I grew up as an insanely curious kid. My parents have seemingly endless numbers of stories of me taking things apart and trying to put them back together (sorry about the lawnmower, dad). There’s something about solving puzzles that has always captivated me.
As I got older and entered the…
This post was written together with Emily Leidy
People can have some strong preferences about how their files are laid out in Explorer. Some like the compact Details view. Others like the descriptive Content view with the Details pane. Some insane people even use Small Icons 😱. Explorer offers dozens…
Most teams I have worked with rely heavily on anecdotal evidence when it comes to evasion. If an operator is asked why they chose a technique over another, the most common response I have heard is “ because it worked last time.” In situations where we are encountering a new…
A few weeks ago, I reported a Local Privilege Escalation (LPE)affecting version <1.0.7 of EVGA’s Precision X1 performance software. This vulnerability was patched in version 1.0.7.
While looking at the services created by the application, I noticed that a driver service, “WinRing0_1_2_0,” was started on the system and correlated to…
Attacks against Windows kernel mode software drivers, especially those published by third parties, have been popular with many threat groups for a number of years. Popular and well-documented examples of these vulnerabilities are the CAPCOM.sys arbitrary function execution, Win32k.sys local privilege escalation, and the EternalBlue pool corruption. Exploiting drivers offers…
Mimikatz provides the opportunity to leverage kernel mode functions through the included driver, Mimidrv. Mimidrv is a signed Windows Driver Model (WDM) kernel mode software driver meant to be used with the standard Mimikatz executable by prefixing relevant commands with an exclamation point (!). Mimidrv is undocumented and relatively underutilized…
Sysmon is an incredibly powerful tool to aide in data collection beyond Windows’ standard event logging capabilities. It presents a significant challenge for us as attackers as it has the ability to detect many indicators that we generate during operations, such as process creation, registry changes, file creation, among many…
With the rise in offensive .NET, particularly C#, tooling, we are seeing a great expansion in operational capability, especially with regards to running our code in memory (e.g. Cobalt Strike’s execute-assembly). While C# provides a great deal of functionality on the surface, sometimes we need to leverage functions of the…
Imported from my old blog at matterpreter.com
I’m really only writing this to save someone some time on an engagement and since there’s nothing detailed on the topic out there.
Today I was working and came across TCP port 8192, which I’ve seen a million times, and decided to poke…
I like security, picking up heavy things, and burritos. Adversary Simulation @ SpecterOps. github.com/matterpreter
