native Windows binaries like wscript.exe, regsvr32.exe and cmd.exe. Some simple approaches entail randomly adding cmd.exe’s caret (^) escape character to command arguments. More interesting techniques like those employed by APT32, FIN7 and FIN8 involve quotes, parentheses and standard input.The most interesting obfuscation technique observed in the wild was FIN7’s use of cmd.exe’s string replacement functionality identified in June 2017. This discovery single-handedly initiated my research into cmd.exe’s surprisingly effective but vastly unexplored obfuscation capabilities. In this presentation I will dive deep into cmd.exe’s multi-faceted obfuscation opportunities beginning with carets, quotes and stdin argument hiding. Next I will extrapolate more complex techniques including FIN7’s string removal/replacement concept and two never-before-seen obfuscation and full encoding techniques - all performed entirely in memory by cmd.exe. Finally, I will outline three approaches for obfuscating binary names from static and dynamic analysis while highlighting lesser-known cmd.exe replacement binaries. I will conclude this talk by giving a live demo of my cmd.exe obfuscation framework called Invoke-DOSfuscation that obfuscates payloads using these multi-layered techniques. I will also share detection implications and approaches for this genre of obfuscation.
- Invoke-DOSfuscation: Techniques FOR %F IN (-style) DO (S-level CMD Obfuscation) - Daniel Bohannon(Derbycon2018)
- Tools
- Debuggers
- Batch, attach and patch: using windbg’s local kernel debugger to execute code in windows kernel
- In this article I am going to describe a way to execute code in windows kernel by using windbg local kernel debugging. It’s not a vulnerability, I am going to use only windbg’s legal functionality, and I am going to use only a batch file (not powershell, or vbs, an old style batch only) and some Microsoft’s signed executables (some of them that are already in the system and windbg, that we will be dumped from the batch file). With this method it is not necessary to launch executables at user mode (only Microsoft signed executables) or load signed drivers. PatchGuard and other protections don’t stop us. We put our code directly into kernel memory space and we hook some point to get a thread executing it. As we will demonstrate, a malware consisting of a simple batch file would be able to jump to kernel, enabling local kernel debugging and using windbg to get its code being executed in kernel.
- Batch, attach and patch: using windbg’s local kernel debugger to execute code in windows kernel
He*'s Gate- Heaven's Gate
- 101
- Ten years later, malware authors are still abusing 'Heaven's Gate' technique - Catalin Cimpanu (2019)
- Heaven's Gate: 64-bit code in 32-bit file - defjam(2011)
- Knockin’ on Heaven’s Gate – Dynamic Processor Mode Switching - George Nicolaou(2012)
- This post presents the research conducted under the domain of dynamic processor mode (or context) switching that takes place prior to the invocation of kernel mode functions in 32bit processes running under a 64bit Windows kernel. Processes that are designed and compiled to execute under a 32bit environment get loaded inside the Windows-on-Windows64 ( WoW64 ) subsystem and are assigned threads running in IA-32e compatibility mode ( 32bit mode ). When a kernel request is being made through the standard WoW64 libraries, at some point, the thread switches to 64bit mode, the request is executed, the thread switches back to compatibility mode and execution is passed back to the caller. The switch from 32bit compatibility mode to 64bit mode is made through a specific segment call gate referred to as the Heaven’s Gate, thus the title of this topic. All threads executing under the WoW64 environment can execute a FAR CALL through this segment gate and switch to the 64bit mode. The feature of mode switch can also be viewed from the security and maliciousness point of view. It can be used as an anti reverse engineering technique for protecting software up to the malicious ( or not ) intends of cross process generic library injection or antivirus and sandbox evasion. The result of this research is a library named W64oWoW64 which stands for Windows64 On Windows On Windows64.
- Rise of the dual architecture usermode rootkit - MalwareTech(2013)
- The 0x33 Segment Selector (Heavens Gate) - MalwareTech(2014)
- Articles/Blogposts/Writeups
- Code obFU(N)scation mixing 32 and 64 bit mode instructions - giula
- Closing “Heaven’s Gate” - Alex Ionescu(2015)
- Crowbar: Breaking through Heaven’s Gate - KrabsOnSecurity
- Heaven's Gate: 64-bit code in 32-bit file - roy_g_biv(2009)
- The power of WOW64 - int0h(2009)
- Anti-Anti-Debugging via WOW64 - int0h(2011)
- DLL Injection and WoW64 - Corsix.org(2010)
- Mixing x86 with x64 code - ReWolf(2011)
- Heaven’s gate and a chameleon code (x86/64) - Hexacorn(2015)
- Jumping into heaven’s gate - Yarden Shafir(2018)
- Hooking Heaven’s Gate — a WOW64 hooking technique - Hoang Bui(2019)
- How to Hook 64-Bit Code from WOW64 32-Bit Mode - Ruslan Valiakhmetov(2020)
- Deep Hooks: Monitoring native execution in WoW64 applications – Part 1 - Yarden Shafir, Assaf Carlsbad(2018)
- A Pony Hidden in Your Secret Garden - David Cohen(2019)
- Pony is the name of the malware
- VB2019 paper: Exploring Emotet, an elaborate everyday enigma - Luca Nagy(2019)
- Based on Sophos detection numbers, the Emotet trojan is the most widespread malware family in the wild. Since its appearance more than five years ago, it has been – and remains – the most notorious and costly active malware. Emotet owes its reputation to its constant state of evolution and change. The malware’s rapid advancement helps support its highly sophisticated operation. This paper will discuss the reverse engineering of its components, as well as the capabilities and features of Emotet: a detailed overview of its multi-layered operation, starting with the spam lure, the malicious attachments (and their evolution), and the malware executable itself, from its highly sophisticated packer to its C2 server communications.
- WoW64 internals ...re-discovering Heaven's Gate on ARM
- "Heaven’s Gate" Một kĩ thuật cũ nhưng hiệu quả - Tran Trung Kien(2020)
- How to Hook 64-Bit Code from WOW64 32-Bit Mode It was originally published on https://www.apriorit.com/ - apriorit.com(2020)
- GuLoader: Peering Into a Shellcode-based Downloader - Umesh Wanve(2020)
- WOW64!Hooks: WOW64 Subsystem Internals and Hooking Techniques - Stephen Eckels(2020)
- Talks/Presentations/Videos
- Tools
- Heavens-Gate-2.0
- "Unable to find any properly implemented/working code that works on Windows 10, I have decided to open the Heaven's Gate on my own. Yes, this one is working on an updated Windows 10 (as of 22th July 2017) Tested on Windows 7 too"
- HeavenInjector
- Simple proof of concept code for injecting libraries on 64bit processes from a 32bit process
- rewolf-wow64ext
- Helper library for x86 programs that runs under WOW64 layer on x64 versions of Microsoft Windows operating systems. It enables x86 applications to read, write and enumerate memory of a native x64 applications. There is also possibility to call any x64 function from 64-bits version of NTDLL through a special function called X64Call(). As a bonus, wow64ext.h contains definitions of some structures that might be useful for programs that want to access PEB, TEB, TIB etc.
- W64oWoW64
- wow64pp
- An easy to use header only heavens gate implementation based on wow64ext X64Call however not using inline assembly allowing it to work on other compilers like MinGW.
- gopherheaven
- Go implementation of the Heaven's Gate technique
- Heavens-Gate-2.0
- 101
- Hell's Gate
- 101
- Hells Gate - smelly__vx(@RtlMateusz), am0nsec(@am0nsec)
- "However, we are happy to report that we havelifted the veil, we have identified an approach capable of programmatically aggregating syscalls, at run-time, shedding us of unnecessary dependencies. For the sake of brevity, this paper will primarily focus on dynamically retrieving syscalls. This paperassumes you possess knowledge pertaining to both Windows internals and the Windows PE file format."
- Hells Gate - smelly__vx(@RtlMateusz), am0nsec(@am0nsec)
- Articles/Blogposts/Writeups
- Implementing Direct Syscalls Using Hell’s Gate - N4kedTurtle(2020)
- Reading memory of x64 process from x86 process - ReWolf(2012)
- wow64ext library update - ReWolf(2012)
- WoW64 internals: Tale of GetSystemFileCacheSize - ReWolf(2013)
- wow64ext finally compatible with Windows 8 - ReWolf(2013)
- WoW64 internals: Unexpected behaviour of NtQueryDirectoryObject - ReWolf(2015)
- Tools
- Hell's Gate
- Original C Implementation of the Hell's Gate VX Technique
- HellsGatePoC
- C# Hell's Gate
- C# Implementation of the Hell's Gate VX Technique
- BananaPhone
- Hell's Gate
- 101
- Heresy's Gate
- Articles/Blogposts/Writeups
- Tools
- Heaven's Gate
- In-Memory Execution
*Injection
- Loading-after-execution
- Tools
- foolavc
- This project is foolav continuation. Original foolav was offered only as x86 executable, used single encoding for externally kept payload file. Once foolav is executed, payload is loaded into memory and executed as a shellcode in separate thread. foolavc on the other hand supports both x86 and x86_64 architectures, allows use of both internal (built-in) or external payloads. Those can be interpreted in one of three ways: shellcode, DLL and EXEcutable.
- MemoryModule
- MemoryModule is a library that can be used to load a DLL completely from memory - without storing on the disk first.
- foolavc
- Tools
- Native Binaries/Functionality
- Research on CMSTP.exe
- Methods to bypass UAC and load a DLL over webdav
- rundll32 lockdown testing goodness
- Hack Microsoft Using Microsoft Signed Binaries - Pierre-Alexandre Braeken
- Hack Microsoft Using Microsoft Signed Binaries - BH17 - pierre - alexandre braeken
- Imagine being attacked by legitimate software tools that cannot be detected by usual defender tools. How bad could it be to be attacked by malicious threat actors only sending bytes to be read and bytes to be written in order to achieve advanced attacks? The most dangerous threat is the one you can’t see. At a time when it is not obvious to detect memory attacks using API like VirtualAlloc, what would be worse than having to detect something like
f0xffffe0010c79ebe8+0x8 L4 0xe8 0xcb 0x04 0x10? We will be able to demonstrate that we can achieve every kind of attacks you can imagine using only PowerShell and a Microsoft Signed Debugger. We can retrieve passwords from the userland memory, execute shellcode by dynamically parsing loaded PE or attack the kernel achieving advanced persistence inside any system.
- Imagine being attacked by legitimate software tools that cannot be detected by usual defender tools. How bad could it be to be attacked by malicious threat actors only sending bytes to be read and bytes to be written in order to achieve advanced attacks? The most dangerous threat is the one you can’t see. At a time when it is not obvious to detect memory attacks using API like VirtualAlloc, what would be worse than having to detect something like
- RogueMMC
- Execute Shellcode And Other Goodies From MMC
- Research on CMSTP.exe
- Path Obfuscation
- DOS File Path Magic Tricks - Carrie Roberts(2020)
- In this article I give a variety of examples of how to refer to the notepad.exe executable from the C:\Windows\System32 directory using various path notations. I also discuss how some of these tricks can be used to annoy or fool system administrators and information security analysts.
- DOS File Path Magic Tricks - Carrie Roberts(2020)
- Reading Physical Memory
- Articles/Blogposts/Writeups
- Talks/Presentations/Videos
- Fractured Backbone: Breaking Modern OS Defenses with Firmware Attacks - Yuriy Bulygin, Mikhail Gorobets, Andrew Furtak, Alex Bazhaniuk(BHUSA2017
- Slides
- In this work we analyzed two recent trends. The first trend is the growing threat of firmware attacks which include recent disclosures of Vault7 Mac EFI implants. We will detail vulnerabilities and attacks we discovered recently in system firmware including UEFI, Mac EFI and Coreboot which could lead to stealth and persistent firmware implants.
- Fractured Backbone: Breaking Modern OS Defenses with Firmware Attacks - Yuriy Bulygin, Mikhail Gorobets, Andrew Furtak, Alex Bazhaniuk(BHUSA2017
- Tools
- VirtToPhys
- "VirtToPhys is a small POC to demonstrate how you can calculate the physical address for a kernel virtual address when exploiting driver bugs that allow you to map physical memory. VirtToPhys uses MsIo.sys, a WHQL signed driver that gives you colorful lights on your RAM (?lolwut), CVE-2019-18845. Hat tips and full credits to @UlfFrisk for his very insightful MemProcFS project and @hFireF0X for KDU."
- Physmem drivers
- This repo is a collection of various vulnerable (mostly physical memory exposing) drivers. No more deeper analysis was done on them, so some might not work. Also, there is no PoC available. So for short, if you want to use any of these, reverse them yourself to figure out how to use.
- MemProcFS
- The Memory Process File System (MemProcFS) is an easy and convenient way of viewing physical memory as files in a virtual file system.
- physmem2profit
- Physmem2profit can be used to create a minidump of a target hosts' LSASS process by analysing physical memory remotely
- VirtToPhys
- Polymorphism
- 101
- Articles/Blogposts/Writeups
- Talks/Presentations/Videos
- Antivirus Evasion through Antigenic Variation (Why the Blacklisting Approach to AV is Broken) - Trenton Ivey, Neal Bridges(Derbycon 2013)
- Description: Think of the last time you got sick. Your immune system is an amazing piece of machinery, but every now and then, something gets past it. Antivirus evasion techniques can become more effective when modeled after infectious diseases. This talk highlights many of the antivirus evasion techniques in use today. Going further, this talk shows how genetic algorithms can quickly and repeatedly “evolve” code to evade many malicious code detection techniques in use today.
- Antivirus Evasion through Antigenic Variation (Why the Blacklisting Approach to AV is Broken) - Trenton Ivey, Neal Bridges(Derbycon 2013)
- Papers
- Tools
- Enneos
- Evolutionary Neural Network Encoder of Shenanigans. Obfuscating shellcode with an encoder that uses genetic algorithms to evolve neural networks to contain and output the shellcode on demand.
- MorphAES
- MorphAES is the world's first polymorphic shellcode engine, with metamorphic properties and capability to bypass sandboxes, which makes it undetectable for an IDPS, it's cross-platform as well and library-independent.
- Enneos
- Process-Argument Spoofing
- Process Un-Linking
- Process 'Hardening'
- Hiding Process Memory via Anti Forensic Techniques - Ralph Palutke, Frank Block, Patrick Reichenberger, Dominik Stripeika(DFRWS USA2020)
- With this paper, we present three novel methods that prevent malicious user space memory from appearing in analysis tools and additionally making the memory inaccessible from a security analysts perspective. Two of these techniques manipulate kernel structures, namely Page Table Entries and the structures responsible for managing user space memory regions, while the third one utilizes shared memory and hence does not require elevated privileges. As a proof of concept, we implemented all techniques for the Windows and Linux operating systems, and subsequently evaluated these with both, memory forensics and live analysis techniques. Furthermore, we discuss and evaluate several approaches to detect our subversion techniques and introduce two Rekall plugins that automate the detection of hidden memory for the shared memory scenario.
- Bypassing VirtualBox Process Hardening on Windows - James Forshaw(2017)
- This blog post will describe the implementation of Oracle’s VirtualBox protected process and detail three different, but now fixed, ways of bypassing the protection and injecting arbitrary code into the process. The techniques I’ll present can equally be applied to similar implementations of “protected” processes in other applications.)
- Hiding Process Memory via Anti Forensic Techniques - Ralph Palutke, Frank Block, Patrick Reichenberger, Dominik Stripeika(DFRWS USA2020)
- REPL
- Sandbox Detection & Evasion
- See RT.md
- Signatures
- CMD Obfuscation
- 101
- Credential Access
- Want to learn this stuff? What should you know/study?
- Windows Authentication Concepts
- Windows Logon Scenarios
- Windows Authentication Architecture
- Security Support Provider Interface Architecture
- Credentials Processes in Windows Authentication
- Group Policy Settings Used in Windows Authentication
- 101
- An Overview of KB2871997 - msrc-blog.ms
- Increasing complexity of retrieving clear-text creds
- Cached and Stored Credentials Technical Overview - docs.ms(2016)
- Applies To: Windows Vista, Windows Server 2008, Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 R2, Windows Server 2012, Windows 8
- Cached and Stored Credentials - ldapwiki
- Windows Credential Management, Logon Sessions and the Double Hop Problem - Acebond(2019)
- "I wanted to provide a quick overview on Windows credential management in relation to penetration testing, why passwords are not always stored in memory and the Double Hop problem."
- Fantastic Windows Logon types and Where to Find Credentials in Them - Chirag Salva, Anas Jamal(2021)
- Hunting for credentials and building a credential type reference catalog - wunderwuzzi(2020)
- Using built-in OS indexing features for credential hunting - wunderwuzzi(2020)
- An Overview of KB2871997 - msrc-blog.ms
- Articles/Blogposts/Writeups
- Collection/Overview of techniques
- Dump Windows password hashes efficiently - Part 1(2011)
- Dumping user passwords in plaintext on Windows 8.1 and Server 2012 - labofapenetrationtester
- Intercepting Password Changes With Function Hooking - clymb3r(2013)
- Dumping Windows Credentials
- Hunting for Credentials Dumping in Windows Environment - Teymur Kheirhabarov - ZeroNights(2017)
- Dumping Clear-Text Credentials - NetbiosX(2018)
- Dump-Clear-Text-Password-after-KB2871997-installed - 3gstudent
- Extracting credentials from a remote Windows system - Living off the Land - bitsadmin.in(2020)
- Where we can find different kinds of passwords in the operating system? - Paula Januszkiewicz(2020)
- MITRE ATT&CK T1003 Credential Dumping - Süleyman Özarslan(2020)
- In this article, we review: the fundamentals of the credential dumping technique; resources targeted by adversaries for credential dumping; its use cases by threat actors and malware; the most used OS resources for credential dumping; 11 red team exercises for this technique
- DMA
- The True Story of Windows 10 and the DMA-protection - Sami Laiho
- This blog post will tell you if / how Windows 10 protects against DMA (Direct Memory Access) bases attacks used against BitLocker and other encryption mechanisms by stealing the encryption key from the memory of a running computer. The story might be long(ish) but rest assured you want to read it through.
- The True Story of Windows 10 and the DMA-protection - Sami Laiho
- From a Memory Dump
- Specific Programs
- SecretsDump Demystified - Mike Benich(2020)
- Password Managers: Under the Hood of Secrets Management - ISE
- Password managers allow the storage and retrieval of sensitive information from an encrypted database. Users rely on them to provide better security guarantees against trivial exfiltration than alternative ways of storing passwords, such as an unsecured flat text file. In this paper we propose security guarantees password managers should offer and examine the underlying workings of five popular password managers targeting the Windows 10 platform: 1Password 7, 1Password 4, Dashlane, KeePass, and LastPass. We anticipated that password managers would employ basic security best practices, such as scrubbing secrets from memory when they are not in use and sanitization of memory once a password manager was logged out and placed into a locked state. However, we found that in all password managers we examined, trivial secrets extraction was possible from a locked password manager, including the master password in some cases, exposing up to 60 million users that use the password managers in this study to secrets retrieval from an assumed secure locked state.
- Collection/Overview of techniques
- 3rd Party
- Erlang Portmapper Daemon
- PulseSecure
- Solarwinds Orion
- SolarFlare Release: Password Dumper for SolarWinds Orion - mubix(2020)
- solarflare
- Credential Dumping Tool for SolarWinds Orion
- Exploitation of Remote WCF Vulnerabilities
- Fun with SolarWinds Orion Cryptography - HD Moore(2018)
- SolarWinds Orion Cryptography
- Utilities for decrypting and hashing SolarWinds Orion credentials
- Active Directory Environment
- Articles/Blogposts/Writeups
- Dumping Domain Password Hashes - pentestlab.blog
- How Attackers Dump Active Directory Database Credentials - adsecurity.org
- Compromising Plain Text Passwords In Active Directory
- Safely Dumping Domain Hashes, with Meterpreter - Rapid7
- Active Directory Domain Services Database Mounting Tool (Snapshot Viewer or Snapshot Browser) Step-by-Step Guide
- This guide shows how you can use an improved version of Ntdsutil and a new Active Directory® database mounting tool in Windows Server® 2008 to create and view snapshots of data that is stored in Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS), without restarting the domain controller or AD LDS server. A snapshot is a shadow copy—created by the Volume Shadow Copy Service (VSS)—of the volumes that contain the Active Directory database and log files.
- Pwning with Portals: How Rick Sanchez Dumps DITs - deadjakk
- How To Export LAPS Passwords from Active Directory with Powershell - Danny(2021)
- Articles/Blogposts/Writeups
- AWS
- Articles/Blogposts/Writeups
- AutoLogon
- Tools
- DecryptAutoLogon
- Command line tool to extract/decrypt the password that was stored in the LSA by SysInternals AutoLogon
- DecryptAutoLogon
- Tools
- Azure
- Articles/Blogposts/Writeups
- PowerShell, Azure, and Password Hashes in 4 steps - FortyNorth Security
- this blog post will walk you through the process of obtaining hashes from a domain controller within Azure using PowerShell.
- PowerShell, Azure, and Password Hashes in 4 steps - FortyNorth Security
- Articles/Blogposts/Writeups
- Clipboard
- CredSSP
- DPAPI
- Articles/Blogposts/Writeups
- TBAL: an (accidental?) DPAPI Backdoor for local users a.k.a how a convenience feature undermined a security feature - vztekoverflow(2018)
- In this article, we have demonstrated that in some scenarios, the default Windows configuration leads to the SHA‑1 hash of the user’s password being stored to the disk in a way that is retrievable without any further knowledge about the password. We argue that this is an issue for DPAPI, because if the secret necessary for decrypting the master key was to be stored on the disk by design, Microsoft could have kept on using the NTLM hash it uses in domain settings (and supposedly used in the first implementation of DPAPI). We then demonstrated how this attack can be executed using readily available tools.
- EntropyCapture: Simple Extraction of DPAPI Optional Entropy - Matt Merrill(2022)
- TBAL: an (accidental?) DPAPI Backdoor for local users a.k.a how a convenience feature undermined a security feature - vztekoverflow(2018)
- Talks/Presentations/Videos
- Tools
- Invoke-WCMDump
- PowerShell Script to Dump Windows Credentials from the Credential Manager
- SharpCryptUnprotectData
- Use CryptUnprotectData() to decrypt DPAPI encrypted data on Windows using your current user context. Might be handy if you don't have the domain backup key or the user's password.
- EntropyCapture
- Simple Extraction of DPAPI pOptionalEntropy value using API Hooking
- Invoke-WCMDump
- Articles/Blogposts/Writeups
- Dumping NTDS.dit
- Articles/Blogposts/Writeups
- How Attackers Pull the Active Directory Database (NTDS.dit) from a Domain Controller
- Extracting Password Hashes From The Ntds.dit File
- Obtaining NTDS.Dit Using In-Built Windows Commands - Cyberis(2014)
- Volume Shadow Copy NTDS.dit Domain Hashes Remotely - Part 1 - mubix
- Getting Hashes from NTDS.dit File - swordshield.com
- Extracting Hashes and Domain Info From ntds.dit - ropnop
- Practice ntds.dit File Part 2: Extracting Hashes - Didier Stevens
- Tools
- adXtract
- DIT Snapshot Viewer
- DIT Snapshot Viewer is an inspection tool for Active Directory database, ntds.dit. This tool connects to ESE (Extensible Storage Engine) and reads tables/records including hidden objects by low level C API. The tool can extract ntds.dit file without stopping lsass.exe. When Active Directory Service is running, lsass.exe locks the file and does not allow to access to it. The snapshot wizard copies ntds.dit using VSS (Volume Shadow Copy Service) even if the file is exclusively locked. As copying ntds.dit may cause data inconsistency in ESE DB, the wizard automatically runs esentutil /repair command to fix the inconsistency.
- NTDSXtract - Active Directory Forensics Framework
- This framework was developed by the author in order to provide the community with a solution to extract forensically important information from the main database of Microsoft Active Directory (NTDS.DIT).
- NTDSDumpEx
- NTDS.dit offline dumper with non-elevated
- NTDS-Extraction-Tools
- Automated scripts that use an older version of libesedb (2014-04-06) to extract large NTDS.dit files
- gosecretsdump
- This is a conversion of the impacket secretsdump module into golang. It's not very good, but it is quite fast. Please let me know if you find bugs, I'll try and fix where I can - bonus points if you can provide sample .dit files for me to bash against.
- Articles/Blogposts/Writeups
- Dumping Process Memory
- 101
- MiniDumpWriteDump function - docs.ms
- Writes user-mode minidump information to the specified file.
- MiniDumpWriteDump function (minidumpapiset.h) - docs.ms
- minidump.c File Reference - ReactOS
- Why is SeDebugPrivilege enabled in PowerShell? - Lee Holmes(2017)
- This is enabled by .NET when PowerShell uses the System.Diagnostics.Process class in .NET, which it does for many reasons. One example is the Get-Process cmdlet. Another example is the method it invokes to get the current process PID for the $pid variable. Any .NET application that uses the System.Diagnostics.Process class also enables this privilege.
- MiniDumpWriteDump function - docs.ms
- Articles/Blogpost/Writeups
- MiniDumpWriteDump via COM+ Services DLL - modexp(2019)
- Dumping Process Memory with Custom C# Code - 3xpl01tc0d3r(2019)
- SassyKitdi: Kernel Mode TCP Sockets + LSASS Dump - @zerosum0x0(2020)
- This post describes a kernel mode payload for Windows NT called "SassyKitdi" (LSASS + Rootkit + TDI). This payload is of a nature that can be deployed via remote kernel exploits such as EternalBlue, BlueKeep, and SMBGhost, as well as from local kernel exploits, i.e. bad drivers.
- How to Capture a Minidump: Let Me Count the Ways - John Robbins(2020)
- The curious case of Realtek and LSASS - Henri Hambartsumyan(2020)
- Code Note 0x2: ATPMiniDump - P. Boonyakarn(2020)
- Mimikatz Under The Hood - Magnus Stubman(2021)
- Deception in Depth - LSASS Injection - spookysec(2021)
- Dumping LSASS in memory undetected using MirrorDump - Ceri Coburn(2021)
- Lsass Memory Dumps are Stealthier than Ever Before - Asaf Gilboa(2021)
- Dumping LSASS with SharpShere - James Coote(2021)
- A physical graffiti of LSASS: getting credentials from physical memory for fun and learning - @AdeptsOf0xCC
- Tools
- KsDumper
- Dumping processes using the power of kernel space!
- PyKDumper
- PykDumper is mimimkatz inspired PyKD based script that retrieves and decrypt usernames,logonservers and credentials from the lsass process.
- SassyKitdi
- Kernel Mode TCP Sockets + LSASS Dump (Rust Shellcode)
- MiniDumpWriteDump BOF
- MiniDump
- C# implementation of mimikatz/pypykatz minidump functionality to get credentials from LSASS dumps.
- MiniDumpWriteDumpPoC
- This is a function hook that allows to access the buffer generated by MiniDumpWriteDump before it gets to disk. Once accessed, it will encrypt the buffer and send it through a socket to a given host.
- minidump
- Custom implementation of DbgHelp's MiniDumpWriteDump function. Uses static syscalls to replace low-level functions like NtReadVirtualMemory.
- TransactedSharpMiniDump
- Implementation of b4rtiks's SharpMiniDump using NTFS transactions to avoid writting the minidump to disk and exfiltrating it via HTTPS using sockets.
- LsassSilentProcessExit
- Command line interface to dump LSASS memory to disk via SilentProcessExit
- PPLdump
- This tool implements a userland exploit that was initially discussed by James Forshaw (a.k.a. @tiraniddo) - in this blog post - for dumping the memory of any PPL as an administrator.
- AndrewSpecial
- AndrewSpecial, dumping lsass' memory stealthily and bypassing "Cylance" since 2019.
- SnoopyOwl
- ntfsDump
- Use to copy a file from an NTFS partitioned volume by reading the raw volume and parsing the NTFS structures.
- Chalumeau
- Chalumeau is automated,extendable and customizable credential dumping tool based on powershell and python.
- CredBandit
- Proof of concept Beacon Object File (BOF) that uses static x64 syscalls to perform a complete in memory dump of a process and send that back through your already existing Beacon communication channel
- KsDumper
- 101
- Internal Monologue
- 101
- Internal Monologue Attack: Retrieving NTLM Hashes without Touching LSASS
- In secure environments, where Mimikatz should not be executed, an adversary can perform an Internal Monologue Attack, in which they invoke a local procedure call to the NTLM authentication package (MSV1_0) from a user-mode application through SSPI to calculate a NetNTLM response in the context of the logged on user, after performing an extended NetNTLM downgrade.
- Internal Monologue Attack: Retrieving NTLM Hashes without Touching LSASS
- Articles/Blogposts/Writeups
- Tools
- selfhash
- Selfhash allows you to get password hashes of the current user. This tool doesn't requere high privileges i.e. SYSTEM, but on another hand it returns NTLM Challenge Response, so you could crack it later.
- selfhash
- 101
- Keylogger
- Articles/Blogpost/Writeups
- Papers
- You Can Type, but You Can’t Hide: A Stealthy GPU-based Keylogger
- Keyloggers are a prominent class of malware that harvests sensitive data by recording any typed in information. Key- logger implementations strive to hide their presence using rootkit-like techniques to evade detection by antivirus and other system protections. In this paper, we present a new approach for implementing a stealthy keylogger: we explore the possibility of leveraging the graphics card as an alterna- tive environment for hosting the operation of a keylogger. The key idea behind our approach is to monitor the system’s keyboard buffer directly from the GPU via DMA, without any hooks or modifications in the kernel’s code and data structures besides the page table. The evaluation of our pro- totype implementation shows that a GPU-based keylogger can effectively record all user keystrokes, store them in the memory space of the GPU, and even analyze the recorded data in-place, with negligible runtime overhead.
- You Can Type, but You Can’t Hide: A Stealthy GPU-based Keylogger
- Tools
- Puffadder
- Puffader is an opensource, hidden and undetectable keylogger for windows written in Python 2.7 which can also capture screenshots, mouse window clicks and clipboard data.
- Puffadder
- Local Account
- Win Brute Logon (Proof Of Concept)
- Crack any Microsoft Windows users password without any privilege (Guest account included)
- Win Brute Logon (Proof Of Concept)
- Local Phishing
- Articles/Blogposts/Writeups
- Tools
- Pickl3
- Pickl3 is Windows active user credential phishing tool. You can execute the Pickl3 and phish the target user credential.
- FakeLogonScreen
- FakeLogonScreen is a utility to fake the Windows logon screen in order to obtain the user's password. The password entered is validated against the Active Directory or local machine to make sure it is correct and is then displayed to the console or saved to disk.
- Pickl3
- Logon
- Capturing Windows 7 Credentials at Logon Using Custom Credential Provider
- The quick lowdown: I wrote a DLL capable of logging the credentials entered at logon for Windows Vista, 7 and future versions which you can download at http://www.leetsys.com/programs/credentialprovider/cp.zip. The credentials are logged to a file located at c:\cplog.txt. Simply copy the dll to the system32 directory and run the included register.reg script to create the necessary registry settings.
- LogonCredentialsSteal * Hook msv1_0!SpAcceptCredentials from LSASS.exe and dump [...] in cleartext to text file.
- Capturing Windows 7 Credentials at Logon Using Custom Credential Provider
- Local Files
- Articles/Blogposts/Writeups
- Tools
- windows_sshagent_extract
- PoC code to extract private keys from Windows 10's built in ssh-agent service
- windows_sshagent_extract
- Local Security Authority Subsystem Service(LSA & LSASS)
- 101
- Articles/Blogposts/Writeups
- Windows LSA secrets - passcape.com
- Dumping LSA Secrets - @spottheplanet(2019)
- Dumping Lsass.exe to Disk Without Mimikatz and Extracting Credentials - @spotheplanet
- Some ways to dump LSASS.exe - Mark Mo
- Extract credentials from lsass remotely - hackndo
- Bypassing SACL Auditing on LSASS - James Forshaw(2017)
- Hidden Gems in Windows: The Hunt is On - Nate Caroe(2019)
- Bypassing LSA Protection (aka Protected Process Light) without Mimikatz on Windows 10 - RedCursor.com.au(2020)
- Dumping LSASS without Mimikatz with MiniDumpWriteDump == Reduced Chances of Getting Flagged by AVs - @spotheplanet
- Protecting the LSASS.EXE process with RunAsPPL - adamcouch.co.uk
- Credential Dumping: Local Security Authority (LSA|LSASS.EXE) - Yashika Dhir(2020)
- Mimikatz Under The Hood - Magnus Stubman(2021)
- Tools
- Dumpert
- Recent malware research shows that there is an increase in malware that is using direct system calls to evade user-mode API hooks used by security products. This tool demonstrates the use of direct System Calls and API unhooking and combine these techniques in a proof of concept code which can be used to create a LSASS memory dump using Cobalt Strike, while not touching disk and evading AV/EDR monitored user-mode API calls.
- AndrewSpecial
- AndrewSpecial, dumping lsass' memory stealthily and bypassing "Cilence" since 2019.
- PhysMem2Profit
- Physmem2profit can be used to create a minidump of a target host's LSASS process by analysing physical memory remotely. The intention of this research is to propose an alternative approach to credential theft and create a modular framework that can be extended to support other drivers that can access physical memory. Physmem2profit generates a minidump (.dmp) of LSASS that can be further analyzed with Mimikatz. The tool does not require Cobalt Strike but should work fine over beacon with a SOCKS proxy.
- Blogpost
- Talk
- lsassy
- Python library to remotely extract credentials on a set of hosts
- Blogpost
- SharpMiniDump
- Create a minidump of the LSASS process from memory (Windows 10 - Windows Server 2016). The entire process uses: dynamic API calls, direct syscall and Native API unhooking to evade the AV / EDR detection.
- PPLKiller
- Tool to bypass LSA Protection (aka Protected Process Light) I’ve noticed there is a common misconception that LSA Protection prevents attacks that leverage SeDebug or Administrative privileges to extract credential material from memory, like Mimikatz. LSA Protection does NOT protect from these attacks, at best it makes them slightly more difficult as an extra step needs to be performed.
- Bypassing LSA Protection (aka Protected Process Light) without Mimikatz on Windows 10 - Acebond(2020)
- Spraykatz
- Spraykatz is a tool without any pretention able to retrieve credentials on Windows machines and large Active Directory environments. It simply tries to procdump machines and parse dumps remotely in order to avoid detections by antivirus softwares as much as possible.
- SharpKatz
- Porting of mimikatz sekurlsa::logonpasswords, sekurlsa::ekeys and lsadump::dcsync commands
- SharpSecDump
- .Net port of the remote SAM + LSA Secrets dumping functionality of impacket's secretsdump.py. By default runs in the context of the current user.
- Dumpert
- Mimikatz/Similar
- Official
- Using
- Unofficial Guide to Mimikatz
- Mimikatz Overview, Defenses and Detection
- Mimikatz Logs and Netcat
- Dumping a Domains worth of passwords using mimikatz
- Mass mimikatz - hacklikeapornstar
- Reading DPAPI Encrypted Secrets with Mimikatz and C++ -ired.team
- How to add a Module in Mimikatz?
- howto ~ scheduled tasks credentials - Benjamin Delpy(2017)
- There are somes ways to get scheduled tasks passwords
- howto ~ credential manager saved credentials - Benjamin Delpy(2017)
- mimikatz offline addendum - francesco picasso
- How-it-Works
- mimikatz: deep dive on lsadump::lsa /patch and /inject - Dimitrios Slamaris
- Walk-through Mimikatz sekurlsa module -
- So in this post, I propose you to follow the steps I used in an attempt to understand the sekurlsa::tspkg command and reproduce its operations with WinDbg on a LSASS dump from a Windows 7 SP1 64-bits machine. We will find the secrets in the dump, and then decrypt them.
- Exploring Mimikatz - Part 1 - WDigest - Adam Chester
- Uncovering Mimikatz ‘msv’ and collecting credentials through PyKD - Matteo Malvica(2020)
- Defense
- Other
- Attackers Can Now Use Mimikatz to Implant Skeleton Key on Domain Controllers & BackDoor Your Active Directory Forest
- Windows Credential Guard & Mimikatz - nviso
- Auto-Dumping Domain Credentials using SPNs, PowerShell Remoting, and Mimikatz - Scott Sutherland
- Mimikatz 2.0 - Brute-Forcing Service Account Passwords
- If everything about that ticket-generation operation is valid except for the NTLM hash, then accessing the web application will result in a failure. However, this will not cause a failed logon to appear in the Windows® event log. It will also not increment the count of failed logon attempts for the service account. Therefore, the result is an ability to perform brute-force (or, more realistically, dictionary-based) password checks for such a service account, without locking it out or generating suspicious event log entries.
- Golden Tickets
- Skeleton Key
- DCSync
- Mimikatz and DCSync and ExtraSids, Oh My - harmj0y
- Active Directory Attack - DCSync - c0d3xpl0it
- Play with katz, get scratched - Skelsec(2020)
- BetterSafetyKatz
- Fork of SafetyKatz that dynamically fetches the latest pre-compiled release of Mimikatz directly from gentilkiwi GitHub repo, runtime patches signatures and uses SharpSploit DInvoke to PE-Load into memory.
- pypykatz
- pypykatz
- Mimikatz implementation in pure Python
- pypykatz_server
- pypykatz_dn
- pypykatz
- MsvpPasswordValidate Hooking
- MsvpPasswordValidate hooking - Federico Lagasta
- Dumping local credentials by hooking MsvpPasswordValidate in NtlmShared.dll
- HppDLL
- Source code for HppDLL - local password dumping using MsvpPasswordValidate hooks.
- MyHashDump
- Project to inject into lsass and use a function hook on MsvpPasswordValidate to collect hashes.
- MsvpPasswordValidate hooking - Federico Lagasta
- NPLogonNotify()
- NPLogonNotify function (npapi.h) - docs.ms
- MPR calls this function to notify the credential manager that a logon event has occurred, allowing the credential manager to return a logon script. The NPLogonNotify function is implemented by a credential manager DLL (see Remarks).
- Getting Windows Passwords in ClearText - Aaladha(2020)
- NPPSpy
- Simple (but fully working) code for NPLogonNotify(). The function obtains logon data, including cleartext password.
- NPLogonNotify function (npapi.h) - docs.ms
- NTLM-related
- Info
- Cracking
- Articles/Blogposts/Writeups
- Live off the Land and Crack the NTLMSSP Protocol
- Last month Bleeping Computer published an article about PKTMON.EXE, a little known utility in Windows 10 that provides the ability to sniff and monitor network traffic. I quickly wondered if it would be feasible to use this utility, and other native tools within Windows, to capture NTLMv2 network authentication handshakes. TL;DR: Yes it is possible and I wrote a Python3 script called NTLMRawUnHide that can extract NTLMv2 password hashes from packet dumps of many formats!
- Live off the Land and Crack the NTLMSSP Protocol
- Tools
- NTLMRawUnhide.py
- NTLMRawUnhide.py is a Python3 script designed to parse network packet capture files and extract NTLMv2 hashes in a crackable format. The tool was developed to extract NTLMv2 hashes from files generated by native Windows binaries like NETSH.EXE and PKTMON.EXE without conversion.
- NTLMRawUnhide.py
- Articles/Blogposts/Writeups
- Leaking
- Password Filter DLL
- PasswordStealing -PSBits
- "Password stealing DLL I wrote around 1999, some time before Active Directory was announced. And of course it still works. First, it was written in 32-bit Delphi (pardon my language) and when it stopped working as everything changed into 64-bit - in (so much simpler when it comes to Win32 API) C, as I did not have 64-bit Delphi. The original implementation was a bit more complex, including broadcasting the changed password over the network etc. but now it works as a demonstration of an idea, so let's keep it as simple as possible. It works everywhere - on local machines for local accounts and on DCs for domain accounts."
- Credential Access – Password Filter DLL - NetbiosX
- PasswordStealing -PSBits
- Password Spraying
- Linux
- Raining shells on Linux environments with Hwacha
- Hwacha
- Hwacha is a tool to quickly execute payloads on
*Nix based systems. Easily collect artifacts or execute shellcode on an entire subnet of systems for which credentials are obtained.
- Hwacha is a tool to quickly execute payloads on
- Articles/Blogposts/Writeups
- Tools
- DomainPasswordSpray
- DomainPasswordSpray is a tool written in PowerShell to perform a password spray attack against users of a domain. By default it will automatically generate the userlist from the domain. DomainPasswordSpray is a tool written in PowerShell to perform a password spray attack against users of a domain. By default it will automatically generate the userlist from the domain.
- DomainPasswordSpray
- DomainPasswordSpray is a tool written in PowerShell to perform a password spray attack against users of a domain. It will automatically generate a userlist from the domain which excludes accounts that are expired, disabled locked out, or within 1 lockout attempt.
- NTLM - Open-source script from root9B for manipulating NTLM authentication
- This script tests a single hash or file of hashes against an ntlmv2 challenge/response e.g. from auxiliary/server/capture/smb The idea is that you can identify re-used passwords between accounts that you do have the hash for and accounts that you do not have the hash for, offline and without cracking the password hashes. This saves you from trying your hashes against other accounts live, which triggers lockouts and alerts.
- CredNinja
- A multithreaded tool designed to identify if credentials are valid, invalid, or local admin valid credentials within a network at-scale via SMB, plus now with a user hunter.
- passpr3y
- This is a fire-and-forget long-running password spraying tool. You hand it a list of usernames and passwords and walk away. It will perform a horizontal login attack while keeping in mind lockout times, erroneous responses, etc... Set it up on your attack box at the beginning of an assessment and check back for creds gradually over time. Output is intended to be easy to read through and grep. Focus is on simplicity.
- Spray
- A Password Spraying tool for Active Directory Credentials by Jacob Wilkin(Greenwolf)
- Sharphose
- SharpHose is a C# password spraying tool designed to be fast, safe, and usable over Cobalt Strike's execute-assembly. It provides a flexible way to interact with Active Directory using domain-joined and non-joined contexts, while also being able to target specific domains and domain controllers. SharpHose takes into consideration the domain password policy, including fine grained password policies, in an attempt to avoid account lockouts. Fine grained password policies are enumerated for the users and groups that that the policy applies to. If the policy applied also to groups, the group users are captured. All enabled domain users are then classified according to their password policies, in order of precedence, and marked as safe or unsafe. The remaining users are filtered against an optional user-supplied exclude list. Besides just spraying, red team operators can view all of the password policies for a domain, all the users affected by the policy, or just view the enabled domain users. Output can be sent directly to the console or to a user-supplied output folder.
- DomainPasswordSpray
- Linux
- Physical Memory
- Tools
- VirtToPhys
- VirtToPhys is a small POC to demonstrate how you can calculate the physical address for a kernel virtual address when exploiting driver bugs that allow you to map physical memory. VirtToPhys uses MsIo.sys, a WHQL signed driver that gives you colorful lights on your RAM (?lolwut), CVE-2019-18845. Hat tips and full credits to @UlfFrisk for his very insightful MemProcFS project and @hFireF0X for KDU.
- physmem2profit
- Blogpost
- Physmem2profit can be used to create a minidump of a target host's LSASS process by analysing physical memory remotely. The intention of this research is to propose an alternative approach to credential theft and create a modular framework that can be extended to support other drivers that can access physical memory. Physmem2profit generates a minidump (.dmp) of LSASS that can be further analyzed with Mimikatz. The tool does not require Cobalt Strike but should work fine over beacon with a SOCKS proxy.
- VirtToPhys
- Tools
- RDP
- Articles/Blogposts/Writeups
- Vol de session RDP - Gentil Kiwi
- Passwordless RDP Session Hijacking Feature All Windows versions - Alexander Korznikov
- Dumping RDP Credentials - NetbiosX
- Dumping Plaintext RDP credentials from svchost.exe - n00py(2021)
- RdpThief – Extracting Clear Text Passwords from mstsc.exe using API Hooking - Stella Sebastian(2021)
- Tools
- SharpRDPDump
- Create a minidump of TermService for clear text pw extraction
- SharpRDPDump
- Articles/Blogposts/Writeups
- SeTrustedCredManaAccess
- Articles/Blogposts/Writeups
- Tools
- forkatz
- Credential dump using foreshaw technique using SeTrustedCredmanAccessPrivilege
- forkatz
- Service Accounts
- Tools
- serviceFu
- Automates credential skimming from service accounts in Windows Registry
- serviceFu
- Tools
- Tokens
- Articles/Blogposts/Writeups
- Tools
- tokenduplicator
- Tool to start processes as SYSTEM using token duplication
- Koh
- Koh is a C# and and Beacon Object File (BOF) toolset that allows for the capture of user credential material via purposeful token/logon session leakage.
- tokenduplicator
- Volume Shadow Copy Service
- WDigest
- Web Browsers
- SharpCookieMonster
- Extracts cookies from Chrome.
- Blogpost
- SharpCookieMonster
- Wifi(saved)
- Tools
- credgrap_ie_edge
- Extract stored credentials from Internet Explorer and Edge
- quarkspwdump
- Dump various types of Windows credentials without injecting in any process.
- SessionGopher
- SessionGopher is a PowerShell tool that uses ff to extract saved session information for remote access tools such as WinSCP, PuTTY, SuperPuTTY, FileZilla, and Microsoft Remote Desktop. It can be run remotely or locally.
- CredCrack
- CredCrack is a fast and stealthy credential harvester. It exfiltrates credentials recusively in memory and in the clear. Upon completion, CredCrack will parse and output the credentials while identifying any domain administrators obtained. CredCrack also comes with the ability to list and enumerate share access and yes, it is threaded! CredCrack has been tested and runs with the tools found natively in Kali Linux. CredCrack solely relies on having PowerSploit's "Invoke-Mimikatz.ps1" under the /var/www directory.
- pysecdump
- pysecdump is a python tool to extract various credentials and secrets from running Windows systems. It currently extracts:
- LM and NT hashes (SYSKEY protected); Cached domain passwords; LSA secrets; Secrets from Credential Manager (only some)
- Remote-Desktop-Caching-
- This tool allows one to recover old RDP (mstsc) session information in the form of broken PNG files. These PNG files allows Red Team member to extract juicy information such as LAPS passwords or any sensitive information on the screen. Blue Team member can reconstruct PNG files to see what an attacker did on a compromised host. It is extremely useful for a forensics team to extract timestamps after an attack on a host to collect evidences and perform further analysis.
- credgrap_ie_edge
- Want to learn this stuff? What should you know/study?
- Discovery
- 101
- Talks/Presentations/Videos
- Post Exploitation: Striking Gold with Covert Recon - Derek Rook(WWHF19)
- You're on a covert penetration test focusing on the client's monitoring and alerting capabilities. You've just established a foothold, maybe even elevated to admin, but now what? You want to know more about the internal network but careless packet slinging will get you caught. Join me on a mining expedition where you can't swing your pick axe without striking gold. We'll be mining logs, pilfering connection statistics, and claim jumping process network connections. Without leaving the comfort of your beachhead, you'll be shouting "Eureka!" in no time.
- Post Exploitation: Striking Gold with Covert Recon - Derek Rook(WWHF19)
- AD
- AppLocker
- Articles/Blogposts/Writeups
- Tools
- Browser Cookies
- cookie_crimes
- Read local Chrome cookies without root or decrypting
- cookie_crimes
- COM
- Endpoint Protections
- Articles/Blogposts/Writeups
- Tools
- EDRHunt
- EDRHunt scans Windows services, drivers, processes, registry, wmi for installed EDRs (Endpoint Detection And Response).
- EDRHunt
- Event Log
- Files
- Articles/Blogposts/Writeups
- Build a Query to Search the Windows Index from PowerShell - Dr Scripto(2012)
- Guest blogger, James O’Neill, discusses using Windows PowerShell to build a query to search the Windows Index.
- Hey, Scripting Guy! Weekend Scripter: Using the Windows Search Index to Find Specific Files - Dr Scripto(2010)
- Reading Windows Sticky Notes - two06(2020)
- Red Team Enumeration: A corner rarely explored - Mohammed Danish(2020)
- StickyReader
- Read Sticky Notes from Windows 10
- Unmanaged file searching with Filesearcher.exe - Jean-François Maes(2020)
- Build a Query to Search the Windows Index from PowerShell - Dr Scripto(2012)
- Tools
- Snaffler
- Snaffler is a tool for pentesters to help find delicious candy needles (creds mostly, but it's flexible) in a bunch of horrible boring haystacks (a massive Windows/AD environment).
- diskover
- File system crawler, disk space usage, file search engine and file system analytics powered by Elasticsearch
- FileSearcher
- Unmanaged assembly file searcher for when a fully interactive beacon session is not opsec safe enough.
- Snaffler
- Articles/Blogposts/Writeups
- Logs
- Articles/Blogposts/Writeups
- Mail
- Articles/Blogposts/Writeups
- Tools
- NetworkCapture
- Articles/Blogposts/Writeups
- Tools
- RPC
- Sitrep
- Articles/Blogposts/Writeups
- Windows Driver and Service enumeration with Python - slacker007(2015)
- Finding Hidden Treasure on Owned Boxes: Post-Exploitation Enumeration with wmiServSessEnum - RedXORBlue(2019)
- TLDR: We can use WMI queries to enumerate accounts configured to run any service on a box (even non-started / disabled), as well as perform live session enumeration. Info on running the tool is in the bottom section.
- Detecting Hypervisor Presence On Windows 10 - Daax Rynd
- Windows information gathering using Powershell: a brief cheatsheet - Andrea Fortuna(2019)
- Get Process List with Command Line Arguments - mubix(2020)
- What was my IP? Ask DoSvc on Windows 10 - Forense nella Nebbia(2018)
- Windows Event IDs and Others for Situational Awareness - @spotheplanet
- Tools
- Articles/Blogposts/Writeups
- User Awareness
- [Enumerating Users without net, Services without sc and Scheduled Tasks without schtasks - @spotheplanet]
- T1010: Application Window Discovery - @spotheplanet
- T1087: Account Discovery & Enumeration - @spotheplanet
- Oh, Behave! Figuring Out User Behavior - Oddvar Moe(2021) * Tool
- General Tools
- PyStat
- Advanced Netstat For Windows
- pspy
- pspy is a command line tool designed to snoop on processes without need for root permissions. It allows you to see commands run by other users, cron jobs, etc. as they execute. Great for enumeration of Linux systems in CTFs. Also great to demonstrate your colleagues why passing secrets as arguments on the command line is a bad idea. The tool gathers it's info from procfs scans. Inotify watchers placed on selected parts of the file system trigger these scans to catch short-lived processes.
- forgetmenot
- local looting script in python
- SharpPrinter
- SharpPrinter is a modified and console version of ListNetworks. As an example, one could execute SharpPrinter.exe through Cobalt Strike's Beacon "execute-assembly" module.
- wmiServSessEnum
- multithreaded .net tool that uses WMI queries to enumerate active user sessions and accounts configured to run services (even those that are stopped and disabled) on remote systems
- MemScan
- Quick Proof of Concept for reading a processes memory and searching for a specific string.
- RidRelay
- Enumerate usernames on a domain where you have no creds by using SMB Relay with low priv.
- Eavesarp
- A reconnaissance tool that analyzes ARP requests to identify hosts that are likely communicating with one another, which is useful in those dreaded situations where LLMNR/NBNS aren't in use for name resolution.
- Blogpost
- hunter
- (l)user hunter using WinAPI calls only
- NetRipper
- NetRipper is a post exploitation tool targeting Windows systems which uses API hooking in order to intercept network traffic and encryption related functions from a low privileged user, being able to capture both plain-text traffic and encrypted traffic before encryption/after decryption.
- NCC Group Scrying
- A tool for collecting RDP, web and VNC screenshots all in one place
- SharpLeftOvers
- PyStat
- Lateral Movement
- Articles/Blogposts/Writeups
- Using Credentials to Own Windows Boxes - Part 1 (from Kali) - ropnop
- Authenticated Remote Code Execution Methods in Windows
- Lateral Movement and Persistence: tactics vs techniques - hexacorn(2018)
- Offensive Lateral Movement - Hausec
- Lateral Movement - Riccardo Carrani(2019)
- Description of User Account Control and remote restrictions in Windows Vista - support.ms
- LAteral Movement Encryption technique (a.k.a. The "LAME" technique) - dotelite.gr(2018)
- Talks/Presentations/Videos
- The Industrial Revolution of Lateral Movement - Tal Be'ery, Tal Maor(BH USA17)
- Look what you could be up against soon - FX, Hadez(Offensivecon2020)
- Lateral movement is essential for offensive operations during CNO. Exploiting the inherent trust relationships is what makes spreading within the chewy inside of a network so easy once the crunchy outside is broken. But what if the chewy inside is bitchy and challenges you everywhere you want to go? That's what P3KI is all about: To make the chewy inside more bitchy. Hear about how we intend to make your life harder and why the often dismissed "social engineering" aspect might become essential in cases where you face a network employing P3KI's technology deployed.
- AppInit.dlls
- BGInfo
- DCOM
- Lateral movement using excel application and dcom(2017)
- Lateral Movement Using Outlook’s CreateObject Method and DotNetToJScript - Matt Nelson(2017)
- New lateral movement techniques abuse DCOM technology - Philip Tsukerman(2018)
- Lateral Movement Using internetexplorer.Application Object (COM) - homjxi0e(2018)
- Lateral Movement with PowerPoint and DCOM - Attactics(2018)
- T1175: Lateral Movement via DCOM - @spotheplanet
- I Like to Move It: Windows Lateral Movement Part 2 – DCOM - Dominic Chell(2020)
- Desired State Configuration
- DLL Hijacking
- Excel
- Excel4.0 Macros - Now With Twice The Bits! - Philip Tsukerman
- Excel4-DCOM
- PowerShell and Cobalt Strike scripts for lateral movement using Excel 4.0 / XLM macros via DCOM (direct shellcode injection in Excel.exe)
- Invoke-ExShellcode.ps1 - Philts
- Lateral movement and shellcode injection via Excel 4.0 macros
- NTLM Relay
- Pass-The-Hash
- 101
- Articles/Blogposts/Writeups
- Puff Puff PSExec - Jonathan Renard
- PsExec and the Nasty Things It Can Do
- An overview of what PsExec is and what its capabilities are from an administrative standpoint.
- Pass-the-Hash is Dead: Long Live Pass-the-Hash - harmj0y
- Pass-the-Hash Is Dead: Long Live LocalAccountTokenFilterPolicy - harmj0y
- Still Passing the Hash 15 Years Later: Using Keys to the Kingdom to Access Data - BH 2012
- Still Passing the Hash 15 Years Later
- The Evolution of Protected Processes Part 1: Pass-the-Hash Mitigations in Windows 8.1
- Pass-the-Hash in Windows 10 - Lukasz Cyra(2019)
- Attackers have used the Pass-the-Hash (PtH) attack for over two decades. Its effectiveness has led to several changes to the design of Windows. Those changes influenced the feasibility of the attack and the effectiveness of the tools used to execute it. At the same time, novel PtH attack strategies appeared. All this has led to confusion about what is still feasible and what configurations of Windows are vulnerable. This paper examines various methods of hash extraction and execution of the PtH attack. It identifies the prerequisites for the attack and suggests hardening options. Testing in Windows 10 v1903 supports the findings. Ultimately, this paper shows the level of risk posed by PtH to environments using the latest version of Windows 10.
- Et tu Kerberos - Christopher Campbell
- For over a decade we have been told that Kerberos is the answer to Microsoft’s authentication woes and now we know that isn’t the case. The problems with LM and NTLM are widely known- but the problems with Kerberos have only recently surfaced. In this talk we will look back at previous failures in order to look forward. We will take a look at what recent problems in Kerberos mean to your enterprise and ways you could possibly mitigate them. Attacks such as Spoofed-PAC- Pass-the-Hash- Golden Ticket- Pass-the-Ticket and Over-Pass-the-Ticket will be explained. Unfortunately- we don’t really know what is next – only that what we have now is broken.
- Battle Of SKM And IUM How Windows 10 Rewrites OS Architecture - Alex Ionescu - BHUSA2015
- Psexec: The Ultimate Guide - Adam Bertram
- Pass the Hash with Kerberos - mubix
- This blog post may be of limited use, most of the time, when you have an NTLM hash, you also have the tools to use it. But, if you find yourself in a situation where you don’t have the tools and do happen to have kerberos tools, you can pass the hash with it.
- Pass-The-Hash with RDP in 2019 - Acebond
- Named Pipe Pass-the-Hash - s3cur3th1ssh1t(2021)
- Tools
- smbexec
- A rapid psexec style attack with samba tools
- Blogpost that inspired it
- pth-toolkit I.e Portable pass the hash toolkit
- A modified version of the passing-the-hash tool collection https://code.google.com/p/passing-the-hash/ designed to be portable and work straight out of the box even on the most 'bare bones' systems
- SharpNoPSExec
- Get file less command execution for lateral movement.
- smbexec
- PS-Remoting
- 101
- Articles/Blogposts/Writeups
- Protocol Handler
- Articles/Blogposts/Writeups
- Tools
- PoisonHandler
- This technique is registering a protocol handler remotely and invoke it to execute arbitrary code on the remote host. The idea is to simply invoke start handler:// to execute commands and evade detection.
- PoisonHandler
- Port-Forwarding & Proxies
- Port Forwarding in Windows - WindowsOSHub
- WinPortPush
- win PortPush is a small PowerShell utility used for pivoting into internal networks upon compromising a Windows public-facing host.
- RDP
- Remote Desktop Services Shadowing – Beyond the Shadowed Session - Roman Maximov(2020)
- [RDP hijacking — how to hijack RDS and RemoteApp sessions transparently to move through an organisation - Kevin Beaumont])(https://doublepulsar.com/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6)
- RDPInception - MDsec
- The RDP Through SSH Encyclopedia - Carrie Roberts
- I have needed to remind myself how to set up RDP access through an SSH connection so many times that I’ve decided to document it here for future reference. I hope it proves useful to you as well. I do “adversary simulation” for work and so I present this information using terms like “attacker” and “target” but this info is also useful for performing system administration tasks.
- Remote Desktop tunneling tips & tricks - Maurizio Agazzini
- Jumping Network Segregation with RDP - Rastamouse
- Revisiting Remote Desktop Lateral Movement - 0xthirteen(2020)
- Remote Desktop Protocol .NET Console Application for Authenticated Command Execution
- Registry-related
- Articles/Blogposts/Writeups
- Tools
- WMIReg
- This PoC was started from a code snippet of @harmj0y's that I thought was pretty cool. Using the StdRegProv management class through WMI, you are able to read and write to local and remote registry keys. This doesn't seem very special, but the biggest advantage is that remote registry interaction is done through WMI, therefore it does not require the Remote Registry service to be enabled/started on the remote host!
- WMIReg
- SCM
- Articles/Blogposts/Writeups
- Tools
- Services
- Articles/Blogposts/Writeups
- Tools
- MoveScheduler
- "MoveScheduler is another weekend binge that focuses on lateral movement via several different methods of scheduling tasks"
- SharpMove
- SCShell
- SCShell is a fileless lateral movement tool that relies on ChangeServiceConfigA to run commands. The beauty of this tool is that it does not perform authentication against SMB. Everything is performed over DCERPC.
- MoveScheduler
- ShadowMove
- ShadowMove: A Stealthy Lateral Movement Strategy - Amirreza Niakanlahiji, Jinpeng Wei, Md Rabbi Alam, Qingyang Wang, Bei-Tseng Chu(2020)
- Advanced Persistence Threat (APT) attacks use various strategies and techniques to move laterally within an enter- prise environment; however, the existing strategies and tech- niques have limitations such as requiring elevated permissions, creating new connections, performing new authentications, or requiring process injections. Based on these characteristics, many host and network-based solutions have been proposed to prevent or detect such lateral movement attempts. In this paper, we present a novel stealthy lateral movement strategy, ShadowMove, in which only established connections between systems in an enterprise network are misused for lateral move- ments. It has a set of unique features such as requiring no elevated privilege, no new connection, no extra authentication, and no process injection, which makes it stealthy against state- of-the-art detection mechanisms. ShadowMove is enabled by a novel socket duplication approach that allows a malicious process to silently abuse TCP connections established by be- nign processes. We design and implement ShadowMove for current Windows and Linux operating systems. To validate the feasibility of ShadowMove, we build several prototypes that successfully hijack three kinds of enterprise protocols, FTP, Microsoft SQL, and Window Remote Management, to perform lateral movement actions such as copying malware to the next target machine and launching malware on the target machine. We also confirm that our prototypes cannot be de- tected by existing host and network-based solutions, such as five top-notch anti-virus products (McAfee, Norton, Webroot, Bitdefender, and Windows Defender), four IDSes (Snort, OS- SEC, Osquery, and Wazuh), and two Endpoint Detection and Response systems (CrowdStrike Falcon Prevent and Cisco AMP).
- Hijacking connections without injections: a ShadowMoving approach to the art of pivoting - Adepts of 0xCC
- Faxing Your Way to SYSTEM — Part Two - Yarden Shafir & Alex Ionescu(2020)
- ShadowMove: Lateral Movement by Duplicating Existing Sockets - @spotheplanet
- Windows ShadowMove Socket Duplication
- The tool (/POC) is a simple programming exercise in order to replicate the socket duplication technique explained in ShadowMove: A Stealthy Lateral Movement Strategy.
- ShadowMove: A Stealthy Lateral Movement Strategy - Amirreza Niakanlahiji, Jinpeng Wei, Md Rabbi Alam, Qingyang Wang, Bei-Tseng Chu(2020)
- SMB
- Articles/Blogposts/Writeups
- Tools
- CrackMapExec
- A swiss army knife for pentesting networks
- CrackMapExec
- SSH
- WinRM
- 101
- Articles/Blogposts/Writeups
- Windows Remote Management - dmcxblue
- WS-Management COM: Another Approach for WinRM Lateral Movement - bohops(2020)
- WinRM Penetration Testing - Yashika Dhir(2020)
- Lateral Movement Using WinRM and WMI - Tony Lambert(2017)
- Lateral Movement – WinRM - pentestlab.blog(2018)
- T1028: WinRM for Lateral Movement - @spottheplanet
- Tools
- Evil-WinRM
- The ultimate WinRM shell for hacking/pentesting
- WS-Management COM: Another Approach for WinRM Lateral Movement - BOHOPS(2020)
- WSMan-WinRM
- A collection of proof-of-concept source code and scripts for executing remote commands over WinRM using the WSMan.Automation COM object
- rudder
- rudder is a Python package to run commands remotely on Windows, macOS or nix systems using PowerShell Remoting/WinRM or SSH.
- Evil-WinRM
- WMI
- 101
- Articles/Blogposts/Writeups
- T1047: WMI for Lateral Movement - @spottheplanet
- Lateral Movement: WMI - Pavandeep Singh(2020)
- No Win32_Process Needed – Expanding the WMI Lateral Movement Arsenal - Philip Tsukerman
- Lateral Movement in an Environment with Attack Surface Reduction - Michael Bielenberg(2019)
- I Like to Move It: Windows Lateral Movement Part 1 – WMI Event Subscription - Dominic Chell(2020)
- Papers
- Tools
- WMI Shell Tool
- The WMI shell tool that we have developed allows us to execute commands and get their output using only the WMI infrastructure, without any help from other services, like the SMB server. With the wmi-shell tool we can execute commands, upload files and recover Windows passwords remotely using only the WMI service available on port 135.
- WMIcmd
- A command shell wrapper using only WMI for Microsoft Windows
- WMIHACKER
- A Bypass Anti-virus Software Lateral Movement Command Execution Tool
- WMI Shell Tool
- WSH
- (Ab)Using 'Legitimate' Applications Already Installed
- How I Hacked Into Your Corporate Network Using Your Own Antivirus Agent - Angelo Ruwantha
- Code exec through admin access to eset admin console
- Abusing Common Cluster Configuration for Lateral Movement
- Tech sites have published articles that walk a Windows Systems Administrator through the process of adding a machine account to the Local Administrators group on another machine. These accounts end in a in Active Directory. While this may be useful for simplifying the installation of clusters such as Lync, Exchange, or SQL Server, it’s not always the best idea. Servers that are set up in this way weaken the overall security posture of the cluster, and ultimately the organization, by allowing a single vulnerability or misconfiguration on one server the ability to move laterally without having to escalate privileges or compromise additional credentials. Using SQL Server as the example, any user who has READ permissions to a database essentially has SYSTEM-level permissions on a remote server. We’ll walk through that path below.
- Abusing Firefox in Enterprise Environments - MDSec
- How I Hacked Into Your Corporate Network Using Your Own Antivirus Agent - Angelo Ruwantha
- Tools
- PoisonHandler
- This technique is registering a protocol handler remotely and invoke it to execute arbitrary code on the remote host. The idea is to simply invoke start handler:// to execute commands and evade detection.
- PoisonHandler
- Articles/Blogposts/Writeups
- Collection
- 101
- Articles/Blogposts/Writeups
- Digging Up the Past: Windows Registry Forensics Revisited - David Via
- Pillage Exchange - Digby
- Pillaging .pst Files - Digby
- File Server Triage on Red Team Engagements - harmj0y
- No one expect command execution!
- Decrypting IIS Passwords to Break Out of the DMZ
- Recovering Plaintext Domain Credentials from WPA2 Enterprise on a Compromised Host - zc00l(2018)
- Generic
- Pillager
- Pillager is designed to provide a simple means of leveraging Go's strong concurrency model to recursively search directories for sensitive information in files. Pillager does this by standing on the shoulders of a few giants. Once pillager finds files that match the specified pattern, the file is scanned using a series of concurrent workers that each take a line of the file from the job queue and hunt for sensitive pattern matches. The available pattern filters can be defined in a rules.toml file or you can use the default ruleset.
- RawCopy
- Commandline low level file extractor for NTFS
- Pillager
- Browser
- Adamantium-Thief
- Get chromium based browsers: passwords, credit cards, history, cookies, bookmarks, autofill.
- BrowserStealer
- EvilSelenium
- EvilSelenium is a tool that weaponizes Selenium to attack Chromium based browsers.
- Adamantium-Thief
- CC
- SearchForCC
- A collection of open source/common tools/scripts to perform a system memory dump and/or process memory dump on Windows-based PoS systems and search for unencrypted credit card track data.
- SearchForCC
- Certificates
- CertStealer
- A .NET tool for exporting and importing certificates without touching disk.
- CertStealer
- Code Storage
- dvcs-ripper
- Rip web accessible (distributed) version control systems: SVN, GIT, Mercurial/hg, bzr, ... It can rip repositories even when directory browsing is turned off.
- cred_scanner
- A simple command line tool for finding AWS credentials in files. Optimized for use with Jenkins and other CI systems.
- dvcs-ripper
- KeePass
- MS Office
- Invoke-WordThief
- This script runs multithreading module that connects to a remote TCP server, monitors active (opened) Microsoft Word documents (.doc,.docx,etc') and extracting their text using Word application's COM Object. The script adds HKCU registry (no admin needed) Run key, so this script runs persistently.
- Invoke-WordThief
- Outlook
- PCAP/Live Interface
- Packet sniffing with powershell
- net-creds
- Thoroughly sniff passwords and hashes from an interface or pcap file. Concatenates fragmented packets and does not rely on ports for service identification.
- PCredz
- This tool extracts Credit card numbers, NTLM(DCE-RPC, HTTP, SQL, LDAP, etc), Kerberos (AS-REQ Pre-Auth etype 23), HTTP Basic, SNMP, POP, SMTP, FTP, IMAP, etc from a pcap file or from a live interface.
- Skype
- skype log viewer
- Download and View Skype History Without Skype This program allows you to view all of your skype chat logs and then easily export them as text files. It correctly organizes them by conversation, and makes sure that group conversations do not get jumbled with one on one chats.
- skype log viewer
- Teams
- Your Microsoft Teams chats aren’t as private as you think.. - Harley(2021)
- PoSH_Teams_Message_Theif
- Quick and dirty PoSH code to read teams messages
- User Behavior
- Veracrypt
- VeraCryptThief
- VeraCryptThief by itself is a standalone DLL that when injected in the VeraCrypt.exe process, will perform API hooking via Detours, extract the clear-text credentials and save them to a file.
- VeraCryptThief
- VirtualBox
- VMware
- VMInjector
- VMInjector is a tool designed to bypass OS login authentication screens of major operating systems running on VMware Workstation/Player, by using direct memory manipulation.
- VMInjector
- Exfiltration
- Articles/Blogposts/Writeups
Windows Technologies
- Alternate Data Streams
- 101 *
- AppLocker
- 101
- AppLocker - docs.ms
- This topic provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies. AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.
- What Is AppLocker? - docs.ms
- AppLocker design guide - docs.ms
- AppLocker deployment guide - docs.ms
- AppLocker technical reference - docs.ms
- How AppLocker works - docs.ms
- Security considerations for AppLocker - docs.ms
- AppLocker - docs.ms
- Articles/Blogposts/Writeups
- Getting Started With AppLocker - John Strand(2019)
- Script Rules in AppLocker - technet
- DLL Rules in AppLocker
- Application Whitelisting Using Microsoft AppLocker
- Harden Windows with AppLocker – based on Case study Part 1 - oddvar.moe
- Harden Windows with AppLocker – based on Case study part 2 - oddvar.moe
- AppLocker Case study: How insecure is it really? Part 1 oddvar.moe
- AppLocker Case study: How insecure is it really? Part 2](https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/)
- Talks/Presentations/Videos
- 101
- Application Shims
- 101
- Talks/Presentations/Videos
- Abusing Native Shims for Post Exploitation - Sean Pierce(2015)
- Shims offer a powerful rootkit-like framework that is natively implemented in most all modern Windows Operating Systems. This talk will focus on the wide array of post-exploitation options that a novice attacker could utilize to subvert the integrity of virtually any Windows application. I will demonstrate how Shim Database Files (sdb files / shims) are simple to create, easy to install, flexible, and stealthy. I will also show that there are other far more advanced applications such as in-memory patching, malware obfuscation, evasion, and system integrity subversion. For defenders, I am releasing 6 open source tools to prevent, detect, and block malicious shims.
- Abusing Native Shims for Post Exploitation - Sean Pierce(2015)
- AutoDiscover
- BitLocker
- 101
- ClickOnce Applications
- ClickOnce - Wikipedia
- ClickOnce security and deployment - docs.ms
- ClickOnce Deployment for Windows Forms - docs.ms
- ClickOnce Applications in Enterprise Environments - Remko Weijnen
- ClickOnce is a Microsoft technology that enables an end user to install an application from the web without administrative permissions.
- Eight Evil Things Microsoft Never Showed You in the ClickOnce Demos (and What You Can Do About Some of Them) - Chris Williams
- Credential Guard/Device Guard/Application Guard
- 101
- Protect derived domain credentials with Windows Defender Credential Guard - docs.ms(2017)
- How Windows Defender Credential Guard works - docs.ms(2017)
- Device Guard signing - docs.ms(2017)
- Windows Defender System Guard: How a hardware-based root of trust helps protect Windows 10 - docs.ms(2019)
- Microsoft Defender Application Guard overview - docs.ms(2021
- Microsoft Edge support for Microsoft Defender Application Guard - docs.ms(2021)
- Windows 10 Device Guard and Credential Guard Demystified - Priyanka Pillai(2021)
- Application Guard testing scenarios - docs.ms(2020)
- Windows Defender Application Control and virtualization-based protection of code integrity - docs.ms(2021)
- Frequently asked questions - Microsoft Defender Application Guard - docs.ms(2021)
- Articles/Blogposts/Writeups
- Talks/Presentations/Videos
- Sneaking Past Device Guard - Philip Tsukerman(HITB2019 Amsterdam)
- This talk will exhibit rarely discussed and novel techniques to bypass Device Guard, some requiring admin access, some requiring Microsoft Office (but no user interaction), and one available under low privileges and using nothing but native OS executables. All techniques presented will eventually allow an attacker to run arbitrary code without disabling Device Guard. As of now, Microsoft decided not to service most of these techniques with an update (except for one which will be serviced as CVE-2018-8417).
- Sneaking Past Device Guard - Philip Tsukerman(HITB2019 Amsterdam)
- Tools
- 101
- Containers
- 101
- (Distributed) Component-Object-Model(COM)
- 101
- Component Object Model - Wikipedia
- Distributed Component Object Model - Wikipedia
- [DCOM Technical Overview - docs.ms(2014]((https://docs.microsoft.com/en-us/previous-versions//cc722925(v=technet.10)?redirectedfrom=MSDN)
- The Component Object Model - docs.ms
- COM is a platform-independent, distributed, object-oriented system for creating binary software components that can interact. COM is the foundation technology for Microsoft's OLE (compound documents) and ActiveX (Internet-enabled components) technologies.
[[MS-DCOM]: Distributed Component Object Model (DCOM) Remote Protocol - docs.ms](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dcom/4a893f3d-bd29-48cd-9f43-d9777a4415b0)- Specifies the Distributed Component Object Model (DCOM) Remote Protocol, which exposes application objects via remote procedure calls (RPCs) and consists of a set of extensions layered on the Microsoft Remote Procedure Call Extensions.
[[MS-RPCE]: Remote Procedure Call Protocol Extensions - msdn.ms](https://msdn.microsoft.com/en-us/library/cc243560.aspx)- Guide(to COM) - docs.ms
- This guide introduces the Microsoft Component Object Model (COM).
- COM Fundamentals - docs.ms
- COM Objects and Interfaces - docs.ms
- COM is a technology that allows objects to interact across process and computer boundaries as easily as within a single process. COM enables this by specifying that the only way to manipulate the data associated with an object is through an interface on the object. When this term is used in this documentation, it refers to an implementation in code of a COM binary-compliant interface that is associated with an object.
- COM Reference - docs.ms
- COM Glossary
- The COM Elevation Moniker - docs.ms
- "The COM elevation moniker allows applications that are running under user account control (UAC) to activate COM classes with elevated privileges. For more information, see Focus on Least Privilege."
- Articles/Blogposts/Writeups
- Component Object Model Technical Overview - The ActiveX Core Technology Reference(1999)
- Mike Panitz's Introduction to COM
- The Component Object Model: Technical Overview(1994)
- This paper is adapted from an article appearing in Dr. Dobbs Journal, December 1994.
- Exploiting .NET Managed DCOM - James Forshaw(2017)
- One of the more interesting classes of security vulnerabilities are those affecting interoperability technology. This is because these vulnerabilities typically affect any application using the technology, regardless of what the application actually does. Also in many cases they’re difficult for a developer to mitigate outside of not using that technology, something which isn’t always possible. I discovered one such vulnerability class in the Component Object Model (COM) interoperability layers of .NET which make the use of .NET for Distributed COM (DCOM) across privilege boundaries inherently insecure. This blog post will describe a couple of ways this could be abused, first to gain elevated privileges and then as a remote code execution vulnerability.
- Finding and Identifying JScript/VBScript Callable COM Objects - Christopher Paschen(2019
- Abusing Catalog Hygiene to Bypass Application Whitelisting - BOHOPS(2019)
- COM and the PowerThIEf - Rob Malsen
- The OXID Resolver [Part 1] – Remote enumeration of network interfaces without any authentication - Airbus(2020)
- Discovering and exploiting McAfee COM-objects (CVE-2021-23874) - Denis Skvortcov(2021)
- Persisting our implant like the CIA - Vincent Van Mieghem
- Automating Microsoft Office to Achieve Red Teaming Objectives - wunderwuzzi(2021)
- COM Objects P.1: The Hidden Backdoor in Your System - Amr Thabet(2021)
- COM Hijacking Creative Cloud - Huskyhacks(2021)
- Playing around COM objects - PART 1 - Mohamed Fakroud(2022)
- Talks/Presentations/videos
- Exploiting DCOM - Yoshiaki Komoriya, Hidenobu Seki(2002)
- COM in Sixty Seconds! (well minutes more likely) - James Forshaw(Infiltrate2017)
- COM Under The Radar Circumventing Application Control Solutions - Jimmy Bayne(BSides Charm2019)
- Application Control is the practice of restricting unauthorized code execution. Application Whitelisting (AWL) is the most popular approach, which permits code execution from trusted applications based on managed policies and rules. This talk will highlight several ways to bypass AWL policies using the Component Object Model (COM) and provide recommendations to defend against such techniques.
- COM-PROMISE Attacking Windows development environments - Stan Hegt - (Nullcon Goa2020)
- Slides
- In this talk we will demonstrate how compiling, reverse engineering or even just viewing source code can lead to compromise of a developer’s workstation. With the emergence of code sharing platforms such as GitHub, it has become common practice to download and view potentially untrusted code. However, due to the way in which integrated development environments for Windows interact with code and the Component Object Model (COM), such behavior can be exploited by attackers to achieve remote code execution. Our research presents full and practical exploit chains for Visual Studio that demonstrate that opening (not running!) code is dangerous. Expect a journey into COM, type libraries and the inner workings of Visual Studio.
- Exploiting Windows COM/WinRT ServicesExploiting Windows COM/WinRT Services - Xuefeng Li, Zhiniang Peng(2021)
- The Component Object Model (COM) and Windows Runtime (WinRT) are widely used in windows systems, they are often used for cross-process communication and UWP Application. Both of them provide large attack surfaces for hackers to hunt for LPE, RCE and Sandbox Escape vulnerabilities. In the past year, we have found more than 100 bugs in COM/WinRT service. We classify these vulnerabilities according to their different types (UAF, OOB READ/WRITE, Type Confusion, Arbitrary READ/WRITE). We'll share how we found these bugs and our exploit tricks for some of these bugs.
- Papers
- The Dangers of Per-User COM Objects - Jon Larimer(2011)
- Automating the enumeration of possibleDCOM vulnerabilities - Axel Boesenach(2018)
- This paper describes the research into DCOM applications that might be used forlateral movement on Microsoft Windows domains. ’Living off the land’ techniquesare used more and more by attackers, but also pentesters and red teams. The re-search builds on the previous methods and their correlations to develop an auto-mated manner to enumerate these DCOM applications that might provide lateralmovement.
- COM Hijacking
- Articles/Blogposts/Writeups
- Hunting COM Objects - Charles Hamilton(2019)
- Abusing the COM Registry Structure: CLSID, LocalServer32, & InprocServer32 - BOHOPS(2018)
- COM Hijacking – Windows Overlooked Security Vulnerability - Yaniv Assor
- Abusing COM objects - 0xpat
- Hunting COM Objects - Charles Hamilton(2019)
- Hunting COM Objects (Part Two) - Brett Hawkins(2019)
- Talks/Presentations/Videos
- COM Hijacking Techniques - David Tulis(Derbycon2019
- Slides
- The COM interface lies at the core of Windows, and subtle registry changes can interfere with this the OS in unexpected ways. COM hijacking allows an attacker to load a library into a calling COM-enabled process. It?s a feature, not a bug. While it is commonly used for persistence, some famous COM hijacks have led to more severe exploits. COM hijacking is already used by several families of malware, and it?s time that pentesters caught up on how to abuse this feature. This presentation will cover COM hijacking from start to finish; showing how discover hijackable COM objects, how to use them offensively, and how to make the calling process remain stable. The blue team will not be forgotten; the talk will cover detection strategies for identifying and defending against COM hijacks.
- Dancing with COM - Deep dive into understanding Component Object Model - DuMp-GuY TrIcKsTeR(2021)
- Content: What is The Microsoft Component Object Model (COM); Functionality of COM; COM in Registry (Tools - COM viewers); COM Client-Server (Using Powershell/.NET COM Client); Reversing COM instances and methods in IDA (Structures, Types, ComIDA plugin); Interesting way of using COM Method in LokiBot malware sample
- COM Hijacking Techniques - David Tulis(Derbycon2019
- Articles/Blogposts/Writeups
- COM Proxying
- Articles/Blogposts/Writeups
- Proxying COM For Stable Hijacks - leolobeek(2019)
- Hooking COM Objects: Intercepting Calls to COM Interfaces - apriorit.com(2014)
- The current article was written to help you get familiar with the procedure of implementing COM interface hooking. Here you’ll find: theory, functional code samples, and clear explanations.
- Articles/Blogposts/Writeups
- Tools
- Helpful
- COM_Mapper
- COMMethodSearcher
- Script that searches through all COM objects for any methods containing a key word of your choosing.
- DCOMrade
- Article
- Powershell script for enumerating vulnerable DCOM Applications
- Go OLE
- Go bindings for Windows COM using shared libraries instead of cgo.
- ReaCOM
- Discovery
- OxidBindings
- Extract all IP of a computer using DCOM without authentication (aka detect network used for administration)
- COM_Mapper
- A tool to create COM class/interface relationships in neo4j. It is designed to be run once on a developer system, and it will take a few hours to complete. Once completed, a user can issue cypher queries via Neo4j and get COM class/interface relationships. This is very much a quick and dirty prototype that was created to serve my needs for doing Microsoft Office OLE research. Please feel free to expand or shoot me ideas to make this better.
- Windows Feature Hunter (WFH)
- Windows Feature Hunter (WFH) is a proof of concept python script that uses Frida, a dynamic instrumentation toolkit, to assist in potentially identifying common “vulnerabilities” or “features” within Windows executables. WFH currently has the capability to automatically identify potential Dynamic Linked Library (DLL) sideloading and Component Object Model (COM) hijacking opportunities at scale.
- SharpComHijack
- Dumps com objects that can be hijacked for persistence. Information pulled from task scheduler
- DCKFinder: Dangling COM Keys Finder
- A simple utility to locate COM registry keys referencing DLL or EXE which are not on the system anymore.
- OxidBindings
- Hijacking
- acCOMplice
- MessageBox
- PoC dlls for Task Scheduler COM Hijacking
- PS1jacker
- Ps1jacker is a tool for generating COM Hijacking payload.
- COMProxy
- A COM client and server for testing COM hijack proxying. If you are running a COM hijack, proxying the legitimate COM server may result in better stability, thats the idea around this PoC.
- COM-Hijacking
- An example of COM hijacking using a proxy DLL.
- Lateral Movement
- DVS
- D(COM) V(ulnerability) S(canner) AKA Devious swiss army knife - Lateral movement using DCOM Objects
- DVS
- Privilege Escalation
- COMahawk
- Privilege Escalation: Weaponizing CVE-2019-1405 and CVE-2019-1322
- COMahawk
- Helpful
- Execution
- Building a COM Server for Initial Execution - leoloobeek(2020)
- This post will expand on previous research and cover writing your own COM server DLL, loading it from scripting languages with registration-free activation, and discussion around weaponization and OPSEC. This was a personal journey that helped me learn a lot more about what happens when you create and use a COM object from JScript. I will also be releasing a PoC COM server that runs provided shellcode.
- Tools
- COMRunner
- A simple COM server which provides a component to run shellcode. Also includes a Windows JScript file to load the COM server and create the object with registration-free activation. This PoC COM server provides an object with a method that takes in base64 encoded shellcode and a method to run the shellcode.
- COMRunner
- Building a COM Server for Initial Execution - leoloobeek(2020)
- Serialization/Marshalling
- Programming with
- C#
- C/C++
- Python
- VBA
- 101
- Containers(Windows)
- (Windows )Cryptography
- 101
- Articles/Blogposts/Writeups
- Windows File Confusion: Masquerading Unsigned Binaries as Signed Ones - Matt Graeber(2013)
- Inside Code Signing - Thomas 'toto' Kollbach(2014)
- Masquerading as a Windows System Binary Using Digital Signatures - Stuart Morgan(2016)
- Code Signing Certificate Cloning Attacks and Defenses - Matt Graeber(2017)
- MetaTwin – Borrowing Microsoft Metadata and Digital Signatures to “Hide” Binaries - Joe Vest(2017)
- Borrowing Microsoft Code Signing Certificates - lopi(2017)
- Application of Authenticode Signatures to Unsigned Code - mattifestation(2017)
- Hijack Digital Signatures – PowerShell Script - pentestlab.blog(2017)
- NSIS ReadCustomerData without invalidating SignTool Digital Signature - Jrklein(2018)
- Digital Certificates - Models for Trust and Targets for Misuse - Tomislav Peričin(2019)
- Breaking the Windows Authenticode security model - Tomislav Peričin(2019)
- Signing .jar files with an existing certificate on Windows - Chad Duffey(2020)
- Verifying Windows binaries, without Windows - William Woodruff(2020)
- Code Signing on a Budget - @Jackson_T(2020)
- "Summary: This post goes over how attackers could use search engines to find and abuse legitimate code-signing certificates. With this technique, I was able to find a valid code-signing certificate belonging to a leading tech company and disclosed it to them. This isn't particularly novel but I'm writing this to raise defensive awareness that abusing code-signing certificates is not limited to well-resourced attackers."
- Uncovering and Disclosing a Signature Spoofing Vulnerability in Windows Installer: CVE-2021-26413 - Ron Waisberg(2021)
- PE Authenticode - Romain Thomas
- This tutorial explains how to process and verify PE authenticode with LIEF
- Talks/Videos
- Papers
- Issued for Abuse: Measuring the Underground Trade in Code Signing Certificates - Kristian Kozak, Bum Jun Kwon, Doowon Kim, Tudor Dimitras(2018)
- "Recent measurements of the Windows code signing certificate ecosystem have highlighted various forms of abuse that allow malware authors to produce malicious code carry- ing valid digital signatures. However, the underground trade that allows miscreants to acquire such certificates is not well understood. In this paper, we take a step toward illuminating this trade by investigating the certificate black market from two separate perspectives. First, we identify 4 leading vendors of Authenticode certificates, we document how they conduct business, and we estimate their market share. Second, we dig deeper into the demand for code signing certificates by collecting a dataset of recently signed malware and by using it to study the relationships among malware developers, malware families, and certificates. We also establish indirect links be- tween these two data sets by inferring that 5 certificates found in our signed malware samples had likely been purchased from one of the black market vendors we observed. Using this approach, we document a apparent shift in the methods that malware authors employ to obtain valid digital signatures. While prior studies have reported that most of the code signing certificates used by malware had been issued to legitimate developers and later compromised, we report that, in 2017, this method is not prevalent anymore. Instead, we gather evidence consistent with a stable underground market that represents the leading source of code signing certificates for malware authors. We also find that the need to bypass platform protections such as Microsoft Defender SmartScreen plays an important role in driving the demand for Authenticode certificates. Together, these findings suggest that the trade in certificates issued for abuse represents an emerging segment of the underground economy."
- Subverting Trust in Windows - Matt Graeber(2020)
- On Challenges in Verifying Trusted Executable Files in Memory Forensics - DanielUrozRicardo J.Rodríguez(2020)
- "Memory forensics is a fundamental step in any security incident response process, especially in computer systems where malware may be present. The memory of the system is acquired and then analyzed, looking for facts about the security incident. To remain stealthy and undetected in computer systems, malware are abusing the code signing technology, which helps to establish trust in computer software. Intuitively, a memory forensic analyst can think of code signing as a preliminary step to prioritize the list of processes to analyze. However, a memory dump does not contain an exact copy of an executable file (the file as stored in disk) and thus code signing may be useless in this context. In this paper, we investigate the limitations that memory forensics imposes to the digital signature verification process of Windows PE signed files obtained from a memory dump. These limitations are data incompleteness, data changes caused by relocation, catalog-signed files, and executable file and process inconsistencies. We also discuss solutions to these limitations. Moreover, we have developed a Volatility plugin named sigcheck that recovers executable files from a memory dump and computes its digital signature (if feasible). We tested it on Windows 7 x86 and x64 memory dumps. Our experiments showed that the success rate is low, especially when the memory is acquired from a system that has been running for a long time."
- Issued for Abuse: Measuring the Underground Trade in Code Signing Certificates - Kristian Kozak, Bum Jun Kwon, Doowon Kim, Tudor Dimitras(2018)
- Tools
- CarbonCopy
- A tool which creates a spoofed certificate of any online website and signs an Executable for AV Evasion. Works for both Windows and Linux
- certerator
- This is the code relating to a project to simplify the act of creating a CA, signing a binary with the CA and then installing the CA on the target machine. It investigates the extent to which this can be achieved without the benefit of a GUI and shows how this can be modified to generate valid EV certificates which are trusted by Windows. It is intended for penetration testers who are looking to install an implant binary which looks as legitimate as possible. None of these techniques are new, but it is hoped that this tool and project will make them easier and more accessible.
- LimeLighter
- "A tool which creates a spoof code signing certificates and sign binaries and DLL files to help evade EDR products and avoid MSS and sock scruitney. LimeLighter can also use valid code signing certificates to sign files. Limelighter can use a fully qualified domain name such as acme.com."
- Jsign
- Jsign is a Java implementation of Microsoft Authenticode that lets you sign and timestamp executable files for Windows, Microsoft Installers (MSI), Cabinet files (CAB) and scripts (PowerShell, VBScript, JScript, WSF). Jsign is platform independent and provides an alternative to native tools like signcode/signtool on Windows or the Mono development tools on Unix systems.
- Microsoft Authenticode Code Signing in Linux with Jsign - SSL.com(2021)
- "In this how-to we’ll cover using Jsign from the Linux command line for OV/IV code signing and EV code signing. Because Jsign is Java based, you can also use it on Windows and MacOS systems."
- uthenticode
- uthenticode (stylized as μthenticode) is a small cross-platform library for verifying Authenticode digital signatures.
- winchecksec
- Checksec, but for Windows: static detection of security mitigations in executables
- CurveBall (CVE-2020-0601) - PoC
- "CVE-2020-0601, or commonly referred to as CurveBall, is a vulnerability in which the signature of certificates using elliptic curve cryptography (ECC) is not correctly verified."
- SigFlip
- SigFlip is a tool for patching authenticode signed PE files (exe, dll, sys ..etc) in a way that doesn't affect or break the existing authenticode signature, in other words you can change PE file checksum/hash by embedding data (i.e shellcode) without breaking the file signature, integrity checks or PE file functionality.
- Append Payload to Signed NSIS Executable Installer File
- "This program allows you to embed a payload containing custom user data into an executable generated by NSIS (Nullsoft Scripted Installer System) and signed with Microsoft SignTool.exe (or similar). This is tested and working with the NSIS ReadCustomerData Function. Windows recognizes the original digital signature since we are just adding arbitrary data and did not modify the code."
- CarbonCopy
- DLLs
- 101
- What is a DLL? - support.ms
- Dynamic-Link-Library - Wikipedia
- DLL Hell - Wikipedia
- Dynamic-Link Library Redirection - doc.ms
- Applications can depend on a specific version of a shared DLL and start to fail if another application is installed with a newer or older version of the same DLL. There are two ways to ensure that your application uses the correct DLL: DLL redirection and side-by-side components. Developers and administrators should use DLL redirection for existing applications, because it does not require any changes to the application. If you are creating a new application or updating an application and want to isolate your application from potential problems, create a side-by-side component.
- DynamicLinkLibraries.pdf - Winnitor
- DLLsForHackers
- Dlls that can be used for side loading and other attack vectors. This Dll will not cause deadlock since it only use functions that are DllMain safe as described below.
- Building Windows DLLs with MinGW - Transmission Zero
- Articles/Blogposts/Writeups
- What is
*.localfile in windows ? - abcdef(2020) - Debugging DLL’s – 3 techniques to help you get started - Jean-François Maes(2020)
- Using Pragmas to Create a Proxy DLL - Kontza(2007)
- This article explains a way to create a Proxy DLL employing the MSVC compiler
'#pragma comment'feature.
- This article explains a way to create a Proxy DLL employing the MSVC compiler
- Quickpost: DllDemo - Didier Stevens(2017)
- How to turn a DLL into a standalone EXE - Hasherezade(2016)
- Staying Hidden on the Endpoint: Evading Detection with Shellcode - Evan Pena, Casey Erikson
- Abusing DLL Misconfigurations — Using Threat Intelligence to Weaponize R&D - Evan Pena, Ruben Boonen, Brett Hawkins
- edgegdi.dll for persistence - Chad Duffey(2020)
- Abusing Delay Load DLLs for Remote Code Injection - Bryan Alexander(2017)
- What is
- Talks/Presentations/Videos
- Memory-Based Library Loading: Someone Did That Already. - Casey Rosini(Derbycon2017)
- The technique of using memory-based library loading has been around for a number of years. It is available in different forms and for different operating systems. It has been popularized in the security-space with long-standing techniques perhaps even longer than some are aware. And here I thought that I found or did some new evasion. This talk discusses a library for Windows that is still maintained but has been seemingly overlooked for over a decade (or has it?), and how it can be used against the next-generation securing of the digitals.
- Memory-Based Library Loading: Someone Did That Already. - Casey Rosini(Derbycon2017)
- Tools
- CMDLL
- the most basic DLL ever to pop a cmd.
- DLL_to_EXE
- Converts a DLL into a ready-to-use EXE.
- DllToShellCode
- Fast Conversion Windows Dynamic Link Library To ShellCode
- DLLoader
- Surrogate DLL carrier for debugging purposes.
- DLL loading shellcode
- Shellcode to load an appended Dll
- MaliciousDLLGenerator
- DLL Generator for side loading attack
- MinGW DLL Example
- This is an example Win32 DLL and console application. It is intended to demonstrate how to build DLLs using MinGW, and utilise their functionality within a client application.
- DLL-Template
- Simple skeleton for a CPP DLL
- CMDLL
- DLL Hijacking
- See DLL Stuff
- DLL Hollowing
- See DLL Hollowing
- DLL Proxying
- See DLL Proxying
- 101
- DPAPI
- 101
- Articles/Blogposts/Writeups
- DPAPI Primer for Pentesters - WebstersProdigy(2013)
- Grab the Windows secrets! - decoder.cloud(2017)
- DPAPI exploitation during pentest and password cracking - Jean-Christophe Delaunay
- Happy DPAPI! - ZenaForensics
- ReVaulting! Decryption and opportunities - Reality Net System Solutions
- Windows ReVaulting - digital-forensics.it
- TBAL: an (accidental?) DPAPI Backdoor for local users - vztekoverflow
- Operational Guidance for Offensive User DPAPI Abuse - harmj0y
- Offensive Encrypted Data Storage (DPAPI edition) - harmj0y
- A Case Study in Attacking KeePass - harmj0y
- Reading DPAPI Encrypted Secrets with Mimikatz and C++ -ired.team
- Retrieving DPAPI Backup Keys from Active Directory - Michael Grafnetter
- The Blackbox of DPAPI the gift that keeps on giving - Bartosz Inglot(OPCDE2017)
- Talks & Presentations
- The BlackBox of DPAPI: The Gift That Keeps on Giving - Bart Inglot
- DPAPI and DPAPI-NG: Decryption Toolkit - Paula Januskiewicz
- Protecting browsers’ secrets in a domain environment - Itai Grady
- All popular browsers allow users to store sensitive data such as credentials for online and cloud services (such as social networks, email providers, and banking) and forms data (e.g. Credit card number, address, phone number) In Windows environment, most browsers (and many other applications) choose to protect these secrets by using Window Data Protection API (DPAPI), which provides an easy method to encrypt and decrypt secret data. Lately, Mimikatz, a popular pentest/hacking tool, was updated to include a functionality that allows highly-privileged attackers to decrypt all of DPAPI secrets. In this talk, I will analyze the Mimikatz Anti-DPAPI attack targeting the Domain Controller (DC) which puts all DPAPI secrets in peril and show how it can be defeated with network monitoring.
- Decrypting DPAPI data - Jean-Michel Picod, Elie Bursztein
- give me the password and I'll rule the world: dpapi, what else? - Francesco Picasso
- DPAPI exploitation during pentest and password cracking - Jean-Christophe Delaunay
- ReVaulting! Decryption and opportunities - Francesco Picasso
- Windows credentials manager stores users’ credentials in special folders called vaults. Being able to access such credentials could be truly useful during a digital investigation for example, to gain access to other protected systems. Moreover, if data is in the cloud, there is the need to have the proper tokens to access it. This presentation will describe vaults’ internals and how they can be decrypted; the related Python Open Source code will be made publicly available. During the session, credentials and vaults coming from Windows 7, Windows 8.1 and Windows 10 will be decrypted, focusing on particular cases of interest. Finally, the presentation will address the challenges coming from Windows Phone, such as getting system-users’ passwords and obtaining users’ ActiveSync tokens.
- Tools
- dpapick
- DPAPIck is a forensic toolkit, written in Python and designed to easily deal with Microsoft DPAPI blob decryption in an offline and cross-platform way.
- Windows DPAPI Lab
- My own DPAPI laboratory. Here I put some ongoing works that involve Windows DPAPI (Data Protection API). It's a lab, so something could not work: please see "How to Use".
- The LaZagne Project
- LaZagne uses an internal Windows function called CryptUnprotectData to decrypt user passwords. This API should be called on the victim user session, otherwise, it does not work. If the computer has not been started (when the analysis is realized on an offline mounted disk), or if we do not want to drop a binary on the remote host, no passwords can be retrieved. LaZagneForensic has been created to avoid this problem. This work has been mainly inspired by the awesome work done by Jean-Michel Picod and Elie Bursztein for DPAPICK and Francesco Picasso for Windows DPAPI laboratory.
- DataProtectionDecryptor v1.06 - Nirsoft
- dpapick
- Device Guard
- 101 *
- ETW
- 101
- Event Tracing - docs.ms
- About Event Tracing - docs.ms
- Using Event Tracing - docs.ms
- Writing an Instrumentation Manifest - docs.ms(2018)
- Applications and DLLs use an instrumentation manifest to identify their instrumentation providers and the events that the providers write. A manifest is an XML file that contains the elements that identify your provider. The convention is to use .man as the extension for your manifest. The manifest must conform to the event manifest XSD.
- Event Metadata Overview - docs.ms
- ETW: Event Tracing for Windows 101 - @spothteplanet
- Introduction to Threat Intelligence ETW - NtRaiseHardError(2020)
- Windows10EtwEvents
- Events from all manifest-based and mof-based ETW providers across Windows 10 versions
- Articles/Blogposts/Writeups
- Logging Keystrokes with Event Tracing for Windows (ETW) - SRT Team(2016)
- Data Source Analysis and Dynamic Windows RE using WPP and TraceLogging - Matt Graeber(2019)
- Hidden Treasure: Intrusion Detection with ETW, Part 1 - Zac Brown(2017)
- SilkETW: Because Free Telemetry is … Free! - Ruben Boonnen
- Tampering with Windows Event Tracing: Background, Offense, and Defense - Palantir
- Getting started with Event Tracing for Windows in C# - Alex Khanin
- ETW Event Tracing for Windows and ETL Files - Nicole Ibrahim
- Talks/Videos
- Hidden Treasure: Detecting Intrusions with ETW - Zac Brown(2017)
- Production tracing with Event Tracing for Windows (ETW) - Doug Cook(2017)
- ETW - Monitor Anything, Anytime, Anywhere - Dina Goldshtein(NDC Oslo 2017)
- You’ll learn how to diagnose incredibly complex issues in production systems such as excessive garbage collection pauses, slow startup due to JIT and disk accesses, and even sluggishness during the Windows boot process. We will also explore some ways to automate ETW collection and analysis to build self-diagnosing applications that identify high CPU issues, resource leaks, and concurrency problems and produce alerts and reports. In the course of the talk we will use innovative performance tools that haven’t been applied to ETW before — flame graphs for visualising call stacks and a command-line interface for dynamic, scriptable ETW tracing. ETW is truly a window into everything happening on your system, and it doesn’t require expensive licenses, invasive tools, or modifying your code in any way. It is a critical, first-stop skill on your way to mastering application performance and diagnostics.
- Tools
- CollectDotNetEvents.ps1
- A PoC script to capture relevant .NET runtime artifacts for the purposes of potential detections
- krabsetw
- KrabsETW provides a modern C++ wrapper and a .NET wrapper around the low-level ETW trace consumption functions.
- PerfView
- PerfView is a free performance-analysis tool that helps isolate CPU and memory-related performance issues. It is a Windows tool, but it also has some support for analyzing data collected on Linux machines. It works for a wide variety of scenarios, but has a number of special features for investigating performance issues in code written for the .NET runtime.
- WindowsEventLogMetadata
- Event metadata collected across all manifest-based ETW providers on Window 10 1903
- NiftyETWProviders.json
- TLGMetadataParser.psm1
- Retrieves TraceLogging metadata from a file.
- EtwExplorer
- SilkETW & SilkService
- SilkETW & SilkService are flexible C# wrappers for ETW, they are meant to abstract away the complexities of ETW and give people a simple interface to perform research and introspection. While both projects have obvious defensive (and offensive) applications they should primarily be considered as research tools. For easy consumption, output data is serialized to JSON. The JSON data can either be written to file and analyzed locally using PowerShell, stored in the Windows eventlog or shipped off to 3rd party infrastructure such as Elasticsearch.
- WEPExplorer
- This tool is very helpful when you want to explore all the Windows Event providers installed on your system and what kind of metadata they have. The Explorer GUI sports a comprehensive filter that helps you sift through a complex provider's metadata.
- TamperETW
- PoC to demonstrate how CLR ETW events can be tampered.
- CollectDotNetEvents.ps1
- 101
- Event Log
- See L-SM-TH.md
- Articles/Blogposts/Writeups
- Faxes & Printers
- 101
[[MS-RPRN]: Print System Remote Protocol - docs.ms](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1)[[MS-RPRN]: Print System Remote Protocol - msdn.ms](https://msdn.microsoft.com/en-us/library/cc244528.aspx)
- Articles/Blogposts/Writeups
- 101
- Fibers
- 101
- Articles/Blogposts/Writeups
- File Extensions
- Common file name extensions in Windows - support.ms
- File Types - docs.ms
- This topic explains how to create new file types and how to associate your app with your file type and other well-defined file types. Files with a shared common file name extension (.doc, .html, and so on) are of the same type. For example, if you create a new text editor, then you can use the existing .txt file type. In other cases, you might need to create a new file type.
- The case of the missing file extensions - NCCGroup(2014)
.libary-msdesktop.ini.lnkautorun.inf.mum.mui.pif* Program information file - Wikipedia.local.theme
- Hooking in Windows
- 101
- Why do Windows functions all begin with a pointless MOV EDI, EDI instruction? - Raymond Chen(2011)
- Why don’t Windows functions begin with a pointless MOV EDI,EDI instruction on x86-64? - Raymond Chen(2022)
- Windows Inline Function Hooking - Tom Wilson(2015)
- Bypass EDR’s memory protection, introduction to hooking - Hoang Bui(2019
- Windows API Hooking - @spotheplanet
- The different ways of hooking - Ch40zz(2015)
- Userland API Monitoring and Code Injection Detection - dtm(2018)
- "The following document is a result of self-research of malicious software (malware) and its interaction with the Windows Application Programming Interface (WinAPI). It details the fundamental concepts behind how malware is able to implant malicious payloads into other processes and how it is possible to detect such functionality by monitoring communication with the Windows operating system. The notion of observing calls to the API will also be illustrated by the procedure of hooking certain functions which will be used to achieve the code injection techniques."
- PE Parsing and Defeating AV/EDR API Hooks in C++ - Solomon Sklash(2020)
- Endpoint Detection and Response: How Hackers Have Evolved - Matthew Eidelberg(2021)
- General
- API Monitoring and Hooking for Offensive Tooling - @spotheplanet
- Bypassing User-Mode Hooks and Direct Invocation of System Calls for Red Teams - @modexpblog
- API Hooking – Tales from a Hacker’s Hook Book - Shiran Grinberg(2020)
- Worried about EDR hooking catching you out? - benpturner(2020)
- Hooking - alphaSeclab
- collection of articles+tools. Last updated in 2020
- hooking-by-example
- "A series of increasingly complex programs demonstrating function hooking on 64 bit Windows. Culminating in a program that hooks mspaint to make it always paint orange."
- A Comprehensive Guide to Hooking Windows APIs with Python - Vadim N, Ivan Komarov(2021)
- PyHook
- Offensive API Hooking - Ilan Kalendarov(2021)
- Hook Heaps and Live Free - Arash Parsa(2021)
- Hooking Syscalls
- Hooking Techniques
- API/Function/In-Line Hooking
- 101
- x86 API Hooking Demystified - Jurriaan Bremer(2012)
- Inline Hooking for Programmers (Part 1: Introduction) - MalwareTech(2015
- X64 Function Hooking by Example - Kyle Halladay(2020)
- Manually Implementing Inline Function Hooking - securehat(2021)
- Windows API hooking. Simple C++ example. - cocomelonc(2022)
- Tools
- Microsoft Detours
- Detours
- "Detours is a software package for monitoring and instrumenting API calls on Windows. It is distributed in source code form."
- DetoursNT
- Detours with just single dependency - NTDLL
- minhook
- MinHook.NET
- "The (C#) library has the capability of inline hooking native API calls, utilising .NET delegates for both the detoured and original function that is commonly called with the detour."
- MinHook.NET RastaMoue fork
- An experimental fork of CCob's MinHook.NET project.
- List of API Hook Libraries
- Juno
- A Windows managed method detouring library that supports both x86 and x64 detours.
- diStormX
- AppInitHook
- Global user-mode hooking framework, based on AppInit_DLLs. The goal is to allow you to rapidly develop hooks to inject in an arbitrary process.
- 101
- DLL Hooking
- DLL Proxying
- see 'DLL Proxying' under
DLL-Related->Proxying
- see 'DLL Proxying' under
- Hardware Breakpoint Hooking
- Export-Address Table Hooking
- Import-Address Table(IAT) Hooking
- Articles/Blogposts/Writeups
- Userland hooking, IAT - c0llateral(2009)
- IAT Hooking Revisited - John Leitch(2011)
- Import address table (IAT) hooking is a well documented technique for intercepting calls to imported functions. However, most methods rely on suspicious API functions and leave several easy to identify artifacts. This paper explores different ways IAT hooking can be employed while circumventing common detection mechanisms.
- Hooking Series PART I : Import Address Table Hooking - ReLearEx(2017
- IAT Function Hooking - dzzie
- Offensive IAT Hooking - Ege Balci(2018
- IAT hooking - F3real(2019
- Import Adress Table (IAT) Hooking - @spotheplanet
- Papers
- Study on the API Hooking Method Based on the Windows - Wan-Kyung Kim, Woo-Young Soh, Kyung Sung(2009
- "Recently, malicious attacks for Windows operate through Window API hooking in the Windows Kernel. This paper presents the API hooking attack and protection techniques based on Windows kernel. Also this paper develops a detection tool for Windows API hooking that enables to detect dll files which are operated in the kernel. Proposed tool can detect behaviors that imports from dll files or exports to dll files such as kernel32.dll, snmpapi.dll, ntdll.dll and advapidll.dll, etc.. Test results show that the tool can check name, location, and behavior of API in testing system."
- Study on the API Hooking Method Based on the Windows - Wan-Kyung Kim, Woo-Young Soh, Kyung Sung(2009
- Tools
- hooks
- A DLL that performs IAT hooking
- IAT patcher
- Article
- Persistent IAT hooking application (for PE files).
- win32_hook.h
- hooks
- Articles/Blogposts/Writeups
- Forced-Exception
- 101
- Articles/Blogposts/Writeups
- Hardware-Breakpoints/Vector-Exception Hooking
- 101
- Articles/Blogposts/Writeups
- Hooking via Vectored Exception Handling - UC
- Vectored Exception Handling, Hooking Via Forced Exception - Hoang Bui(2019)
- Hardware breakpoints and exceptions on Windows - Ling
- FireWalker: A New Approach to Generically Bypass User-Space EDR Hooking - Peter Winter-Smith(2020)
- StealthHook - A method for hooking a function without modifying memory protection - x86matthew(2022)
- Tools
- Hypervisor Hooking
- 101
- Articles/Blogposts/Writeups
- Tools
- hyperbone
- Minimalistic VT-x hypervisor with hooks
- KasperskyHook
- Hook system calls on Windows by using Kaspersky's hypervisor
- hyperbone
- Interrupt-Descriptor-Table Hooking
- Articles/Blogposts/Writeups
- Handling Interrupt Descriptor Table for fun and profit - kad(2002)
- Hooking IDT - Dejan Lukan(2014
- Hooking Series PART II: Interrupt Descriptor Table Hooking - ReLearEx(2017
- Interrupt Descriptor Table - @spotheplanet
- EDR Bypass : How and Why to Unhook the Import Address Table - Alice Climent-Pommeret(2022)
- Tools
- IDTClient.c
- Windows x86 Interrupt Descriptor Table (IDT) hooking driver
- IAT-Hooking
- IAT Hooking POC (x86 / x64) - Hook functions through the IAT.
- IDTClient.c
- Articles/Blogposts/Writeups
- Mini-Filters
- Articles/Blogposts/Writeups
- Msv
- Nirvana Hooks
- Hooking Nirvana: Stealthy Instrumentation Techniques for Windows 10 - Alex Ionescu(REcon2015)
- [Windows 10 Hooking Nirvana explained -
- Windows x64 System Service Hooks and Advanced Debugging - nick.p everdox(2013)
- Instrumentationcallback and advanced debugging - nick.p everdox(2013)
- Windows 10 Hooking Nirvana explained - Vyacheslav Rusakov(2016)
- Weaponizing Mapping Injection with Instrumentation Callback for stealthier process injection - splinter_code(2020)
- Hooking via InstrumentationCallback - qaz_qaz(2022)
- x86 Nirvana Hooks & Manual Syscall Detection - Conor Richard(2022)
- syscall-detect
- System Service Dispatch Table(SSDT)
- 101
- Articles/Blogposts/Writeups
- Tools
- ProcessIsolator
- Utility to hook SSDT of specific process and transfer control to a service (usermode app) for handling to determine action allow/deny API call etc. currenly only NTAPI/WIN32K logging is supposeted no handlers were implemented. Ideally this should use virtualization to hook LSTAR CSTAR MSRs and don't implement own KiSystemCall.
- Hackshield Bypass for Windows Xp/7
- SHD
- Ssdt Hook Detection tool packaged into a small cli utility. The drivers are packed as resources in the cli tool and are extraced upon use. Currently only tested on Win7SP1x86, Win7SP1x64.
- ProcessIsolator
- Tools
- VirtualTable(C++)
- Tools
- WoW32/64
- See
's-gatesection.
- See
- C#/.NET
- Articles/Blogposts/Writeups
- Tools
- DotNetHooking
- Sample use cases of the .NET native code hooking technique
- PlayHooky
- PlayHooky is a simple C# Class that can be used to hook C# Methods at runtime. PlayHooky works on both .NET and Mono of any version, and Unity 4-5+ as long as you are running Windows x86/x64.
- Loader2
- Open.WinKeyboardHook
- A simple and easy-to-use .NET managed wrapper for Low Level Keyboard hooking.
- Loader1
- Nova Hook is an open source VB.NET cheat loader currently built for CS:GO
- GlobalHook
- Simple global keyboard, mouse hook and simulation library written C#
- DotNetHook
- A hook proof of concept with no native dependencies. Hook both .NET methods (even framework methods) and Native methods entirely in .NET.
- MonoHook
- hook C# method at runtime without modify dll file (such as UnityEditor.dll)
- Dendrobate
- Managed code hooking template.
- Unhook BitDefender
- DotNetHooking
- API/Function/In-Line Hooking
- Un-Hooking
- Articles/Blogposts/Writeups
- Why Usermode Hooking Sucks – Bypassing Comodo Internet Security - George Nicalaou(2012)
- You’re Off the Hook: Blinding Security Software - Alex Matrosov, Jeff Tang(ZeroNights2016)
- Universal Unhooking: Blinding Security Software - Jeffrey Tang(2017)
- Defeating Userland Hooks (ft. Bitdefender) - dtm(2019)
- Adventures in Dynamic Evasion - Matt Hand(2020)
- User-mode API hooks and bypasses - dumpco.re(2020)
- Bypassing Cylance and other AVs/EDRs by Unhooking Windows APIs - @spottheplanet
- Thread and Process State Change - Yarden Shafir(2021)
- Pushing back on userland hooks with Cobalt Strike - Ralphael Mudge(2021)
- Does Acrobat Reader Unload Injection of Security Products? - Natalie Zargarov(2022)
- A practical guide to bypassing userland API Hooking - Muhaimin Dzulfakar
- Finding hooks with windbg - Oliver Bachtik(2022)
- Hook Integrity Checks - passthehashbrowns(2021)
- Techniques(too lazy to actually sort these right now - FIXME)
- Defeating Antivirus Real-time Protection From The Inside - Kuba Gretzky(2016)
- Defeating Userland Hooks (ft. Bitdefender) - dtm(2019)
- User-mode API hooks and bypasses - Magnus Stubman(2021)
- Bypassing PESieve and Moneta (The "easy" way....?) - Arash Parsa(2022)
- Bring(Build) your own functions
- Detect & Jump Past the hooks
- Do-it-Yourself Loading (Avoid the hooks)
- Overwrite the specific bytes in memory that are the hook with your own
- Read clean copy of DLL from disk and map into memory
- Full DLL Unhooking with C++ - @spotheplanet
- Classic API Unhooking to Bypass EDR Solutions - Brendan Ortiz(2021)
- EDR Evasion: Unhooking DLL's Part 1 - makosec(2021
- NtdllPipe - Using cmd.exe to retrieve a clean version of ntdll.dll - x86Matthew(2022)
- Perun's Fart(Clean copy of NTDLL from in-memory, vs from on-disk
- Talks/Presentations/Videos
- Tools
- Memfuck
- MemFuck: Bypassing User-Mode Hooks - winternl.com
- A PoC designed to bypass all usermode hooks in a WoW64 environment.
- UnhookMe
- UnhookMe is an universal Windows API resolver & unhooker addressing problem of invoking unmonitored system calls from within of your Red Teams malware
- minhook
- Shellycoat
- Shellycoat is a utility designed to aid in bypassing User-Mode hooks utilised by AV/NGAV/EDR/Sandboxes/DLP etc. to gain visibility into potentially suspicious actions since SSDT hooking was made obsolete with the advent of Kernel Patch Protection(KPP)/Patch Guard in x64 systems.
- Probatorum EDR Userland Hook Checker
- Probatorum will check which Nt/Zw functions your local EDR is hooking. Most credit for this code goes to SolomonSklash, who has great blogs on a variety of security topics (https://www.solomonsklash.io). He wrote most of this code; I just cleaned it up a bit.
- RefleXXion
- RefleXXion is a utility designed to aid in bypassing user-mode hooks utilised by AV/EPP/EDR etc. In order to bypass the user-mode hooks, it first collects the syscall numbers of the NtOpenFile, NtCreateSection, NtOpenSection and NtMapViewOfSection found in the LdrpThunkSignature array.
- hook-buster
- A compact tool for detecting AV/EDR hooks in default Windows libraries.
- HalosUnhooker
- "HalosUnhooker is an unhooker that will help you to remove AVs/EDRs hooks from NT API. Whats special about HalosUnhooker is that it uses Halo's Gate technique to get the original syscall ID of a hooked NT API which will be used to restore the NT API stub, effectively removing the hooks. Because HalosUnhooker uses Halo's Gate technique to get the original syscall ID, it doesnt touch anything from disk."
- ReloadLibrary
- ReflectiveDLLRefresher
- NewNtdllBypassInlineHook
- Load a fresh new copy of ntdll.dll via file mapping to bypass API inline hook.
- HooksFinder
- MineSweeper
- NtdllUnpatcher
- Celeborn
- HookHunter
- Antivirus-Artifacts
- Anti-virus artifacts. Listing APIs hooked by: Avira, BitDefender, F-Secure, MalwareBytes, Norton, TrendMicro, and WebRoot
- Celeborn
- Userland API Unhooker Project
- Memfuck
- Articles/Blogposts/Writeups
- Kernel-Mode Hooking
- Articles/Blogposts/Writeups
- Windows x64 System Service Hooks and Advanced Debugging - nick.p.everdox(2013)
- This article will explain how we can work alongside patchguard to hook system services in a less invasive way, but still retain the powerful aspects behind it.
- Windows x64 System Service Hooks and Advanced Debugging - nick.p.everdox(2013)
- Articles/Blogposts/Writeups
- Talks/Presentations/Videos
- Rendering Ransomware Detection and EDR Products Blind - Rene Kolga(BSidesSLC 2020)
- EPP/EDR Unhooking their protections - Daniel Feichter(DeepSec2020)
- Slides
- Enclosed you will find the video of our virtual appearance at the DeepSec 2020 about strengths and weaknesses of EPP/EDR products. In the first step, we go into the basics of the Windows OS architecture. In the second step we take a closer look at two mechanisms which can be used by EPP/EDR products under Windows. Afterwards we look at possibilities how these mechanisms can be bypassed by an attacker. And at the end we also take a short look at what defenders can do to prevent these attacks
- Papers
- Tools
- Unsorted
- HookLib
- The functions interception library written on pure C and NativeAPI with UserMode and KernelMode support
- APIunhooker
- C++ function that will automagically unhook a specified Windows API
- Crystal Anti-Exploit Protection 2012
- CoreHook
- A library that simplifies intercepting application function calls using managed code and the .NET Core runtime
- subhook
- SubHook is a super-simple hooking library for C and C++ that works on Windows, Linux and macOS. It supports x86 only (32-bit and 64-bit).
- ddimon
- Monitoring and controlling kernel API calls with stealth hook using EPT
- mhook(2014)
- InfinityHook
- PolyHook
- PolyHook 2.0
- UnhookMe
- UnhookMe is an universal Windows API resolver & unhooker addressing problem of invoking unmonitored system calls from within of your Red Teams malware
- HookLib
- Unsorted
- 101
- LNK Files
- 101
[[MS-SHLLINK]: Shell Link (.LNK) Binary File Format - docs.ms](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-shllink/16cb4ca1-9339-4d0c-a68d-bf1d6cc0f943)- Specifies the Shell Link Binary File Format, which contains information that can be used to access another data object. The Shell Link Binary File Format is the format of Windows files with the extension "LNK".
- Windows Shortcut File format specification - liblnk
- This document is intended as a working document for the Windows Shortcut File (LNK) format specification. Which should allow existing Open Source forensic tooling to be able to process this file type.
- Articles/Blogposts/Writeups
- You down with LNK? - Nathan Drier(2012)
- Tracking threat actors through .LNK files - Michel Conene(2017)
- .LNK downloader and bitsadmin.exe in malicious Office document - Michel Coene(2017)
- Pwned by a Shortcut - Tom Melo(2018)
- Persistence – Shortcut Modification - Pentestlab.blog(2019)
- Deep Dive: A LNK in the Chain - John Ferrell(2019)
- Analyzing the Windows LNK file attack method - 0xd3xt3r(2019)
- Suspected Sapphire Mushroom (APT-C-12) malicious LNK files - @mattnotmax(2020)
- LNK & ISESteroids Powershell dropper - Max Kersten(2020)
- The Missing LNK — Correlating User Search LNK files - Ashley Frazer(2020)
- Using Shell Links as zero-touch downloaders and to initiate network connections - Jan Kopriva(2020)
- CVE-2020-0729: Remote Code Execution Through .LNK Files - Trend Micro Research Team(2020)
- [CVE49] Microsoft Windows LNK Remote Code Execution Vulnerability - CVE-2020-1299 - linhlhq(2020
- Abusing LNK "Features" for Initial Access and Persistence - V3ded(2021
- EmbedExeLnk - Embedding an EXE inside a LNK with automatic execution - x86Matthew(2022)
- Talks/Presentations/Videos
- Papers
- The Meaning of Linkfiles In Forensic Examinations - Harry Parsonage(2010)
- A look at the practical value to forensic examinations of dates and times, and object identifiers in Windows shortcut files.
- The Meaning of Linkfiles In Forensic Examinations - Harry Parsonage(2010)
- Tools
- 101
- MS-SQL Server
- 101
- Articles/Blogposts/Writeups
- Tools
- DAFT: Database Audit Framework & Toolkit
- This is a database auditing and assessment toolkit written in C# and inspired by PowerUpSQL.
- Evil SQL Client (ESC)
- Evil SQL Client (ESC) is an interactive .NET SQL console client with enhanced SQL Server discovery, access, and data exfiltration features. While ESC can be a handy SQL Client for daily tasks, it was originally designed for targeting SQL Servers during penetration tests and red team engagements. The intent of the project is to provide an .exe, b…
- QuickSQL
- QuickSQL is a simple MSSQL query tool that allows you to connect to MSSQL databases and does not require administrative level rights to use.
- SqlClient
- POC for .NET mssql client for accessing database data through beacon
- DAFT: Database Audit Framework & Toolkit
- Named Pipes
- 101
- Articles/Blogposts/Writeups
- Tools
- AsyncNamedPipes
- Quick PoC to send and receive messages over Named Pipes asynchronously.
- Named-Pipe-Sniffer
- getnamedpipes.cs
- AsyncNamedPipes
- PowerShell
- PowerShell Logging
- 101
- Articles/Blogposts/Writeups
- Tools
- DisablePSLogging.cs
- One of the many ways one could disabled PS logging/AMSI if there's prior code execution.
- DisablePSLogging.cs
- PowerShell Profiles
- 101
- Understanding the Six PowerShell Profiles - Dr Scripto(devblogs.ms)
- About Profiles - docs.ms(2017)
- How-to: Configure the PowerShell startup profile [$Profile] - ss64.com
- Understanding different (Six and more!) PowerShell profiles - Mohit Goyal
- PowerShell for Beginners (Part 6): PowerShell Profiles and the ISE - Patrick Gruenauer
- Articles/Blogposts/Writeups
- 101
- PowerShell without PowerShell
- 101
- Articles/Blogposts/Writeups
- Custom Runspace
- Executing PowerShell scripts from C# - docs.ms
- Calling C# code in Powershell and vice versa - Karthik Kk
- How to run PowerShell Core scripts from .NET Core applications - keithbabinec(2020)
- How to execute PowerShell script or cmdlets from C# code? - Mitesh Sureja(2018)
- Project: NotPowerShell
- We don’t need powershell.exe - decoder.cloud(2017)
- Powershell CLM Bypass Using Runspaces - Shaksham Jaiswal(2019)
- Tools
- InsecurePowerShell
- InsecurePowershell is a fork of PowerShell Core v6.0.0, with key security features removed.
- InsecurePowerShellHost
- InsecurePowerShellHost is a .NET Core host process for InsecurePowerShell, a version of PowerShell Core with key security features removed.
- PowerTools
- This project focuses on allowing the execution of Powershell functionality without the use of Powershell.exe. Primarily this project uses.NET assemblies/libraries to start execution of the Powershell scripts.
- UnmanagedPowerShell
- Executes PowerShell from an unmanaged process.
- PowerShdll
- Run PowerShell with dlls only.
- NoPowerShell
- NoPowerShell is a tool implemented in C# which supports executing PowerShell-like commands while remaining invisible to any PowerShell logging mechanisms. This .NET Framework 2 compatible binary can be loaded in Cobalt Strike to execute commands in-memory. No System.Management.Automation.dll is used; only native .NET libraries. An alternative usecase for NoPowerShell is to launch it as a DLL via rundll32.exe: rundll32 NoPowerShell.dll,main.
- A Powerful New Tool: PowerLine - BHIS(2017)
- PowerLine
- Running into environments where the use of PowerShell is being monitored or is just flat-out disabled? Have you tried out the fantastic PowerOps framework but are wishing you could use something similar via Meterpreter, Empire, or other C2 channels? Look no further! In this talk, Brian Fehrman talks about his new PowerLine framework. He overviews the tool, walks you through how to use it, shows you how you can add additional PowerShell scripts with little effort, and demonstrates just how powerful (all pun intended) this little program can be!
- psfire
- simple demo of using C# & System.Management.Automation.dll to run powershell code (b64 encoded) without powershell.exe
- PowerShellArmoury
- The PowerShell Armoury is meant for pentesters, "insert-color-here"-teamers and everyone else who uses a variety of PowerShell tools during their engagements. It allows you to download and store all of your favourite PowerShell scripts in a single, encrypted file.
- InsecurePowerShell
- PowerShell Logging
- PowerShell Desired State Configuration
- Documentation
- DSCompromised: A Windows DSC Attack Framework - Matt Hastings, Ryan Kazanciyan - BH Asia16
- DSCompromised
- PowerShell framework for managing and infecting systems via Windows Desired State Configuration (DSC) DSC is a built-in feature in Windows Management Framework 4.0 (PowerShell v4) and is installed natively on Windows operating systems beginning with Server 2012 R2 and Windows 8.1.
- Privileges
- 101
- Privilege Constants (Authorization) - docs.ms
- Privileges determine the type of system operations that a user account can perform. An administrator assigns privileges to user and group accounts. Each user's privileges include those granted to the user and to the groups to which the user belongs.
- Privilege Constants (Authorization) - docs.ms
- 101
- Processes
- 101
- RPC
- 101
- Articles/Blogposts/Writeups
- Tools
- Search Connectors
- 101
- Search Connector Description Schema - docs.ms
- Introduces the Search Connector Description schema that is used by Windows Explorer libraries and federated search providers. The schema specifies the structure and requirements for Search Connector Description files
(*.searchConnector-ms)and forsearchConnectorDescriptionTypeelements of the Shell Library Description(*.library-ms)files.
- Introduces the Search Connector Description schema that is used by Windows Explorer libraries and federated search providers. The schema specifies the structure and requirements for Search Connector Description files
- Search Connector Description Schema - docs.ms
- Articles/Blogposts/Writeups
- 101
- Services
- 101
- About Services - docs.ms
- The service control manager (SCM) maintains a database of installed services and driver services, and provides a unified and secure means of controlling them. The database includes information on how each service or driver service should be started. It also enables system administrators to customize security requirements for each service and thereby control access to the service.
- Service Control Handler Function - docs.ms
- Each service has a control handler, the Handler function, that is invoked by the control dispatcher when the service process receives a control request from a service control program. Therefore, this function executes in the context of the control dispatcher.
- About Services - docs.ms
- Articles/Blogposts/Writeups
- Tools
- ExploitRemotingService
- A tool to exploit .NET Remoting Services vulnerable to CVE-2014-1806 or CVE-2014-4149. It only works on Windows although some aspects might work in Mono on
*nix.
- A tool to exploit .NET Remoting Services vulnerable to CVE-2014-1806 or CVE-2014-4149. It only works on Windows although some aspects might work in Mono on
- ExploitRemotingService
- 101
- Windows Privileges & Tokens
- 101
- Access token - Wikipedia
- Access Tokens - docs.ms
- An access token is an object that describes the security context of a process or thread. The information in a token includes the identity and privileges of the user account associated with the process or thread. When a user logs on, the system verifies the user's password by comparing it with information stored in a security database. If the password is authenticated, the system produces an access token. Every process executed on behalf of this user has a copy of this access token. The system uses an access token to identify the user when a thread interacts with a securable object or tries to perform a system task that requires privileges.
- Credentials Processes in Windows Authentication - docs.ms
- How Access Tokens Work - docs.ms
- Articles/Blogposts/Writeups
- Introduction to Windows tokens for security practitioners - Will Burgess(2020)
- [About Windows Process/Thread Tokens and Pass The Hash - Kevin Dick(2019)]
- Windows Privilege Abuse: Auditing, Detection, and Defense - Palantir(2019)
- Token Manipulation Attacks (Part 1: Introduction to Tokens and Privileges) - Susan Ghosh(2019)
- Give Me Back My Privileges! Please? - itm4n(2019)
- I want to tell you the story of a service account which lost all its powers (a.k.a. privileges). Windows world is getting increasingly ruthless and when the system considers you are not worthy, this is what happens. Fortunately for our service account, all is not lost, there’s still hope. In this merciless world, you can always turn to the old sages to find some comfort and support. Among them, the Task Scheduler might be willing to help and restore what was lost, provided that you ask kindly…
- Accessing Access Tokens for UIAccess - James Forshaw(2019)
- Sharing a Logon Session a Little Too Much - James Forshaw(2020)
- Understanding and Abusing Process Tokens — Part I - seemant bisht(2020)
- The impersonation game - decoder.cloud(2020)
- Don't Use SYSTEM Tokens for Sandboxing (Part 1 of N) - James Forshaw(2020)
- Game Over Privileges - Acebond(2020)
- Talks/Presentations/Videos
- Abusing Access Tokens for UAC Bypasses - James Forshaw(ZeroNights18)
- UAC, specifically Admin-Approval mode, has been known to be broken ever since it was first released in Windows Vista. Most of the research of bypassing UAC has focused on abusing bad elevated application behavior, auto elevation or shared registry and file resources. However, UAC was fundamentally broken from day one due to the way Microsoft implemented the security around elevated processes, especially their access tokens. This presentation will go into depth on why this technique works, allowing you to silently gain administrator privileges if a single elevated application is running. It will describe how Microsoft tried to fix it in Windows 10, and how you can circumvent their defences. It will also go into detail on a previously undocumented technique to abuse the assumed, more secure, Over-The-Shoulder elevation on Windows 10.
- Understanding Windows Access Token Manipulation - Justin Bui(Hushcon2019)
- Finding alternatives to winlogon.exe to steal SYSTEM access tokens from.
- The Backup Operators Guide to the Galaxy - Dave Mayer
- Backup Operator accounts are ubiquitous and often overlooked by both blue and red teams.These accounts have abusable permissions and are rarely maintained properly.In this talk we will examine and demonstrate novel techniques to stealthily compromise Active Directory through the Backup Operator?s account.We will use the Backup Operator account to gain local Admin privilege, establish persistence, and pivot laterally throughout a domain.However, all is not lost in that we can further lockdown our systems and enable auditing measures to deter and detect these attacks.
- Abusing Access Tokens for UAC Bypasses - James Forshaw(ZeroNights18)
- Papers
- Tools
- PrimaryTokenTheft
- Steal a primary token and spawn cmd.exe using the stolen token.
- One Token to Rule Them All: Post-Exploitation Fun in Windows Environments - Luke Jennings
- Token Kidnapping's Revenge -
- FullPowers
- FullPowers is a Proof-of-Concept tool I made for automatically recovering the default privilege set of a service account including SeAssignPrimaryToken and SeImpersonate.
- PrimaryTokenTheft
- 101
- Windows Communication Foundation
- 101
- Articles/Blogposts/Writeups
- Windows Communication Foundation(WCF) FAQ: Part I - Shivprasd(C#Corner)
- Abusing Insecure Windows Communication Foundation (WCF) Endpoints - Fabius Watson
- Exploitation of Remote WCF Vulnerabilities - Versprite
- Abusing WCF Endpoints for Fun and Profit
- Finding and Exploiting .NET Remoting over HTTP using Deserialisation - Sorush Dalili
- Talks/Presentations/Videos
- Windows Management Instrumentation
- 101
- Official Documentation
- WMI Reference - docs.ms
- Introduction to CIM Cmdlets - MS
- A Description of the Windows Management Instrumentation (WMI) Command-Line Utility (Wmic.exe) - support.ms
- wmic - docs.ms
- WMIC - Take Command-line Control over WMI - docs.ms
- Using Windows Management Instrumentation Command-line - docs.ms(2009)
- WMI Classes - docs.ms
- Access to WMI Namespaces - docs.ms
- WMI Tasks: Accounts and Domains - docs.ms
- WMI Tasks -- Services - docs.ms
- WMI Tasks: Files and Folders - docs.ms
- Search for files using WMI - Jaap Brasser
- Using the PowerShell CIM cmdlets for fun and profit - Dr Scripto
- Use PowerShell and WMI to Get Processor Information - Dr Scripto
- Using the Get-Member Cmdlet - docs.ms
- Get-Process - docs.ms
- General
- (Book) Understanding WMI Scripting: Exploiting Microsoft's Windows Management Instrumentation in Mission-Critical Computing Infrastructures - Alain Lissoir
- Articles/Blogposts/Writeups
- Examples of WMIC commands for Windows .NET SERVER Family - cs.cmu.edu(2002)
- WMIC Command Line Kung-Fu - tech-wreck.blogspot.com(2009)
- Playing with MOF files on Windows, for fun & profit - dimanche(2011)
- MOF-tastic tricks or how to use MOF and powershell together - khr0x40sh(2014
- WMIS: The Missing Piece of the Ownage Puzzle - Christopher Campbell, Exorcyst(2013)
- PowerShell and Events: WMI Temporary Event Subscriptions - Boe Prox(2013)
- Introduction to WMI Basics with PowerShell Part 1 (What it is and exploring it with a GUI) - Carlos Perez(2013)
- Thoughts on Exploiting a Remote WMI Query Vulnerability - Matt Graeber(2015)
- WMI Process Watcher - Vault7 Leaks
- A technique to asynchronously detect when a process is created using WMI.
- WMI object correlation using 'ASSOCIATORS OF'- Matt Graeber(2015)
- A Novel WMI Persistence Implementation - Counter Threat Unit Research Team(Dell2016)
- Creeping on Users with WMI Events: Introducing PowerLurk - Sw4mp_f0x(2016)
- A Brief Usage Guide for Wmic - xorrior(2016)
- Getting Started with WMI Weaponization – Part 2 - Alexander Leary
- Getting Started with WMI Weaponization – Part 5 - Alexander Leary(2017)
- Dissecting One of APT29’s Fileless WMI and PowerShell Backdoors (POSHSPY) - Matthew Dunwoody(2017)
- Lateral Movement Using WinRM and WMI - Tony Lambert(2017)
- Post Exploitation Using WMIC (System Command) - hackingarticles.in(2018)
- Windows Userland Persistence Fundamentals - FuzzySecurity
- Detecting & Removing an Attacker’s WMI Persistence - David French(2018)
- An intro into abusing and identifying WMI Event Subscriptions for persistence - @rebootuser(2019)
- Papers
- Presentations/Talks/Videos
- WMI AttacksFrom Theory To Practice -
- Abusing Windows Management Instrumentation (WMI) - Matthew Graeber(BH USA 2015)
- Imagine a technology that is built into every Windows operating system going back to Windows 95, runs as System, executes arbitrary code, persists across reboots, and does not drop a single file to disk. Such a thing does exist and it's called Windows Management Instrumentation (WMI). With increased scrutiny from anti-virus and 'next-gen' host endpoints, advanced red teams and attackers already know that the introduction of binaries into a high-security environment is subject to increased scrutiny. WMI enables an attacker practicing a minimalist methodology to blend into their target environment without dropping a single utility to disk. WMI is also unlike other persistence techniques in that rather than executing a payload at a predetermined time, WMI conditionally executes code asynchronously in response to operating system events. This talk will introduce WMI and demonstrate its offensive uses. We will cover what WMI is, how attackers are currently using it in the wild, how to build a full-featured backdoor, and how to detect and prevent these attacks from occurring.
- Building Better Backdoors with WMI - Alexander Leary(Derbycon2017)
- Slides
- This presentation will provide a brief overview of WMI, and how creating WMI providers can be leveraged to create a reliable and covert persistence mechanism for offensive security professionals to use.
- Basic Offensive Application of MOF Files in WMI Scripting - Devon Bordonaro(BSidesCharm2018)
- A basic introduction on how to use MOF files and the Windows Management Instrumentation (WMI) database to alter how programs execute and implement your own processes. Join us for a walkthrough of MOF design and an overview of the vulnerabilities presented by the WMI database. Finally, learn how the hardest part of using MOF files is making yourself known to the user.
- Fud WMI for lateral movement (PoC) - ##BsidesDub 2019##
- This repository contains the PowerShell WMI based Proof of Concept for advanced lateral movement as presented at BsidesDub 2019.The main goal of this project was to demonstrate the techniques an attacker might use to bypass detection mechanisms using many techniques in real-life condition.It implement random class name derivation mechanism, payload obfuscation, in-memory execution without any call to IEX nor IWR for the stage 1 dropper and an EventViewer logs removal through WMI un-subscription method.
- Reference
- Tools
- WMI_Backdoor
- A PoC WMI backdoor presented at Black Hat 2015
- cme-wmi
- Experimental plugin for CrackMapExec that adds a new protocol based on pure WMI : all of CrackMapExec's traffic passes via DCOM (TCP/135 and dynamic ports).
- WMIOps
- This repo is for WMIOps, a powershell script which uses WMI for various purposes across a network.
- WMImplant
* This is a PowerShell based tool that is designed to act like a RAT. Its interface is that of a shell where any command that is supported is translated into a WMI-equivalent for use on a network/remote machine. WMImplant is WMI based.
- PowerProvider
- WheresMyImplant: A C# Bring-Your-Own-Land toolkit
- A Bring Your Own Land Toolkit that Doubles as a WMI Provider
- WMI_Backdoor
- Windows Notification Facility
- 101
- Articles/Blogposts/Writeups
- Talks/Presentations/Videos
- Windows Notification Facility: Peeling the Onion of the Most Undocumented Kernel Attack Surface Yet - Alex Ionescu, Gabrielle Viala
- Slides
- All Windows researchers know about RPC and ALPC, and the attack surface provided through the kernel's system call layer. As they know about shared memory, the object manager, the registry, and countless other more 'creative' kernel mechanisms which allow cross-process data sharing and communication, such as raw ETW or atom tables.
- Windows Notification Facility: Peeling the Onion of the Most Undocumented Kernel Attack Surface Yet - Alex Ionescu, Gabrielle Viala
- Tools
- wnfun
- WNF Utilities 4 Newbies (WNFUN) is the repository for the Python scripts and C tools that Gabrielle Viala (@pwissenlit) and Alex Ionescu (@aionescu) wrote for their BlackHat 2018 presentation on the Windows Notification Facility.
- wnfun
- Windows Remote Management
- 101
- Windows Remote Management - Wikipedia
- Windows Remote Management - docs.ms
- Windows Remote Management (WinRM) is the Microsoft implementation of WS-Management Protocol, a standard Simple Object Access Protocol (SOAP)-based, firewall-friendly protocol that allows hardware and operating systems, from different vendors, to interoperate. The WS-Management protocol specification provides a common way for systems to access and exchange management information across an IT infrastructure. WinRM and Intelligent Platform Management Interface (IPMI), along with the Event Collector are components of the Windows Hardware Management features.
- Installation and configuration for Windows Remote Management - docs.ms
- winrs - docs.ms
- Articles/Blogposts/Writeups
- WinRM is my Remote Access Tool - Raphael Mudge(2015)
- Lateral Movement – WinRM - Pentestlab.blog(2018)
- Group Policies: Enabling WinRM for Windows Client Operating Systems (Windows 10, Windows 8, Windows 7) - Patrick Gruenauer(2018)
- Hacking Windows Remote Management (WinRM) - Securethelogs(2019)
- WinRM - JPCert
- WinRM Penetration Testing - Raj Chandel(2020)
- Evil-Winrm : Winrm Pentesting Framework - Raj Chandel(2020)
- Talks/Presentations/Videos
- Tools
- winrs - docs.ms
- Scripting in Windows Remote Management - docs.ms
- Evil-WinRM
- "The ultimate WinRM shell for hacking/pentesting"
- CSharpWinRM
- .NET 4.0 WinRM API Command Execution
- WinRMDLL
- C++ WinRM API via Reflective DLL
- WSMan-WinRM
- A collection of proof-of-concept source code and scripts for executing remote commands over WinRM using the WSMan.Automation COM object.
- pywinrm
- pywinrm is a Python client for the Windows Remote Management (WinRM) service. It allows you to invoke commands on target Windows machines from any machine that can run Python.
- winrm.py - CrackMapExec
- Metasploit
- WinRb/WinRM
- Ruby library for Windows Remote Management
- 101
- Windows Sandbox
- 101
- Articles/Blogposts/Writeups
- Windows Scripting Host
- 101
- Windows Scripting Host - Wikipedia
- Windows Script Host - docs.ms
- The following sections provide information about Windows Script Host along with a reference section that documents the object model.
- wscript - docs.ms
- Windows Script Host provides an environment in which users can execute scripts in a variety of languages that use a variety of object models to perform tasks.
- Scripting - docs.ms
- Windows Script is a comprehensive scripting infrastructure for the Microsoft® Windows® platform. Windows Script provides two script engines, Visual Basic® Scripting Edition and Microsoft JScript®, which can be embedded into Windows Applications. It also provides an extensive array of supporting technologies that makes it easier for script users to script Windows applications.
- Articles/Blogposts/Writeups
- VBS
- 101
- Malicious Butler
- The Remote Malicious Butler Did It! - Tal Be'ery, Chaim Hoch(BHUSA 2015)
- An Evil Maid attack is a security exploit that targets a computing device that has been left unattended. An evil maid attack is characterized by the attacker's ability to physically access the target multiple times without the owner's knowledge. On BlackHat Europe 2015, Ian Haken in his talk "Bypassing Local Windows Authentication to Defeat Full Disk Encryption" had demonstrated a smart Evil Maid attack which allows the attacker to bypass Bitlocker disk encryption in an enterprise's domain environment. The attacker can do so by connecting the unattended computer into a rogue Domain Controller and abusing a client side authentication vulnerability. As a result, Microsoft had released a patch to fix this vulnerability and mitigate the attack. While being a clever attack, the physical access requirement for the attack seems to be prohibitive and would prevent it from being used on most APT campaigns. As a result, defenders might not correctly prioritize the importance of patching it. In our talk, we reveal the "Remote Malicious Butler" attack, which shows how attackers can perform such an attack, remotely, to take a complete control over the remote computer. We will dive into the technical details of the attack including the rogue Domain Controller, the client-side vulnerability and the Kerberos authentication protocol network traffic that ties them. We would explore some other attack avenues, all leveraging on the rogue Domain Controller concept. We would conclude with the analysis of some practical generic detection and prevention methods against rogue Domain Controllers.
- Slides
- The Remote Malicious Butler Did It! - Tal Be'ery, Chaim Hoch(BHUSA 2015)
C# & .NET Stuff
- 101
- .NET & .NET Core
- 101
- Overview of .NET Framework - docs.ms
- Introduction to .NET Core - docs.ms
- .NET Core CLI overview - docs.ms
- .NET Standard - docs.ms
- Tour of .NET - docs.ms
- This article offers a guided tour through some of the key features of the .NET.
- .NET architectural components - docs.ms
- A .NET app is developed for and runs in one or more implementations of .NET. Implementations of .NET include the .NET Framework, .NET Core, and Mono. There is an API specification common to all implementations of .NET that's called the .NET Standard. This article gives a brief introduction to each of these concepts.
- Common Language Runtime (CLR) overview - docs.ms
- An Introduction to Writing .NET Executables for Pentesters - Peew.pw(2017
- Application Domains
- AppDomain Class - docs.ms
- Represents an application domain, which is an isolated environment where applications execute. This class cannot be inherited.
- AppDomain Class - docs.ms
- Internals
- Ninja Patching .NET - Jon McCoy(Dojocon2010)
- Hacking .NET Applications at Runtime: A Dynamic Attack - Jon McCoy(Defcon18)
- Attacking .Net at Runtime - Jonathan McCoy(2013)
- This paper will introduce methodology forattacking .NET programs at runtime. Thisattack will grant control over the targetsvariables, core logic, and the GUI. Thisattack is implemented with .NET code,and is heavily based on reflection.
- .NET Method Internals - Common Intermediate Language (CIL) Basics - @mattifestation(2014)
- Acquiring .NET Objects from the Managed Heap - Topher Timzen(2015)
- This paper will describe how to use any instantiated objectin the .NET CLR managed heap as if it were declared locally.It will be shown that by referencing object pointers fromthe managed heap, an attacker control objects being used inan application. Reflective techniques will be discussed and asignature will be introduced to find any object on the managedheap
- Attacking Microsoft’s .NET Framework Through CLR - Yu Hong, Shikang Xing(HITB2018AMS)
- In this talk, we first introduce managed execution environment and managed code under .NET Framework and discuss the security weaknesses of this code execution method . After that, we show a exploit for SQL Server through CLR and our automated tools for this exploitation. We will introduce a backdoor with administrator privilege based on CLR hijacking arbitrary .NET Applications.
- .NET Malware Threat: Internals and Reversing - Alexandre Borges(Defcon2019)
- Hijacking .NET to Defend PowerShell - Amanda Rosseau
- Abstract—With the rise of attacks using PowerShell in the recent months, there has not been a comprehensive solution for monitoring or prevention. Microsoft recently released the AMSI solution for PowerShell v5, however this can also be bypassed. This paper focuses on repurposing various stealthy runtime .NET hijacking techniques implemented for PowerShell attacks for defensive monitoring of PowerShell. It begins with a brief introduction to .NET and PowerShell, followed by a deeper explanation of various attacker techniques, which is explained from the perspective of the defender, including assembly modification, class and method injection, compiler profiling, and C based function hooking. Of the four attacker techniques that are repurposed for defensive real-time monitoring of PowerShell execution, intermediate language binary modification, JIT hooking, and machine code manipulation provide the best results for stealthy run-time interfaces for PowerShell scripting analysis
- How .NET executables are loaded - repnz(2019)
- Common Language Runtime: Who? why? how? - Mez0
- Common Language Runtime 2: In memory execution - Mez0
- Managed vs Unmanaged code
- What is "managed code"? - docs.ms
- When working with .NET Framework, you will often encounter the term "managed code". This document will explain what this term means and additional information around it.
- What is "managed code"? - docs.ms
- Papers
- Reflection’s Hidden Power: “Modifying Programs at Run-Time”
- This paper will demonstrate using Reflection to take control over a DotNet (.Net)compiled code. The focus of this paper will be on how to use Reflection to navigate and gainaccess to values and functionality that would normally be off limits. This paper will be gearedfor any DotNet programmer (focus will be in C#). No special knowledge of Reflection isnecessary. The basic concept of Reflection and DotNet will be given, along with some lighttraining on using reflection. This paper is written for the DotNet v2.0 and v3.5 versions ofDotNet. Examples will be given on attacks, like forcing a program to change values and executefunctionality
- ASM in .NET: The old is new again - Jon McCoy(2015)
- This paper will cover running raw Machine Code(ASM) from within .NET. As we all know .NET runson IL(Intermediate Language) also known as “Managed byte code”. A program can declare an unsafesection of code and drop out from the managed area to run something like unmanaged C++ or the like.This paper will show how to run raw/unmanaged ASM in a normal safe C# application.
- Reflection’s Hidden Power: “Modifying Programs at Run-Time”
- 101
- C#
- 101
- A tour of the C# language - docs.ms
- C# (pronounced "See Sharp") is a modern, object-oriented, and type-safe programming language. C# has its roots in the C family of languages and will be immediately familiar to C, C++, Java, and JavaScript programmers. This tour provides an overview of the major components of the language in C# 8 and earlier.
- A tour of the C# language - docs.ms
- Learning
- Get started with C# - docs.ms
- Inside a C# program - docs.ms
- The section discusses the general structure of a C# program, and includes the standard "Hello, World!" example.
- C# 101 - Channel9 MSDN
- Reflection
- Scripting/ClearScript
- ClearScript
- A library for adding scripting to .NET applications. Supports V8 (Windows, Linux, macOS) and JScript/VBScript (Windows).
- ClearScript FAQtorial
- Cutting Edge : A Look at ClearScript - Dino Esposito(2014 docs.ms)
- ClearScript
- Tactics
- Getting Started in Covert .NET Tradecraft for Post-Exploitation – Kyle Avery(BHIS2021)
- "This Black Hills Information Security (BHIS) webcast will cover OPSEC safe fork-n-run execution with Cobalt Strike, .NET log sources available to network defenders and security vendors, and obfuscation of public C# tools to evade EDR products consistently."
- Getting Started in Covert .NET Tradecraft for Post-Exploitation – Kyle Avery(BHIS2021)
- 101
- Detection
- Interesting DFIR traces of .NET CLR Usage Logs - MenaSec(2019)
- Hijacking .NET to Defend PowerShell - Amanda Rosseau
- Abstract—With the rise of attacks using PowerShell in the recent months, there has not been a comprehensive solution for monitoring or prevention. Microsoft recently released the AMSI solution for PowerShell v5, however this can also be bypassed. This paper focuses on repurposing various stealthy runtime .NET hijacking techniques implemented for PowerShell attacks for defensive monitoring of PowerShell. It begins with a brief introduction to .NET and PowerShell, followed by a deeper explanation of various attacker techniques, which is explained from the perspective of the defender, including assembly modification, class and method injection, compiler profiling, and C based function hooking. Of the four attacker techniques that are repurposed for defensive real-time monitoring of PowerShell execution, intermediate language binary modification, JIT hooking, and machine code manipulation provide the best results for stealthy run-time interfaces for PowerShell scripting analysis
- Sniper
- Informational
- .NET & .NET Core
- Training
- Discovery
- Clipboard
- Clippi-B
- Steals clipboard data written in c#, executable by cobalt-strike or any other unmanaged CLR loader. you'll need costura.fody NuGet package to compile. Targets .NET 4.0 or above, but is potentially backwards compatible with 3.5 if you use an older costura fody NuGet (untested)
- Clippi-B
- ActiveDirectory
- Recon-AD
- As a proof of concept, we[OutflankNL] developed an C/C++ Active Directory reconnaissance tool based on ADSI and reflective DLLs which can be used within Cobalt Strike. The tool is called “Recon-AD” and at this moment consist of seven Reflective DLLs and a corresponding aggressor script. This tool should help you moving away from PowerShell and .NET when enumerating Active Directory and help you stay under the radar from the latest monitoring and defense technologies being applied within modern environments.
- SharpView
- Recon-AD
- Browser
- SharpChromium
- SharpChromium is a .NET 4.0+ CLR project to retrieve data from Google Chrome, Microsoft Edge, and Microsoft Edge Beta.
- SharpChromium
- File Discovery/Hunting
- SharpShares
- Enumerate all network shares in the current domain. Also, can resolve names to IP addresses.
- SauronEye
- Search tool to find specific files containing specific words, i.e. files containing passwords..
- SharpDirLister
- A .NET 4.0 application that uses an optimized file search algorithm that will output a full directory / file listing of a drive in a matter of seconds and at the end it will compress it to a .gz
- SharpFiles
- SharpFinder
- Searches for files matching specific criteria on readable shares within the domain.
- SharpShares
- The goal of SharpShares is to be able to parse different input types and run across a network(s) to find SMB services, authenticate, and pull the ACLs for each share.
- SharpShares
- Network Services
- SharpSSDP
- SSDP Service Discovery
- SharpSSDP
- Processes
- SharpProcEnum
- .NET tool for enumeration processes and dumping memory.
- SharpProcEnum
- Printers
- SharpPrinter
- Printer is a modified and console version of ListNetworks
- SharpPrinter
- Screenshots
- ScreenShooter
- C# program to take a full size screenshot of the window. Takes in 0 or 1 flag for a filename.
- Blogpost
- ScreenShooter
- Services
- AtYourService
- C# .NET Assembly and python script for Service Enumeration. Queries all services on a host and filters out services running as LocalSystem, NT Authority\LocalService, and NT Authority\NetworkService
- AtYourService
- Situational Awarness
- Reconerator
- This is a custom .NET assembly which will perform a number of situational awareness activities.
- Scout
- Scout is a .NET assembly used to perform recon on hosts during a pentest. Specifically, this was created as a way to check a host before laterally moving to it.
- SitRep
- SitRep is intended to provide a lightweight, extensible host triage alternative. Checks are loaded dynamically at runtime from stand-alone files. This allows operators to quickly modify existing checks, or add new checks as required.
- SharpAppLocker
- C# port of the Get-AppLockerPolicy PS cmdlet
- Seatbelt
- Seatbelt is a C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives.
- HastySeries
- A C# toolset to support offensive operators to triage, asses and make intelligent able decisions. Provided operators access to toolsets that can be integrated into other projects and workflow throughout a Red Team, Pentest or host investigation. We built this toolset over a period of a few days, hence the tool prefix of "Hasty".
- Reconerator
- User-Hunting
- SharpSniper
- Find specific users in active directory via their username and logon IP address
- SharpSniper
- Web
- SharpWitness
- SharpWitness is my attempt at cobbling together a C# version of EyeWitness by Christopher Truncer. It still barely functions right now, but will hopefully become more useful once I put some dev time into it.
- SharpFruit
- A C# penetration testing tool to discover low-haning web fruit via web requests.
- SharpShot
- Capture screenshots from .NET, using either native Windows APIs or .NET methods. Screenshots can be saved to disk using a randomly generated file name, or output to the console in base64 encoded form (does not touch disk).
- SharpWitness
- WMI
- SharpStrike
- SharpStrike is a post-exploitation tool written in C# that uses either CIM or WMI to query remote systems. It can use provided credentials or the current user's session.
- SharpStrike
- Clipboard
- Execution Tactics/Techniques
- 101
- Articles/Blogposts/Writeups
- Create a Trimmed Self-Contained Single Executable in .NET Core 3.0 - talkingdotnet.com
- The 68 things the CLR does before executing a single line of your code - mattwarren.org
- In Process Execute Assembly and Mail Slots - N4kedTurtle(2020)
- SharpNado - Teaching an old dog evil tricks using .NET Remoting or WCF to host smarter and dynamic payloads - redxorblue
- SharpNado is proof of concept tool that demonstrates how one could use .Net Remoting or Windows Communication Foundation (WCF) to host smarter and dynamic .NET payloads. SharpNado is not meant to be a full functioning, robust, payload delivery system nor is it anything groundbreaking. It's merely something to get the creative juices flowing on how one could use these technologies or others to create dynamic and hopefully smarter payloads. I have provided a few simple examples of how this could be used to either dynamically execute base64 assemblies in memory or dynamically compile source code and execute it in memory. This, however, could be expanded upon to include different kinds of stagers, payloads, protocols, etc.
- Detecting and Advancing In-Memory .NET Tradecraft - Dominic Chell(2020)
- Talks/Presentations/Videos
- .NET Manifesto - Win Friends and Influence the Loader - Casey Smith(Derbycon2019)
- Everything you never wanted to know about .NET manifests and influencing binary loading. A growing number of security tools, both offensive and defensive rely on the .NET Framework. This talk will focus on a narrow but important aspect. We will cover Application and Machine configuration files, as well as Registration-Free and Side-By-Side Assembly loading. What do all these have in common?Manifests. XML manifest can influence how the Operating System locates and executes binaries. We will explore additional concepts around influencing assembly loads. This talk will provide excellent insight into how these mechanisms work. How they can be subverted, and how they can be instrumented to aid defenders.
- Staying # & Bringing Covert Injection Tradecraft to .NET - The Wover, Ruben Boonen(BlueHat IL 2020)
- As .NET has taken over as the preferred platform for development on Windows, many attackers have chosen to take advantage of its features for post-exploitation tradecraft. Legitimate APIs can be leveraged for nearly every imaginable task, managed code can be loaded and executed from memory with extraordinary ease, and scalable monitoring for suspicious usage of .NET APIs is a problem yet to be solved. However, offensive .NET tools are still hindered by a fundamental weakness: the inability to leverage unmanaged code (such as the Win32/NT APIs) safe from observation by EDR. Managed code must eventually invoke unmanaged code in order to interface with the operating system. It is here that the attacker may be caught in the hooks of any system keen on watching for fundamentally malicious behavior. To expose the depth of tradecraft still unexplored in .NET and highlight the fragility of many existing detections, we will detail the tools we have built for evading these hooks. All of our efforts have been integrated into SharpSploit, a .NET post-exploitation library written in C# that aims to highlight the attack surface of .NET and make the use of offensive .NET easier for red teamers. Over the past few months we have added numerous new tools and techniques for loading and executing unmanaged code safely from .NET. Unmanaged APIs may be safely accessed and modules loaded either from memory or from disk in the new DInvoke API, a dynamic replacement for .NET's PInvoke API. It also includes manual mapping, a generic syscall wrapper, a new technique we call Module Overloading, and more. Additionally, we have added a modular process injection API that allows tool developers to build their own injection technique. Simply select an allocation and injection primitive, pass in any options, and execute the result with your preferred payload. This exposes all possible design decisions to the user, and allows for easy adaptation when existing tools fail. In our talk we will focus on explaining the fundamental tradecraft behind these new developments, the challenges and requirements associated with them, and how they can be adapted to suit your needs. Additionally, we will discuss how SharpSploit can be combined with other open-source projects to be integrated into a red team's tooling. As much as possible, we will also discuss how to counter and detect the techniques that we have developed. Finally, we will explain the community-focused development of these projects and how you too can contribute to advance open-source .NET tradecraft
- .NET Manifesto - Win Friends and Influence the Loader - Casey Smith(Derbycon2019)
- Papers
- Tools
- SharpCollection - Flangvik
- Nightly builds of common C# offensive tools, fresh from their respective master branches built and released in a CDI fashion using Azure DevOps release pipelines.
- SharpGen
- SharpGen is a .NET Core console application that utilizes the Rosyln C# compiler to quickly cross-compile .NET Framework console applications or libraries.
- SharpCompile
- SharpCompile is an aggressor script for Cobalt Strike which allows you to compile and execute C# in realtime. This is a more slick approach than manually compiling an .NET assembly and loading it into Cobalt Strike. The project aims to make it easier to move away from adhoc PowerShell execution instead creating a temporary assembly and executing using beacon's 'execute-assembly' in seconds.
- NetLoader
- Loads any C# binary from filepath or url, patching AMSI and bypassing Windows Defender on runtime
- AppDomainExample
- A .NET tool that uses AppDomain's to enable dynamic execution and escape detection.
- SharpAttack
- SharpAttack is a console for certain things I use often during security assessments. It leverages .NET and the Windows API to perform its work. It contains commands for domain enumeration, code execution, and other fun things.
- PowerSharpPack
- Many usefull offensive CSharp Projects wraped into Powershell for easy usage.
- peloader.cs
- This scripts loads a base64 encoded x64 PE file (eg: Mimikatz or a Meterpreter) into memory and reflectively executes it.
- RunSharp
- Simple program that allows you to run commands as another user without being prompted for their password. This is useful in cases where you don't always get feedback from a prompt, such as the case with some remote shells.
- GrayFrost
- GrayFrost is a C++ DLL delivery system for C# payloads. Once compiled, GrayFrost can be injected into .NET applications using any DLL injection technique you wish!
- RunPE
- C# Reflective loader for unmanaged binaries.
- RunasCs
- RunasCs is an utility to run specific processes with different permissions than the user's current logon provides using explicit credentials.
- RunDLL.Net
- Execute .Net assemblies using Rundll32.exe
- Fork-n-Run
- Experimenting with reusable components for fork n' run operations.
- ExecuteAssembly
- ExecuteAssembly is an alternative of CS execute-assembly, built with C/C++ and it can be used to Load/Inject .NET assemblies by; reusing the host (spawnto) process loaded CLR Modules/AppDomainManager, Stomping Loader/.NET assembly PE DOS headers, Unlinking .NET related modules, bypassing ETW+AMSI, avoiding EDR hooks via NT static syscalls (x64) and hiding imports by dynamically resolving APIs via superfasthash hashing algorithm.
- SharpZipRunner
- Executes position independent shellcode from an encrypted zip. Get PIC code from your assembly either by using donut or metasploit or cobaltstrike RAW format.
- DllExport
- .NET DllExport with .NET Core support (aka 3F/DllExport)
- RunDllMShim
- A bridge DLL to make calling a managed assembly/type/method from an unmanaged dll invoker rundll32.exe easier)
- Marauders Map
- The internal attacker toolkit heavily inspired by the folks of MDSec and their SharpPack, highly recommend checking that post out. The Marauders Map is meant to be used on assessments where you have gained GUI access to an enviornment. The Marauders Map is a DLL written in C#, enriched by the DllExport project to export functions that can serve as an entrypoint of invocation for unmanaged code such as rundll32.
- CSharpExec
- This project can use both the current context and credentials to connect to a remote host, copy the payload, and then create and start a service. Once the service is running, it will then remove it.
- CSharpRunAs
- Run As... In C#...
- DInvoke
- Dynamically invoke arbitrary unmanaged code from managed code without PInvoke.
- InMemoryNET
- Exploring in-memory execution of .NET
- CoreSploit
- A Post-Exploitation Framework written for .NET 5.0 (Previously known as .NET Core)
- SharpMapExec
- A sharpen version of CrackMapExec. This tool is made to simplify penetration testing of networks and to create a swiss army knife that is made for running on Windows which is often a requirement during insider threat simulation engagements.
- ExecutionTesting.cs
- Execute process under a different PID and retrieve the output.
- metasploit-execute-assembly
- Custom Metasploit post module to executing a .NET Assembly from Meterpreter session
- Vanara
- A set of .NET libraries for Windows implementing PInvoke calls to many native Windows APIs with supporting wrappers.
- AggressiveGadgetToJScript
- A Cobalt Strike Aggressor script to generate GadgetToJScript payloads
- Emulating Covert Operations - Dynamic Invocation (Avoiding PInvoke & API Hooks) - TheWover
- go-dotnet
- Go wrapper for the .NET Core Runtime.
- go-execute-assembly
- Allow a Go process to dynamically load .NET assemblies
- SharpDllProxy
- Retrieves exported functions from a legitimate DLL and generates a proxy DLL source code/template for DLL proxy loading or sideloading
- Massaging your CLR: Preventing Environment.Exit in In-Process .NET Assemblies - Peter Winter-Smith(2020
- Ceramic
- A simple dotNET 5.0 application I built to do common Red Teaming things for me. This way no dotnet core and will run on Linux and windows. Think of this like a multi tool om for educational red teaming.
- AppLocker-Bypass
- Bypassing AppLocker with C#
- SharpCollection - Flangvik
- Adversary Simulation
- PurpleSharp
- PurpleSharp is a C# adversary simulation tool that executes adversary techniques with the purpose of generating attack telemetry in monitored Windows environments
- PurpleSharp
- Assemblies & AppDomains
- 101
- Assemblies in .NET - docs.ms
- Assemblies form the fundamental units of deployment, version control, reuse, activation scoping, and security permissions for .NET-based applications. An assembly is a collection of types and resources that are built to work together and form a logical unit of functionality. Assemblies take the form of executable (.exe) or dynamic link library (.dll) files, and are the building blocks of .NET applications. They provide the common language runtime with the information it needs to be aware of type implementations.
- Strong-named assemblies - docs.ms
- Global Assembly Cache - docs.ms
- Working with Assemblies and the Global Assembly Cache - docs.ms
- Application Domains and Assemblies How-to Topics - docs.ms
- The following sections contain links to all How-to topics found in the conceptual documentation for programming with application domains and assemblies.
- Assemblies in .NET - docs.ms
- Articles/Blogposts/Writeups
- Tools
- Execution of
- Articles/Blogposts/Writeups
- RunDLL32 your .NET (AKA DLL exports from .NET) - Adam Chester
- In this post I wanted to look at a technique which is by no means new to .NET developers, but may prove useful to redteamers crafting their tools... exporting .NET static methods within a DLL... AKA using RunDLL32 to launch your .NET assembly.
- Running a .NET Assembly in Memory with Meterpreter - Thomas Hendrickson
- Shellcode: Loading .NET Assemblies From Memory(2019)
- RunDLL32 your .NET (AKA DLL exports from .NET) - Adam Chester
- Tools
- DotNetToJScript
- Articles/Blogposts/Writeups
- Executing C# Assemblies from Jscript and wscript with DotNetToJscript - @spottheplanet
- Advanced TTPs – DotNetToJScript (Part 1) - Jerry Odegaard(2020)
- Advanced TTPs – DotNetToJScript – Part 3 - Jerry Odegaard(2020)
- CSharp, DotNetToJScript, XSL - RastaMouse
- Extracting DotNetToJScript’s PE Files - Didier Stevens(2018)
- Tools
- DotNetToJScript
- This file is part of DotNetToJScript - A tool to generate a JScript which bootstraps an arbitrary .NET Assembly and class.
- DotNetToJScript
- Articles/Blogposts/Writeups
- Inject-as-Shellcode
- Articles/Blogposts/Writeups
- Tools
- CLRVoyance
- CLRvoyance is a shellcode kit that supports bootstrapping managed assemblies into unmanaged (or managed) processes. It provides three different implementations of position independent shellcode for CLR hosting, as well as a generator script for quickly embedding a managed assembly in position independent shellcode.
- Donut
- Generates x86, x64, or AMD64+x86 position-independent shellcode that loads .NET Assemblies, PE files, and other Windows payloads from memory and runs them with parameters
- CLRVoyance
- From Native Code
- Tools
- CLRHosting
- Library for reflectively loading .NET Assemblies using only the unmanaged CLR Hosting APIs provided by mscoree.dll. This imitates how the Windows Loader loads .NET EXEs and DLLS. This is the most OpSec friendly way to load Assemblies, since it is bootstrapped by an unmanaged executable (and is therefore harder to reverse) and does not use any .NET Framework libraries (such as System.Reflection). Because the result is an unmanaged PE-formatted EXE or DLL, the result may be injected into processes using standard process injection techniques. Therefore, managed Assemblies may be injected into unmanaged processes. Additionally, unmanaged on-disk stagers (written in C/C++) may be built that load .NET payloads (written in C#, etc.).
- DotNetReflectiveLoading
- This project is the culmination of playing around with the native application CLR hosting APIs. It provides the ability to reflectively load and execute code from .NET assemblies, and will be a bit of an exploration of the COM and reflection facilities underpinning .NET on Windows.
- AssemblyLoader
- Loads .NET Assembly Via CLR Loader
- Donut
- "Donut contains a CLR Host loader that is converted to shellcode"
- CLRHosting
- Tools
- Articles/Blogposts/Writeups
- 101
- DInvoke
- DInvoke
- Dynamically invoke arbitrary unmanaged code from managed code without PInvoke.
- Primer to DInvokes Injection API and a tale of token duplication and command-line spoofing on the cheap - Jean Maes(2021)
- D/Invokify PPID Spoofy & BlockDLLs - Rasta Mouse(2020)
- Process Injection using DInvoke - Rasta Mouse
- Syscalls with D/Invoke - RastaMouse2021
- Primer to DInvokes Injection API and a tale of token duplication and command-line spoofing on the cheap - Jean Maes(2021)
- DInjector
- Collection of shellcode injection techniques packed in a D/Invoke weaponized DLL
- DInvokeProcessHollowing
- BetterSafetyKatz
- Fork of SafetyKatz that dynamically fetches the latest pre-compiled release of Mimikatz directly from gentilkiwi GitHub repo, runtime patches signatures and uses SharpSploit DInvoke to PE-Load into memory.
- NoAmci
- A PoC for using DInvoke to patch AMSI.dll in order to bypass AMSI detections triggered when loading .NET tradecraft via Assembly.Load(). .Net tradecraft can be compressed, encoded (encrypted if required) in order to keep the assembly size less than 1MB, then embedded as a resource to be loaded after patching amsi.dll memory.
- DInvoke
- MSBuild-related
- MS-SQL-related
- Attacking SQL Server CLR Assemblies - Scott Sutherland
- During this webinar we’ll review how to create, import, export, and modify CLR assemblies in SQL Server with the goal of privilege escalation, OS command execution, and persistence. Scott will also share a few PowerUpSQL functions that can be used to execute the CLR attacks on a larger scale in Active Directory environments.
- Attacking SQL Server CLR Assemblies - Scott Sutherland
- Payloads
- SharPyShell
- tiny and obfuscated ASP.NET webshell for C# web applications
- TCPRelayInjecter2
- Tool for injecting a "TCP Relay" managed assembly into an unmanaged process
- Salsa Tools
- Salsa Tools is a collection of three different tools that combined, allows you to get a reverse shell on steroids in any Windows environment without even needing PowerShell for it's execution. In order to avoid the latest detection techniques (AMSI), most of the components were initially written on C#. Salsa Tools was publicly released by Luis Vacas during his Talk “Inmersión en la explotación tiene rima” which took place during h-c0n in 9th February 2019.
- CasperStager
- PoC for persisting .NET payloads in Windows Notification Facility (WNF) state names using low-level Windows Kernel API calls.
- SharPyShell
- Exfiltration
- Tools
- SharpBox
- sharpbysentinel
- FireEater
- FireEater allows a user to interact with the Windows firewall through .NET APIs. Requires Admin privs.
- Tools
- Privilege Escalation
- SharpUp
- SharpUp is a C# port of various PowerUp functionality. Currently, only the most common checks have been ported; no weaponization functions have yet been implemented.
- Net-GPPPassword
- .NET/C# implementation of Get-GPPPassword. Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences.
- Active Directory
- Grouper2
- Find vulnerabilities in AD Group Policy
- SharpExchangePriv
- A C# implementation of PrivExchange by
@_dirkjan. Kudos to @g0ldenGunSec, as I relied on his code.
- A C# implementation of PrivExchange by
- Grouper2
- Patches
- Watson
- Enumerate missing KBs and suggest exploits for useful Privilege Escalation vulnerabilities
- Watson
- Registry
- Reg1c1de: Windows Registry Privesc Scanner
- Reg1c1de is a tool that scans specified registry hives and reports on any keys where the user has write permissions In addition, if any registry values are found that contain file paths with certain file extensions and they are writeable, these will be reported as well.
- Blogpost
- Reg1c1de: Windows Registry Privesc Scanner
- Services
- SneakyService
- A simple C# windows service implementation that can be used to demonstrate privilege escalation from misconfigured windows services.
- SneakyService
- SharpUp
- Collection
- Sharp-Profit
- "Sharp-Profit is a C# version of my Profit script. This version can be utilized with Cobalt Strike's execute-assembly function."
- Browser
- FirePwd.Net
- FirePwd.Net is an open source tool wrote in C# to decrypt Mozilla stored password.
- SharpWeb
- SharpWeb is a .NET 2.0 CLR compliant project that can retrieve saved logins from Google Chrome, Firefox, Internet Explorer and Microsoft Edge. In the future, this project will be expanded upon to retrieve Cookies and History items from these browsers.
- FirePwd.Net
- File-Hunting
- SharpSearch
- Search files for extensions as well as text within.
- SharpSearch
- Monitoring
- WireTap
- .NET 4.0 Project to interact with video, audio and keyboard hardware.
- SharpLogger
- Keylogger written in C#
- WireTap
- Sharp-Profit
- Persistence
- Scheduled Tasks
- General
- SharpStay
- .NET project for installing Persistence
- SharpHide
- Technique Whitepaper
- Just a nice persistence trick to confuse DFIR investigation. Uses NtSetValueKey native API to create a hidden (null terminated) registry key. This works by adding a null byte in front of the UNICODE_STRING key valuename.
- SharpStay
- Golden Tickets
- GoldenTicket
- This .NET assembly is specifically designed for creating Golden Tickets. It has been built with a custom version of SharpSploit and an old 2.0 alpha (x64) version of Powerkatz.
- GoldenTicket
- Registry-related
- Reg_Built
- C# Userland Registry RunKey persistence
- Reg_Built
- Scheduled Tasks
- Articles/Blogposts/Writeups
- Tools
- Task Scheduler
- Provides a .NET wrapper for the Windows Task Scheduler. It aggregates the multiple versions, provides an editor and allows for localization.
- Task Scheduler
- Services
- Unstoppable Service
- A pattern for a self-installing Windows service in C# with the unstoppable attributes in C#.
- Unstoppable Service
- Credential Attacks
*
* SharpCGHunter
* SharpHook
* SharpHook is inspired by the SharpRDPThief project, It uses various API hooks in order to give us the desired credentials. In the background it uses the EasyHook project, Once the desired process is up and running SharpHook will automatically inject its dependencies into the target process and then, It will send us the credentials through EasyHook's IPC server.
* SharpHandler
* This project reuses open handles to lsass to parse or minidump lsass, therefore you don't need to use your own lsass handle to interact with it.
* CloneVault
* CloneVault allows a red team operator to export and import entries including attributes from Windows Credential Manager. This allows for more complex stored credentials to be exfiltrated and used on an operator system. It is aimed at making it possible to port credentials that store credential material in binary blobs or those applications that store data in custom attributes. There are many use cases, please see our demonstration of cloning access to Microsoft OneDrive on the MDSec Blog
- Process Memory
- Writing Minidumps in C# - docs.ms
- Dumping Process Memory with Custom C# Code - 3xplo1tcod3r
- SharpDump
- SharpDump is a C# port of PowerSploit's Out-Minidump.ps1 functionality.
- ATPMiniDump
- Dumping LSASS memory with MiniDumpWriteDump on PssCaptureSnapShot to evade WinDefender ATP credential-theft.
- Blogpost
- SafetyKatz
- SafetyKatz is a combination of slightly modified version of @gentilkiwi's Mimikatz project and @subtee's .NET PE Loader.
- KittyLitter
- This project was made for an upcoming event. It is comprised of two components, KittyLitter.exe and KittyScooper.exe. This will bind across TCP, SMB, and MailSlot channels to communicate credential material to lowest privilege attackers.
- Clipboard
- SharpClipboard
- C# Clipboard Monitor
- Blogpost
- SharpClipHistory
- SharpClipHistory is a .NET application written in C# that can be used to read the contents of a user's clipboard history in Windows 10 starting from the 1809 Build.
- SharpClipboard
- Credentials on Disk/Stored in files
- SharpCloud
- SharpCloud is a simple C# utility for checking for the existence of credential files related to Amazon Web Services, Microsoft Azure, and Google Compute.
- SharpCloud
- DPAPI
- SharpDPAPI
- SharpDPAPI is a C# port of some Mimikatz DPAPI functionality.
- DonPAPI
- SharpDPAPI
- Fake UI Prompt
- Tools
- SharpLocker
- SharpLocker helps get current user credentials by popping a fake Windows lock screen, all output is sent to Console which works perfect for Cobalt Strike. It is written in C# to allow for direct execution via memory injection using techniques such as execute-assembly found in Cobalt Strike or others, this method prevents the executable from ever touching disk. It is NOT intended to be compilled and run locally on a device.
- SharpLoginPrompt
- This Program creates a login prompt to gather username and password of the current user. This project allows red team to phish username and password of the current user without touching lsass and having adminitrator credentials on the system.
- ICU
- Cred Prompt Phishing
- SharpLocker
- Tools
- Kerberos
- Rubeus
- Rubeus is a C# toolset for raw Kerberos interaction and abuses. It is heavily adapted from Benjamin Delpy's Kekeo project (CC BY-NC-SA 4.0 license) and Vincent LE TOUX's MakeMeEnterpriseAdmin project (GPL v3.0 license). Full credit goes to Benjamin and Vincent for working out the hard components of weaponization- without their prior work this project would not exist.https://www.slideshare.net/aj0612/a-study-on-net-framework-for-red-team-part-i
- Rubeus
- LLMNR/NBNS Spoofing
- InveighZero
- Windows C# LLMNR/mDNS/NBNS/DNS spoofer/man-in-the-middle tool
- InveighZero
- Multi-Tools
- SafetyKatz
- SafetyKatz is a combination of slightly modified version of @gentilkiwi's Mimikatz project and @subtee's .NET PE Loader.
- SafetyKatz
- Password Spray
- SharpSpray
- SharpSpray a simple code set to perform a password spraying attack against all users of a domain using LDAP and is compatible with Cobalt Strike.
- SharpSpray
- Proxy
- FreshCookies
- C# .NET 3.5 tool that keeps proxy auth cookies fresh by maintaining a hidden IE process that navs to your hosted auto refresh page. Uses WMI event listeners to monitor for InstanceDeletionEvents of the Internet Explorer process, and starts a hidden IE process via COM object if no other IE processes are running.
- FreshCookies
- Password Spraying
- SharpDomainSpray
- SharpDomainSpray is a very simple password spraying tool written in .NET. It takes a password then finds users in the domain and attempts to authenticate to the domain with that given password.
- SharpDomainSpray
- RDP
- RdpThief
- RdpThief by itself is a standalone DLL that when injected in the mstsc.exe process, will perform API hooking, extract the clear-text credentials and save them to a file.
- Blogpost
- HookedRDP
- SharpRDPCheck
- Use to check the valid account of the Remote Desktop Protocol(Support plaintext and ntlmhash)
- RdpThief
- Vault Credentials
- SharpEdge
- C# Implementation of Get-VaultCredential - Get-VaultCredential enumerates and displays all credentials stored in the Windows vault. Web credentials, specifically are displayed in cleartext. This script was inspired by the following C implementation: http://www.oxid.it/downloads/vaultdump.txt
- SharpEdge
- ActiveDirectory-related
- ADFSpoof
- A python tool to forge AD FS security tokens. - Meant to be used with ADFSDump
- ADFSDump
- ADFSDump is a tool that will read information from Active Directory and from the AD FS Configuration Database that is needed to generate forged security tokens. This information can then be fed into ADFSpoof to generate those tokens. - Meant to be used with ADFSpoof
- SharpAdidnsdump
- c# implementation of Active Directory Integrated DNS dumping (authenticated user)
- SprayAD
- This tool can help Red and Blue teams to audit Active Directory useraccounts for weak, well known or easy guessable passwords and can help Blue teams to assess whether these events are properly logged and acted upon. When this tool is executed, it generates event IDs 4771 (Kerberos pre-authentication failed) instead of 4625 (logon failure). This event is not audited by default on domain controllers and therefore this tool might help evading detection while password spraying.
- ADFSpoof
- Process Memory
- Lateral Movement
- Multiple
- .NET Remoting
- DCOM
- SharpCOM
- SharpCOM is a c# port of Invoke-DCOM
- SharpExcel4-DCOM
- Port of Invoke-Excel4DCOM
- SharpCOM
- MSSQL
- Lateral movement via MSSQL: a tale of CLR and socket reuse - Juan Manuel Fernandez, Pablo Martínez
- Recently, our Red Team had to deal with a restricted scenario, where all traffic from the DMZ to the main network was blocked, except for connections to specific services like databases and some web applications. In this article, we will explain how we overcame the situation, covering the technical details. We also introduce mssqlproxy, a tool for turning a Microsoft SQL Server into a socks proxy.
- Lateral movement via MSSQL: a tale of CLR and socket reuse - Juan Manuel Fernandez, Pablo Martínez
- NTLM
- RDP
- Articles/Blogposts/Writeups
- Tools
- SharpRPD
- Remote Desktop Protocol .NET Console Application for Authenticated Command Execution
- SharpDoor
- SharpDoor is alternative RDPWrap written in C# to allowed multiple RDP (Remote Desktop) sessions by patching termsrv.dll file, for opsec considerations SharpDoor still using cmd.exe to run sc services to impersonating as trustedinstaller in the future will be avoiding cmd.exe usage, currently only support for Windows 10.
- SharpRDP
- Blogpost
- Remote Desktop Protocol .NET Console Application for Authenticated Command Execution
- SharpRPD
- Registry
- SCShell
- Fileless lateral movement tool that relies on ChangeServiceConfigA to run command
- SCShell
- SMB
- CSExec
- This is an example for how to implement psexec (from SysInternals Suite) functionality, but in open source C#. This does not implement all of the psexec functionality, but it does implement the equivalent functionality to running: psexec -s \target-host cmd.exe
- SharpInvoke-SMBExec
- A native C# conversion of Kevin Robertsons Invoke-SMBExec powershell script.
- SharpSMBSpray
- Spray a hash via smb to check for local administrator access
- CSExec
- WinRM
- CSharp-WinRM
- .NET 4.0 WinRM API Command Execution
- CSharp-WinRM
- WMI
- SharpWMI
- SharpWMI is a C# implementation of various WMI functionality. This includes local/remote WMI queries, remote WMI process creation through win32_process, and remote execution of arbitrary VBS through WMI event subscriptions. Alternate credentials are also supported for remote methods.
- SharpInvoke-WMIExec
- A native C# conversion of Kevin Robertsons Invoke-SMBExec powershell script
- SharpWMI
- Evasion
- Articles/Blogposts/Writeups
- DotNet Core: A Vector For AWL Bypass & Defense Evasion - bohops
- AppLocker Bypass – Assembly Load - pentestlab.blog
- Hiding Your .NET – ETW - Adam Chester(2020)
- Red Team Tradecraft: Loading Encrypted C# Assemblies In Memory - Mike Gualtieri(2020
- Bring your own .NET Core Garbage Collector - Paul Laine(2020)
- Dynamic Invocation in .NET to bypass hooks - Jean-Francois Maes(2020
- TLDR: This blogpost showcases several methods of dynamic invocation that can be leveraged to bypass inline and IAT hooks. A proof of concept can be found here: DInvisibleRegistry
- Abusing .NET Core – Evasion - pentestlaboratories.com
- Defeating EDRs using Dynamic invocation - Jean-Francois Maes(Mayhem2021 RTV)
- Abstract: How can red team operators emulate covert operations and operate at the same level as a real threat group? EDR solutions can make the life of a red team operator significantly harder. Dynamic invocation (also known as D/Invoke) – a sub branch of the popular “Sharpsploit” project, can help with evading those pesky EDR’s and execute your payloads successfully. In this presentation, we will go over D/Invokes capabilities and how to leverage them in your red team operations. https://www.virusbulletin.com/virusbulletin/2016/07/journey-evasion-enters-behavioural-phase/
- Bypassing Anti-Viruses by C#.NET Programming - Damon Mohammadbagher
- Crimson Forge
- Crimson Forge intends to provide sustainable evasion capabilities for native code on the x86 and AMD64 architectures. It achieves this by rewriting the input code utilizing the following two techniques: Shuffling: Instructions are shuffled into a new order at the basic block level. This is a reliable technique and does not modify the size of resulting binary; Alterations: Instructions are swapped with functional equivalents, effectively de-optimizing them. New instructions are inserted into the same graph used by the Shuffling technique, allowing them to be reordered as well.
- LoGiC .NET
- LoGiC.NET is a free and open-source .NET obfuscator that uses dnlib for folks that want to see how obfuscation works with more complex obfuscations than Goldfuscator for example.
- Assembly.Lie – Using Transactional NTFS and API Hooking to Trick the CLR into Loading Your Code “From Disk” - redxorblue.com
- Talks/Presentations/Videos
- Simple Windows Application Whitelisting Evasion - Casey Smith(ShmooCon 2015)
- Quick Retooling in .Net for Red Teams - Dimitry Snezhkov(CircleCityCon2018
- Quick Retooling in .Net for Red Teams PowerShell gave us a super-highway of convenient building blocks for offensive toolkits and operational automation. However, use of standalone .Net implants may be a desirable option in cases where PowerShell is heavily inspected and logged. While there are great toolkits to invoke unmanaged PowerShell or directly interface with .Net CLR - they are also statically compiled, and therefore easier identified by the defense. Red Teams are faced with specific challenges when they need to retool quickly in the field with .Net payloads. Can .Net toolkits accomplish their goals while maintaining flexibility, quick in-field retooling and operational security in the face of current detection mechanisms? We think so. This talk walks through some of the options present to the operators for .Net code compilation and presents ideas for extensibility of .Net tools at runtime, with the help of Dynamic Language Runtime (DLR). We will dive deeper into operational security lessons learned from dynamic code compilation. We will attempt to move beyond static nature of .Net assemblies into reflective DLR, achieving on-the-fly access to native Windows API. We will also discuss some methods of hiding sensitive aspects of execution in managed code memory. We will also touch on ways to help Defense fingerprint the attacks involving dynamic compilation of .Net assemblies, use of DLR and building blocks of offensive tooling involved in the process. A concept tool built on these ideas will be presented and released. It will be used as basis for our discussion.
- Tools
- tvasion
- Anti virus evasion based on file signature change via AES encryption with Powershell and C# AV evasion templates which support executable and Powershell payloads with Windows executable, Powershell or batch output. Developed with Powershell on Linux for Windows targets :)
- AVIator
- Antivirus evasion project
- PEunion
- PEunion bundles multiple executables (or any other file type) into a single file. Each file can be configured individually to be compressed, encrypted, etc. In addition, an URL can be provided for a download to be executed. The resulting binary is compiled from dynamically generated C# code. No resources are exposed that can be harvested using tools like Resource Hacker. PEunion does not use managed resources either. Files are stored in byte[] code definitions and when encryption and compression is applied, files become as obscure as they can get.
- Self-Morphing C# Binary
- C# binary that mutates its own code, encrypts and obfuscates itself on runtime
- Inception-Framework
- Inception provides In-memory compilation and reflective loading of C# apps for AV evasion. Payloads are AES encrypted before transmission and are decrypted in memory. The payload server ensures that payloads can only be fetched a pre-determined number of times. Once decrypted, Roslyn is used to build the C# payload in memory, which is then executed using reflection.
- SharpLoadImage
- Hide .Net assembly into png images
- BlockETW
- .Net Assembly to block ETW telemetry in current process
- SharpPack
- Blogpost
- SharpPack is a toolkit for insider threat assessments that lets you defeat application whitelisting to execute arbitrary DotNet and PowerShell tools.
- tvasion
- Articles/Blogposts/Writeups
- Script Repos/Good Stuff
- GhostPack
- SharpSploit
- SharpSploit is a .NET post-exploitation library written in C# that aims to highlight the attack surface of .NET and make the use of offensive .NET easier for red teamers.
- Sharp-Suite
- FuzzySecurity: 'My musings with C#'
- OffensiveCSharp-matterpreter
- This is a collection of C# tooling and POCs I've created for use on operations. Each project is designed to use no external libraries. Open each project's .SLN in Visual Studio and compile as "Release".
- bytecode-api
- C# library with common classes, extensions and additional features in addition to the .NET Framework. BytecodeApi implements lots of extensions and classes for general purpose use. In addition, specific classes implement more complex logic for both general app development as well as for WPF apps. Especially, boilerplate code that is known to be part of any Core DLL in a C# project is likely to be already here. In fact, I use this library in many of my own projects. For this reason, each class and method has been reviewed numerous times. BytecodeApi is highly consistent, particularly in terms of structure, naming conventions, patterns, etc. The entire code style resembles the patterns used in the .NET Framework itself. You will find it intuitive to understand.
- OutlookToolbox
- OutlookToolbox is a C# DLL that uses COM to do stuff with Outlook. Also included is a Cobalt Strike aggressor script that uses Outlooktoolbox.dll to give it a graphical and control interface.
- Blogpost
- OffensiveDLR
- Toolbox containing research notes & PoC code for weaponizing .NET's DLR
- RedTeamCSharpScripts - Mr-Un1k0d3r
- CSharpScripts - Arno0x
- Named Pipes
- This is a proof of concept / pattern concept for creating a client/server communication model with named pipes in C#. In this example, a client passes a message to the server over a named pipe which is then executed as a command on the server. The standard out and standard error are redirected back to the client over the named pipe and printed to the terminal screen.
- Utiltiies
- Compression
- MiddleOut
- This tool was created to compress files through the command line and will work with Cobalt Strike's execute-assembly.
- MiddleOut
- Files
- FileWriter
- .NET project for writing files to local or remote hosts
- LockLess
- LockLess is a C# tool that allows for the enumeration of open file handles and the copying of locked files.
- FileWriter
- Scheduled Tasks
- Creating Scheduled Tasks(C#) - StackOverflow
- Creating a Task Using NewWorkItem Example - docs.ms
- SharpTask
- SharpTask is a simple code set to interact with the Task Scheduler service API using the same DCERPC process as schtasks.exe, which open with TCP port 135 and is followed by the use of an ephemeral TCP port. This code is compatible with Cobalt Strike.
- Unsorted
- SharpWebServer
- A Red Team oriented simple HTTP & WebDAV server written in C# with functionality to capture Net-NTLM hashes. To be used for serving payloads on compromised machines for lateral movement purposes.
- C# CmdLineHelper.cs Command line Parser
- Cecil
- Mono.Cecil is a library to generate and inspect programs and libraries in the ECMA CIL form.
- SharpWebServer
- Compression
Powershell Things
- 101
- Why I Choose PowerShell as an Attack Platform - @mattifestation(2012)
- The PowerSploit Manifesto - @mattifestation(2015)
- PowerShell is Not Special - An Offensive PowerShell Retrospective - @mattifestation(2017)
- APTs ❤️PowerShell You Should Too - Anthony Rose, Jake Krasnov(Defcon Safe Mode RTV)
- Quite often, you may have heard people mention, “Why should you bother learning PowerShell, isn’t it dead?” or “Why not just use C#?” Many individuals in the offensive security field have a common misconception that PowerShell is obsolete for red team operations. Meanwhile, it remains one of the primary attack vectors employed by Advanced Persistent Threats (APTs). APTs are known for implementing sophisticated hacking tactics, techniques, and procedures (TTPs) to gain access to a system for an extended period of time. Their actions typically focus on high-value targets, which leave potentially crippling consequences to both nation-states and corporations. It is crucial that Red Teams accurately emulate real-world threats and do not ignore viable attack options. For this talk, we will walk through how many threat actors adapt and employ PowerShell tools. Our discussion begins with examining how script block logging and AMSI are powerful anti-offensive PowerShell measures. However, the implementation of script block logging places a technical burden on organizations to conduct auditing on a substantial amount of data. While AMSI is trivial to bypass for any capable adversary. Finally, we will demonstrate APT-like PowerShell techniques that remain incredibly effective against the latest generation of network defenses.
- Learning
- Articles/Blogposts/Writeups
- PowerShell 101 - Carlos Perez
- Get-Help: An Intro to PowerShell and How to Use it for Evil - Jared Haight
- Brosec
- Brosec is a terminal based reference utility designed to help us infosec bros and broettes with usefuPowershelll (yet sometimes complex) payloads and commands that are often used during work as infosec practitioners. An example of one of Brosec's most popular use cases is the ability to generate on the fly reverse shells (python, perl, powershell, etc) that get copied to the clipboard.
- Talks/Presentations/Videos
- PowerShell Inside Out: Applied .NET Hacking for Enhanced Visibility - Satoshi Tanda(CodeBlueTokyo2017)
- Slides
- Code
- This talk will discuss how to gain greater visibility into managed program execution, especially for PowerShell, using a .NET native code hooking technique to help organizations protect themselves from such advanced attacker techniques. In this session, we will demonstrate how to enhance capabilities provided by AMSI and how to overcome its limitations, through a realistic implementation of the technique, all while analyzing the internals of .NET Framework and the PowerShell engine.
- Defensive Coding Strategies for a High-Security Environment - Matt Graeber - PowerShell Conference EU 2017
- How sure are you that your PowerShell code is prepared to handle anything that a user might throw at it? What if the user was an attacker attempting to circumvent security controls by exploiting a vulnerability in your script? This may sound unrealistic but this is a legitimate concern of the PowerShell team when including PowerShell code in the operating system. In a high-security environment where strict AppLocker or Device Guard rules are deployed, PowerShell exposes a large attack surface that can be used to circumvent security controls. While constrained language mode goes a long way in preventing malicious PowerShell code from executing, attackers will seek out vulnerabilities in trusted signed code in order to circumvent security controls. This talk will cover numerous different ways in which attackers can influence the execution of your code in unanticipated ways. A thorough discussion of mitigations against such attacks will then follow.
- APTs LOVE PowerShell and Why You Should Too - Anthony Rose & Jake Krasnov(Defcon28RedTeamVillage)
- "Quite often, you may have heard people mention, “Why should you bother learning PowerShell, isn’t it dead?” or “Why not just use C#?” Many individuals in the offensive security field have a common misconception that PowerShell is obsolete for red team operations. Meanwhile, it remains one of the primary attack vectors employed by Advanced Persistent Threats (APTs). APTs are known for implementing sophisticated hacking tactics, techniques, and procedures (TTPs) to gain access to a system for an extended period of time. Their actions typically focus on high-value targets, which leave potentially crippling consequences to both nation-states and corporations. It is crucial that Red Teams accurately emulate real-world threats and do not ignore viable attack options. For this talk, we will walk through how many threat actors adapt and employ PowerShell tools. Our discussion begins with examining how script block logging and AMSI are powerful anti-offensive PowerShell measures. However, the implementation of script block logging places a technical burden on organizations to conduct auditing on a substantial amount of data. While AMSI is trivial to bypass for any capable adversary. Finally, we will demonstrate APT-like PowerShell techniques that remain incredibly effective against the latest generation of network defenses.
- PowerShell Inside Out: Applied .NET Hacking for Enhanced Visibility - Satoshi Tanda(CodeBlueTokyo2017)
- Articles/Blogposts/Writeups
- File Parsing
- Logging
- Discovery
- AD
- Powersploit-PowerView
- PowerView is a PowerShell tool to gain network situational awareness on Windows domains. It contains a set of pure-PowerShell replacements for various windows "net *" commands, which utilize PowerShell AD hooks and underlying Win32 API functions to perform useful Windows domain functionality.
- PowerShell-AD-Recon
- AD PowerShell Recon Scripts
- PowEnum
- PowEnum executes common PowerSploit Powerview functions and combines the output into a spreadsheet for easy analysis. All network traffic is only sent to the DC(s). PowEnum also leverages PowerSploit Get-GPPPassword and Harmj0y's ASREPRoast.
- Powersploit-PowerView
- Files
- SessionGopher
- SessionGopher is a PowerShell tool that uses WMI to extract saved session information for remote access tools such as WinSCP, PuTTY, SuperPuTTY, FileZilla, and Microsoft Remote Desktop. It can be run remotely or locally.
- CC_Checker
- CC_Checker cracks credit card hashes with PowerShell.
- SessionGopher
- LocalHost
- PowerView
- HostRecon
- Memory & Processes
- Powershell Live-Memory Analysis Tools: Dump-Memory, Dump-Strings, Check-MemoryProtection - @mattifestation(2012)
- Invoke-ProcessScan
- Gives context to a system. Uses EQGRP shadow broker leaked list to give some descriptions to processes.
- SQLite
- PSSQLite PowerShell Module
- PowerShell module to query SQLite databases
- PSSQLite PowerShell Module
- WebBrowser
- BrowserGatherer
- Fileless Extraction of Sensitive Browser Information with PowerShell
- BrowserGather
- Fileless Extraction of Sensitive Browser Information with PowerShell. This project will include various cmdlets for extracting credential, history, and cookie/session data from the top 3 most popular web browsers (Chrome, Firefox, and IE). The goal is to perform this extraction entirely in-memory, without touching the disk of the victim. Currently Chrome credential and cookie extraction is supported.
- BrowserGatherer
- AD
- Execution
- Articles/Blogposts/Writeups
- Meterpreter New Windows PowerShell Extension - Carlos Perez(2016)
- Introducing PowerShell into your Arsenal with PS>Attack - Jared Haight(Derbycon206)
- PS>Attack is a custom tool that was created to make it easier for Penetration Testers to incorporate PowerShell into their bag of tricks. It combines a lot of the best offensive tools from the offensive PowerShell community into a custom, encrypted console that emulates a PowerShell environment. It also includes a custom command, "Get-Attack" to act a search engine for attacks making it easy to find the right attack for any situation. In this presentation we will cover how PowerShell can be used during every part of a penetration test and how PS>Attack can help make the whole process a lot easier.
- Tools
- Invoke-ReflectivePEInjection.ps1
- This script has two modes. It can reflectively load a DLL/EXE in to the PowerShell process, or it can reflectively load a DLL in to a remote process.
- Managing Privileges using PoshPrivilege - Boe Prox(2015)
- Invoke-ReflectivePEInjection.ps1
- Add-Type & Reflection
- 101
- Add-Type - docs.ms
- Adds a Microsoft .NET Core class to a PowerShell session.
- Add-Type - SS64
- Add-Type vs. [reflection.assembly] in PowerShell - Tim Curwick(2013)
- Using Add-Type in a PowerShell script that is run as a Scheduled Task - Craig Tolley(2016)
- Add-Type - docs.ms
- 101
- Constrained-Language Mode
- 101
- About Language Modes - docs.ms
- Explains language modes and their effect on PowerShell sessions.
- PowerShell Constrained Language Mode - PowerShell Team(2017)
- A Comparison of Shell and Scripting Language Security - PowerShell Team
- About Language Modes - docs.ms
- Articles/Blogposts/Writeups
- AppLocker CLM Bypass via COM - MDSec
- Detecting and Preventing PowerShell Downgrade Attacks - Lee Holmes(2017)
- Simple Bypass for PowerShell Constrained Language Mode - DaveHardy20(2017)
- Powershell Constrained Language Mode ByPass - @spottheplanet
- Exploiting PowerShell Code Injection Vulnerabilities to Bypass Constrained Language Mode - @mattifestation(2017)
- A Look at CVE-2017-8715: Bypassing CVE-2017-0218 using PowerShell Module Manifests - enigma0x3(2017)
- Pentesting and .hta (bypass PowerShell Constrained Language Mode) - Josh Graham(2018)
- Bypassing Applocker and Powershell constrained language mode - DarthSidious
- Powershell CLM Bypass Using Runspaces - Shaksham Jaiswal(2019)
- Constrained Language Mode Bypass When __PSLockDownPolicy Is Used - Carrie Roberts(2022)
- Talks/Presentations/Videos
- Tools
- DotNetToJScript Constrained/Restricted LanguageMode Breakout
- This repository is based on a post by @xpn, more details available here. Xpn's post outlines a bug of sorts where ConstrainedLanguage, when enforced through AppLocker does not prevent COM invocation. Because of this it is possible to define a custom COM object in the registry and force PowerShell to load a Dll. On load it is possible to change the LanguageMode to FullLanguage and break out of the restricted shell. This repo is a variation on this technique where a DotNetToJScript scriptlet is used to directly stage a .Net assembly into the PowerShell process.
- PoSH_Bypass
- PoSHBypass is a payload and console proof of concept that allows an attatcker or for that matter a legitimate user to bypass PowerShell's 'Constrianed Language Mode, AMSI and ScriptBlock and Module logging'. The bulk of this concept is the combination of 3 separate pieces of research, I've stuck these 3 elements together as my first attempt at non 'Hello World!' C# project.
- PSByPassCLM
- Bypass for PowerShell Constrained Language Mode
- powershellveryless
- Constrained Language Mode + AMSI bypass all in one(Currently Blocked without modification)
- DotNetToJScript Constrained/Restricted LanguageMode Breakout
- 101
- C# in PS
- Articles/Blogposts/Writeups * Weekend Scripter: Run C# Code from Within PowerShell - Dr Scripto(2013) * Using CSharp (C#) code in Powershell scripts - Stefan Gobner(2010) * PowerShell – .NET Scripting how to ? - audministrator * Executing C# code using PowerShell script - Adam Furmanek(2016) * Use .Net Code (C#) and DLLs in Powershell - Hannes Hayashi(2016) * Powershell: How do you add inline C#? - Dot Jim(2018) * Add-Type - docs.ms * Adds a Microsoft .NET Core class to a PowerShell session. * Add-Type - SS64 * Add-Type vs. [reflection.assembly] in PowerShell - Tim Curwick(2013) * Using Add-Type in a PowerShell script that is run as a Scheduled Task - Craig Tolley(2016)
- Access Managed Code from Unmanaged Code
- Native interoperability - docs.ms
- "The following articles show the various ways of doing "native interoperability" in .NET."
- Platform Invoke (P/Invoke) - docs.ms
- Platform Invocation Services - Wikipedia
- How to: Call Native DLLs from Managed Code Using PInvoke - docs.ms
- Functions that are implemented in unmanaged DLLs can be called from managed code using Platform Invoke (P/Invoke) functionality. If the source code for the DLL is not available, P/Invoke is the only option for interoperating. However, unlike other .NET languages, Visual C++ provides an alternative to P/Invoke. For more information, see Using C++ Interop (Implicit PInvoke).
- pinvoke
- A library containing all P/Invoke code so you don't have to import it every time. Maintained and updated to support the latest Windows OS.
- Native interoperability - docs.ms
- Download Cradles
- Dropping Executables with Powershell - @mattifestation(2011)
- PowerShell: In-Memory Injection Using CertUtil.exe - mov a, xbx(2018)
- In this blog post I will discuss the steps to use PowerShell, Invoke-CradleCrafter and Microsoft’s Certutil.exe to craft a payload and one-liner that can be used to evade the latest version of Windows Defender (as of this writing), as well as tips for not getting caught by Intrusion Detection Systems and behavior analysis.
- Invoke-Cradlecrafter - Daniel Bohannon
- PowerShell Remote Download Cradle Generator & Obfuscator
- Execution Policy
* 15 Ways to Bypass the PowerShell Execution Policy - NetSPI
- Tools
- Bat Armor
- Bypass PowerShell execution policy by encoding ps script into bat file.
- Bat Armor
- Tools
- In-Memory
- Articles/Blogposts/Writeups
- PowerSyringe - PowerShell-based Code/DLL Injection Utility - @mattifestation(2011)
- In-Memory Managed Dll Loading With PowerShell - @mattifestation(2012)
- [Surgical .NET Dissection - Using PowerShell Proxy Functions to Extend Get-Member - @mattifestation]
- Deep Reflection - Defining Structs and Enums in PowerShell - @mattifestation(2012)
- Accessing the Windows API in PowerShell via internal .NET methods and reflection - @mattifestation(2012)
- In-Memory Managed Dll Loading With PowerShell - @mattifestation(2012)
- Working with Unmanaged Callback Functions in PowerShell - @mattifestation(2013)
- With a little bit of work, you can bind a scriptblock to an unmanaged callback function in PowerShell. The key to accomplishing this is by casting a scriptblock as a non-generic delegate that has the function signature of the desired callback function. Fortunately, creating non-generic delegates is made easy with my Get-DelegateType function.
- Simple CIL Opcode Execution in PowerShell using the DynamicMethod Class and Delegates - @mattifestation(2013)
- It is possible to assemble .NET methods with CIL opcodes (i.e. .NET bytecode) in PowerShell in only a few lines of code using dynamic methods and delegates.
- PowerShell – Run a .Net Assembly DLL from in Memory - audministrator(2014)
- PowerShell – Run Assembly that is not registered in the GAC - audministrator(2014)
- PowerShell load .Net Assembly - PsCustomObject(2019)
- One common technique is loading .Net assemblies in PowerShell script or module to leverage functionalities otherwise not available natively in PowerShell. There are multiple methods we can use to add assemblies to PowerShell which we’re going to explore in the post.
- Articles/Blogposts/Writeups
- Nishang
- Nishang
- Nishang is a framework and collection of scripts and payloads which enables usage of PowerShell for offensive security, penetration testing and red teaming. Nishang is useful during all phases of penetration testing.
- Hacking In Windows Using Nishang With Windows PowerShell, Like A Boss! - serenity-networks.com
- Nishang
- Powershell without Powershell
- Articles/Blogposts/Writeups
- Empire without PowerShell.exe
- Powershell without Powershell to bypass app whitelist
- We don’t need powershell.exe - decoder.cloud
- PowerShell: In-Memory Injection Using CertUtil.exe
- Run PowerShell without Powershell.exe — Best tools & techniques - Bank Security
- PowerOPS: PowerShell for Offensive Operations
- The Evolution of Offensive PowerShell Invocation - Lee Christensen
- Talks & Presentations
- Tools
- AwesomerShell
- Talk
- This is the awesomershell application code that was presented with the Gray Hat PowerShell talk.
- OffensivePowerShellTasking
- Run multiple PowerShell scripts concurrently in different app domains. Solves the offensive security problem of running multiple PowerShell scripts concurrently without spawning powershell.exe and without the scripts causing problems with each other (usually due to PInvoke'd functions).
- PowerLessShell
- PowerLessShell rely on MSBuild.exe to remotely execute PowerShell scripts and commands without spawning powershell.exe. You can also execute raw shellcode using the same approach.
- NoPowerShell
- NoPowerShell is a tool implemented in C# which supports executing PowerShell-like commands while remaining invisible to any PowerShell logging mechanisms. This .NET Framework 2 compatible binary can be loaded in Cobalt Strike to execute commands in-memory. No
System.Management.Automation.dllis used; only native .NET libraries. An alternative usecase for NoPowerShell is to launch it as a DLL via rundll32.exe:rundll32 NoPowerShell.dll,main.
- NoPowerShell is a tool implemented in C# which supports executing PowerShell-like commands while remaining invisible to any PowerShell logging mechanisms. This .NET Framework 2 compatible binary can be loaded in Cobalt Strike to execute commands in-memory. No
- p0wnedShell
- p0wnedShell is an offensive PowerShell host application written in C# that does not rely on powershell.exe but runs powershell commands and functions within a powershell runspace environment (.NET).
- UnmanagedPowerShell
- nps - Not PowerShell
- Execute powershell without powershell.exe
- PSShell
- PSShell is an application written in C# that does not rely on powershell.exe but runs powershell commands and functions within a powershell runspace environment (.NET). It doesn't need to be "installed" so it's very portable.
- PowerShdll
- Run PowerShell with rundll32. Bypass software restrictions.
- PowerOPS
- PowerOPS is an application written in C# that does not rely on powershell.exe but runs PowerShell commands and functions within a powershell runspace environment (.NET). It intends to include multiple offensive PowerShell modules to make the process of Post Exploitation easier.
- PowerLine
- Presentation
- Running into environments where the use of PowerShell is being monitored or is just flat-out disabled? Have you tried out the fantastic PowerOps framework but are wishing you could use something similar via Meterpreter, Empire, or other C2 channels? Look no further! In this talk, Brian Fehrman talks about his new PowerLine framework. He overviews the tool, walks you through how to use it, shows you how you can add additional PowerShell scripts with little effort, and demonstrates just how powerful (all pun intended) this little program can be!
- AwesomerShell
- Articles/Blogposts/Writeups
- Through LoLBins
- Reflection
- Reflective DLL Injection
- Reflective DLL Injection with PowerShell - clymb3r(2013)
- Invoke-DllInjection.ps1 - PowerSploit
- Injects a Dll into the process ID of your choosing.
- PowerPwning: Post-Exploiting By Overpowering PowerShell - Joe Bialek(Defcon21)
- Reflective PE Injection
- Invoke-ReflectivePEInjection.ps1 - PowerSploit
- This script has two modes. It can reflectively load a DLL/EXE in to the PowerShell process, or it can reflectively load a DLL in to a remote process.
- Reflective PE Injection In Windows 10 1909 - HUBBL3(2020)
- Invoke-ReflectivePEInjection.ps1 - PowerSploit
- Registry
- Running Shellcode
- Invoke-Shellcode.ps1 - PowerSploit
- Inject shellcode into the process ID of your choosing or within the context of the running PowerShell process.
- Invoke-Shellcode.ps1 - PowerSploit
- Runspaces
- Token Manipulation
- 101
- Use PowerShell to Duplicate Process Tokens via P/Invoke - Dr Scripto(2012)
- "Summary: Guest blogger, Niklas Goude, shows how to use P/Invoke to duplicate process tokens from LSASS to elevate privileges."
- Use PowerShell to Duplicate Process Tokens via P/Invoke - Dr Scripto(2012)
- Articles/Blogposts/Writeups
- Tools
- 101
- WinAPI Access
- Articles/Blogposts/Writeups
- Accessing the Windows API in PowerShell via internal .NET methods and reflection - @mattifestation(2012)
- It is possible to invoke Windows API function calls via internal .NET native method wrappers in PowerShell without requiring P/Invoke or C# compilation. How is this useful for an attacker? You can call any Windows API function (exported or non-exported) entirely in memory. For those familiar with Metasploit internals, think of this as an analogue to railgun.
- List All Win32/Native Functions Declared/Used By PowerShell - @mattifestation(2012)
- Low-Level Windows API Access From PowerShell - b33f(2013/14?)
- Get-PEB – A Tool to Dump the Process Environment Block (PEB) of Any Process - @mattifestation(2013)
- PowerShell and Win32 API Access - harmj0y(2014)
- Use PowerShell to Interact with the Windows API: Part 1 - devblogs.msdn(2014)
- Accessing the Windows API in PowerShell via internal .NET methods and reflection - Matt Graeber(2012)
- It is possible to invoke Windows API function calls via internal .NET native method wrappers in PowerShell without requiring P/Invoke or C# compilation. How is this useful for an attacker? You can call any Windows API function (exported or non-exported) entirely in memory. For those familiar with Metasploit internals, think of this as an analogue to railgun.
- Deep Reflection - Defining Structs and Enums in PowerShell - Matt Graeber(2012)
- Easily Defining Enums, Structs, and Win32 Functions in Memory - Matt Graeber(2014)
- Low-Level Windows API Access From PowerShell - b33f(2016)
- Properly Retrieving Win32 API Error Codes in PowerShell - @mattifestation(2016)
- Writing about Windows API functions in Powershell - Dmitriy Kim(2020)
- Accessing the Windows API in PowerShell via internal .NET methods and reflection - @mattifestation(2012)
- Tools
- PSReflect
- Easily define in-memory enums, structs, and Win32 functions in PowerShell
- PSReflect
- Articles/Blogposts/Writeups
- Articles/Blogposts/Writeups
- Persistence * Practical Persistence with PowerShell - Matt Graeber(2013) * Nothing Lasts Forever: Persistence with Empire - harmj0y(2016)
- Credential Attacks
- Articles/Blogposts/Writeups
- Process Dump
- Dump-Clear-Text-Password-after-KB2871997-installed
- Auto start Wdigest Auth,Lock Screen,Detect User Logon and get clear password.
- Out-Minidump.ps1
- Generates a full-memory minidump of a process.
- MimiDbg
- PowerShell oneliner to retrieve wdigest passwords from the memory
- PowerMemory
- Exploit the credentials present in files and memory. PowerMemory levers Microsoft signed binaries to hack Microsoft operating systems.
- mimikittenz
- mimikittenz is a post-exploitation powershell tool that utilizes the Windows function ReadProcessMemory() in order to extract plain-text passwords from various target processes.
- Dump-Clear-Text-Password-after-KB2871997-installed
- GPO
- PShell Script: Extract All GPO Set Passwords From Domain
- This script parses the domain’s Policies folder looking for Group.xml files. These files contain either a username change, password setting, or both. This gives you the raw data for local accounts and/or passwords enforced using Group Policy Preferences. Microsoft chose to use a static AES key for encrypting this password. How awesome is that!
- PShell Script: Extract All GPO Set Passwords From Domain
- Mimikatz
- mimikittenz
- A post-exploitation powershell tool for extracting juicy info from memory.
- mimikittenz
- Broadcast Name Resolution Poisoning (BNRP)
- Inveigh
- Inveigh is a PowerShell LLMNR/mDNS/NBNS spoofer and man-in-the-middle tool designed to assist penetration testers/red teamers that find themselves limited to a Windows system.
- Inveigh
- Privilege Escalation
- Local Phishing
- Tools
- PowerUp
- PowerUp is a powershell tool to assist with local privilege escalation on Windows systems. It contains several methods to identify and abuse vulnerable services, as well as DLL hijacking opportunities, vulnerable registry settings, and escalation opportunities.
- Sherlock
- PowerShell script to quickly find missing software patches for local privilege escalation vulnerabilities.
- Get-System-Techniques
- PowerUp
- Lateral Movement
- DCOM
- PS-Remoting
- Secrets of PowerShell Remoting - Don Jones, Tobias Weltner(2018)
- Introduced in Windows PowerShell 2.0, Remoting is one of PowerShell's most useful, and most important, core technologies. It enables you to run almost any command that exists on a remote computer, opening up a universe of possibilities for bulk and remote administration. Remoting underpins other technologies, including Workflow, Desired State Configuration, certain types of background jobs, and much more. This guide isn't intended to be a complete document of what Remoting is and does, although it does provide a good introduction. Instead, this guide is designed to document all the little configuration details that don't appear to be documented elsewhere.
- Secrets of PowerShell Remoting - Don Jones, Tobias Weltner(2018)
- ScheduleTask
- Invoke-CommandAs
- Invoke Command as System/User on Local/Remote computer using ScheduleTask.
- Invoke-CommandAs
- Evasion
- Articles/Blogposts/Writeups
- Talks/Presentations/Videos
- PowerShell Secrets and Tactics - Ben0xA(Derbycon2016)
- It used to be that most people were just starting to hear about PowerShell. Over the last 3 years, this has changed dramatically. We now see Offensive and Defensive PowerShell tools, exploits specifically leveraging PowerShell and WMI, and more organizations are starting to be intentional for detection and monitoring of PowerShell scripts and commands. With this visibility, it is becoming a game of cat and mouse to leverage and detect PowerShell. In this talk, I will highlight some secrets I use to ensure my PowerShell exploits are successful and some unique tactics which will bypass common defensive controls. I will also walk you through the creation of a custom PowerShell C# DLL which you can use to compromise your target. If you want to code with me, be sure to bring a laptop with Visual Studio 2013 or later installed.
- Goodbye Obfuscation, Hello Invisi Shell: Hiding Your Powershell Script in Plain Sight - Omer Yair(Derbycon2018)
- “The very concept of objective truth is fading out of the world. Lies will pass into history.” George Orwell. Objective truth is essential for security. Logs, notifications and saved data must reflect the actual events for security tools, forensic teams and IT managers to perform their job correctly. Powershell is a prime example of the constant cat and mouse game hackers and security personnel play every day to either reveal or hide the “objective truth” of a running script. Powershell’s auto logging, obfuscation techniques, AMSI and more are all participants of the same game playing by the same rules. We don’t like rules, so we broke them. As a result, Babel-Shellfish and Invisi-Shelltwo new tools that both expose and disguise powershell scripts were born. Babel-Shellfish reveals the inner hidden code of any obfuscated script while Invisi-Shell offers a new method of hiding malicious scripts, even from the Powershell process running it. Join us as we present a new way to think about scripts.
- APTs <3 PowerShell and Why You Should Too - Anthony Rose, Jake Krasnov(DefconSafeMode RTV 2020)
- PowerShell Secrets and Tactics - Ben0xA(Derbycon2016)
- Tools
- HiddenPowerShellDll
- This .Net class library is used to run PowerShell scripts from c #. The bypasses are executed and then the scriptblock that invokes the stager is executed. Using the DllExport package the .Net DLL exports a function that allows it to be executed via rundll32 and this results in a bypass of the default AppLocker rules
- HiddenPowerShellDll
- Constrained-Language Mode
- See above.
- Crypters
- Xencrypt
- This tool is intended as a demo for how easy it is to write your own crypter. It works for its intended purpose and I will not patch it to make it suitable for yours.
- Xencrypt
- Obfuscation
- Invoke-Obfuscation
- Invoke-Obfuscation is a PowerShell v2.0+ compatible PowerShell command and script obfuscator.
- Articles/Blogposts/Writeups
- argfuscator - Obfuscating and randomizing PowerShell arguments - Jeff White(2017)
- Pulling Back the Curtains on EncodedCommand PowerShell Attacks - Jeff White(2017)
- PowerShell Obfuscation using SecureString - @Wietze(2020)
- TL;DR - PowerShell has built-in functionality to save sensitive plaintext data to an encrypted object called
SecureString. Malicious actors have exploited this functionality as a means to obfuscate PowerShell commands. This blog post discussesSecureString, examples seen in the wild, and presents a tool that helps analyse SecureString obfuscated commands.
- TL;DR - PowerShell has built-in functionality to save sensitive plaintext data to an encrypted object called
- pOWershell obFUsCation - N1CFURY
- Talks/Presentations/Videos
- Defeating The Latest Advances in Script Obfuscation - Mark Mager(Derbycon2016)
- Defeating The Latest Advances in Script Obfuscation Mark Mager Mark Mager - @magerbomb In this age of increasingly sophisticated and devastating malware, adversaries still rely on a multitude of scripting languages and frameworks (e.g. JavaScript, VBA, PowerShell, VBScript) as key components of an attack scenario. These scripts tend to employ obfuscation techniques in order to obscure their true intent and avoid detection by endpoint protection products. Though significant advances have been made in recent years in packing and obfuscating compiled binaries, script obfuscation can still be defeated with time and a determined analyst. This talk will cover some of the most recently seen advanced obfuscation techniques employed by APTs, exploit kits, and other malware authors along with proven methods for circumventing and decoding these techniques. I will then apply these methods to guide the audience through the deobfuscation of a fully obfuscated script. Audience members will walk away with a solid understanding of how common obfuscation techniques are employed in scripting languages along with how they can be defeated.
- Invoke-CradleCrafter: Moar PowerShell obFUsk8tion by Daniel Bohannon
- Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niques') -Join'') - Daniel Bohannon(Derbycon2017)
- Attackers, administrators and many legitimate products rely on PowerShell for their core functionality. However, its power has made it increasingly attractive for attackers and commodity malware authors alike. How do you separate the good from the bad? A/V signatures applied to command line arguments work sometimes. AMSI-based (Anti-malware Scan Interface) detection performs significantly better. But obfuscation and evasion techniques like Invoke-Obfuscation can and do bypass both approaches. Revoke-Obfuscation is a framework that transforms evasion into a treacherous deceit. By applying a suite of unique statistical analysis techniques against PowerShell scripts and their structures, what was once a cloak of invisibility is now a spotlight. It works with .evtx files, command lines, scripts, ScriptBlock logs, Module logs, and is easy to extend. Approaches for evading these detection techniques will be discussed and demonstrated. Revoke-Obfuscation has been used in numerous Mandiant investigations to successfully identify obfuscated and non-obfuscated malicious PowerShell scripts and commands. It also detects all obfuscation techniques in Invoke-Obfuscation, including two new techniques being released with this presentation.
- Defeating The Latest Advances in Script Obfuscation - Mark Mager(Derbycon2016)
- Tools
- PyFuscation
- Obfuscate powershell scripts by replacing Function names, Variables and Parameters.
- Invoke-CradleCrafter v1.1
- Invoke-Confusion.ps1
- PowerAvails
- Powerob
- An on-the-fly Powershell script obfuscator meant for red team engagements. Built out of necessity.
- Powerglot
- Powerglot encodes offensive powershell scripts using polyglots
- PyFuscation
- De-Obfuscate
- Revoke-Obfuscation
- Articles/Blogposts/Writeups
- Tools
- PowerShell: ConvertFrom-SecureString decoder
- A simple, pure JavaScript implementation decoding PowerShell's SecureString objects for analysis.
- Babel-Shellfish
- Deobfuscate Powershell scripts right before execution. Babel-Shellfish allows to both log and scan through AMSI deobfuscated scripts. If a script is found mallicious it will stop its execution.
- CLM-Base64
- Blogpost
- This project provides Base64 encoding and decoding functionality to PowerShell within Constrained Language Mode. Since this is constrained language mode compliant, it will also run in Full Language Mode.
- PowerAvails
- PowerAvails Powershell .NET Operating system
- PowerShell: ConvertFrom-SecureString decoder
- Invoke-Obfuscation
- Exfiltration
- Articles/Blogposts/Writeups
- Payloads
- Talks/Presentations/Videos
- Malicious payloads vs. deep visibility: a PowerShell story - Daniel Bohannon(PSConEU19)
- This talk draws from over four years of Incident Response experience to lay out a technical buffet of in-the-wild malicious PowerShell payloads and techniques. In addition to diving deep into the mechanics of each malicious example, this presentation will highlight forensic artifacts, detection approaches and the deep visibility that the latest versions of PowerShell provides security practitioners to defend their organizations against the latest attacks that utilize PowerShell.
- Malicious payloads vs. deep visibility: a PowerShell story - Daniel Bohannon(PSConEU19)
- Generators
- nps_payload
- This script will generate payloads for basic intrusion detection avoidance. It utilizes publicly demonstrated techniques from several different sources.
- psWar.py
- Code that quickly generates a deployable .war for a PowerShell one-liner
- nps_payload
- **Samples
- JSRat-Py
- implementation of JSRat.ps1 in Python so you can now run the attack server from any OS instead of being limited to a Windows OS with Powershell enabled
- ps1-toolkit
- This is a set of PowerShell scripts that are used by many penetration testers released by multiple leading professionals. This is simply a collection of scripts that are prepared and obfuscated to reduce level of detectability and to slow down incident response from understanding the actions performed by an attacker.
- JSRat-Py
- Signatures
- DigitalSignature-Hijack.ps1
- PoCSubjectInterfacePackage
- A proof-of-concept subject interface package (SIP) used to demonstrate digital signature subversion attacks.
- Talks/Presentations/Videos
- Miscellaneous Useful Things
- Invoke-VNC
- Powershell VNC injector
- Invoke-BSOD
- A PowerShell script to induce a Blue Screen of Death (BSOD) without admin privileges. Also enumerates Windows crash dump settings. This is a standalone script, it does not depend on any other files.
- Invoke-SocksProxy
- Creates a Socks proxy using powershell.
- PowerShell-Suite
- There are great tools and resources online to accomplish most any task in PowerShell, sometimes however, there is a need to script together a util for a specific purpose or to bridge an ontological gap. This is a collection of PowerShell utilities I put together either for fun or because I had a narrow application in mind. - b33f
- Powershell-SSHTools
- A bunch of useful SSH tools for powershell
- random-powershell
- Various PowerShell scripts that have come in handy but aren't important enough for their own repository
- Invoke-VNC
- Utilities
- 7Zip4Powershell
- Powershell module for creating and extracting 7-Zip archives
- 7Zip4Powershell
- Servers
- Dirty Powershell Webserver
- Pode
- Pode is a PowerShell framework that runs HTTP/TCP listeners on a specific port, allowing you to host REST APIs, Web Pages and SMTP/TCP servers via PowerShell. It also allows you to render dynamic HTML using PSHTML files.
- PowerHub
- Webserver frontend for powersploit with functionality and niceness.
- Harness
- Harness is remote access payload with the ability to provide a remote interactive PowerShell interface from a Windows system to virtually any TCP socket. The primary goal of the Harness Project is to provide a remote interface with the same capabilities and overall feel of the native PowerShell executable bundled with the Windows OS.
Windows Code Injection Techniques
- 101
- 3 Base Primitive Categories
- Process Spawning Techniques
- Injecting During Process Initialization
- Injecting into Running Processes
- One day I'll sort the articles/techniques into each.
- Articles/Blogposts/Writeups that aren't about one sepcific technique
- Windows API index - docs.ms
- The following is a list of the reference content for the Windows application programming interface (API) for desktop and server applications.
- Ten process injection techniques: A technical survey of common and trending process injection techniques - Ashkan Hosseini(2017)
- Memory Injection like a Boss - Noora Hyvärinen(2018)
- Process Injection - Part I - 3xpl01tc0d3r(2019)
- The state of advanced code injections - David Korczynski(2019)
- Process Injection: a primer - RedCanary(2020)
- Experts from Red Canary, VMware Carbon Black, MITRE ATT&CK, and Microsoft break down the many facets of the Process Injection technique.
- Hidden in plain sight? - @casheeew(BlackHoodie2018)
- PoC Examples
- Windows API index - docs.ms
- Generic
* GetEnvironmentVariable as an alternative to WriteProcessMemory in process injections - x-c3ll(2020)
* Injecting Code into Windows Protected Processes using COM - Part 1 - James Forshaw(P0)
* Injecting Code into Windows Protected Processes using COM - Part 2 - James Forshaw(P0)
- PoCs
- demos - hasherezade
- Injectopi
- Injectopi is a set of tutorials that I've decided to write down in order to learn about various injection techniques in the Windows' environment.
- InjectProc - Process Injection Techniques
- pinjectra
- PoCs
- CreateRemoteThread
- APC
- 101
- Asynchronous Procedure Calls - docs.ms
- Inside NT's Asynchronous Procedure Call - Albert Almeida(2002)
- Remote Windows Kernel Exploitation Step into the Ring 0 - Barnaby Jack
- Windows Process Injection: Asynchronous Procedure Call (APC) - modexp(2019)
- APC Series: User APC API - Ori Damari(2020)
- APC Series: User APC Internals - Ori Damari(2020)
- Informational
- Kernel to User land: APC injection - Vault7Leaks
- Examining the user-mode APC injection sensor introduced in Windows 10 build 1809 - Souhail Hammou
- Bypassing the Microsoft-Windows-Threat-Intelligence Kernel APC Injection Sensor - Philip Tsukerman(2019)
- The Curious Case of QueueUserAPC - Dwight Hohnstein(2019)
- Process Injection - Part V - 3xpl01tc0d3r(2019)
- Userland-Specific
- Kernel-Specific
- Performing
- Tools
- PoC
- Inject-dll-by-APC
- APC Internals Research Code
- injdrv
- injdrv is a proof-of-concept Windows Driver for injecting DLL into user-mode processes using APC.
- APCInjector
- Windows Kernel Driver dlls injector using APC
- APC-PPID
- Adds a user-mode asynchronous procedure call (APC) object to the APC queue of the specified thread and spoof the Parent Process.
- 101
- Atom Bombing
- 101
- AtomBombing – A New Code Injection Attack - ENISA(2016)
- AtomBombing: Injecting Code Using Windows’ Atoms - Tal Liberman(BSidesSF(2017)
- In this talk we present a code injection technique, dubbed AtomBombing, which exploits Windows atom tables and Async Procedure Calls (APC). At the time of its release (October 2016), AtomBombing went undetected by common security solutions that focused on preventing infiltration. AtomBombing affects all Windows versions. In particular, we tested it against Windows 10 and Windows 7. Unfortunately, this issue cannot be patched by Microsoft since it doesn’t rely on broken or flawed code – rather on how these operating system mechanisms are designed.
- Info
- Dridex’s Cold War: Enter AtomBombing - Magal Baz, Or Safran(2017)
- Detecting stealthier cross-process injection techniques with Windows Defender ATP: Process hollowing and atom bombing - MS(2017)
- AtomBombing Evasion and Detection
- Dridex’s Bag of Tricks: An Analysis of its Masquerading and Code Injection Techniques - Ratnesh Pandey(2019)
- Performing
- PoC
- 101
- Breaking BaDDEr
- 'Code-less' Injection
- Command Line and Environment Variables
- Console Window Class
- Ctrl Injection
- DLL Injection
- 101
- Dynamic-link library
- DllMain entry point - docs.ms
- Exporting from a DLL - docs.ms
- DLL injection - Wikipedia
- A More Complete DLL Injection Solution Using CreateRemoteThread - Drew_Benton(2007)
- DLL Injection and WoW64 - corsix(2010)
- Windows DLL Injection Basics - Brad Antoniewicz(2013)
- DLL/PIC Injection on Windows from Wow64 process - modexp(2015)
- Articles/Blogposts/Writeups
- Informational
- Remote Thread Execution in System Process using NtCreateThreadEx for Vista & Windows7 - securityxploded
- DLL Injection and Windows 8 - nagareshwar.securityxploded(2012)
- Using SetWindowsHookEx for DLL Injection on Windows - Dejan Lukan(2013)
- MapViewOfFile or NTmapViewOfSection ?
- "NtmapViewOfSection is a low level function in ntdll. All what MapViewOfSection does is just some small extra, like security checks, sanitizing, etc. Or it might be a simple wrapper. The point is that there isn't any special case where you should use this or that. They both do the same thing. - Unc3nZureD"
- Performing
- Process Injection - Part II - 3xpl01tc0d3r(2019)
- Inject All the Things - Shut up and hack - deniable.org(2017)
- [DLL Injection Part 0: Understanding DLL Usage - Mark Wolters(2015(https://warroom.rsmus.com/dll-injection-part-0-understanding-dll-usage/)
- DLL Injection Part 1: SetWindowsHookEx - malarkey(2015)
- DLL Injection Part 2: CreateRemoteThread and More - malarkey(2015)
- DLL Injection - pentestlab.blog(2017)
- DLL Injection and Hooking
- Delivering custom payloads with Metasploit using DLL injection - blog.cobalstrike
- DLL Injection via a Custom .NET Garbage Collector - @spottheplanet
- Informational
- Tools
- DLL-Injection - mwwolters
- dll_inject_test
- dllinjector
- dll injection tool that implements various methods
- Bleak
- A Windows native DLL injection library that supports several methods of injection.
- Lunar
- A lightweight native DLL mapping library that supports mapping directly from memory
- injectAllTheThings
- Single Visual Studio project implementing multiple DLL injection techniques (actually 7 different techniques) that work both for 32 and 64 bits. Each technique has its own source code file to make it easy way to read and understand.
- MemJect
- Simple Dll injector loading from memory. Supports PE header and entry point erasure. Written in C99.
- Windows-DLL-Injector
- 101
- Reflective Dll Injection
- 101
- Reflection (computer programming) - Wikipedia
- HS-P005_ReflectiveDllInjection.pdf - Stephen Fewer(2008)
- Whitepaper on reflective DLL injection. Reflective DLL injection is a library injection technique in which the concept of reflective programming is employed to perform the loading of a library from memory into a host process. As such the library is responsible for loading itself by implementing a minimal Portable Executable (PE) loader.
- Reflective DLL Injection - Stephen Fewer(2008)
- Alternate hosting of paper
- Loading a DLL from memory - Joachim Bauch(2010)
- Explaining Reflective DLL Injection in 2 min - by Miss Smurfette(2020)
- Info
- Reflective DLL Injection with PowerShell - clymb3r(2013)
- Upgrade your DLL to Reflective DLL - Ionut Popescu(2015)
- An Improved Reflective DLL Injection Technique - Dan Staples(2015)
- Cross-Architecture Reflective DLL Injection - Dan Staples(2015)
- ThreadContinue - Reflective DLL Injection Using SetThreadContext() and NtContinue(2017)
- DLL Injection - Pentestlab.blog(2017)
- Inject Dll From Memory Into A Remote Process (InjectLibraryFromMemory_HYPD - Hypodermic) - Vault7Leaks
- DoublePulsar Initial SMB Backdoor Ring 0 Shellcode Analysis - zerosum0x0(2017)
- Reflective DLL Injection - dtm(2017)
- sRDI – Shellcode Reflective DLL Injection - Nick Landers(2017)
- Performing
- Portable Executable (P.E.) Code Injection: Injecting an Entire C Compiled Application - Ciro Sisman Pereira(2008)
- Loading Win32/64 DLLs "manually" without LoadLibrary() - xenotron(2014)
- How to load DLLs by allocating memory and loading the DLL from file/memory and then relocating/importing.
- Reflective DLL Injection - @spotheplanet
- [Exploit Development 5: Reflective DLL Injection - Thomas(2017)]
- Reflective DLLs and You - cplsec(2018)
- "This post is about reflective dynamic link libraries (DLL) and will do a simple walk-through on how to write one. This is a technique developed by Stephen Fewer and will use his code to make the magic happen. I realize this is a topic that has been discussed several times so I’m going to keep this post simple and tight."
- Windows - Process Injection Technique: Reflective DLL Injection - t0rchwo0d(2019)
- Detection
- Detecting Reflective Injection - Andrew King(DEFCON 20)
- This talk will focus on detecting reflective injection with some mildly humorous notes and bypassing said protections until vendors start actually working on this problem. It seems amazing that reflective injection still works. Why is that? Because programmers are lazy. They don't want to write new engines, they want to write definitions for an engine that already exists. So what do we do about it? Release a $5 tool that does what $50 AV has failed epically at for several years now...oh and it took me a week or so...Alternately, you could license it to vendors since their programmers are lazy.
- What is Reflective DLL Injection and how can be detected? - Andrea Fortuna(2017)
- Detecting Reflective Injection - Andrew King(DEFCON 20)
- PoCs
- Tools
- ReflectiveDLLInjection - Stephen Fewer
- Reflective DLL injection is a library injection technique in which the concept of reflective programming is employed to perform the loading of a library from memory into a host process. As such the library is responsible for loading itself by implementing a minimal Portable Executable (PE) file loader. It can then govern, with minimal interaction with the host system and process, how it will load and interact with the host.
- MemJect
- Simple Dll injector loading from memory. Supports PE header and entry point erasure. Written in C99.
- doublepulsar-usermode-injector
- A utility to use the usermode shellcode from the DOUBLEPULSAR payload to reflectively load an arbitrary DLL into another process, for use in testing detection techniques or other security research.
- RemoteFunctions
- LoadLibrary, GetModuleHandle and GetProcAddress calls for remote processes
- ReflectiveDLLInjection - apriorit
- This tool demonstrates various remote dll injection methods.
- ImprovedReflectiveDLLInjection
- An improvement of the original reflective DLL injection technique by Stephen Fewer of Harmony Security
- injectAllTheThings
- Single Visual Studio project implementing multiple DLL injection techniques (actually 7 different techniques) that work both for 32 and 64 bits. Each technique has its own source code file to make it easy way to read and understand.
- ReflectCmd
- A simple reflective dll example
- Pazuzu
- Pazuzu is a Python script that allows you to embed a binary within a precompiled DLL which uses reflective DLL injection. The goal is that you can run your own binary directly from memory. This can be useful in various scenarios.
- Injectora
- x86/x64 manual mapping injector using the JUCE library
- ReflectCmd
- A simple reflective dll example
- MemoryModule
- MemoryModule is a library that can be used to load a DLL completely from memory - without storing on the disk first.
- Windows Manage Reflective DLL Injection Module - Metasploit
- sRDI - Shellcode Reflective DLL Injection
- sRDI allows for the conversion of DLL files to position independent shellcode. It attempts to be a fully functional PE loader supporting proper section permissions, TLS callbacks, and sanity checks. It can be thought of as a shellcode PE loader strapped to a packed DLL.
- ReflectivePELoader - BenjaminSoelberg
- ReflectiveDLLInjection - Stephen Fewer
- 101
- DNS Client API
- Process Doppelganging
- 101
- Lost in Transaction: Process Doppelgänging - Tal Liberman, Eugene Kogan(BHEU 2017)
- Slides
- Process Hollowing is a technique first introduced years ago by attackers to thwart the mitigation capabilities of security products. However, most of today's solutions are able to detect and prevent such notorious attacks. In this talk, we will present a new technique, dubbed Process Doppelgänging, which has similar advantages but is much harder to detect - let alone prevent.
- What is Process Doppelganging & How is it Executed? - Suvarna Trigune(2018)
- TAU-TIN - Process Doppelgang Evasion Technique - esullivan(2017)
- Lost in Transaction: Process Doppelgänging - Tal Liberman, Eugene Kogan(BHEU 2017)
- Information
- Process Doppelgänging – a new way to impersonate a process - hasherezade(2017)
- Process Doppelgänging: New Malware Evasion Technique Works On All Windows Versions - Mohit Kumar(2017)
- Process Doppelgänging meets Process Hollowing in Osiris dropper - hasherezade(2018)
- On Process Doppelganging and developing an unpacker for it - KrabsOnSecurity(2018)
- In NTDLL I Trust – Process Reimaging and Endpoint Security Solution Bypass - Eoin Carroll, Cedric Cochin, Steve Povolny, Steve Hearnden(2019)
- Process Doppelganging Notes - hyp3rv3locity(2020)
- Process Doppelganging - @spotheplanet
- Performing
- PoCs
- Process Refund
- process_doppelganging
- "My implementation of enSilo's Process Doppelganging (PE injection technique)"
- Start-Eidolon.ps1
- Detection
- 101
- DoppelGate
- 101
- Info
- Performing
- Detection
- PoC
- DoppelGate
- DoppelGate relies on reading ntdll on disk to grab syscall stubs, and patches these syscall stubs into desired functions to bypass Userland Hooking.
- DoppelGate
- DoubleAgent
- Earlybird Injection
- 101
- Info
- Hackers Found Using A New Code Injection Technique to Evade Detection - Mohit Kumar(2018)
- DorkBot: An Investigation - Mark Lechtik(2018)
- [The “Early Bird Special” – a new twist on the “Early Bird” injection technique - Avi Lamay(2019)]
- Performing
- Detection
- PoC
- Extra Window Bytes
- Fibers
- Gargoyle
- 101
- Info
- Performing
- Detection
- Hunting for Gargoyle Memory Scanning Evasion - Aliz Hammond(2018)
- Gargoyle Hunting In-Depth — Presented by Aliz Hammond(InfoSec in the City2020)
- Detecting certain user-mode code-hiding techniques, such as Josh Lospinoso's 'Gargoyle', is almost impossible from user-space. In this talk, I will examine Gargoyle, and explain how it can be detected from kernel mode. I will first walk through using WinDbg to locate hidden code and then write a Volatility plugin to turn this process into a practical method of detecting real-world attacks — in the process, adding a reliable method of differentiating these from legitimate behavior. No prior kernel knowledge is needed, but those with a background in WinDbg, Windows internals, forensics, and/or Volatility will get the most from this talk.
- [HookTracer: A System for Automated and Accessible API Hooks Analysis - Andrew Case, Mohammad M.Jalalzai, Md Firoz-Ul-Amin, Ryan D.Maggio, Aisha Ali-Gombe, Mingxuan Sun, Golden G.Richard III(2019)]
- The use of memory forensics is becoming commonplace in digital investigation and incident response, as it provides critically important capabilities for detecting sophisticated malware attacks, including memory-only malware components. In this paper, we concentrate on improving analysis of API hooks, a technique commonly employed by malware to hijack the execution flow of legitimate functions. These hooks allow the malware to gain control at critical times and to exercise complete control over function arguments and return values. Existing techniques for detecting hooks, such the Volatility plugin apihooks, do a credible job, but generate numerous false positives related to non-malicious use of API hooking. Furthermore, deeper analysis to determine the nature of hooks detected by apihooks typically requires substantial skill in reverse engineering and an extensive knowledge of operating systems internals. In this paper, we present a new, highly configurable tool called hooktracer, which eliminates false positives, provides valuable insight into the operation of detected hooks, and generates portable signatures called hook traces, which can be used to rapidly investigate large numbers of machines for signs of malware infection.
- Hunting for Ghosts in Fileless Attacks - Buddy Tancio(2019)
- Hunting for a fileless threat can be a tedious and labor-intensive task for any analyst. It is, most often than not, extremely time-consuming and requires a significant amount of data gathering. On top of that, the traditional tools, methods, and defenses seem to be less effective when dealing with these almost invisible threats. Threat actors are frequently using attack techniques that work directly from the memory or using legitimate tools or services pre-installed in the system to achieve their goals (Trend Micro, 2017). It is a popular technique among targeted attacks and advanced persistent threats (APT), and now it has been adopted by conventional malware such as trojans, ransomwares, and even the most recent emerging threat – cryptocurrency miners. In some incidents, searching for a malicious file that resides in the hard drive seems to be insufficient. This study explores the different variations of fileless attacks that targeted the Windows operating system and what kind of artifacts or tools can provide clues for forensic investigation.
- PoC
- dotnet-gargoyle
- A spiritual .NET equivalent to the Gargoyle memory scanning evasion technique
- dotnet-gargoyle
- GhostWriting Injection
- 101
- A paradox: Writing to another process without openning it nor actually writing to it - txipi(2007)
- A paradox: Writing to another process without openning it nor actually writing to it
- A paradox: Writing to another process without openning it nor actually writing to it - txipi(2007)
- Informational
- Performing
- PoCs
- 101
- Process Herpaderping
- 101
- Info
- Process Herpaderping
- Process Herpaderping is a method of obscuring the intentions of a process by modifying the content on disk after the image has been mapped.
- Process Herpaderping – Windows Defender Evasion - NetbiosX(2021)
- Process Herpaderping
- Performing
- Detection
- PoC
- Process Hollowing
- 101
- Process Hollowing - John Leitch
- Process Hollowing
- Process hollowing is yet another tool in the kit of those who seek to hide the presence of a process. The idea is rather straight forward: a bootstrap application creates a seemingly innocent process in a suspended state. The legitimate image is then unmapped and replaced with the image that is to be hidden. If the preferred image base of the new image does not match that of the old image, the new image must be rebased. Once the new image is loaded in memory the EAX register of the suspended thread is set to the entry point. The process is then resumed and the entry point of the new image is executed.
- Information
- [Analyzing Malware Hollow Processes - Eric Monti(2011)(https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/analyzing-malware-hollow-processes/)
- Understanding Process Hollowing - Andrea Fortuna(2017)
- RunPE: a practical example of Process Hollowing technique - Andrea Fortuna(2017)
- 7th Meetup – Reversing and Investigating Malware Evasive Tactics – Hollow Process Injection - Monnappa(2017)
- New Wave of Hancitor Comes with New Evasive Techniques - Roy Moshailov(2016)
- What Malware Authors Don't Want You to Know - Evasive Hollow Process Injection - Monnappa K A(BlackHatUSA2017)
- Paper
- Hollow process injection is a code injection technique used by the malware authors to blend in with legitimate processes on the system and remain undetected; there are documented procedures to detect hollow process injection. This presentation focuses on undocumented hollow process injection techniques.
- Performing
- PoCs
- EvasiveProcessHollowing
- Proof of concept code which demonstrate a few of the "evasive process hollowing" techniques analyzed in the white paper "What Malware Authors Don't want you to know - Evasive Hollow Process Injection" written by Monnappa K A. The PoC code can be used as a testbed to replicate the memory forensics findings discussed in the white paper.
- ProcessHollowing
- Simple Process Hollowing in C#
- EvasiveProcessHollowing
- Malware
- Tools
- TikiTorch
- TikiTorch was named in homage to CACTUSTORCH by Vincent Yiu. The basic concept of CACTUSTORCH is that it spawns a new process, allocates a region of memory, then uses CreateRemoteThread to run the desired shellcode within that target process. Both the process and shellcode are specified by the user.
- TikiTorch
- 101
- Inject-Me
- 101
- Inject Me x64 Injection-less Code Injection - DeepInstinct(2019)
- Malware authors are always looking for new ways to achieve code injection, as it enables them to run their code in remote processes. Code Injection allows hackers to better hide their presence, gain persistence and leverage other processes’ data and privileges. Finding and implementing new, stable methods for code injection is becoming more and more challenging as traditional techniques are now widely detected by various security solutions or limited by native OS protections. Inject-Me is a new method to inject code into a remote process in x64. Inject-Me is in fact “injection-less”, meaning that the remote (target) process is manipulated to read data from the injecting process, copy and execute it. The manipulation is mainly based on abusing ReadProcessMemory and calling conventions in X64. In addition to presenting Inject-Me, we mention a generalized approach to copying data in remote processes to recreate shellcode from the injecting process.
- Please Inject me, a X64 code injection - Alon Weinberg(DeepInstinct2019)
- Please Inject me, a X64 code injection - Alon Weinberg(Defcon27)
- Inject Me x64 Injection-less Code Injection - DeepInstinct(2019)
- Info
- Performing
- Detection
- PoC
- 101
- Kernel Callback Table
- 101
- Info
- FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines - Andrea Allievi, Elia Florio
- You Failed ! - ivanlef0u.tuxfamily.org(2007)
- Kernel exploitation – r0 to r3 transitions via KeUserModeCallback - j00ru(2010)
- Callgate to user : nt!KeUserModeCallback & ROP / MDL - zer0mem(2013)
- How to run userland code from the kernel on Windows - Thierry Franzetti(2014)
- How to run userland code from the kernel on Windows – Version 2.0 - Edouard S(2016)
- North Korea’s Lazarus APT leverages Windows Update client, GitHub in latest campaign - MalwareBytes(2022)
- Performing
- Detection
- PoC
- KnownDLLs Cache Poisoning
- 101
- Windows Code Injection: Bypassing CIG Through KnownDlls - James Forshaw(2019)
- TL;DR; This blog post describes a technique to inject a DLL into a process using only Duplicate Handle process access (caveats apply) which will also bypass Code Integrity Guard.
- Windows Process Injection: KnownDlls Cache Poisoning - odzhan(2019)
- Windows Code Injection: Bypassing CIG Through KnownDlls - James Forshaw(2019)
- Info
- Performing
- Injection into a Process Using KnownDlls - Kotik Anton(2012)
- In his article, we will consider an interesting, universal and rarely used method of code injection into a Windows process using KnownDlls sections. To demonstrate the method work we will develop a sample project to inject into all running processes and intercept some calls from ws2_32.dll.
- Injection into a Process Using KnownDlls - Kotik Anton(2012)
- Detection
- PoC
- 101
- Mapping Injection
- Multiple Provider Router (MPR) DLL and Shell Notifications
- 101
- Info
- Performing
- Detection
- PoC
- NINA
- 101
- [NINA: x64 Process Injection (NINA: No Injection, No Allocation x64 Process Injection Technique.) - NtRaiseHardError(2020)]
- 101
- NtCreate
- PE Injection
- 101
- PE Format - docs.ms
- PE Format notes - corkami
- Portable Executable File Format - Johannes Plachy
- CONSTANT INSECURITY: (PECOFF) Portable Executable FIle Format - Mario Vuksan, Tomislav Pericin(BHUSA2011)
- Injecting code into executables with C - Michal Strehovsky(2007)
- Portable Executable Injection For Beginners - MalwareTech(2013)
- PE injection explained - Advanced memory code injection technique - Emeric Nasi(2014)
- Some thoughts about PE Injection - Andrea Fortuna(2018)
- Code Injection - Process PE Injection Basics - Emeric Nasi(2019)
- Powershell PE Injection: This is not the Calc you are looking for! - b33f
- Info
- Performing
- [PE Section Header Injection using Code Cave - ]
- Reflective PE Injection in Windows 10 1909 - HUBBL3
- [RedDev Series #1] PE Injection Trick - Chiam Yj(2020)
- Bypassing AV via in-memory PE execution - bats3c(2020)
- Detection
- See the Logging, System Monitoring and Threat Hunting Page.
- PoCs
- PE-Inject - DelphiBasics(2010)
- PE-inject - Michal Strehovsky
- ReflectivePELoader
- POC Reflective PE loader for DLL injection.
- SimplePELoader
- A very simple PE loader for loading DLL's into memory without using LoadLibrary
- Mandark
- Tiny 64-bit RunPE written in C#
- Loader
- C# Loader with BlackBone
- RunPE
- Code that allows running another windows PE in the same address space as the host process.
- loadlibrayy
- x64 PE injector with kernel handle elevation and thread hijacking capabilities
- Invoke-ReflectivePEInjection - PowerSploit
- Invoke-ReflectivePEInjection.ps1 - empire
- darkarmour
- 101
- PowerLoader(Ex)
- Print Spooler
- 101
- Performing
- Detection
- PoC
- PROPagate
- 101
- PROPagate – a new code injection trick - Hexacorn(2017)
- Propagate – yet another follow-up (hypothetical clipboard execution version) - Hexacorn(2018)
- PROPagate – a new code injection trick – 64-bit and 32-bit - Hexacorn(2017)
- PROPagate follow-up #2 – Some more Shattering Attack Potentials - Hexacorn(2018)
- Info
- Performing
- Detection
- PoC
- CLIPBRDWNDCLASS
- 101
- Service Control Handler
- 101
- Info
- Performing
- Detection
- PoC
- Shatter
- 101
- Shattering By Example - Brett Moore(BHUSA2004)
- Exploiting design flaws in the Win32 API for privilege escalation. Or... Shatter Attacks - How to break Windows. - Foon(2002)
- Shattering By Example. - Brett Moore(2003)
- Code injection via return-oriented programming - Wayne Low(2012)
- Windows Process Injection: WordWarping, Hyphentension, AutoCourgette, Streamception, Oleum, ListPlanting, Treepoline - odzhan(2019
- Windows Process Injection: EM_GETHANDLE, WM_PASTE and EM_SETWORDBREAKPROC - odzhan(2020)
- List of
- WordWarping https://www.hexacorn.com/blog/2019/04/23/wordwarper-new-code-injection-trick/
- Hyphentension
- AutoCourgette
- Streamception
- Oleum
- ListPlanting
- Treepoline
- 101
- Stack Bomber
- 101
- Info
- Performing
- Detection
- PoC
- Pinjectra
- Pinjectra is a C/C++ OOP-like library that implements Process Injection techniques (with focus on Windows 10 64-bit)
- Pinjectra
- Thread Execution Hijacking
- 101
- Info
- Ten process injection techniques: A technical survey of common and trending process injection techniques - Ashkan Hosseini(2017)
- PE 1nj3ct10n and Thread Hijacking For Malware Analysis - Alparslan Akyıldız academy(2019)
- Dridex’s Bag of Tricks: An Analysis of its Masquerading and Code Injection Techniques - Ratnesh Pandey
- Performing
- Detection
- PoC
- InjectThread.c
- ThreadBoat
- Program uses Thread Hijacking to Inject Native Shellcode into a Standard Win32 Application.
- cThreadHijack
- Beacon Object File (BOF) for remote process injection via thread hijacking
- ThreadLocal Storage Injection
- 101
- Info
- Performing
- Detection
- PoC
- Tooltips/Common Controls
- 101
- Info
- Performing
- Detection
- PoC
- Windows Notification Facility
- 101
- Info
- Performing
- Detection
- PoC
- WinSock Helper Functions(WSHX)
- 101
- Info
- Performing
- Detection
- PoC
- Zombify - herpaderping?
- Zombie Processes as a HIPS Bypass - Malwaretech(2014)
- ZombifyProcess
- create a standard Windows process in a suspended state, write our malicious code to the processes’ memory; the PEB and the EPROCESS structures will still be that of the original process, causing the HIPS to see the now malicious process as a legitimate signed executable (this is not RunPE or dynamic forking, because we don’t unmap the original executable and replacing it with our malicious one, as thos can be detected in multiple ways).
- Tradecraft Tips
- Unsorted
- New method of injection - w4kfu(2011)
- I disovered a new method of injection (I don't know if it is really new) in a malware dropped by duqu. So I want to share it with you and as usual write a p0c. Edit : This method is not new, apparently it have been using by game cheats for years, but instead of using ZwUnmapViewOfSection they use FreeLibrary.
- New method of injection - w4kfu(2011)