#Cobalt_Strike
Cobalt Strike UDRL for memory scanner evasion.
Features
Easy to Use:
Import a single CNA script before generating shellcode.
Dynamic Memory Encryption:
Creates a new heap for any allocations from Beacon and encrypts entries before sleep.
Code Obfuscation and Encryption:
Changes the memory containing CS executable code to non-executable and encrypts it (FOLIAGE).
Return Address Spoofing at Execution:
Certain WinAPI calls are executed with a spoofed return address (InternetConnectA, NtWaitForSingleObject, RtlAllocateHeap).
Sleep Without Sleep:
Delayed execution using WaitForSingleObjectEx.
RC4 Encryption:
All encryption performed with SystemFunction032.
https://github.com/kyleavery/AceLdr
@BlueRedTeam
#Red_Team
List of Awesome Red Team / Red Teaming Resources This list is for anyone wishing to learn about Red Teaming but do not have a starting point.
https://github.com/0xMrNiko/Awesome-Red-Teaming
https://github.com/J0hnbX/RedTeam-Resources
https://github.com/A0RX/Red-Blueteam-party
@BlueRedTeam
#Red_Team
👺 Red team: Pentest two organizations at the same time.
• I would like to remind you about the useful webinar "Red team: Pentest with two contractors at the same time". Where real examples of attacks are analyzed:
➖ Methods and tactics of physical penetration into the territory of the organization.
➖ Penetration into the company's perimeter from the outside, through IoT in the apartment of the organization's management.
➖ Gaining administrator access, including information security specialists through Active Directory, a client for MacOS (0-day)
➖ Hacking ACS and camera systems in a cafe.
➖ Installation of an eternal backdoor that could not be found even after reinstallation.
and much more...
@BlueRedTeam
#Red_Team
Caching the Un-cacheables - Abusing URL Parser Confusions (Web Cache Poisoning Technique)
https://nokline.github.io/bugbounty/2022/09/02/Glassdoor-Cache-Poisoning.html
HideProcessHook - DLL that hooks the NtQuerySystemInformation API and hides a process name
https://github.com/ryan-weil/HideProcessHook
@BlueRedTeam
#Red_Team
+ Practical Attacks Against NTLMV1
https://www.trustedsec.com/blog/practical-attacks-against-ntlmv1
+ Exploiting Laravel based applications with leaked APP_KEYs and Queues
https://mogwailabs.de/en/blog/2022/08/exploiting-laravel-based-applications-with-leaked-app_keys-and-queues
@BlueRedTeam
#Blue_Team
Elkeid - Cloud-Native Host-Based IDS to provide next-generation Threat Detection and Behavior Audition with modern architecture
https://github.com/bytedance/Elkeid
@BlueRedTeam
#Red_Team
+ Writing a simple rootkit for linux
https://0x00sec.org/t/writing-a-simple-rootkit-for-linux/29034
+ A Windows box with MSSQL injection in a PHP site, local and remote file includes, and LAPS
https://0xdf.gitlab.io/2022/09/17/htb-streamio.html
@BlueRedTeam
#Red_Team
+ Anonymously bruteforce AD usernames from Domain Controllers by abusing LDAP Ping requests (cLDAP)
https://github.com/lkarlslund/ldapnomnom
+ Relaying YubiKeys
https://cube0x0.github.io/Relaying-YubiKeys
+ Stealing Access Tokens From Office Desktop Applications
https://mrd0x.com/stealing-tokens-from-office-applications
@BlueRedTeam
#Blue_Team
Practical Guidance For IT Admins To Respond After Ransomware Attacks
https://m365internals.com/2022/09/19/practical-guidance-for-it-admins-to-respond-to-ransomware-attacks
@BlueRedTeam
#Red_Team
1. Kerberoast attack "pure python"
https://github.com/skelsec/kerberoast
2. A Guide to DNS Takeovers
https://blog.projectdiscovery.io/guide-to-dns-takeovers
3. Masquerade any legitimate Windows binary by changing some fields in the PEB structure
https://github.com/D1rkMtr/MasqueradingPEB
@BlueRedTeam
#Red_Team
+ Bypassing FileBlockExecutable in Sysmon 14.0: A Lesson In Analyzing Assumptions
https://www.huntandhackett.com/blog/bypassing-sysmon
+ Windows 11 Shift F10 Bypass and Autopilot privilege escalation
https://k4m1ll0.com/ShiftF10Bypass-and-privesc.html
@BlueRedTeam
#Red_Team
+ A tool for generating multiple types of NTLMv2 hash theft files
https://github.com/Greenwolf/ntlm_theft
+ Find dead-links
https://github.com/hahwul/deadfinder
@BlueRedTeam
#Red_Team
+ Car Hacking - Manual Bypass of Modern Rolling Code Implementations
https://labs.jumpsec.com/car-hacking-manual-bypass-of-modern-rolling-code-implementations
+ How To Attack Admin Panels Successfully
https://infosecwriteups.com/how-to-attack-admin-panels-successfully-72c90eeb818c
@BlueRedTeam
#Red_Team
+ Phishing With Chromium's Application Mode
https://mrd0x.com/phishing-with-chromium-application-mode
+ FUD-UUID-Shellcode
https://github.com/Bl4ckM1rror/FUD-UUID-Shellcode#compile
@BlueRedTeam
#Red_Team
+ Spoofing Calendar Invites Using .ics Files
https://mrd0x.com/spoofing-calendar-invites-using-ics-files
+ Opera Browser VPN Bypass
https://medium.com/@renwa/opera-browser-vpn-bypass-20877aaf08c0
@BlueRedTeam
#Blue_Team
+ PowerShell script to collect a packet trace with option to convert .etl to .pcap
https://github.com/dwmetz/QuickPcap
+ Zeroday MS Exchange Server checker
(Virtual Patching checker)
https://github.com/VNCERT-CC/0dayex-checker
+ Exchange On-premises Mitigation Tool v2 (EOMTv2)
https://microsoft.github.io/CSS-Exchange/Security/EOMTv2
@BlueRedTeam
multi-command mimikatz functionality in a CS beacon
https://gist.github.com/tothi/2809d548f7407de781892c4f840fdee1
@BlueRedTeam
#Red_Team
+ Certifried combined with KrbRelayUp
https://gist.github.com/tothi/f89a37127f2233352d74eef6c748ca25
+ Using NTLMRawUnHide to Uncover NTLMv2 Hashes
https://www.mike-gualtieri.com/posts/live-off-the-land-and-crack-the-ntlmssp-protocol
@BlueRedTeam
#Blue_Team
1. LMD - Linux Malware Detection
https://github.com/rfxn/linux-malware-detect
2. Aftermath - free macOS IR framework
https://github.com/jamf/aftermath
@BlueRedTeam
#Blue_Team
Advanced Sysmon ATT&CK configuration
https://github.com/ion-storm/sysmon-config
@BlueRedTeam