Convert curl commands to Python, JavaScript, PHP, R, Go, Rust, Elixir, Java, MATLAB, Dart, CFML, Ansible URI, Strest or JSON

Web (Live Demo): https://curlconverter.com/

Project: https://github.com/curlconverter/curlconverter

#tool #converter #curl #darw1n

NTLMRelay2Self over HTTP

Just a walkthrough of how to escalate privileges locally by forcing the system you landed initial access on to reflectively authenticate over HTTP to itself and forward the received connection to an HTTP listener (ntlmrelayx) configured to relay to DC servers over LDAP/LDAPs for either setting shadow credentials or configuring RBCD.

https://github.com/med0x2e/NTLMRelay2Self

#ad #ntlm #relay #rbcd #redteam

SharpHound Cheat Sheet

https://github.com/SadProcessor/HandsOnBloodHound/blob/master/BH21/BH4_SharpHound_Cheat_Dark.pdf

#sharphound #bloodhound #cheatsheet

⏱ Scheduled Task Tampering

In this post we will explore two approaches that can be used to achieve the same result: create or modify a scheduled task and execute it, without generating the relevant telemetry. First, we will explore how direct registry manipulation could be used to create or modify tasks and how this did not generate the usual entries in the eventlog. Finally, an alternative route based on tampering with the Task Scheduler ETW will be presented that will completely suppress most of logging related to the Task Scheduler.

https://labs.f-secure.com/blog/scheduled-task-tampering/

#windows #schedule #task #redteam #blueteam

🧨 RCE в BIG-IP iControl REST (CVE-2022-1388)

Эта уязвимость может позволить неаутентифицированному злоумышленнику с сетевым доступом к системе BIG-IP выполнять произвольные системные команды, создавать или удалять файлы или отключать службы (CVE-2022-1388)

Дорк для Shodan:

http.title:"BIG-IP®-+Redirect" +"Server"

PoC представлен на изображении ниже или по ссылке.

Ссылка на PoC

#web #cve #rce

🛡️Defending the Three Headed Relay

This blog discusses possible attack paths and various protections associated with Kerberos Relay activity.

https://jsecurity101.medium.com/defending-the-three-headed-relay-17e1d6b6a339

#ad #kerberos #relay #mitigation #blueteam

🛠️ Cobalt Strike and BloodHound Integration

PyCobaltHound is an Aggressor script, an extension to CobaltStrike that allows you to integrate with BloodHound so that you can request and receive reports from the same interface.

Features:

— Automatically querying the BloodHound database to discover escalation paths opened up by newly collected credentials.
— Automatically marking compromised users and computers as owned.
— Allowing operators to quickly and easily investigate the escalation potential of beacon sessions and users.

https://github.com/NVISOsecurity/pyCobaltHound

#cobaltstrike #bloodhound #redteam

📜 Abuse AD CS via dNSHostName Spoofing

This blog covers the technical details of CVE-2022-26923. Active Directory Domain Services Elevation of Privilege Vulnerability via AD CS dNSHostName Spoofing.

https://research.ifcr.dk/certifried-active-directory-domain-privilege-escalation-cve-2022-26923-9e098fe298f4

When you have SYSTEM on server/workstation:
https://gist.github.com/Wh04m1001/355c0f697bfaaf6546e3b698295d1aa1

#ad #adcs #privesc #redteam

💉 From Process Injection to Function Hijacking

This post about FunctionHijacking, a "new" process injection technique built upon Module/Function Stomping, along with experiments to break behavioral based detection of other common process injection techniques.

https://klezvirus.github.io/RedTeaming/AV_Evasion/FromInjectionToHijacking/

#av #evasion #maldev #redteam #research

🦮 BloodHound via Proxychains

For BloodHound.py ingestor to work through proxychains you need to use TCP instead of UDP for DNS queries by adding the --dns-tcp flag.

#ad #bloodhound #proxy #tricks

🔐 Dumping LSASS with AV

Sometimes Antivirus is attackers' best friend. Here is how you can use Avast AV to dump lsass memory

Commands:
.\AvDump.exe --pid 704 --exception_ptr 0 --thread_id 0 --dump_level 1 --dump_file lsass.dmp

To bypass Microsoft Defender, remember to rename the AvDump.exe file. Also, don't use the name lsass.dmp (see screenshot).

There's also Metasploit post exploitation module for this under post/windows/gather/avast_memory_dump

AvDump.exe is located at C:\Program Files\Avast Software\Avast.

You can also download AvDump.exe from this link.

VirusTotal Details:
https://www.virustotal.com/gui/file/52a57aca1d96aee6456d484a2e8459681f6a7a159dc31f62b38942884464f57b/details

#ad #evasion #lsass #dump #avast #redteam

🔍 LDAP Search Reference

A detailed reference for using ldapsearch for RedTeam operations.

https://malicious.link/post/2022/ldapsearch-reference/

#ad #ldap #ldapsearch #redteam

🛠 DNSHostName Spoofing combined with KrbRelayUp

Domain user to domain admin without the requirement for adding/owning previously a computer account. Step-by-step write-up of the attack in a pure Windows environment.

https://gist.github.com/tothi/f89a37127f2233352d74eef6c748ca25

#ad #adcs #privesc #ldap #relay #redteam

🛠 API Unhooking with Perun's Fart

An article about a new method of avoiding AV/EDR by creating a process in a suspended state and getting a copy of the ntdll from the new process before it is hijacked by AV/EDR.

Research:
https://dosxuz.gitlab.io/post/perunsfart/

PoC:
https://github.com/dosxuz/PerunsFart

#av #edr #evasion #api #unhooking #resarch

🥇 We are winners

On May 18 and 19, The Standoff was held conjunction with the forum on practical information security Positive Hack Days.

Hackers found vulnerabilities in corporate and industrial IT infrastructures, and cybersecurity specialists gained experience in preventing unacceptable events. Thousands of spectators. Unexpected decisions. Unforgettable emotions.

Our Codeby team took first place!
I want to sincerely thank each member of the team, you are the best.
Also many thanks to the organizers of the forum for creating such a large-scale event.