π [ Chris Au @netero_1010 ]
Made a tool to create/modify schedule task using just registry keys. It has some requirements (require SYSTEM) but the beauty of it is it wont generate schedule task creation event log.
π https://github.com/netero1010/GhostTask
π₯ [ tweet ]
Made a tool to create/modify schedule task using just registry keys. It has some requirements (require SYSTEM) but the beauty of it is it wont generate schedule task creation event log.
π https://github.com/netero1010/GhostTask
π₯ [ tweet ]
π₯4π2π₯±1
π [ Fabian @testert01 ]
[Blogpost] EvtPsst a small EventLog Process Mute tool without OpenProcess call to the EventLog process.
This blog shows how to elevate a SYNCHRONIZE handle to a full process handle with a process token of EventLog.
π https://nothingspecialforu.github.io/EvtPsstBlog/
π₯ [ tweet ]
[Blogpost] EvtPsst a small EventLog Process Mute tool without OpenProcess call to the EventLog process.
This blog shows how to elevate a SYNCHRONIZE handle to a full process handle with a process token of EventLog.
π https://nothingspecialforu.github.io/EvtPsstBlog/
π₯ [ tweet ]
π₯3π2
π [ Corben Leo @hacker_ ]
I've made $500k+ from #SSRF vulnerabilities.
Here are my tricks:
π https://threadreaderapp.com/thread/1694554700555981176.html
π₯ [ tweet ]
I've made $500k+ from #SSRF vulnerabilities.
Here are my tricks:
π https://threadreaderapp.com/thread/1694554700555981176.html
π₯ [ tweet ]
π5
π [ Matthew @embee_research ]
Unpacking .NET Malware Using Process Hacker and Dnspy.
An easy method to obtain unpacked .NET samples by leveraging Process Hacker to identify suspicious modules, and Dnspy to save them from memory.
π https://embee-research.ghost.io/unpacking-net-malware-with-process-hacker/
π₯ [ tweet ]
Unpacking .NET Malware Using Process Hacker and Dnspy.
An easy method to obtain unpacked .NET samples by leveraging Process Hacker to identify suspicious modules, and Dnspy to save them from memory.
π https://embee-research.ghost.io/unpacking-net-malware-with-process-hacker/
π₯ [ tweet ]
π3
π [ n00py @n00py1 ]
The craziest BloodHound art I've made yet (password sharing clusters)
π₯ [ tweet ]
ΠΏΠ»Π°Π³ΠΈΠ°Ρ - ΠΎΡΠ΅Π²ΠΈΠ΄Π½ΠΎ ΠΆΠ΅, ΡΡΠΎ ΡΡΠΎ ΠΠΎΠ»ΠΎΡΠ°ΡΡΠΉ Π±ΡΠ±Π»ΠΈΠΊ
The craziest BloodHound art I've made yet (password sharing clusters)
π₯ [ tweet ]
ΠΏΠ»Π°Π³ΠΈΠ°Ρ - ΠΎΡΠ΅Π²ΠΈΠ΄Π½ΠΎ ΠΆΠ΅, ΡΡΠΎ ΡΡΠΎ ΠΠΎΠ»ΠΎΡΠ°ΡΡΠΉ Π±ΡΠ±Π»ΠΈΠΊ
π₯6
Offensive Xwitter
π [ Elliot @ElliotKillick ] Perfect DLL Hijacking: It's now possible with the latest in security research. Building on previous insights from @NetSPI, we reverse engineer the Windows library loader to disable the infamous Loader Lock and achieve ShellExecuteβ¦
π [ Elliot @ElliotKillick ]
The full and open source code used in "Perfect DLL Hijacking" has now been released on GitHub: LdrLockLiberator
π https://github.com/ElliotKillick/LdrLockLiberator
π₯ [ tweet ]
The full and open source code used in "Perfect DLL Hijacking" has now been released on GitHub: LdrLockLiberator
π https://github.com/ElliotKillick/LdrLockLiberator
π₯ [ tweet ]
π₯2
π [ Almond OffSec @AlmondOffSec ]
Understanding the different types of LDAP authentication methods is fundamental to apprehend subjects such as relay attacks or countermeasures. This post by @lowercase_drm introduces them through the lens of Python libraries.
π https://offsec.almond.consulting/ldap-authentication-in-active-directory-environments.html
π₯ [ tweet ]
Understanding the different types of LDAP authentication methods is fundamental to apprehend subjects such as relay attacks or countermeasures. This post by @lowercase_drm introduces them through the lens of Python libraries.
π https://offsec.almond.consulting/ldap-authentication-in-active-directory-environments.html
π₯ [ tweet ]
π₯2
π [ sinusoid @the_bit_diddler ]
Ever wanted to create Defender exclusions non-interactively?
Support for local and remote systems? βοΈ
Ability to revert said changes? βοΈ
Support processes, paths, and extensions? βοΈ
BOF? βοΈ
C# βοΈ
Code is public:
π https://github.com/EspressoCake/DefenderPathExclusions
π https://github.com/EspressoCake/Defender-Exclusions-Creator-BOF
π₯ [ tweet ]
Ever wanted to create Defender exclusions non-interactively?
Support for local and remote systems? βοΈ
Ability to revert said changes? βοΈ
Support processes, paths, and extensions? βοΈ
BOF? βοΈ
C# βοΈ
Code is public:
π https://github.com/EspressoCake/DefenderPathExclusions
π https://github.com/EspressoCake/Defender-Exclusions-Creator-BOF
π₯ [ tweet ]
π₯6
π [ Craig Rowland - Agentless Linux Security @CraigHRowland ]
Daily Linux whoami:
π₯ [ tweet ]
Daily Linux whoami:
$(echo -e "\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x77\x68\x6f\x61\x6d\x69")
π₯ [ tweet ]
π5π₯1
Offensive Xwitter
π [ Antonio Cocomazzi @splinter_code ] Do you want to start the RemoteRegistry service without Admin privileges? Just write into the "winreg" named pipe π π₯ [ tweet ]
π [ Geiseric @Geiseric4 ]
Following @splinter_code idea, you can also start RemoteRegistry remotely. This way you can check on which server DAs are connected, in case you want dump their creds. This script could help:
It works from low privileged user π
π https://gist.github.com/GeisericII/6849bc86620c7a764d88502df5187bd0
π₯ [ tweet ]
Following @splinter_code idea, you can also start RemoteRegistry remotely. This way you can check on which server DAs are connected, in case you want dump their creds. This script could help:
It works from low privileged user π
π https://gist.github.com/GeisericII/6849bc86620c7a764d88502df5187bd0
π₯ [ tweet ]
π₯4
π [ Thomas Seigneuret @_zblurx ]
New feature in #NetExec : S4U2Self and S4U2Proxy support and automation with --delegate and --self
It allows you to abuse KCD with protocol transition and RBCD automatically in NetExec, and use directly all the postex functionalities π₯
For example with RBCD ππ»
π₯ [ tweet ]
New feature in #NetExec : S4U2Self and S4U2Proxy support and automation with --delegate and --self
It allows you to abuse KCD with protocol transition and RBCD automatically in NetExec, and use directly all the postex functionalities π₯
For example with RBCD ππ»
π₯ [ tweet ]
π₯8π1
π [ Antonio Cocomazzi @splinter_code ]
The slides of our joint research talk β10 Years of Windows Privilege Escalation with Potatoesβ at #POC2023 are out!
cc @decoder_it
π https://github.com/antonioCoco/infosec-talks/blob/main/10_years_of_Windows_Privilege_Escalation_with_Potatoes.pdf
π₯ [ tweet ]
The slides of our joint research talk β10 Years of Windows Privilege Escalation with Potatoesβ at #POC2023 are out!
cc @decoder_it
π https://github.com/antonioCoco/infosec-talks/blob/main/10_years_of_Windows_Privilege_Escalation_with_Potatoes.pdf
π₯ [ tweet ]
π₯7
Offensive Xwitter
π [ Antonio Cocomazzi @splinter_code ] The slides of our joint research talk β10 Years of Windows Privilege Escalation with Potatoesβ at #POC2023 are out! cc @decoder_it π https://github.com/antonioCoco/infosec-talks/blob/main/10_years_of_Windows_Privβ¦
10_years_of_Windows_Privilege_Escalation_with_Potatoes.pdf
1.6 MB
π₯4
π [ ΡΟ
Ξ·g ΥΞΠΞ€ @yunginnanet ]
this was meant to be a simple debugging tool, but ended up being a full barebones, concurrent RFC1928 (SOCKS5) server. unnecessarily fast, very simple.
gophers that are interested in learning SOCKS5 protocol may find this useful (hopefully someone does)
π https://gist.github.com/yunginnanet/c84f831a4ac39eada5609ce0319f8d54
π₯ [ tweet ]
this was meant to be a simple debugging tool, but ended up being a full barebones, concurrent RFC1928 (SOCKS5) server. unnecessarily fast, very simple.
gophers that are interested in learning SOCKS5 protocol may find this useful (hopefully someone does)
π https://gist.github.com/yunginnanet/c84f831a4ac39eada5609ce0319f8d54
π₯ [ tweet ]
π₯6
π [ 5pider @C5pider ]
LdrLibraryEx.
A small x64 library to load PEs into memory.
π https://github.com/Cracked5pider/LdrLibraryEx
π₯ [ tweet ]
LdrLibraryEx.
A small x64 library to load PEs into memory.
π https://github.com/Cracked5pider/LdrLibraryEx
π₯ [ tweet ]
π₯3
π [ Charlie Clark @exploitph ]
Finally updated my RitM tool with the DES TGT session roasting code if anyone is interested.
Reminder, this isn't intended to be attack-ready code!
The attack is described in detail in my DES post (currently pinned to my profile).
π https://github.com/0xe7/RoastInTheMiddle/pull/1
π₯ [ tweet ]
ΡΠΏΠ°ΡΠΈΠ±ΠΎ @Michaelzhm, ΡΡΠΎ ΠΏΠ½ΡΠ» π
Finally updated my RitM tool with the DES TGT session roasting code if anyone is interested.
Reminder, this isn't intended to be attack-ready code!
The attack is described in detail in my DES post (currently pinned to my profile).
π https://github.com/0xe7/RoastInTheMiddle/pull/1
π₯ [ tweet ]
ΡΠΏΠ°ΡΠΈΠ±ΠΎ @Michaelzhm, ΡΡΠΎ ΠΏΠ½ΡΠ» π
π₯4π1π1
π [ S4ntiagoP @s4ntiago_p ]
π₯ New blogpost π₯
Running PEs inline without a console.
You now can, for example, run PowerShell in CobaltStrike and obtain its output without spawning any process (including conhost.exe)
π https://www.coresecurity.com/core-labs/articles/running-pes-inline-without-console
π₯ [ tweet ]
π₯ New blogpost π₯
Running PEs inline without a console.
You now can, for example, run PowerShell in CobaltStrike and obtain its output without spawning any process (including conhost.exe)
π https://www.coresecurity.com/core-labs/articles/running-pes-inline-without-console
π₯ [ tweet ]
π₯4
π [ S3cur3Th1sSh1t @ShitSecure ]
Today I needed to decrypt Veeam stored credentials. As existing toolings failed and/or manual decryption for a lot of passwords was too much effort I wrote a small assembly to do the whole job:
π https://github.com/S3cur3Th1sSh1t/SharpVeeamDecryptor
π₯ [ tweet ]
Today I needed to decrypt Veeam stored credentials. As existing toolings failed and/or manual decryption for a lot of passwords was too much effort I wrote a small assembly to do the whole job:
π https://github.com/S3cur3Th1sSh1t/SharpVeeamDecryptor
π₯ [ tweet ]
π3π₯1
π [ RΓ©mi GASCOU (Podalirius) @podalirius_ ]
In my latest article, discover the depth of the msDS-KeyCredentialLink attribute used in ShadowCredentials attacks and how to parse it. Plus, discover a Python library, pydsinternals, that simplifies the parsing process.
Check it out ‡οΈ
π https://podalirius.net/en/articles/parsing-the-msds-keycredentiallink-value-for-shadowcredentials-attack/
π₯ [ tweet ]
In my latest article, discover the depth of the msDS-KeyCredentialLink attribute used in ShadowCredentials attacks and how to parse it. Plus, discover a Python library, pydsinternals, that simplifies the parsing process.
Check it out ‡οΈ
π https://podalirius.net/en/articles/parsing-the-msds-keycredentiallink-value-for-shadowcredentials-attack/
π₯ [ tweet ]
π2