🫡
We then discovered that if Defender is not allowed to delete the file, it will try to re-connect with the account that triggered the coercion.
Where do the credentials come from? Well, if the same user is also interactively logged on, Defender will simply steal their token 🥷🏼
The code is here. As always, "Not tested in prod, use at your own risk".
All credit goes to YuG0rd, snovvcrash and fulc2um.
https://gist.github.com/ThePirateWhoSmellsOfSunflowers/912c5728bde1a7eba4bc99ff06b3f73c
dMSA are now supported by impacket (thanks fulc2um!), so it's time for `badsuccessordumper.py`!
TIL there is a pure PowerShell port of PassTheCert, by TheViperOne. Kudos 🫡
Did you know deleting a file in Wire doesn’t remove it from servers?
Team member @myst404 took a closer look at Wire's asset handling and identified 5 cases where behaviors may diverge from user expectations.
https://offsec.almond.consulting/deleting-file-wire-doesnt-remove-it.html
Newer Windows clients often enforce signing ✍️ when using SMB fileshares.
To quickly deploy an SMB server with signing supported we implemented this in impacket's smbserver.py based on a prior work by @drm.
This pull request adds the option to support signing for arbitrary clients in a domain. Most of the NetLogon code is based on this gist by @ThePirateWhoSmellsOfSunflowers. To use this functionalit...