Showing Articles About
windows
-
Riccardo Ancarani - 2 Feb 2023
Detecting OneNote Abuse
OneNote file formats present multiple attack vectors for threat actors to embed malicious attachments with minimal user interaction. The article explores various abuse techniques including executable attachments, living-off-the-land binaries, and right-to-left override spoofing. Detection strategies involve monitoring OneNote process operations, tracking file write events, and analyzing parent-child process relationships.
-
Tomas Rzepka - 28 Nov 2022
Looting Microsoft Configuration Manager
CMLoot is a PowerShell tool designed to extract and analyze files from Microsoft Configuration Manager network shares. The tool automates exploration of content libraries, helping security professionals discover potentially sensitive information like credentials, certificates, and configuration details. By examining Distribution Points and Content Library structures, CMLoot enables systematic file inventory and selective downloading of interesting files.
- Riccardo Ancarani
- 4 May 2022
Scheduled Task Tampering
This article explores techniques for manipulating Windows scheduled tasks through direct registry modifications. Multiple methods were demonstrated to create and modify tasks without generating standard Task Scheduler logging and event records. The techniques include registry manipulation and Event Tracing for Windows (ETW) tampering, which can be used to establish persistence or execute malicious actions while evading detection.
- Tim Carrington
- 3 Aug 2021
Playing with PuTTY
This article explores techniques for manipulating PuTTY's source code and session sharing mechanism to capture credentials and execute remote commands. Multiple methods are demonstrated for backdooring PuTTY, including capturing user commands, stealing authentication details, and hijacking SSH sessions through named pipe communications. The techniques provide creative approaches for bypassing security controls during adversarial simulations without traditional keylogging methods.
- Alfie Champion Riccardo Ancarani
- 7 Apr 2021
Attack Detection Fundamentals 2021: Windows - Lab #1
This article details a cybersecurity workshop demonstrating advanced Windows endpoint attack techniques for initial access. An HTA-based attack method was developed that drops a DLL and uses registration-free COM activation to execute a malicious payload. The payload involves shellcode injection, AMSI bypassing, and process injection techniques targeting Windows endpoints.
- Alfie Champion Riccardo Ancarani
- 7 Apr 2021
Attack Detection Fundamentals 2021: Windows - Lab #2
This article explores advanced defense evasion techniques in Windows cybersecurity, focusing on API unhooking and ETW bypassing. The lab demonstrates methods attackers can use to minimize their detection footprint during endpoint attacks, such as removing API hooks and disabling event tracing. Techniques include intercepting API calls, unhooking ntdll.dll, and manipulating .NET runtime event tracing to avoid security monitoring.
- Alfie Champion Riccardo Ancarani
- 7 Apr 2021
Attack Detection Fundamentals 2021: Windows - Lab #3
This article explores API hooking techniques for stealing RDP credentials during Windows authentication. The lab demonstrates how API hooks can intercept plaintext login information when users connect to remote desktop sessions. Multiple methods are presented, including using Frida and RdpThief, to extract credentials from the RDP client process.
- Alfie Champion Riccardo Ancarani
- 7 Apr 2021
Attack Detection Fundamentals 2021: Windows - Lab #4
This article demonstrates a technique for stealing browser cookies and saved passwords from a Windows endpoint using Chlonium. The attack involves extracting Chrome's encryption keys and cookie databases to hijack web sessions. System Access Control Lists (SACLs) are explored as a method for detecting and logging sensitive file access during such attacks.
- Henri Nurmi
- 21 Dec 2020
Sniff, there leaks my BitLocker key
A low-cost method was demonstrated to extract BitLocker encryption keys by sniffing the SPI bus of a Trusted Platform Module (TPM). The attack requires brief physical access to a target machine and can be performed using publicly available tools. By capturing TPM communication, the Volume Master Key can be retrieved and used to decrypt a BitLocker-protected drive.
- Alfie Champion James Coote
- 2 Nov 2020
Using and detecting C2 printer pivoting
A novel Command & Control (C2) technique using printer infrastructure for covert communication is explored in this article. The method involves placing print jobs in a paused state and using document names for data transfer. Multiple detection opportunities are detailed across endpoints, networks, and print servers to identify this stealthy communication method.
- James Coote
- 6 Oct 2020
Introducing LDAP C2 for C3
A new Command & Control (C2) channel for C3 has been introduced using LDAP for covert communication within networks. The technique enables lateral movement by leveraging user attributes with minimal account compromise. A quick start guide is provided to help deploy LDAP-based C2 channels in network environments.
- Alfie Champion
- 15 Jul 2020
Attack Detection Fundamentals: C2 and Exfiltration - Lab #1
This article demonstrates detection techniques for PowerShell Empire's Command and Control (C2) traffic. Network indicators like default URIs, user agents, and server responses are analyzed to identify potential malicious communication patterns. A Snort rule is developed to detect these specific network traffic characteristics associated with PowerShell Empire.
- Alfie Champion Jordan LaRose
- 15 Jul 2020
Attack Detection Fundamentals: C2 and Exfiltration - Lab #2
This article demonstrates techniques for detecting DNS Command and Control (C2) channels using the dnscat2 tool. Detection strategies include analyzing DNS traffic for unique strings like "dnscat", unusual request sizes, and uncommon DNS record types. Practical Snort rule examples are provided to identify potential DNS-based exfiltration and C2 communication.
- Alfie Champion
- 15 Jul 2020
Attack Detection Fundamentals: C2 and Exfiltration - Lab #3
This article explores using Dropbox as a command and control (C2) channel for malware communication. Detection strategies are discussed using Windows ETW and Sysmon telemetry, focusing on identifying suspicious network behaviors like anomalous DNS queries and API endpoint interactions. Key detection opportunities include monitoring beaconing patterns and unusual web requests to Dropbox API endpoints.
- Alfie Champion
- 8 Jul 2020
Attack Detection Fundamentals: Discovery and Lateral Movement - Lab #1
This article explores attack detection techniques for discovering valuable users in an Active Directory environment. It demonstrates methods for identifying kerberoastable and AS-REP roastable users through LDAP queries using tools like Rubeus and SharpSploit. Event Tracing for Windows (ETW) logging is used to capture and analyze reconnaissance activities in a cybersecurity lab setting.
- Alfie Champion
- 8 Jul 2020
Attack Detection Fundamentals: Discovery and Lateral Movement - Lab #2
This article explores techniques for detecting file share enumeration and lateral movement in Windows environments. The lab demonstrates how to use Event Tracing for Windows (ETW) and Windows Event Logs to identify suspicious LDAP queries and file share access patterns. Specific focus is placed on using SharpShares to discover exposed file shares and detect potential security risks, including analysis of Group Policy Preference files.
- Alfie Champion
- 8 Jul 2020
Attack Detection Fundamentals: Discovery and Lateral Movement - Lab #3
This article explores lateral movement techniques using C3 and Covenant to pivot through file shares in a Windows environment. The lab demonstrates detection strategies by analyzing file share access logs and Event Tracing for Windows (ETW) events to identify suspicious .NET module loading and communication patterns. Key detection techniques include monitoring file share object access logs and tracking anomalous CLR module loading in processes.
- Alfie Champion
- 8 Jul 2020
Attack Detection Fundamentals: Discovery and Lateral Movement - Lab #4
This article explores lateral movement techniques using PsExec in Windows environments. It details detection strategies for identifying suspicious remote execution activities through Windows event logs and Sysmon telemetry. Key detection opportunities include monitoring service creation events, process creation logs, and named pipe interactions during remote command execution.
- Alfie Champion
- 8 Jul 2020
Attack Detection Fundamentals: Discovery and Lateral Movement - Lab #5
This article explores lateral movement techniques using Windows Management Instrumentation (WMI) in cybersecurity attack detection. The lab demonstrates detection strategies for both native WMIC commands and Impacket's wmiexec tool. Key detection opportunities include analyzing process creation events, network traffic patterns, and examining parent-child process relationships during WMI-based lateral movement attacks.
- 3 Jul 2020
Attack Detection Fundamentals: Code Execution and Persistence - Lab #1
This article details a cybersecurity lab simulating the Astaroth malware attack chain using Living-off-the-Land (LOLBins) techniques. The lab demonstrates how attackers can exploit Windows utilities like BITSAdmin and ExtExport.exe, along with Alternate Data Streams, to stealthily download and execute malware. Multiple detection strategies are explored, including Sigma rules, event log analysis, and tools like Sysmon for identifying these sophisticated attack methods.
- 3 Jul 2020
Attack Detection Fundamentals: Code Execution and Persistence - Lab #2
This article explores persistence techniques used by attackers in Windows environments. Two primary methods are demonstrated: adding files to the Startup folder and modifying Windows Registry Run Keys. The guide provides technical insights into malware persistence strategies and detection approaches for cybersecurity professionals.
- Riccardo Ancarani
- 24 Jun 2020
Attack Detection Fundamentals: Initial Access - Lab #1
This article demonstrates a technique for establishing initial access in a target environment using malicious Office macros. The lab walkthrough covers creating a PowerShell-based command and control payload embedded in a macro document. Detection strategies are explored through parent-child process analysis and Sysmon event log examination, with a focus on identifying anomalous process spawning from Office applications.
- Riccardo Ancarani
- 24 Jun 2020
Attack Detection Fundamentals: Initial Access - Lab #2
This article explores attack detection techniques for initial access using the Koadic post-exploitation framework deployed via an HTA file. The lab focuses on identifying suspicious process and network connection relationships using Sysmon event logs. Key objectives include detecting anomalous binaries and network connections as potential indicators of compromise.
- Riccardo Ancarani
- 24 Jun 2020
Attack Detection Fundamentals: Initial Access - Lab #3
This article details a multi-stage initial access attack technique used by the Cobalt Kitty group involving a malicious Word macro. The attack creates a scheduled task to execute an obfuscated PowerShell payload that ultimately injects a Cobalt Strike beacon into memory. The walkthrough explores detailed steps of crafting a beacon delivery mechanism while highlighting potential detection strategies.
- Riccardo Ancarani
- 24 Jun 2020
Attack Detection Fundamentals: Initial Access - Lab #4
This article demonstrates creating a malicious Excel 4.0 Macro with Metasploit shellcode to obtain remote access on a Windows system. The lab walks through generating a Meterpreter payload, setting up a Metasploit listener, and executing the malicious macro. Memory forensics techniques using Volatility are explored to analyze the compromised host and detect stealthy code injection methods.
- 15 May 2020
Internet Exploiter: Understanding vulnerabilities in Internet Explorer
This article provides a deep technical analysis of CVE-2020-0674, a use-after-free vulnerability in Internet Explorer's legacy JScript engine. The analysis explores the internal mechanics of the JScript interpreter, garbage collection process, and demonstrates complex exploitation techniques to bypass security mitigations. The research reveals how an attacker could potentially execute arbitrary code by manipulating memory management in the legacy JavaScript engine.
- 1 May 2020
Bypassing Windows Defender Runtime Scanning
This article details techniques for bypassing Windows Defender's runtime memory scanning by exploiting memory permission limitations. A method was developed using PAGE_NOACCESS memory permissions to prevent detection during suspicious API calls. A custom Metasploit extension called Ninjasploit was created to implement these bypass techniques.
- Robert Bearsby Timo Hirvonen
- 14 Feb 2020
Rethinking Credential Theft
Physmem2profit is a novel red team tool for credential theft that bypasses traditional LSASS process monitoring. The tool allows remote extraction of credential material by exposing and analyzing physical memory without directly interacting with the LSASS process. It provides an alternative approach to credential theft by leveraging memory forensics techniques on Windows systems.
- 6 Nov 2019
OU having a laugh?
A novel attack technique exploits Group Policy Object (GPO) processing in Active Directory by manipulating the gpLink attribute. An attacker with OU modification rights can redirect GPO resolution to a rogue domain controller, potentially compromising computers and users within that OU. The attack leverages default Active Directory configurations and can be executed with minimal domain user permissions.
- Tim Carrington
- 22 Feb 2019
AutoCAD - Designing a Kill Chain
A detailed analysis of potential cybersecurity vulnerabilities in AutoCAD reveals multiple attack vectors across the cyber kill chain. The research demonstrates how malicious actors can exploit AutoCAD's features like ActionMacros, AutoLisp scripts, and remote text functionality to gain code execution, establish persistence, and perform lateral movement. Multiple attack techniques were identified that could potentially compromise users in high-value industries through targeted AutoCAD-specific exploitation methods.
- 15 Feb 2019
Ventures into Hyper-V - Fuzzing hypercalls
A technical investigation explored fuzzing Hyper-V hypercalls using a custom kernel driver called Virdian Fuzzer (VIFU). The research systematically tested both documented and undocumented hypercalls in Microsoft's virtualization platform. The project involved complex technical analysis of hypercall mechanisms, address translation, and potential vulnerabilities in the Hyper-V architecture.
- 31 Oct 2018
Undisable Restricted Admin
Restricted Admin mode is a Windows feature that prevents credential caching during RDP sessions by using network logons instead of interactive logons. The mode offers protection against lateral movement in network environments, though it introduces a minor pass-the-hash attack vector. Organizations can enable this control by modifying registry settings and group policy to enhance network security.
- William Burgess
- 18 Jul 2018
Bypassing Memory Scanners with Cobalt Strike and Gargoyle
A novel technique for bypassing memory scanners using the Gargoyle method with Cobalt Strike is demonstrated. The approach involves periodically staging and removing a beacon payload from memory to evade detection by endpoint security solutions. By moving in and out of executable memory at timed intervals, the technique aims to avoid traditional memory scanning techniques.
- 11 Jul 2018
Passing-the-Hash to NTLM Authenticated Web Applications
This article details a Pass-the-Hash (PtH) attack technique against web applications using Windows NTLM authentication. The attack allows impersonation of domain users by injecting a user's NT hash to authenticate to web applications without knowing the actual password. A practical demonstration is provided using an Exchange 2013 server and Mimikatz to execute the attack.
- Jon Cave William Knowles
- 30 Jan 2018
Enumerating remote access policies through GPO
This article details techniques for enumerating remote access policies in Windows environments through Group Policy Objects. It explores how User Account Control (UAC) and User Rights Assignment (URA) settings impact remote authentication and lateral movement opportunities. PowerView extensions were introduced to help map computer objects with specific remote authentication configurations.
- 7 Jul 2017
Using Windows File Auditing to Detect Honeyfile Access
Windows file auditing offers a covert method for detecting unauthorized access to sensitive files on network shares. By configuring native Windows audit policies, detailed logs can be generated when interactions occur with specific "honeyfiles". This technique provides a low-noise, high-fidelity approach to monitoring potential security breaches on file systems.
- William Knowles
- 16 May 2017
DLL Tricks with VBA to Improve Offensive Macro Capability
This article explores advanced VBA macro techniques for bypassing security controls using DLLs. Two key techniques are presented: executing remote COM scriptlets without regsvr32 and storing malicious DLLs as seemingly legitimate Office files. These methods enable attackers to execute payloads while evading traditional security detection mechanisms.
- William Knowles
- 21 Apr 2017
Add-In Opportunities for Office Persistence
This article explores multiple techniques for gaining persistence through Microsoft Office add-ins. Multiple methods are examined, including WLL, XLL, VBA, COM, Automation, VBE, and VSTO add-ins that can execute code when Office applications start. Each add-in type offers unique mechanisms for potential code execution with different technical advantages and limitations.
- 10 Mar 2017
A Window into Ring0
Sam Brown's presentation explores Windows kernel mode attack surfaces and vulnerabilities in modern systems. The talk covers techniques for finding bugs in kernel mode code and common exploitation methods for gaining system-level access. Brown discusses the increasing trend of attackers targeting kernel mode to bypass user account restrictions and sandboxing.
- 27 Jan 2017
A Tale Of Bitmaps: Leaking GDI Objects Post Windows 10 Anniversary Edition
A novel technique for leaking kernel bitmap object addresses in Windows post-Anniversary Edition is detailed. The method exploits memory reuse in the kernel's paged pool by leveraging accelerator tables and bitmap object allocation. This approach provides a way to retrieve kernel object addresses after previous information leak protections were implemented.
- Ben Campbell
- 3 Jan 2017
Trust? Years to earn, seconds to break
An Active Directory security vulnerability involves the TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION (T2A4D) User-Account-Control flag. The vulnerability can allow attackers to exploit Kerberos protocol extensions and potentially compromise domain controllers through dangerous authentication delegation attacks. Mitigation strategies include carefully managing account delegation settings and protecting sensitive user accounts.
- 29 Nov 2016
Hello MS08-067, My Old Friend
A proof-of-concept exploit was developed for the MS08-067 vulnerability targeting 64-bit Windows Server 2003 x64 SP0. The work addressed the lack of publicly available exploits for 64-bit systems vulnerable to this critical remote code execution flaw. The article provides insights into the challenges of 64-bit exploit development without introducing new exploit techniques.
- Yong Chuan Koh
- 12 Oct 2016
Fuzzing the Windows kernel
A presentation by Yong Chuan Koh at HITB GSEC 2016 introduced a Python-based fuzzing framework for testing Windows kernel security. The framework is designed to be scalable and extensible for comprehensive kernel vulnerability detection. Presentation slides are available for download from the original source.
- Nils
- 12 Oct 2016
Windows Kernel Fuzzing
A distributed fuzzing technique was developed to target the Windows kernel and identify critical vulnerabilities. The approach focused on generating high-quality test cases to detect potential privilege escalation and sandbox breakout exploits. The fuzzing method scaled across hundreds of CPU cores to systematically assess the kernel's attack surface.
- David Chismon
- 7 Oct 2016
Accessing Internal Fileshares through Exchange ActiveSync
Exchange ActiveSync (EAS) can be exploited to access internal Windows file shares using only user mailbox credentials. The vulnerability was confirmed in Exchange 2013 and 2016 with near-default configurations. Attackers can list file share contents and download files by using specific EAS commands, potentially bypassing traditional access controls.
- Dave Hartley Luke Roberts
- 2 Sep 2016
Malicious Outlook Rules
XRulez is a tool that enables programmatic creation of malicious Outlook rules by injecting rules directly into Exchange servers. The tool allows attackers to create persistent remote code execution mechanisms via email triggers without requiring direct credential access. By exploiting MAPI sessions, malicious rules can be set up to execute payloads when specific email conditions are met.
- James Loureiro Georgi Geshev
- 15 Aug 2016
Platform Agnostic Kernel Fuzzing
Platform agnostic kernel fuzzing research developed a method for systematically testing system and library calls across Windows and POSIX kernels. The approach focused on effectively logging crashes, reproducing vulnerabilities, and scaling fuzzing across multiple virtual machines. The research provided a framework for identifying kernel-level bugs through comprehensive and methodical testing.
- 19 Apr 2016
Heap tracing with WinDbg and Python
This article demonstrates how to use Python and PyKd to create WinDbg scripts for heap tracing in Windows. The script hooks memory allocation functions like RtlAllocateHeap and RtlFreeHeap to log heap operations. The technique allows visualization of memory allocation patterns and can support exploit development by providing insights into heap behavior.
- Stuart Morgan
- 15 Apr 2016
Masquerading as a Windows System Binary Using Digital Signatures
This article demonstrates a technique for creating fake digital certificates that mimic Microsoft's code signing certificates. By generating certificates that look like they are from Microsoft and installing a custom root CA, malicious Windows binaries can be signed to appear legitimate. The method allows attackers to create executables that blend in with system processes and potentially evade initial detection.
- 5 Apr 2016
Windows Kernel Exploitation 101: Exploiting CVE-2014-4113
This article provides a detailed walkthrough of exploiting CVE-2014-4113, a Windows kernel vulnerability. The guide demonstrates the process of creating an exploit for Windows 7 SP1 32-bit by analyzing an original Anti-Virus vendor report. The goal is to make kernel exploitation more accessible to cybersecurity researchers.
- Stuart Morgan
- 1 Apr 2016
Persistence Architecture Matters
This article explores the Windows-on-Windows (WOW) redirection layer in 64-bit Windows systems. It explains how filesystem and registry paths are dynamically remapped depending on the process architecture. The technical explanation reveals how 32-bit and 64-bit processes interact with system directories and registry keys differently.
- Stuart Morgan
- 16 Mar 2016
When LanMan history reveals the present and future, but might just be lying to you
Windows password history hashes may contain seemingly random data even when LanMan hash storage is disabled. Analysis of these historical hashes can reveal password patterns and potentially help guess current user credentials during security assessments. Password history examination demonstrates how users often create predictable password sequences despite technical controls.
- Stuart Morgan
- 30 Sep 2015
Active Directory: Users in Nested Groups Reconnaissance
The article discusses a technique for efficiently discovering users in nested Active Directory groups using the LDAP_MATCHING_RULE_IN_CHAIN OID. New Metasploit commands were introduced to perform comprehensive Active Directory user and group reconnaissance, allowing identification of users in complex nested group structures. The method enables penetration testers to quickly identify users with administrative privileges across nested group hierarchies.
- Luke Jennings
- 2 Apr 2015
How to own any Windows network with group policy hijacking attacks
Group policy hijacking attacks can compromise Windows networks by intercepting and manipulating group policy traffic. The attacks exploit vulnerabilities in SMB signing and Kerberos authentication to gain SYSTEM-level access on domain-joined systems. Multiple attack vectors allow attackers to modify group policy settings and execute arbitrary code on target networks.
- Luke Jennings
- 13 Feb 2015
Practically Exploiting MS15-014 and MS15-011
The article details two Microsoft vulnerabilities (MS15-011 and MS15-014) that enable remote code execution on domain-joined Windows systems. These vulnerabilities can be exploited through a two-stage attack method to gain SYSTEM-level access by manipulating group policy and SMB signing configurations. A video demonstration shows how these vulnerabilities can be chained together to compromise hardened domain environments.
- Ben Campbell Jon Cave
- 16 Dec 2014
Digging into MS14-068, Exploitation and Defence
MS14-068 is a critical Windows vulnerability in Kerberos authentication that allows any authenticated domain user to forge a Privilege Attribute Certificate (PAC) and escalate privileges to domain administrator. The vulnerability enables an attacker to manipulate PAC signatures and bypass authentication controls on domain controllers running Windows 2008 and earlier. Exploitation requires only a standard domain user account and can be performed using tools like PyKEK and Impacket.
- Kostas Lintovois
- 31 Oct 2014
Windows Services - All roads lead to SYSTEM
This whitepaper examines security vulnerabilities in Windows services, focusing on configuration-related flaws that can lead to privilege escalation. It explores six key service areas where misconfigurations can provide attackers opportunities to execute arbitrary code with elevated system privileges. The document provides insights into assessing and remediating potential security risks in Windows service configurations.
- 15 Aug 2014
Windows 8 Kernel Memory Protections Bypass
A technique for bypassing Windows 8 kernel memory protections like SMEP and DEP is demonstrated by manipulating paging structures. The method allows modification of memory page flags to enable user-mode code execution in kernel-mode. By targeting isolated paging structures, an attacker can corrupt page table entries to circumvent kernel memory safeguards on 64-bit Windows systems.
- Nils Jon Butler
- 6 Sep 2013
MWR Labs Pwn2Own 2013 Write-up - Kernel Exploit
A kernel pool overflow vulnerability in Windows 7's Win32k system was demonstrated at Pwn2Own 2013. The exploit involved manipulating message buffer allocations to corrupt kernel memory structures. By carefully controlling message handling and window object properties, kernel-mode code execution was achieved, enabling a sandbox escape in Google Chrome.
- Jon Butler Nils
- 6 Sep 2013
Polishing Chrome for Fun and Profit (NSC)
A presentation at the Nordic Security Conference detailed a full sandbox escape vulnerability in Google Chrome. The vulnerability was successfully exploited at the Pwn2Own 2013 hacking competition. Technical details of compromising Chrome's security mechanisms were demonstrated by MWR's Nils and Jon.
- Luke Jennings
- 18 Jul 2012
Incognito v2.0 Released
Incognito v2.0 is a Windows security tool for token enumeration and manipulation. The new version introduces multi-host input, multi-threading, grepable output, quiet mode, and improved handling of administrative privileges. Key improvements include better API compatibility, enhanced token discovery across multiple systems, and more flexible output options for security professionals.
- 12 Dec 2011
Tell Us Your Incognito Ideas and Win One of 5 Lego Ninjas
Incognito, a tool for exploiting Windows access tokens launched in 2007, seeks community input on potential improvements. The project aims to enhance the tool's effectiveness by gathering feature suggestions from the information security community. As an incentive, five Lego Ninjas will be awarded to the best feature ideas submitted.
- Luke Jennings
- 16 Apr 2008
Security Implications of Windows Access Tokens
A whitepaper by Luke Jennings explores the security implications of Windows access tokens in enterprise environments. The document details how access token design can be exploited during penetration testing, highlighting systemic vulnerabilities in corporate security controls. The paper discusses the technical mechanisms of Windows access tokens and provides insights into potential post-exploitation techniques.
- Rafael Dominguez Vega
- 26 Oct 2007
FIST 2007 - Inspect a Gadget
A presentation by Rafael Dominguez Vega explores security vulnerabilities in Windows Vista Sidebar Gadgets. The research investigates potential attack vectors targeting these gadgets. Best practice recommendations are provided for mitigating security risks associated with sidebar gadget implementations.
- Rafael Dominguez Vega
- 27 Sep 2007
Considerations for the Secure Rollout of Sidebar Gadgets on Windows Vista
This white paper analyzes the security implications of Windows Vista's Sidebar Gadgets feature. It explores potential attack vectors and risks associated with the new technology. The document provides recommendations for a secure implementation of Sidebar Gadgets.
| Name | Description | Stars | Link |
|---|---|---|---|
| physmem2profit | Physmem2profit can be used to create a minidump of a target hosts' LSASS process by analysing physical memory remotely | 402 | GitHub |