Decoding Powershell Base64 Encoded commands in CyberChef

Firstly, you need some Powershell Base64 commands, you could search your security logs or Sysmon logs for these, or simply generate some yourself!

powershell.exe -noprofile -ExecutionPolicy UnRestricted -EncodedCommand bgBlAHQAIAB1AHMAZQByACAAcwBlAGMAYQB1AGQAaQB0ACAAUABAADUANQB3ADAAcgBkADEAMgAzACEAIAAvAEEARABEADsAbgBlAHQAIAB1AHMAZQByACAAcwBlAGMAYQB1AGQAaQB0ACAALwBhAGMAdABpAHYAZQA6AHkAZQBzADsAbgBlAHQAIABsAG8AYwBhAGwAZwByAG8AdQBwACAAYQBkAG0AaQBuAGkAcwB0AHIAYQB0AG8AcgBzACAALwBhAGQAZAAgAHMAZQBjAGEAdQBkAGkAdAA=

Next, we head over to Cyber Chef!

https://gchq.github.io/CyberChef/

Now we copy the base64 component to the INPUT window:

We add the “From Base64” operation into our RECIPE! Read more “Decoding Powershell Base64 Encoded commands in CyberChef” →

Infection Monkey Overview

Have you ever wanted to see what would occur in an environment if a worm was a make its way in? I often work with customers to show them about lateral movement from a human operated perspective however sometimes it’s useful for people to visualise this better and to demonstrate what could occur if a worm was set loose. A great tool to help with this is Infection Monkey from Guardicore (https://www.guardicore.com/

High Level View

The process steps are as follows:

Scope Exercise
Prepare Environment
Deploy Infection Monkey Server (Monkey Island)
- Configure Server Credentials
Monkey Configuration
Release Monkey/s
Review
Report

Read more “Infection Monkey Overview” →

Windows 11 Privilege Escalation via UAC Bypass (GUI based)

Introduction

Ok these are a really simple UAC bypass from a userland GUI perspective. This is about increasing process integrity levels – it’s not about performing LPE from low integrity to high/SYSTEM with no interaction. These clearly work in older version of Windows as well but since Windows 11 will be the current version in the near future I thought it was fun to re-visit these!

And just to be clear, a medium integrity process as an administrator user will have the following privileges:

What we are talking about here is to move to a high integrity process without knowing credentials or having the secure desktop launch. Read more “Windows 11 Privilege Escalation via UAC Bypass (GUI based)” →

Razer Privilege Escalation Vulnerability

“And I looked and behold a pale horse: and his name that sat on him was Death, and Hell followed with him.”

Firstly, Kudos to @j0nh4t for finding this!

I woke up this morning to see twitter fun with a LPE discovered in the Razer driver installation. Basically, when you plug a Razer mouse into a Windows machine, it will download (via windows update) and execute a process as system which has user interaction. This interface includes an install path selector, with this a right click + SHIFT (LULZ) on whitespace will allow you to launch a command prompt/PowerShell window (as SYSTEM).

Windows Remote Management 101

Windows Remote Management is easy if you are using a domain joined machine and have a CA. But what if you are off the domain and you want to connect to WINRM that has an HTTPS listener? (by default WINRM uses HTTP on TCP 5985, you can clearly chop out the TLS related configs in the example scripts and they will work for plain old WINRM)

This is useful from a sysadmin and penetration testing/red team perspective. Now obviously you could export the certificates and import them into your store, however that’s more work. So, let’s look at how we ignore revocation, CA name and Computer Name checks.

WinRM via HTTPS (self-signed)

Windows Security Fundamentals & LPE

Introduction

Recently I decided to do the Red Team Operator: Privilege Escalation in Windows Course by Sektor7 (thanks for the recommendation Justin!). I thought I’d write some notes but also create a quick blog covering some of the Windows fundamental areas. It’s easy to actually forget how this stuff is at a detailed level so figured it helps both myself and the world to share a snippet. I’m litterally listening to the course as I type this, I’ve just imported an OVA to vmware workstation so this is litterally live! (I’m 7 video modules in!)

There’s some key parts around Windows Security Architecture that is important to know, the course does cover this off at the start so I thought I’d share a tiny bit of my notes. Read more “Windows Security Fundamentals & LPE” →

Penetration Testing

Overview

Penetration testing is the activity of conducting security testing with the aim of identifying and exploiting vulnerabilities to identify strengths and weaknesses. I include strengths because I believe it’s important for security testing to promote both positive and negative findings. I also think that there is a huge mis conception with what penetration is, what it helps with and how to best get value from a penetration test.

My definition isn’t too far from the NCSC one: https://www.ncsc.gov.uk/information/check-penetration-testing

A penetration test is a security assurance activity, but it’s one of many activities that I recommend people conduct. This is however largely only adopted by the few, for many a penetration test is a compliance tick box, either from a regulatory or contractual requirement.

When looking at a system a penetration test is not usually the most efficient starting point, especially if it’s from a black box perspective. Read more “Penetration Testing” →

Why are ransomware attacks so devastating? – Part 1

Introduction

“Ransomware is a major issue!”

Hang on maybe we need to re-phrase that:

“Weak security postures are a major issue!”

or perhaps.. why not both!

I’ve been working with digital technology management for over 20 years, I started out when I was a kid (literally) fixing people’s PCs in their offices, removing malware, improving configurations, writing batch file menus, and playing games. As time has gone on technology has shrunk and continually become more and more of our everyday lives.

Back in 2003 I responded internally to MSBlaster, an SMB worm that had a devastating effect for the time, by today’s standards it was child play, however I remember saying “it’s a good job it didn’t delete everything whilst it was here.” (Or something very similar. Post NACHI/Blaster my friends and I were talking about how worse it could get. Fast forward in time and it’s much worse. Yet when I look at networks, they don’t look very different to how they did back in the 2000s.

Despite a multi-billion-dollar cyber security industry, it seems daily that organisations are succumbing to “cyber-attacks” which commonly include ransomware. Why are they successful and why are they so impactful? Well, let’s take a look! Read more “Why are ransomware attacks so devastating? – Part 1” →

Audit NTDS.DIT using DSINTERNALS

Ok this assumes you know how to get the NTDS.DIT and SYSTEM registry hive out from a domain controller, if you don’t go looking, we might have blogged a few ways to do that! Now then, firstly, let’s Install DSInternals. From PowerShell 5 onwards you can simply run:

Install-Module -Name DSInternals -Force

You will likely need to set your execution policy:

Set-ExecutionPolicy -ExecutionPolicy Unrestricted

Now to dump the hashes we use: Read more “Audit NTDS.DIT using DSINTERNALS” →

Dumping Credentails with MIMIKATZ and Passing the Hash (PTH)

I kid you not, I forget the commands, so I thought, hey let’s write a small blog post on credential dumping and pass the hash.

To achieve this we need: Debug privileges on a single machine or we need access to a disk that does not have full disk encryption. We also need the password to be re-used.

Mimikatz

Ok for this demo I’m going to run with the out of the box release for Mimikatz on a domain joined windows PC with Defender disabled.

To gain system we launch mimikatz from an admin shell and run:

privilege::debug

token::elevate

Now we are SYSTEM we access a range of high privilege level areas. Read more “Dumping Credentails with MIMIKATZ and Passing the Hash (PTH)” →