Chad Duffey
Blue Team -> Exploit Development & things in-between
Featured
Moving SYSVOL to a new disk
This post covers how to move SYSVOL to a new disk. It’s a little tricky because of the junction points and it is definitely worth trying in a lab environment first to get comfortable. You should also engage Microsoft support during the process if that is an option for you....
Using IL NOPs with dnSpy
If you’ve used dnSpy to make a simple modification to a binary you’ll know that it’s often as simple as finding the section of code requiring a small change, right click, “modify method”, then compile. Often though, the code you are looking at in dnSpy cannot be easily edited and...
Converting ETL to EVTX in 'real time' (for Azure App Proxy Front End Logs)
The ask: Ensure that the front end logs from the Azure Application Proxies are flowing into the SIEM via Windows Event Forwarding (WEF). This post outlines the current challenges with the ask, and provides an approach for converting .ETL logs to .EVTX format as they arrive. Azure Application Proxy Overview...
Using Microsoft CES/CEP for Linux Workstation Certificate Enrollment with Kerberos Workstation Authentication
This post is based on a recent project requirement: Windows Domain joined Linux workstations must use machine account Kerberos to authenticate and request workstation certificates from Microsoft Certificate Services. We will cover the detail a little further down, but at a high level this can be achieved with: CES/CEP Configured...
Rubber Ducky on MacOS
I’ve been spending a big chunk of my time on an IAM project at work and there hasn’t been much free time for “hacker crap” because of the deadlines attached to the project. In an effort to clear my mind I thought I’d take the rubber ducky for a...
edgegdi.dll for persistence
Overview There’s a .dll which just about every process on my Windows machine is interested in called edgegdi.dll. Unfortunately, the dll edgegdi.dll isn’t there (or anywhere on the system). You’ll see the status (NAME NOT FOUND) in any procmon trace you look at, which makes it interesting for persistence at...
Vulnserver Exploit vs Windows Defender Exploit Guard
This post evaluates the protection Windows Defender Exploit Guard can offer a vulnerable application. We’re using vulnserver as an example, but thinking about it in the context of real applications that might still have unpatched vulnerabilities. Checking whether there are exploit guard capabilities that could offer protection even if the...
Regular
Moving SYSVOL to a new disk
This post covers how to move SYSVOL to a new disk. It’s a little tricky because of the junction points and it is definitely worth trying in a lab environment first to get comfortable. You should also engage Microsoft support during the process if that is an option for you....
Using IL NOPs with dnSpy
If you’ve used dnSpy to make a simple modification to a binary you’ll know that it’s often as simple as finding the section of code requiring a small change, right click, “modify method”, then compile.
Wordpress Backdoor
I recently discovered what appeared to be a backdoor installed in my WordPress site. This post is in two parts. The first part is a complete ramble you should skip if you are just here for the malware/backdoor.
HTB - Search
Another highly recommended Active Directory lab for attackers and defenders looking to sharpen their AD skills.
Restricting Lateral Movement in a Windows Environment
A link to a blog post I worked on for Palantir with help from friends at SpecterOps regarding SMB based lateral movement
Windows Privilege Abuse - Auditing, Detection, and Defense
A link to a blog post I worked on for Palantir with help from friends at SpecterOps regarding Windows Privileges
Managing Browser Extensions at Scale
A link to a blog post I worked on for Palantir showing the DevOps workflow we designed to better manage Browser Extensions
Attack Surface Reduction Recommendations
A link to a blog post I worked on for Palantir showing the approach we used to deploy Attack Surface Reduction rules
Using Microsoft CES/CEP for Linux Workstation Certificate Enrollment with Kerberos Workstation Authentication
This post is based on a recent project requirement: Windows Domain joined Linux workstations must use machine account Kerberos to authenticate and request workstation certificates from Microsoft Certificate Services.
Shadow Credentials
Elad Shamir’s post on Shadow Credentials is the right place to read the details of this interesting approach: https://posts.specterops.io/shadow-credentials-abusing-key-trust-account-mapping-for-takeover-8ee1a53566ab. He documented the approach back in June, 2018. Short Version for Blue Teamers: The way I simplify (probably oversimplify) this when talking to people about it is: There’s an Active Directory...
Exploit Dev practice - tiny buffer; leverage existing register values
Going back to learn more about things I really enjoy (exploit development) rather than spending so much time on the things I mostly do at work (infrastructure).
Exploit Dev practice - small buffer; restoring ESP
Going back to learn more about things I really enjoy (exploit development) rather than spending so much time on the things I mostly do at work (infrastructure).
OpenShift from scratch - Part 2 > Basic Configuration for CRC on Windows
Start / Stop / Delete:
OpenShift from scratch - Part I > Windows installation
BLUF: (Bottom line(s) up front because you probably don’t really need this post at all; the setup of CodeReady Containers is really simple. The post just captures some of the quirks I ran into) [1] Download CodeReady Containers from Red Hat. Start here: https://developers.redhat.com/products/codeready-containers/overview [2] Extract the .zip file...
Hello world for Azure Graph (PowerShell)
When I need a quick PowerShell example to make sure I have configured the hosting/infrastructure/egress-allow correctly, I use this small example.
Scripting big GPO ACL changes based on groups
Sometimes it makes sense to remove the “Apply Group Policy” right from the Everyone group and slowly add users from specific groups as a way to roll out the change.
WinDBG Notes
// This post will be updated regularly. Don’t rely on it, I’m learning.
Rubber Ducky on MacOS
I’ve been spending a big chunk of my time on an IAM project at work and there hasn’t been much free time for “hacker crap” because of the deadlines attached to the project.
Jekyll being painful
Quick post for future me:
Adjusting Group Policy (Deny 'Apply GPO') ACEs via PowerShell
The use case I needed to solve looked like this:
WDAC Notes
The place to learn the most about Windows Defender Application Control (WDAC) the fastest is YouTube. Matt Graeber put together an amazing set of tutorials, and if you’re trying to learn how to do it the way a pro does, I’d recommend making them your first stop.
Wireguard on Ubuntu
Very quick post to remind me how to set up the WireGuard client for Ubuntu quickly:
Windows 20H2 changes
Comparison of Windows 10 2004 and Windows 10 20H2 installations that might assist others who need to check off some of these things in their pre-deployment security review.
edgegdi.dll for persistence
Overview
Quick and Simple WiFi Testing with besside-ng
I’ve been using Bettercap for a while now, and I love it, but I saw a post on the weekend that reminded me of the value in going back to look at other tools.
DLL Hijack for Cisco Anyconnect
Note 1: the best place to learn a lot about DLL hijacking is https://institute.sektor7.net; the main purpose of this post is to capture my notes while applying some of the techniques taught by Sektor7 in a real world example.
Exploit Guard Mistakes
This post details the mistakes I’ve made using and tuning Exploit Guard.
Exploit Guard vs Process (DLL) Injection
In the previous post we evaluated Exploit Guard controls against a simple buffer overflow vulnerability in a test application. We used Matt Graeber’s Exploit Guard documentation as a guide.
Vulnserver Exploit vs Windows Defender Exploit Guard
This post evaluates the protection Windows Defender Exploit Guard can offer a vulnerable application.
Deploying Azure Functions
We’re going to try to move the main random password code from the previous blog post to Azure ‘Functions’ - the Azure serverless offering.
Deploying Azure Web Services Manually
Looking into how we’d deploy, scale and secure a web service on Azure. Starting right at the very basics - a hand jammed basic web service deployed from inside VS Code.
Ansible & PowerShell
Leveraging Ansible and PowerShell together for remote management.
Windows Persistence
Notes while working through the (excellent) Sektor7 windows persistence course. Important point: don’t just rely on the notes here. They’re mainly reminders for me :) It’s the templates and tools as well as extra context that makes the training really valuable. (Tools include things like scripts to AES encrypt and...
VMWare Workstation Automation (on Windows)
First up, enable the GUI so that you can get familiar with the (REST) API.
Docker Day
Spending the day going over Docker topics.
Windows Malware Creation Notes
I recently worked through Sektor7’s “Red Team Operator - Malware Development”.
Cross Compile Windows binaries on Linux
Very quick note for something that usually takes me too long to find :)
Infrastructure Notes - Azure site-to-site VPN
Extending the on site lab network to an Azure VNET.
X-Forwarded-For Header
The X-Forwarded-For (XFF) header is a de-facto standard header for identifying the originating IP address of a client connecting to a web server through an HTTP proxy or a load balancer. When traffic is intercepted between clients and servers, server access logs contain the IP address of the proxy or...
10 minute personal VPN
Quick VPN endpoint all to yourself using your Azure (or AWS) subscription based on the Trail of Bits Algo project:
Infrastructure Notes - Linux Host Security
Using Andrew Malett’s ‘Linux Host Security’ course on Pluralsight
Infrastructure Notes - Azure Key Vault
Using Gary Grudzinskas ‘Securing Virtual Machines with Azure Key Vault’ training course on Pluralsight
HTB - Forest (Hacking Active Directory walk-through)
A HTB lab based entirely on Active Directory attacks.
CVE-2020-0796 Mitigations
Microsoft is aware of a remote code execution vulnerability in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target SMB Server or SMB Client.
Active Directory - Physical Disk Access to Domain Administrator in just a few minutes
If you get access to the unencrypted disk of a domain controller you can take NTDS.dit away and do horrible things with it offline. The most common approach seems to be extracting the secrets from the directory. I recommend ropnop’s blog for more detail.
WinDBG for User-Mode Debugging
WinDBG is the right way to go to analyze Windows crash dumps if you have builds that are throwing a blue screen. For a really large percentage of those cases you can get to a reasonable answer with the !analyze -v command. As long as you are comfortable setting up...
Active Directory - Recover deleted objects quickly
You’re going to panic when something important is accidentally deleted. It’s scary. In the old days it was a little painful as well. Deleted objects had their links stripped (memberships) and the most appropriate recovery was via the last backup if you wanted things the way they really were. (Tombstone...
YubiHSM for code signing
This might save someone a few hours working out the steps to set up and use a YubiHSM for code signing. This nifty little device seems to work flawlessly for small volume code signing work. Yubico actually do a good job of publishing performance metrics on the product site but...
Active Directory - How Smart Card Logon Works
The Smart card logon process goes like this:
Active Directory - Modify a system owned attribute
First of all, you shouldn’t do this. But in case you are hell bent on making a mess the following steps will allow you to modify objects that Active Directory would otherwise block you from changing.
Windows Security - No disk encryption equals root level access in five minutes or less
After showing this to a friend today I thought I should also write it down for quick reference. There’s nothing new here, this trick has been around forever, but it’s the best, quickest example I have of how unencrypted Windows disks are dangerous from a data theft perspective, but also...
Infrastructure Notes - AWS VPC
(Notes based mainly on the content from Ben Piper’s excellent Pluralsight course)
Infrastructure Notes - Azure AD PTA
Infrastructure Notes - Azure AD Pass-through Authentication
LDAPS across disparate namespaces
That title is a mouthful, and there’s probably a better way to say it, but here’s the situation:
Infrastructure Notes - Azure Virtual Machine Scaling
Azure Virtual Machine Scale Sets let you create and manage a group of load balanced VMs. The number of VM instances can automatically increase or decrease in response to demand or a defined schedule
Scapy 101 and an old Windows IPv6 DoS
Quickstart notes for when you need that perfect packet.
Debugging Notes - GDB Cheatsheet
Debugging Notes for Linux processes
Infrastructure Notes - Azure Storage Overview
Infrastructure Notes: Azure Storage Overview
Infrastructure Notes - Azure Network Design Overview
Designing and implementing Azure networking capabilities is a critical part of your cloud solution. You’ll need to make networking design decisions to properly support your workloads and services.
Infrastructure Notes - AWS Route 53
Working through Ben Piper’s excellent course on Pluralsight: AWS Networking Deep Dive: Route 53 DNS. This post captures the notes I took along the way.
Try not to get too fancy with Active Directory Backup
Active Directory does a few important things whenever it is backed up or restored to keep it working the way it was intended. For that reason (in most situations) it is important that we don’t get too fancy with alternatives to the traditional ‘system state backup’.
Cleaning House - SANS Pen test
We’re moving house, so the old SANS Pentesting posters and notes are headed for the recycle bin :(
When NTLM is used for Windows Login (Kerberos unavailable)
I’m working on a larger post about the various types of logon (network, local, RDP etc.) and what each of them presents to an attacker; but I wanted to first understand a little more about NTLM based logon to a Windows/Active Directory environment.
IPSec for Windows Firewall Exceptions
Generally speaking, a DENY rule in Windows Firewall will override any ALLOW rule.
Getting Crafty with LAPS permissions
Recent requirement to modify access to LAPS attributes in one of our directories. We had a specific class of computer objects for which we did not want all of our usual LAPS readers to be able to retrieve the local password.
Exploiting Vulnserver
While I was working through the OSCE I remember folk were looking for something that would be roughly as challenging as the exam to practice the full fuzz, RCE, full remote shell lifecycle.
Skeleton Key
Writes a new password to memory on the host (“mimikatz”) that will work in addition to the real password for any user.
Silver ticket (in short)
An attacker has obtained a long term key for a service account. Often obtained via Kerberoast against accounts with an SPN and offline cracking; but also via taking credentials from a compromised machine with mimikatz. PAC validation can fight this by verifying the PAC, but it is rarely enabled.
Overpass the hash
Kerberos version of pass the hash, where we take the NTLM hash (mimikatz can get this from memory for you) and work towards a TGT with it. Possible because the NT hash is used to support Kerberos RC4 encryption (RC4-HMAC-MD5).
Infrastructure Security Review
Cheap and cheerful approach to front up with for your next infrastructure security office hours:
Golden Ticket (in short)
The attacker has retrieved the krbtgt long term key. The attacker can then create a forged TGT for any domain account because they are able to encrypt the request with the krbtgt long term key. There’s a small hitch with TGTs older than 20 mins because they are sometimes verified;...
Cracking PDF
You need to export the hash to an appropriate format first:
Change Windows File or Folder ACL from shell
You find a file called file.txt that won’t allow you to do what you want despite having what you believe to be enough permissions:
Crank up nmap on unknown port
Quick tip to dial an nmap enumeration to 11 if needed.
Inputs.conf
[WinEventLog://Application]
disabled = false
index = wineventlog
sourcetype = wineventlog