Elevation of Privilege

Weaponizing Privileged File Writes with Windows Collector Service

Apr 4, 2019

In my previous post, I described how one could leverage CVE-2019-0841 to backdoor the LAPS AdmPwd.dll for EoP to NT AUTHORITY\SYSTEM. The obvious question is that if a machine is not using LAPS, what can you do…? Well Rich Warren provided one solution, by using the Windows Diagnostics Hub Standard Collector Service.

Weaponizing CVE-2019-0841 with LAPS

Apr 4, 2019

On April 9, Nabeel Ahmed annouced details of CVE-2019-0841 - the tl;dr being that it allows low privileged users to take Full Control of files owned by NT AUTHORITY\SYSTEM, which can lead to EoP. Nabeel published a comprehensive blog describing the vulnerability, PoC code and a video demonstration.

EWS - InstallApp

Mar 3, 2019

I recently created the EWSToolkit off the back of an assessment for Exchange Client Access Services. I realise I committed it with basically no explanation, so this blog post will serve as a quick introduction and a look at perhaps one of its more interesting features.

TikiTorch

Mar 3, 2019

When TikiTorch was first released in February, it consisted of a single .NET assembly. Almost exactly a month later, I commited an update that increased that to four assemblies.

This blog post will cover what these assemblies are and how to use them.

GPO Abuse - Part 2

Jan 1, 2019

Before we can really dive into modifying GPOs, we need to try and understand some of the intricacies of how they’re updated normally in GPMC and AD. Because believe me, it aint as simple as it appears.

GPO Abuse - Part 1

Jan 1, 2019

Group Policy Objects (GPOs) is a subject I’ve wanted to write about for a long time and I’m happy to have finally started.

AmsiScanBuffer Bypass - Part 4

Dec 12, 2018

As 2018 rapidly comes to an end, I thought I’d close out the year by clearing up some confusions over this AmsiScanBuffer bypass and why it appears to fail under some circumstances.

AmsiScanBuffer Bypass - Part 3

Nov 11, 2018

In Part 2, we engineered a delivery method for the AmsiScanBuffer Bypass discussed in Part 1. In this post, we’ll make some modifications to the bypass itself.

AmsiScanBuffer Bypass - Part 2

Oct 10, 2018

In Part 1, we had a brief look at the AmsiScanBuffer bypass technique. We found some circumstances where the bypass code would be identified as malicious before it could be executed (which turned out to be a simple string detection), and modified the code to circumvent this.

In this post, we’ll explore a delivery method to help stage a Cobalt Strike / Empire / <insert framework here> agent. As with Part 1, this is not about some 1337 code drop - it’s a demonstration of how I walked through engineering the final result.

So, let’s get cracking.

AmsiScanBuffer Bypass - Part 1

Oct 10, 2018

Andre Marques recently posted a pretty nice write-up for circumventing AMSI, based on previous work by CyberArk.

Weaponizing Privileged File Writes with Windows Collector Service

Rasta Mouse

Weaponizing Privileged File Writes with Windows Collector Service

Weaponizing CVE-2019-0841 with LAPS

EWS - InstallApp

TikiTorch

GPO Abuse - Part 2

GPO Abuse - Part 1

AmsiScanBuffer Bypass - Part 4

AmsiScanBuffer Bypass - Part 3

AmsiScanBuffer Bypass - Part 2

AmsiScanBuffer Bypass - Part 1