Putting the team in red team

One of the more common questions we receive during a red team scoping call or RFP Q&A call is: how many dedicated consultants will be involved in the assessment? There is no “correct” answer to this question, and ultimately, the answer as to how red team engagements are staffed comes down to how the consultancy…

The post Putting the team in red team appeared first on TrustedSec.

Diving into pre-created computer accounts

I was on an engagement where I simply could not elevate privileges, so I had to become creative and look deep into my old bucket (bucket being my head) of knowledge, and this resulted in some fun stuff. I had found that the client had a vulnerable certificate template also known as ESC1 that allowed…

g_CiOptions in a Virtualized World

With the leaking of code signing certificates and exploits for vulnerable drivers becoming common occurrences, adversaries are adopting the kernel as their new playground. And with Microsoft making technologies like Virtualization Based Security (VBS) and Hypervisor Code Integrity (HVCI) available, I wanted to take some time to understand just how vulnerable endpoints are when faced…

Persisting XSS With IFrame Traps

XSS Iframe Traps: Longer Running XSS Payloads. An issue with cross-site scripting (XSS) attacks is that our injected JavaScript might not run for an extended period of time. It may be a reflected XSS vulnerability where we’ve tricked our user into clicking a link, but when they land on the page where we were able…

Making SMB Accessible with NTLMquic

This week, I dusted off my reading list and saw that I’d previously bookmarked an interesting article about the introduction of SMB over QUIC. The article from Microsoft showed that Windows was including support for SMB to be used over the QUIC protocol, which should immediately spark interest for anyone who includes SMB attacks as…

CVE-2022-24696 – Glance by Mirametrix Privilege Escalation

When investigating my laptop, I stumbled upon something interesting that resulted in privilege escalation. I use a Lenovo ThinkPad X1 Extreme Gen 1, which has an installed software named Glance, for my day-to-day work. The purpose of this software is to use the advanced web camera to figure out if you are speaking when the…

Expanding the Hound: Introducing Plaintext Field to Compromised Accounts

Introduction: When doing an Internal Penetration Test, it is not uncommon to run BloodHound at one point or another. In case you are not familiar with BloodHound, it’s a tool that automatically fires off a bunch of LDAP queries and Windows API calls to collect various data in an Active Directory environment. Data can range…

Manipulating User Passwords Without Mimikatz

There are two common reasons you may want to change a user’s password during a penetration test: You have their NT hash but not their plaintext password. Changing their password to a known plaintext value can allow you to access services in which Pass-the-Hash is not an option. You don’t have their NT hash or…

Object Overloading

Using an OS binary to carry out our bidding has been a tactic employed by Red Teamers for years. This eventually led to us coining the term LOLBIN. This tactic is typically used as a way of flying under the radar of EDR solutions or to bypass application whitelisting by surrounding our code in the…
