Automating the Pass-The-Ticket attack
AutoPtT enumerates Kerberos tickets and performs Pass-the-Ticket (PtT) attacks interactively or step by step. It is a standalone alternative to Rubeus or Mimikatz for this attack, implemented in C++ and Python.
Ethical hacker | OSCE3 OSCP CRTM CRTL GX-PT
This post compiles multiple techniques to create local administrator accounts on Windows systems, from basic commands to the lowest-level SAMR API calls. It serves as a resource for Purple Teams to test detection capabilities against this common persistence method.
On Windows 11, the built-in vssadmin can list, delete or resize Shadow Copies, but Microsoft removed the ability to create them. However, you can still do it by interacting directly with the Volume Shadow Copy Service (VSS) API.
SAMDump extracts Windows SAM and SYSTEM files using Volume Shadow Copy Service (VSS) with multiple exfiltration options and XOR obfuscation.
Amazon Managed Workflows for Apache Airflow (MWAA) is a managed service to run Apache Airflow on AWS without managing infrastructure. However, most installations are affected by CVE-2024-39877, an SSTI vulnerability which allows remote code execution.
Using socat, tmux and Python threading, DoubleTeam launches a new tmux window for each incoming reverse shell. It supports simultaneous listening on many ports and automatically resumes listening on the port after spawning the tmux window.
Creating deliberately vulnerable programs to leak the NtReadVirtualMemory address for stealthier API resolution (no GetProcAddress, GetModuleHandle or LoadLibrary in the IAT).
NimDump is a port of NativeDump written in Nim, designed to dump the LSASS process using only NTAPI functions.