An addition to the original Credential Guard bypass PoC, which consists of patching two global variables in the wdigest.dll module loaded by LSASS.
https://github.com/itm4n/Pentest-Windows/tree/main/CredGuardBypassOffsets
A simple PoC for creating a false AppLocker hash cache entry for a file.
https://github.com/gtworek/PSBits/blob/master/CopyEAs/SetAppLockerHashCache.c
C++ implementation of the Perun's Fart Evasion technique
mitmproxy2swagger
Automatically converts mitmproxy captures to OpenAPI 3.0 specifications.
RITA
Real Intelligence Threat Analytics is a framework for detecting command and control communication through network traffic analysis.
LiveCloudKd & MemProcFs fixes for Windows 11 and WinDBG 10.0.22000
KernelCallbackTable-Injection
HalosUnhooker
An unhooker that helps remove AV/EDR hooks from the NT API.
A simple tool that calls IOCTL_VOLSNAP_QUERY_NAMES_OF_SNAPSHOTS to list all volume snapshots, including hidden ones.
Volume Snapshot Service / Volume Shadow Copy
DLLirant
This tool automates DLL hijacking research on a specified binary.
DelegationBOF
This tool uses LDAP to check a domain for known abusable Kerberos delegation settings. Currently, it supports RBCD, Constrained, Constrained w/Protocol Transition, and Unconstrained Delegation checks.
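As an added example (not DelegationBOF's own code), the script below encodes the userAccountControl bits and attributes behind the four checks listed above, builds the LDAP filters you would hand to ldapsearch, and classifies directory entries offline. The sample entries are constructed; the attribute names, flag values and matching-rule OID are the real Active Directory ones.

```python
"""Kerberos delegation checks over LDAP attributes (added example, constructed data)."""
from typing import Dict, List

# userAccountControl flags (Active Directory schema values).
TRUSTED_FOR_DELEGATION = 0x00080000          # unconstrained delegation
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000  # protocol transition (S4U2Self)

# LDAP_MATCHING_RULE_BIT_AND: lets a filter test one bit of an integer attribute.
BIT_AND = "1.2.840.113556.1.4.803"

# Domain controllers are unconstrained by design; their primaryGroupID is 516
# (writable DC) or 521 (read-only DC), so the unconstrained filter excludes them.
DC_GROUP_IDS = (516, 521)

# Filters equivalent to the four checks, usable with ldapsearch / ldap3.
FILTERS: Dict[str, str] = {
    "unconstrained": (
        f"(&(userAccountControl:{BIT_AND}:={TRUSTED_FOR_DELEGATION})"
        "(!(primaryGroupID=516))(!(primaryGroupID=521)))"
    ),
    "constrained": "(msDS-AllowedToDelegateTo=*)",
    "protocol_transition": f"(userAccountControl:{BIT_AND}:={TRUSTED_TO_AUTH_FOR_DELEGATION})",
    "rbcd": "(msDS-AllowedToActOnBehalfOfOtherIdentity=*)",
}


def classify(entry: dict) -> List[str]:
    """Return the delegation findings for one LDAP entry (dict of attributes)."""
    uac = int(entry.get("userAccountControl", 0))
    findings: List[str] = []

    if uac & TRUSTED_FOR_DELEGATION:
        if int(entry.get("primaryGroupID", 0)) in DC_GROUP_IDS:
            findings.append("unconstrained (domain controller, expected)")
        else:
            findings.append("unconstrained")

    targets = entry.get("msDS-AllowedToDelegateTo") or []
    if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
        # Protocol transition lets the account obtain a service ticket for any
        # user to the listed SPNs without that user ever authenticating to it.
        findings.append("constrained w/ protocol transition -> " + ", ".join(targets))
    elif targets:
        findings.append("constrained -> " + ", ".join(targets))

    # RBCD is configured on the *target*: this attribute holds a security
    # descriptor naming the accounts allowed to delegate to it.
    if entry.get("msDS-AllowedToActOnBehalfOfOtherIdentity"):
        findings.append("rbcd (inbound delegation configured on this object)")

    return findings


def scan(entries) -> Dict[str, List[str]]:
    """Map sAMAccountName -> findings, keeping only accounts with a finding."""
    result: Dict[str, List[str]] = {}
    for e in entries:
        f = classify(e)
        if f:
            result[e["sAMAccountName"]] = f
    return result


# Constructed sample directory; userAccountControl values mirror common defaults
# (532480 = DC, 4096 = workstation, 66048 = normal user with non-expiring password).
SAMPLE_ENTRIES = [
    {"sAMAccountName": "DC01$", "userAccountControl": 532480, "primaryGroupID": 516},
    {"sAMAccountName": "WS01$", "userAccountControl": 4096, "primaryGroupID": 515},
    {"sAMAccountName": "APP01$", "userAccountControl": 528384, "primaryGroupID": 515},
    {"sAMAccountName": "svc_web", "userAccountControl": 66048,
     "msDS-AllowedToDelegateTo": ["MSSQLSvc/sql01.corp.local:1433"]},
    {"sAMAccountName": "svc_proxy", "userAccountControl": 16843264,
     "msDS-AllowedToDelegateTo": ["cifs/files01.corp.local"]},
    {"sAMAccountName": "FILES01$", "userAccountControl": 4096, "primaryGroupID": 515,
     "msDS-AllowedToActOnBehalfOfOtherIdentity": b"\x01\x00\x04\x80"},  # truncated SD, constructed
]

if __name__ == "__main__":
    for name, findings in scan(SAMPLE_ENTRIES).items():
        print(name, findings)
```

Against a live domain, run the four FILTERS with ldapsearch (-b on the domain base DN) and feed each result through classify; the classifier is what turns raw attributes into the same categories the BOF reports.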
CVE-2018-25032 in zlib could allow a denial-of-service (DoS) attack. The bug was reported by Danilo Ramos of Eideticom, Inc. and lay in wait for 13 years before being found: it was introduced in zlib 1.2.2.2 with the addition of the Z_FIXED option. The fix (commit below) did not ship in a release until zlib 1.2.12, so anything statically linking an older zlib needs checking.
https://github.com/madler/zlib/commit/5c44459c3b28a9bd3283aaceab7c615f8020c531
Impacket: it is now possible to add a computer account via SMB from an NTLM relay with ntlmrelayx.
Mochi is a proof-of-concept C++ loader that leverages the ChaiScript embedded scripting language to execute code. It is based on the lcscript project, which extends ChaiScript with native Windows API call support. Mochi was built to allow remote loading of ChaiScript files that orchestrate lower-level code and execute offensive actions with the Windows API.
An explanation of SHA-1 hashes recorded in Amcache
%WINDIR%\AppCompat\Programs\Amcache.hve
https://blog.nviso.eu/2022/03/07/amcache-contains-sha-1-hash-it-depends/
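The practical consequence of the post above is that the SHA-1 in an Amcache FileId is computed over at most the first 31,457,280 bytes (30 MiB) of the file, so for larger binaries it will not match a full-file hash from a threat-intel feed. The script below is an added example (not the post's code) that reproduces the Amcache-style hash, compares it with a FileId value read from the hive, and reports whether the file is one where the two hash flavours diverge. Sample inputs are constructed in memory.

```python
"""Reproduce and verify the SHA-1 that Amcache records for a file (added example)."""
import hashlib
import io
from typing import BinaryIO

AMCACHE_HASH_LIMIT = 31_457_280  # 30 MiB: Amcache hashes only this prefix of a file


def amcache_sha1(stream: BinaryIO, limit: int = AMCACHE_HASH_LIMIT) -> str:
    """SHA-1 over the first `limit` bytes of the stream, read in 1 MiB chunks."""
    h = hashlib.sha1()
    remaining = limit
    while remaining > 0:
        chunk = stream.read(min(1 << 20, remaining))
        if not chunk:
            break
        h.update(chunk)
        remaining -= len(chunk)
    return h.hexdigest()


def full_sha1(stream: BinaryIO) -> str:
    """Ordinary whole-file SHA-1, the flavour most hash feeds publish."""
    h = hashlib.sha1()
    for chunk in iter(lambda: stream.read(1 << 20), b""):
        h.update(chunk)
    return h.hexdigest()


def amcache_file_id(data: bytes) -> str:
    """FileId as stored in Amcache.hve: "0000" followed by the truncated SHA-1."""
    return "0000" + amcache_sha1(io.BytesIO(data))


def check_against_hive(data: bytes, recorded_file_id: str) -> dict:
    """Compare a file's bytes with a FileId string taken from Amcache.hve."""
    recorded = recorded_file_id.strip().lower()
    if recorded.startswith("0000") and len(recorded) == 44:
        recorded = recorded[4:]  # drop the "0000" prefix, keep the 40-hex SHA-1
    prefix_hash = amcache_sha1(io.BytesIO(data))
    return {
        "amcache_sha1": prefix_hash,
        "full_sha1": full_sha1(io.BytesIO(data)),
        # True when the file exceeds 30 MiB, i.e. the hive hash covers only a prefix
        "hashed_prefix_only": len(data) > AMCACHE_HASH_LIMIT,
        "matches_hive": prefix_hash == recorded,
    }


if __name__ == "__main__":
    # Constructed sample: a small "binary" and one just over the 30 MiB limit.
    small = b"MZ" + bytes(range(256)) * 10
    big = b"\x00" * AMCACHE_HASH_LIMIT + b"TAIL"
    print(amcache_file_id(small))
    print(check_against_hive(big, amcache_file_id(big)))
```

When pivoting from a FileId to external intel, hash the first 30 MiB yourself for files over that size; for smaller files the Amcache value equals the full-file SHA-1 and can be searched as-is.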
Windows System Resource Usage Monitor (SRUM)
%WINDIR%\System32\SRU\SRUDB.dat
How to bypass the macOS privacy framework (TCC) using old app versions?
https://wojciechregula.blog/post/macos-red-teaming-bypass-tcc-with-old-apps/