Channel: clymb3r » clymb3r
Browsing all 9 articles


Reflective DLL Injection with PowerShell

Normally when you load a DLL in Windows, you call LoadLibrary. LoadLibrary takes the file path of a DLL and loads it into memory. In addition to the DLL being on disk, the DLL will show up when tools...
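An added example (not code from the clymb3r post) of the "normal" load path the teaser contrasts with reflective injection: LoadLibrary is called through P/Invoke, and the module is then enumerated from the process module list exactly the way a defender's tooling would see it. The P/Invoke wrapper type name, the helper function and the choice of cabinet.dll are assumptions made for this illustration; it assumes a Windows host with that system DLL present.

```powershell
# Added example (not from the clymb3r post): load a DLL via LoadLibrary through P/Invoke,
# then show that the loader records it in the process module list, which is what a
# reflectively loaded DLL avoids. cabinet.dll is an arbitrary choice of system DLL.

$signature = @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern IntPtr LoadLibrary(string lpFileName);

[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool FreeLibrary(IntPtr hModule);
'@
$Kernel32 = Add-Type -MemberDefinition $signature -Name 'Kernel32' -Namespace 'Win32Demo' -PassThru

function Get-LoadedModule {
    # Hypothetical helper: list modules of a process whose name matches $ModuleName.
    param(
        [Parameter(Mandatory)][string]$ModuleName,
        [int]$ProcessId = $PID
    )
    # Get-Process builds a fresh Process object, so .Modules reflects the current loader state.
    (Get-Process -Id $ProcessId).Modules | Where-Object { $_.ModuleName -ieq $ModuleName }
}

$dll = 'cabinet.dll'
$before = @(Get-LoadedModule -ModuleName $dll).Count
Write-Host "Before LoadLibrary: $before matching module(s)"

$handle = $Kernel32::LoadLibrary($dll)
if ($handle -eq [IntPtr]::Zero) {
    $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
    throw "LoadLibrary($dll) failed, Win32 error $err"
}

# The loader has mapped the file from disk and linked it into the PEB module lists, so any
# tool that walks those lists (Process Explorer, listdlls, Get-Process) now sees it together
# with its on-disk path. If the runtime had already loaded the DLL, LoadLibrary only bumps
# the reference count and the count stays at 1.
Get-LoadedModule -ModuleName $dll | Select-Object ModuleName, FileName, BaseAddress, ModuleMemorySize

# Defender-side check: every entry in the module list should have a backing file on disk.
# A reflectively loaded DLL never appears in this list at all, which is why finding it takes
# memory scanning rather than module enumeration.
(Get-Process -Id $PID).Modules |
    Where-Object { -not (Test-Path -LiteralPath $_.FileName) } |
    ForEach-Object { Write-Warning "Module without backing file: $($_.ModuleName)" }

[void]$Kernel32::FreeLibrary($handle)
```

Run it in a 64-bit PowerShell session; the module appears in the list with its System32 path after the LoadLibrary call, and the "without backing file" warning stays silent for a clean process.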





Modifying Mimikatz to be Loaded Using Invoke-ReflectiveDLLInjection.ps1

This is a follow up to my article about reflectively loading DLLs using PowerShell. This will walk you through the relatively simple process of modifying mimikatz to be loadable using the reflective...



Implementing Remote LoadLibrary and Remote GetProcAddress Using PowerShell...

Recently I have been working on reflective DLL injection into remote processes in PowerShell. I encountered a problem: I need to call LoadLibrary to load libraries in the remote process and then call...



Using PowerShell to Copy NTDS.dit / Registry Hives, Bypass SACLs / DACLs /...

Currently there are a few ways to dump Active Directory and local password hashes. Until recently, the techniques I had seen used to get the hashes either relied on injecting code into LSASS or using...



Avoiding PowerShell Command Injection & Unicode Issues

PowerShell exposes a powerful set of functionality and is increasing in popularity for server management tasks. This post aims to help penetration testers identify issues that may be found when...
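An added example (not code from the clymb3r post) of the class of bug this article covers: a function that splices caller input into a string and hands it to Invoke-Expression, the injected input that abuses it, and the parameter-bound form that is immune. It also shows why a filter that only strips ASCII quotes is insufficient, since PowerShell's tokenizer accepts the Unicode quote and dash characters as well. The function names are made up for this illustration, the payloads are constructed, and a Spooler service is assumed to exist on the host.

```powershell
# Added example (not from the clymb3r post). Function names are hypothetical; the
# payloads are constructed test input. Assumes a host with a service named Spooler.

# VULNERABLE: caller input is spliced into a string that is then parsed and executed.
function Get-ServiceStateUnsafe {
    param([string]$Name)
    Invoke-Expression "Get-Service -Name $Name | Select-Object Name, Status"
}

# Constructed attacker input: terminates the intended statement and starts new ones.
# The single quotes keep $env:USERNAME literal here; Invoke-Expression expands it.
$payload = 'Spooler; Write-Warning "INJECTED: running as $env:USERNAME"; Get-Service Spooler'
Get-ServiceStateUnsafe -Name $payload

# Stripping ASCII quotes does not help: PowerShell also treats the Unicode characters
# ‘ ’ ‚ ‛ and “ ” „ as string delimiters and – — ― as the parameter dash, so input
# that passes an ASCII-only quote filter still parses as code.
$unicodePayload = 'Spooler; Write-Warning “INJECTED via Unicode quotes”; Get-Service Spooler'
Get-ServiceStateUnsafe -Name ($unicodePayload -replace '["'']', '')

# FIXED: parameter binding passes the value as data. It is never re-parsed as script,
# so metacharacters in $Name cannot change which commands run.
function Get-ServiceStateSafe {
    param([Parameter(Mandatory)][string]$Name)
    Get-Service -Name $Name -ErrorAction Stop | Select-Object Name, Status
}
try {
    Get-ServiceStateSafe -Name $payload
} catch {
    # No service has that literal name, so the call fails instead of executing the payload.
    Write-Host "Safe version rejected the input: $($_.Exception.Message)"
}

# Defense in depth when dynamic invocation cannot be avoided: reject both the ASCII and the
# Unicode metacharacters before the value gets anywhere near the parser.
function Test-SafeToken {
    param([Parameter(Mandatory)][string]$Value)
    # statement separators, pipeline, call operator, variable and grouping syntax, backtick,
    # newlines, ASCII quotes, and the Unicode quote and dash variants PowerShell accepts
    $metachars = '[;|&$(){}`\r\n"''‘’‚‛“”„–—―]'
    return -not ($Value -match $metachars)
}
Test-SafeToken -Value 'Spooler'        # True
Test-SafeToken -Value $payload         # False
Test-SafeToken -Value $unicodePayload  # False
```

The fix is the parameter-bound version, not the filter: Test-SafeToken is a backstop for code that must build commands dynamically, and any allow-list is better than the deny-list shown here.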




Intercepting Password Changes With Function Hooking

Last week, Mubix published a malicious Windows password filter DLL (http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html). The idea is simple: by installing this...



PowerShell and Token Impersonation

This post will discuss bringing incognito-like functionality to PowerShell in the form of a new PowerShell script (Invoke-TokenManipulation), with some important differences. I’ll split this post up in...



Injecting Logon Credentials With PowerShell

In this article I will introduce a new script, Inject-LogonCredentials, that uses PowerShell (specifically, the Invoke-ReflectivePEInjection script) to inject credentials in memory. I’ll start with a...




Cracking Open PowerShell’s Constrained Runspace

Recently at the PowerShell Summit, Lee Holmes and I did a talk on PowerShell security. One of the demonstrations we did showed how to find and exploit a command injection bug in a constrained runspace....





