0xthem.blogspot.com
Incursus Absconditus: Temporal Persistence with bitsadmin and schtasks
http://0xthem.blogspot.com/2014/03/t-emporal-persistence-with-and-schtasks.html
Saturday, March 8, 2014. Temporal Persistence with bitsadmin and schtasks. Leaving a Key Under the Mat. On a recent engagement, I ran into a well-meaning individual who, after being briefed about our team's access to their network, decided to reboot compromised hosts and change user credentials in the middle of the testing. After losing multiple shells that weren't actually being detected, I decided to spend that evening after work creating a method to let myself back in. Remotely Mutable C2 Addressing.
0xthem.blogspot.com
Incursus Absconditus: October 2014
http://0xthem.blogspot.com/2014_10_01_archive.html
Tuesday, October 14, 2014. Self-removing PE's with Remote Thread Injection. There has been a great deal of sharing of client side techniques of late, so I thought I'd toss out a tip. A means to have a PE executable terminate and delete itself while running on a modern Windows system. The technique we will use is not new, but is one I discovered independently while tinkering with thread injection techniques a few years back. Since many people are familiar with the CreateThread. As many people are using Py...
0xthem.blogspot.com
Incursus Absconditus: Hijacking SSH to Inject Port Forwards
http://0xthem.blogspot.com/2015/03/hijacking-ssh-to-inject-port-forwards.html
Friday, March 13, 2015. Hijacking SSH to Inject Port Forwards. During red team post exploitation I sometimes run into jump boxes leading to test environments, production servers, DMZs, or other organizational branches. As these systems are designed to act as couriers of outbound traffic, hijacking SSH sessions belonging to other users can be useful. So what do you do when you have full control over a jump box and want to leverage another user's outbound SSH access to tunnel into another segment? OpenSSH ...
0xthem.blogspot.com
Incursus Absconditus: Getting Busy at the Command Line
http://0xthem.blogspot.com/2014/08/getting-busy-at-command-line.html
Friday, August 1, 2014. Getting Busy at the Command Line. We all can get a little lazy relying on the frameworks that have arisen due to the monetization of offensive skills. In light of this, I wanted to make a short post to inspire people to explore what can still be done by rubbing two sticks together in a shell. The command line. Use it more, and harder. A simple reverse shell using fifos and openssl s_client. There's a great deal you can do with this tool; take a look at the server options. mkdir -p...
0xthem.blogspot.com
Incursus Absconditus: Late Night Privilege Escalation (keepUP)
http://0xthem.blogspot.com/2014/06/late-night-privilege-escalation-keepup.html
Friday, June 6, 2014. Late Night Privilege Escalation (keepUP). Local Interprocess Command Sockets. How this came to be: A few weekends ago I was working through exercises from the folks at Offensive Security when the VPN connection died. ifconfig told me that the tap interface was down; out of habit I fired off netstat to see what other connections were established, and something strange stood out. There was a root-owned process listening in the Registered Ports. Digging deeper with lsof, ... Just how fe...