Office Injector - Invokes an RPC method in OfficeClickToRun service that will inject a DLL into a suspended process running as NT AUTHORITY\SYSTEM launched by the task scheduler service, thus achieving privilege escalation from administrator to SYSTEM.
Shim Injector - Writes an undocumented shim data structure into the memory of another process that causes apphelp.dll to apply the “Inject Dll” fix on the process without registering a new SDB file on the system, or even writing such file to disk.
DefCon Presentation
🔗 Source:
https://github.com/deepinstinct/ShimMe
#windows #office #rpc #inject #lpe
🔍 Deep Dive into Windows IPv6 TCP/IP
An overview of CVE-2024-38063, a remote code execution vulnerability in Windows IPv6 TCP/IP. Includes a technical summary, PoC instructions and a reproduction guide.
🔗 Research:
https://malwaretech.com/2024/08/exploiting-CVE-2024-38063.html
🔗 PoC:
https://github.com/ynwarcs/CVE-2024-38063
#windows #kernel #ipv6 #rce #poc
Malwaretech
CVE-2024-38063 - Remotely Exploiting The Kernel Via IPv6
Performing a root cause analysis & building proof-of-concept for CVE-2024-38063, a CVSS 9.8 Vulnerability In the Windows Kernel IPv6 Parser
New article about privilege escalation via vulnerable MSI files. All roads lead to NT AUTHORITY\SYSTEM.
🔗 Research:
https://cicada-8.medium.com/evil-msi-a-long-story-about-vulnerabilities-in-msi-files-1a2a1acaf01c
🔗 Source:
https://github.com/CICADA8-Research/MyMSIAnalyzer
#windows #msi #lpe
CVE-2024-30051 is an elevation of privilege vulnerability in Windows' DWM Core Library (dwmcore.dll). The flaw arises due to a heap-based buffer overflow in the CCommandBuffer::Initialize method, triggered by a miscalculation during memory allocation.
🖥 Affected versions
— Windows 10: 1507, 1607, 1809, 21H2, 22H2
— Windows 11: 21H2, 22H2, 23H2
— Windows Server: 2016, 2019, 2022
🔗 Source:
https://github.com/fortra/CVE-2024-30051
#windows #eop #dwm #research #poc
⚙️From COM Object Fundamentals To UAC Bypasses
A 25-minute crash course covering Tokens, Privileges, UAC, COM, and ultimately bypassing UAC.
🔗Research:
https://www.youtube.com/watch?v=481SI_HWlLs
🔗Source:
https://github.com/tijme/conferences/tree/master/2024-09%20OrangeCon/code
#windows #com #uac #bypass
YouTube
From COM Object Fundamentals To UAC Bypasses - Tijme Gommers
🔑 Three-Headed Potato Dog: NTLM and Kerberos Coercion
New research demonstrates how DCOM can coerce Windows systems to authenticate remotely, allowing attackers to relay NTLM or Kerberos authentication to AD CS over HTTP. This enables remote and cross-session authentication relay attacks, targeting both machine and user accounts.
🔗 Research:
https://blog.compass-security.com/2024/09/three-headed-potato-dog/
🔗 Source:
https://github.com/sploutchy/impacket/blob/potato/examples/potato.py
#ad #windows #dcom #relay #potato
📜 DGPOEdit
Disconnected GPO Editor - A Group Policy Manager launcher to allow editing of domain GPOs from non-domain joined machines
🔗 Source:
https://github.com/CCob/DGPOEdit
#ad #windows #gpo #policy
GitHub
GitHub - CCob/DRSAT: Disconnected RSAT - A method of running Group Policy Manager, Certificate Authority and Certificate Templates…
Disconnected RSAT - A method of running Group Policy Manager, Certificate Authority and Certificate Templates MMC snap-ins from non-domain joined machines - CCob/DRSAT
A new vulnerability related to capturing NTLMv2 hashes via Office URI schemes has been discovered. The http:// protocol can be used for attacks such as NTLM relay to a Domain Controller.
Microsoft 365 and Office 2019 versions are vulnerable, as they open remote files without warnings, unlike earlier versions. The exploit involves using a 302 redirect and abusing GPO misconfigurations to capture NTLMv2 hashes over SMB and HTTP.
🔗 Source:
https://github.com/passtheticket/CVE-2024-38200
#windows #office #ntlm #relay
GitHub
GitHub - passtheticket/CVE-2024-38200: CVE-2024-38200 & CVE-2024-43609 - Microsoft Office NTLMv2 Disclosure Vulnerability
CVE-2024-38200 & CVE-2024-43609 - Microsoft Office NTLMv2 Disclosure Vulnerability - passtheticket/CVE-2024-38200
🚀 Elevating Privileges in Windows via Activation Cache Poisoning
A deep dive into CVE-2024-6769, which leverages two chained bugs to escalate privileges from medium to high integrity. The first stage involves remapping the root drive, followed by a DLL hijacking exploit. The second stage poisons the Activation Cache through the CSRSS process to gain full administrator access.
🔗 Research:
https://www.coresecurity.com/core-labs/articles/cve-2024-6769-poisoning-activation-cache-elevate-medium-high-integrity
🔗 Source:
https://github.com/fortra/CVE-2024-6769
#windows #privesc #dll #hijacking
An in-depth look at CVE-2024-30090, a vulnerability in Kernel Streaming that allows privilege escalation via malformed IOCTL requests. By leveraging KS Event mishandling during 32-bit to 64-bit conversions, an attacker can exploit the bug pattern to gain arbitrary kernel-mode access.
🔗 Research:
Proxying to Kernel - Part I
Proxying to Kernel - Part II
🔗 Source:
https://github.com/Dor00tkit/CVE-2024-30090
#windows #streaming #kernel #cve #poc
A newly discovered vulnerability in BitLocker allows attackers to bypass encryption without physical access. By exploiting flaws in Windows Boot Manager and TPM interaction, attackers can intercept or extract the BitLocker recovery key during the boot process. This makes encrypted data vulnerable even without direct physical access.
🔗 Presentation:
https://media.ccc.de/v/38c3-windows-bitlocker-screwed-without-a-screwdriver
🔗 Research:
https://neodyme.io/en/blog/bitlocker_screwed_without_a_screwdriver/#conclusion
#windows #bitlocker #bitpixie #tpm
🖼 AnyDesk — Local Privilege Escalation (CVE-2024-12754)
A vulnerability in AnyDesk allows low-privileged users to perform arbitrary file read and copy operations with NT AUTHORITY\SYSTEM privileges. Exploitation is possible by manipulating the background image, creating symbolic links, and leveraging ShadowCopy, granting access to SAM, SYSTEM, and SECURITY files, ultimately leading to privilege escalation to administrator.
🔗 Source:
https://mansk1es.gitbook.io/AnyDesk_CVE-2024-12754
#windows #anydesk #lpe #cve
🛠 PsExeSVC - Remote Execution via Python
PsExeSVC is a Python-based tool that interacts with the PsExec service to execute remote commands without relying on Windows binaries. It enables privilege escalation, remote shell access, and user authentication via primary tokens, mimicking legitimate PsExec.exe behavior while bypassing security controls like EDR detection.
🔗 Research:
https://sensepost.com/blog/2025/psexecing-the-right-way-and-why-zero-trust-is-mandatory/
🔗 Source:
https://github.com/sensepost/susinternals
#windows #ad #psexec #edr #bypass
🔍 Exploring NTDS.dit
This blog post examines the structure of the NTDS.dit file, which stores data for Active Directory. It also introduces DIT Explorer, a new open-source tool designed for analyzing NTDS.dit, demonstrating how it interprets the database to provide a structured view of the directory.
🔗 Research:
https://trustedsec.com/blog/exploring-ntds-dit-part-1-cracking-the-surface-with-dit-explorer
🔗 Source:
https://github.com/trustedsec/DitExplorer
#ad #windows #ntds #dnt
A cross-platform tool to find and decrypt Group Policy Preferences passwords from the SYSVOL share using low-privileged domain accounts.
🚀 Features:
— Only requires a low-privileged domain user account.
— Automatically gets the list of all domain controllers from LDAP.
— Finds all the Group Policy Preferences passwords present in the SYSVOL share on each domain controller.
— Decrypts the passwords and prints them in cleartext.
— Outputs to an Excel file.
🔗 Source:
https://github.com/p0dalirius/FindGPPPasswords
#ad #windows #gpo #credentials
🔑 lsassStealer
lsassStealer is a tool designed to dump the memory of the Windows process "lsass.exe". The dump is performed entirely in RAM, then compressed using the zlib library and fragmented for transmission via UDP packets disguised as NTP packets. This method helps reduce detection by security solutions such as Windows Defender and advanced Endpoint Detection and Response (EDR) tools.
🔗 Source:
https://github.com/Aur3ns/lsassStealer
#windows #lsass #edr #bypass
GitHub
GitHub - Aur3ns/LsassStealer: Morpheus is an lsass stealer that extracts lsass.exe in RAM and exfiltrates it via forged and crypted…
Morpheus is an lsass stealer that extracts lsass.exe in RAM and exfiltrates it via forged and crypted NTP packets. For authorized testing only! - Aur3ns/LsassStealer
🔀 LdrShuffle
Code execution/injection technique using _LDR_DATA_TABLE_ENTRY structure manipulation in PEB to redirect EntryPoint of loaded DLLs. Allows code execution without using classic APIs like CreateRemoteThread or QueueUserAPC.
🔗 Source:
https://github.com/RWXstoned/LdrShuffle
#windows #peb #dll #injection #evasion
🔥 MS-RPC-Fuzzer
PowerShell-based fuzzer that automates MS-RPC vulnerability research by dynamically creating RPC clients and fuzzing procedures with random inputs. Visualizes results through Neo4j graphs to help researchers identify potentially vulnerable RPC services.
🔗 Research:
https://www.incendium.rocks/posts/Automating-MS-RPC-Vulnerability-Research/
🔗 Source:
https://github.com/warpnet/MS-RPC-Fuzzer
#rpc #fuzzing #windows #vulnerability #research
🔑 Golden DMSA
A critical vulnerability in Windows Server 2025 allows attackers with KDS root key access to generate passwords for all dMSA/gMSA accounts forest-wide. New research reveals a design flaw in the ManagedPasswordId structure: with only 1,024 possible combinations, brute force is trivial.
🔗 Research:
https://www.semperis.com/blog/golden-dmsa-what-is-dmsa-authentication-bypass/
🔗 Source:
https://github.com/Semperis/GoldenDMSA
#ad #windows #dmsa #kerberos #persistence
Forwarded from Whitehat Lab
GitHub
GitHub - synacktiv/GroupPolicyBackdoor: Group Policy Objects manipulation and exploitation framework
Group Policy Objects manipulation and exploitation framework - synacktiv/GroupPolicyBackdoor
A post-exploitation tool for various GPO manipulations. Written in
First presented at DEFCON 33
Examples:
#backup
python3 gpb.py restore backup -d 'corp.com' -o './my_backups' --dc ad01-dc.corp.com -u 'john' -p 'Password1!' -n 'TARGET_GPO'
#inject
python3 gpb.py gpo inject --domain 'corp.com' --dc 'ad01-dc.corp.com' -k --module modules_templates/ImmediateTask_create.ini --gpo-name 'TARGET_GPO'
Example ini:
[MODULECONFIG]
name = Scheduled Tasks
type = computer
[MODULEOPTIONS]
task_type = immediate
program = cmd.exe
arguments = /c "whoami > C:\Temp\poc.txt"
[MODULEFILTERS]
filters =
[{
"operator": "AND",
"type": "Computer Name",
"value": "ad01-srv1.corp.com"
}]
GPO creation, deletion, backup and injections
Various injectable configurations, with, for each, customizable options (see list in the wiki)
Possibility to remove injected configurations from the target GPO
Possibility to revert the actions performed on client devices
GPO links manipulation
GPO enumeration / user privileges enumeration on GPOs
#gpo #redteam #windows