π [ Check Point Research @_CPResearch_ ]
CP<r> introduces a new method for running hidden implanted code in #ReadyToRun (R2R) compiled .NET binaries β‘οΈ R2R stomping β¬ οΈ
π€Implementation and resulting problems
π οΈTechniques and tools to analyze R2R stomped Assemblies
β οΈDetecting R2R stomping
π https://research.checkpoint.com/2023/r2r-stomping-are-you-ready-to-run/
π₯ [ tweet ]
CP<r> introduces a new method for running hidden implanted code in #ReadyToRun (R2R) compiled .NET binaries β‘οΈ R2R stomping β¬ οΈ
π€Implementation and resulting problems
π οΈTechniques and tools to analyze R2R stomped Assemblies
β οΈDetecting R2R stomping
π https://research.checkpoint.com/2023/r2r-stomping-are-you-ready-to-run/
π₯ [ tweet ]
π1
Offensive Xwitter
π [ Chetan Nayak (Brute Ratel C4 Author) @NinjaParanoid ] Since Cobaltstrike v4.9 is leaked and sooner or later it will be exploited, here is the detection for beacon's core. This detection cannot be modified with malleable profiles. EDRs like Crowdstrike/Elastic/MDATPβ¦
π [ Florian Roth @cyb3rops ]
Teaser: we're working on a new #YARA module to enhance in-memory matching, allowing detection engineers to craft more precise rules. Stay tuned
π₯ [ tweet ]
Teaser: we're working on a new #YARA module to enhance in-memory matching, allowing detection engineers to craft more precise rules. Stay tuned
π₯ [ tweet ]
ΠΊΠΎΠ³Π΄Π° Π½Π°Π²Π΅Π» ΡΡΠ΅ΡΡ...π2
π [ Elliot @ElliotKillick ]
Perfect DLL Hijacking: It's now possible with the latest in security research. Building on previous insights from @NetSPI, we reverse engineer the Windows library loader to disable the infamous Loader Lock and achieve ShellExecute straight from DllMain.
π https://elliotonsecurity.com/perfect-dll-hijacking/
π₯ [ tweet ]
Perfect DLL Hijacking: It's now possible with the latest in security research. Building on previous insights from @NetSPI, we reverse engineer the Windows library loader to disable the infamous Loader Lock and achieve ShellExecute straight from DllMain.
π https://elliotonsecurity.com/perfect-dll-hijacking/
π₯ [ tweet ]
π₯5
π [ S3cur3Th1sSh1t @ShitSecure ]
Another loader using Stomping + Threadlessinject as feature combination plus some bonus like encryption and module unlinking π₯by @BlackSnufkin42 π
π https://github.com/BlackSnufkin/NovaLdr
π₯ [ tweet ]
Another loader using Stomping + Threadlessinject as feature combination plus some bonus like encryption and module unlinking π₯by @BlackSnufkin42 π
π https://github.com/BlackSnufkin/NovaLdr
π₯ [ tweet ]
π₯2
π [ Outflank @OutflankNL ]
Weβve pushed βRemotePipeListβ on our GitHub and released a blog post. The tools is used to list named pipes of remote systems. Useful for remote reconnaissance.
Blog post here
C2 Tool Collection here
π https://outflank.nl/blog/2023/10/19/listing-remote-named-pipes/
π https://github.com/outflanknl/C2-Tool-Collection/tree/main/Other/RemotePipeList
π₯ [ tweet ]
Weβve pushed βRemotePipeListβ on our GitHub and released a blog post. The tools is used to list named pipes of remote systems. Useful for remote reconnaissance.
Blog post here
C2 Tool Collection here
π https://outflank.nl/blog/2023/10/19/listing-remote-named-pipes/
π https://github.com/outflanknl/C2-Tool-Collection/tree/main/Other/RemotePipeList
π₯ [ tweet ]
π5
π [ Andrew @4ndr3w6S ]
Happy to finally share our slide
deck/demo videos from our @texascyber talk, βYou DISliked DCSync? Wait For NetSync!β
Thank you x3000 to @MindsEyeCCF, for help with the fantastic slides, & my co-presenter/friend/mentor/research partner @exploitph π€
π https://github.com/4ndr3w6/Presentations/tree/main/Texas_Cyber_Summit_2023
π₯ [ tweet ]
Happy to finally share our slide
deck/demo videos from our @texascyber talk, βYou DISliked DCSync? Wait For NetSync!β
Thank you x3000 to @MindsEyeCCF, for help with the fantastic slides, & my co-presenter/friend/mentor/research partner @exploitph π€
π https://github.com/4ndr3w6/Presentations/tree/main/Texas_Cyber_Summit_2023
π₯ [ tweet ]
π2π₯2
π [ Antonio Cocomazzi @splinter_code ]
Do you want to start the RemoteRegistry service without Admin privileges?
Just write into the "winreg" named pipe π
π₯ [ tweet ]
Do you want to start the RemoteRegistry service without Admin privileges?
Just write into the "winreg" named pipe π
π₯ [ tweet ]
π€―13π1
π [ Tony Gore @nullg0re ]
Dcsync without triggering traditional alerts?
π https://nullg0re.com/2023/09/hijacking-someone-else-dcsync/
π₯ [ tweet ]
Dcsync without triggering traditional alerts?
π https://nullg0re.com/2023/09/hijacking-someone-else-dcsync/
π₯ [ tweet ]
Offensive Xwitter
π [ Andrew @4ndr3w6S ] Happy to finally share our slide deck/demo videos from our @texascyber talk, βYou DISliked DCSync? Wait For NetSync!β Thank you x3000 to @MindsEyeCCF, for help with the fantastic slides, & my co-presenter/friend/mentor/research partnerβ¦
You_Disliked_DCSync_Wait_For_NetSync_Texas_Cyber_Summit_2023_Charlie.pdf
31.6 MB
π₯3
π [ Kleiton Kurti @kleiton0x7e ]
Spent some time reversing undocumented Syscalls residing in Kernel32/Ntdll and created a PoC for proxying DLL loads. This leads to a clean call stack as the return address pointing to shellcode won't be pushed to stack.
#CyberSecurity #redteam #infosec
π https://github.com/kleiton0x00/Proxy-DLL-Loads
π₯ [ tweet ]
Spent some time reversing undocumented Syscalls residing in Kernel32/Ntdll and created a PoC for proxying DLL loads. This leads to a clean call stack as the return address pointing to shellcode won't be pushed to stack.
#CyberSecurity #redteam #infosec
π https://github.com/kleiton0x00/Proxy-DLL-Loads
π₯ [ tweet ]
π4π₯1
π [ spencer @techspence ]
A .net port of @ZeroMemoryEx AMSI Killer with an added feature to continuously patch new powershell processes by @S1lky_1337
π https://github.com/S1lkys/SharpKiller
π https://github.com/ZeroMemoryEx/Amsi-Killer
π₯ [ tweet ]
A .net port of @ZeroMemoryEx AMSI Killer with an added feature to continuously patch new powershell processes by @S1lky_1337
π https://github.com/S1lkys/SharpKiller
π https://github.com/ZeroMemoryEx/Amsi-Killer
π₯ [ tweet ]
π₯4
π [ N1k0la @webdxg ]
Exchange Server CVE-2023-36745
Standing on the Shoulder of Giants @chudyPB
π https://n1k0la-t.github.io/2023/10/24/Microsoft-Exchange-Server-CVE-2023-36745/
π₯ [ tweet ]
Exchange Server CVE-2023-36745
Standing on the Shoulder of Giants @chudyPB
π https://n1k0la-t.github.io/2023/10/24/Microsoft-Exchange-Server-CVE-2023-36745/
π₯ [ tweet ]
π₯4
π [ Mayfly @M4yFly ]
A new Lab π° is available on GOAD: NHA.
This time it is a challenge, 5 vms, you start with no account and try to get domain admin on the two domains.
Have fun !
π https://github.com/Orange-Cyberdefense/GOAD/tree/main/ad/NHA
π₯ [ tweet ]
A new Lab π° is available on GOAD: NHA.
This time it is a challenge, 5 vms, you start with no account and try to get domain admin on the two domains.
Have fun !
π https://github.com/Orange-Cyberdefense/GOAD/tree/main/ad/NHA
π₯ [ tweet ]
π₯5
π [ Garrett @garrfoster ]
Pushed an update to SCCMHunter to include @SkelSec's python unobfuscator for @_xpn_'s sccmwtf NAA attack. Shout out to you both for the awesome work!
π https://github.com/garrettfoster13/sccmhunter
π https://github.com/xpn/sccmwtf/blob/main/policysecretunobfuscate.py
π₯ [ tweet ]
Pushed an update to SCCMHunter to include @SkelSec's python unobfuscator for @_xpn_'s sccmwtf NAA attack. Shout out to you both for the awesome work!
π https://github.com/garrettfoster13/sccmhunter
π https://github.com/xpn/sccmwtf/blob/main/policysecretunobfuscate.py
π₯ [ tweet ]
π4π₯1
π [ Justin Elze @HackingLZ ]
wmiexec is so reliable with so many great detections avaliable. Cortex does a really good job without of the box Impacket as well.
π https://www.crowdstrike.com/blog/how-to-detect-and-prevent-impackets-wmiexec/
π https://micahbabinski.medium.com/brace-for-impacket-5191dff82c74
π₯ [ tweet ]
wmiexec is so reliable with so many great detections avaliable. Cortex does a really good job without of the box Impacket as well.
π https://www.crowdstrike.com/blog/how-to-detect-and-prevent-impackets-wmiexec/
π https://micahbabinski.medium.com/brace-for-impacket-5191dff82c74
π₯ [ tweet ]
π₯3
π₯3π1