Elevation of Privilege

MWR Labs: C3 - First Look

Sep 9, 2019

In this blog post I’m going to cover my first impressions of MWR Labs C3 project, through installation and setup to usage in a basic scenario.

TikiService is a new .NET Service Binary that allows you to run a TikiTorch payload via the Service Control Manager (à la PsExec). TikiTorch.cna has also been updated to create a new Cobalt Strike function: tikiexec, that automates its use. This blog post provides a brief overview and usage examples.

Covenant, Donut, TikiTorch

Aug 8, 2019

Covenant v0.1 was first released in February 2019 and has since received a lot of really good updates. v0.2 was released in May which added p2p comms over SMB named pipes, and v0.3 was released in August which added a brand new web interface. Even though it’s such a young project, it has really proven itself to be a capable tool for offensive operators. I’ve not taken a look at Covenant since v0.1.x but since providing some new additions to SharpSploit, it kinda got my geek going. One of my areas of interest is weaponising the Grunt stager.

The Return of Aggressor

Jun 6, 2019

FortyNorth Security recently posted an article detailing the process for leveraging MSBuild to execute unmanaged PowerShell, and automating it in Aggressor script for Cobalt Strike users. Being a native binary in the Windows OS, the use of MSBuild is a common AWL bypass technique, which is handy in relatively well locked down environments.

TikiVader

Jun 6, 2019

I’ve added a new experimental project to TikiTorch, called TikiVader. I originally thought of “vader” as a play-on for “evade”/“evader”, until I realised TikiVader was never meant to evade anything… but nevermind 😒

TikiSpawn & MSBuild

Jun 6, 2019

The main impetus behind this post was me experimenting with ways to leverage TikiSpawn with some of the popular lolbins.

Weaponizing Privileged File Writes with Windows Collector Service

Apr 4, 2019

In my previous post, I described how one could leverage CVE-2019-0841 to backdoor the LAPS AdmPwd.dll for EoP to NT AUTHORITY\SYSTEM. The obvious question is that if a machine is not using LAPS, what can you do…? Well Rich Warren provided one solution, by using the Windows Diagnostics Hub Standard Collector Service.

Weaponizing CVE-2019-0841 with LAPS

Apr 4, 2019

On April 9, Nabeel Ahmed annouced details of CVE-2019-0841 - the tl;dr being that it allows low privileged users to take Full Control of files owned by NT AUTHORITY\SYSTEM, which can lead to EoP. Nabeel published a comprehensive blog describing the vulnerability, PoC code and a video demonstration.

EWS - InstallApp

Mar 3, 2019

I recently created the EWSToolkit off the back of an assessment for Exchange Client Access Services. I realise I committed it with basically no explanation, so this blog post will serve as a quick introduction and a look at perhaps one of its more interesting features.

Weaponizing Privileged File Writes with Windows Collector Service

Rasta Mouse

MWR Labs: C3 - First Look

Posts

TikiService

Covenant, Donut, TikiTorch

The Return of Aggressor

TikiVader

TikiSpawn & MSBuild

Weaponizing Privileged File Writes with Windows Collector Service

Weaponizing CVE-2019-0841 with LAPS

EWS - InstallApp