Alexander Polce Leary
Principal Security Consultant
Alexander specializes in network penetration testing and email phishing. Alexander is also involved in the research and development of various tools and frameworks including PowerShell Empire.
More by Alexander Polce Leary
Tokenvator Release 3
This blog post discusses new additions to the Tokenvator for adding Token Privileges and manually crafting access tokens.
Tokenvator: Release 2
New Tokenvator release! Now with more token privilege manipulation, new named pipe token attacks, and File System Minifilter manipulation.
.Net Reflection without System.Reflection.Assembly
This blog shows how to load a .Net Assembly without having to call the suspicious Assembly.LoadFile() or Assembly.Load() Functions. Examples of the new version of RunDotNetDll32 will also be shared that use the technique.
Tokenvator: A Tool to Elevate Privilege using Windows Tokens
Tokenvator: A Tool to Elevate Privilege using Windows Tokens – It works by impersonating or altering authentication tokens in processes that the executing process has the appropriate level of permissions to.
Executing .NET Methods with RunDotNetDll32
This blog introduces RunDotNetDll32.exe, which is a new tool for reflectively enumerating and executing .NET methods. It’s syntactically very similar to RunDll32.exe.
Targeting RSA Emergency Access Tokencodes for Fun and Profit
A few months ago, one of my RSA soft token was on the fritz. It refused to work, and I was not able to remote into the client’s network to do an internal project for them. In fiddling with the RSA self-service console, and playing around with the troubleshooting section, I came across this feature called the Emergency Access Tokencode.
Expanding the Empire with SQL
The core of PowerUpSQL is now in Empire. Let's quickly go over how these modules work in Empire as a few changes had to be made for it to be integrated.
Getting Started with WMI Weaponization – Part 6
Lets look at another practical example of weaponizing WMI using PowerShell. Earlier we went over how to create a custom WMI class. Using this class along with the Set-WmiInstance command we can create a class that we can then use to store files as Base64 Encoded strings.
Getting Started with WMI Weaponization – Part 5
Like SQL, WMI can be setup with a set of Triggers. We can use these triggers to maintain persistence on a system by launching commands after a specified event is detected. These are stored in the root/subscription namespace and fall into two broad categories, Intrinsic Events and Extrinsic Events.
Getting Started with WMI Weaponization – Part 4
In this post I’ll cover another method for recovering the ntds.dit file remotely using WMI Volume Shadow Copy methods, but the methods described here could also be used to retrieve local password hashes from the SAM and SYSTEM file.
Getting Started with WMI Weaponization – Part 3
Substantive changes to the configuration of a system can be made with WMI. These are often overlooked, as there are other and less obscure methods to accomplish the same goal. That said the ability to run these commands remotely through a different medium make these classes quite capable.
Getting Started with WMI Weaponization – Part 1
Windows Management Instrumentation (WMI) is a Microsoft management protocol derived from the Web-Based Enterprise Management (WBEM) protocol. WMI is a web service that can perform management operations on the host operating system. It has also been a part of Windows since Windows 95 where it was available as an optional feature.