Interacting with Users
Traffic Capture
Monitoring for Process Command Lines
procmon.ps1
Vulnerable Services
Docker Desktop Community Edition before 2.1.0.1 looks for the files docker-credential-wincred.exe and docker-credential-wincred.bat in the directory C:\PROGRAMDATA\DockerDesktop\version-bin\. This directory was misconfigured to allow full write access to the BUILTIN\Users group, meaning that any authenticated user on the system could write a file into it (such as a malicious executable). Any executable placed in that directory would run when a) the Docker application starts and b) a user authenticates using the command docker login.
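A defender-side check for this class of misconfiguration, added here as an example and not part of the original page: it reads a directory's ACL and reports Allow entries that grant write rights to broad, low-privilege principals. The function name and the principal list are assumptions; the path is the one named above.

```powershell
# Added example (not from the original page): audit a directory that a privileged
# program searches for executables and report ACEs granting write rights to
# broad principals. Function name and principal list are assumptions.
function Get-WeakWriteAces {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string[]] $BroadPrincipals = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users')
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        Write-Warning "Directory not found: $Path"
        return
    }

    # Any of these rights lets a principal create or replace a file in the directory.
    # Generic rights (values >= 0x10000000) are not decoded here.
    $writeRights = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
                   [System.Security.AccessControl.FileSystemRights]::AppendData -bor
                   [System.Security.AccessControl.FileSystemRights]::Write -bor
                   [System.Security.AccessControl.FileSystemRights]::Modify -bor
                   [System.Security.AccessControl.FileSystemRights]::FullControl

    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band [int]$writeRights) -ne 0) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Directory named on the page; on a fixed install this should return nothing.
Get-WeakWriteAces -Path 'C:\ProgramData\DockerDesktop\version-bin'
```

Any row returned means a non-administrator can drop a file where a privileged process will look for it; the fix is to remove the write permission for that principal or restrict it to administrators.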
SCF on a File Share
@Inventory.scf
Using SCFs no longer works on Server 2019 hosts, but we can achieve the same effect using a malicious .lnk file.
Capturing Hashes with a Malicious .lnk File
Generating a Malicious .lnk File