146 matches found
Microsoft Windows Active Directory Privilege Escalation Multiple Vulnerabilities (CVE-2021-42278; CVE-2021-42287)
Multiple privilege escalation vulnerabilities exist in Microsoft Windows Active Directory. Successful exploitation could allow a remote attacker to elevate their privileges to those of a domain admin once they have compromised a regular user in the domain...
Odin - Central IoC Scanner Based On Loki
Odin is a central IoC scanner based on Loki. General Info: This application takes the latest version of Loki, downloads it to all machines using a PowerShell script and runs it; it then receives the response from all machines and parses the feed into CSV form. Requirements: 1. Python 3.5+ 2. PyQT5 3. psutil 4...
Active Directory Bugs Could Let hackers Take Over Windows Domain Controllers
Microsoft is urging customers to patch two security vulnerabilities in Active Directory domain controllers that it addressed in November following the availability of a proof-of-concept PoC tool on December 12. The two vulnerabilities — tracked as CVE-2021-42278 and CVE-2021-42287 — have a severi...
Two Active Directory Bugs Lead to Easy Windows Domain Takeover
A proof-of-concept tool has been published that leverages two Windows Active Directory bugs fixed last month that, when chained, can allow easy Windows domain takeover. In a Monday alert, Microsoft urged organizations to immediately patch the pair of bugs, tracked as CVE-2021-42287 and...
SharpLAPS - Retrieve LAPS Password From LDAP
The attribute ms-mcs-AdmPwd stores the clear-text LAPS password. This executable is made to be executed within a Cobalt Strike session using execute-assembly. It will retrieve the LAPS password from Active Directory. Requires either: an account with ExtendedRight or GenericAll rights, or a Domain Admin...
This One Time on a Pen Test: I Know...Everything
Each year, Rapid7 penetration testers complete hundreds of internally and externally based penetration testing service engagements. This post is part of an ongoing series featuring testimonials of what goes on beneath the hoodie. For more insights, check out our 2020 Under the Hoodie report. It...
CVE-2020-1472/Zerologon. As an IT manager should I worry?
TL;DR Yes, apply the update from Microsoft. The new MS08-067? CVE-2020-1472 is an elevation of privilege vulnerability in a cryptographic authentication scheme used by the Netlogon service and was discovered and named Zerologon by Tom Tervoort at Secura. It does not require authentication. It can...
Vulnerability fixed in Samba
Ubuntu has fixed a vulnerability in Samba. The vulnerability potentially allows a malicious party to obtain domain administrator rights. The vulnerability, CVE-2020-1472, in Samba's case has to be exploited in conjunction with a vulnerable Microsoft domain controller to be...
Exploit for CVE-2020-1472
CVE-2020-1472 Netlogon Remote Protocol Call MS-NRPC Privileg...
Microsoft Windows Netlogon Remote Protocol (MS-NRPC) uses insecure AES-CFB8 initialization vector
Overview: The Microsoft Windows Netlogon Remote Protocol (MS-NRPC) reuses a known, static, zero-value initialization vector (IV) in AES-CFB8 mode. This allows an unauthenticated attacker to impersonate a domain-joined computer, including a domain controller, and potentially obtain domain administrator...
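The two Zerologon entries above (the Secura/CVE-2020-1472 write-up and the CERT/CC note on the zero IV) describe the flaw but not why a fixed all-zero IV in CFB8 collapses so badly. The following is an added example, not code from the CERT/CC note, from Secura, or from any exploit tool; it speaks no Netlogon and contacts nothing. It implements the generic CFB8 mode over a pluggable 16-byte block function (real AES-128 if the `cryptography` package is installed, otherwise a clearly labelled SHA-256 stand-in, which is an assumption of this example and not AES) and shows that for any key whose first byte of E(key, 0^16) is 0x00, an 8-byte all-zero plaintext under the all-zero IV encrypts to 8 zero bytes. That is the 1-in-256 event an unauthenticated caller can simply retry until it hits. The key-search and sampling helpers (`find_demo_key`, `weak_key_fraction`) and the demo key derivation are constructed for this example only.

```python
"""
Why AES-CFB8 with a fixed all-zero IV is exploitable (CVE-2020-1472 / Zerologon).

Added example; not code from the CERT/CC note or from any exploit.  Shows the
structural weakness only: with IV = 0 and an all-zero plaintext, the CFB8
ciphertext is all zeros whenever E(key, 0^16)[0] == 0x00, i.e. for ~1/256 keys.
"""
import hashlib

BLOCK = 16  # AES block size in bytes
ZERO_IV = bytes(BLOCK)

try:
    # Real AES-128 single-block encryption when 'cryptography' is installed.
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    def block_encrypt(key: bytes, block: bytes) -> bytes:
        enc = Cipher(algorithms.AES(key), modes.ECB()).encryptor()
        return enc.update(block) + enc.finalize()
except ImportError:
    # ASSUMPTION: stand-in block function (SHA-256 truncated to 16 bytes), NOT AES.
    # The zero-IV property depends only on the CFB8 structure, so it still shows.
    def block_encrypt(key: bytes, block: bytes) -> bytes:
        return hashlib.sha256(key + block).digest()[:BLOCK]


def _cfb8(key: bytes, iv: bytes, data: bytes, decrypt: bool) -> bytes:
    """Generic CFB-8: each byte is XORed with E(key, shift_register)[0], then the
    ciphertext byte (never the plaintext byte) is shifted into the register."""
    reg = bytearray(iv)
    out = bytearray()
    for b in data:
        o = b ^ block_encrypt(key, bytes(reg))[0]
        c = b if decrypt else o  # the ciphertext byte is what feeds the register
        out.append(o)
        reg = reg[1:] + bytes([c])
    return bytes(out)


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    return _cfb8(key, iv, plaintext, decrypt=False)


def cfb8_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    return _cfb8(key, iv, ciphertext, decrypt=True)


def encrypt_zero_challenge(key: bytes) -> bytes:
    """A Zerologon-style client credential: 8 zero bytes under the fixed zero IV."""
    return cfb8_encrypt(key, ZERO_IV, bytes(8))


def key_is_weak_for_zero_iv(key: bytes) -> bool:
    # First output byte is E(key, 0^16)[0].  If it is 0x00, the ciphertext byte
    # is 0x00, the shift register stays all-zero, and every later byte repeats it.
    return block_encrypt(key, ZERO_IV)[0] == 0


def find_demo_key(weak: bool, tries: int = 1 << 16) -> bytes:
    """Deterministic search over derived keys (constructed for this example)."""
    for i in range(tries):
        key = hashlib.sha256(b"demo-key-" + str(i).encode()).digest()[:BLOCK]
        if key_is_weak_for_zero_iv(key) == weak:
            return key
    raise RuntimeError("no key with the requested property found")


def weak_key_fraction(samples: int = 4096) -> float:
    """Estimate how often a fresh session key yields the all-zero credential."""
    hits = 0
    for i in range(samples):
        key = hashlib.sha256(b"session-" + str(i).encode()).digest()[:BLOCK]
        hits += key_is_weak_for_zero_iv(key)
    return hits / samples


if __name__ == "__main__":
    weak = find_demo_key(True)
    other = find_demo_key(False)
    print("weak key  ", weak.hex(), "->", encrypt_zero_challenge(weak).hex())
    print("other key ", other.hex(), "->", encrypt_zero_challenge(other).hex())
    print("fraction of keys giving an all-zero credential: %.4f (theory %.4f)"
          % (weak_key_fraction(), 1 / 256))
```

Note that the strength of AES is irrelevant here: the shortcut comes entirely from the mode choice (a static IV that makes the first keystream byte a fixed function of the key) combined with an unauthenticated caller being allowed to retry until a session key happens to be one of the weak 1/256. A fresh random IV per call, or refusing to proceed without the secure channel signing/sealing that the patch enforces, removes the shortcut; a longer key does not.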
Exploit for CVE-2020-1472
CVE-2020-1472 Checker & Exploit Code for CVE-2020-1472 aka Z...
Exploit for Improper Input Validation in Microsoft
PoC exploit for CVE-2020-1350, a remote code execution vulnerability in Windows DNS Server. Achieves Domain Admin on Domain Controllers running Windows Server 2003 up to Windows Server 2019. The script is written in Bash and is designed to be run from a Linux host on a Windows Active Directory...
Exploit for Exposure of Sensitive Information to an Unauthorized Actor in Netwrix Account_Lockout_Examiner
CVE-2020-15931 Netwrix Account Lockout Examiner 4.1 Domai...
Revisiting old tools
Many, many years ago I was onsite and noticed that a company's internal website had been checked out using the Subversion version control system. This Subversion archive contained the site's web.config, which held a set of credentials for SQL Server, which through many steps led to domain...
Honeyroasting. How to detect Kerberoast breaches with honeypots
Introduction: As we know, one of the main issues facing defenders, especially in large environments, is protecting against threat actors after they gain a foothold in the environment. If an attacker lands on a domain-joined PC, the attack surface is massive, and it is vital to detect them as quickl...
Ghost in the shell: Investigating web shell attacks
Recently, an organization in the public sector discovered that one of their internet-facing servers was misconfigured and allowed attackers to upload a web shell, which let the adversaries gain a foothold for further compromise. The organization enlisted the services of Microsoft’s Detection and...
CVE-2020-7984
SolarWinds N-central before 12.1 SP1 HF5 and 12.2 before SP1 HF2 allows remote attackers to retrieve cleartext domain admin credentials from the Agent & Probe settings, and obtain other sensitive information. The attacker can use a customer ID to self-register and read any aspects of the...
Design/Logic Flaw
SolarWinds N-central before 12.1 SP1 HF5 and 12.2 before SP1 HF2 allows remote attackers to retrieve cleartext domain admin credentials from the Agent & Probe settings, and obtain other sensitive information. The attacker can use a customer ID to self-register and read any aspects of the...
Customer Guidance for the Dopplepaymer Ransomware
Microsoft has been investigating recent attacks by malicious actors using the Dopplepaymer ransomware. There is misleading information circulating about Microsoft Teams, along with references to RDP BlueKeep, as ways in which this malware spreads. Our security research teams have investigated and...