Windows Persistence - Binary replacing

Methodology and Resources/Cloud - Azure Pentest.md

@@ -177,6 +177,8 @@ Found Container - hrsecure.blob.core.windows.net/NETSPItest
 
 > By default it is possible to query almost all the information about the directory as authenticated user, even when the Azure portal is restricted, using Azure AD Graph.
 
+Check if the compagny is using Azure AD with `https://login.microsoftonline.com/getuserrealm.srf?login=username@target.onmicrosoft.com&xml=1`.
+
 ```powershell
 $ git clone https://github.com/dirkjanm/ROADtools
 $ pip install roadrecon
@@ -290,6 +292,8 @@ With Microsoft, if you are using any cloud services (Office 365, Exchange Online
 
 ## Azure AD - Password Spray
 
+> Default lockout policy of 10 failed attempts, locking out an account for 60 seconds
+
 ```powershell
 git clone https://github.com/dafthack/MSOLSpray
 Import-Module .\MSOLSpray.ps1
@@ -357,7 +361,11 @@ Prerequisite:
   * Compromise a server with Azure AD Connect service
   * Access to ADSyncAdmins or local Administrators groups
 
-Use the script **azuread_decrypt_msol.ps1** from @xpn : https://gist.github.com/xpn/0dc393e944d8733e3c63023968583545#file-azuread_decrypt_msol-ps1 to recover the decrypted password for the MSOL account
+Use the script **azuread_decrypt_msol.ps1** from @xpn to recover the decrypted password for the MSOL account:
+* `azuread_decrypt_msol.ps1`: AD Connect Sync Credential Extract POC https://gist.github.com/xpn/0dc393e944d8733e3c63023968583545
+* `azuread_decrypt_msol_v2.ps1`: Updated method of dumping the MSOL service account (which allows a DCSync) used by Azure AD Connect Sync https://gist.github.com/xpn/f12b145dba16c2eebdd1c6829267b90c
+
+Now you can use the retrieved credentials for the MSOL Account to launch a DCSync attack.
 
 ## Azure AD Connect - Seamless Single Sign On Silver Ticket
 
@@ -455,6 +463,7 @@ NOTE: By default, O365 has a lockout policy of 10 tries, and it will lock out an
     https://fws.domain.com/o365/visfed/intrdomain/se/?username=firstname.lastname%40domain.com&wa=wsignin1.0&wtrealm=urn%3afederation%3aMicrosoftOnline&wctx=
     </AuthURL>
     ```
+* Validate email : https://github.com/LMGsec/o365creeper `o365creeper.py -f emails.txt -o validemails.txt`
 * Extract email lists with a valid credentials : https://github.com/nyxgeek/o365recon
 
 
@@ -473,4 +482,6 @@ NOTE: By default, O365 has a lockout policy of 10 tries, and it will lock out an
 * [Azure Privilege Escalation Using Managed Identities - Karl Fosaaen - February 20th, 2020](https://blog.netspi.com/azure-privilege-escalation-using-managed-identities/)
 * [Hunting Azure Admins for Vertical Escalation - LEE KAGAN - MARCH 13, 2020](https://www.lares.com/hunting-azure-admins-for-vertical-escalation/)
 * [Introducing ROADtools - The Azure AD exploration framework - Dirk-jan Mollema](https://dirkjanm.io/introducing-roadtools-and-roadrecon-azure-ad-exploration-framework/)
-* [Moving laterally between Azure AD joined machines - Tal Maor - Mar 17, 2020](https://medium.com/@talthemaor/moving-laterally-between-azure-ad-joined-machines-ed1f8871da56)
+* [Moving laterally between Azure AD joined machines - Tal Maor - Mar 17, 2020](https://medium.com/@talthemaor/moving-laterally-between-azure-ad-joined-machines-ed1f8871da56)
+* [AZURE AD INTRODUCTION FOR RED TEAMERS - Written by Aymeric Palhière (bak) - 2020-04-20](https://www.synacktiv.com/posts/pentest/azure-ad-introduction-for-red-teamers.html)
+* [Impersonating Office 365 Users With Mimikatz - January 15, 2017 - Michael Grafnetter](https://www.dsinternals.com/en/impersonating-office-365-users-mimikatz/)

Methodology and Resources/Windows - Persistence.md

@@ -16,7 +16,12 @@
     * [HKLM](#hklm)
     * [Services](#services)
     * [Scheduled Task](#scheduled-task)
+    * [Binary Replacement](#binary-replacement)
+        * [Binary Replacement on Windows XP+](#binary-replacement-on-windows-xp)
+        * [Binary Replacement on Windows 10+](#binary-replacement-on-windows-10)
     * [RDP Backdoor](#rdp-backdoor)
+        * [utilman.exe](#utilman.exe)
+        * [sethc.exe](#sethc.exe)
     * [Skeleton Key](#skeleton-key)
 * [References](#references)
 
@@ -157,6 +162,27 @@ PS C:\> $D = New-ScheduledTask -Action $A -Trigger $T -Principal $P -Settings $S
 PS C:\> Register-ScheduledTask Backdoor -InputObject $D
 ```
 
+### Binary Replacement
+
+#### Binary Replacement on Windows XP+
+
+| Feature             | Executable                            |
+|---------------------|---------------------------------------|
+| Sticky Keys         | C:\Windows\System32\sethc.exe         |
+| Accessibility Menu  | C:\Windows\System32\utilman.exe       |
+| On-Screen Keyboard  | C:\Windows\System32\osk.exe           |
+| Magnifier           | C:\Windows\System32\Magnify.exe       |
+| Narrator            | C:\Windows\System32\Narrator.exe      |
+| Display Switcher    | C:\Windows\System32\DisplaySwitch.exe |
+| App Switcher        | C:\Windows\System32\AtBroker.exe      |
+
+#### Binary Replacement on Windows 10+
+
+Exploit a DLL hijacking vulnerability in the On-Screen Keyboard **osk.exe** executable.
+
+Create a malicious **HID.dll** in  `C:\Program Files\Common Files\microsoft shared\ink\HID.dll`.
+
+
 ### RDP Backdoor
 
 #### utilman.exe
@@ -190,4 +216,5 @@ Enter-PSSession -ComputerName <AnyMachineYouLike> -Credential <Domain>\Administr
 * [A view of persistence - Rastamouse](https://rastamouse.me/2018/03/a-view-of-persistence/)
 * [Windows Persistence Commands - Pwn Wiki](http://pwnwiki.io/#!persistence/windows/index.md)
 * [SharPersist Windows Persistence Toolkit in C - Brett Hawkins](http://www.youtube.com/watch?v=K7o9RSVyazo)
-* [](https://www.mdsec.co.uk/2020/02/iis-raid-backdooring-iis-using-native-modules/)
+* [IIS Raid – Backdooring IIS Using Native Modules - 19/02/2020](https://www.mdsec.co.uk/2020/02/iis-raid-backdooring-iis-using-native-modules/)
+* [Old Tricks Are Always Useful: Exploiting Arbitrary File Writes with Accessibility Tools - Apr 27, 2020 - @phraaaaaaa](https://iwantmore.pizza/posts/arbitrary-write-accessibility-tools.html)