DCOMRunAs instantiates COM objects in the session of a logged-on user on a remote machine. By targeting a COM object subject to DLL hijacking and dropping a custom DLL at that path, the payload...
BitlockMove Lateral Movement via Bitlocker DCOM & COM Hijacking. This Proof of Concept (PoC) for Lateral Movement abuses the fact, that some COM Classes configured as INTERACTIVE USER will spawn a process in the context of...
Microsoft has issued a warning over the growing surge of large-scale ClickFix phishing attacks and has recommended that system administrators restrict the use of command-line tools and disable the Run dialog in Windows. This...
EByte-AMSI-ProxyInjector A lightweight tool that injects a custom assembly proxy into a target process to silently bypass AMSI scanning by redirecting AmsiScanBuffer calls. It suspends the target’s threads, patches the function to always return...
Researchers at Resecurity have drawn attention to an exceptionally dangerous attack that enables adversaries to seize full control over an organization’s Active Directory domain infrastructure—all while exploiting default Windows configurations. The technique combines MITM6,...
A newly evolved strain of the Coyote banking trojan has adopted an unconventional method of user surveillance on Windows systems. Malicious actors have learned to exploit Microsoft’s UI Automation (UIA) framework—originally designed to aid...
NativeDump allows to dump the lsass process using only NTAPIs generating a Minidump file with only the streams needed to be parsed by tools like Mimikatz or Pypykatz (SystemInfo, ModuleList and Memory64List Streams). NTOpenProcessToken...
There is no shortage of protective tools today, yet unfortunately, the number of threats continues to outpace them—particularly those that operate subtly and invisibly, penetrating the very core mechanisms of an operating system. Detecting...
Microsoft has released a new Windows 11 update (Build KB5060838) for participants of the Windows Insider Program in the Dev Channel. This update introduces both publicly available enhancements and features that are being gradually...
PPL Exploit PoC (Proof of Concept) This repository contains a C++ Proof of Concept (PoC) demonstrating the exploitation of Windows Protected Process Light (PPL) using COM-to-.NET redirection and reflection techniques for code injection. The...
