| "Top 1000 values of registry.path",Count | |
| "HKLM\SYSTEM\ControlSet001\Services\WinDefend\Start","1,483" | |
| "HKLM\SYSTEM\ControlSet001\Services\UsoSvc\Start","1,477" | |
| "HKLM\SYSTEM\ControlSet001\Services\WaaSMedicSvc\Start","1,477" | |
| "HKLM\SYSTEM\ControlSet001\Services\wuauserv\Start","1,477" | |
| "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService\Start",6 | |
| "HKLM\SYSTEM\ControlSet001\Services\Sense\Start",6 | |
| "HKLM\SYSTEM\ControlSet001\Services\WdBoot\Start",6 | |
| "HKLM\SYSTEM\ControlSet001\Services\WdFilter\Start",6 | |
| "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv\Start",6 |
| #include <iostream> | |
| #include <Windows.h> | |
| #include <winternl.h> | |
| #include <psapi.h> | |
| typedef NTSTATUS(NTAPI* pLdrLoadDll) ( | |
| PWCHAR PathToFile, | |
| ULONG Flags, | |
| PUNICODE_STRING ModuleFileName, |
| #include <Windows.h> | |
| #include <stdio.h> | |
| #define PRINTDEBUG(fmt, ...) printf(fmt "\n", ##__VA_ARGS__) | |
| #define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0) | |
| #define WORKER_FACTORY_FULL_ACCESS 0xf00ff | |
| typedef struct _UNICODE_STRING { |
| # | |
| # multi-command mimikatz in a Cobalt Strike beacon extending the built-in mimikatz functionality | |
| # | |
| # cmd separator is | | |
| # | |
| # practical example: export machine certificates (including non-exportable private key :)): | |
| # | |
| # mmimikatz "crypto::capi|crypto::certificates /systemstore:local_machine /store:my /export" | |
| # |
This exploit path will only imply if you have an interactive session on a domain joined workstation regardless the privilege of the account (it could be a low privileged account)
KrbRelayUp.exe relay -m shadowcred -f
Certifried (CVE-2022-26923) gives Domain Admin from non-privileged user with the requirement adding computer accounts or owning a computer account. Kerberos Relay targeting LDAP and Shadow Credentials gives a non-privileged domain user on a domain-joined machine local admin access on (aka owning) the machine. Combination of these two: non-privileged domain user escalating to Domain Admin without the requirement adding/owning computer accounts.
The attack below uses only Windows (no Linux tools interacting with the Domain), simulating a real-world attack scenario.
Prerequisites:
| function Get-ProcessPipes{ | |
| param( | |
| [Parameter(Mandatory=$false)] | |
| [string]$CSV, | |
| [Parameter(Mandatory=$false)] | |
| [switch]$All | |
| ) | |
| Add-Type -TypeDefinition @" | |
| using System; |
Short HOWTO about one use case of the work from Cube0x0 (KrbRelay) and others.
No-Fix Local Privilege Escalation from low-priviliged domain user to local system on domain-joined computers.
Prerequisites:
| #!/usr/bin/env python3 | |
| from typing import Iterable, Union, Any | |
| # freq: frequency in Hz | |
| # zerolen: length of space bit in μs | |
| # onelen: length of mark bit in μs | |
| # repeats: number of times to repeat sequence | |
| # pause: time to wait in μs between sequences | |
| # bits: string of ones and zeros to represent sequence |
| #!/bin/bash | |
| # | |
| # patch ramdisk.img (for installing Magisk on x64 Android emulator) | |
| # | |
| # x86_64 on Android 12 (API Level 32) is supported/tested currently | |
| # | |
| # install AVD: | |
| # | |
| # sudo sdkmanager 'system-images;android-32;google_apis_playstore;x86_64' |