π [ Daniel @0x64616e ]
Added support for LAPSv2 to BloodHound[.]py:
π https://github.com/dirkjanm/BloodHound.py/pull/159
π₯ [ tweet ]
Added support for LAPSv2 to BloodHound[.]py:
π https://github.com/dirkjanm/BloodHound.py/pull/159
π₯ [ tweet ]
π₯6
π [ Lsec @lsecqt ]
I created a blog-post about MSSQL relay attack. Hope you enjoy and find this useful:
π https://lsecqt.github.io/Red-Teaming-Army/active-directory/compromising-mssql-databases-by-relaying/
π₯ [ tweet ]
I created a blog-post about MSSQL relay attack. Hope you enjoy and find this useful:
π https://lsecqt.github.io/Red-Teaming-Army/active-directory/compromising-mssql-databases-by-relaying/
π₯ [ tweet ]
π6π₯2
π [ S3cur3Th1sSh1t @ShitSecure ]
Didn't check the code yet, but looks like SilverPotato and CertifiedDCOM have a working public weaponized tool by now:
π https://github.com/CICADA8-Research/RemoteKrbRelay
That's huge news from my perspectiveπ₯
π₯ [ tweet ]
Didn't check the code yet, but looks like SilverPotato and CertifiedDCOM have a working public weaponized tool by now:
π https://github.com/CICADA8-Research/RemoteKrbRelay
That's huge news from my perspectiveπ₯
π₯ [ tweet ]
Π΄Π΅ΠΆΠ°Π²Ρ, Π³Π΄Π΅-ΡΠΎ Ρ ΡΡΠΎ ΡΠΆΠ΅ Π²ΠΈΠ΄Π΅Π»... whateverπ₯9π4π₯±1
π [ HADESS @Hadess_security ]
64 Methods For Execute Mimikatz
π https://redteamrecipe.com/64-methods-for-execute-mimikatzrtc0003
π₯ [ tweet ]
64 Methods For Execute Mimikatz
π https://redteamrecipe.com/64-methods-for-execute-mimikatzrtc0003
π₯ [ tweet ]
π₯±8π6π₯1
π [ Balthasar @BalthasarMartin ]
Today at #Troopers24 we released Certiception β the ADCS honeypot we always wanted to have.
Blog:
π https://srlabs.de/blog-post/certiception-the-adcs-honeypot-we-always-wanted
Source code:
π https://github.com/srlabs/Certiception
Slide deck, including our guide to deception strategy:
π https://github.com/srlabs/Certiception/blob/main/documentation/
π₯ [ tweet ]
Today at #Troopers24 we released Certiception β the ADCS honeypot we always wanted to have.
Blog:
π https://srlabs.de/blog-post/certiception-the-adcs-honeypot-we-always-wanted
Source code:
π https://github.com/srlabs/Certiception
Slide deck, including our guide to deception strategy:
π https://github.com/srlabs/Certiception/blob/main/documentation/
π₯ [ tweet ]
π1π₯1π€1
π [ Nikhil Mittal @nikhil_mitt ]
"When the hunter becomes the hunted: Using custom callbacks to disable EDRs"
A fantastic blog post by @d1rkmtr that is full of knowledge and a teaser!
π https://www.alteredsecurity.com/post/when-the-hunter-becomes-the-hunted-using-custom-callbacks-to-disable-edrs
π₯ [ tweet ]
"When the hunter becomes the hunted: Using custom callbacks to disable EDRs"
A fantastic blog post by @d1rkmtr that is full of knowledge and a teaser!
π https://www.alteredsecurity.com/post/when-the-hunter-becomes-the-hunted-using-custom-callbacks-to-disable-edrs
π₯ [ tweet ]
π₯6π1
π [ Daniel @0x64616e ]
My friend @mojeda_101 and I had the funny idea to leverage GPO item-level targeting for domain persistence.
π https://pentest.party/posts/2024/persistence-with-wmi-filters/
π₯ [ tweet ]
My friend @mojeda_101 and I had the funny idea to leverage GPO item-level targeting for domain persistence.
π https://pentest.party/posts/2024/persistence-with-wmi-filters/
π₯ [ tweet ]
ΠΊΠΎΠΌΡ ΡΠΎΠΆΠ΅ Π² ΠΏΠ΅ΡΠ²ΡΡ ΠΎΡΠ΅ΡΠ΅Π΄Ρ Π² Π³ΠΎΠ»ΠΎΠ²Ρ ΠΏΡΠΈΡΠ»ΠΎ ΡΡΠ°Π²Π½Π΅Π½ΠΈΠ΅ Ρ port knocking?π₯4π₯±1
π [ DSAS by INJECT @DevSecAS ]
Active Directory Dumper - ADFind on Python
π https://blog.injectexp.dev/2024/06/30/active-directory-dumper/
π https://blog.injectexp.dev/2024/06/30/active-directory-dumper-2/
π₯ [ tweet ]
Active Directory Dumper - ADFind on Python
π https://blog.injectexp.dev/2024/06/30/active-directory-dumper/
π https://blog.injectexp.dev/2024/06/30/active-directory-dumper-2/
π₯ [ tweet ]
π₯5π3
Forwarded from APT
The Qualys Threat Research Unit has discovered a Remote Unauthenticated Code Execution vulnerability in OpenSSHβs server (sshd) in glibc-based Linux systems. CVE assigned to this vulnerability is CVE-2024-6387.
The vulnerability, which is a signal handler race condition in OpenSSHβs server (sshd), allows unauthenticated remote code execution (RCE) as root on glibc-based Linux systems.
π Research:
https://blog.qualys.com/vulnerabilities-threat-research/2024/07/01/regresshion-remote-unauthenticated-code-execution-vulnerability-in-openssh-server
π PoC:
https://github.com/7etsuo/cve-2024-6387-poc
#openssh #glibc #rce #cve
Please open Telegram to view this post
VIEW IN TELEGRAM
π₯12
This media is not supported in your browser
VIEW IN TELEGRAM
π [ Ege BalcΔ± @egeblc ]
New tool drop! π₯π₯ de-optimizer uses several mathematical approaches for mutating machine code instructions to their functional equivalents. Very good for bypassing rule-based detection without using any RWE memory.
π https://github.com/EgeBalci/deoptimizer
π₯ [ tweet ]
New tool drop! π₯π₯ de-optimizer uses several mathematical approaches for mutating machine code instructions to their functional equivalents. Very good for bypassing rule-based detection without using any RWE memory.
π https://github.com/EgeBalci/deoptimizer
π₯ [ tweet ]
π7
π [ Diego Capriotti @naksyn ]
Recently, I wanted to quickly test some sleep obfuscation ideas against @jdu2600's EtwTi-FluctuationMonitor using Beacon, without dealing with UDRL debugging. At the end of the journey, I ended up with:
- A way to generate and load, via a PE loader, a UDRL-less Beacon payload.
- A way to generate and load, via a PE loader, a UDRL-less Beacon payload.
- A generic PE loader to hook Sleep and quickly prototype evasion ideas.
- Two different (though not necessarily novel) sleep obfuscation techniques, which allowed me to evade EtwTi-FluctuationMonitor and other scanners.
I dubbed these techniques MemoryBouncing and MemoryHopping. They both involve moving to another area of memory at every sleep and/or freeing the PE memory.
Hereβs the blog post:
π https://www.naksyn.com/cobalt%20strike/2024/07/02/raising-beacons-without-UDRLs-teaching-how-to-sleep.html
And the PE loader used, dubbed Dojoloader:
π https://github.com/naksyn/DojoLoader
In his BH Asia presentation, @jdu2600 gave some hints on how the RX->RW detection could be bypassed. It sounded fun to test, and it was indeed a fascinating challenge for me. A huge thanks to him and his tools for sparking my curiosity.
π₯ [ tweet ]
Recently, I wanted to quickly test some sleep obfuscation ideas against @jdu2600's EtwTi-FluctuationMonitor using Beacon, without dealing with UDRL debugging. At the end of the journey, I ended up with:
- A way to generate and load, via a PE loader, a UDRL-less Beacon payload.
- A way to generate and load, via a PE loader, a UDRL-less Beacon payload.
- A generic PE loader to hook Sleep and quickly prototype evasion ideas.
- Two different (though not necessarily novel) sleep obfuscation techniques, which allowed me to evade EtwTi-FluctuationMonitor and other scanners.
I dubbed these techniques MemoryBouncing and MemoryHopping. They both involve moving to another area of memory at every sleep and/or freeing the PE memory.
Hereβs the blog post:
π https://www.naksyn.com/cobalt%20strike/2024/07/02/raising-beacons-without-UDRLs-teaching-how-to-sleep.html
And the PE loader used, dubbed Dojoloader:
π https://github.com/naksyn/DojoLoader
In his BH Asia presentation, @jdu2600 gave some hints on how the RX->RW detection could be bypassed. It sounded fun to test, and it was indeed a fascinating challenge for me. A huge thanks to him and his tools for sparking my curiosity.
π₯ [ tweet ]
π₯6π2
π [ Winslow @senzee1984 ]
Check out my new article - EDRPrison: Borrow a Legitimate Driver to Mute EDR Agent
Blog:
π https://www.3nailsinfosec.com/post/edrprison-borrow-a-legitimate-driver-to-mute-edr-agent
Github:
π https://github.com/senzee1984/EDRPrison
π₯ [ tweet ]
Check out my new article - EDRPrison: Borrow a Legitimate Driver to Mute EDR Agent
Blog:
π https://www.3nailsinfosec.com/post/edrprison-borrow-a-legitimate-driver-to-mute-edr-agent
Github:
π https://github.com/senzee1984/EDRPrison
π₯ [ tweet ]
π₯5π€―2
π [ Tyler Hudak @SecShoggoth ]
I recommend reading this thread as it gives some great insight and stories into incidents.
Also, the current top comment on there is freaking incredible!
π https://www.reddit.com/r/sysadmin/comments/1dsgi6t/sysadmins_who_went_through_a_breach_how_did_the
π₯ [ tweet ]
I recommend reading this thread as it gives some great insight and stories into incidents.
Also, the current top comment on there is freaking incredible!
π https://www.reddit.com/r/sysadmin/comments/1dsgi6t/sysadmins_who_went_through_a_breach_how_did_the
π₯ [ tweet ]
π9
π [ ap @decoder_it ]
Cool finding from my colleague @cj_berlin detailed here: . PS remoting and SSH ignores "Deny Logon restrictions". So if you enable SSHd on a Domain Controller, every domain user can log in... and, for example, perform a #RemotePotato0 attack π²
π https://it-pro-berlin.de/2024/07/use-ssh-on-windows-they-said/
π₯ [ tweet ]
Cool finding from my colleague @cj_berlin detailed here: . PS remoting and SSH ignores "Deny Logon restrictions". So if you enable SSHd on a Domain Controller, every domain user can log in... and, for example, perform a #RemotePotato0 attack π²
π https://it-pro-berlin.de/2024/07/use-ssh-on-windows-they-said/
π₯ [ tweet ]
π6π₯3π₯±1
π [ Frey @Freyxfi ]
Rockyou2024[.]Zip Word list
π https://s3.timeweb.cloud/fd51ce25-6f95e3f8-263a-4b13-92af-12bc265adb44/rockyou2024.zip
π https://t.iss.one/frx3y/178
π₯ [ tweet ]
Rockyou2024[.]Zip Word list
π https://s3.timeweb.cloud/fd51ce25-6f95e3f8-263a-4b13-92af-12bc265adb44/rockyou2024.zip
π https://t.iss.one/frx3y/178
π₯ [ tweet ]
(45 Gb zip)π13π₯4π₯±1
π [ sh4dy @sh4dy_0011 ]
Wrote a short blog about running a simple LLVM pass. Iβll add even more cool stuff in upcoming posts :)
π https://sh4dy.com/2024/06/29/learning_llvm_01/
Source code:
π https://github.com/0xSh4dy/learning_llvm
π₯ [ tweet ]
Wrote a short blog about running a simple LLVM pass. Iβll add even more cool stuff in upcoming posts :)
π https://sh4dy.com/2024/06/29/learning_llvm_01/
Source code:
π https://github.com/0xSh4dy/learning_llvm
π₯ [ tweet ]
π₯5π3
π [ sh4dy @sh4dy_0011 ]
Hereβs the second part of my blog series on Compiler and LLVM internals, where Iβve explained the following concepts:
1. Basic blocks
2. Control flow graphs
3. Modules
4. Some applications of LLVM passes
π https://sh4dy.com/2024/07/06/learning_llvm_02
Source code:
π https://github.com/0xSh4dy/learning_llvm/tree/master/part_2
π₯ [ tweet ]
Hereβs the second part of my blog series on Compiler and LLVM internals, where Iβve explained the following concepts:
1. Basic blocks
2. Control flow graphs
3. Modules
4. Some applications of LLVM passes
π https://sh4dy.com/2024/07/06/learning_llvm_02
Source code:
π https://github.com/0xSh4dy/learning_llvm/tree/master/part_2
π₯ [ tweet ]
π₯10π1
π [ Orange Cyberdefense's SensePost Team @sensepost ]
Decorrelate attack tool behaviour to avoid EDR interference. In this post, @Defte_ writes about how remote LSA secrets dumping works and retrieves a Windows computer's BOOTKEY using less common methods.
π https://sensepost.com/blog/2024/dumping-lsa-secrets-a-story-about-task-decorrelation/
π₯ [ tweet ]
Decorrelate attack tool behaviour to avoid EDR interference. In this post, @Defte_ writes about how remote LSA secrets dumping works and retrieves a Windows computer's BOOTKEY using less common methods.
π https://sensepost.com/blog/2024/dumping-lsa-secrets-a-story-about-task-decorrelation/
π₯ [ tweet ]
π10π₯2
π [ Rayan Bouyaiche @rayanlecat ]
Hello everyone !
This weekend I participated at @_leHACK_ where I did the #NetExec workshop animated by @mpgn_x64. Here is my writeup for those of you that are interested
π https://www.rayanle.cat/lehack-2024-netexec-workshop-writeup/
π₯ [ tweet ]
Hello everyone !
This weekend I participated at @_leHACK_ where I did the #NetExec workshop animated by @mpgn_x64. Here is my writeup for those of you that are interested
π https://www.rayanle.cat/lehack-2024-netexec-workshop-writeup/
π₯ [ tweet ]
π8