Windows

Privilege Escalation

• mimikatz
  • pypykatz
• Invoke-TheHash
• WinPEAS
• PowerSploit
• PowerView
• PywerView
  • Because Python is cool
  • Note that it may not have as many features as PowerView
• PowerShell Empire
  • Also see the fork that's actually being updated: BC-SECURITY/Empire
  • Searchable Empire Module Library
• UACME
  • Defeat UAC
• Gopher
  • Automatically discover low-hanging fruit
• EDR checks
  • Detect AV/EDR/UBA/whatever
  • Powershell: Invoke-EDRChecker
  • C#: SharpEDRChecker
• SMBMap
  • Enumerate samba shares
• Bypass AppLocker
• Run PowerShell w/ DLLs only
• WindowsEnum
  • PowerShell script
  • NOTE: Kinda old, from 2018 - sanity checks wouldn't be a bad idea
• windows-privesc-check
  • Standalone executable
  • NOTE: Kinda old, from 2015 - sanity checks wouldn't be a bad idea
• PrintNightmare
• dogwalk
  • Abuse diagcab file in Outlook to get path traversal -> RCE on boot
• sam-the-admin
  • Impersonate DA from standard user
  • CVE-2021-42278, CVE-2021-42287
• EventViewerUAC_BOF
  • TODO: Description
• siofra
  • Identify + exploit DDL hijacking vulns
• nishang
  • Offensive PowerShell framework
• Powerless
  • Windows privesc script designed with OSCP labs in mind
• Access Token Manipulation
  • Primary Access Token Manipulation
  • Ret2pwn
    • Part 1
    • Part 2
    • To be continued?
• JAWS
  • Just Another Windows (enum) Script

Resources/Articles

• Windows LPE
• PayloadsAllTheThings
• Mark-of-the-Web from a red team's perspective
• "Fileless" UAC Bypass Using sdclt.exe

Post-Exploit

TODO: Clean this up

• DSInternals
  • Useful for C# dev against Windows
• (Unofficial) TTP checklist
  • Just for sanity checks
• Phant0m
  • Kill event logs
• Koadic
  • Rootkit
  • Dead project?
• SILENTTRINITY
  • C2/post-exploit framework
• ssh-agent
  • Dump registry hive Computer\HKEY_CURRENT_USER\Software\OpenSSH\Agent\Keys
  • WARNING: This is an open issue on GitHub - check to see if MS has fixed this or kept it as "by design"
• WebClient Abuse (WebDAV)
  • Can be useful for coercing auth since it elicits HTTP auth instead of SMB (see PetitPotam)
  • TODO: Link an actual tool (CrackMapExec, webclientservicescanner)
• CreateHiddenAccount
  • Create hidden accounts w/ the registry
• WDigest Clear-Text Passwords
  • TL;DR You can skip the NTLM hash if this isn't configured correctly
  • Check the UseLogonCredential setting
• suborner
  • Create a hidden Windows account without invoking APIs that'd trigger event logs
  • The article is really neat too: Suborner: A Windows Bribery for Invisible Persistence
• WMEye
  • Lateral movement over WMI and remote MSBuild execution
• DumpNParse
  • Combination LSASS dumper/parser
• win-brute-logon
  • Install guest account, crack any local users
• SharpUp
  • C# port of PowerUp-related functionality
• lsarelayx
  • NTLM relaying tool
• Disable Powershell Logging
• Seatbelt
  • Host-survery "safety checks"
• PowerShell-via-CSharp
  • More for a reference than anything - this isn't hard in principle
• pinjectra
  • C/C++ library that implements process injection techniques

Evasion

• Veil
  • WARNING: Don't install w/ apt! As of 2023-10-23, the package is broken and won't work until it's updated to be updated.

Exploits

• SystemNightmare
  • Print spool abuse
• Follina
  • MS Office URI abuse (specifically ms-msdt in this instance)
• Proxy-Attackchain
  • Full ProxyLogon attack chain
• CVE-2022-26809
  • Remote RPC RCE, but exploit code doesn't seem readily available
  • Best candidate: yuanLink
  • May be able to pay here
• KernelHub
  • All the kernel exploit POCs

Resources/Articles

• Abusing the MS Office protocol scheme
• SOCKS Proxy Relaying
• Microsoft Teams and Skype Logging Privacy Issue
• Stealing Access Tokens From Office Desktop Applications
• Hijacking DLLs in Windows
• ABUSING CVE-2022-26923 THROUGH SOCKS5 ON A MYTHIC C2 AGENT
• Finding Passwords in SYSVOL & Exploiting Group Policy Preferences
• AAD Kill Chain

PetitPotam

• PetitPotam
  • Coerce Windows hosts to authenticate to other machines
• ADCSPwn
  • Petitpotam + relay to certificate service
• DFSCoerce
  • TODO: description
  • There's an update here
• ShadowCoerce
  • PetitPotam via MS-DFSNM
• SpoolSample (PrinterBug)
  • PetitPotam via MS-RPRN
  • Coerce Windows hosts authenticate to other machines via the MS-RPRN RPC interface

References

PetitPotam

• MS-EFSR abuse (PetitPotam)
• MS-RPRN abuse (PrinterBug)
• MS-FSRVP abuse (ShadowCoerce)
• MS-DFSNM abuse (DFSCoerce)
• Other articles
  • [FR] PetitPotam Slides
  • Using PetitPotam to NTLM Relay to Domain Administrator
  • ired.team Lab
  • Derbycon - The Unintended Risks of Trusting Active Directory

Protocols

• Encrypting File System Remote (MS-EFSRPC)
• Print System Remote Protocol (MS-RPRN)
• File Server Remote VSS Protocol (MS-FSRVP)
• Distributed File System (DFS): Namespace Management Protocol (MS-DFSNM)