Home | S3cur3Th1sSh1t
This post will cover a little project I did last week and is about Named pipe Impersonation in combination with Pass-the-Hash (PTH) to execute binaries as another user. Both techniques used are not new and often used, the
only thing I did here is combination and modification of existing tools. The current public tools all use PTH for network authentication only. The difference to this “new” technique is therefore, that you can also spawn a new shell or C2-Stager as the PTH user for local actions
and network authentication
Unfortunately I learned, that my technique can only be used for local actions, but not for network authentication, as Impersonation Tokens are restricted to that.
In the last years my team at r-tec was confronted with many different company environments, in which we had to search for vulnerabilities and misconfigurations. For customers, who have not yet carried out regular penetration tests, we recommend in the initial step to check systems on the Internet (DMZ) as well as internal systems for the most common critical attack techniques and vulnerabilities. This can be done with a predefined number of person-days. Anything found within this period will be included in the report. This approach provides an initial overview of the most critical vulnerabilities and risks from both external and internal threats. For such initial projects, we also recommend choosing an open scope. Here, any of the client’s systems will be examined, but also any attack techniques such as social engineering via phishing mails can be used.
In this blog post I’m gonna cover the in my opinion most common findings in a Windows Active Directory environment, which can be found and abused for
Privilege Escalation and
Lateral Movement in such a project. It’s about on premises vulnerabilities and misconfigurations in an internal company environment as well as mitigations.
In the last months I was often asked about potential errors using PowerSharpPack or other PS1-scripts loading .NET assemblies via
[System.Reflection.Assembly]::Load(). The reason for theese messages is actually not an error or a bug, but the .NET AMSI Interface, which catches the binaries loaded via
[System.Reflection.Assembly]::Load(). Some of the public Powershell AMSI bypasses just don`t work for loaded .NET binaries and the error message is not self explanatory. Therefore I’m gonna show some examples and bypass methods in this post.
In a time full of ransomware as well as Advanced persistent Thread (APT) incidents the importance of detecting those attacking groups has become increasingly important. Some years ago the best tools/techniques for security incident detection and response included a SIEM-system filled with logs from IPS/IDS systems, proxies, firewalls, AV-logs and so on. In the recent years, an in my personal opinion increasingly relevant component has been added - “Endpoint detection and response - EDR” systems and or features. The features of those EDR systems include live monitoring of endpoints, data analysis, Threat-detection and blocking as well as Threat-hunting capabilities. In both, penetration tests and red-team engagements, these systems
can make it difficult to use the public offensive security toolings, as they are more often detected and blocked. However, theese systems have a weakness which allows attackers to bypass the protection. In this blog post I’m gonna summarize all EDR bypass methods I found so far.
In this post I’m telling a short story from an environment I faced some time ago and how to handle the situation bypassing
Constrained Language Mode and
Applocker using well known techniques. I recently had some time to take a look at the OffensiveNim repository by @byt3bl33d3r who did some really awesome work here. By looking at the code examples and fiddling around with some of them I found that this is pretty cool and has nice benefits. Therefore the seccond chapter is about my amusings with the Nim templates. C# binaries wrapped in Nim could have been used to bypass the windows protection mechanisms as well - for fun and profit. There will be nothing new in this blog post, everything used is already public. But maybe some of you will face a similar situation in the future - this post could maybe help you here.
This post will cover a little Excel Macro project by @0x23353435 and me. It was made during an engagement at a customers environment. They were using a password protected Excel-file as password manager. This post will show how to attack such szenarios and why people should not use this method for password storage.
This post will cover how to edit some open source Command & Control (C2) Frameworks source code for AV-Evasion. It will cover Powershell Empire, Pupy C2 and Covenant.
This post will cover how to build a custom Mimikatz binary by doing source code modification to get past AV/EDR software.
This blog post will cover some lets say more advanced AMSI triggers. I decided to build a custom Invoke-Mimikatz script without AMSI trigger. I will also cover some information how Invoke-Mimikatz basically works for those who did not know it before.
This is my very first blog post. Its about how to manually change AMSI signatures/triggers to bypass it.