[ James Forshaw @tiraniddo ]
I try and avoid this hellsite, but I did a quick dive into sudo in Windows and here are my initial findings.
The main takeaway is, writing Rust won't save you from logical bugs :)
https://www.tiraniddo.dev/2024/02/sudo-on-windows-quick-rundown.html
[ tweet ]
about the new sudo in Win 11
[ WithSecure™ @WithSecure ]
Threat actors often sign malware using either stolen, or even legally acquired, code signing certificates.
Check out the latest @Github update from @WithSecure's @dottor_morte, with a repository of certs known to have been leaked/stolen, and then abused.
https://github.com/WithSecureLabs/lolcerts
[ tweet ]
[ Soumyani1 @reveng007 ]
I wanna thank all of them (Not In Order):
@SEKTOR7net
@VirtualAllocEx
@peterwintrsmith
@D1rkMtr
@Jean_Maes_1994
@0xBoku
@Sh0ckFR
@_winterknife_
@jack_halon
For helping me develop this POC, DarkWidow:
https://github.com/reveng007/DarkWidow
[ tweet ]
Red Team Roadmap (by @soheilsec)
https://xmind.app/m/9Zcnkq
Write in and tell us which levels you are missing
[ MDSec @MDSecLabs ]
Interested in sharpening your red team AD recon? Check out our latest post by @domchell, "Active Directory Enumeration for Red Teams"
https://www.mdsec.co.uk/2024/02/active-directory-enumeration-for-red-teams/
[ tweet ]
[ Andy Robbins @_wald0 ]
Directory.ReadWrite.All is not as powerful as you might think. In this post:
- Why that matters
- How I came to that conclusion
- Which app roles matter more
https://posts.specterops.io/directory-readwrite-all-is-not-as-powerful-as-you-might-think-c5b09a8f78a8
[ tweet ]
[ V✔️ @vincenzosantuc1 ]
Blog post about how I granted the Reflective DLL I worked on with Indirect Syscall skills. PIC to enumerate SSNs and a few Windows calling convention theory "pills". Among the other challenges :)
https://oldboy21.github.io/posts/2024/02/reflective-dll-got-indirect-syscall-skills/
[ tweet ]
[ Soufiane @S0ufi4n3 ]
New technique for bypassing EDRs with EDR-Preloading.
TL;DR: blocking the EDR from loading its DLL into a process, preventing the deployment of user-land hooks.
https://malwaretech.com/2024/02/bypassing-edrs-with-edr-preload.html
https://github.com/MalwareTech/EDR-Preloader
[ tweet ]
[ WHOAMI @wh0amitz ]
SharpADWS implements the MS-ADDM, MS-WSTIM and MS-WSDS protocols; you can use its source code to easily implement the following operations on Active Directory Web Services:
Enumerate
Pull
Delete
Get
Put
Add
Replace
Delete
Create
https://github.com/wh0amitz/SharpADWS
[ tweet ]
[ SpecterOps @SpecterOps ]
Check out our latest blog post about ADCS ESC13. @Jonas_B_K discusses how the abuse technique works, the ADCS feature it abuses, where the feature is used in the wild, how we can audit for ESC13, and how to deal with it from a defensive perspective.
https://posts.specterops.io/adcs-esc13-abuse-technique-fda4272fbd53
[ tweet ]
I'm already lost in all these ESCs
[ BlackArrow @BlackArrowSec ]
Enhanced version of secretsdump from #Impacket to dump credentials without touching disk.
This feature takes advantage of the WriteDACL privileges held by local administrators to provide temporary read permissions on registry hives.
https://github.com/fortra/impacket/pull/1698
https://github.com/jfjallid/go-secdump
[ tweet ]
[ icyguider @icyguider ]
I recently implemented 7 public UAC bypasses as BOFs and integrated them into a Havoc module and Sliver extensions. Requests to add more bypass methods are also welcome!
https://github.com/icyguider/UAC-BOF-Bonanza
[ tweet ]
[ Thorsten E. @endi24 ]
A PowerShell script to create an HTML report on recent changes in Active Directory.
https://gist.github.com/jdhitsolutions/9255f0bf7fe0dc6d2dde868c18d5049f
[ tweet ]
[ Hyp3rlinx @hyp3rlinx ]
Windows Defender Trojan.Win32/Powessere.G / Mitigation Bypass
C:\sec>rundll32.exe javascript:"\..\..\mshtml,,RunHTMLApplication ";alert(13)
Access is denied.
C:\sec>rundll32.exe javascript:"\\..\\..\\mshtml\\..\\..\\mshtml,RunHTMLApplication ";alert('HYP3RLINX')
[ tweet ]
[ Diego Capriotti @naksyn ]
Here's a new project and some Pyramid features:
Embedder lets you create small (go | nim | C# | C++) executables that load the Python interpreter to execute Python code using the embedding functionality.
Embedder can be easily paired with Pyramid, which now has a more OPSEC Pythonmemorymodule with full in-memory import and the whole download chain using the Wininet API, to reduce the imports to the minimum and smile to those pesky NTLM proxies along the way.
Pyramid updates are on the dev branch; I plan to merge them to main soon.
Here's a video that shows a 13 kB C# embedder assembly bootstrapping Pyramid to execute mimikatz.
Who needs python.exe when you can bring Python to the world?
https://github.com/naksyn/Embedder
[ tweet ]
[ pfiatde @pfiatde ]
This is crazy. GitHub does not prevent you from accessing commits which have been reverted and are not shown in the UI.
Just query the API and you are ready to go. Cool blog post!
https://neodyme.io/en/blog/github_secrets/
[ tweet ]
[ Garrett @garrfoster ]
SCCM hierarchy takeover by abusing site server high availability. In this blog, I walk through what active and passive site servers are and share multiple abusable scenarios that come bundled in.
https://posts.specterops.io/sccm-hierarchy-takeover-with-high-availability-7dcbd3696b43
[ tweet ]
Since our channel is a bit tied to Twitter, let's all celebrate my 10k together
[ Justin Ibarra @br0k3ns0und ]
Just updated with a few more entries.
Also, let me know if there are any others that should be added.
https://lolol.farm
[ tweet ]
[ 0xdf @0xdf_ ]
In Visual from @hackthebox_eu I'll exploit a Visual Studio build service. The most interesting part is recovering SeImpersonate for the local service account using FullPower so that I can run a Potato exploit.
https://0xdf.gitlab.io/2024/02/24/htb-visual.html
[ tweet ]
Haven't read HTB writeups in a long time, but this one is fun