📡 Relaying to ADFS Attacks
Praetorian has developed and is releasing an open source tool ADFSRelay and NTLMParse, which can be used for performing relaying attacks targeting ADFS and analyzing NTLM messages respectively.
https://www.praetorian.com/blog/relaying-to-adfs-attacks/
#ad #adfs #relay #ntlm
Praetorian
Relaying to ADFS Attacks
Overview: During red team engagements over the last few years, I’ve been curious whether it would be possible to authenticate to cloud services such as Office365 via a relay from New Technology LAN Manager (NTLM) to Active Directory Federation Services (ADFS).…
😡 Brute-Ratel-C4-Community-Kit
This repository contains scripts, configurations and deprecated payload loaders for Brute Ratel C4. Anything which is added in the deprecated folder will not be a part of the latest release of BRc4.
https://github.com/paranoidninja/Brute-Ratel-C4-Community-Kit
#c2 #bof #shellcode #injection
🔎 ldeep
In-depth LDAP enumeration utility.
https://github.com/franc-pentest/ldeep
Install:
$ pip3 install ldeep
Usage Example:
Enumerate ACEs of the AdminSDHolder object
$ ldeep ldap -s 'ldap://10.10.13.37' -d megacorp -u j.doe -p 'Passw0rd!' -b 'CN=System,DC=megacorp,DC=local' sddl AdminSDHolder | jq '.[].nTSecurityDescriptor.DACL.ACEs[] | select(.Type | contains("Allowed")) | .SID + " :: " + .Type'
Convert SID to name
$ ldeep ldap -s 'ldap://10.10.13.37' -d megacorp -u j.doe -p 'Passw0rd!' from_sid <SID>
#ad #ldap
⚙️ A Few Ways to Get TrustedInstaller Privileges
GetTrustedInstaller
Make an executable run with TrustedInstaller permissions under the SYSTEM account.
https://github.com/rara64/GetTrustedInstaller
NtObjectManager
This module adds a provider and cmdlets to access the NT object manager namespace.
https://github.com/googleprojectzero/sandbox-attacksurface-analysis-tools/tree/main/NtObjectManager
Example. Apply a TrustedInstaller impersonation token to the current PowerShell process:
Install-Module -Name NtObjectManager -Confirm:$false
Restart-Service TrustedInstaller
$procId = (Get-Process TrustedInstaller).Id
$token = Get-NtTokenFromProcess -ProcessId $procId
$current = Get-NtThread -Current -PseudoHandle
$ctx = $current.Impersonate($token)
$impToken = Get-NtToken -Impersonation
$impToken.Groups
#localsystem #trustedinstaller
🐾 ChopHound
Some scripts for dealing with any challenges that might arise when importing (large) JSON datasets into BloodHound.
Blog post:
https://blog.bitsadmin.com/blog/dealing-with-large-bloodhound-datasets
Scripts:
https://github.com/bitsadmin/chophound
#ad #bloodhound #cypher
BITSADMIN Blog
Dealing with large BloodHound datasets
Article discussing some of the challenges I faced importing large datasets into BloodHound including some scripts to overcome these challenges. Additionally some tricks are discussed on how to use Neo4j's Cypher language from PowerShell to get the right results…
⚔️ Maelstrom: C2 Development Blog Series
We wanted to explore how C2s function in 2022, what evasive behaviors are required, and what a minimum viable C2 looks like in a world of sophisticated endpoint protection.
Which gave us our goals for this blog series:
- Document the internals of a minimum viable C2:
* What are the ideas behind popular C2 implementations?
* What are their goals and objectives?
- Analyse and implement evasive behaviors:
* What is required to run on a contemporary Windows system?
* What is required to bypass up-to-date, modern endpoint protection?
- Produce a proof-of-concept C2:
* What is the minimum viable C2 for an operator in 2022?
* What is required to detect this minimum viable C2?
🔗 Maelstrom: An Introduction
🔗 Maelstrom: The C2 Architecture
🔗 Maelstrom: Building the Team Server
🔗 Maelstrom: Writing a C2 Implant
🔗 Maelstrom: EDR Kernel Callbacks, Hooks, and Call Stacks
#maldev #c2
🐞 Malware Development for Dummies
In the age of EDR, red team operators cannot get away with using pre-compiled payloads anymore. As such, malware development is becoming a vital skill for any operator. Getting started with maldev may seem daunting, but is actually very easy. This workshop will show you all you need to get started!
Slides:
https://github.com/chvancooten/maldev-for-dummies/tree/main/Slides
Exercises:
https://github.com/chvancooten/maldev-for-dummies/tree/main/Exercises
#maldev #csharp #nim
🔴 Reversing BRc4 Red-Teaming Tool Used by APT 29
On May 19, a malicious payload associated with Brute Ratel C4 (BRc4) was uploaded to VirusTotal, where it received a benign verdict from all 56 vendors that evaluated it. Beyond the obvious detection concerns, we believe this sample is also significant in terms of its malicious payload, command and control (C2), and packaging.
Blog post:
https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/
Reversing the Malware by IppSec:
https://youtu.be/a7W6rhkpVSM
#maldev #c2 #brc4
Unit 42
When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors
Pentest and adversary emulation tool Brute Ratel C4 is effective at defeating modern detection capabilities – and malicious actors have begun to adopt it.
Forwarded from Волосатый бублик
#ad #rpc #ntlm #privesc
[ Coercer ]
article: https://github.com/p0dalirius/windows-coerced-authentication-methods
There are currently 15 known methods in 5 protocols.
tool: https://github.com/p0dalirius/Coercer
A python script to automatically coerce a Windows server to authenticate on an arbitrary machine through 9 methods.
🔒 TLSX
Collection of additional assets of a target CIDR/IP/HOST from TLS certificates.
https://github.com/projectdiscovery/tlsx
Features:
— Fast and fully configurable TLS connection
— Multiple modes for TLS connection
— Multiple TLS probes
— Auto TLS fallback for older TLS versions
— Pre-handshake TLS connection (early termination)
— Customizable cipher / SNI / TLS selection
— TLS misconfigurations
— HOST, IP, URL and CIDR input
— STDIN/STDOUT and TXT/JSON output
Example:
tlsx -u 209.133.79.0/24 -san -cn -silent -resp-only | dnsx -silent | httpx | nuclei
#recon #tls #grabber #tools
🧦 Chisel Strike
A .NET XOR-encrypted Cobalt Strike Aggressor implementation for Chisel to utilize faster proxying and advanced SOCKS5 capabilities.
https://github.com/m3rcer/Chisel-Strike
#cobaltstrike #socks #proxy #redteam
🎲 Abusing forgotten permissions on computer objects in Active Directory
The post is a dive into permissions that are set when you pre-create computer accounts the wrong way, why BloodHound missed those and how to abuse, fix, or monitor for this.
Resource:
🔗 https://dirkjanm.io/abusing-forgotten-permissions-on-precreated-computer-objects-in-active-directory/
🔗 https://www.trustedsec.com/blog/diving-into-pre-created-computer-accounts/
#ad #permission #acl
dirkjanm.io
Abusing forgotten permissions on computer objects in Active Directory
A while back, I read an interesting blog by Oddvar Moe about Pre-created computer accounts in Active Directory. In the blog, Oddvar also describes the option to configure who can join the computer to the domain after the object is created. This sets an interesting…
Forwarded from Caster (necreas1ng)
My article on post-exploitation of compromised Cisco equipment has been published.
https://habr.com/ru/post/676942/
ᛝ
👀 PowerView.py
This is an alternative for the awesome original PowerView script. Most of the modules used in PowerView are available in this project.
https://github.com/aniqfakhrul/powerview.py
#ad #powerview #python #tools
🪲 Abuse Cloudflare Zerotrust for C2 channels
https://0xsp.com/offensive/red-ops-techniques/abuse-cloudflare-zerotrust-for-c2-channels/
#c2 #cloudflare #zerotrust #redteam
👨👩👦 Book Can Save A Life
I will be very happy if this book helps at least one person to gain knowledge and learn the science of cybersecurity. The book is mostly practice oriented. This book is dedicated to my wife, Laura, and my children, Yerzhan and Munira. Also, thanks to everyone who is helping me through these difficult times. The proceeds from the sale of this book will be used to treat Munira, who is currently battling for her life at a hospital in Istanbul, Turkey.
The book is divided into three logical chapters:
— Malware development tricks and techniques;
— AV evasion tricks;
— Persistence techniques.
This book costs $16, but you can pay as much as you want. All money will go to the treatment of his daughter.
https://cocomelonc.github.io/book/2022/07/16/mybook.html
Channel author's preface:
Dear cocomelonc (@abuyerzh), I wish you and your daughter health and well-being!
🔓 Unprotect
A project that is meant to provide Malware Analysts and Defenders with actionable insights and detection capabilities to shorten their response times. A catalog of over 200 tricks used by malware to bypass detection and protection tools. There are also rules for detecting these tricks.
https://unprotect.it/
#maldev #evasion #redteam #blueteam
💉 Apache Spark RCE (CVE-2022-33891)
Apache Spark could allow an attacker to execute arbitrary commands on the system, caused by improper input validation of a code path in HttpSecurityFilter when ACLs are enabled. This affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1.
PoC (sleep 10):
https://localhost:8080/?doAs=`echo%20%22c2xlZXAgMTAK%22%20|%20base64%20-d%20|%20bash`
Exploits:
https://github.com/HuskyHacks/cve-2022-33891
https://github.com/W01fh4cker/cve-2022-33891
https://github.com/west-wind/CVE-2022-33891
Shodan Dorks:
http.favicon.hash:856048515
#apache #spark #rce #cve
🔍 OSINT Tools
Today I'm going to talk about two excellent resources for photo editing during OSINT/IMINT.
Remini:
This image unblurring/sharpening tool can help yield better reverse image search and facial recognition results.
https://app.remini.ai/
Cleanup.Pictures:
One of the best online photo object removal tools I've ever seen.
https://cleanup.pictures/
#OSINT #IMINT #ImageAnalysis #tools