Microsoft will be introducing Administrator Protection into Windows 11, so I wanted to have an understanding of how this technology works and how it interacts with existing offensive tooling. While this technology is just a thin wrapper around a separate account, there are a few nuances such as who is permitted to access these accounts, as well as existing UAC bypasses which are still effective against the new "backdoorless" Administrator Protection. This post explores these nuances in detail.| XPN InfoSec Blog
This course is for practitioners who want to emulate adversaries without malware, without traditional C2 infrastructure, and without unnecessary footprint.| ZephrSec - Adventures In Information Security
GoClipC2: A covert Windows clipboard-based C2 channel for VDI/RDP environments. Bypasses network monitoring with encrypted Base64 messaging.| ZephrSec - Adventures In Information Security
Exploring Azure Arc's overlooked C2aaS potential: attacking and defending against its usage, and exploring use cases.| ZephrSec - Adventures In Information Security
When I originally posted the blog post that lived on this page a lot of CTI professionals got sad and had a go at me. My view of Offensive CTI is using TA knowledge to better improve red team and offensive security for defence. There is also an element of| ZephrSec - Adventures In Information Security
Manipulating Git Histories to Obscure the Truth| ZephrSec - Adventures In Information Security
One of the things that I love about my role at SpecterOps is getting to dig into various technologies and seeing the resulting research being used in real-time. This post will explore one such story of how I was able to go from a simple request of recovering credentials from a database backup, to reverse engineering how SQL Server encryption works, finding some new methods of brute-forcing database encryption keys.. and finally identifying a mistake in ManageEngine’s ADSelfService product w...| XPN InfoSec Blog
Introducing Living off the Land Searches (LOLSearches), using advanced search operators with SharePoint and Explorer to help in Red Teams.| ZephrSec - Adventures In Information Security
This post explores Windows Side-by-Side (WinSxS) and DLL hijacking, deep-diving some tooling I've written and some of the fun along the way.| ZephrSec - Adventures In Information Security
In this post we’re going to focus on some ADFS internals. We’ll be looking at OAuth2, and how it underpins the analogues to Entra ID security features like Device Registration and Primary Refresh Tokens.| XPN InfoSec Blog
As part of our ongoing research of the IBM i platform we monitor news and updates related to the platform. Two weeks ago IBM published a support article about a compatibility issue affecting IBM i Access Client Solutions (ACS) when running on Windows 11 24H2. The “no man’s land” between system boundaries is always a playground for hackers, and this article was fascinating because it pointed to the Local Security Authority subsystem of Windows:| Silent Signal Techblog
All the lessons I’m sharing here are based on what I learned/observed during my experiment.| Hack.Learn.Share
I was almost 90% done drafting this post when I came across this talk by @rad9800 that discusses the same topic. I'm still publishing this anyhow because I don't want my efforts to go to waste, and this post contains some ideas not mentioned in the talk.| Hack.Learn.Share
Last March, I tweeted something about converting WinAPI functions to their native counterparts. One of the WinAPIs I’m trying to convert is CreateProcess. Finally, after several months of on and off research, trials, and coding, I have successfully developed a PoC to launch a process using the native API NtCreateUserProcess()!| Hack.Learn.Share
Lately, I came across KernelCallbackTable, which could be abused to inject shellcode into a remote process. This method of process injection was used by FinFisher/FinSpy and Lazarus.| Hack.Learn.Share
The use of libraries for development is great, especially if you're a beginner and want something that will surely work right out of the box and want to save time.| Hack.Learn.Share
Have you ever wanted to write malware (for educational purposes) but don't know how or where to start? How about writing a custom implant to bypass an AV for an engagement when time is very limited? Or you simply want to write malware to upskill and/or better understand how the Windows API works, but are too lazy to start working on it.| Hack.Learn.Share
Parent Process ID (PPID) Spoofing is one of the techniques employed by malware authors to blend into the target system. This is done by making the malicious process look like it was spawned by another process. This helps evade detections that are based on anomalous parent-child process relationships.| Hack.Learn.Share
When I started my journey in Malware Development and AV/EDR Evasion, most of the articles and blog posts I had read recommended the use of syscalls. By using syscalls, an adversary can bypass detection controls (such as user-land hooking) by jumping into kernel mode. Evasion is possible in this case since AV/EDR systems can only monitor an application's behaviour in user mode. Another advantage is the fact that any Windows API functions used will not be referenced in the import table.| Hack.Learn.Share
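The evasion described in the PPID spoofing teaser above works against rules that only read the reported parent PID. Below is an added example (not code from Hack.Learn.Share or any of the listed posts) showing why, in Python, over constructed process-creation events: a naive parent-image rule misses a spoofed shell, while a rule that also looks at the process that actually issued the create call catches it. The `creator_pid` field is an assumption modelled on what a kernel process-creation callback can derive from the creating thread; the spoofed `parent_pid` is what a tool sets through the `PROC_THREAD_ATTRIBUTE_PARENT_PROCESS` attribute. Image names and PIDs are constructed.

```python
"""PPID spoofing: why a reported-parent rule is blind, and one check that is not.

Added example; events below are constructed, not real telemetry.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str
    # Parent as reported to PPID-based tooling. Under PPID spoofing the creator
    # picks this value via PROC_THREAD_ATTRIBUTE_PARENT_PROCESS in STARTUPINFOEX.
    parent_pid: int
    # Process that actually issued the create call. Assumed field: a kernel
    # process-creation callback can derive it from the creating thread, and a
    # spoofing tool does not control it.
    creator_pid: int


# Office application spawning a shell/script host is the classic "anomalous
# parent-child" pair a detection rule keys on.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "rundll32.exe"}


def _by_pid(events: List[ProcEvent]) -> Dict[int, ProcEvent]:
    return {e.pid: e for e in events}


def naive_parent_rule(events: List[ProcEvent]) -> List[int]:
    """Flag office -> shell using only the reported parent. Blind to spoofing."""
    index = _by_pid(events)
    hits = []
    for e in events:
        parent = index.get(e.parent_pid)
        if parent and parent.image in OFFICE_PARENTS and e.image in SUSPICIOUS_CHILDREN:
            hits.append(e.pid)
    return hits


def creator_rule(events: List[ProcEvent]) -> List[Tuple[int, Tuple[str, ...]]]:
    """Flag (a) reported parent differing from the creator, and
    (b) office -> shell judged by the creator rather than the reported parent."""
    index = _by_pid(events)
    hits = []
    for e in events:
        creator = index.get(e.creator_pid)
        reasons = []
        if e.parent_pid != e.creator_pid:
            reasons.append("ppid_mismatch")
        if creator and creator.image in OFFICE_PARENTS and e.image in SUSPICIOUS_CHILDREN:
            reasons.append("office_spawned_shell")
        if reasons:
            hits.append((e.pid, tuple(reasons)))
    return hits


def sample_events() -> List[ProcEvent]:
    """Constructed event set: one spoofed shell, one legitimate shell."""
    return [
        ProcEvent(1000, "explorer.exe", 600, 600),
        ProcEvent(2000, "winword.exe", 1000, 1000),
        # Spoofed: claims explorer.exe as parent, but winword.exe made the call.
        ProcEvent(3000, "cmd.exe", 1000, 2000),
        # Legitimate: user opened a shell from explorer.exe, parent == creator.
        ProcEvent(4000, "cmd.exe", 1000, 1000),
    ]


if __name__ == "__main__":
    events = sample_events()
    print("naive rule:  ", naive_parent_rule(events))   # []
    print("creator rule:", creator_rule(events))        # [(3000, ('ppid_mismatch', 'office_spawned_shell'))]
```

A parent/creator mismatch on its own is not proof of spoofing: some platform components legitimately create processes on behalf of another process (elevation through the Application Information service is the usual case), so in practice the mismatch is combined with the image pair, as the second rule does, rather than alerted on alone.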
Introduction. It was 20 November, and I was just starting to wonder what I would do during the next month. I had already left my previous job, and the new one would only start in January. Playing with PS4 all month might sound fun for some people, but I knew I would get bored quickly. Even though I have some limited red teaming experience, I always felt that I wanted to explore the excitement of getting Domain Admin – again. I got my first DA in ~2010 using pass-the-hash, but that was a loooo...| Jump ESP, jump!
Originally presented at SOCON-2024, and continuing the series into post-exploitation techniques against Identity Providers, in this blog post we'll look at Ping, OneLogin and Entra ID. I'll discuss how post-exploitation techniques effective against Okta apply to other providers, release new tools for post-exploitation, and look at what proves to be effective when critical assets lie beyond an Identity Provider portal.| XPN InfoSec Blog
In this blog post, I'll discuss some of the post-exploitation techniques that I've found to be useful against Okta. Specifically, this post will look at how to use delegated authentication to our advantage, silver tickets, Okta AD agent spoofing, and finally how to deploy a fake SAML provider.| XPN InfoSec Blog
BYODC, or bring your own domain controller, is a post-exploitation technique and another option for performing a DCSync in a more opsec-safe manner.| ZephrSec - Adventures In Information Security
This post will walk through various services within the Azure catalogue and look at potential attack paths.| ZephrSec - Adventures In Information Security