😈 [ TalBeerySec, Tal Be'ery ]
NTLM relay is dead and living in AAD.
An interesting @BlackHatEvents talk by @rubin_mor
https://t.co/9lVZdlkPHy
CC: @SteveSyfuhs @gentilkiwi
#BHUSA2022
🔗 https://i.blackhat.com/USA-22/Wednesday/US-22-Rubin-AAD-Joined-Machines-New-Lateral-Movement.pdf
🐥 [ tweet ]
😈 [ rubin_mor, Mor Rubin ]
Glad that an NTLM relay replacement was found for AAD😆
Releasing my NegoEx relay tool, which also allows you to modify the PKU2U part and bypass NegoEx message validation
https://t.co/UibeH6cuXB https://t.co/XpRFXu7pRr
🔗 https://github.com/morRubin/NegoExRelay
🐥 [ tweet ][ quote ]
😈 [ NinjaParanoid, Chetan Nayak (Author of Brute Ratel C4) ]
Released a bunch of video tutorials and a sneak peek of the upcoming release.. Webhooks, Antidebugging, Stack Duplication and Bring Your Own Injection.. Release blog incoming.... #BRc4
https://t.co/MIlykf9Yz6
https://t.co/YkQQzUtZVh
https://t.co/kUeWIlF59g
https://t.co/ct15mE6VOC
🔗 https://www.youtube.com/watch?v=K-xbRN_ur0A
🔗 https://www.youtube.com/watch?v=Bd0fnV4w6tg
🔗 https://www.youtube.com/watch?v=i-xbu0O2fN8
🔗 https://www.youtube.com/watch?v=hc4X82gTvfg
🐥 [ tweet ]
😈 [ hasherezade, hasherezade ]
My new paper for @MBThreatIntel: "#JSSLoader - the #shellcode edition" : https://t.co/gzpnhlr6mf // #FIN7
🔗 https://malwarebytes.com/blog/threat-intelligence/2022/08/jssloader-the-shellcode-edition
🐥 [ tweet ]
😈 [ 0xdf_, 0xdf ]
There's been a string of nice easy-rated Active Directory boxes on @hackthebox_eu lately, and Late was one of those. The box requires abusing WinRM using keys/certificates, PowerShell history, and LAPS.
https://t.co/t66gFWGlZM
🔗 https://0xdf.gitlab.io/2022/08/20/htb-timelapse.html
🐥 [ tweet ]
👹 [ snovvcrash, sn🥶vvcr💥sh ]
[#HackTip ⚒] While guys @_EthicalChaos_ and @an0n_r0 are talking about a legitimate way of jumping into RDP via smart card auth having a certificate, I’ll give a more clumsy approach: UnPAC-the-Hash (PKINIT) ⏭ DisableRestrictedAdmin=0 ⏭ scforceoption=0 ⏭ xfreerdp /pth 🎉
🐥 [ tweet ]
😈 [ thefLinkk, thefLink ]
Just pushed a detection idea for Foliage/AceLdr to Hunt-Sleeping-Beacons.
State Wait:UserRequest is triggered by KiUserApcDispatcher? Probably a Beacon :-)
https://t.co/ro4WETq9Ox
🔗 https://github.com/thefLink/Hunt-Sleeping-Beacons
🐥 [ tweet ]
😈 [ _ZakSec, Zak ]
If you're interested in an alternative way to dump domain users' NT hashes and TGTs without touching LSASS, take a look at the new Masky tool :)
Everything is explained in this article: https://t.co/jbcgupxvGi
Thanks @harmj0y, @tifkin_ and @ly4k_ for their amazing work on ADCS!
🔗 https://z4ksec.github.io/posts/masky-release-v0.0.3/
🐥 [ tweet ]
😈 [ albertzsigovits, Albert Zsigovits ]
"Don't write malware in Nim please."
17dcfd678baabb152dad73f8d2af3a6fe3504d98667f92795897c164a5983a39
C:\Users\abc\Desktop\NimShellCodeLoader_Winx64\NimShellCodeLoader\bin\OEP_Hiijack_Inject_Load.exe
@malwrhunterteam @vxunderground @HuskyHacksMK @Hexacorn @0verfl0w_
🐥 [ tweet ]
😈 [ s4ntiago_p, S4ntiagoP ]
Just finished implementing the new Shtinkering technique on nanodump, credits to @asaf_gilboa!
https://t.co/yEutAPBnS8
🔗 https://github.com/helpsystems/nanodump/pull/25
🐥 [ tweet ]
😈 [ bohops, bohops ]
[Blog] Investigating .NET CLR Usage Log Tampering Techniques For EDR Evasion (Part 2)
https://t.co/02HD37quHe
I finally had the time to finish this post! Included are two 'new' Usage Log tampering techniques and additional defensive recommendations.
🔗 https://bohops.com/2022/08/22/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion-part-2/
🐥 [ tweet ]
😈 [ ORCx41, ORCA ]
Released a PoC on ETW session hijacking, blocking network event monitoring in Procmon
https://t.co/E2BPjdVIBj
🔗 https://github.com/ORCx41/EtwSessionHijacking
🐥 [ tweet ]
😈 [ m3g9tr0n, Spiros Fraganastasis ]
Creating Shellcode from any Code Using Visual Studio and C++
https://t.co/p10vUufQEH
🔗 https://www.codeproject.com/Articles/5304605/Creating-Shellcode-from-any-Code-Using-Visual-Stud
🐥 [ tweet ]
👹 [ snovvcrash, sn🥶vvcr💥sh ]
I don’t think it’s suitable for the upstream (just too lazy to clean up the code for a proper PR) but here’s a dirty PoC of semi-execute-assembly with #CrackMapExec. Enjoy 😈
https://t.co/1nfUudCpZI
🔗 https://github.com/snovvcrash/CrackMapExec/tree/dotnetassembly
🐥 [ tweet ][ quote ]
😈 [ mansk1es, MANSK1ES ]
An article of mine called "Attacking on Behalf on Defense" which talks about abusing EDRs/XDRs to dump lsass (and much beyond), plus a bonus collab with @dec0ne.
https://t.co/9JxS9tjXxH
🔗 https://mansk1es.gitbook.io/edr-binary-abuse/
🐥 [ tweet ]
😈 [ MsftSecIntel, Microsoft Security Intelligence ]
Microsoft has observed various threat actors adopting and integrating the Sliver C2 framework in intrusion campaigns with—or as a replacement for—Cobalt Strike. Get technical info and hunting queries from this blog by Microsoft Security Experts: https://t.co/FBXYRsif0K
🔗 https://msft.it/6010jdC1q
🐥 [ tweet ]
😈 [ m8sec, Mike Brown ]
Just released a new blog post on "Exploiting PrintNightmare (CVE-2021-34527)" - which includes my version of the exploit that uses a built-in SMB server for payload delivery (no more open file shares!)
https://t.co/61dPOeD6ok
https://t.co/a9KXbbghe3
🔗 https://github.com/m8sec/CVE-2021-34527
🔗 https://infosecwriteups.com/exploiting-printnightmare-cve-2021-34527-10c6e0f5b83f?source=social.tw
🐥 [ tweet ]