Alexander Polce Leary
Principal Security Consultant
Alexander specializes in network penetration testing and email phishing. Alexander is also involved in the research and development of various tools and frameworks including PowerShell Empire.
More by Alexander Polce Leary
Tokenvator Release 3
July 22, 2021
This blog post discusses new additions to the Tokenvator for adding Token Privileges and manually crafting access tokens.
Tokenvator: Release 2
September 27, 2018
New Tokenvator release! Now with more token privilege manipulation, new named pipe token attacks, and File System Minifilter manipulation.
.Net Reflection without System.Reflection.Assembly
July 25, 2018
This blog shows how to load a .Net Assembly without having to call the suspicious Assembly.LoadFile() or Assembly.Load() Functions. Examples of the new version of RunDotNetDll32 will also be shared that use the technique.
Tokenvator: A Tool to Elevate Privilege using Windows Tokens
June 19, 2018
Tokenvator: A Tool to Elevate Privilege using Windows Tokens – It works by impersonating or altering authentication tokens in processes that the executing process has the appropriate level of permissions to.
Executing .NET Methods with RunDotNetDll32
April 24, 2018
This blog introduces RunDotNetDll32.exe, which is a new tool for reflectively enumerating and executing .NET methods. It’s syntactically very similar to RunDll32.exe.
Targeting RSA Emergency Access Tokencodes for Fun and Profit
June 13, 2017
A few months ago, one of my RSA soft token was on the fritz. It refused to work, and I was not able to remote into the client’s network to do an internal project for them. In fiddling with the RSA self-service console, and playing around with the troubleshooting section, I came across this feature called the Emergency Access Tokencode.
Expanding the Empire with SQL
May 9, 2017
The core of PowerUpSQL is now in Empire. Let's quickly go over how these modules work in Empire as a few changes had to be made for it to be integrated.
Getting Started with WMI Weaponization – Part 6
April 20, 2017
Lets look at another practical example of weaponizing WMI using PowerShell. Earlier we went over how to create a custom WMI class. Using this class along with the Set-WmiInstance command we can create a class that we can then use to store files as Base64 Encoded strings.
Getting Started with WMI Weaponization – Part 5
April 18, 2017
Like SQL, WMI can be setup with a set of Triggers. We can use these triggers to maintain persistence on a system by launching commands after a specified event is detected. These are stored in the root/subscription namespace and fall into two broad categories, Intrinsic Events and Extrinsic Events.
Getting Started with WMI Weaponization – Part 4
April 13, 2017
In this post I’ll cover another method for recovering the ntds.dit file remotely using WMI Volume Shadow Copy methods, but the methods described here could also be used to retrieve local password hashes from the SAM and SYSTEM file.
Getting Started with WMI Weaponization – Part 3
April 11, 2017
Substantive changes to the configuration of a system can be made with WMI. These are often overlooked, as there are other and less obscure methods to accomplish the same goal. That said the ability to run these commands remotely through a different medium make these classes quite capable.
Getting Started with WMI Weaponization – Part 1
April 4, 2017
Windows Management Instrumentation (WMI) is a Microsoft management protocol derived from the Web-Based Enterprise Management (WBEM) protocol. WMI is a web service that can perform management operations on the host operating system. It has also been a part of Windows since Windows 95 where it was available as an optional feature.