Lucene search: 3102 matches found

n0where | added 2017/04/10 4:25 a.m. | 375 views

Windows PowerShell LLMNR/NBNS spoofer: Inveigh

Inveigh is a Windows PowerShell LLMNR/NBNS spoofer designed to assist penetration testers who find themselves limited to a Windows system. This commonly occurs while performing phishing attacks, USB drive attacks, VLAN pivoting, or simply being restricted...

AI score: 0.2 | Exploits: 0 | References: 1
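An LLMNR/NBNS spoofer only gets answers to give when hosts on the segment fall back to multicast name resolution. The following is an added PowerShell example (it is not part of Inveigh or of the n0where page) that audits a Windows host for the two fallbacks Inveigh relies on and, with -Remediate, turns them off. The DNSClient policy key and the Win32_NetworkAdapterConfiguration.SetTcpipNetbios method are standard Windows interfaces; the function name is mine.

```powershell
# Added example: audit (and optionally disable) the name-resolution fallbacks
# that LLMNR/NBNS spoofers such as Inveigh rely on. Run from an elevated
# Windows PowerShell session; the function name is a hypothetical one.
function Test-NameResolutionFallback {
    [CmdletBinding()]
    param([switch]$Remediate)

    # LLMNR is governed by the DNSClient policy key; EnableMulticast = 0 disables it.
    # When the value is absent, Windows treats LLMNR as enabled (the default).
    $llmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    $llmnr = (Get-ItemProperty -Path $llmnrKey -Name EnableMulticast -ErrorAction SilentlyContinue).EnableMulticast
    $llmnrEnabled = ($null -eq $llmnr) -or ($llmnr -ne 0)

    if ($llmnrEnabled -and $Remediate) {
        if (-not (Test-Path $llmnrKey)) { New-Item -Path $llmnrKey -Force | Out-Null }
        Set-ItemProperty -Path $llmnrKey -Name EnableMulticast -Value 0 -Type DWord
        $llmnrEnabled = $false
    }

    # NetBIOS over TCP/IP is configured per adapter.
    # TcpipNetbiosOptions: 0 = use DHCP setting, 1 = enabled, 2 = disabled.
    $adapters = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
    foreach ($a in $adapters) {
        $nbtEnabled = $a.TcpipNetbiosOptions -ne 2
        if ($nbtEnabled -and $Remediate) {
            # Argument 2 disables NetBT on this adapter; 0 = success, 1 = success, reboot required
            $rc = (Invoke-CimMethod -InputObject $a -MethodName SetTcpipNetbios `
                       -Arguments @{ TcpipNetbiosOptions = 2 }).ReturnValue
            if ($rc -in 0, 1) { $nbtEnabled = $false }
        }
        [pscustomobject]@{
            Adapter        = $a.Description
            LLMNREnabled   = $llmnrEnabled
            NetBIOSEnabled = $nbtEnabled
            # Either fallback being on is enough for a spoofer to get traffic
            Exposed        = $llmnrEnabled -or $nbtEnabled
        }
    }
}

Test-NameResolutionFallback | Format-Table -AutoSize
# To switch both fallbacks off on this host:
# Test-NameResolutionFallback -Remediate
```

Note that option 0 ("use DHCP setting") is reported as enabled here on purpose: unless the DHCP server hands out option 001 to disable NetBT, such adapters still answer NBNS queries. In a domain the same two settings are normally pushed by Group Policy rather than set host by host.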
Veeam | added 2017/04/10 12:00 a.m. | 16 views

'Events data collection failure' Issue

Challenge: Veeam ONE raises "Events data collection failure" against a Veeam Backup & Replication or Hyper-V server. Cause: permissions, UAC configuration, and firewall settings need to be configured. Solution (troubleshooting checks): verify that the account used to connect to Veeam Backup & Replication ...

AI score: 6.8 | Exploits: 0 | Affected software: 1
Kitploit | added 2017/04/06 2:12 p.m. | 29 views

Sherlock - Tool to find missing Windows patches for Local Privilege Escalation Vulnerabilities

PowerShell script to quickly find missing Microsoft patches for local privilege escalation vulnerabilities. Currently looks for:
- MS10-015: User Mode to Ring (KiTrap0D)
- MS10-092: Task Scheduler
- MS13-053: NTUserMessageCall Win32k Kernel Pool Overflow
- MS13-081: TrackPopupMenuEx Win32k NULL Page...

AI score: 7.4 | Exploits: 0 | References: 1
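The simplest way to ask a host whether the bulletins above were ever applied is to look them up by KB number in the installed-hotfix list. The following is an added PowerShell example, not Sherlock's own code, that does exactly that and takes an injectable hotfix list so it can be exercised offline. The bulletin-to-KB mapping is taken from my reading of the Microsoft bulletins and should be checked against the bulletin pages before it is relied on; the function name is mine.

```powershell
# Added example: report which of the listed privilege-escalation bulletins have
# no corresponding KB recorded on the host. Function name and the KB mapping are
# assumptions to verify; the data source is Get-HotFix (Win32_QuickFixEngineering).
function Find-MissingLpePatch {
    [CmdletBinding()]
    param(
        # Installed hotfix IDs. Defaults to the live host; pass a list for offline use.
        [string[]]$InstalledHotfix = (Get-HotFix | Select-Object -ExpandProperty HotFixID)
    )

    # Bulletin -> KB mapping (assumed from the bulletins; verify before use)
    $bulletins = @(
        @{ Bulletin = 'MS10-015'; KB = 'KB977165';  Issue = 'User Mode to Ring (KiTrap0D)' }
        @{ Bulletin = 'MS10-092'; KB = 'KB2305420'; Issue = 'Task Scheduler' }
        @{ Bulletin = 'MS13-053'; KB = 'KB2850851'; Issue = 'NTUserMessageCall Win32k kernel pool overflow' }
        @{ Bulletin = 'MS13-081'; KB = 'KB2870008'; Issue = 'TrackPopupMenuEx Win32k NULL page' }
    )

    # Normalise case once so lookups are O(1) and 'kb977165' still matches
    $installed = @{}
    foreach ($id in $InstalledHotfix) { $installed[$id.ToUpperInvariant()] = $true }

    foreach ($b in $bulletins) {
        [pscustomobject]@{
            Bulletin  = $b.Bulletin
            KB        = $b.KB
            Issue     = $b.Issue
            Installed = $installed.ContainsKey($b.KB)
        }
    }
}

# Constructed sample: a host that only ever received the two 2010 fixes.
$sampleHotfixes = 'KB977165', 'kb2305420', 'KB4012212'
Find-MissingLpePatch -InstalledHotfix $sampleHotfixes |
    Where-Object { -not $_.Installed } | Format-Table -AutoSize

# Against the live host:
# Find-MissingLpePatch | Where-Object { -not $_.Installed }
```

Treat a "not installed" result as a lead, not proof: Get-HotFix only lists updates recorded in QFE, so a later cumulative or superseding update that contains the same fix will not appear under the original KB number. That is why Sherlock itself compares the file versions of the affected binaries rather than trusting the hotfix list.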
BDU FSTEC | added 2017/04/06 12:00 a.m. | 3 views

Vulnerability in the Windows operating system that allows an attacker to bypass certificate verification

The vulnerability in Windows PowerShell script handling exists due to insufficient validation of input data. Exploiting this vulnerability allows a local attacker to bypass certificate verification...

CVSS: 2.1 | AI score: 6.2 | EPSS: 0.0121 | Exploits: 1 | References: 3
seebug.org | added 2017/04/04 12:00 a.m. | 117 views

Microsoft Windows PowerShell Security Feature Bypass Vulnerability (CVE-2017-0007)

Over the past few months, I have had the pleasure to work side-by-side with Matt Graeber (@mattifestation) and Casey Smith (@subtee) in their previous job roles, researching Device Guard user mode code integrity (UMCI) bypasses. If you aren't familiar with Device Guard, you can read more about it here:...

CVSS: 2.1 | AI score: 6.5 | EPSS: 0.0121 | Exploits: 1
n0where | added 2017/04/03 4:13 p.m. | 18 views

WMI Based Agentless Post-Exploitation PowerShell RAT: WMImplant

WMImplant is a PowerShell based tool that leverages WMI both to perform actions against targeted machines and as the C2 channel for issuing commands and receiving results. WMImplant will likely require local administrator permissions on the targeted machine. It is designed to run both...

AI score: 0.3 | Exploits: 0 | References: 1
FireEye | added 2017/04/03 8:00 a.m. | 76 views

Dissecting One of APT29’s Fileless WMI and PowerShell Backdoors (POSHSPY)

Mandiant has observed APT29 using a stealthy backdoor that we call POSHSPY. POSHSPY leverages two of the tools the group frequently uses: PowerShell and Windows Management Instrumentation (WMI). In the investigations Mandiant has conducted, it appeared that APT29 deployed POSHSPY as a secondary...

AI score: 0.6 | Exploits: 0
FireEye | added 2017/04/03 8:00 a.m. | 32 views

Dissecting One of APT29’s Fileless WMI and PowerShell Backdoors (POSHSPY)

Mandiant has observed APT29 using a stealthy backdoor that we call POSHSPY. POSHSPY leverages two of the tools the group frequently uses: PowerShell and Windows Management Instrumentation (WMI). In the investigations Mandiant has conducted, it appeared that APT29 deployed POSHSPY as a secondary...

AI score: 7.3 | Exploits: 0
ThreatPost | added 2017/03/30 2:29 p.m. | 8 views

Github Repository Owners Targeted by Data-Stealing Malware

Phishing emails zeroing in on developers who own Github repositories were infecting victims with malware capable of stealing data through keyloggers and modules that would snag screenshots. Researchers at Palo Alto Networks this week said that in mid-January, an unknown number of developers were...

AI score: 7.2 | Exploits: 0 | References: 1
Citrix | added 2017/03/27 12:00 a.m. | 9 views

Can't create the PVS connector - error returned at Test Credentials - "Failed to validate the Domain User and Password."

Configuration settings appeared correct, but reviewing unidesk-pvs-connector.log.json displayed the below: HandlerHelper: 'Application Error while processing 'Command' 'CreatePowerShellSessionCommand'': 'DefaultTitle="", MessageID="PowerShellCreateSession",...

AI score: 7.4 | Exploits: 0
ThreatPost | added 2017/03/23 3:21 p.m. | 182 views

Malware That Targets Both Microsoft, Apple Operating Systems Found

Researchers came across a malicious Word document last week that doesn’t discriminate between OS platforms. The malicious Word document is designed to spread malware on either Mac OS X or Microsoft Windows, depending on where it’s opened. Like many other strains of malware these days, the sample,...

CVSS: 9.3 | AI score: 1.2 | EPSS: 0.94354 | Exploits: 33 | References: 4
FireEye | added 2017/03/23 12:00 p.m. | 27 views

WMImplant – A WMI Based Agentless Post-Exploitation RAT Developed in PowerShell

Just over one year ago (November 2015), I released WMIOps, a PowerShell script that enables a user to carry out different actions via Windows Management Instrumentation (WMI) on the local machine or a remote machine. WMIOps can: start or stop a process; return a list of all running processes; power...

Exploits: 0
FireEye | added 2017/03/23 12:00 p.m. | 87 views

WMImplant – A WMI Based Agentless Post-Exploitation RAT Developed in PowerShell

Just over one year ago (November 2015), I released WMIOps, a PowerShell script that enables a user to carry out different actions via Windows Management Instrumentation (WMI) on the local machine or a remote machine. WMIOps can: start or stop a process; return a list of all running processes; power...

AI score: 7.7 | Exploits: 0
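Both WMImplant (above) and POSHSPY (the FireEye entry earlier in this list) live in WMI rather than on disk, so the durable artefact a defender can look for is the permanent event subscription: a __EventFilter bound to a consumer that launches PowerShell or runs a script. The following is an added PowerShell example, not code from FireEye or from WMImplant, that lists every binding in root\subscription and flags the consumer types and command-line patterns a WMI-resident PowerShell backdoor would leave behind. It uses the Windows PowerShell 5.1 Get-WmiObject cmdlets; the function name and the "suspicious" patterns are mine and are generic PowerShell-launch indicators, not POSHSPY-specific ones.

```powershell
# Added example: enumerate permanent WMI event subscriptions and flag the ones
# that look like a PowerShell/script backdoor. Windows PowerShell 5.1 (Get-WmiObject),
# run with local administrator rights. Function name is a hypothetical one.
function Get-SuspiciousWmiSubscription {
    [CmdletBinding()]
    param([string]$ComputerName = $env:COMPUTERNAME)

    $ns = 'root\subscription'
    $filters   = @(Get-WmiObject -Namespace $ns -Class __EventFilter             -ComputerName $ComputerName)
    $consumers = @(Get-WmiObject -Namespace $ns -Class __EventConsumer           -ComputerName $ComputerName)
    $bindings  = @(Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding -ComputerName $ComputerName)

    # Binding references are strings such as  __EventFilter.Name="BotFilter82"
    function Get-RefName([string]$ref) {
        if ($ref -match 'Name="([^"]+)"') { $Matches[1] } else { $ref }
    }

    # Generic launch indicators (assumed, not POSHSPY-specific): an interpreter,
    # encoded or downloaded code, or in-memory evaluation.
    $indicator = 'powershell|pwsh|cmd\.exe|wscript|cscript|mshta|-enc|FromBase64String|IEX|Invoke-Expression|DownloadString|Net\.WebClient'

    foreach ($b in $bindings) {
        $f = $filters   | Where-Object { $_.Name -eq (Get-RefName $b.Filter) }
        $c = $consumers | Where-Object { $_.Name -eq (Get-RefName $b.Consumer) }

        $payload = switch ($c.__CLASS) {
            'CommandLineEventConsumer'  { $c.CommandLineTemplate }
            'ActiveScriptEventConsumer' { $c.ScriptText }
            default                     { '' }
        }

        # A script consumer is rare in a healthy estate; treat it as suspicious on its own.
        $suspicious = ($c.__CLASS -eq 'ActiveScriptEventConsumer') -or ($payload -match $indicator)

        [pscustomobject]@{
            Filter     = $f.Name
            Query      = $f.Query
            Consumer   = $c.Name
            Type       = $c.__CLASS
            Payload    = $payload
            Suspicious = $suspicious
        }
    }
}

# Review everything first; the filter below shows only the flagged bindings.
Get-SuspiciousWmiSubscription | Where-Object Suspicious | Format-List
```

Expect a few legitimate entries on servers (backup and monitoring agents register subscriptions too), so baseline the full list once and alert on new bindings rather than on the count alone. An implant that executes purely over WMI method calls without registering a subscription will not show up here; for that, the WMI-Activity operational log is the place to look.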
Kitploit | added 2017/03/21 2:30 p.m. | 12 views

Dr0p1t-Framework 1.2 - A Framework That Creates An Advanced FUD Dropper With Some Tricks

Have you ever heard about trojan droppers? In short, a dropper is a type of trojan that downloads other malware, and Dr0p1t gives you the chance to create a dropper that bypasses most AVs and has some tricks. Features: the framework works on Windows and Linux; downloads an executable onto the target system and...

AI score: 7.4 | Exploits: 0 | References: 1
Citrix | added 2017/03/20 12:00 a.m. | 8 views

How to configure PowerShell SDK and execute commands remotely in XenApp/XenDesktop 7.x

To configure the PowerShell SDK to execute PowerShell commands remotely in XenApp/XenDesktop 7.x...

AI score: 7.5 | Exploits: 0
OSV | added 2017/03/17 12:59 a.m. | 3 views

CVE-2017-0007

Device Guard in Microsoft Windows 10 Gold, 1511, 1607, and Windows Server 2016 allows remote attackers to modify PowerShell script without invalidating associated signatures, aka "PowerShell Security Feature Bypass Vulnerability."...

CVSS: 5.5 | AI score: 5.8 | EPSS: 0.0121 | Exploits: 1 | References: 4
Prion | added 2017/03/17 12:59 a.m. | 24 views

Security feature bypass

Device Guard in Microsoft Windows 10 Gold, 1511, 1607, and Windows Server 2016 allows remote attackers to modify PowerShell script without invalidating associated signatures, aka "PowerShell Security Feature Bypass Vulnerability."...

CVSS: 2.1 | AI score: 5.6 | EPSS: 0.0121 | Exploits: 1 | References: 4 | Affected software: 1
NVD | added 2017/03/17 12:59 a.m. | 23 views

CVE-2017-0007

Device Guard in Microsoft Windows 10 Gold, 1511, 1607, and Windows Server 2016 allows remote attackers to modify PowerShell script without invalidating associated signatures, aka "PowerShell Security Feature Bypass Vulnerability."...

CVSS: 5.5 | AI score: 5.7 | EPSS: 0.0121 | Exploits: 1 | References: 4
Cvelist | added 2017/03/17 12:00 a.m. | 31 views

CVE-2017-0007

Device Guard in Microsoft Windows 10 Gold, 1511, 1607, and Windows Server 2016 allows remote attackers to modify PowerShell script without invalidating associated signatures, aka "PowerShell Security Feature Bypass Vulnerability."...

AI score: 5.7 | EPSS: 0.0121 | Exploits: 1 | References: 4
CVE | added 2017/03/17 12:00 a.m. | 99 views

CVE-2017-0007

CVE-2017-0007 is a Device Guard security feature bypass in Windows 10 (Gold/1511/1607) and Windows Server 2016 where sign-checked PowerShell scripts could be modified without breaking the signature, allowing execution of unsigned/malicious code. Root cause: Device Guard’s validation of certain el...

CVSS: 5.5 | AI score: 5.5 | EPSS: 0.0121 | Exploits: 1 | References: 4 | Affected software: 2
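The CVE-2017-0007 entries above all say the same thing: on an unpatched host a signed PowerShell script could be changed without the signature going invalid, so a Valid result from Get-AuthenticodeSignature is not by itself proof that the file is what was signed. The following is an added PowerShell example, not code from any of the sources listed, that records a content-hash and signer baseline for a script directory and later reports scripts whose bytes have drifted while the signature still reports Valid. Function names and the baseline file location are mine.

```powershell
# Added example: signature status alone vs. signature plus content-hash baseline.
# Function names and paths are hypothetical; cmdlets are standard Windows PowerShell.
function New-ScriptBaseline {
    [CmdletBinding()]
    param([string]$Path, [string]$BaselineFile)

    Get-ChildItem -Path $Path -Filter *.ps1 -Recurse -File | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path      = $_.FullName
            SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            SigStatus = $sig.Status
            # Null for unsigned files; stored so a re-sign by a different key is visible later
            Signer    = $sig.SignerCertificate.Thumbprint
        }
    } | Export-Csv -Path $BaselineFile -NoTypeInformation
}

function Test-ScriptBaseline {
    [CmdletBinding()]
    param([string]$BaselineFile)

    foreach ($entry in Import-Csv -Path $BaselineFile) {
        if (-not (Test-Path -Path $entry.Path)) {
            [pscustomobject]@{ Path = $entry.Path; SigStatus = 'Missing'; ContentChanged = $true; SignerChanged = $false; ChangedButValid = $false }
            continue
        }
        $sig  = Get-AuthenticodeSignature -FilePath $entry.Path
        $hash = (Get-FileHash -Path $entry.Path -Algorithm SHA256).Hash
        $contentChanged = $hash -ne $entry.SHA256

        [pscustomobject]@{
            Path            = $entry.Path
            SigStatus       = $sig.Status          # Valid / NotSigned / HashMismatch / UnknownError ...
            ContentChanged  = $contentChanged
            SignerChanged   = ($sig.SignerCertificate.Thumbprint -ne $entry.Signer)
            # Bytes differ from the baseline yet the signature still says Valid:
            # this is the condition the CVE describes, and also what a legitimate
            # edit-and-re-sign looks like, so it needs review rather than an auto-block.
            ChangedButValid = $contentChanged -and ($sig.Status -eq 'Valid')
        }
    }
}

# Usage (paths are placeholders):
# New-ScriptBaseline  -Path 'C:\Scripts' -BaselineFile 'C:\ProgramData\script-baseline.csv'
# Test-ScriptBaseline -BaselineFile 'C:\ProgramData\script-baseline.csv' |
#     Where-Object { $_.ContentChanged -or $_.SigStatus -ne 'Valid' } | Format-Table -AutoSize
```

A controlled update that is re-signed with the same certificate trips ChangedButValid too, so refresh the baseline as part of the release step; a hit with SignerChanged set, or one outside a known change window, is the case worth escalating. None of this replaces the fix: the patched PowerShell build verifies the signature correctly, and this check only narrows the window on hosts that have not received it.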