A while ago I read some posts by Patrik Hudak (0xpatrick) about finding subdomain takeover candidates. At the time there was a tool called subjack that is supposed to automate the process of checking if a subdomain can be taken over. I say “supposed to” because subjack is written in Go and I am far,…
All posts in redteam
Update to Get-RBCD-Threaded: Including WriteDacl and WriteProp
In my previous post on resource-based constrained delegation (RBCD), I created a tool called Get-RBCD-Threaded to enumerate AD environments for possible RBCD attack paths. Get-RBCD-Threaded worked by finding AD users, groups, and computer objects that had either GenericAll, GenericWrite, or WriteOwner privileges on another computer object. These permissions would allow you to modify the ms-DS-Allowed-To-Act-On-Behalf-Of-Other-Identity…
Getting Rastamouse’s AmsiScanBufferBypass to Work Again
When I need to bypass AMSI, I tend to use RastaMouse's AmsiScanBufferBypass. Rastamouse has a few blog posts that cover how it works. The basics of it are this: Load amsi.dll, then patch the AmsiScanBuffer() function so that it always returns AMSI_RESULT_CLEAN. This allows for your nasty payloads to execute without AMSI ruining your day.…
DLL Search Order Hijacking with vmms.exe / Hyper-V
In one of my darker moments, I decided to install Hyper-V on my Windows 10 desktop. While looking into other issues on my system, I noticed that during system startup vmms.exe, which is related to Hyper-V, was looking for a DLL in a directory I had added to my path. To test out if this…
Unprivileged Zoom Persistence Part 2 – COM Hijacking
In a previous post I discussed how to do user persistence with the Zoom client by abusing its folder permissions to drop a DLL and patching the Zoom.exe binary. Zoom fixed the issue of dropping an arbitrary DLL to be loaded by Zoom by adding a check for loaded DLLs, and patching the binary is…
Privilege Escalation and Persistence through Steam Install Scripts
Note: These issues were last tested with the Steam version shown below: After playing around looking for DLL side-loading issues in System32, I started looking around on my system outside of System32 for any interesting applications I had installed that could be leveraged. One application that immediately caught my eye was Steam, since its installation…
Covenant C2 Infrastructure with Azure Domain Fronting
In a previous post I discussed how to set up basic redirectors with Covenant C2. In this post, I hope to show you how to use domain fronting through an Azure CDN for your C2 traffic. A lot of this is based on another post I read from ar-infosec that you can find here. What is Domain…
Privilege Escalation with Canon MX490 Printer Drivers
As part of my “research” I created a tool called “Get-Writable” that will search for .exe and .dll files that are world writable. You pass Get-Writable a directory path, and it will recursively look through every directory to find files. I had Get-Writable start at the “C:\” root to try and find all writable .exe’s…
Unprivileged User Persistence with Zoom
*** UPDATE: It looks like the most recent version of Zoom has fixed the issue of loading an unsigned DllSafeCheck.dll. This persistence technique no longer works. Thank you to @LadhaAleem for bringing this to my attention. See the Patching Zoom.exe section for details on how this can be bypassed. Zoom has been in security news…
DLL Side-loading and Zero-width Spaces
My previous post discussed using appverif.exe and DLL side-loading to execute a payload on a system. The advantage of using a legitimate Microsoft signed binary such as appverif.exe to load and execute your DLL was to bypass anti-virus and application whitelisting. One drawback to this technique is that you are executing appverif.exe outside of its…