[ Alisa Esage Шевченко @alisaesage ]
Everyone who doesn't like me sucks and is a bad person
[ tweet ]
current mood
[ NULL @NUL0x4C ]
FetchPayloadFromDummyFile: A tool to obfuscate your payload while reducing entropy by converting the payload to arrays of offsets.
https://github.com/NUL0x4C/FetchPayloadFromDummyFile
[ tweet ]
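An added example, in C, of the offset-array idea the tweet describes (this is written for this page, not FetchPayloadFromDummyFile's own code): each payload byte is replaced by the offset of an occurrence of that byte inside an innocuous "dummy" buffer, the loader rebuilds the payload by indexing the dummy buffer with those offsets, and the Shannon entropy of what is actually stored (the offset array) is compared with that of the raw payload. The dummy buffer (four byte ramps), the payload (a permutation of all 256 byte values, standing in for encrypted shellcode), the cycling through repeated occurrences and the little-endian 32-bit serialization are assumptions of the demo; the real tool's file format and offset selection may differ.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define LN2 0.6931471805599453

/* log2(p) for 0 < p <= 1 without libm: double p into [0.5, 1] counting the
   doublings, then ln(m) = 2*atanh((m-1)/(m+1)) as a short, fast-converging series. */
static double log2_nolibm(double p) {
    int n = 0;
    while (p < 0.5) { p *= 2.0; n++; }
    double y = (p - 1.0) / (p + 1.0), y2 = y * y, term = y, sum = 0.0;
    for (int k = 1; k < 60; k += 2) { sum += term / k; term *= y2; }
    return (2.0 * sum) / LN2 - n;
}

/* Shannon entropy in bits per byte (0..8) of an arbitrary buffer. */
double shannon_entropy(const uint8_t *buf, size_t len) {
    size_t counts[256] = {0};
    double h = 0.0;
    if (len == 0) return 0.0;
    for (size_t i = 0; i < len; i++) counts[buf[i]]++;
    for (int b = 0; b < 256; b++) {
        if (counts[b] == 0) continue;
        double p = (double)counts[b] / (double)len;
        h -= p * log2_nolibm(p);
    }
    return h;
}

/* Encode: for each payload byte store the offset of an occurrence of that byte in the
   dummy buffer. Occurrences are cycled per byte value so a repeated byte does not always
   map to the same offset (assumption of this demo). Returns the number of offsets
   written, or 0 if some payload byte never occurs in the dummy buffer. */
size_t encode_offsets(const uint8_t *dummy, size_t dummy_len,
                      const uint8_t *payload, size_t payload_len,
                      uint32_t *offsets) {
    size_t cursor[256] = {0};           /* where to resume searching per byte value */
    for (size_t i = 0; i < payload_len; i++) {
        uint8_t want = payload[i];
        size_t found = dummy_len;       /* sentinel: not found */
        for (size_t tries = 0; tries < dummy_len; tries++) {
            size_t j = (cursor[want] + tries) % dummy_len;
            if (dummy[j] == want) { found = j; break; }
        }
        if (found == dummy_len) return 0;
        offsets[i] = (uint32_t)found;
        cursor[want] = (found + 1) % dummy_len;
    }
    return payload_len;
}

/* Decode (what the loader does at run time): out[i] = dummy[offsets[i]], with every
   offset bounds-checked. Returns n on success, 0 on an out-of-range offset. */
size_t decode_offsets(const uint8_t *dummy, size_t dummy_len,
                      const uint32_t *offsets, size_t n, uint8_t *out) {
    for (size_t i = 0; i < n; i++) {
        if (offsets[i] >= dummy_len) return 0;
        out[i] = dummy[offsets[i]];
    }
    return n;
}

/* Demo on constructed data: a 256-byte payload containing every byte value once (8.0
   bits/byte, like encrypted shellcode) and a 1 KiB dummy buffer of four byte ramps.
   Returns 1 on a successful round trip and reports both entropies. */
int demo_offsets(double *payload_entropy, double *offsets_entropy) {
    uint8_t dummy[1024];
    for (size_t i = 0; i < sizeof dummy; i++) dummy[i] = (uint8_t)(i & 0xff);

    uint8_t payload[256];               /* i*97 mod 256 is a permutation of 0..255 */
    for (size_t i = 0; i < sizeof payload; i++) payload[i] = (uint8_t)(i * 97u);

    uint32_t offsets[256];
    if (encode_offsets(dummy, sizeof dummy, payload, sizeof payload, offsets) != sizeof payload)
        return 0;

    uint8_t rebuilt[256];
    if (decode_offsets(dummy, sizeof dummy, offsets, 256, rebuilt) != 256) return 0;
    if (memcmp(rebuilt, payload, 256) != 0) return 0;

    /* What sits in the loader's data section is the offset array, so measure the
       entropy of its little-endian serialization, not of the logical values. */
    uint8_t ser[256 * 4];
    for (size_t i = 0; i < 256; i++) {
        ser[4 * i + 0] = (uint8_t)(offsets[i]);
        ser[4 * i + 1] = (uint8_t)(offsets[i] >> 8);
        ser[4 * i + 2] = (uint8_t)(offsets[i] >> 16);
        ser[4 * i + 3] = (uint8_t)(offsets[i] >> 24);
    }
    *payload_entropy = shannon_entropy(payload, sizeof payload);
    *offsets_entropy = shannon_entropy(ser, sizeof ser);
    return 1;
}

int main(void) {
    double before = 0.0, after = 0.0;
    if (!demo_offsets(&before, &after)) { fprintf(stderr, "round trip failed\n"); return 1; }
    printf("payload entropy:      %.2f bits/byte\n", before);
    printf("offset array entropy: %.2f bits/byte\n", after);
    return 0;
}
```

On the constructed input the raw payload measures 8.0 bits/byte and the serialized offsets about 2.8, simply because three of every four bytes of a 32-bit offset into a small buffer are zero. Two caveats a practitioner would want: the dummy buffer must contain every byte value the payload needs (encode_offsets returns 0 otherwise, so check that before shipping a loader), and the entropy drop defeats only entropy-threshold heuristics; a scanner that emulates the loader, or one that flags a large array of small integers indexing a blob, still sees the payload.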
[ X-C3LL @TheXC3LL ]
You can find my slides for the "Offensive VBA" talk here:
https://github.com/X-C3LL/congresos-slides/blob/master/Offensive%20VBA.pdf
[ tweet ]
[ Daniel @0x64616e ]
Added support for LAPSv2 to BloodHound[.]py:
https://github.com/dirkjanm/BloodHound.py/pull/159
[ tweet ]
[ Lsec @lsecqt ]
I created a blog post about the MSSQL relay attack. Hope you enjoy and find this useful:
https://lsecqt.github.io/Red-Teaming-Army/active-directory/compromising-mssql-databases-by-relaying/
[ tweet ]
[ S3cur3Th1sSh1t @ShitSecure ]
Didn't check the code yet, but looks like SilverPotato and CertifiedDCOM have a working public weaponized tool by now:
https://github.com/CICADA8-Research/RemoteKrbRelay
That's huge news from my perspective
[ tweet ]
Déjà vu, I've seen this somewhere before... whatever
[ HADESS @Hadess_security ]
64 Methods For Execute Mimikatz
https://redteamrecipe.com/64-methods-for-execute-mimikatzrtc0003
[ tweet ]
[ Balthasar @BalthasarMartin ]
Today at #Troopers24 we released Certiception - the ADCS honeypot we always wanted to have.
Blog:
https://srlabs.de/blog-post/certiception-the-adcs-honeypot-we-always-wanted
Source code:
https://github.com/srlabs/Certiception
Slide deck, including our guide to deception strategy:
https://github.com/srlabs/Certiception/blob/main/documentation/
[ tweet ]
[ Nikhil Mittal @nikhil_mitt ]
"When the hunter becomes the hunted: Using custom callbacks to disable EDRs"
A fantastic blog post by @d1rkmtr that is full of knowledge and a teaser!
https://www.alteredsecurity.com/post/when-the-hunter-becomes-the-hunted-using-custom-callbacks-to-disable-edrs
[ tweet ]
[ Daniel @0x64616e ]
My friend @mojeda_101 and I had the funny idea to leverage GPO item-level targeting for domain persistence.
https://pentest.party/posts/2024/persistence-with-wmi-filters/
[ tweet ]
Who else's first thought was the comparison with port knocking?
[ DSAS by INJECT @DevSecAS ]
Active Directory Dumper - ADFind on Python
https://blog.injectexp.dev/2024/06/30/active-directory-dumper/
https://blog.injectexp.dev/2024/06/30/active-directory-dumper-2/
[ tweet ]
Forwarded from APT
The Qualys Threat Research Unit has discovered a Remote Unauthenticated Code Execution vulnerability in OpenSSH's server (sshd) in glibc-based Linux systems. The CVE assigned to this vulnerability is CVE-2024-6387.
The vulnerability, which is a signal handler race condition in OpenSSH's server (sshd), allows unauthenticated remote code execution (RCE) as root on glibc-based Linux systems.
Research:
https://blog.qualys.com/vulnerabilities-threat-research/2024/07/01/regresshion-remote-unauthenticated-code-execution-vulnerability-in-openssh-server
PoC:
https://github.com/7etsuo/cve-2024-6387-poc
#openssh #glibc #rce #cve
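An added illustration of the bug class named in the post, written for this page; it is generic C, not sshd's code and not a reproduction of CVE-2024-6387. The hazard in a "signal handler race" of this kind is a handler that does real work with functions that are not async-signal-safe (in the regreSSHion case the SIGALRM handler reached syslog(), which calls malloc()/free()); the hardened shape has the handler store only a flag and leaves logging and cleanup to the main loop. The connection loop, its step counter and the use of raise() in place of a real alarm() timer are assumptions made so the demo runs deterministically.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#include <unistd.h>

/* Written only by the handler, read by the main loop. sig_atomic_t is the one type a
   handler may store to without a data race; nothing else should happen in the handler. */
static volatile sig_atomic_t grace_expired = 0;

/* VULNERABLE PATTERN, shown for contrast and never installed by this example: real work
   inside the handler. free() and syslog() are not async-signal-safe. If SIGALRM lands
   while the interrupted code is inside malloc() or free(), this handler re-enters the
   allocator on a half-updated heap, which is the class of bug the advisory describes. */
static char *scratch = NULL;
void unsafe_alarm_handler(int sig) {
    (void)sig;
    free(scratch);                          /* not async-signal-safe */
    scratch = NULL;
    /* syslog(LOG_INFO, "Timeout before authentication"); -- also not safe here */
    _exit(1);
}

/* HARDENED PATTERN: record the event, nothing else. */
static void safe_alarm_handler(int sig) {
    (void)sig;
    grace_expired = 1;
}

int install_safe_handler(void) {
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = safe_alarm_handler;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;
    return sigaction(SIGALRM, &sa, NULL);
}

enum { AUTH_TIMED_OUT = 1, AUTH_DONE = 2 };

/* The daemon's ordinary loop, where malloc/free/logging are legal. `steps` stands in for
   iterations of a select/poll loop; at step == fire_at the alarm is delivered with
   raise() instead of a real timer (assumption of the demo). fire_at < 0 never fires. */
int service_connection(int steps, int fire_at) {
    char *buf = malloc(64);
    if (buf == NULL) return -1;
    for (int step = 0; step < steps; step++) {
        if (step == fire_at) raise(SIGALRM);
        if (grace_expired) {                /* the flag is the only thing the handler touched */
            grace_expired = 0;
            free(buf);                      /* safe: ordinary context, not a handler */
            fprintf(stderr, "Timeout before authentication (handled in main loop)\n");
            return AUTH_TIMED_OUT;
        }
        /* ... read and verify the next client message ... */
    }
    free(buf);
    return AUTH_DONE;
}

int main(void) {
    if (install_safe_handler() != 0) return 1;
    int r = service_connection(10, 3);
    printf("result: %s\n", r == AUTH_TIMED_OUT ? "timed out" : "authenticated");
    return 0;
}
```

The rule the hardened version follows is the one to audit for in any daemon with a grace timer: a handler may set a sig_atomic_t, write to a self-pipe or call the few functions POSIX lists as async-signal-safe, and every allocation, log line and cleanup runs in the loop that polls the flag. For unpatched hosts the Qualys advisory names setting LoginGraceTime to 0 in sshd_config as a mitigation, which removes the timer so the handler never fires, at the cost of leaving sshd easier to exhaust with idle connections; upgrading is the actual fix.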
[ Ege Balcı @egeblc ]
New tool drop! de-optimizer uses several mathematical approaches for mutating machine code instructions to their functional equivalents. Very good for bypassing rule-based detection without using any RWE memory.
https://github.com/EgeBalci/deoptimizer
[ tweet ]
[ Diego Capriotti @naksyn ]
Recently, I wanted to quickly test some sleep obfuscation ideas against @jdu2600's EtwTi-FluctuationMonitor using Beacon, without dealing with UDRL debugging. At the end of the journey, I ended up with:
- A way to generate and load, via a PE loader, a UDRL-less Beacon payload.
- A generic PE loader to hook Sleep and quickly prototype evasion ideas.
- Two different (though not necessarily novel) sleep obfuscation techniques, which allowed me to evade EtwTi-FluctuationMonitor and other scanners.
I dubbed these techniques MemoryBouncing and MemoryHopping. They both involve moving to another area of memory at every sleep and/or freeing the PE memory.
Here's the blog post:
https://www.naksyn.com/cobalt%20strike/2024/07/02/raising-beacons-without-UDRLs-teaching-how-to-sleep.html
And the PE loader used, dubbed Dojoloader:
https://github.com/naksyn/DojoLoader
In his BH Asia presentation, @jdu2600 gave some hints on how the RX->RW detection could be bypassed. It sounded fun to test, and it was indeed a fascinating challenge for me. A huge thanks to him and his tools for sparking my curiosity.
[ tweet ]
[ Winslow @senzee1984 ]
Check out my new article - EDRPrison: Borrow a Legitimate Driver to Mute EDR Agent
Blog:
https://www.3nailsinfosec.com/post/edrprison-borrow-a-legitimate-driver-to-mute-edr-agent
Github:
https://github.com/senzee1984/EDRPrison
[ tweet ]
[ Tyler Hudak @SecShoggoth ]
I recommend reading this thread as it gives some great insight and stories into incidents.
Also, the current top comment on there is freaking incredible!
https://www.reddit.com/r/sysadmin/comments/1dsgi6t/sysadmins_who_went_through_a_breach_how_did_the
[ tweet ]
[ ap @decoder_it ]
Cool finding from my colleague @cj_berlin, detailed here. PS remoting and SSH ignore "Deny Logon restrictions". So if you enable SSHd on a Domain Controller, every domain user can log in... and, for example, perform a #RemotePotato0 attack
https://it-pro-berlin.de/2024/07/use-ssh-on-windows-they-said/
[ tweet ]