Phrozen Timeline - Phrozen
Timestomp 09 Aug 2022

New Unprotect C# Code Snippet added for the technique Timestomp.

This tiny code snippet demonstrates the principle of file timestomping.

Steps:

  • Enumerate the files in the current directory (excluding the target file).
  • Sort the enumerated files by modification date.
  • Take the most recent file and apply its creation, last-modification and last-access times to the target file.

Additional information:

  • Supports a relative path for the target file.
  • If no other file lives in the current directory, the date information of the current directory (the parent folder) is used instead.
  • If no other file lives in the current directory and the current directory is a root path, the timestomp procedure fails.
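The same procedure in Python, as an added example that is not the Unprotect C# snippet announced above: it enumerates the target's neighbours, takes the most recently modified one and copies its times onto the target, falls back to the parent folder when the target is alone, and refuses at a volume root. Creation time can only be written on Windows (through SetFileTime, in 100 ns FILETIME ticks); elsewhere only the last-access and last-write times are copied with os.utime. The file names used in demo() are constructed test data.

```python
"""Timestomp a file with the timestamps of its most recently modified neighbour.

Added example (not the Unprotect C# snippet announced above) implementing the
steps listed there. With no neighbour it borrows the parent folder's times; at
a volume root it refuses. File names in demo() are constructed test data.
"""
import os
import sys
import tempfile
import time
from pathlib import Path

# Offset between 1601-01-01 (FILETIME epoch) and 1970-01-01 in 100 ns ticks.
EPOCH_DIFF_TICKS = 116_444_736_000_000_000


def pick_reference(target: Path) -> Path:
    """Return the path whose timestamps get copied onto target (steps 1-3)."""
    target = target.resolve()
    directory = target.parent
    siblings = [p for p in directory.iterdir()
                if p.is_file() and p.resolve() != target]
    if siblings:
        return max(siblings, key=lambda p: p.stat().st_mtime_ns)
    if directory.parent == directory:
        raise RuntimeError(f"{directory} is a root path with no other file")
    return directory  # fall back to the parent folder's own timestamps


def _set_creation_time_windows(path: Path, creation_ns: int) -> None:
    """Write the NTFS creation time through SetFileTime (Windows only)."""
    import ctypes
    from ctypes import wintypes

    k32 = ctypes.windll.kernel32
    k32.CreateFileW.restype = wintypes.HANDLE
    k32.CreateFileW.argtypes = [wintypes.LPCWSTR, wintypes.DWORD, wintypes.DWORD,
                                wintypes.LPVOID, wintypes.DWORD, wintypes.DWORD,
                                wintypes.HANDLE]
    k32.SetFileTime.argtypes = [wintypes.HANDLE] + [wintypes.LPFILETIME] * 3
    k32.CloseHandle.argtypes = [wintypes.HANDLE]

    FILE_WRITE_ATTRIBUTES, OPEN_EXISTING = 0x100, 3
    FILE_FLAG_BACKUP_SEMANTICS = 0x02000000  # required to open a directory
    handle = k32.CreateFileW(str(path), FILE_WRITE_ATTRIBUTES, 0, None,
                             OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS, None)
    if handle == wintypes.HANDLE(-1).value:  # INVALID_HANDLE_VALUE
        raise ctypes.WinError()
    try:
        ticks = creation_ns // 100 + EPOCH_DIFF_TICKS
        ft = wintypes.FILETIME(ticks & 0xFFFFFFFF, ticks >> 32)
        # NULL for last-access and last-write: os.utime() has already set them.
        if not k32.SetFileTime(handle, ctypes.byref(ft), None, None):
            raise ctypes.WinError()
    finally:
        k32.CloseHandle(handle)


def timestomp(target, reference=None) -> Path:
    """Copy the reference's timestamps onto target; return the reference used."""
    target = Path(target)
    ref = Path(reference) if reference else pick_reference(target)
    st = ref.stat()
    os.utime(target, ns=(st.st_atime_ns, st.st_mtime_ns))
    if sys.platform == "win32":
        # Creation time is st_birthtime_ns (3.12+) or st_ctime_ns on Windows;
        # on Linux st_ctime is the inode change time and cannot be set at all.
        created = getattr(st, "st_birthtime_ns", st.st_ctime_ns)
        _set_creation_time_windows(target, created)
    return ref


def demo() -> dict:
    """Constructed scenario: two dated neighbours, then a target alone in a folder."""
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        old, recent, target = d / "old.log", d / "recent.dll", d / "payload.exe"
        for p in (old, recent, target):
            p.write_bytes(b"x")
        now = time.time()
        os.utime(old, (now - 30 * 86400,) * 2)     # modified 30 days ago
        os.utime(recent, (now - 7 * 86400,) * 2)   # modified 7 days ago
        out["reference"] = timestomp(target).name
        out["mtime_copied"] = target.stat().st_mtime_ns == recent.stat().st_mtime_ns
        out["atime_copied"] = target.stat().st_atime_ns == recent.stat().st_atime_ns
        lonely = d / "lonely"
        lonely.mkdir()
        lone = lonely / "lone.bin"
        lone.write_bytes(b"x")
        out["fallback_to_dir"] = pick_reference(lone) == lonely.resolve()
    return out


if __name__ == "__main__":
    print(timestomp(sys.argv[1]) if len(sys.argv) > 1 else demo())
```

Run it with a path to stomp that file, or without arguments to execute the constructed scenario. A caveat worth keeping in mind: SetFileTime and os.utime only rewrite the $STANDARD_INFORMATION timestamps that Explorer and stat() display; NTFS keeps a second copy in the $FILE_NAME attribute that this call does not touch, and a mismatch between the two sets is exactly what forensic analysts look for when hunting stomped files.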

Process Hollowing, RunPE 24 Jun 2022

New Unprotect Delphi Code Snippet added for the technique Process Hollowing / RunPE, supporting both x86-32 and x86-64 in a single code base.


ProcEnvInjection - Remote code injection by abusing process environment strings 17 Jun 2022

New Unprotect Delphi Code Snippet added for the technique ProcEnvInjection (remote code injection by abusing process environment strings), supporting both x86-32 and x86-64.


DLL Injection via CreateRemoteThread and LoadLibrary 17 Jun 2022

New Unprotect Delphi Code Snippet added for the technique DLL Injection via CreateRemoteThread and LoadLibrary, with support for both x86-32 and x86-64.


Checking Mouse Activity 17 Jun 2022

New Unprotect Delphi Code Snippet added for the technique Checking Mouse Activity.


OSWE (Offensive Security Web Expert) 19 Apr 2022

Certified OSWEs have a clear and practical understanding of white box web application assessment and security. They’ve proven their ability to review advanced source code in web apps, identify vulnerabilities, and exploit them.


PowerRunAsSystem 25 Feb 2022

Run an application as SYSTEM, with support for an interactive SYSTEM process in the active Windows session.

This technique does not rely on any external tool and does not require installing a Windows service.

It spawns an NT AUTHORITY\SYSTEM process through the Windows Task Scheduler, then promotes it to an interactive SYSTEM process running in the active Windows session using the Windows API.


Power Remote Desktop 27 Jan 2022

Power Remote Desktop is a fully functional remote desktop application coded entirely in PowerShell.

It does not rely on any existing remote desktop application or protocol to function. A serious advantage of this application is its nature (PowerShell) and its ease of use and installation.

This project demonstrates why PowerShell contains the word Power. It is an unfortunately often underestimated programming language that is not limited to running commands or being a fancier replacement for the old Windows command-line interpreter (cmd).


PowerRunAsAttached 03 Dec 2021

PowerRunAsAttached is a ported version of RunAsAttachedLocal in PowerShell with inline C#.

This script spawns a new interactive console as another user account inside the calling console (the same console instance/window).

For example, this tool makes vertical or horizontal privilege escalation straightforward from an already established Netcat or WinRM session.


PowerBruteLogon 01 Dec 2021

PowerBruteLogon is a ported version of WinBruteLogon in pure PowerShell.

⚠️ Notice: this version is slower than WinBruteLogon but has the serious advantage of being coded entirely in PowerShell. In the near future, password attempts will be distributed across separate threads to speed up the process. Also keep in mind that this method is very noisy: each failed attempt is logged in the Windows Event Log.

You might find useful information about the technique used in this PoC here.
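The detection side of that noise, as an added example that is not part of PowerBruteLogon or this page: on Windows every failed attempt the notice mentions becomes Security event 4625, with SubStatus 0xC000006A when the password was wrong for an existing account, and a later 4624 for the same account marks the guess that succeeded. The check below groups 4625 events per target account, slides a time window over them and flags any account that exceeds a threshold. The events are constructed test data shaped like Get-WinEvent output flattened to dictionaries; the field names, threshold and window are this example's choices.

```python
"""Flag a logon brute force in Windows Security events.

Added example, not part of PowerBruteLogon. Failed attempts land in the Security
log as event 4625 (SubStatus 0xC000006A: wrong password for an existing account).
This sliding-window check flags an account with THRESHOLD or more 4625s inside
WINDOW and records whether a 4624 (successful logon) for the same account
followed the burst. The events are constructed test data shaped like
Get-WinEvent output flattened to plain dicts.
"""
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 10                 # failures for one account ...
WINDOW = timedelta(minutes=5)  # ... within this span raise an alert


def _event(ts, event_id, user, source_ip, sub_status=None):
    return {"TimeCreated": ts, "Id": event_id, "TargetUserName": user,
            "IpAddress": source_ip, "SubStatus": sub_status}


# Constructed sample: twelve wrong-password failures against "alice" two seconds
# apart, the successful logon that ended the guessing, and one typo by "bob".
T0 = datetime(2021, 12, 1, 9, 0, 0)
SAMPLE_EVENTS = (
    [_event(T0 + timedelta(seconds=2 * i), 4625, "alice", "10.0.0.5", "0xC000006A")
     for i in range(12)]
    + [_event(T0 + timedelta(seconds=25), 4624, "alice", "10.0.0.5")]
    + [_event(T0 + timedelta(minutes=3), 4625, "bob", "10.0.0.9", "0xC000006A")]
)


def detect_bruteforce(events, threshold=THRESHOLD, window=WINDOW):
    """Return {account: summary} for every account brute-forced in the events."""
    by_account = defaultdict(list)
    for e in events:
        by_account[e["TargetUserName"].lower()].append(e)

    hits = {}
    for account, evs in by_account.items():
        failures = sorted((e for e in evs if e["Id"] == 4625),
                          key=lambda e: e["TimeCreated"])
        best, start = None, 0
        for end, e in enumerate(failures):
            # Slide the window start forward until it spans at most `window`.
            while e["TimeCreated"] - failures[start]["TimeCreated"] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[0]):
                best = (count, start, end)
        if best is None:
            continue
        count, start, end = best
        burst = failures[start:end + 1]
        last_failure = burst[-1]["TimeCreated"]
        # A success for the same account right after the burst means the
        # password was guessed, not merely attempted.
        followed = any(e["Id"] == 4624 and
                       last_failure <= e["TimeCreated"] <= last_failure + window
                       for e in evs)
        hits[account] = {
            "failures": count,
            "first": burst[0]["TimeCreated"],
            "last": last_failure,
            "sources": {e["IpAddress"] for e in burst},
            "sub_status": {e["SubStatus"] for e in burst},
            "followed_by_success": followed,
        }
    return hits


if __name__ == "__main__":
    for account, summary in detect_bruteforce(SAMPLE_EVENTS).items():
        print(f"{account}: {summary['failures']} failures between "
              f"{summary['first']:%H:%M:%S} and {summary['last']:%H:%M:%S} "
              f"from {sorted(summary['sources'])}, "
              f"success afterwards: {summary['followed_by_success']}")
```

On a live host the same dictionaries can be built from Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625,4624} by flattening the event XML. The grouping key is deliberately the account rather than the source address: for a brute force run locally on the box, as this tool does, the address field carries little information, so it is kept only as supporting context.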


