Oddvar Moe
@Oddvarmoe
Followers
18,696
Following
1,019
Media
1,619
Statuses
11,367
Red Teamer @TrustedSec | MS MVP | Speaker | Security Researcher | Blogger | Total n00b & always learning | UNC1194 | Tinkerer | Gamer I try to inspire!
Norway
Joined September 2011
Don't wanna be here?
Send us removal request.
Explore trending content on Musk Viewer
#IanxSB19xTerry
• 323435 Tweets
Rio Grande do Sul
• 123680 Tweets
Madonna
• 122345 Tweets
Boeing
• 110851 Tweets
suho
• 96797 Tweets
#MOONLIGHTOutNow
• 71740 Tweets
Özgür Özel
• 67441 Tweets
RPWP CONCEPT PHOTO 2
• 61899 Tweets
Irak
• 60580 Tweets
Nathan
• 52183 Tweets
عدنان البرش
• 34678 Tweets
#無責任でええじゃないかLOVE
• 28117 Tweets
KPLC
• 15237 Tweets
Canna
• 11795 Tweets
Ivar Jenner
• 11185 Tweets
Ernando
• 10819 Tweets
ALGS
• 10743 Tweets
Pinned Tweet
Did you know that most of the O365 password spraying tools are giving (not after today) the wrong output for the error AADSTS50079?
AADSTS50079 has changed the meaning over the years from Microsoft and does not longer mean that MFA is in use, it actually means that MFA must be…
Principal Security Consultant
@Oddvarmoe
made an exciting discovery while using password-spraying tools in Microsoft Office 365 during a recent engagement. Read our latest
#blog
to find out how he went from error to entry!
4
66
247
10
62
194
Things that make my Red Team day harder:
- Macro's disabled
- HTA's disabled
- LAPS implemented
- SMB Signing On
- User Behavior Analytics
- Educated Users
And the worst is a blue team that has passion, that use HoneyUsers/Honeytokens/tripwire/fakeservice and focus on detection.
38
463
2K
I may or may not have nuked all computers in my classroom when I was young
78
108
2K
Defenders should deploy this settings:
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
Dword: RunAsPPL
Value: 1
Protects dumping of Lsass with a simple registry value.
Encountered that on an engagement recently. 🤯
Mimikatz driver needed to bypass
Details
19
618
1K
Some really great sites you should bookmark
(just released)
26
408
1K
Random tip on LDAP searches.
Search for UserAccountControl set to 544. That is for "Enabled, Password Not Required". If you get hits, try to authenticate with the account without a password.
4
145
691
This also works really well:
cmd.exe /c "gpupdate /force/../../../../../../../../../../windows/notepad.exe"
and
cmd /c "mshta.exe c:\temp\none.hta/../../../../../../../../../../windows/notepad.exe"
Fun stuff to be had with this technique
7
269
665
Love this technique of doing dcsync. When DA is achieved, simply create a new computer account with a password you know and set the UserAccountControl to SERVER_TRUST_ACCOUNT 0x2000.
Then you can DCSync using that account 💥
Great blog post about it here:
5
284
670
TIL
Win+Ctrl+Shift+B restarts the graphic driver in Windows
17
160
629
This setting is very powerful and easy forgotten.
If you have not implemented LAPS/Unique Local admin passwords, then this is way to make it harder to move laterally between machines.
6
179
626
I often/still find Group Policy Preferences passwords when I do my pentests.
To check if you have this present in your domain you can run this command:
findstr /S /I cpassword \\<FQDN>\sysvol\<FQDN>\policies\*.xml
A great write-up here by
@PyroTek3
6
316
597
If you have AppLocker deployed, be aware that most times when Windows 10 is updated/upgraded, it creates a TASKS_MIGRATED folder under C:\windows\system32 that has the CREATOR OWNER, meaning that users can create and execute files from the folder and bypassing AppLocker 😱
6
306
593
Windows binaries:
Linux binaries:
Living off Trusted Sites:
File Extensions Used by Attackers:
Blue Team / Binaries that behaves like malware:
4
252
573
This could be useful for trolling (part of SCCM): sctoastnotification.exe "Title" "Message"
9
159
533
A good documentation on all the different
#LOLBins
and
#LOLScripts
would be nice? Right?
Good thing I have started then. Still have a lot of notes to add, but I feel this is a good start. Would love community feedback and contributions.
Is this useful?
22
315
531
While adding the Windows Defender MpCmdRun.exe to LOLBAS, I also discovered it can store the downloaded file into an Alternate Data Stream. Sweet stuff!
Added here:
Also updated my ADS list:
Great discovery by
@mohammadaskar2
Well, you can download a file from the internet using Windows Defender itself.
In this example, I was able to download Cobalt Strike beacon using the binary "MpCmdRun.exe" which is the "Microsoft Malware Protection Command Line".
89
1K
3K
5
209
501
New persistence technique using GlobalFlags in Image File Execution Options
Does not show up in Autoruns.exe.
Enjoy!
#Blogpost
#FeedBackWelcome
8
341
496
Due to the massive response on this tweet I got inspired to write a blog post about some easy wins that makes Red Teaming harder. So, giving away 4 free easy wins for Christmas in this post. 🎅
Enjoy
Things that make my Red Team day harder:
- Macro's disabled
- HTA's disabled
- LAPS implemented
- SMB Signing On
- User Behavior Analytics
- Educated Users
And the worst is a blue team that has passion, that use HoneyUsers/Honeytokens/tripwire/fakeservice and focus on detection.
38
463
2K
7
144
482
It is official!
I have been promoted to Principal Security Consultant at
@TrustedSec
and it feels awesome. Love to be a place where I can grow my career and my contributions are appreciated. Without doubt the best place I have ever worked! ❤️❤️
39
14
448
Trying to figure out the name of a Domain Controller without running OS commands on the host through your shell?
Take a look at C:\windows\debug\netsetup.log.
This file contains information about how the computer joined the domain.
#PentestTip
4
130
436
An attacker can use this to create a computer account (When AD is default) :
djoin /PROVISION /DOMAIN <fqdn> /MACHINE evilpc /SAVEFILE C:\temp\evilpc.txt /DEFPWD /PRINTBLOB /NETBIOS evilpc
^This will create the computer account named evilpc with the password evilpc 😱
[New Blog Post] LockDown Diary - How I used DJOIN to Build Test Machines over VPN
Taking a break from woodworking to share my experience with DJOIN
#MVPBuzz
#MEMCM
#ConfigMgr
#VPN
#SplitTunneling
#COVID_19
#LockDown
#SCCM
#Windows
#SysManSquad
4
40
98
11
170
428
2005: Spent 20$ on ringtones
2022: Phone on silent for the last 5 years
7
77
413
Did you know when a computer becomes a member of an AD domain, it is a member of the Authenticated Users group?
Meaning if you are system on a machine you can do stuff towards the domain.
After a discussion today I realized that is possibly not common knowledge.
17
121
413
I created this quick and dirty Powershell script to check your current system drivers against the awesome list from
@M_haggis
@_josehelps
@nas_bench
Hope you find it useful
14
139
409
My first blog post on
@TrustedSec
's blog is live.🍾🎂
"Local admin access and Group Policy don't mix"
Feedback welcome! 😊
17
190
399
AppLocker case study blogposts so far. More to come!
AppLocker study 1 -
AppLocker study 2 -
Hardening based on study 1 -
Hardening based on study 2 -
#AppLocker
#FeedBackWelcome
7
212
404
A few things that really can make Red Teaming more difficult:
- Network segmentation is implemented and SMB is blocked almost everywhere (I would do this if I was working the blue side)
- Internal MFA for accessing servers with an isolated enrollment process
- HoneyThings
20
65
377
Detecting Powershell Empire using Sysinternals tools. Awesome writeup!
2
170
354
This is very cool!
NTLM hashes without touching LSASS.exe.
Thanks
@elad_shamir
for sharing!
The Internal-Monologue project can be found here:
2
203
346
Created some Youtube content. My goal with this video series is to try to help defenders with typical issues we see on our engagements.
Intro:
AD Primer:
AD attacks:
Common Attacks:
4
129
338
VERY interesting: Account operators can become domain admins through Key Enterprise Admins : - Did you know
@harmj0y
@PyroTek3
- Thanks to Arne
@intility
for the tip -
@msftsecresponse
claims it is not a vulnerability. Blog post by
@DanielUlrichs
#PenTest
5
184
325
A quicktip to all treat hunters out there: sfc.exe /verifyonly and look in the C:\Windows\Logs\CBS\CBS.log file afterwards. Look for "does not match". Easy way to check system binaries 😎
2
161
313
I just discovered that rundll32 also executes data in alternate streams.
Probably already discovered by someone else.
¯\_(ツ)_/¯
I hope you have detection mechanism for data hidden in ADS.
9
167
313
You landed on a box with whitelisting and found out that Plex media server is installed....
Well, I suggest you look at PlexScriptHost.exe.
Could be that you find a signed by Plex version of Python... Just saying...
#LOLBins
7
103
312
Doing
#pentest
and you did not find any passwords in Unattend.xml, remember to also check SetupInfo.bak. You could get lucky!
Great post by
@samilaiho
4
152
310
Update to LOLBAS today. Merged a lot of PRs. Thanks!
New:
Aspnet_Compiler.exe,Certoc.exe,Cmdl32.exe,FltMC.exe,IMEWDBLD.exe,OfflineScannerShell.exe,OneDriveStandaloneUpdater.exe,PrintBrm.exe,SettingSyncHost.exe,Stordiag.exe,WorkFolders.exe,Procdump.exe+++
2
115
300
New blog post about an adventure I had with pre-created computer accounts. Let me tell you, old computer accounts can be fun!
Ended up creating an impacket script and a PR to the SharpHound ingestor as part of my adventure 🔥
Feedback is appreciated
40
119
303
Found an even cooler example with this technique when looking at it quick.
When executing with conhost it executes the process without a parent PID.
conhost calc.exe/../../windows/notepad.exe
Thanks for the inspiring post
@julianpentest
This also works really well:
cmd.exe /c "gpupdate /force/../../../../../../../../../../windows/notepad.exe"
and
cmd /c "mshta.exe c:\temp\none.hta/../../../../../../../../../../windows/notepad.exe"
Fun stuff to be had with this technique
7
269
665
5
85
290
If you are looking into NTFS Alternate Data Streams (ADS) then you can benefit from my previous work on the subject.
Part 1:
Part 2:
Gist with commands:
3
182
293
They are able to land 🚀 things on Mars, and I still cannot quit vim
18
43
279
New blog post out now!🚨
I wrote a blog post on how I researched how to use the Windows Timeline to figure out user behavior on machines.
A big shout to
@kacos2000
for is excellent research on the Windows Timeline, I reused a lot of his stuff (TY)
9
108
268
Msconfig,Pcwrun,netsh,Runonce,Gpscript,Extexport,psr,Nvudisp,Vsjitdebugger, Mftrace some of the latest
#LOLBins
to the LOLBAS list.
List is constantly growing.
Really love where this project is heading.
Thanks everyone for contributing!
7
150
265
TL;DR my blogpost:
Persistence technique (1-liner) - executes at local admin logon:
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "C:\temp\evil.dll"
Does not show in Autoruns.exe as of now.
Video:
Want to hide from Autoruns and create persistence?
My quick research on RunOnceEx -
Technique requires local admin, but still cool I think. Feedback welcome!
#MayHaveBeenDoneBefore
#NewBlogPost
#HidingFromBlueTeam
2
146
222
5
137
253
It is official, I now work for
@TrustedSec
and
@HackingDave
is my new boss - Dreams do come true
35
29
239
Looking at local files on my computer and it seems like Nvidia GeForce Experience has the possibility to disassemble and assemble files to/from .asm format using courgette.exe.
They also have a Nvidia signed 7-zip.exe copy. Perfect when whitelisting prevents the use of 7-zip.
13
96
233
Quick
#AppLocker
bypass using ACL error in
#Teamviewer
12 log file.
Done by adding alternate streams and executing the stream using WMIC.
#beautiful
Thought it was a new discovery with the WMIC alternate stream execution, but was already blogged about:
3
164
233
Great work on increasing the capabilities of NTDS.dit pwnage!
1
79
237
New blog post about using ADExplorer on engagements covering stuff like how to use a machine account hash over a socks proxy and various other recon tips.
Hope you find it useful
4
104
232
This is such a great post by
@CE2Wells
Awesome method that can be abused by attackers. Have been working with mandatory profiles a lot in my past, but never thought of using it like this .
🤯🤯
Thanks for sharing!
2
95
230
This is really cool!
Abusing Microsoft Builtin PowerShell Script in Windows to execute DLL
Awesome find by
@nickvangilder
Undocumented method for proxied execution of an unsigned .NET assembly: powershell.exe -command "set-location -path c:\windows\diagnostics\system\networking; import-module .\UtilityFunctions.ps1; RegSnapin ..\..\..\..\temp\unsigned.dll;[Program.Class]::Main()”
7
108
341
2
70
226
Hardened my new machine and added Attack Surface Reduction Rules. Well, I was hoping the protection was
a little better than this - smh
11
47
226
Whaaat!?! TIL for me as well
This is a big TIL for me!
If you put a space before your command, it is not saved to the history.🤯
29
293
1K
9
48
227
Want to hide from Autoruns and create persistence?
My quick research on RunOnceEx -
Technique requires local admin, but still cool I think. Feedback welcome!
#MayHaveBeenDoneBefore
#NewBlogPost
#HidingFromBlueTeam
2
146
222
Awesome
@TrustedSec
#Sysmon
videos by
@Carlos_Perez
Part 1
Part 2
Part 3
Part 4
Part 5
Part 6
Part 7
…
1
82
225
I cannot recommend Automated Labs enough. It saves me so much time when I need an environment with the Active Directory named according to my current engagement. Perfect for payload testing
1
57
205
Valid paths to a binary in c:\temp on Windows (without ftp/webdav server or similar).
Do you know more paths?
c:\temp\file.exe
\\127.0.0.1\c$\temp\file.exe (or localhost)
\\.\c:\temp\file.exe
\\?\Volume{GUID of drive}\temp\file.exe
15
28
194
Approved some PR in the LOLBAS (Thanks all)
- Rundll32 - Execute directly from smb
- FTP - One-liner example
- Explorer - added with the /root example
- PSR - For recon added
- Desktoipimgdownldr - Downloading files
- Regini - Write reg from ADS
1
56
177
Approved a few PR that had queued up on LOLBAS.
Added the following
- Dllhost.exe
- Datasvcutil.exe
- Appinstaller.exe
- Pnputil.exe
- Remote.exe
- Adplus.exe
In addition some adjustments were made to Teams update.exe, path added to winword.exe, OS on syncappvpub and more
0
43
177
Approved some new additions to the LOLBAS project.
Rasautou.exe
ilasm.exe
vbc.exe
ntdsutil.exe
Thanks to
@ForensicITGuy
, Lior Adar and
@VakninHai
1
71
175
A little old random fun fact about Exchange that probably not everyone knows. Very often you will see the the following "ou=Exchange Administrative Group\FYDIBOHF23SPDLT" referenced.
That FYDIBOHF23SPDLT might look random, but it is not. (Caesar's cipher 1 to the left 😉)
10
28
173
Very sexy method for dumping NTDS.dit that I had forgotten about using IFM:
5
84
170
Many ways to execute COM:
cmd /c start shell:::{GUID}
explorer shell:::{GUID}
rundll32 url.dll, OpenURL shell:::{GUID}
Do you know some other technique?
1/2
Thanks to
@browninfosecguy
() and
@Oddvarmoe
, I have learnt something really useful, Which I'd like to share with you:-) Take a look at the picture, and Check here as well :
3
66
124
4
70
171
Well well! Microsoft removed the Windows version checks to use AppLocker! Everyone can now use AppLocker!
3
56
172
Want to improve your phishing campaign? Well then I got a trick to share with you. New blog post about Next Gen Phishing - Leveraging Azure Information Protection.
2
78
167