NetSPI Blog

Alexander Polce Leary

Alexander Leary holds a BS in Information Security and Forensics from the Rochester Institute of Technology and graduated Summa Cum Laude. Alexander has been involved in information security consulting for over 5 years. Prior to becoming involved in computer security, Alexander worked as a system administrator, network administrator, and web developer. Alexander specializes in network penetration testing and email phishing. Alexander is also involved in the research and development of various tools and frameworks including PowerShell Empire.

Alexander Polce Leary
June 19th, 2018

Tokenvator: A Tool to Elevate Privilege using Windows Tokens

Tokenvator: A Tool to Elevate Privilege using Windows Tokens WheresMyImplant is a mini red team toolkit that I have been developing over the past year in .NET. While developing and using it, I found that I consistently needed to alter my process access token to do such things as SYSTEM permissions or add debug privileges […]

Alexander Polce Leary
April 24th, 2018

Executing .NET Methods with RunDotNetDll32

This blog introduces RunDotNetDll32.exe, which is a new tool for reflectively enumerating and executing .NET methods. It’s syntactically very similar to RunDll32.exe.

Alexander Polce Leary
June 13th, 2017

Targeting RSA Emergency Access Tokencodes for Fun and Profit

A few months ago, one of my RSA soft token was on the fritz. It refused to work, and I was not able to remote into the client’s network to do an internal project for them. In fiddling with the RSA self-service console, and playing around with the troubleshooting section, I came across this feature called the Emergency Access Tokencode.

Alexander Polce Leary
May 9th, 2017

Expanding the Empire with SQL

The core of PowerUpSQL is now in Empire. Let’s quickly go over how these modules work in Empire as a few changes had to be made for it to be integrated.

Alexander Polce Leary
April 20th, 2017

Getting Started with WMI Weaponization – Part 6

Lets look at another practical example of weaponizing WMI using PowerShell. Earlier we went over how to create a custom WMI class. Using this class along with the Set-WmiInstance command we can create a class that we can then use to store files as Base64 Encoded strings.

Alexander Polce Leary
April 18th, 2017

Getting Started with WMI Weaponization – Part 5

Establishing Persistence with WMI Like SQL, WMI can be setup with a set of Triggers. We can use these triggers to maintain persistence on a system by launching commands after a specified event is detected. These are stored in the root/subscription namespace and fall into two broad categories, Intrinsic Events and Extrinsic Events. Intrinsic Events […]

Alexander Polce Leary
April 13th, 2017

Getting Started with WMI Weaponization – Part 4

Stealing the NTDS.dit File Remotely using the WMI Win32_ShadowCopy Class Dumping password hashes is a pretty common task during pentest and red team engagements. For domain controllers, it can be done a number of different ways including, but not limited to, DCSync (drsuapi), lsadump, and parsing the ntds.dit directly.  Sean Metcalf has already covered how […]

Alexander Polce Leary
April 11th, 2017

Getting Started with WMI Weaponization – Part 3

Substantive changes to the configuration of a system can be made with WMI. These are often overlooked, as there are other and less obscure methods to accomplish the same goal. That said the ability to run these commands remotely through a different medium make these classes quite capable.

Alexander Polce Leary
April 6th, 2017

Getting Started with WMI Weaponization – Part 2

A WMI class, such as Win32_Process is a grouping of like properties and methods. Using SQL as an analogy, a property is like a SQL column and a method is similar to a stored procedure.