😈 [ an0n_r0, an0n ]
WDAC bypass using InstallUtil today. Nothing new, original research by @tiraniddo from 2017. Recreated the technique using ysoserial[.]NET for InstallState file generation (the original tooling is broken for .NET 4.8+). The formatter+gadget chain for arbitrary .NET exec is below.
🐥 [ tweet ][ quote ]
😈 [ naksyn, Diego Capriotti ]
Here's a pure Python implementation of MemoryModule technique to load a dll from memory. If using python is an option in your engagement, you can execute your dlls without injection or shellcode.
check it out!
https://t.co/N7yDE061Hs
#redteaming #DYORredteamtip #evasion
🔗 https://github.com/naksyn/PythonMemoryModule/
🐥 [ tweet ]
🔥1
😈 [ zer1t0, Eloy ]
I've been playing with and implementing the HellsGate technique for learning, but found it cumbersome to use two procedures (HellsGate and HellDescent) for using syscalls, so I implemented zsyscall to use a syscall in one step. https://t.co/K2sIRzPQwW
🔗 https://gitlab.com/Zer1t0/zsyscall
🐥 [ tweet ]
😈 [ pdiscoveryio, ProjectDiscovery.io ]
Did you know that with the v9.3.3 release of nuclei-templates that you can now detect the top 200 WordPress Plugins with @pdnuclei?
A huge THANK YOU to @_ricardomaia from our community for this powerful addition to Nuclei Templates! Learn more: https://t.co/DmnF6znCmK
🔗 https://github.com/projectdiscovery/nuclei-templates/pull/6202
🐥 [ tweet ]
😈 [ Nigglxax, weak ]
Today I released Alcatraz - an x64 binary obfuscator featuring:
- Obfuscation of immediate moves
- Control flow flattening
- Mutation / Obfuscation of certain instructions like MOV, ADD, LEA
- Anti disassembly
- Entry point obfuscation
Read more at: https://t.co/UWMkq1Mt9J
🔗 https://github.com/weak1337/Alcatraz
🐥 [ tweet ]
👹 [ snovvcrash, sn🥶vvcr💥sh ]
Submitted another @hackthebox_eu Endgame write-up to Hackplayers (@CyberVaca_, @OscarAkaElvis) - Odyssey this time. Protected with a concatenation of all the flags in the appropriate order. Check it out!
https://t.co/mftkKN7bUx
🔗 https://github.com/Hackplayers/hackthebox-writeups/pull/281
🐥 [ tweet ]
😈 [ daem0nc0re, daem0nc0re ]
Released my CSharp implementation of Phantom DLL Hollowing.
Thanks for your research @_ForrestOrr
https://t.co/kp3OGkauvj
🔗 https://github.com/daem0nc0re/TangledWinExec/tree/main/PhantomDllHollower
🐥 [ tweet ]
😈 [ D1rkMtr, D1rkMtr ]
Bypass EDR Hooks by patching NT API stub, and resolving SSNs and syscall instructions at runtime
https://t.co/5qaUEFm78N
🔗 https://github.com/D1rkMtr/UnhookingPatch
🐥 [ tweet ]
😈 [ an0n_r0, an0n ]
bumped into this openssl `unsupported hash type MD4` error again, this time tried to use Certipy in an offsec lab but not with Kali, used something else.
so here I pushed a micro HOWTO about what to add exactly to openssl cnf in order to solve this:
https://t.co/m0G5MJqC4w
🔗 https://gist.github.com/tothi/392dbb008ae0b60d25cfa4447bc21121
🐥 [ tweet ][ quote ]
😈 [ TrustedSec, TrustedSec ]
Don't suffer a LAPS(e) in judgement! Your tools need protection too. Security Consultant @mega_spl0it outlines how to build #Splunk SPL queries to detect attacks against #MicrosoftLAPS in our new #blog. https://t.co/nhcuC6eZx4
🔗 https://hubs.la/Q01xvpTt0
🐥 [ tweet ]
😈 [ decoder_it, ap ]
We did it again with #LocalPotato!
A not-so-common NTLM reflection attack allowing for arbitrary read/write. Basically EoP from user to SYSTEM.
Tracked as #CVE-2023-21746 - Windows NTLM EoP
Soon more details --> https://t.co/Skyn0xdxNN
cc @splinter_code
🔗 http://www.localpotato.com
🐥 [ tweet ]
🔥3
😈 [ D1rkMtr, D1rkMtr ]
Implementation of persistence via the Recycle Bin by adding an "open\command" subkey to the "HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell" key and changing its value to the implant path
https://t.co/myUvfQ4JRN
🔗 https://github.com/D1rkMtr/RecyclePersist
🐥 [ tweet ]
😈 [ cnotin, Clément Notin / @cnotin@infosec.exchange ]
📄 New blog post about an investigation where SMB client got "access is denied" due to "Microsoft network server: Server SPN target name validation level" (#SmbServerNameHardeningLevel) which is an anti-NTLM relay security policy.
💡 Learn more about it!
https://t.co/3dm7dy9PKq
🔗 https://medium.com/tenable-techblog/smb-access-is-denied-caused-by-anti-ntlm-relay-protection-659c60089895
🐥 [ tweet ]
😈 [ filip_dragovic, Filip Dragovic ]
Here is PoC for CVE-2023-21752.
Arbitrary file delete in Windows Backup service.
https://t.co/72Dz1uUMCg
🔗 https://github.com/Wh04m1001/CVE-2023-21752
🐥 [ tweet ]
🔥2
Hunting for externally exposed OWA web front-ends across a large target scope with httpx and dnsx:
#perimeter #owa
cat subdomains.txt
sub1.example.com
sub2.example.com
sub3.example.ru
sub4.example.ru
sub5.example.bz
sub6.example.bz
for i in `cat subdomains.txt | rev | cut -d. -f1-2 | rev | sort -u`; do echo https://autodiscover.$i; done | httpx -silent -random-agent -fr -t 20 -sc -noscript -td -ip | grep Outlook | grep -oP '\d+\.\d+\.\d+\.\d+' | dnsx -silent -re -ptr
1.3.3.7 [mx1.example.com]
66.66.66.66 [mx2.example.ru]
123.123.123.123 [mx3.example.bz]
🔥8
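One caveat on the one-liner above, with an added helper that is not part of the original post: the `rev | cut -d. -f1-2 | rev` stage keeps only the last two labels of each hostname, so anything under a two-label public suffix (mail.example.co.uk) collapses to "co.uk" and you end up probing https://autodiscover.co.uk instead of the real apex. The script below replaces just that stage. The suffix list is a constructed, partial one (extend it for your scope) and the sample hostnames stand in for subdomains.txt; the httpx and dnsx tail of the pipeline is unchanged and is not reproduced here.

```shell
# Added example, not from the original post. Replaces the
# `rev | cut -d. -f1-2 | rev` stage of the OWA one-liner with an apex
# extraction that understands a few two-label public suffixes.
# Constructed, partial suffix list: add the ones relevant to your scope.
TWO_LABEL_SUFFIXES="co.uk org.uk ac.uk gov.uk com.au net.au com.br co.jp co.za co.nz"

# Print the registrable (apex) domain of one hostname.
registrable_domain() {
  printf '%s\n' "$1" | awk -v sfx="$TWO_LABEL_SUFFIXES" '
    {
      n = split($0, p, ".")
      if (n < 2) { print $0; next }          # bare label: nothing to strip
      last2 = p[n-1] "." p[n]
      m = split(sfx, s, " ")
      for (i = 1; i <= m; i++) {
        if (last2 == s[i] && n >= 3) {       # e.g. mail.example.co.uk -> example.co.uk
          print p[n-2] "." last2
          next
        }
      }
      print last2                            # e.g. sub1.example.com -> example.com
    }'
}

# Read hostnames from stdin (one per line, blank lines ignored) and print the
# de-duplicated https://autodiscover.<apex> URLs, sorted bytewise, one per line.
# This is exactly the list the original pipeline pipes into httpx.
autodiscover_urls() {
  while IFS= read -r host; do
    [ -n "$host" ] || continue
    registrable_domain "$host"
  done | LC_ALL=C sort -u | sed 's#^#https://autodiscover.#'
}

# Constructed sample input standing in for subdomains.txt.
SAMPLE_SUBDOMAINS='sub1.example.com
sub2.example.com
sub3.example.ru
mail.example.co.uk
owa.example.co.uk'

printf '%s\n' "$SAMPLE_SUBDOMAINS" | autodiscover_urls
```

Usage: `autodiscover_urls < subdomains.txt | httpx -silent -random-agent -fr -t 20 -sc -noscript -td -ip | grep Outlook | grep -oP '\d+\.\d+\.\d+\.\d+' | dnsx -silent -re -ptr`, i.e. the same tail as in the post. The sort is forced to `LC_ALL=C` so the de-duplication and ordering do not depend on the locale's collation rules, which ignore dots in some locales.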
😈 [ SEKTOR7net, SEKTOR7 Institute ]
Bypassing Windows Mark-of-the-Web (MotW) feature with a crafted ZIP file, by @mrgretzky
Enjoy the journey!
https://t.co/IdjSacJNPd
🔗 https://breakdev.org/zip-motw-bug-analysis/
🐥 [ tweet ]
😈 [ _Mayyhem, Chris Thompson ]
SCCM takeover by abusing automatic client push installation has fewer requirements than I thought. Check this post out for a detailed walkthrough and recommendations. Install KB15599094 and disable NTLM for client push installation to prevent this attack.
https://t.co/cg5CYRCBZV
🔗 https://posts.specterops.io/sccm-site-takeover-via-automatic-client-push-installation-f567ec80d5b1
🐥 [ tweet ]
😈 [ an0n_r0, an0n ]
not a new one, but might be useful: Detecting Lateral Movement (and other) techniques through Event Logs by @jpcert_en
https://t.co/xIyta9ZESK
#DFIR
🔗 https://jpcertcc.github.io/ToolAnalysisResultSheet/
🐥 [ tweet ]
😈 [ emil_lerner, Emil Lerner ]
Here's a story about how I hacked Redis from the current ubuntu 22.04 repository using a bug I found almost 7 years ago (also a write-up for the "hardened redis" challenge from the recent @RealWorldCTF)
https://t.co/LizzeKFjPM
🔗 https://medium.com/@emil.lerner/hacking-redis-for-fun-and-ctf-points-3450c351bec1
🐥 [ tweet ]