Forensics and Security

Generic Windows Artifacts Windows 10 Notifications In the path \Users\<username>\AppData\Local\Microsoft\Windows\Notifications you can find the database appdb.dat (before Windows anniversary) or wpndatabase.db (after Windows Anniversary). Inside this SQLite database you can find the Notification table with all the notifications (in xml format) that may contain interesting data. Timeline Timeline is a …

smss.exe It’s called Session Manager. Session 0 starts csrss.exe and wininit.exe (OS services) while Session 1 starts csrss.exe and winlogon.exe (User session). However, you should see only one process of that binary without children in the processes tree. Also, more sessions apart from 0 and 1 may mean that RDP …

To compare Active Directory accounts against breached passwords you need access to your Active Directory with a specific privileged account, a password list with NTLM hashes and some PowerShell commands. But why should you do this? Password hashes of Domain accounts can be dumped locally from SAM, memory, remotely and …

Some notes to myself to use as a reference guide and to gain a better understanding of the privileges and rights assigned to Windows services in the form of SDDL security descriptor strings finally today became useful to solve a problem of a Good friend and college of mine (Dear …

Intro In our research, we expose adversarial Tactics, Techniques and Procedures (TTPs) as well as the tools they use to execute their mission objectives. In most of our cases, we see the threat actors utilizing Cobalt Strike. Therefore, defenders should know how to detect Cobalt Strike in various stages of …

A regular domain user can easily take over the entire Active Directory domain. While we still recommend that the print spooler service should be disabled on any system that does not need it, we also want to provide a temporary workaround to make the exploit ineffective, while allowing you to …

Administrators typically use Remote Desktop Protocol (RDP) in order to manage Windows environments remotely. It is also typical RDP to be enabled in systems that act as a jumpstation to enable users to reach other networks. However even though this protocol is widely used most of the times it is …

Why this post? The purpose of this guide is to view Active Directory from an attacker perspective. I will try to review different aspects of Active Directory and those terms that every pentester should control in order to understand the attacks that can be performed in a Active Directory network. …

Summary Active Directory Exploitation Cheatsheet Summary Tools Domain Enumeration Using PowerView Using AD Module Using BloodHound Useful Enumeration Tools Local Privilege Escalation Lateral Movement Powershell Remoting Remote Code Execution with PS Credentials Import a powershell module and execute its functions remotely Executing Remote Stateful commands Mimikatz Useful Tools Domain Privilege …

This article contains a list of PowerShell commands collected from various corners of the Internet which could be helpful during penetration tests or red team exercises. The list includes various post-exploitation one-liners in pure PowerShell without requiring any offensive (= potentially flagged as malicious) 3rd party modules, but also a …