Grzegorz Tworek
@0gtweet
Followers
29,514
Following
1,431
Media
853
Statuses
5,890
My own research, unless stated otherwise. Not necessarily "safe when taken as directed". GIT d- s+: a+ C++++ !U !L !M w++++$ b++++ G-
Joined April 2012
Don't wanna be here?
Send us removal request.
Explore trending content on Musk Viewer
Rio Grande do Sul
• 134797 Tweets
Madonna
• 126157 Tweets
Boeing
• 119118 Tweets
Nathan
• 92350 Tweets
Irak
• 64008 Tweets
عدنان البرش
• 41958 Tweets
#SRHvRR
• 35919 Tweets
Olimpiade
• 28951 Tweets
Bhuvi
• 22955 Tweets
KPLC
• 19730 Tweets
Bruno Mars
• 19651 Tweets
Marselino
• 19279 Tweets
زياد
• 17375 Tweets
Ernando
• 14499 Tweets
Canna
• 14176 Tweets
ALGS
• 12294 Tweets
Guinea
• 12169 Tweets
Hubner
• 12081 Tweets
Finally had a moment to test Winlogon password leaking (a.k.a. notifying) on Windows 11. No big surprise.
And the flow is:
-user enters password
-winlogon loads mpnotify.exe
-mpnotify opens RPC channel
-winlogon sends pass via RPC
-mpnotify forwards to DLL
-DLL stores it on disk
37
730
2K
Windows 10 offline admin creation? 😈
Why not?!
Everything happens through built-in offlinelsa and offlinesam DLLs. Official, but not very documented.
Enjoy the source code and the compiled exe, as usual:
37
467
2K
Need to download mimikatz (or some other nasty stuff) without alerting Windows Defender Antivirus? Paste these 3 lines into the command line 👇👇👇 1/2
27
497
2K
WHAT?! 😂
If you provide /FS:FILESYSTEM parameter to the format[.]com utility, the resulting process will try to load ("U"+FILESYSTEM).DLL using the default search path...
The weirdest custom DLL launcher I have meet so far :D
23
517
2K
Need an almost invisible, post-exploitation, persistent, fileless, LPE backdoor? There are many, but this one looks really beautiful for me: type "sc.exe sdset scmanager D:(A;;KA;;;WD)" from an elevated command prompt.
37
340
1K
Do you detect IIS Application Pool credential dumping by looking for "/text:*"?
Time to update your rules with undocumented /show, /(at)t, and /(at)text.
22
342
1K
Didn't described it precisely so far:
If you put 'mpnotify' value into the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, your exe will be launched by winlogon.exe when user logs on. After 30s the process will be terminated.
17
323
1K
A new tool has arrived! 😎
Somewhat like netstat, but with timestamps for connections!⏱
The C source code, and the compiled exe, as usual -
15
278
1K
Eliminate huge part of lateral movement scenarios with one command: "reg.exe add HKLM\SYSTEM\CurrentControlSet\Control /v DisableRemoteScmEndpoints /t REG_DWORD /d 1"
It will make Service Control Manager deaf to remote management. Everything else works properly.
11
323
1K
Is
#SysInternals
Sysmon good for discovering the full historical process tree? Of course! Bored with manual process, I have create simple (but fully working) PowerShell script, displaying the tree in a nicely walkable form. Enjoy:
16
279
948
By-design AV bypass with "dev drive" 😅
I really like this feature!
Update your detection rules if you want to spot this...
16
256
948
"write.exe" is just ShellExecute() to wordpad.exe. And ShellExecute() reads HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths before reading HKLM.
Which means, you can use "write" to launch anything if you create "wordpad.exe" subkey.
And it explains why I love Windows.🙃
10
220
881
Need to launch your app unusual way? ;)
1. Launch Sigverif.exe
2. Click "Advanced"
3. Type the exe path
4. Click "View Log"
5. Enjoy ShellExecute()
9
221
834
Are you an admin with EXE blocked by
#AppLocker
? You can bypass the protection without any execution traces in the AppLocker Log! Load your DLL, steal the token from spooler and create the child process.
C source code and the compiled binary, as usual:
6
288
812
Looks like the weirdest AV evasion I have ever seen.
1. Not all MsMpEng.exe versions allow to be suspended.
2. You may need to wait before your malware finally starts.
22
230
794
As a fan of non-obvious persistence mechanisms I had to try to collect (and categorize!) them all. It has just started, first 10 entries appeared, and more is coming each day.
I am happy to share it. Enjoy, contribute, use freely -
22
313
799
Yet another DLL sideloading: ShellChromeAPI.dll does not exist, but built-in DeviceEnroller.exe tries to load it when /PhoneDeepLink parameter is present. If you drop your own DLL, it nicely loads.
11
211
765
What a beautiful LOLBin in Microsoft-signed dumpbin.exe! 🤩
It just calls wspawnl("LINK /DUMP") without checking what link.exe actually is.
6
211
756
Four years after publishing my code stealing passwords from WinLogon I have just realized that NPLogonNotify() has a twin!
NPPasswordChangeNotify() obtains old and new cleartext passwords changed via CtrlAltDel. Clearly documented by MS and easy to use:
9
223
757
When attackers use BitLocker to encrypt your drives (sic!), digging through the ntds.dit file and looking for recovery keys may be the best option. And it’s exactly why I created such script. ExtractFVEPasswordsFromNTDS.ps1 Enjoy :)
4
279
710
Did they tell you "This function is included only in Windows XP." at ?
They lied :P
Feel free to try it at home: rundll32 keymgr,KRShowKeyMgr
14
214
699
Yet another
#PowerShell
#redteam
tip: use (WCHAR)0x2013, (WCHAR)0x2014, or (WCHAR)0x2015 instead of "-" and "/" to specify powershell.exe parameters. Huge part of detection rules will not spot them.
And if you are blue💙, you know what to do NOW.
BTW, same applies to the PS code.
6
286
688
Use PowerShell to dump passwords stored by Chrome. 🕵️♂️
Simple script doing the SQLite+DPAPI magic:
5
264
678
If you issue "view filename" in the nslookup, it creates a child process: "cmd.exe /c sort < filename | more".
Really
#Microsoft
? It's 2021... 🤯
13
209
668
Simple user-level persistence with grpconv.exe:
1. create %userprofile%\setup.ini
2. launch "grpconv.exe -o"
3. profit
Of course, grpconv.exe is provided with Windows 10, because you may need to convert Windows 3.x .grp files some day. 🙃
11
202
665
cmd.exe /c "ping 127.0.0.1/../../../../../../../../../../windows/system32/calc.exe" 😂
7
219
662
It is worse than I’ve thought initially! 🤦♂️
If you simply rename your malicious .exe file to msiexec.exe its files will be excluded from realtime scanning. REALLY
#WindowsDefender
?
Simple C# dropper and the eicar-based PoC instruction:
15
325
648
Use the LanMan-old NPLogonNotify() function to sniff every single password used to logon to Windows.
Cleartext. No reboot required.
NPLogonNotify() -
The C source, and fully working DLL -
3
340
636
Fancy Defender evasion? Yet another method, nearly bare hands:
1. Export CurrentControlSet to a file
2. Edit path in a file
3. Import a file as new ControlSet
4. Change "Select" values to new one
5. Reboot
6. Enjoy 😎
A side effect of my "Registry internals" session yesterday 😅
14
178
626
How exactly winlogon.exe leaks user password? 🤔
It checks mpnotify value in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, and then launches exe specified there or mpnotify.exe if empty. Exe registers RPC endpoint and winlogon binds to it and passes the password. 🤯
7
180
596
Kerberos tickets dumping in pure PowerShell 😍
I simply love such approach.
So much more beautiful than loading pre-compiled binary blob. And so much harder to detect...
4
199
587
Any Internet-facing Windows machines?
1. Go to
2. Pick your favorite evil country.
3. Select "IP Range" as format.
4. Copy the result to clipboard.
5. Run the script from
12
167
574
@DrAzureAD
Me too! Why did they use checkboxes instead of radio buttons if you have to select only one!?
8
7
566
Did they tell you "no one will know your password if you do not type it"? They lied.
Winlogon.exe will know it anyway. 😈
6
145
562
Some time ago, I have published the tool allowing you to craft a token containing TrustedInstaller. Today, the Mk2 version appeared: no psexec.exe required, less talkative and with a bit cleaner code.
The C source code and the compiled EXE, as usual:
3
184
547
There is one thing to mention when talking about SystemRoot and cmd.exe: cmd.exe loads %systemroot%\System32\propsys.dll when an executable file is launched. Should I tell you more...? 😈
7
157
537
Simple tool enabling all privileges in the parent process (usually cmd.exe) token. Useful if you have SeBackup or SeRestore and need a cmd.exe ignoring all ACLs.
C code and the compiled .exe as usual.
With a link to the demonstration in the README:
3
174
524
Yet another approach to LSA secrets stealing. I just wanted to try with LsaOpenSecret() / LsaQuerySecret(). And it works (with date/time, and the OldVal as a bonus), so I am sharing the C source code, and the compiled EXE, as usual:
8
214
515
A keylogger/sniffer for the on-screen-keyboard? Sure, ETW is happy to help here with {4F768BE8-9C69-4BBC-87FC-95291D3F9D0C}😁
Enjoy the C source code, and the compiled exe, as usual -
7
143
511
Want to access
#KeePass
database from
#Powershell
? Load keepass.exe as an assembly and call its methods directly.
Very simple (and fully working) script here:
0
236
508
Do you store your "DNS dynamic update registration credentials" in a DHCP?
Cute, it means I have a new tool for you 😁😈
Enjoy the DHCP Server DNS Password Stealer. The C source code, and the compiled exe, as usual:
11
144
503
When was the last time you have used eudcedit.exe? Because we all have it in our systems for a reason, right? Right...?
18
23
491
Yet another built-in Windows downloader? 🤔
1. create LDIF file containing a http-based attrval-spec,
2. import it with ldifde.exe.
As an effect you can:
3. observe the request on the webserver,
4. find the file on your drive.
Enjoy 😈
7
142
472
Want to avoid shutdown script execution on your laptop? Set Critical Battery Level Action to "Shutdown" and unplug the power. Even if it is 99%, the shutdown scripts do not execute. Why does it work this way? See the short thread below: ⤵
4
89
475
Token stealing (aka duplication) with syscalls only? Not sure if it’s novel approach but had to try anyway. 🤷♂️
NtOpenProcessToken, NtAdjustPrivilegesToken, NtOpenProcess, NtDuplicateToken, and NtSetInformationThread at your service! Enjoy the C code:
7
119
468
Just a friendly reminder for all admins fixing overly privileged service accounts: the previous password is saved on the machine anyway. It means you should:
1. change the service password twice
or
2. change it for an account to make backup secret useless.
7
94
454
🔥🔥I definitely underestimated offlinelsa.dll...🔥🔥
It allows you to manipulate SAM database content offline! What if I give you an app assigning all privileges "Administrators" have to "Users"? 😈
Enjoy the C source code and the compiled exe, as usual:
5
167
450
Have you ever wanted to be TrustedInstaller? Or is it just me...? 🙈
It was the most obvious step, after I have realized I can put anything into the 100% legit security token. 😈
A piece of C, and the compiled EXE, as always:
2
132
447
Conditional ACLs, making the same file allowed for one app, denied for another one... 😮
I guess I know where I will dig during next weeks... 😎
15
62
445
And what if I tell you sfc.exe loads SSShim.dll (and couple of other DLLs too) from the SCANNED Windows, and not from the scanning one? 😈
Additionally, sfc.exe enforces you to run it as local admin.
Will you scan my OS image, please? 🙏
8
122
444
Yet another process dump method:
rdrleakdiag.exe /p <pid> /o <outputdir> /fullmemdmp /wait 1
5
188
447
1. Create file containing only "0".
2. Check the digital signature with
#PowerShell
3. Observe your file is properly signed by Microsoft.
Are you still thinking that digital signatures are complicated? :D
2
135
430
Explorer hides extensions of 16 file types, even if you want to see them all. If such files contain real PE (exe) content, they behave differently when you double click them. Nothing, errors, OpenWith dialog, etc.
And one of them will run actual exe file 😈
Dare to guess?
8
82
421
Yet another one... 🙄
Built-in DeviceEject.exe auto elevates and then loads hotplug.dll from the current path. It verifies parameters before loading the DLL, but it looks like "0 0 0" is good enough to pass the check.
5
115
409
Wrap your
#PowerShell
script into simple C# file and compile it on any Windows machine to avoid alerts and bans focused on powershell.exe. 😎
The code and more detailed instruction:
5
139
403
It waited on my backlog for months, even if I smelled some C2 potential within iFilters.
And now I can confirm it, and I LOVE it!
It's enough to send an email with attachment to a victim, to execute commands as LOCALSYSTEM.
11
96
395
Live kernel dump with PowerShell one-liner 😎💪
$ss = Get-CimInstance -ClassName MSFT_StorageSubSystem -Namespace Root\Microsoft\Windows\Storage
Invoke-CimMethod -InputObject $ss -MethodName "GetDiagnosticInfo" -Arguments @{DestinationPath="C:\dmp"; IncludeLiveDump=$true}
4
154
388
Did you expect this? Especially, an undocumented "-encodedarguments"
#PowerShell
parameter.
It may be shortened to "ea" or "encodeda".
Good luck fixing your detection rules 😂
6
168
384
The tool I hope you will never have to use. But if you do some Incident Response, collecting the volatile data is a must. And the tool does it. Neatly and fast. C source code, and the compiled EXE, as usual -
It collects: 👇
9
102
379
"Copy as path" required Shift+RightClick in Windows 10. And now I can see its own keyboard shortcut! Thank you Microsoft! 😀
7
40
372
TIL: The Process CommandLine is just the process own memory indicated by PEB->ProcessParameters->CommandLine->Buffer. Each process can freely change it, and easily fool all tools trying to read such value. Why anyone trusts it? 🤔
17
71
372
The biggest cybersecurity mystery ever: if I connect through untrusted Wi-Fi to a website with a green padlock next to the URL, am I safe, or not? 🤔
84
21
363
SeManageVolumePrivilege to "Full Admin" escalation:
1. Enable the privilege in the token
2. Create handle to \\.\C: with SYNCHRONIZE | FILE_TRAVERSE
3. Send the FSCTL_SD_GLOBAL_CHANGE to replace S-1-5-32-544 with S-1-5-32-545
4. Overwrite utilman.exe etc.
5. 😎
4
148
359
OH SNAP! 😮
Set the VSS Snapshot type GUID to {F12142B4-9A4B-49af-A851-700C42FDC2BE} to make snapshot disappear, but still work.
The C source code, and the compiled exe, as usual:
7
98
358
Yet another comspec-based
#LOLBin
to be added to your blue- or red-tinted repos.
For couple dozens of predefined commands, "help xxx" will launch "%comspec% /c xxx /?"
The finding itself is nearly year old, and it's high time I converted it into something practical.
6
126
348
I'm super excited to announce the launch of my "Mastering Windows Internals" pilot program. The goal is to share my knowledge and experiences, along with offering practical insights on using the tools I've developed and continue to update.
14
51
351
#redteam
tip: use logman.exe with -b, -rf, -s, and -rc to create highly-privileged local, and remote scheduled tasks. They are deeply hidden in the Task Scheduler GUI, especially as the actions are masked under "Custom Handler". And no one looks for attackers in Perfmon/DCS.
0
146
345
Yet another "expert" sharing my tool at BlackHat without attributing it to me🤬
Closed source, never made for sharing publicly.
Great choice of speakers (again)
@BlackHatEvents
🙄
And the URL of shame:
25
54
339
Are you afraid of Windows Services hidden via ACLs? Find them easily with simple PowerShell script:
Now it's the Red Team turn: improve service hiding with registry ACLs manipulation ;)
3
91
332
If you have Microsoft DTrace handy, you can make live kernel dump with one cmdline: dtrace.exe -w "syscall:::return {lkd(0); exit(0);}"
6
95
323
UEFI-based persistence? Sure! Documented as well:
BTW it nicely bypasses BitLocker protection, if you rely on TPM without PIN.
7
122
327
Quick cmdline way of converting HEX to DEC? Use "set /a" 😎
3
59
322
As my sideloading technique gained some popularity today, I have decided to share one of the tiniest malicious code I have ever written. Volume label is the payload... 😈
BLUE TEAMS: Watch format's child processes please! 🙏
WHAT?! 😂
If you provide /FS:FILESYSTEM parameter to the format[.]com utility, the resulting process will try to load ("U"+FILESYSTEM).DLL using the default search path...
The weirdest custom DLL launcher I have meet so far :D
23
517
2K
0
80
315
There are hundreds of ways of making your Windows unbootable, but some of them are just more interesting. Like the bcedit.exe {badmemory} undocumented option, telling Windows the RAM is "bad" 😅
1000 ought to be enough for anyone.
7
47
311
Some time ago I have realized a process can manipulate its own cmdline, which is quite cool. :)
Today I learned a process can play with the path and current directory as well. The conclusion is simple: don't trust these fields!
Don't be like Process Explorer... 😅
9
78
307
Do you trust RunAsPPL? The "prevent code injection that could compromise credentials" narration? Technically it is right, as you cannot load your DLL into LSASS. But what if LSASS.exe passes cleartext passwords to mpnotify.exe, which automatically loads untrusted DLLs? 😱
4
111
301
Undocumented (what a surprise!) EVTX file format flag, making all internal checksums ignored.
Good to have if you plan to manipulate the log content.🕵️
Simple "try this at home"
#PowerShell
script:
3
126
299
Not-so-widely-known persistence with rdpwd\StartupPrograms - finally documented at
More coming. :)
2
100
298
Would you like to analyze process history in Excel? Convert the
#Sysmon
event log to CSV with simple
#PowerShell
script:
11
83
293
Malicious IFilter? Why not! It’s a DLL waiting patiently (not even loaded) until the file with a particular extension appears. Then it executes as the LOCALSYSTEM. More in a short writeup:
6
108
291
Caring about whoami? Despite common belief, it doesn't use GetUserNameEx() unless you specify /UPN or /FQDN param!
Whoami calls OpenProcessToken() to get process token, then GetTokenInformation() to get SID, and finally LookupAccountSid() to get username.
You have been warned ;)
4
62
283
Reading an analysis of CVE-2023-36884 exploitation by Storm-0978.
Filter your outbound traffic ffs! 🙄
3
89
279
If you are responsible for Win11 security baseline, please use the new (I mean fixed after 20+ years) configuration option "Enable MPR notifications" under Windows Components\Windows Logon Options.
Defaults allow to read cleartext credentials from Winlogon with a simple DLL.
4
59
275
Persistency tip: if you have admin rights for a moment, just add “WD” or “DC” to SDDL of any of Windows Services. It will allow you to elevate your privileges back any moment you need.
Good luck finding this, Blue Team...
7
78
274
Want to know what fsutil devdrv actually does? Here you have it:
1. devdrv enable -> FsEnableDevDrive=1 in CCS\Control\FileSystem
2. disallowAv -> FltmgrDevDriveAllowAntivirusFilter=0 in CCS\Control\FilterManager
3. clearFiltersAllowed -> FsFlags + FsGuid in
By-design AV bypass with "dev drive" 😅
I really like this feature!
Update your detection rules if you want to spot this...
16
256
948
2
78
267