Alternative AD resource

Link: Active Directory - Information Security Reference (rmusser.net)

While I think Sean Metcalf gets the nod for most expansive writing on the subject of AD security, this site is a little more digestible and formatted in an easy-to-use fashion.

The site is divvied up into sections, and breaks out static, referential information from the more dynamic attacker tactics and such. Should be easier to maintain that way.

Overview of ways to dump LSASS.exe

Link: LSASS Memory Dumps Are Stealthier Than Ever Before (deepinstinct.com)

Nice quick article going over a multitude of ways you can dump the password hashes from the lsass.exe process, a usually pivotal step in the process of expanding your reach on a network. Lots of tools act in a very suspicious fashion that can be easy to write static signatures for. A notable omission from the listed tools, though, is the network/remote tools such as Hackndo/lsassy and skelsec/pypykatz.

Yet Another Shellcode Loader

Link: rvrsh3ll/Alaris: A protective and Low Level Shellcode Loader the defeats modern EDR systems. (github.com)

I linked rvrsh3ll’s fork of this because it’s already been modified for use. There are a lot of tools coming out to deal with EDRs getting better, so the cat-and-mouse game is still in full force at the moment.

Bonus Track: BHIS Sacred Cow Tipping 2021

No link

When this comes out on YouTube, be sure to watch it. Lots of good commentary this year and some very nice pointers from Rob Fuller near the end. I had forgotten about the Microsoft Diagnostic Cab tool, and wouldn’t have put together to use it as a delivery device!