One of the many ways to install third-party applications on workstations and servers in corporate environments is to push MSI installation packages using GPOs. However, MSI packages can, if not created securely, leave systems vulnerable to various privilege escalation vulnerabilities. Even Microsoft’s own MSI parser, MSIEXEC, can in certain situations leave a Windows system vulnerable to privilege escalation.
Mimikatz Under The Hood
The ability of Mimikatz to extract the NTLM hash of users at runtime from Windows has always fascinated me. Although alternatives exist (as explored in previous blog posts), there may still be situations during Red Team engagements where live credential extraction from LSASS is wanted. In those situations, defense evasion tactics such as heavily modifying Mimikatz or using another implementation of Mimikatz are common.
Another alternative to LSASS dumping
Protecting the frontline: building a secure Windows 10 client
The threat landscape has changed over the last decade, which means that securing and protecting your valuable assets and intellectual property requires a multi-layered approach that, now more than ever, includes normal workstations.
We are leveraging and taking advantage of the cloud and its capabilities, which enables our workforce and employees to bring their work with them. This is our new world, and attackers can and will take advantage. Having that in mind, it is crucial for any enterprise to pay some serious attention to workstation security and hardening.
Read along as we strive to give an idea of how you can design and build a fundamental foundation and standardization for your workstation security.
Unpatched privilege escalation vulnerability in Intel Driver & Support Assistant.
The dangers of MSSQL features – Impersonation & Links
Microsoft has added a tremendous amount of functionality to MSSQL throughout the years, which enables developers and database administrators to do all sorts of neat things to complete their tasks. Today it does not take long to build a webpage and populate it with data collected from multiple sources, and even present it in a professional manner. This is of course great: it is possible to produce something of value in a short amount of time, but it can also expose your infrastructure in ways you might not suspect. In this blog post, I will dive into two MSSQL features, Impersonation and SQL Database Links, and end it off with a Zero-to-Hero type attack, simulating a webpage vulnerable to SQL injection, which eventually leads to a complete domain compromise. Sounds interesting? Let's go!
The reappearance of HTTP Request Smuggling
Not too long ago, a colleague and I came across this almost forgotten attack vector, which swiftly resurfaced when PortSwigger added it to their portfolio of web vulnerability checks in their fantastic tool, Burp. This attack is quite interesting and different from the usual web vulnerabilities such as SQL injection and path traversal, which, unfortunately, we still see in the wild. In this blog post I will shed some light on what HTTP Request Smuggling is and why it should, once again, be taken seriously.