mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-18 18:36:10 +00:00
WDAC Policy Removal + SSRF domains
parent
f85f2cb4c6
commit
b8c803717a
@ -4414,3 +4414,4 @@ CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae
|
|||||||
* [S4U2self abuse - TheHackerRecipes](https://www.thehacker.recipes/ad/movement/kerberos/delegations/s4u2self-abuse)
|
* [S4U2self abuse - TheHackerRecipes](https://www.thehacker.recipes/ad/movement/kerberos/delegations/s4u2self-abuse)
|
||||||
* [Abusing Kerberos S4U2self for local privilege escalation - cfalta](https://cyberstoph.org/posts/2021/06/abusing-kerberos-s4u2self-for-local-privilege-escalation/)
|
* [Abusing Kerberos S4U2self for local privilege escalation - cfalta](https://cyberstoph.org/posts/2021/06/abusing-kerberos-s4u2self-for-local-privilege-escalation/)
|
||||||
* [External Trusts Are Evil - 14 March 2023 - Charlie Clark (@exploitph)](https://exploit.ph/external-trusts-are-evil.html)
|
* [External Trusts Are Evil - 14 March 2023 - Charlie Clark (@exploitph)](https://exploit.ph/external-trusts-are-evil.html)
|
||||||
|
* [Certificates and Pwnage and Patches, Oh My! - Will Schroeder - Nov 9, 2022](https://posts.specterops.io/certificates-and-pwnage-and-patches-oh-my-8ae0f4304c1d)
|
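Review bot: The added reference on the last line of this hunk lists author before date (`- Will Schroeder - Nov 9, 2022`), while the entry directly above it uses date before author and a day-month-year date (`- 14 March 2023 - Charlie Clark (@exploitph)`). Suggest reordering the new entry to `Certificates and Pwnage and Patches, Oh My! - 9 November 2022 - Will Schroeder` so the list stays uniform.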
@ -307,7 +307,10 @@ Also known as `WDAC/UMCI/Device Guard`.
|
|||||||
DeviceGuardCodeIntegrityPolicyEnforcementStatus : EnforcementMode
|
DeviceGuardCodeIntegrityPolicyEnforcementStatus : EnforcementMode
|
||||||
DeviceGuardUserModeCodeIntegrityPolicyEnforcementStatus : EnforcementMode
|
DeviceGuardUserModeCodeIntegrityPolicyEnforcementStatus : EnforcementMode
|
||||||
```
|
```
|
||||||
|
* Remove WDAC policies using CiTool.exe (Windows 11 2022 Update)
|
||||||
|
```ps1
|
||||||
|
$ CiTool.exe -rp "{PolicyId GUID}" -json
|
||||||
|
```
|
||||||
* Device Guard policy location: `C:\Windows\System32\CodeIntegrity\CiPolicies\Active\{PolicyId GUID}.cip`
|
* Device Guard policy location: `C:\Windows\System32\CodeIntegrity\CiPolicies\Active\{PolicyId GUID}.cip`
|
||||||
* Device Guard example policies: `C:\Windows\System32\CodeIntegrity\ExamplePolicies\`
|
* Device Guard example policies: `C:\Windows\System32\CodeIntegrity\ExamplePolicies\`
|
||||||
* WDAC utilities: [mattifestation/WDACTools](https://github.com/mattifestation/WDACTools), a PowerShell module to facilitate building, configuring, deploying, and auditing Windows Defender Application Control (WDAC) policies
|
* WDAC utilities: [mattifestation/WDACTools](https://github.com/mattifestation/WDACTools), a PowerShell module to facilitate building, configuring, deploying, and auditing Windows Defender Application Control (WDAC) policies
|
||||||
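Review bot: The command inside the new `ps1` fence starts with a shell-style prompt (`$ CiTool.exe -rp ...`); in PowerShell `$` introduces a variable, so the line does not parse when pasted as written. Suggest dropping the `$ ` prefix. The bullet text "(Windows 11 2022 Update)" also does not say whether that is the minimum release that ships CiTool.exe or the only one; a short "available from" wording would remove the ambiguity. The `{PolicyId GUID}` placeholder matches the one in the policy location bullet below, which is good.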
@ -383,4 +386,5 @@ You can check if it is done decrypting using this command: `manage-bde -status`
|
|||||||
* [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate - 12/09/2022 - Microsoft](https://learn.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate)
|
* [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate - 12/09/2022 - Microsoft](https://learn.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate)
|
||||||
* [DISABLING AV WITH PROCESS SUSPENSION - March 24, 2023 - By Christopher Paschen ](https://www.trustedsec.com/blog/disabling-av-with-process-suspension/)
|
* [DISABLING AV WITH PROCESS SUSPENSION - March 24, 2023 - By Christopher Paschen ](https://www.trustedsec.com/blog/disabling-av-with-process-suspension/)
|
||||||
* [Disabling Event Tracing For Windows - UNPROTECT PROJECT - Tuesday 19 April 2022](https://unprotect.it/technique/disabling-event-tracing-for-windows-etw/)
|
* [Disabling Event Tracing For Windows - UNPROTECT PROJECT - Tuesday 19 April 2022](https://unprotect.it/technique/disabling-event-tracing-for-windows-etw/)
|
||||||
* [ETW: Event Tracing for Windows 101 - ired.team](https://www.ired.team/miscellaneous-reversing-forensics/windows-kernel-internals/etw-event-tracing-for-windows-101)
|
* [ETW: Event Tracing for Windows 101 - ired.team](https://www.ired.team/miscellaneous-reversing-forensics/windows-kernel-internals/etw-event-tracing-for-windows-101)
|
||||||
|
* [Remove Windows Defender Application Control (WDAC) policies - Microsoft - 12/09/2022](https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies)
|
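Review bot: The new Microsoft reference at the end of this hunk puts the publisher before the date (`- Microsoft - 12/09/2022`), but the existing Microsoft entry at the top of the hunk uses date then publisher (`- 12/09/2022 - Microsoft`). Suggest matching the existing order. The numeric date `12/09/2022` is also ambiguous between day-first and month-first; the neighbouring entries spell the month out (`March 24, 2023`, `19 April 2022`), which would be clearer here too.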
@ -110,11 +110,13 @@ http://0000::1:3128/ Squid
|
|||||||
|
|
||||||
### Bypass localhost with a domain redirection
|
### Bypass localhost with a domain redirection
|
||||||
|
|
||||||
|
| Domain | Redirect to |
|
||||||
* `spoofed.[BURP_COLLABORATOR]` such as `spoofed.redacted.oastify.com`
|
|------------------------------|-------------|
|
||||||
* `localtest.me` redirect to `::1`
|
| localtest.me | `::1` |
|
||||||
* `company.127.0.0.1.nip.io` redirect to `127.0.0.1`
|
| localh.st | `127.0.0.1` |
|
||||||
* `bugbounty.dod.network` redirect to `127.0.0.2`
|
| spoofed.[BURP_COLLABORATOR] | `127.0.0.1` |
|
||||||
|
| spoofed.redacted.oastify.com | `127.0.0.1` |
|
||||||
|
| company.127.0.0.1.nip.io | `127.0.0.1` |
|
||||||
|
|
||||||
The service nip.io is awesome for that, it will convert any ip address as a dns.
|
The service nip.io is awesome for that, it will convert any ip address as a dns.
|
||||||
|
|
||||||
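Review bot: Converting the list to a table silently drops the `bugbounty.dod.network` entry (previously listed as `127.0.0.2`), while adding `localh.st`; neither change is mentioned in the commit message, so please either keep the row or state that it was removed on purpose. The old single bullet "`spoofed.[BURP_COLLABORATOR]` such as `spoofed.redacted.oastify.com`" has also become two separate rows, which now reads as two distinct domains rather than a placeholder and one example of it; one row with the example in the same cell would preserve the meaning. The column header `Redirect to` would be more accurate as `Resolves to`, since the right-hand values are addresses the names resolve to.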
@ -138,7 +140,7 @@ http://127.0.0.0
|
|||||||
http://2130706433/ = http://127.0.0.1
|
http://2130706433/ = http://127.0.0.1
|
||||||
http://3232235521/ = http://192.168.0.1
|
http://3232235521/ = http://192.168.0.1
|
||||||
http://3232235777/ = http://192.168.1.1
|
http://3232235777/ = http://192.168.1.1
|
||||||
http://2852039166/ = http://169.254.169.254
|
http://2852039166/ = http://169.254.169.254
|
||||||
```
|
```
|
||||||
|
|
||||||
### Bypass using octal IP
|
### Bypass using octal IP
|
||||||
|
@ -62,7 +62,7 @@
|
|||||||
- [Bypass "<" and ">" using < and >](#bypass--and--using--and-)
|
- [Bypass "<" and ">" using < and >](#bypass--and--using--and-)
|
||||||
- [Bypass ";" using another character](#bypass--using-another-character)
|
- [Bypass ";" using another character](#bypass--using-another-character)
|
||||||
- [Bypass using HTML encoding](#bypass-using-html-encoding)
|
- [Bypass using HTML encoding](#bypass-using-html-encoding)
|
||||||
- [Bypass using Katana](#bypass-using-katana)
|
- [Bypass using Katakana](#bypass-using-katakana)
|
||||||
- [Bypass using Cuneiform](#bypass-using-cuneiform)
|
- [Bypass using Cuneiform](#bypass-using-cuneiform)
|
||||||
- [Bypass using Lontara](#bypass-using-lontara)
|
- [Bypass using Lontara](#bypass-using-lontara)
|
||||||
- [Bypass using ECMAScript6](#bypass-using-ecmascript6)
|
- [Bypass using ECMAScript6](#bypass-using-ecmascript6)
|
||||||
@ -967,7 +967,7 @@ Unicode Character U+FF1C and U+FF1E
|
|||||||
></script><svg onload=%26%2397%3B%26%23108%3B%26%23101%3B%26%23114%3B%26%23116%3B(document.domain)>
|
></script><svg onload=%26%2397%3B%26%23108%3B%26%23101%3B%26%23114%3B%26%23116%3B(document.domain)>
|
||||||
```
|
```
|
||||||
|
|
||||||
### Bypass using Katana
|
### Bypass using Katakana
|
||||||
|
|
||||||
Using the [Katakana](https://github.com/aemkei/katakana.js) library.
|
Using the [Katakana](https://github.com/aemkei/katakana.js) library.
|
||||||
|
|
||||||
|