A collection of techniques that allow users to escalate privileges to local administrator and then to NT Authority\System. On a Windows domain, readers can use the described techniques to escalate to domain administrator.
A follow on to the Encyclopedia Of Windows Privilege Escalation published by InsomniaSec at Ruxcon 2011, this talk is aimed at detailing not just escalation from user to admin and admin to system, but persistence and forced authentication as well as a few other treats.
Identifying privilege escalation paths within an Active Directory environment is crucial for a successful red team. Over the last few years, BloodHound has made it easier for red teamers to perform reconnaissance activities and identify these attack paths. When evaluating BloodHound data, it is common to find ourselves having sufficient rights to modify a Group Policy Object (GPO). This level of access allows us to perform a number of attacks, targeting any computer or user object controlled by the vulnerable GPO.
In this talk we will present previous research related to GPO abuses and share a number of misconfigurations we have found in the wild. We will also present a tool that allows red teamers to target users and computers controlled by a vulnerable GPO in order to escalate privileges and move laterally within the environment.
PSConfEU - Offensive Active Directory (With PowerShell!) (Will Schroeder)
This talk covers PowerShell for offensive Active Directory operations with PowerView. It was given on April 21, 2016 at the PowerShell Conference EU 2016.
Here Be Dragons: The Unexplored Land of Active Directory ACLs (Andy Robbins)
Presented by Andy Robbins, Rohan Vazarkar, and Will Schroeder at DerbyCon 7.0: Legacy, in Louisville, Kentucky, 2017.
See the video recording of the presentation here: https://www.youtube.com/watch?v=mfaFuXEiLF4
This presentation was given at BSides Austin '15, and is an expanded version of the "I hunt sys admins" Shmoocon firetalk. It covers various ways to hunt for users in Windows domains, including using PowerView.
Level Up! - Practical Windows Privilege Escalation (jakx_)
For attackers, obtaining access to a Windows workstation with limited privileges can really put a damper on your day. Low privileged access can be a roadblock for even the most skilled "undocumented administrators". Local administrator access to a Windows machine within an Active Directory domain often results in the ability to compromise the whole domain. This talk will walk through how attackers and defenders can learn to identify and exploit practical Windows privilege escalation vectors on the Windows 7 OS.
Operational Security (OPSEC) is one of the most important aspects to consider in Adversary Simulations (usually called "Red Teaming"). When talking about OPSEC, it is common to think of matters like AV/EDR evasion, avoiding "noise" or using built-in/legitimate tools whenever possible. In fact, the scope of the term OPSEC is usually wider than that.
OPSEC usually refers to the identification and protection of data that could be useful to an adversary. In Adversary Simulations, the adversary is the organisation's security team (Blue Team) and the goal is to improve their detection capabilities. This is why the maturity of an organisation should dictate the complexity required to carry out these operations, so that the objectives are met with the minimum effort, as a real attacker would do.
For example, for experienced Blue Teams, the mere fact of using legitimate tools such as net.exe (e.g. "net users /domain") or powershell.exe could be enough for the whole operation to be discovered, whereas in other organisations or situations these same actions could go completely unnoticed.
In this presentation we will discuss how you should review and understand your own toolset and procedures in order to gain OPSEC. We will cover how to deal with trade-offs, and why understanding your adversary is key in that matter. In addition, sources of detection (disk, memory, network...) and resources commonly employed by defenders (events, hooks, callbacks...) will be explained visually and practically to help you build and improve your operations.
The goal of Understanding and Hiding your Operations is to be a resource for comprehending the meaning of OPSEC and creating awareness in your operations, so that you can successfully face – and improve – experienced security teams and their detection capabilities.
[errata] For more information on DCSync and associated permissions, as well as AdminSDHolder and associated permissions, see Sean Metcalf's respective posts at https://adsecurity.org/?p=1729 and https://adsecurity.org/?p=1906 .
"An ACE Up the Sleeve: Designing Active Directory DACL Backdoors" was presented at BlackHat and DEF CON 2017.
PowerUp - Automating Windows Privilege Escalation (Will Schroeder)
This slidedeck was given as a firetalk at @BSidesBoston '14, and covers the genesis and implementation of PowerUp, a Powershell tool for Windows privilege escalation.
Windows privilege escalation by Dhruv Shah (OWASP Delhi)
Different scenarios leading to privilege escalation
Design issues, implementation flaws, untimely system updates, permission issues etc.
We ain’t talking about overflows here, just logic and techniques
Owning computers without shell access 2 (Royce Davis)
These are the slides from my talk at BSides Puerto Rico 2013. I will post a link to the slides later.
Abstract:
For many years Penetration Testers have relied on gaining shell access to remote systems in order to take ownership of network resources and enterprise owned assets. AntiVirus (AV) companies are becoming increasingly more aware of shell signatures and are therefore making it more and more difficult to compromise remote hosts. The current industry mentality seems to believe the answer is stealthier payloads and super complex obfuscation techniques. I believe a more effective answer might lie in alternative attack methodologies involving authenticated execution of native Windows commands to accomplish the majority of shell reliant tasks common to most network level penetration tests. The techniques I will be discussing were developed precisely with this style of attack in mind. Using these new tools, I will demonstrate how to accomplish the same degree of network level compromise that has been enjoyed in the past with shell-based attack vectors, while avoiding detection from AV solut
Lions, Tigers and Deers: What building zoos can teach us about securing micro... (Sysdig)
How to secure microservices running in containers? Strategies for Docker, Kubernetes, OpenShift, RancherOS, DC/OS Mesos.
Privilege, resource and visibility constraints with capabilities, cgroups and namespaces. Image vulnerability scanning and behavioural security monitoring with Sysdig Falco.
Lateral Movement: How attackers quietly traverse your Network (EC-Council)
After successfully attacking an endpoint and gaining a foothold there, sophisticated attackers know that to get to the valuable data within an organization they must quietly pivot. From reconnaissance to escalation of privileges to stealing credentials, learn about the tactics and tools that attackers are using today.
Talk given by Cem Gürkök, Lead InfoSec Engineer at Salesforce, at DockerCon 16 in June 2016
Customer trust and security is paramount for Salesforce. While containerization is great for DevOps due to flexibility, speed, isolation, transient existence, ease of management and patching, it becomes a challenging environment when the sensitivity level of the data traversing the environment increases. Monitoring systems, applications and network; performing disk, memory and network forensics in case of an incident; and vulnerability detection can easily become daunting tasks in such a volatile environment.
In this presentation we would like to discuss the infrastructure we have built to address these issues and to secure our Docker container platform while we rapidly containerize Salesforce. Our solutions focus on securing the container pipeline, building security into the architecture, monitoring, Docker forensics (disk, memory, network), and automation. We also would like to demonstrate some of our live memory analysis capabilities we leverage to assure container and application integrity during execution.
Project: Malware Analysis
CS 6262 Project 3
Agenda
• Part 1: Analyzing Windows Malware
• Part 2: Analyzing Android Malware
Scenario
• Analyzing Windows Malware
  • You got a malware sample from the wild. Your task is to discover what the malware does by analyzing it.
  • How do you discover the malware’s behaviors?
    • Static Analysis
      • Manual Reverse Engineering
      • Programmatic binary analysis
    • Dynamic Analysis
      • Network behavioral tracing
      • Run-time system behavioral tracing (File/Process/Thread/Registry)
    • Symbolic Execution
    • Fuzzing
Scenario
• In our scenario, you are going to analyze the given malware with tools that we provide.
  • The tools help you to analyze the malware with static and dynamic analysis.
• Objective
  1. Find which server controls the malware (the command and control (C2) server)
  2. Discover how the malware communicates with the command and control (C2) server
     • URL and Payload
  3. Discover what activities are done by the malware payload
     • Attack Activities
Scenario
• Requirement
  • Make sure that no malware traffic goes out from the virtual machine
    • But updating of the malware (stage 2) and downloading the payload (stage 3) are required to be allowed (set as the default option)
  • The command and control server is dead. You need to reconstruct it
    • Use tools to reconstruct the server, then reveal hidden behaviors of the malware
  • Analyze network traffic on the host, and figure out the list of available commands for the malware
  • Analyze the network traffic trace of the host, and figure out what the malware does
  • Write down your answer in assignment-questionnaire.txt
Project Structure
• A Virtual Machine for malware analysis
  • Please download and install the latest version of VirtualBox, or update your existing installation.
    • https://www.virtualbox.org/wiki/Downloads
  • Download the VM
    • Download links
      • http://ironhide.gtisc.gatech.edu/vm_2018.7z
      • http://bombshell.gtisc.gatech.edu/vm_2018.7z
    • Verify the md5 hash of the 7z file: 537e70c4cb4662d3e3b46af5d8223fd
  • Please install 7zip or p7zip
    • Windows, Linux and macOS: http://www.7-zip.org/download.html
  • Unarchive the 7z file
    • Password: GTVM!
Project Structure
• Open VirtualBox
  • Go to File->Import Appliance.
  • Select the ova file and import it.
  • For detailed information on how to import the VM, see:
    • https://docs.oracle.com/cd/E26217_01/E26796/html/qs-import-vm.html
• VM user credentials
  • Username: analysis
  • Password: analysis
Project Structure
• In the Virtual Machine (VM)
  • Files
    • init.py
      • This initializes the project environment
      • Type your Georgia Tech username (same login name as Canvas) after running this
    • update.sh
      • This script updates the VM if any further update has been made by the TA
      • DO NOT execute the scri.
Security research over Windows #defcon china (Peter Hlavaty)
Over the past several years Microsoft Windows has undergone a lot of fundamental security changes. While one can argue it is still imperfect and bound to tons of legacy issues, those changes have made important shifts in the attacker's perspective: from tightened sandboxing, restricting attack surface and introducing mitigations, to applying virtualization and a stronger focus even on win32k. In our talk we will go through those changes, how they affect us and how we tackle them, from choosing targets and finding bugs up to the exploitation primitives we are using. We will also emphasize that Windows research is not only about the sandbox, and that there are many more interesting targets to look for.
Attackers don’t just search for technology vulnerabilities; they take the easiest path and find the human vulnerabilities. Drive-by web attacks, targeted spear phishing, and more are commonplace today, with the goal of delivering custom malware. In a world where custom advanced malware handily evades signature and blacklisting approaches and does not depend on application software vulnerabilities, how do we know when our environments are compromised? What are the telltale signs that compromise activity has started, and how can we move to arrest a compromise in progress before the attacker moves laterally and reinforces their position? The penetration testing community knows these signs and artifacts of advanced malware presence, and it is up to us to help educate defenders on what to look for.
3. This talk is not about
• Kernel level exploits
• Race conditions
• Heap/stack, any form of overflows
• A pentester’s approach on a network
• Jibber jabber from experience
• Real world examples
• Design issues, misconfigurations, binary planting, permission issues, forensics, hash passing/spraying etc.
5. Administrator to System is trivial
• psexec -s -i -d cmd.exe
• Token impersonation/stealing
• C:\> at /interactive 14:50 cmd.exe (schtasks in Win 7 and higher)
20. Other places / software
• Autologon [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
• HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions
• Search the OS using dir /s and findstr /S /I (.xlsx, .docx, .pdf etc.)
• Search the Windows registry using reg query
22. Disk Image data
• Search for *.vmdk, *.vdi, *.vhd, *.qed
• VMware, Virtual and Virtual PC disk images
• ISO files, Ghost images, Daemon Tools images etc.
• Memory snapshots (*.vmem files for example)
• Volatility FTW!
26. I came, I saw, I passed the hash
• use exploit/windows/smb/psexec
• Windows Credential Editor + net use + sysinternals psexec
• Windows Credential Editor + net use + wmiexec.py (Impacket)
• Good way to identify if the user is local admin on any other machine
31. Message Passing
• Passing a message via SendMessage to the message loop of the main thread of the program
• The Shatter attack allowed cross-process message passing between an unprivileged process and a privileged thread.
• Can be used to pass a message to a windowed system object running on a thread as NT Authority\SYSTEM
• CB_DIR, LB_DIR etc.
38. Abusing load paths
• A binary can call code from external link libraries (DLLs)
• Static (load-time) loading
• Dynamic loading using kernel32.LoadLibrary()
• Both can be abused because the path is (most likely) user controlled
Not exhaustive: the complete list is not known until the program is disassembled and every LoadLibraryA() call is traced, and LoadLibrary calls may sit in functions that are never called.
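The audit below is an added example, not code from the deck or from PowerUp: it lists the directories on the machine-wide PATH (or any directory list you pass in) that Everyone, Authenticated Users, BUILTIN\Users or INTERACTIVE can write to, which is the condition that makes the load-path abuse above possible. It assumes Windows PowerShell 5.1 or later and only reads ACLs, so it runs as an unprivileged user and can be scheduled as a hardening check.

```powershell
# Added example, not from the slides: audit which directories on the machine-wide PATH
# (or any directory list you pass in) can be written by ordinary users. A privileged
# process that resolves a DLL through the search path will look in these directories,
# so every user-writable entry is a DLL planting exposure to re-ACL or remove.
function Get-WritableSearchPathEntry {
    [CmdletBinding()]
    param(
        # Defaults to the machine-wide PATH; pass the install directory of a service
        # binary instead to audit that binary's own load path.
        [string[]]$Directory = ([Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';')
    )

    # Well-known SIDs that mean "any user" rather than administrators.
    $lowPrivSids = @(
        'S-1-1-0',      # Everyone
        'S-1-5-11',     # Authenticated Users
        'S-1-5-32-545', # BUILTIN\Users
        'S-1-5-4'       # INTERACTIVE
    )

    # Rights that let a principal drop or replace a file in the directory.
    $writeRights = [System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories, Modify, FullControl'
    # Inherited ACEs sometimes carry raw generic access masks instead of enum names.
    $genericAll   = 0x10000000
    $genericWrite = 0x40000000

    foreach ($raw in $Directory) {
        $dir = [Environment]::ExpandEnvironmentVariables($raw.Trim())
        if ([string]::IsNullOrWhiteSpace($dir)) { continue }

        if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
            # A dangling PATH entry is still consulted during DLL resolution; remove it.
            [pscustomobject]@{ Path = $dir; Principal = ''; Rights = ''; Issue = 'PATH entry does not exist' }
            continue
        }

        try { $acl = Get-Acl -LiteralPath $dir -ErrorAction Stop } catch { continue }

        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            try {
                $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
            } catch { continue }
            if ($lowPrivSids -notcontains $sid) { continue }

            # Compare as integers so raw generic masks are handled alongside enum values.
            $mask = [int]$ace.FileSystemRights
            $canWrite = ( ($mask -band [int]$writeRights) -ne 0 -or
                          ($mask -band $genericAll) -ne 0 -or
                          ($mask -band $genericWrite) -ne 0 )
            if ($canWrite) {
                [pscustomobject]@{
                    Path      = $dir
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Issue     = 'low-privileged principal can write'
                }
            }
        }
    }
}

Get-WritableSearchPathEntry | Format-Table -AutoSize
```

An empty result means no PATH directory is writable by the listed principals; any row is a directory whose ACL should be tightened to administrators and SYSTEM, or an entry that should be dropped from PATH.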