Malware & Persistence

Hijacking DLLs in Windows

DLL Hijacking is a popular technique for executing malicious payloads. This post lists nearly 300 executables vulnerable to relative path DLL Hijacking on Windows 10 (1909), and shows how with a few lines of VBScript some of the DLL hijacks can be executed with elevated privileges, bypassing UAC.

·wietzebeukema.nl·Sep 4, 2022

Hijacking DLLs in Windows

Beyond good ol’ Run key, Part 5

·hexacorn.com·Sep 4, 2022

Beyond good ol’ Run key, Part 5

Beyond good ol’ Run key, Part 36

·hexacorn.com·Sep 4, 2022

Beyond good ol’ Run key, Part 36

Beyond good ol’ Run key, Part 28

·hexacorn.com·Sep 4, 2022

Beyond good ol’ Run key, Part 28

MOF-tastic tricks or how to use MOF and powershell together

An extension of the last post, Embedding Powershell into Office Documents , I will be demonstrating that by using Managed Object Formats (MOF) and Powershell, we can attempt a few tricks to leverag…

·khr0x40sh.wordpress.com·Sep 4, 2022

MOF-tastic tricks or how to use MOF and powershell together

Hunting for GetSystem commands in offensive security tools

Here's how to hunt for GetSystem commands, which employ privilege escalation tactics to grant adversaries access to a victim’s SYSTEM account.

·redcanary.com·Sep 4, 2022

Hunting for GetSystem commands in offensive security tools

WTFBins

WTF, Bin?! This project aims to catalogue benign applications that exhibit suspicious behavior. These binaries can emit noise and false positives in threat hunting and automated detections. By cataloguing them here, the hope is to allow defenders to improve their detection rules and threat hunting queries.

·wtfbins.wtf·Sep 4, 2022

WTFBins

Persisting in svchost.exe with a Service DLL

·ired.team·Sep 4, 2022

Persisting in svchost.exe with a Service DLL

WTFBins

WTF, Bin?! This project aims to catalogue benign applications that exhibit suspicious behavior. These binaries can emit noise and false positives in threat hunting and automated detections. By cataloguing them here, the hope is to allow defenders to improve their detection rules and threat hunting queries.

·wtfbins.wtf·Sep 4, 2022

WTFBins

Hijacking DLLs in Windows

DLL Hijacking is a popular technique for executing malicious payloads. This post lists nearly 300 executables vulnerable to relative path DLL Hijacking on Windows 10 (1909), and shows how with a few lines of VBScript some of the DLL hijacks can be executed with elevated privileges, bypassing UAC.

·wietzebeukema.nl·Apr 14, 2021

Hijacking DLLs in Windows

DLL SideLoading Teams and OneDrive

Cyble Analyzes how Threat Actors are leveraging Microsoft applications and DLL Sideloading to deliver Cobalt Strike Beacons

·blog.cyble.com·Jul 31, 2022

DLL SideLoading Teams and OneDrive

Per-user services in Windows 10 and Windows Server - Windows Application Management

Learn about per-user services, how to change the template service Startup Type, and manage per-user services through Group Policy and security templates.

·docs.microsoft.com·Sep 9, 2022

Per-user services in Windows 10 and Windows Server - Windows Application Management

Windows 10 Services - batcmd.com

·batcmd.com·Sep 21, 2022

Windows 10 Services - batcmd.com

Demystifying the “SVCHOST.EXE” Process and Its Command Line Options

Understanding the “svchost.exe” process and its command line options

·nasbench.medium.com·Oct 31, 2022

Demystifying the “SVCHOST.EXE” Process and Its Command Line Options