This channel discusses:

— Offensive Security
— RedTeam
— Malware Research
— OSINT
— etc

Disclaimer:
t.me/APT_Notes/6

Chat Link:
t.me/APT_Notes_PublicChat
⭐️ Privileger

Privileger allows you to work with privileges in Windows as easily as possible. There are three modes:

— Add privileges to an account;
— Start a process, adding a specific privilege to its token;
— Remove a privilege from a user.

Thanks to:
@Michaelzhm

https://github.com/MzHmO/Privileger

#ad #windows #privilege #lsa
🔑 Dumping LSA: a story about task decorrelation

Discover the art of bypassing EDRs by decorrelating attack-tool behavior. This post explains the process of remote LSA secrets dumping and reveals techniques to retrieve a Windows computer's BOOTKEY without EDR detection.

🔗 Source:
https://sensepost.com/blog/2024/dumping-lsa-secrets-a-story-about-task-decorrelation/

#lsa #sam #dump #edr #bypass
👻 Ghost in the PPL: BYOVDLL

This blog post explores bypassing LSA Protection in Userland through the "Bring Your Own Vulnerable DLL" (BYOVDLL) technique. It also delves into the successful exploitation of vulnerabilities in the CNG Key Isolation service and the methods employed to load vulnerable DLLs within protected processes.

🔗 Source:
https://itm4n.github.io/ghost-in-the-ppl-part-1/

#lsa #lsass #ppl #dll #maldev
👻 Ghost in the PPL Part 2: From BYOVDLL to Arbitrary Code Execution in LSASS

In this second installment, the author deepens the exploration of techniques for bypassing LSASS protection, focusing on arbitrary code execution by refining the PoC, exploiting…
👻 Ghost in the PPL Part 3: LSASS Memory Dump

In the third part of the series, the author explores methods for dumping the memory of LSASS, including indirectly calling MiniDumpWriteDump, loading arbitrary DLLs into LSASS via the WinSock2 Autodial feature, and dynamically resolving addresses.

🔗 Source:
https://itm4n.github.io/ghost-in-the-ppl-part-3/

#lsa #lsass #ppl #dll #maldev