Offensive Xwitter
π [ drm @lowercase_drm ] pywerview v0.5.2 is out! It implements, among other things, the "simple authentication trick" to use the tool against hardened DCs and without install custom ldap3 lib. π https://github.com/the-useless-one/pywerview/commit/ba08fβ¦
πΉ [ snπ₯Άvvcrπ₯sh @snovvcrash ]
A mega cool trick indeed! It can be easily adopted for existing LDAP tooling, an example for @_dirkjanβs adidnsdumpππ»
π₯ [ tweet ][ quote ]
A mega cool trick indeed! It can be easily adopted for existing LDAP tooling, an example for @_dirkjanβs adidnsdumpππ»
π₯ [ tweet ][ quote ]
π₯4π2π₯±1
π [ an0n @an0n_r0 ]
my favorite (and might be the most complete) wifi hacking guide (+pwnbox setup) by @Xst3nZ:
π https://github.com/koutto/pi-pwnbox-rogueap/wiki
following this it was relatively easy to perform an evil twin attack after setting up a wpa-eap home lab (managed to capture a challenge using eaphammer π).
π₯ [ tweet ]
my favorite (and might be the most complete) wifi hacking guide (+pwnbox setup) by @Xst3nZ:
π https://github.com/koutto/pi-pwnbox-rogueap/wiki
following this it was relatively easy to perform an evil twin attack after setting up a wpa-eap home lab (managed to capture a challenge using eaphammer π).
π₯ [ tweet ]
π6
π [ Felipe Molina @felmoltor ]
Great reading about Sliver and OSEP:
π https://bishopfox.com/blog/passing-the-osep-exam-using-sliver
π₯ [ tweet ]
Great reading about Sliver and OSEP:
π https://bishopfox.com/blog/passing-the-osep-exam-using-sliver
π₯ [ tweet ]
π₯10
π [ Maxime Meignan @th3m4ks ]
How to disable some parts of EDRβs telemetry on Windows 10? Just ask nicely!
See for more info about an interesting logic bug we found on Win10 that affects all EDRs π
π https://www.riskinsight-wavestone.com/en/2023/10/a-universal-edr-bypass-built-in-windows-10/
π₯ [ tweet ]
How to disable some parts of EDRβs telemetry on Windows 10? Just ask nicely!
See for more info about an interesting logic bug we found on Win10 that affects all EDRs π
π https://www.riskinsight-wavestone.com/en/2023/10/a-universal-edr-bypass-built-in-windows-10/
π₯ [ tweet ]
π₯4
Offensive Xwitter
πΉ [ snπ₯Άvvcrπ₯sh @snovvcrash ] A mega cool trick indeed! It can be easily adopted for existing LDAP tooling, an example for @_dirkjanβs adidnsdumpππ» π₯ [ tweet ][ quote ]
π [ drm @lowercase_drm ]
Another trick: LDAP signing but LDAPS is not configured? Use DIGEST-MD5 and signing!
π₯ [ tweet ][ quote ]
Another trick: LDAP signing but LDAPS is not configured? Use DIGEST-MD5 and signing!
π₯ [ tweet ][ quote ]
π3π₯1
π [ TrustedSec @TrustedSec ]
Our new #blog post by @mega_spl0it and @4ndr3W6S takes a deep dive into how Active Directory (AD) attribute-based detections can be built and how to identify where an adversary may be hiding. Read the first of this 3-part series now!
π https://hubs.la/Q024-06m0
π₯ [ tweet ]
Our new #blog post by @mega_spl0it and @4ndr3W6S takes a deep dive into how Active Directory (AD) attribute-based detections can be built and how to identify where an adversary may be hiding. Read the first of this 3-part series now!
π https://hubs.la/Q024-06m0
π₯ [ tweet ]
π4
π [ ippsec @ippsec ]
Uploaded a video talking about the Looney Tunable exploit. Don't go deep into the exploit but analyze the script/shellcode to make sure its not malicious, update offsets if your target isn't supported, and generic+specific detections to this.
π https://youtu.be/1iV-CD9Apn8
π₯ [ tweet ]
Uploaded a video talking about the Looney Tunable exploit. Don't go deep into the exploit but analyze the script/shellcode to make sure its not malicious, update offsets if your target isn't supported, and generic+specific detections to this.
π https://youtu.be/1iV-CD9Apn8
π₯ [ tweet ]
π1
Offensive Xwitter
π [ ippsec @ippsec ] Uploaded a video talking about the Looney Tunable exploit. Don't go deep into the exploit but analyze the script/shellcode to make sure its not malicious, update offsets if your target isn't supported, and generic+specific detectionsβ¦
π [ 0xdf @0xdf_ ]
I wrote a blog post for the @hackthebox_eu blog on how to exploit the Looney Tunables CVE on the TwoMillion machine. I'll give an overview of the exploit, show how to run it, and how to identify it in logs:
π https://affiliate.hackthebox.com/blog?slug=exploiting-the-looney-tunables-vulnerability-cve-2023-4911
π₯ [ tweet ]
I wrote a blog post for the @hackthebox_eu blog on how to exploit the Looney Tunables CVE on the TwoMillion machine. I'll give an overview of the exploit, show how to run it, and how to identify it in logs:
π https://affiliate.hackthebox.com/blog?slug=exploiting-the-looney-tunables-vulnerability-cve-2023-4911
π₯ [ tweet ]
π2
π [ Chetan Nayak (Brute Ratel C4 Author) @NinjaParanoid ]
Since Cobaltstrike v4.9 is leaked and sooner or later it will be exploited, here is the detection for beacon's core. This detection cannot be modified with malleable profiles. EDRs like Crowdstrike/Elastic/MDATP which constantly scan the memory region for known patterns should easily pick this up. FYI, if BRc4 gets leaked, I would do the same for BRc4 too, like I've done in the past. No hard feelings, just helping the community.
π https://github.com/paranoidninja/Cobaltstrike-Detection/blob/main/cs49.yara
π https://github.com/paranoidninja/Cobaltstrike-Detection/blob/main/scan_process.c
π₯ [ tweet ]
Since Cobaltstrike v4.9 is leaked and sooner or later it will be exploited, here is the detection for beacon's core. This detection cannot be modified with malleable profiles. EDRs like Crowdstrike/Elastic/MDATP which constantly scan the memory region for known patterns should easily pick this up. FYI, if BRc4 gets leaked, I would do the same for BRc4 too, like I've done in the past. No hard feelings, just helping the community.
π https://github.com/paranoidninja/Cobaltstrike-Detection/blob/main/cs49.yara
π https://github.com/paranoidninja/Cobaltstrike-Detection/blob/main/scan_process.c
π₯ [ tweet ]
π4
π [ Charlie Bromberg Β« Shutdown Β» @_nwodtuhs ]
pyWhisker can now do cross-domain shadow credentials ποΈπ«¦ποΈ
π https://github.com/ShutdownRepo/pywhisker
π₯ [ tweet ]
pyWhisker can now do cross-domain shadow credentials ποΈπ«¦ποΈ
pywhisker.py --action add -d domainA -u owned_user -p password --target user_in_domainB --target-domain domainBπ https://github.com/ShutdownRepo/pywhisker
π₯ [ tweet ]
π₯8
ΠΠΎΠΌΡ Π½Π΅ΠΌΠ½ΠΎΠ³ΠΎ ΠΊΠΈΡΠΈΠ»Π»ΠΈΡΡ Π΄Π»Ρ Havoc?
π https://github.com/snovvcrash/Havoc/commit/438f52b8e68110862dfbb841dd5b440e9c9f3ca1
ΠΡ ΠΈ ΡΠΈΠΊΡ Π΄Π»Ρ InvokeAssembly Π΄ΠΎ ΠΊΡΡΠΈ:
π https://github.com/snovvcrash/HavocModules/commit/dc017e254660bb7f416b8d04e27c15c388e849ef
π https://github.com/snovvcrash/Havoc/commit/438f52b8e68110862dfbb841dd5b440e9c9f3ca1
ΠΡ ΠΈ ΡΠΈΠΊΡ Π΄Π»Ρ InvokeAssembly Π΄ΠΎ ΠΊΡΡΠΈ:
π https://github.com/snovvcrash/HavocModules/commit/dc017e254660bb7f416b8d04e27c15c388e849ef
π₯14
π [ Mayfly @M4yFly ]
GOAD update available π₯³
- Azure provider is now supported thx to @Zeph_RooT !
- Two versions of the lab are available (A light version with 3 computers has been added).
- Some scripts to help install.
- Refactoring to simplify adding lab and providers.
π https://github.com/Orange-Cyberdefense/GOAD
π₯ [ tweet ]
GOAD update available π₯³
- Azure provider is now supported thx to @Zeph_RooT !
- Two versions of the lab are available (A light version with 3 computers has been added).
- Some scripts to help install.
- Refactoring to simplify adding lab and providers.
π https://github.com/Orange-Cyberdefense/GOAD
π₯ [ tweet ]
π7
Offensive Xwitter
π [ TrustedSec @TrustedSec ] Our new #blog post by @mega_spl0it and @4ndr3W6S takes a deep dive into how Active Directory (AD) attribute-based detections can be built and how to identify where an adversary may be hiding. Read the first of this 3-part seriesβ¦
π [ TrustedSec @TrustedSec ]
In Part 2 of our new #blog series by @mega_spl0it and @4ndr3W6S, they build detections for additional attributes, this time focusing on those that can be modified using the #PowerMad tool. Read it now!
π https://hubs.ly/Q025hFdr0
π₯ [ tweet ]
In Part 2 of our new #blog series by @mega_spl0it and @4ndr3W6S, they build detections for additional attributes, this time focusing on those that can be modified using the #PowerMad tool. Read it now!
π https://hubs.ly/Q025hFdr0
π₯ [ tweet ]
π₯2π1
Offensive Xwitter
π [ TrustedSec @TrustedSec ] In Part 2 of our new #blog series by @mega_spl0it and @4ndr3W6S, they build detections for additional attributes, this time focusing on those that can be modified using the #PowerMad tool. Read it now! π https://hubs.ly/Q025hFdr0β¦
π [ TrustedSec @TrustedSec ]
In the third and final installment of our #blog series by @mega_spl0it @4ndr3W6S DACL-based detections are built, identifying attacks that focus on obscure or lesser-known AD Attributes that fall outside of the scope of Parts 1 and 2. Read it now!
π https://hubs.la/Q025N0lk0
π₯ [ tweet ]
In the third and final installment of our #blog series by @mega_spl0it @4ndr3W6S DACL-based detections are built, identifying attacks that focus on obscure or lesser-known AD Attributes that fall outside of the scope of Parts 1 and 2. Read it now!
π https://hubs.la/Q025N0lk0
π₯ [ tweet ]
π₯4π1
π [ Check Point Research @_CPResearch_ ]
CP<r> introduces a new method for running hidden implanted code in #ReadyToRun (R2R) compiled .NET binaries β‘οΈ R2R stomping β¬ οΈ
π€Implementation and resulting problems
π οΈTechniques and tools to analyze R2R stomped Assemblies
β οΈDetecting R2R stomping
π https://research.checkpoint.com/2023/r2r-stomping-are-you-ready-to-run/
π₯ [ tweet ]
CP<r> introduces a new method for running hidden implanted code in #ReadyToRun (R2R) compiled .NET binaries β‘οΈ R2R stomping β¬ οΈ
π€Implementation and resulting problems
π οΈTechniques and tools to analyze R2R stomped Assemblies
β οΈDetecting R2R stomping
π https://research.checkpoint.com/2023/r2r-stomping-are-you-ready-to-run/
π₯ [ tweet ]
π1
Offensive Xwitter
π [ Chetan Nayak (Brute Ratel C4 Author) @NinjaParanoid ] Since Cobaltstrike v4.9 is leaked and sooner or later it will be exploited, here is the detection for beacon's core. This detection cannot be modified with malleable profiles. EDRs like Crowdstrike/Elastic/MDATPβ¦
π [ Florian Roth @cyb3rops ]
Teaser: we're working on a new #YARA module to enhance in-memory matching, allowing detection engineers to craft more precise rules. Stay tuned
π₯ [ tweet ]
Teaser: we're working on a new #YARA module to enhance in-memory matching, allowing detection engineers to craft more precise rules. Stay tuned
π₯ [ tweet ]
ΠΊΠΎΠ³Π΄Π° Π½Π°Π²Π΅Π» ΡΡΠ΅ΡΡ...π2
π [ Elliot @ElliotKillick ]
Perfect DLL Hijacking: It's now possible with the latest in security research. Building on previous insights from @NetSPI, we reverse engineer the Windows library loader to disable the infamous Loader Lock and achieve ShellExecute straight from DllMain.
π https://elliotonsecurity.com/perfect-dll-hijacking/
π₯ [ tweet ]
Perfect DLL Hijacking: It's now possible with the latest in security research. Building on previous insights from @NetSPI, we reverse engineer the Windows library loader to disable the infamous Loader Lock and achieve ShellExecute straight from DllMain.
π https://elliotonsecurity.com/perfect-dll-hijacking/
π₯ [ tweet ]
π₯5
π [ S3cur3Th1sSh1t @ShitSecure ]
Another loader using Stomping + Threadlessinject as feature combination plus some bonus like encryption and module unlinking π₯by @BlackSnufkin42 π
π https://github.com/BlackSnufkin/NovaLdr
π₯ [ tweet ]
Another loader using Stomping + Threadlessinject as feature combination plus some bonus like encryption and module unlinking π₯by @BlackSnufkin42 π
π https://github.com/BlackSnufkin/NovaLdr
π₯ [ tweet ]
π₯2