The Black Death ravaged medieval Western Europe, ultimately wiping out roughly one-third of the population. Scientists have identified the bacterium responsible and its likely origins, but certain specifics of how and why it spread to Europe are less clear. According to a new paper published in the journal Communications Earth & Environment, either one large volcanic eruption or a cluster of eruptions might have been the triggering factor, setting off a chain of events that brought the plague to the Mediterranean region in the 1340s.
Technically, we’re talking about the second plague pandemic. The first, known as the Justinian Plague, broke out about 541 CE and quickly spread across Asia, North Africa, the Middle East, and Europe. (The Eastern Roman Emperor Justinian I, for whom the pandemic is named, actually survived the disease.) There continued to be outbreaks of the plague over the next 300 years, although the disease gradually became less virulent and died out. Or so it seemed.
In the Middle Ages, the Black Death burst onto the scene, with the first historically documented outbreak occurring in 1346 in the Lower Volga and Black Sea regions. That was just the beginning of the second pandemic. During the 1630s, fresh outbreaks of plague killed half the populations of affected cities. Another bout of the plague significantly culled the population of France during an outbreak between 1647 and 1649, followed by an epidemic in London in the summer of 1665. The latter was so virulent that, by October, one in 10 Londoners had succumbed to the disease—over 60,000 people. Similar numbers perished in an outbreak in Holland in the 1660s. The pandemic had run its course by the early 19th century, but a third plague pandemic hit China and India in the 1890s. There are still occasional outbreaks today.
European exchange WhiteBIT announced the inclusion of its native token in major digital asset benchmarks by leading global provider of financial market indices, S&P Dow Jones Indices, marking a significant step for the platform and the region’s crypto infrastructure sector.
WhiteBIT Included In Major Crypto Indices
On Thursday, top crypto exchange WhiteBIT announced that its token, WBT, has been added to the S&P Cryptocurrency Broad Digital Market (BDM) Index, curated by S&P Dow Jones Indices (DJI).
The S&P BDM Index is designed to track the performance of crypto assets that meet strict institutional criteria, including liquidity, market capitalization, governance, transparency, and risk controls, and are listed on recognized open digital exchanges.
This marks an important milestone for both WhiteBIT and the broader fintech landscape in Central and Eastern Europe, the exchange noted, as it reinforces “the platform’s growing role in the global crypto economy” and highlights the industry’s move toward regulated, infrastructure-level players.
In a statement, Volodymyr Nosov, CEO of WhiteBIT, affirmed that “being recognized by S&P DJI is more than an index inclusion — it signals that crypto infrastructure from our region has reached global institutional standards.”
The announcement also revealed that WBT was added to the other four S&P Dow Jones digital-asset indices, including the S&P Cryptocurrency Broad Digital Asset (BDA) Index, S&P Cryptocurrency Financials Index, S&P Cryptocurrency LargeCap Ex-MegaCap Index, and the S&P Cryptocurrency LargeCap Index.
Notably, index providers have been expanding coverage beyond protocol-layer tokens as the industry matures, acknowledging the systemic role of exchanges and financial infrastructure platforms, positioning these companies within the global map of institutional-grade digital asset providers.
The exchange underscored that the classifications require a remarkable record of liquidity stability, transparent price formation, and consistent market cap behavior. “This is a turning point not only for our company but also for the evolution of compliant crypto services worldwide,” Nosov continued.
WhiteBIT’s Expansion And WBT’s Momentum
The S&P index inclusions follow a strong market performance from WBT, which rallied around 50% over the last three months, despite recent market volatility that sent many leading tokens to multi-month lows in the past few weeks.
In mid-November, the altcoin reached an all-time high (ATH) of $62.96, fueled by last month’s positive developments. As reported by Bitcoinist, WhiteBIT unveiled its entry into the Argentine and Brazilian markets, building on its expansion to Australia, Croatia, Italy, and Kazakhstan.
The move is expected to integrate local fiat providers and add support for local currencies, aiming to further enhance accessibility and convenience for domestic users in the two largest countries in South America.
Moreover, the exchange signed a strategic cooperation agreement with Durrah AlFodah Holding, represented by His Royal Highness Prince Naif Bin Abdullah Bin Saud Bin Abdulaziz Al Saud, to drive the Kingdom’s development in blockchain technology, digital finance, and data infrastructure.
Under the strategic agreement, WhiteBIT is set to provide technological expertise and infrastructure design. Meanwhile, Durrah AlFodah will facilitate the exchange’s market entry, regulatory engagement, and partnership development across Saudi Arabia.
Now, being part of S&P’s indices offers WBT a clear benchmark, the announcement added, facilitating its use in future financial products and long-term investment strategies.
This expanded representation marks an important shift for WBT: from a utility token into a component integrated into global benchmark structures used by investment firms, ETF/ETN designers, and quantitative research platforms. Its presence in multiple institutional models means that WBT is now incorporated into the analytical frameworks that guide long-term allocation strategies, diversified exposure construction, and risk-adjusted portfolio modelling.
In the late hours of December 3, WBT rallied to a new ATH of $63.05 before stabilizing around the $62 mark, according to CoinGecko data. This represents a 14.5% increase from the recent lows and a 9% surge in the weekly timeframe.
One of the major difficulties in studying electricity, especially when compared to many other physical phenomena, is that it cannot be observed directly by human senses. We can manipulate it to perform various tasks and see its effects indirectly, like the ionized channels formed during lightning strikes or the resistive heating of objects, but its underlying behavior is largely hidden from view. Even mathematical descriptions can quickly become complex and counter-intuitive, obscured behind layers of math and theory. Still, [lcamtuf] has made some strides in demystifying aspects of electricity in this introduction to analog filters.
The discussion on analog filters looks at a few straightforward examples first. Starting with a resistor-capacitor (RC) filter, [lcamtuf] explains it by breaking its behavior down into steps of how the circuit behaves over time. Starting with a DC source and no load, and then removing the resistor to show just the behavior of a capacitor, shows the basics of this circuit from various perspectives. From there it moves into how it behaves when exposed to a sine wave instead of a DC source, which is key to understanding its behavior in arbitrary analog environments such as those involved in audio applications.
There’s some math underlying all of these explanations, of course, but it’s not overwhelming like a third-year electrical engineering course might be. For anyone looking to get into signal processing or even just building a really nice set of speakers for their home theater, this is an excellent primer. We’ve seen some other demonstrations of filtering data as well, like this one which demonstrates basic filtering using a microcontroller.
As the market rebounds, Solana (SOL) is retesting a crucial area that has served as resistance since the November pullbacks. Some market watchers suggest that a short-term rally is likely, while others have highlighted potential signs of weakness.
Solana Eyes $144 Resistance
Solana is attempting to turn the $140 area into support while nearing a key local resistance for the third time in a month. The cryptocurrency has been trading between the $120-$144 levels since mid-November, struggling to hold the high zone of its local range amid the recent market volatility.
Last week, it bounced 10% toward the $140-$144 area but plunged to the range lows after Sunday’s correction, hitting a one-week low of $123 on Monday. As a result, it tested an ascending trendline that has served as support since 2023.
Ali Martinez explained that during the pullbacks, SOL has retested this key support trendline. Notably, each time the cryptocurrency has tapped this trendline, it has registered strong rebounds in the following months, suggesting that the price could rally more than 80% in the mid-term if this support holds.
Following Tuesday’s market rebound, SOL climbed back to the range’s highs, attempting to break above the local range once more. Market observer More Crypto Online affirmed that Wednesday’s rejection from $144 was expected, as it has been a strong resistance for weeks.
The trader considers that investors should not worry as long as the mid-zone of its range, between the $134-$139 levels, holds as support. “It’s not really a breakdown yet; we just have a first sharp pullback,” he affirmed, emphasizing that there’s no evidence that bears are taking the lead.
He noted that breaking below the mid-zone of its range would open the door to a retest of the recent lows and potentially risk a drop to the $117 area or lower. Nonetheless, if bulls take the lead and reclaim the $144 level as support, it will open the door to a retest of higher levels, including the $163 level, where the major next sell wall for SOL is situated.
Is SOL’s Crucial Support Weakening?
Meanwhile, Rekt Capital shared an analysis on longer timeframes, pointing out that Solana has been moving within a clear macro range, situated between the $123 and $296 levels, in the monthly timeframe, clustering in this area since early 2024.
Per the analyst, the cluster has been developing for an extended period, and the potential for distribution and its function as a re-accumulation structure decreases the longer it continues.
Despite this, he emphasized that the focus is on the 21-month horizontal support level. As the analysis noted, Solana recorded a 140% rally during the first major rebound from the region in Q3 and Q4, 2024.
In the second rebound from this support, which started in Q3 2025, SOL saw a significantly smaller rally, surging around 100% to its September local high. Now, the cryptocurrency is rebounding from this level, which could confirm a decreasing trend for the altcoin and raise the alarm about its strength.
“While it is positive to see this rebound, if the move turns into a weaker rebound than the previous ones, then questions will arise regarding the strength of this support,” Rekt Capital asserted.
To prevent this, Solana must breach the one-year downtrend or the multi-week downtrend on the weekly timeframe. “Failing to break either of these trendlines would produce a smaller rally because the prior rebound — the one that rallied around 100% — would fall short and reject from these downtrends instead.”
The analyst concluded that a sequence of progressively smaller bounces “would imply increasing weakness into that support, which in turn would favour the potential for distribution in Solana over time.”
As the whole crypto market bled, Zcash (ZEC) started December with a massive one-day pullback, leading the losses among top cryptocurrencies. While some market observers suggest that the altcoin is positioned for a major move, others have warned that the price risks another major correction in the coming weeks.
Zcash Loses Key Support Levels Amid Crash
Following the late Sunday market correction, Zcash has lost crucial levels and fallen to one-month lows. Over the past three months, the cryptocurrency has seen a parabolic rally, surging over 1,775% to its all-time high (ATH) of $750 in early November.
Since its ATH rally, the altcoin has been trading within the $440-$720 levels, bouncing between the range’s upper and lower boundaries amid the recent market volatility. However, the end-of-November pullback saw ZEC’s price unsuccessfully retest its key support area, closing the day below this area for the first time in nearly a month.
After losing this zone, Zcash continued to drop below other key support levels, breaking down the $400 barrier and hitting a local low of $328 on Monday morning before bouncing to the $340 area.
Amid this performance, some market observers warned that the altcoin could be in trouble and further bleeding may occur in the coming weeks. Sjuul from AltCryptoGems highlighted that ZEC registers the biggest price drops in the weekly and daily timeframes, with declines of 40.2% and 24%, respectively.
The analyst previously pointed out that the cryptocurrency lost its uptrend after falling below the EMA200, recording “a perfect bearish retest followed by a strong rejection” last week. As a result, Sjuul suggested that if Zcash did not reclaim the key moving average, the cryptocurrency would be positioned for a breakdown to lower support levels.
Similarly, Altcoin Sherpa considers that ZEC could drop another 30%-40% to the $200 area after losing the crucial $440 support. Nonetheless, he added that the price will likely see short-term bounces during its retracement.
ZEC’s Correction: Nothing To Worry About?
Mert Mumtaz, Helius co-founder and CEO, affirmed that a correction after a 700% rally “is normal,” adding that the privacy token “looks great” on higher timeframes. Notably, the cryptocurrency still shows 700% and 485% increases on the three-month and one-year timeframes.
The CEO also highlighted Zcash’s strengths: “privacy is not a narrative, private money is the entire purpose of crypto,” suggesting that the altcoin is positioned to challenge other leading cryptocurrencies like XRP in the future.
Meanwhile, another pseudonymous market watcher considers that Zcash is preparing for a big move despite the correction. According to X analyst Make Sense, the cryptocurrency is at a make-or-break level after falling to the $320 mark, its first major support area below the November range.
If ZEC holds the current range, the price could reclaim its recently lost range and bounce to its $500-$600 mid-range. On the contrary, if it loses its current levels, the cryptocurrency could retest the $280 and even $200 area, he affirmed, before a trend reversal.
“This is where market makers decide the next trend: bounce early → mid-range rally or deep sweep → full trend reversal. Either way, volatility is about to explode,” he explained.
As of this writing, Zcash is trading at $338, a 20% decline in the monthly timeframe.
Bitcoin has rallied more than 12% since last week’s sharp drop to the $80,000 low, offering the market a brief moment of relief after an intense period of capitulation. Despite this rebound, fear and uncertainty continue to dominate sentiment, especially following what analysts describe as the largest short-term holder capitulation in Bitcoin’s history.
This wave of realized losses—fast, aggressive, and record-breaking—has left many investors questioning whether the recent recovery is sustainable or simply a temporary bounce in a broader downtrend.
According to new data from Glassnode, the path ahead remains challenging. Analysts explain that Bitcoin must break above the major supply clusters created by top buyers earlier in the cycle if it is to regain meaningful upward momentum.
These clusters represent areas where a large number of investors previously bought at higher prices and may now look to exit at breakeven, increasing the likelihood of heavy sell-side pressure as BTC climbs.
Bitcoin Faces Critical Supply Barriers
Glassnode reports that Bitcoin is now approaching two major supply clusters that will play a decisive role in determining whether the recent rebound can evolve into a sustained recovery. The first cluster sits between $93,000 and $96,000, while the second—much larger and more structurally important—spans $100,000 to $108,000.
These zones were formed by heavy buying activity earlier in the cycle and represent areas where many investors are currently underwater or sitting near breakeven.
Because of this, Glassnode notes that these ranges typically act as strong resistance, as recent buyers who endured the latest drawdown may choose to sell once the price returns to their entry levels. This dynamic can create temporary supply walls, slowing down momentum even in moments of aggressive recovery.
Bitcoin’s ability to break through these clusters will determine whether it can re-establish a path toward a new all-time high or remain trapped under heavy distribution pressure. The market is now entering a critical phase, with traders closely watching how BTC behaves as it approaches these levels. A clean breakout would signal renewed confidence, while rejection could signal that the broader corrective structure is not yet over.
Testing Support After a Sharp Multi-Week Selloff
Bitcoin’s weekly chart shows a market attempting to stabilize after one of the most aggressive drawdowns of the cycle. BTC has rebounded to the $91,500 area following a deep wick to the $80K region last week, signaling that buyers are finally stepping in at key support. This rebound coincides with a strong weekly candle showing a long lower shadow, a classic sign of demand absorption during heavy selloffs.
However, despite this bounce, the broader structure remains fragile. The price is trading below the 50-week moving average, a level that previously acted as reliable support throughout the bull phase. Losing this dynamic support earlier in the month was a significant technical break, and BTC is now attempting to reclaim it from below—typically a challenging move that often acts as resistance.
The 100-week moving average around the mid-$80K region has proven critical, halting the decline and serving as the primary area where buyers defended the trend. As long as BTC holds above this zone, the broader market avoids confirming a deeper macro reversal.
Volume remains elevated, reflecting capitulation-level activity, and the market is now in a decisive phase. A sustained close above $92K–$94K would strengthen recovery prospects, while rejection would risk another retest of the $80K support.
While the crypto market bounces from last week’s correction, Bitcoin (BTC) is attempting to reclaim a crucial area as support to continue its recovery rally. As the flagship crypto faces some resistance, some market watchers have suggested that this week’s close may be key for its end-of-year performance.
Bitcoin Faces Rejection Ahead Of November Close
Bitcoin has retested a crucial resistance level for the first time in a week, hitting a one-week high of $93,092 on Friday morning before retracing. The flagship crypto has failed to hold crucial support levels throughout the November corrections, trading below $100,000 for nearly two weeks.
A week ago, BTC plunged below $90,000 during the latest market correction, reaching a seven-month low of $80,600. However, the cryptocurrency led this week’s broader recovery, reclaiming key levels over the past few days.
Amid its recent performance, some market observers have noted that Bitcoin is currently retesting a crucial re-accumulation region, between $82,000 and $93,000, where the price consolidated after previous pullbacks, including the Q1 market correction.
Analyst Rekt Capital highlighted that BTC rebounded more than 7% from the local bottom and has revisited the range high resistance during Friday’s recovery. Now, Bitcoin is attempting to hold the high zone of its local range, retesting the $90,000-$91,000 area as support after being rejected from the key resistance.
Previously, he pointed out that last week’s weekly close aligned with the flagship crypto’s monthly range, setting the stage for a potential floor around the $86,000 area, which would develop a new range between this level and the $93,000 resistance.
To the analyst, Bitcoin must close the week, which also coincides with November’s monthly close, above $93,500 and turn this level into support if it wants to further build on its newfound momentum and potentially revisit its two-month downtrend line, which currently sits near the $96,000 mark.
“The ~$93500 level happens to be a Four-Year Cycle level. History suggests price should be able to find a way to 12-month close above ~$93500 to finish 2025 green,” Rekt Capital added on X.
$98,000 Rally or $88,000 Drop Next?
Market watcher Ted Pillows discussed BTC’s short-term future as it faces some resistance around the $92,000-$93,000 levels. To the analyst, reclaiming this area could propel the price towards the $98,000-$100,000 barrier in the coming weeks.
On the contrary, he suggested that failing to reclaim this level will send Bitcoin’s price below the $88,000 mark. Earlier this week, Ted warned that this was one of the most important levels to reclaim and hold as support in the short term, as a rejection from this area could trigger a significant drop below the recent lows.
Similarly, Daan Crypto Trades noted that the constant sell-off of the past few weeks has created “a ton of marginally lower highs, creating such a big liquidity pocket” between the $97,000-$98,000 zone.
This region also aligns with key horizontal price levels in bigger timeframes, making it a “good area to watch,” as BTC continues to consolidate in a relatively tight range.
The trader considers that if BTC’s price breaks down, the $88,000 mark could be a good place for a higher low. However, if the price holds above the $91,800 level, it may trigger another retest of the $93,000 resistance.
Ultimately, he warned that the market could likely see a “Choppy environment in the short-term surrounding Thanksgiving, which always sees pretty low volume & liquidity.”
As of this writing, Bitcoin is trading at $90,500, a 1.1% decline in the daily timeframe.
Bitcoin may be closing in on a new all-time high after moves in the derivatives market and fresh buying from large holders, according to market watchers and on-chain data.
Max Keiser, a long-time Bitcoin advocate, pointed to a filing by Nasdaq to increase options limits for BlackRock’s IBIT to 1 million contracts — a jump that represents roughly a 40x expansion from prior levels — as a key development that could remove barriers to bigger institutional flows.
Options Market Expands Significantly
According to Nasdaq paperwork and public commentary, the previous 25,000 contract cap had been seen by some as too small for rising volume.
Market experts argued that earlier limits were “discriminatorily small” and suggested that 400,000 contracts would be a more reasonable baseline given current demand.
Some described the change as a move that could place IBIT into a mega-cap derivatives category, unlocking follow-on effects for how banks and funds structure exposure to bitcoin.
I first explained this in 2017:
Now that BTC derivatives market was just expanded by 40x
New ATH’s are in play.
**November 2, 2017**
Max Keiser first discussed Bitcoin market makers needing to expand their inventory to support higher prices in this X post: “Wall St traders… https://t.co/aBQ5DdSDay
Market makers will be able to hedge larger positions without hitting the old size wall, which can lower spreads and deepen available liquidity.
Based on reports, that also means banks can build structured notes that use IBIT as a reference without tripping existing risk caps — and JPMorgan is reportedly preparing Bitcoin-backed structured notes that would track BlackRock IBIT.
Those products could channel steady, institutional flows into the market rather than one-off spikes.
On-Chain Buyers Step In
According to Glassnode’s Accumulation Trend Score by cohort, holders of 10,000 BTC or more have flipped to net accumulation and now show a score of 0.8, signaling strong buying.
The 1,000 to 10,000 BTC group has also turned positive for the first time since September, while the 100 to 1,000 BTC cohort has been in active accumulation since October and continued buying through recent declines. Even retail holders with less than 1 BTC are showing their strongest accumulation since July.
Price Action And Value Zones
Bitcoin’s price behavior supports the buying narrative. The token fell into the low $80,000 area that served as support in May and then climbed back above $90,000 quickly, which many traders took as a sign that the market sees value in the $80,000 zone.
Based on reports, the average cost basis for US spot bitcoin ETFs was near $82,000, and that figure has been cited as a reason institutions found the dip attractive.
Market Risks And Short-Term Noise
Keiser had warned previously that when size limits blocked hedging, the market would be prone to pullbacks — and some analysts say that is part of the reason for recent volatility.
Expanding the options cap allows volume sellers to enter more smoothly, which could reduce erratic swings but will not erase market risk.
Price spikes are still possible and downside moves remain a real threat if flows slow or macro conditions shift.
You have that slide rule in the back of the closet. Maybe it was from your college days. Maybe it was your Dad’s. Honestly. Do you know how to use it? Really? All the scales? That’s what we thought. [Amen Zwa, Esq.] not only tells you how slide rules came about, but also how to use many of the common scales. You can also see his collection and notes on being a casual slide rule collector and even a few maintenance tips.
The idea behind these computing devices is devilishly simple. It is well known that you can reduce a multiplication operation to addition if you have a table of logarithms. You simply take the log of both operands and add them. Then you do a reverse lookup in the table to get the answer.
For a simple example, you know the (base 10) log of 10 is 1 and the log of 1000 is 3. Adding those gives you 4, and, what do you know, 10^4 is 10,000, the correct answer. That’s easy when you are working with numbers like 10 and 1000 with base 10 logarithms, but it works with any base and with any wacky numbers you want to multiply.
The slide rule is essentially a log table on a stick. That’s how the most common scales work, at least. Many rules have other scales, so you can quickly, say, square or cube numbers (or find roots). Some specialized rules have scales for things like computing power.
We collect slide rules, too. Even oddball ones. We’ve often said that the barrier of learning to use a slide rule weeded out many bad engineers early.
Computers are extremely good with numbers, but they haven’t gotten many human mathematicians fired. Until recently, they could barely hold their own in high school-level math competitions.
But now Google’s DeepMind team has built AlphaProof, an AI system that matched silver medalists’ performance at the 2024 International Mathematical Olympiad, scoring just one point short of gold at the most prestigious undergrad math competition in the world. And that’s kind of a big deal.
True understanding
The reason computers fared poorly in math competitions is that, while they far surpass humanity’s ability to perform calculations, they are not really that good at the logic and reasoning that is needed for advanced math. Put differently, they are good at performing calculations really quickly, but they usually suck at understanding why they’re doing them. While something like addition seems simple, humans can do semi-formal proofs based on definitions of addition or go for fully formal Peano arithmetic that defines the properties of natural numbers and operations like addition through axioms.
For quite an extensive period of time we have been covering different ways PowerShell can be used by hackers. We learned the basics of reconnaissance, persistence methods, survival techniques, evasion tricks, and mayhem methods. Today we are continuing our study of PowerShell and learning how we can automate it for real hacking tasks such as privilege escalation, AMSI bypass, and dumping credentials. As you can see, PowerShell may be used to exploit systems, although it was never created for this purpose. Our goal is to make it simple for you to automate exploitation during pentests. Things that are usually done manually can be automated with the help of the scripts we are going to cover. Let’s start by learning about AMSI.
AMSI is the Antimalware Scan Interface. It is a Windows feature that sits between script engines like PowerShell or Office macros and whatever antivirus or EDR product is installed on the machine. When a script or a payload is executed, the runtime hands that content to AMSI so the security product can scan it before anything dangerous runs. It makes scripts and memory activity visible to security tools, which raises the bar for simple script-based attacks and malware. Hackers constantly try to find ways to keep malicious content from ever being presented to it, or to change the content so it won’t match detection rules. You will see many articles and tools that claim to bypass AMSI, but soon after they are released, Microsoft patches the vulnerabilities. Since it’s important to be familiar with this attack, let’s test our system and try to patch AMSI.
First we need to check if the Defender is running on a Russian target:
As you know by now, there are a few ways to execute scripts in PowerShell. We will use a basic one for demonstration purposes:
PS > .\shantanukhande-amsi.ps1
If your output matches ours, then AMSI has been successfully patched. From now on, the Defender does not have access to your PowerShell sessions and any kind of scripts can be executed in it without restriction. It’s important to mention that some articles on AMSI bypass will tell you that downgrading to PowerShell Version 2 helps to evade detection, but that is not true. At least not anymore. Defender actively monitors all of your sessions and these simple tricks will not work.
Since you are free to run anything you want, we can execute Mimikatz right in our session. Note that we are using Invoke-Mimikatz.ps1 by g4uss47, and it is the updated PowerShell version of Mimikatz that actually works. For OPSEC reasons we do not recommend running Mimikatz commands that touch other hosts because network security products might pick this up. Instead, let’s dump LSASS locally and inspect the results:
Now we have the credentials of brandmanager. If we compromised a more valuable target in the domain, like a server or a database, we could expect domain admin credentials. You will see this quite often.
Privilege Escalation with PowerUp
Privilege escalation is a complex topic. Frequently systems will be misconfigured and people will feel comfortable without realizing that security risks exist. This may allow you to skip privilege escalation altogether and jump straight to lateral movement, since the compromised user already has high privileges. There are multiple vectors of privilege escalation, but among the most common ones are unquoted service paths and insecure file permissions. While insecure file permissions can be easily abused by replacing the legitimate file with a malicious one of the same name, unquoted service paths may require more work for a beginner. That’s why we will cover this attack today with the help of PowerUp. Before we proceed, it’s important to mention that this script has been known to security products for a long time, so be careful.
Finding Vulnerable Services
Unquoted Service Path is a configuration mistake in Windows services where the full path to the service executable contains spaces but is not wrapped in quotation marks. Because Windows treats spaces as separators when resolving file paths, an unquoted path like C:\Program Files\My Service\service.exe can be interpreted ambiguously. The system may search for an executable at earlier, shorter segments of that path (for example C:\Program.exe or C:\Program Files\My.exe) before reaching the intended service.exe. A hacker can place their own executable at one of those earlier locations, and the system will run that program instead of the real service binary. This works as a privilege escalation method because services typically run with higher privileges.
Now let’s test the service names and see which one will get us local admin privileges:
PS > Invoke-ServiceAbuse -Name 'Service Name'
If successful, you should see the name of the service abused and the command it executed. By default, the script will create and add user john to the local admin group. You can edit it to fit your needs.
The results can be tested:
PS > net user john
Now we have an admin user on this machine, which can be used for various purposes.
With enough privileges we can dump NTDS and SAM without having to deal with security products at all, just with the help of native Windows functions. Usually these attacks require multiple commands, as dumping only NTDS or only a SAM hive does not help. For this reason, we have added a new script to our repository. It will automatically identify the type of host you are running it on and dump the needed files. NTDS only exists on Domain Controllers and contains the credentials of all Active Directory users. This file cannot be found on regular machines. Regular machines will instead be exploited by dumping their SAM and SYSTEM hives. The script is not flagged by any AV product. Below you can see how it works.
Attacking SAM on Domain Machines
To avoid issues, bypass the execution policy:
PS > powershell -ep bypass
Then dump SAM and SYSTEM hives:
PS > .\ntds.ps1
Wait a few seconds and find your files in C:\Temp. If the directory does not exist, it will be created by the script.
Next we need to exfiltrate these files and extract the credentials:
bash$ > secretsdump.py -sam SAM -system SYSTEM LOCAL
Attacking NTDS on Domain Controllers
If you have already compromised a domain admin, or managed to escalate your privileges on the Domain Controller, you might want to get the credentials of all users in the company.
We often use Evil-WinRM to avoid unnecessary GUI interactions that are easy to spot. Evil-WinRM allows you to load all your scripts from the machine so they will be executed without touching the disk. It can also patch AMSI, but be really careful.
Evil-WinRM has a download command that can help you extract the files. After that, run this command:
bash$ > secretsdump.py -ntds ntds.dit -sam SAM -system SYSTEM LOCAL
Summary
In this chapter, we explored how PowerShell can be used for privilege escalation and complete domain compromise. We began with bypassing AMSI to clear the way for running offensive scripts without interference, then moved on to credential dumping with Mimikatz. From there, we looked at privilege escalation techniques such as unquoted service paths with PowerUp, followed by dumping NTDS and SAM databases once higher privileges were achieved. Each step builds on the previous one, showing how hackers chain small misconfigurations into full organizational takeover. Defenders should also be familiar with these attacks, as this will help them tune their security products. For instance, seemingly harmless actions such as creating a shadow copy to dump NTDS and SAM can be spotted if you monitor Event ID 8193 and Event ID 12298. Many activities can be monitored, even benign ones. It depends on where defenders are looking.
Sharing the Swedish concept of ‘death cleaning’, Margareta Magnusson’s ‘Dostadning’ is a handy book to have, if for nothing but tips that can help the decluttering process too.
‘A fond and wise little book’ is what the New York Times called it and I would agree. I stumbled on this book at a time when I had – desperately – turned to the Internet for solutions on ways to convince my mother to declutter. She is a habitual hoarder who has preserved everything – from gift boxes that came our way over 15 years ago to frying pan sets and of course, the usual photographs, baby clothes etc. And considering the fact that I hoard books because “what if there’s an apocalypse and I have all the time in the world”, it’s best I put a pause on the commentary.
The Internet listed this book in its set of suggestions and I was caught by the musically assertive sounding word – “Dostadning”. As I read the blurb, I was intrigued.
The Crux
Margareta Magnusson’s book isn’t a preachy, morbid book that laments death. Instead, it treats death as a fact of life, which, despite its heartbreaking nature, it is. The author – who is a professional ‘death cleaner’ – advocates the idea of taking care of your possessions, to, among other things, ensure what you value goes to an individual or place that appreciates it and your immediate family or loved ones do not have to bear the burden of sorting through your things after you’ve moved on.
Following the initial introductory chapters, the author has divided the chapters on the basis of the things that form a part of life and have to be dealt with later – artefacts and articles, knickknacks and photographs, pets, clothing and more. The author downplays the gravity by interspersing her suggestions with instances from her life, with memories attached to her own death cleaning, personal and professional.
To Read or Not to Read
What stands out for me in this particular read is that the tips that she has given are practical enough such that they need not be relegated to the concept of death cleaning alone. These tips are helpful when you are changing homes, moving to another city/country or downsizing/decluttering as is evident in the photograph above – note the number of stickers peeping out of the book! I recommend this book for those looking for such practical tips and have added it to my mother’s bedside pile of books she should read.
I would, however, also add a ‘trigger’ label to this particular book for those who’ve seen death at close quarters – it may bring back memories that aren’t necessarily good, it may remind you of moments of grief that may throw you into despair. That is not the intention of this book in any way but there is no discounting the unpredictability of the human mind and emotions so I’d recommend that those who continue to struggle with the concept of death take their time with this book, if at all.
P.S Available to be borrowed by fellow bibliophiles in Ahmedabad.