🎯 Focus

paranoidrookie

🎯
专注
View GitHub Profile
@susMdT
susMdT / shitcode.c
Last active December 2, 2024 04:25
hahaha da shellcode go brrrr
#include <Core.h>
#include <Win32.h>
#include <Structs.h>
#include <Sleep.h>
#include <Utils.h>
SEC( text, C ) VOID Ekko ( DWORD SleepTime, PINSTANCE Instance)
{
@xpn
xpn / LAPSDecrypt.cs
Last active October 11, 2024 18:16
Quick POC looking at how encryption works for LAPS (v2)
using System;
using System.Collections.Generic;
using System.DirectoryServices.Protocols;
using System.Globalization;
using System.Linq;
using System.Runtime.InteropServices;
using System.Runtime.InteropServices.ComTypes;
using System.Security.Policy;
using System.Security.Principal;
using System.Text;
#define _WIN32_WINNT 0x0502
#define WINVER 0x0502
#include <windows.h>
#include <errhandlingapi.h>
#include <process.h>
#include "beacon.h"
WINBASEAPI PVOID WINAPI KERNEL32$AddVectoredExceptionHandler (ULONG First, PVECTORED_EXCEPTION_HANDLER Handler);
DECLSPEC_IMPORT uintptr_t __cdecl MSVCRT$_beginthreadex(void *_Security,unsigned _StackSize,_beginthreadex_proc_type _StartAddress,void *_ArgList,unsigned _InitFlag,unsigned *_ThrdAddr);
DECLSPEC_IMPORT void __cdecl MSVCRT$_endthreadex(unsigned _Retval);
@tothi
tothi / certifried_with_krbrelayup.md
Last active December 18, 2024 19:47
Certifried combined with KrbRelayUp: non-privileged domain user to Domain Admin without adding/pre-owning computer accounts

Certifried combined with KrbRelayUp

Certifried (CVE-2022-26923) gives Domain Admin from a non-privileged user, with the requirement of adding computer accounts or owning a computer account. Kerberos Relay targeting LDAP and Shadow Credentials gives a non-privileged domain user on a domain-joined machine local admin access on (aka owning) the machine. Combination of these two: a non-privileged domain user escalating to Domain Admin without the requirement of adding/owning computer accounts.

The attack below uses only Windows (no Linux tools interacting with the Domain), simulating a real-world attack scenario.

Prerequisites:

@tothi
tothi / krbrelay_privesc_howto.md
Last active April 23, 2025 01:59
Privilege Escalation using KrbRelay and RBCD

KrbRelay with RBCD Privilege Escalation HOWTO

Short HOWTO about one use case of the work from Cube0x0 (KrbRelay) and others.

TL;DR

No-Fix Local Privilege Escalation from low-privileged domain user to local system on domain-joined computers.

Prerequisites:

  • LDAP signing not required on Domain Controller (default!)
@N4kedTurtle
N4kedTurtle / CredGuard_PoC
Created August 25, 2020 14:17
PoC for enabling wdigest to bypass credential guard
#define _CRT_SECURE_NO_WARNINGS
#include <Windows.h>
#include <Psapi.h>
#include <TlHelp32.h>
#include <iostream>
DWORD GetLsassPid() {
    PROCESSENTRY32 entry;
    entry.dwSize = sizeof(PROCESSENTRY32);
@peewpw
peewpw / shellcode_x64.py
Created May 12, 2020 16:03
64 bit Python3 compatible shellcode runner
# 64 bit compatible shellcode launcher
#
# The versions of this I've attempted to use appear to only work in 32-bit Python (at least for 3.7-8).
# Hence why this was needed to solve a problem.
#
# based on work from:
# http://www.debasish.in/2012/04/execute-shellcode-using-python.html
# https://www.christophertruncer.com/shellcode-manipulation-and-injection-in-python-3/
# https://stackoverflow.com/a/61258392
#
@seajaysec
seajaysec / customqueries.json
Last active February 12, 2025 16:58
bloodhound custom queries
{
  "queries": [{
    "name": "List all owned users",
    "queryList": [{
      "final": true,
      "query": "MATCH (m:User) WHERE m.owned=TRUE RETURN m"
    }]
  },
  {
    "name": "List all owned computers",
@yingray
yingray / main.go
Last active April 7, 2025 16:57
Golang: aes-256-cbc examples (with iv, blockSize)
package main

import (
    "bytes"
    "crypto/aes"
    "crypto/cipher"
    "encoding/hex"
    "fmt"
)
@xenoscr
xenoscr / Start-Hollow.ps1
Created June 13, 2018 12:02
Process Hollowing with PowerShell - by FuzzySec
function Start-Hollow {
<#
.SYNOPSIS
This is a proof-of-concept for process hollowing. There is nothing new here except
maybe the use of NtCreateProcessEx which has some advantages in that it offers a
convenient way to set a parent process and avoids the bothersome Get/SetThreadContext.
On the flipside CreateRemoteThreadEx/NtCreateThreadEx are pretty suspicious APIs.
I wrote this POC mostly to educate myself on the mechanics of hollowing. It is possible
to load the Hollow from an internal byte array straight into memory but I have not