Study a real world example of Windows service plugin resolution abuse.
Learn how NTLM coercion techniques are discovered and documented.
Reproduce the proof of concept in an authorized lab to understand machine-account credential leaks.
| 0xhossam/uncanny | alexanderpach/low-latency-audio-pipeline | atc1441/atc_rtl_ble_oepl | |
|---|---|---|---|
| Stars | 12 | 12 | 12 |
| Language | C | C | C |
| Setup difficulty | hard | moderate | hard |
| Complexity | 5/5 | 4/5 | 5/5 |
| Audience | researcher | developer | ops devops |
Figures from each repo's GitHub metadata at analysis time.
Requires a Windows lab with Developer Mode enabled and a patched Impacket SMB server to reproduce.
UNCanny is a security research project that documents a technique for forcing a Windows machine to authenticate as itself (using its machine account) over a network, triggered by a normal user with no administrator access. This kind of technique is called NTLM coercion, and it is used in penetration testing and red team engagements to capture network credentials that can then be relayed to other systems on the same network. The author is clear that this primitive has significant limitations and is not reliable for real operations, but considers the research worth publishing. The technique works by abusing the Windows Store install service, a background process that runs with full system privileges to manage app installations. That service supports third-party plugins, and it loads them by looking up an installed package by name, finding where that package is stored on disk, and loading a DLL from that location. The key detail is that Windows allows any regular user to register a package whose install location points to a network share (a UNC path) rather than a local folder. When the install service tries to load a plugin from that network share, the operating system sends an authentication request to the attacker's server using the machine account, not the user's account. The attacker captures that credential. There is also a local privilege escalation path described in the README. If the attacker places a specially crafted DLL on the network share before the service loads it, the service will execute that DLL code as the SYSTEM account (the highest privilege level on a Windows machine). The work item the trigger creates also gets queued to disk and replays on reboot, meaning the coercion continues repeating until the registered package is removed. The main precondition that limits practical use is that Developer Mode must be enabled on the target machine. This setting allows loose-file app registration, which is what makes the UNC package registration possible. It is common on developer workstations but uncommon on locked-down corporate machines. The repository includes a proof-of-concept script and setup instructions for Kali Linux. The author notes this was published as a research artifact for others studying the same attack surface, not as a ready-to-deploy tool.
Security research documenting a Windows bug where a non-admin user can trick a system service into leaking machine-account network credentials.
Mainly C. The stack also includes C, Windows, PowerShell.
Setup difficulty is rated hard, with roughly 1day+ to a first successful run.
Mainly researcher.
This repo across BitVibe Labs
Verify against the repo before relying on details.