ProcessHider – hiding processes from monitoring tools on Windows

ProcessHider is a post-exploitation tool designed to hide processes from monitoring tools such as Task Manager and Process Explorer, preventing administrators from discovering a payload’s processes. The tool works on both 32-bit and 64-bit versions of Windows by detecting the OS version and using the matching version of the tool.

ProcessHider is available as an EXE file or as a PowerShell script.

Windows RCE exploit collection

The exploit samples database is a repository of RCE (remote code execution) exploits and proofs of concept for Windows. The samples are uploaded for educational purposes for red and blue teams.

Proofs of concept are always identified by #PoC# in the name of the relevant exploit folder. Those samples will always pop up a calculator or a message box and will therefore be easily identified by many AVs (which block the calculator shellcode).

The repository is divided into categories and sub-categories based on the different attack vectors (e.g. the Web attack vector contains the known sub-categories Flash, Silverlight or JavaScript).

Each sub-category includes a list of folders that represent the different CVEs (vulnerabilities).

Reptile – Linux kernel rootkit

Reptile is an LKM rootkit written for evil purposes that runs on kernel 2.6.x/3.x/4.x.
Would you like to see his fatality?


  • Give root to unprivileged users
  • Hide files and directories
  • Hide files contents
  • Hide processes
  • Hide himself
  • Hidden boot persistence
  • ICMP/UDP/TCP port-knocking backdoor
  • Full TTY/PTY shell with file transfer
  • Client to handle Reptile Shell


Empire GUI

The Empire Multiuser GUI is a graphical interface to the Empire post-exploitation Framework. It was written in Electron and utilizes websockets (SocketIO) on the backend to support multiuser interaction. The main goal of this project is to enable red teams, or any other color team, to work together on engagements in a more seamless and integrated way than using Empire as a command line tool.

Read more about the Empire Framework


This is a BETA release and does not have all the functionality of the full Empire Framework. The goal is to get community involvement early on to help fix bugs before adding in many of the bells and whistles. The main interaction with Agents at this point is solely through a shell prompt. The next release will have Module support, etc.


  • Multiplatform Support (OSX, Windows, Linux)
  • Traffic over HTTPS
  • User Authentication
  • Multiuser Support
  • Agent Shell Interaction

project’s github repository


Microsoft fixed four win32k kernel Escalation of Privilege vulnerabilities in the May security bulletin. This article discovers and analyzes one of these vulnerabilities, a null pointer dereference fixed by the patch, and finally attempts to implement proof-of-concept and exploitation code for it. The analysis and debugging take place in a virtual machine running a basic Windows 7 x86 SP1 environment.

To prevent attacks that exploit this vulnerability, users of the Windows operating system must install the latest official security updates as soon as possible.

0x0 Abstract

This article discovers and analyzes a kernel Escalation of Privilege vulnerability caused by a null pointer dereference in the win32k kernel module by comparing against the patch. According to the information released by FortiGuard Labs, the bug is CVE-2018-8120, which was fixed in the May patch. The vulnerability exists in the kernel function SetImeInfoEx: the function reads the memory address pointed to by the pointer field spklList of the target window station without first validating that field.

The spklList field of a window station tagWINDOWSTATION object can be 0. If a user process creates a window station whose spklList field points to the NULL address and associates that window station with the current process, then when the system service NtUserSetImeInfoEx is called to set extended IME information, the kernel function SetImeInfoEx accesses memory in the zero page, which is located in the user address space. This access causes a page fault exception, resulting in a system BSOD.

If the exploitation code in the user process allocates zero page memory in advance so that the zero page is mapped, and crafts fake kernel objects in the zero page, the kernel function will mistake the data in the zero page for a valid keyboard layout tagKL node object, which yields an arbitrary address write primitive. By using this write primitive to overwrite the function pointer field of a particular kernel object (such as tagWND), or to modify the relevant flag bits that represent kernel mode or user mode execution, arbitrary code execution becomes possible, and kernel Escalation of Privilege is ultimately achieved.

continue reading the original article at

DLL Hijacking via URL files

This blogpost describes how I got annoyed by vulnerabilities in third-party Windows applications, which allowed executing local files but without parameters. So I decided to find a vulnerability in Windows itself to properly exploit them.

The Problem

On multiple occasions I encountered an application with a vulnerability which would allow executing a local file. This means an attacker-controlled string ended up in a Windows API call like ShellExecute, although the system call itself does not really matter. The problem was that I was not able to control any parameters, e.g. I was able to pass file:///c:/windows/system32/cmd.exe but could not actually execute any malicious payload. And just opening cmd.exe, calc.exe, powershell.exe etc. is kinda boring.
So I started to brainstorm how I can abuse this kind of vulnerability and be able to actually execute my own program code:

Abusing the download folder

The first idea, which could come to mind, is abusing the vulnerable application to trigger a download of a file. As soon as the file is downloaded the vulnerability could be triggered again and the downloaded file gets executed. This approach has two problems:
1) It requires that I am able to trigger a download of a file without user interaction
2) Even if the requirement of step 1 is fulfilled, Windows has another hurdle: the Zone model for downloaded files, or to be exact: Zone.Identifiers

continue reading the original article

Living Off The Land Binaries and Scripts (and now also Libraries)

There are currently three different lists.

The goal of these lists is to document every binary, script and library that can be used for Living Off The Land techniques.

Definition of LOLBAS candidates (binaries, scripts and libraries):

  • LOLBAS candidates must be present on the system by default or introduced by application/software “installation” from a “reputable” vendor or open-source entity. Otherwise, LOLBAS determination is subject to scrutiny by the (security) community and agreed upon standards.
  • Can be used as an attacker tool directly or can perform other actions than what it was intended to do (Ex: regsvr32 – execute code from SCT online)
    • executing code
    • downloading/uploading files
    • bypass UAC
    • compile code
    • getting creds/dumping process
    • surveillance (keylogger, network trace)
    • evade logging/remove log entry
    • side-loading/hijacking of DLL
    • pass-through execution of other programs, script (via a LOLBin)
    • pass-through persistence utilizing existing LOLBin
    • persistence (Hide data in ADS, execute at logon etc)

Right now it is me that decides if the files are a valid contribution or not. I try my best to conclude with help from others in the InfoSec community and I do not wish to exclude anything. Also, please be patient if it takes some time for your contribution to be added to the list. I am just one guy.

Every binary, script and library has its own .md file in the subfolders. That way it should be easier to maintain and reuse. I have borrowed examples from the community (and a lot from Red Canary – Atomic Red Team – thanks @subtee). I would really love it if the community could contribute as much as possible. That would make it better for everyone. If you think it is hard to make a pull request using GitHub, don’t hesitate to send me a tweet and I will add the contribution for you.

project’s GitHub repository

mimikatz new release 2.1.1

It is well known for extracting plaintext passwords, hashes, PIN codes and Kerberos tickets from memory.
mimikatz can also perform pass-the-hash, pass-the-ticket, build Golden tickets, play with certificates or private keys, vault, … maybe make coffee?

mimikatz comes in two flavors: x64 or Win32, depending on your Windows version (32/64 bits).
The Win32 flavor cannot access 64-bit process memory (like lsass), but can open 32-bit minidumps under 64-bit Windows.
Some operations need administrator privileges or a SYSTEM token, so be aware of UAC from the Vista version onward.

mimikatz releases

Red Teaming/Adversary Simulation Toolkit

A collection of open source and commercial tools that aid in red team operations. This repository will help you during red team engagements. If you want to contribute to this list, send me a pull request.