PowerQuinsta
I wanted to do a quick writeup on one of PowerView’s latest features: the ability to enumerate RDP sessions on remote machines. Qwinsta For those unfamiliar, qwinsta is a built in Windows command that...
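The excerpt above refers to building remote RDP-session enumeration on top of qwinsta. As an added example (not PowerView's own code), the PowerShell below parses qwinsta's fixed-width table into objects so that it can be filtered and tabulated; the column layout is taken from the header line, and only the ID column, which qwinsta right-aligns, needs special handling. The sample output is constructed, and the host name WKS01 is a placeholder.

```powershell
# Added example, not PowerView's own code: turn qwinsta's fixed-width text into objects.
# `qwinsta /server:<host>` is the real built-in command; the sample output below is constructed.
function ConvertFrom-QwinstaOutput {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $header = $Lines | Where-Object { $_ -match '^\s*SESSIONNAME\s+USERNAME' } | Select-Object -First 1
    if (-not $header) {
        # qwinsta prints an error (RPC failure, access denied, ...) instead of a table
        throw "No session table from $ComputerName`: $($Lines -join ' ')"
    }
    # Column starts come from the header. ID is right-aligned, so it is taken as the
    # last whitespace-separated token of the USERNAME..ID region rather than by offset.
    $userStart  = $header.IndexOf('USERNAME')
    $idEnd      = $header.IndexOf('ID') + 2
    $stateStart = $header.IndexOf('STATE')
    $typeStart  = $header.IndexOf('TYPE')
    $devStart   = $header.IndexOf('DEVICE')

    foreach ($line in $Lines) {
        if ($line -eq $header -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $p = $line.PadRight($header.Length + 16)          # make every Substring call safe
        $tokens = @(($p.Substring($userStart, $idEnd - $userStart) -split '\s+') | Where-Object { $_ })
        if ($tokens.Count -eq 0 -or $tokens[-1] -notmatch '^\d+$') { continue }   # not a session row
        $user = if ($tokens.Count -gt 1) { $tokens[0] } else { $null }
        [pscustomobject]@{
            ComputerName = $ComputerName
            SessionName  = $p.Substring(1, $userStart - 1).Trim()   # index 0 is the '>' marker slot
            UserName     = $user
            ID           = [int]$tokens[-1]
            State        = $p.Substring($stateStart, $typeStart - $stateStart).Trim()
            Type         = $p.Substring($typeStart, $devStart - $typeStart).Trim()
            Device       = $p.Substring($devStart).Trim()
            IsCurrent    = $line.StartsWith('>')
        }
    }
}

# Constructed sample of what `qwinsta /server:WKS01` returns (not a real capture).
$sample = @'
 SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE
 services                                    0  Disc
>console           localadmin                1  Active
 rdp-tcp#3         CORP\jdoe                 2  Active  rdpwd
 rdp-tcp                                 65536  Listen
'@ -split "`r?`n"

$sessions = ConvertFrom-QwinstaOutput -Lines $sample -ComputerName 'WKS01'

# The rows worth hunting: sessions that carry a user and are still active.
$sessions | Where-Object { $_.UserName -and $_.State -eq 'Active' } |
    Format-Table ComputerName, SessionName, UserName, ID, State, IsCurrent

# Live use against a reachable host (needs rights to query its sessions; errors are
# folded into the input so the function can report them):
# ConvertFrom-QwinstaOutput -Lines ([string[]](qwinsta /server:WKS01 2>&1)) -ComputerName 'WKS01'
```

Disconnected sessions (State `Disc`) are often the more interesting ones for user hunting, since they indicate a user whose token still exists on the host; drop the `State -eq 'Active'` clause to include them.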
Identifying Your Prey
[Note: This has been cross-posted on the Adaptive Threat Division blog] User hunting is one of my favorite phases of an engagement. Whether it’s performed for lateral spread and escalation, or to...
Domain Trusts: We’re Not Done Yet
A few months ago, my colleague @sixdub and I presented our talk “Trusts You Might Have Missed” at BSides Chicago (the slides are posted here). We covered a lot of information that we’ve talked about in...
The Trustpocalypse
I’ve talked about domain trusts more than many people probably care about. A few weeks ago I posted “Domain Trusts: We’re Not Done Yet” – apparently there’s even more! I’ve said before that trusts will...
Empire 1.1
A few weeks ago, @sixdub and I released a project called Empire at BSides Las Vegas (slides and video), and the response has been very positive. For those unfamiliar, Empire is a pure PowerShell...
Empire 1.2
It’s been two weeks since the release of Empire 1.1, but it’s already time for version 1.2! Here are the recent modifications: Components of the agent.ps1’s core shell functionality were...
Mimikatz and DCSync and ExtraSids, Oh My
Edit: Benjamin reached out and corrected me on a few points, which I’ve updated throughout the post. Importantly, with the ExtraSids (/sids) for the injected Golden Ticket, you need to specify...
Invoke-BypassUAC
User account control is a security mechanism introduced in Windows Vista that aims to allow users to operate in Windows (most of the time) without administrative privileges. Raphael Mudge has a great...
PowerView 2.0
PowerView is a tool that I’ve spoken frequently about on this blog. It debuted as part of the Veil-Framework in March of 2014, and has gone through a huge number of changes over the last year and a...
GPP and PowerView
A few months ago, Skip Duckwall asked me if it was possible, through PowerView, to enumerate what organizational units a particular group policy Globally Unique Identifier (GUID) applied to. Say you...
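The question in the excerpt above (which OUs does a given group policy GUID apply to?) comes down to reading the `gPLink` attribute of each container: it is a concatenation of `[LDAP://<GPO DN>;<options>]` entries, where bit 0 of the options marks a disabled link and bit 1 an enforced one. The PowerShell below is an added example, not PowerView's code: it parses `gPLink` strings, filters them by GPO GUID, and shows a live LDAP lookup via `[adsisearcher]` for a domain-joined host. The container objects and the domain `corp.local` are constructed; the GUID `31B2F340-016D-11D2-945F-00C04FB984F9` is the well-known Default Domain Policy GUID, and the second GUID is a made-up placeholder.

```powershell
# Added example, not PowerView's own code: map a GPO GUID to the containers it is linked to.
function ConvertFrom-GPLink {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [AllowEmptyString()][string]$GPLink
    )
    # gPLink entries look like [LDAP://cn={GUID},cn=policies,cn=system,DC=...;<options>]
    # options: bit 0 = link disabled, bit 1 = enforced (No Override)
    $pattern = '\[LDAP://cn=\{(?<guid>[0-9A-Fa-f-]{36})\},(?<path>[^;\]]+);(?<opt>\d+)\]'
    $order = 0
    foreach ($m in [regex]::Matches($GPLink, $pattern, 'IgnoreCase')) {
        $order++   # link order within the container (first entry = highest precedence)
        $opt = [int]$m.Groups['opt'].Value
        [pscustomobject]@{
            ContainerDN = $DistinguishedName
            GpoGuid     = $m.Groups['guid'].Value.ToUpperInvariant()
            GpoDN       = "CN={$($m.Groups['guid'].Value)},$($m.Groups['path'].Value)"
            LinkOrder   = $order
            Enforced    = [bool]($opt -band 2)
            Disabled    = [bool]($opt -band 1)
        }
    }
}

function Find-GPOLinkTarget {
    param(
        [Parameter(Mandatory)][string]$GpoGuid,
        [Parameter(Mandatory)][object[]]$Containers   # objects exposing DistinguishedName and gPLink
    )
    $guid = $GpoGuid.Trim('{}').ToUpperInvariant()
    foreach ($c in $Containers) {
        ConvertFrom-GPLink -DistinguishedName $c.DistinguishedName -GPLink ([string]$c.gPLink) |
            Where-Object { $_.GpoGuid -eq $guid }
    }
}

# Constructed sample containers (the shape an LDAP search for gPLink=* returns); not real data.
$containers = @(
    [pscustomobject]@{ DistinguishedName = 'DC=corp,DC=local'
        gPLink = '[LDAP://cn={31B2F340-016D-11D2-945F-00C04FB984F9},cn=policies,cn=system,DC=corp,DC=local;0]' }
    [pscustomobject]@{ DistinguishedName = 'OU=Workstations,DC=corp,DC=local'
        gPLink = '[LDAP://cn={A1B2C3D4-0000-4000-8000-000000000001},cn=policies,cn=system,DC=corp,DC=local;2][LDAP://cn={31B2F340-016D-11D2-945F-00C04FB984F9},cn=policies,cn=system,DC=corp,DC=local;1]' }
    [pscustomobject]@{ DistinguishedName = 'OU=Servers,DC=corp,DC=local'; gPLink = '' }
)

# Which containers link the Default Domain Policy, and is the link enforced or disabled?
Find-GPOLinkTarget -GpoGuid '{31B2F340-016D-11D2-945F-00C04FB984F9}' -Containers $containers |
    Format-Table ContainerDN, LinkOrder, Enforced, Disabled

# Live query on a domain-joined host (assumption: the caller can read gPLink, which
# authenticated users can by default). The wildcard filter makes the DC do the GUID match;
# the domain head (objectClass domainDNS) is included because GPOs can be linked there too.
function Get-GPOLinkContainer {
    param([Parameter(Mandatory)][string]$GpoGuid)
    $guid = $GpoGuid.Trim('{}')
    $searcher = [adsisearcher]"(&(|(objectClass=organizationalUnit)(objectClass=domainDNS))(gPLink=*{$guid}*))"
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.AddRange([string[]]('distinguishedName', 'gPLink'))
    foreach ($r in $searcher.FindAll()) {
        [pscustomobject]@{
            DistinguishedName = [string]$r.Properties['distinguishedname'][0]
            gPLink            = [string]$r.Properties['gplink'][0]
        }
    }
}
# $g = '31B2F340-016D-11D2-945F-00C04FB984F9'
# Find-GPOLinkTarget -GpoGuid $g -Containers (Get-GPOLinkContainer -GpoGuid $g)
```

Site links live in the configuration naming context rather than the domain partition, so the live query above deliberately does not cover them; a separate search rooted at `CN=Sites,CN=Configuration,...` with the same `gPLink` filter is needed for those.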
Empire 1.3
It’s been about two months since the release of Empire 1.2. We took a quick breather after coming down from our sprint to BSidesLV and the two follow-up releases. Part of this lull was to work on...
Abusing Active Directory Permissions with PowerView
One of my favorite presentations at Derbycon V was Sean Metcalf (@pyrotek3)’s talk “Red vs. Blue: Modern Active Directory Attacks & Defense”. In it, Sean had a section focused on “Sneaky AD...
Sheets on Sheets on Sheets
After a few requests, I’ve built out a series of cheat sheets for a few of the tools I help actively develop: PowerView, PowerUp, and Empire. I hope to illustrate the full functionality available in...
Empire, Meterpreter, and Offensive Half-life
A little over a week ago an interesting conversation started on security.stackexchange.com where someone asked about “Metasploit Meterpreter alternatives”. In the ensuing discussion two projects I...
Targeted Plaintext Downgrades with PowerView
Following my pattern of weaponizing Sean Metcalf’s work in PowerView, I’m here with another update. Sean recently released a post titled “Dump Clear-Text Passwords for All Admins in the Domain Using...
Empire 1.4
It’s been another two months since the last major Empire point release, and development has continued to move along steadily. Empire has a TON of new modules from 10 different authors and a smattering...
Expanding Your Empire
[Note: This has been cross-posted on the Adaptive Threat Division blog] This is the first in the ‘Empire Series’, a set of articles that will cover various aspects of Empire’s functionality and usage....
Nothing Lasts Forever: Persistence with Empire
This post is part of the ‘Empire Series’ with some background and an ongoing list of series posts [kept here]. Code execution is great and remote control is awesome, but if you don’t have a persistence...
Empire’s CLI
This post is part of the ‘Empire Series’ with some background and an ongoing list of series posts [kept here]. Recently, an Empire user requested that we build a ‘standalone payload generator’, similar...
PowerSCCM
I’m taking a quick break from our Empire series to bring you something my ATD teammate Matt Nelson and I have been working on over the last month or so: a project called PowerSCCM. This is the...