Windows Scheduler Credential Stealer

by Vince
in Blog
Hits: 714

In the one-liner below, we are able to pop a credentials box and attempt to steal credentials.  If we remove the pipe and what follows, we would see the output at the command line.  With the pipe and what follows, we output it into a file.  And since Public is public, we can easily write into that location.

Read more

CrackMapExec : The Basics

by Vince
in Blog
Hits: 776

The description states:  "CrackMapExec (a.k.a CME) is a post-exploitation tool that helps automate assessing the security of large Active Directory networks. Built with stealth in mind, CME follows the concept of "Living off the Land": abusing built-in Active Directory features/protocols to achieve it's functionality and allowing it to evade most endpoint protection/IDS/IPS solutions."

This is one of those tools that I've used from time to time when another one of my tools wasn't doing what I wanted it to do.  That happened recently and I decided to make a big cheat sheet with a list of commands.  The following is a subset,  the basics, and if you're not familiar with this tool, it might be worth exploring.

Read more

Antivirus Evasion -> Exclusions

by Vince
in Blog
Hits: 894

In the real world, systems have endpoint protection installed and a lot of the tools we'd like to drop on the system will get detected.  Loading in memory is definitely an option but let's say we want to drop some tools onto the file system.  One option is to look at what is installed to hopefully find a product that has endpoint exclusions.  For example, Desktop Central from Manage Engine requires exclusions and if we can use that directory for our files, we can evade endpoint protection.

For our test, we're going to use the EICAR test file.  Some background in case you're unfamiliar with this test file:  ' The European Institute for EICAR developed the EICAR antimalware test file. The EICAR test file is a legitimate DOS program that is detected as malware by antivirus software. When the test file runs successfully (if it is not detected and blocked), it prints the message "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!". ' 

Read more