FortyNorth Security recently posted an article detailing the process for leveraging MSBuild to execute unmanaged PowerShell, and automating it in Aggressor script for Cobalt Strike users. Being a native binary in the Windows OS, the use of MSBuild is a common AWL bypass technique, which is handy in relatively well locked down environments.
The main impetus behind this post was me experimenting with ways to leverage TikiSpawn with some of the popular lolbins.
In my previous post, I described how one could leverage CVE-2019-0841 to backdoor the LAPS AdmPwd.dll for EoP to NT AUTHORITY\SYSTEM. The obvious question is that if a machine is not using LAPS, what can you do…? Well Rich Warren provided one solution, by using the Windows Diagnostics Hub Standard Collector Service.
I recently created the EWSToolkit off the back of an assessment for Exchange Client Access Services. I realise I committed it with basically no explanation, so this blog post will serve as a quick introduction and a look at perhaps one of its more interesting features.
Before we can really dive into modifying GPOs, we need to try and understand some of the intricacies of how they’re updated normally in GPMC and AD. Because believe me, it ain't as simple as it appears.
Group Policy Objects (GPOs) are a subject I’ve wanted to write about for a long time, and I’m happy to have finally started.