Windows
Privilege Escalation
- mimikatz
- Invoke-TheHash
- WinPEAS
- PowerSploit
- PowerView
- PywerView
- Because Python is cool
- Note that it may not have as many features as PowerView
- PowerShell Empire
- Also see the fork that's actually being updated: BC-SECURITY/Empire
- Searchable Empire Module Library
- UACME
- Defeat UAC
- Gopher
- Automatically discover low-hanging fruit
- EDR checks
- Detect AV/EDR/UBA/whatever
- Powershell: Invoke-EDRChecker
- C#: SharpEDRChecker
- SMBMap
- Enumerate samba shares
- Bypass AppLocker
- Run PowerShell w/ DLLs only
- WindowsEnum
- PowerShell script
- NOTE: Kinda old, from 2018 - sanity checks wouldn't be a bad idea
- windows-privesc-check
- Standalone executable
- NOTE: Kinda old, from 2015 - sanity checks wouldn't be a bad idea
- PrintNightmare
- dogwalk
- Abuse diagcab file in Outlook to get path traversal -> RCE on boot
- sam-the-admin
- Impersonate DA from standard user
- CVE-2021-42278, CVE-2021-42287
- EventViewerUAC_BOF
- TODO: Description
- siofra
- Identify + exploit DLL hijacking vulns
- nishang
- Offensive PowerShell framework
- Powerless
- Windows privesc script designed with OSCP labs in mind
- Access Token Manipulation
- JAWS
- Just Another Windows (enum) Script
Resources/Articles
Post-Exploit
TODO: Clean this up
- DSInternals
- Useful for C# dev against Windows
- (Unofficial) TTP checklist
- Just for sanity checks
- Phant0m
- Kill event logs
- Koadic
- Rootkit
- Dead project?
- SILENTTRINITY
- C2/post-exploit framework
- ssh-agent
- Dump registry hive Computer\HKEY_CURRENT_USER\Software\OpenSSH\Agent\Keys
- WARNING: This is an open issue on GitHub - check to see if MS has fixed this or kept it as "by design"
- WebClient Abuse (WebDAV)
- Can be useful for coercing auth since it elicits HTTP auth instead of SMB (see PetitPotam)
- TODO: Link an actual tool (CrackMapExec, webclientservicescanner)
- CreateHiddenAccount
- Create hidden accounts w/ the registry
- WDigest Clear-Text Passwords
- TL;DR You can skip the NTLM hash if this isn't configured correctly
- Check the UseLogonCredential setting
- suborner
- Create a hidden Windows account without invoking APIs that'd trigger event logs
- The article is really neat too: Suborner: A Windows Bribery for Invisible Persistence
- WMEye
- Lateral movement over WMI and remote MSBuild execution
- DumpNParse
- Combination LSASS dumper/parser
- win-brute-logon
- Install guest account, crack any local users
- SharpUp
- C# port of PowerUp-related functionality
- lsarelayx
- NTLM relaying tool
- Disable Powershell Logging
- Seatbelt
- Host-survey "safety checks"
- PowerShell-via-CSharp
- More for a reference than anything - this isn't hard in principle
- pinjectra
- C/C++ library that implements process injection techniques
Exploits
- SystemNightmare
- Print spool abuse
- Follina
- MS Office URI abuse (specifically ms-msdt in this instance)
- Proxy-Attackchain
- Full ProxyLogon attack chain
- CVE-2022-26809
- KernelHub
- All the kernel exploit POCs
Resources/Articles
- Abusing the MS Office protocol scheme
- SOCKS Proxy Relaying
- Microsoft Teams and Skype Logging Privacy Issue
- Stealing Access Tokens From Office Desktop Applications
- Hijacking DLLs in Windows
- ABUSING CVE-2022-26923 THROUGH SOCKS5 ON A MYTHIC C2 AGENT
- Finding Passwords in SYSVOL & Exploiting Group Policy Preferences
- AAD Kill Chain
PetitPotam
- PetitPotam
- Coerce Windows hosts to authenticate to other machines
- ADCSPwn
- Petitpotam + relay to certificate service
- DFSCoerce
- TODO: description
- There's an update here
- ShadowCoerce
- PetitPotam via MS-DFSNM
- SpoolSample (PrinterBug)
- PetitPotam via MS-RPRN
- Coerce Windows hosts to authenticate to other machines via the MS-RPRN RPC interface
References
PetitPotam
- MS-EFSR abuse (PetitPotam)
- MS-RPRN abuse (PrinterBug)
- MS-FSRVP abuse (ShadowCoerce)
- MS-DFSNM abuse (DFSCoerce)
- Other articles