Offensive Xwitter
[ Grzegorz Tworek @0gtweet ] Listing all processes keeping a particular file open is not a trivial task, but since Vista we have a special syscall parameter for such a purpose. Microsoft says "reserved for system use" but I was brave enough to wrap it into PowerShell…
[ Octoberfest7 @Octoberfest73 ]
Here is the full tool. Small and quick, but I still learned some things. Enjoy!
https://github.com/Octoberfest7/enumhandles_BOF
[ tweet ][ quote ]
[ DSAS by INJECT @DevSecAS ]
Most cryptographers and packers use various methods to unpack and run a PE file from memory.
The most common techniques to this day are RunPE and LoadPE.
https://injectexp.dev/b/LoadLibraryReloaded
https://t.iss.one/INJECTCRYPT/156
[ tweet ]
[ Alice Climent-Pommeret @AliceCliment ]
Hi there!
My latest article on the @harfanglab blog has just been published!
I'm talking about unpacking, XMRig, R77 and FIN7 (or not)
A special S/O to @splinter_code @JusticeRage and @securechicken
To check it out ⬇️
https://harfanglab.io/insidethelab/unpacking-packxor/
[ tweet ][ quote ]
[ William Burgess @joehowwolf ]
New CS Blog - Revisiting the UDRL Part 3: If you like the idea of loading a custom C2 channel in your UDRL, then this blog may be of interest.
https://www.cobaltstrike.com/blog/revisiting-the-udrl-part-3-beacon-user-data
[ tweet ]
[ Praetorian @praetorianlabs ]
Bypassing fully patched endpoint detection with Goffloader
We're excited to introduce Goffloader, an open-source Golang COFFLoader, compatible with Cobalt Strike BOFs.
Read more on our blog here:
https://www.praetorian.com/blog/introducing-goffloader-a-pure-go-implementation-of-an-in-memory-coffloader-and-pe-loader/
[ tweet ]
[ CoreLabs Research @CoreAdvisories ]
In his latest blog, Core Labs' @ricnar456 takes a deep dive into CVE-2024-30051, reversing this Windows #vulnerability to create a functional #PoC.
https://www.coresecurity.com/core-labs/articles/windows-dwm-core-library-elevation-privilege-vulnerability-cve-2024-30051
[ tweet ]
[ Maurice Heumann @momo5502 ]
I have finished my blog post about my journey through KiUserExceptionDispatcher and how I added exception support to my emulator :D
https://momo5502.com/posts/2024-09-07-a-journey-through-kiuserexceptiondispatcher/
[ tweet ]
[ Cas van Cooten @chvancooten ]
I just published the pre-recorded video version of my Nimplant demonstration for @BlackHatEvents Arsenal 2024! Check it out if you're interested in Nimplant and its new features, such as the Rust implant.
Recording available here:
https://youtu.be/9xQGjdPyDJc
[ tweet ]
Forwarded from Just Security
We have published a video of how the annual independent Pentest award 2024 went!
Happy faces, a crowd of energised specialists and, of course, happy winners with awards in their hands: a true celebration of ethical hacking.
It was great to meet old friends and colleagues offline, get to know new people, exchange knowledge and ideas, and talk about what matters: professional and pressing issues.
See you in 2025!
Special thanks to the project partners: BI.ZONE Bug Bounty, VK Bug Bounty, OFFZONE and CyberED.
📺 Full video
Pentest award (archive)
➤ @justsecurity
[ Daniel @0x64616e ]
Do you like ZSH, SOCKS proxies and Impacket? Then you might want to check this out:
https://github.com/dadevel/impacket-zsh-integration
[ tweet ]
It's interesting to look at other people's approaches to managing proxychains configs; I, for example, do it like this:
https://github.com/snovvcrash/dotfiles-linux/blob/2c4ab52c09749190c63a8e05187c28800e196f0a/system/funcs#L62-L74
[ Antonio Cocomazzi @splinter_code ]
Great talk by my friend @decoder_it at Troopers.
10 Years of Windows Privilege Escalation that includes the last iteration of the Potato exploits. Worth a watch!
https://www.youtube.com/watch?v=rPZx1zbKJnI
[ tweet ]
[ Scott Sutherland @_nullbind ]
[BLOG] Hijacking SQL Server Credentials using Agent Jobs for Domain Privilege Escalation
https://www.netspi.com/blog/technical-blog/network-pentesting/hijacking-sql-server-credentials-with-agent-jobs-for-domain-privilege-escalation/
[ tweet ]
[ lazarusholic @lazarusholic ]
"Fake recruiter coding tests target devs with malicious Python packages" published by ReversingLabs.
https://www.reversinglabs.com/blog/fake-recruiter-coding-tests-target-devs-with-malicious-python-packages
[ tweet ]
[ Pen Test Partners @PenTestPartners ]
Discover how our @_EthicalChaos_ edited Group Policy Objects (GPOs) without being tied to a domain-joined system. This technical blog explores the challenges of manipulating GPOs from non-domain environments using native Windows tools, minimising IOCs and maximising stealth in your red teaming efforts.
@_EthicalChaos_ details the process of manipulating the Group Policy Manager MMC snap-in, diving into debugging techniques, function manipulation, and the strategic use of hooks to bypass typical domain checks.
Discover how to intercept and modify critical functions like GetUserNameExW to bypass domain checks and tackle further complexities in the Group Policy Editor using hooks with the DGPOEdit tool, which @_EthicalChaos_ has put on GitHub for free.
This blog covers the technical barriers, API call modifications, and the challenges in creating a seamless experience with native tooling without compromising operational security. Perfect for those looking to leverage native Windows tools in their red teaming arsenal, this guide provides detailed insights into pushing beyond the limitations of standard approaches.
Look at @_EthicalChaos_'s methods and get access to the free DGPOEdit tool from the full blog now.
Read it here:
https://www.pentestpartners.com/security-blog/living-off-the-land-gpo-style/
[ tweet ]
[ konrad @konradgajdus ]
I made a donut using the C standard library:
https://github.com/konrad-gajdus/donut
[ tweet ]
[ Jiří Vinopal @vinopaljiri ]
Inspired by @0gtweet, I created PoC: EXE-or-DLL-or-ShellCode that can be:
Executed as a normal #exe
Loaded as #dll + export function can be invoked
Run via "rundll32.exe"
Executed as #shellcode right from the DOS (MZ) header that works as polyglot stub
https://github.com/Dump-GUY/EXE-or-DLL-or-ShellCode
[ tweet ]
[ Sam @Sam0x90 ]
Interesting ZIP trick with __Macosx__ folder and LNK executing ftp script to execute embedded pythonw.exe
zip > docx LNK > ftp.exe > disguised pythonw.exe > CS shellcode
https://www.ctfiot.com/203334.html
[ tweet ]
[ Het Mehta @hetmehtaa ]
Reversing a VPN client to hijack sessions
https://rotarydrone.medium.com/decrypting-and-replaying-vpn-cookies-4a1d8fc7773e
[ tweet ]
[ John Hammond @_JohnHammond ]
Well, this was a stupid insomnia project, but...
Playground code is here:
https://github.com/JohnHammond/recaptcha-phish
[ tweet ][ quote ]
[ Kurosh Dabbagh @_Kudaes_ ]
Somebody asked if you can run a dll directly without rundll32 as you would do with an exe. You just need to remove the IMAGE_FILE_DLL flag from IMAGE_FILE_HEADER->Characteristics, which can be done with the option -e. Don't see much use for it tho ^^
https://github.com/Kudaes/CustomEntryPoint
[ tweet ]
[ Usman Sikander @UsmanSikander13 ]
Basics to advanced process injection. Covering 25 techniques:
https://github.com/Offensive-Panda/ProcessInjectionTechniques
[ tweet ]