Channel: harmj0y – harmj0y
Browsing all 83 articles
Browse latest View live

Local Group Enumeration

I’ve found that one of the most useful features of PowerView (outside of its user hunting capabilities) is its ability to enumerate local group membership on remote machines. I’ve spoken about this...

Abusing GPO Permissions

A friend (@piffd0s) recently ran into a specific situation I hadn’t encountered before: the domain controllers and domain admins of the environment he was assessing were extremely locked down, but he...

Empire 1.5

Three months have elapsed since the Empire 1.4 release, and we have some awesome new features for our next release! The notes for Empire 1.5 are below, but a quick warning- this release modifies part...

Empire’s RESTful API

This post is part of the ‘Empire Series’ with some background and an ongoing list of series posts [kept here]. [tl;dr] The Empire RESTful API is documented here on the Empire GitHub wiki. Last week,...

Running LAPS with PowerView

A year ago, Microsoft released the Local Administrator Password Solution (LAPS) which aims to prevent the reuse of local administrator passwords by setting, “…a different, random password for the...

Building an EmPyre with Python

The “EmPyre Series” 5/13/16 – Building an EmPyre with Python Our team has increasingly started to encounter well secured environments with a large number of Mac OS X machines. We realized that while...

OS X Office Macros with EmPyre

This post is part of the ‘EmPyre Series’ with some background and an ongoing list of series posts [kept here]. One of the (many) challenges with operating in an OS X heavy environment is initial...

Upgrading PowerUp With PSReflect

PowerUp is something that I haven’t written about much in nearly two years. It recently went through a long overdue overhaul in preparation for our “Advanced PowerShell for Offensive Operations”...

Where My Admins At? (GPO Edition)

Enumerating the membership of the Administrators local group on various computers is something we do on most of our engagements. This post will cover how to do this with Group Policy Object (GPO)...

A Case Study in Attacking KeePass

[Edit 7/1/16] I wanted to make a few clarifying notes as there have been some questions surrounding this writeup: You only need administrative rights to execute any WMI subscriptions and/or gather...

KeeThief – A Case Study in Attacking KeePass Part 2

Note: this post and code were co-written with my fellow ATD workmate Lee Christensen (@tifkin_) who developed several of the interesting components of the project. The other week I published the “A...

PowerShell RC4

Every language needs an RC4 implementation. Despite its insecurities, RC4 is widely used due to its simple algorithm and the minimal amount of code it takes to implement it. Some people have even tried...

Command and Control Using Active Directory

‘Exotic’ command and control (C2) channels always interest me. As defenses start to get more sophisticated, standard channels that have been stealthy before (like DNS) may start to lose their efficacy....

Offensive Encrypted Data Storage

We generally try to keep off of disk as much as possible on engagements- there’s less to clean up and fewer chances of being caught. However, occasionally we have a need to store data on disk on a...

The Empire Strikes Back

We recently made some of the biggest changes to Empire since its release at BSidesLV in 2015. This post will summarize many of the modifications for the Empire 2.0 beta release, but also check out...

Empire Fails

Everyone makes mistakes, and we’re certainly no exception. Empire has suffered from a few security issues since its original release at BSides LV in 2015, and for a while, I’ve wanted to give some...

Kerberoasting Without Mimikatz

Just about two years ago, Tim Medin presented a new attack technique he christened “Kerberoasting”. While we didn’t realize the full implications of this at the time of release, this attack technique...

Make PowerView Great Again

Yesterday’s commit to the PowerSploit dev branch is the biggest set of changes to PowerView since its inception. I’ve spent the last month or so rewriting PowerView from the ground up, squashing a...

S4U2Pwnage

Several weeks ago my workmate Lee Christensen (who helped develop this post and material) and I spent some time diving into Active Directory’s S4U2Self and S4U2Proxy protocol extensions. Then, just...

The Most Dangerous User Right You (Probably) Have Never Heard Of

I find Windows user rights pretty interesting. Separate from machine/domain object DACLs, user rights govern things like “by what method can specific users log into a particular system” and are managed...
