Dancing with PEB: Change CommandLine

- 2 mins read
I am taking the Sektor7 Intermediate Malware Development training and, as an exercise, I decided to create a toy project which will go through all active processes and change their CommandLine parameter. First of all, let's have a look at the PEB structure of the notepad.exe process. Here we are mapping the _PEB structure fields to the actual PEB structure in memory: dt _PEB @$peb. One of the structure fields is ProcessParameters. ProcessParameters is of type _RTL_USER_PROCESS_PARAMETERS and, for our interests, we want its CommandLine field.

Backdoor AdminSDHolder

- 3 mins read
In a red team operation, when we gain Domain Admin privileges we want to make sure we will keep access to the environment even if system administrators or blue teamers notice it. In an Active Directory environment the number of TTPs (Tactics, Techniques, Procedures) for persistence is huge. One common way to persist is to use the AdminSDHolder container, which lives in the System container. Every 60 minutes the SDPropagator in AD will overwrite the ACL of the protected groups with the AdminSDHolder ACL.

HTB Prolab: Offshore

- 5 mins read
Introduction
At the beginning, HackTheBox was a platform known just for single-box exercises, but it has evolved a lot and become one of the best platforms for honing your cyber security skills and tradecraft. One of the best features of this platform is its prolabs: Dante, Offshore, RastaLabs, Cybernetics, APTLabs. Prolabs are huge labs composed of several domains and forests, spanning different subnets, and each of them varies in difficulty and size.

DPAPI Decryption

- 3 mins read
Introduction
DPAPI stands for Data Protection API. It was introduced by Microsoft in Windows 2000 and has since been used heavily by Windows, even if you aren't aware of it. Simply put, DPAPI lets you encrypt/decrypt data. You don't need to worry about encryption keys at all. DPAPI has 2 simple APIs: CryptProtectData() and CryptUnprotectData(). As you might have already guessed: for encryption you use CryptProtectData(), for decryption you use CryptUnprotectData().

CRTP Review

- 5 mins read
Introduction
Before starting HackTheBox Offshore I needed some background on attacking Active Directory environments. I had had some sysadmin experience in AD, and it was time to go through a penetration testing course focused on Active Directory. I had already heard about the PentesterAcademy training course (Attacking and Defending Active Directory), didn't spend much time searching back then, and immediately purchased this course, which is the training course accompanying the CRTP examination.