Suspicious Named Pipe Events

https://medium.com/falconforce/falconfriday-suspicious-named-pipe-events-0xff1b-fe475d7ebd8

#windows #pipe #events #blueteam #redteam

Active Directory ACL Visualizer and Explorer

adalanche tool gives instant results, showing you what permissions users and groups have in an Active Directory. It is useful for visualizing and exploring who can take over accounts, machines or the entire domain, and can be used to find and show misconfigurations.

https://github.com/lkarlslund/adalanche

#ad #acl #visualizer #blueteam #redteam

Network Access Control (NAC) Bypass

This post will be all about Network Access Control (NAC) solutions and how they might lull you into a sense of security.

https://luemmelsec.github.io/I-got-99-problems-but-my-NAC-aint-one/

#nac #bypass #pentest

LdrLoadDll-Unhooking

https://github.com/trickster0/LdrLoadDll-Unhooking

#edr #evasion #dll #cpp

Ares

This project is a PoC loader written in C/C++ based on the Transacted Hollowing technique. It features:

— PPID spoofing
— Dynamic function resolution with API hashing
— NTDLL unhooking
— AES256 CBC Encryption
— CIG to block non-Microsoft-signed binaries

https://github.com/Cerbersec/Ares

#edr #evasion #cpp

Vergilius

A collection of Microsoft Windows kernel structures, unions and enumerations. Most of them are not officially documented and cannot be found in Windows Driver Kit (WDK) headers. The target audience of this site is driver developers and kernel researches

https://www.vergiliusproject.com/

#windows #driver #kernel

Malware Analysis: Syscalls

Great guide and overview about Syscalls and how to start diagnosing them.

https://jmpesp.me/malware-analysis-syscalls-example/

#maldev #cpp #syscall

Evading WinDefender ATP Credential Theft

https://b4rtik.github.io/posts/evading-windefender-atp-credential-theft-kernel-version/

#windows #native #api #kernel #cpp

Active Directory Checklist — Attack & Defense Cheatsheet

https://cybersecuritynews.com/active-directory-checklist/

#ad #cheatsheet #redteam #blueteam

DevSecOps pipelines

— Secrets scan
— Code scan
— Dependency check (code libraries + image packages)
— DAST
— Exposures check

Pipelines:
https://gitlab.com/whitespots-public/pipelines

Security scanners:
https://gitlab.com/whitespots-public/security-images

Example project integration:
https://gitlab.com/whitespots-public/vulnerable-python-app

#appsec #devsecops #pipelines

LDAP Relay Scan

A tool to check Domain Controllers for LDAP server protections regarding the relay of NTLM authentication.

https://github.com/zyn3rgy/LdapRelayScan

#ad #ldap #scan #tools

Adding DCSync Permissions from Linux

https://www.n00py.io/2022/01/adding-dcsync-permissions-from-linux/

#ad #dcsync #linux

Process Ghosting

This article describes a new executable image tampering attack similar to, but distinct from, Doppelgänging and Herpaderping. With this technique, an attacker can write a piece of malware to disk in such a way that it’s difficult to scan or delete it — and where it then executes the deleted malware as though it were a regular file on disk. This technique does not involve code injection, process hollowing, or Transactional NTFS (TxF).

Research:
https://www.elastic.co/blog/process-ghosting-a-new-executable-image-tampering-attack

C# Code Snippet:
https://github.com/Wra7h/SharpGhosting

#edr #evasion #process #ghosting #csharp

aesKrbKeyGen

Script to calculate Active Directory Kerberos keys (AES256 and AES128) for an account, using its plaintext password. Either of the resulting keys can be utilized with Impacket's getTGT.py to obtain a TGT for the account, provided it is configured to support AES encryption.

https://github.com/Tw1sm/AesKrbKeyGen

#ad #kerbeos #tgt #tools

Finding Sensitive Files for BugBounty

— /proc/self/cwd/index.php
— /proc/self/cwd/main.py
— /etc/motd
— /proc/net/udp
— /proc/net/arp
— /proc/self/environ
— /var/run/secrets/kubernetes.io/serviceaccount
— /proc/cmdline
— /proc/mounts
— /etc/motd
— /etc/mysql/my.cnf
— /proc/sched_debug
— /home/ user/.bash_history
— /home/user/.ssh/id_rsa

#sensitive #files #bugbounty #bugbountytips

Custom Previews For Malicious Attachments

A phishing technique that allows attackers to create fake previews for their malicious attachment with Google Mail.

https://mrd0x.com/phishing-google-users-by-spoofing-previews/

#phishing #gmail #attachments

Anti-Spam Bypass

A script that helps you understand why your E-Mail ended up in Spam

https://github.com/mgeeky/decode-spam-headers

#phishing #anispam #bypass

Log4j — WAF and Patches Bypass Tricks

https://github.com/Puliczek/CVE-2021-44228-PoC-log4j-bypass-words

#log4j #waf #bypass #bugbounty

CRLF OneLiner

A simple Bash one liner with aim to automate CRLF vulnerability scanning. This is an extremely helpful and practical One liner for Bug Hunters, which helps you find CRLF missconfiguration in every possible method. Simply replace the links in subdomains.txt with the URL you want to target. This will help you scan for CRLF vulnerability without the need of an external tool. What you have to do is to copy-and-paste the commands into your terminal and finger crossed for any possible CRLF.

Bash OneLiner:
input='CRLF-one-liner/subdomains.txt';while IFS= read -r targets; do cat CRLF-one-liner/crlf_payloads.txt |xargs -I % sh -c "curl -vs --max-time 9 $targets/% 2>&1 |grep -q '< Set-Cookie: ?crlf'&& echo $targets '[+] is vulnerable with payload: '%>>crlf_results.txt||echo '[-] Not vulnerable: '$targets";done<$input

crlf_payloads.txt:
https://raw.githubusercontent.com/kleiton0x00/CRLF-one-liner/master/crlf_payloads.txt

#crlf #bash #oneliner #bugbounty

Create a Hidden Account in Windows

A tool for creating hidden accounts using the registry.
In addition to adding hidden accounts, the tool also adds functions to check hidden accounts and delete hidden accounts, so that both the red team and the blue team can use this tool.

https://github.com/wgpsec/CreateHiddenAccount

#ad #windows #hidden #account