Powershell
InvokeADCheck – A PowerShell Module for Assessing Active Directory
Introduction During an Active Directory (AD) assessment, I found myself struggling with a collection of individual PowerShell scripts and their formatting—or rather, the lack thereof. The various PowerShell scripts included public, as well as proprietary, scripts that were used for retrieving Active Directory objects and their attributes. Faced with resource and time constraints within the team, I proposed to try to come up with a better, more efficient way to conduct some of the checks that we do during an AD assessment. Inspired in part by the excellent work of Sean Metcalf, the author of Invoke-TrimarcADChecks, my colleague Justin (Justin–P) and I (N1ck3nd) set out to develop what would ultimately become the InvokeADCheck PowerShell module.
ACE to RCE
tl;dr: In this writeup I am going to describe how to abuse a GenericWrite ACE misconfiguration in Active Directory to run arbitrary executables.
During a recent assessment I found a new way to abuse Access Control Entries in a misconfigured Active Directory instance. Before jumping into the juicy bits, I’d first like to explain what these misconfigurations are, how we find them and finally how to abuse them. If you have preexisting knowledge on this topic you can jump to the section titled ‘A new way of abusing GenericWrite‘.
Resurrecting an old AMSI Bypass
While working on DoubleAgent as part of the Introduction To Red Teaming course we’re developing for RingZer0, I had a look at Anti-Malware Scan Interface (AMSI) bypasses. One of the objectives I had was to find a new way to evade AMSI. As with my DoubleAgent work, this did not lead to the identification of a novel finding, but instead revealed that old techniques can be revived with minimal work. This blog post describes how to resurrect the original DLL hijack documented by Cn33liz by extending it to simply define the typically exported functions found in amsi.dll in a fake DLL. This gives a low privileged user an AMSI bypass if they can write to a directory.
MAPI over HTTP and Mailrule Pwnage
History In December 2015 Silent Break Security wrote about “Malicious Outlook Rules” and using these to get a remote shell. This was great, we could now use those credentials found through brute-forcing OWA instances or a phishing page. The only issue I had with this was the fact that you needed to setup a local instance of the mailbox, which at times could be time consuming and also felt like overkill.
Bringing the hashes home with reGeorg & Empire
Is not a hack until you are 3 tunnels deep – Ian de Villiers
External assessments. It’s about not only finding flaws but also looking at ways you can chain lower and medium-level vulnerabilities together, to be utterly devastating and gain full access.
After situational awareness phase, pulling in all of my reconnaisance scans and input, I was left with typical results one might expect: missing patches here, little misconfiguration there, the typical…
Page 1 of 1