Offensive Xwitter
[ Wietze @Wietze ]
Were you aware standard VSCode can be turned into a fully-functioning RAT with a single command?
✅ Popular/MS-signed exe
✅ Uses MS network infra
✅ VSCode is always noisy, abuse may not stand out
Open/edit/delete files, run arbitrary commands
Solid find:
https://badoption.eu/blog/2023/01/31/code_c2.html
[ Clandestine @akaclandestine ]
AV/EDR Evasion | Malware Development
Part 1 - https://medium.com/@0xHossam/av-edr-evasion-malware-development-933e50f47af5
Part 2 - https://medium.com/@0xHossam/av-edr-evasion-malware-development-p2-7a947f7db354
Part 3 - https://medium.com/@0xHossam/unhooking-memory-object-hiding-3229b75618f7
Part 4 - https://medium.com/@0xHossam/av-edr-evasion-malware-development-p-4-162662bb630e
[ Greg Darwin @gregdarwin ]
A new Cobalt Strike blog post just dropped. This is the second in the series on UDRL development, and covers obfuscation and masking. It is accompanied by some major updates to the UDRL-VS kit.
https://www.cobaltstrike.com/blog/revisiting-the-udrl-part-2-obfuscation-masking
[ Andrew Oliveau @AndrewOliveau ]
BOOM! Another privilege escalation blog, this time showcasing how to convert arbitrary file deletions 🗑️ to a SYSTEM command prompt (CVE-2023-27470). Learn about TOCTOU, pseudo-symlinks, MSI rollback exploits, and, of course, how to protect yourselves!
https://www.mandiant.com/resources/blog/arbitrary-file-deletion-vulnerabilities
[ ShorSec Cyber Security @ShorSecLtd ]
New Blog Post Alert!
The next chapter in our "The Path to DA" series is now live: "(Relaying) To The Internet And Back".
This entry, by @dec0ne, explores yet another route to DA, focusing on the intricacies of ADIDNS Abuse, LDAP relay, RBCD, and more.
https://shorsec.io/blog/the-path-to-da-part-2-relaying-to-the-internet-and-back/
[ Vincent Yiu @vysecurity ]
DevTunnels, blue are going to begin searching for DevTunnels.ms. Get ready ahead of time and use domains like:
global.rel.tunnels.api.visualstudio.com
tunnels-prod-rel-tm.trafficmanager.net
*.app.github.dev
https://www.syonsecurity.com/post/devtunnels-for-c2
[ Rohan Aggarwal @nahoragg ]
My talk "Bypassing Anti-Cheats & Hacking Competitive Games" from @securityfest is now available on YouTube. #game #Hacking
https://youtu.be/bTU7huCmFXA
[ S3cur3Th1sSh1t @ShitSecure ]
Just finished the talk "Playing Chess as Red-Teams" @MCTTP_Con! Time to release my PoC to avoid Kernel Callback / ETWti triggered memory scans for process injection - Caro-Kann:
https://github.com/S3cur3Th1sSh1t/Caro-Kann
[ Antonio Cocomazzi @splinter_code ]
Excited to share my hardest research about UAC 🤯
"Bypassing UAC with SSPI Datagram Contexts"
In a nutshell:
✅ Works on latest Windows 11 down to Windows 7
✅ Works on both domain-joined and non-domain-joined machines
✅ Works without using UI hacks or any auto elevated binary/interface
✅ Works with maximum UAC level settings *Always Notify*
✅ Not a security boundary / Won't Fix
Enjoy the read!
https://splintercod3.blogspot.com/p/bypassing-uac-with-sspi-datagram.html
[ SkelSec @SkelSec ]
Weeeee! My Defcon talk is now on YouTube!
https://www.youtube.com/watch?v=7oAZK8x_mL0
https://github.com/skelsec/wsnet
https://github.com/skelsec/wsnet-dotnet
@skelsec is a genius, indeed
Tamas Jos - Spooky authentication at a distance.pdf
3.6 MB
[ Adam Chester 🏴‍☠️ @_xpn_ ]
My Okta for Red Teamers post is up! We look at how Kerberos SSO works, how to intercept credentials via a fake AD Agent, decrypting AD Agent tokens, adding skeleton keys, and even how to deploy a janky SAML IdP server to auth as any user for good measure.
https://www.trustedsec.com/blog/okta-for-red-teamers/
[ james @rotarydrone ]
Awesome stuff. The AD agent hijack here is much stealthier (and cooler) than injecting a DLL.
Here's a Nim example for LogonUser hooking, à la PTASpy or @_xpn_'s blog on AADC for red teams. This also works for the AD agent:
https://gist.githubusercontent.com/rotarydrone/645f77f7e778da75800d1cde4013da2f/raw/a7a12e6e4529f4d09037ee6d908ead89500aa1ad/LogonUserSpy.nim
[ Dylan Tran @d_tranman ]
Dug into call stack spoofing for the past few months and wrote something. Hopefully this is helpful.
https://dtsec.us/2023-09-15-StackSpoofin/
[ Greg Darwin @gregdarwin ]
Cobalt Strike 4.9 is now live. This release adds UDRL support for post-ex DLLs, the ability to export Beacon without a reflective loader, support for callbacks, a Beacon data store and more. Check out the blog post for details:
https://www.cobaltstrike.com/blog/cobalt-strike-49-take-me-to-your-loader
Lost my patience when rpcclient broke yet again on old protocols, and I needed to resolve name↔️SID right here and now:
https://github.com/fortra/impacket/pull/1618
GitHub
Add lookupname.py example by snovvcrash · Pull Request #1618 · fortra/impacket
A tiny example for hLsarLookupNames3 and hLsarLookupSids2 calls that I use when rpcclient refuses to work