👹 [ snovvcrash, sn🥶vvcr💥sh ]
Submitted another @hackthebox_eu Endgame write-up to Hackplayers (@CyberVaca_, @OscarAkaElvis) - Odyssey this time. Protected with a concatenation of all the flags in the appropriate order. Check it out!
https://t.co/mftkKN7bUx
🔗 https://github.com/Hackplayers/hackthebox-writeups/pull/281
🐥 [ tweet ]
Submitted another @hackthebox_eu Endgame write-up to Hackplayers (@CyberVaca_, @OscarAkaElvis) - Odyssey this time. Protected with a concatenation of all the flags in the appropriate order. Check it out!
https://t.co/mftkKN7bUx
🔗 https://github.com/Hackplayers/hackthebox-writeups/pull/281
🐥 [ tweet ]
😈 [ daem0nc0re, daem0nc0re ]
Released my CSharp implementation of Phantom DLL Hollowing.
Thanks for your research @_ForrestOrr
https://t.co/kp3OGkauvj
🔗 https://github.com/daem0nc0re/TangledWinExec/tree/main/PhantomDllHollower
🐥 [ tweet ]
Released my CSharp implementation of Phantom DLL Hollowing.
Thanks for your research @_ForrestOrr
https://t.co/kp3OGkauvj
🔗 https://github.com/daem0nc0re/TangledWinExec/tree/main/PhantomDllHollower
🐥 [ tweet ]
😈 [ D1rkMtr, D1rkMtr ]
Bypass EDR Hooks by patching NT API stub, and resolving SSNs and syscall instructions at runtime
https://t.co/5qaUEFm78N
🔗 https://github.com/D1rkMtr/UnhookingPatch
🐥 [ tweet ]
Bypass EDR Hooks by patching NT API stub, and resolving SSNs and syscall instructions at runtime
https://t.co/5qaUEFm78N
🔗 https://github.com/D1rkMtr/UnhookingPatch
🐥 [ tweet ]
😈 [ an0n_r0, an0n ]
bumped into this openssl `unsupported hash type MD4` error again, this time tried to use Certipy in an offsec lab but not with Kali, used something else.
so here I pushed a micro HOWTO about what to add exactly to openssl cnf in order to solve this:
https://t.co/m0G5MJqC4w
🔗 https://gist.github.com/tothi/392dbb008ae0b60d25cfa4447bc21121
🐥 [ tweet ][ quote ]
bumped into this openssl `unsupported hash type MD4` error again, this time tried to use Certipy in an offsec lab but not with Kali, used something else.
so here I pushed a micro HOWTO about what to add exactly to openssl cnf in order to solve this:
https://t.co/m0G5MJqC4w
🔗 https://gist.github.com/tothi/392dbb008ae0b60d25cfa4447bc21121
🐥 [ tweet ][ quote ]
😈 [ TrustedSec, TrustedSec ]
Don't suffer a LAPS(e) in judgement! Your tools need protection too. Security Consultant @mega_spl0it outlines how to build #Splunk SPL queries to detect attacks against #MicrosoftLAPS in our new #blog. https://t.co/nhcuC6eZx4
🔗 https://hubs.la/Q01xvpTt0
🐥 [ tweet ]
Don't suffer a LAPS(e) in judgement! Your tools need protection too. Security Consultant @mega_spl0it outlines how to build #Splunk SPL queries to detect attacks against #MicrosoftLAPS in our new #blog. https://t.co/nhcuC6eZx4
🔗 https://hubs.la/Q01xvpTt0
🐥 [ tweet ]
😈 [ decoder_it, ap ]
We did it again with #LocalPotato!
A not-so-common NTLM reflection attack allowing for arbitrary read/write. Basically EoP from user to SYSTEM.
Tracked as #CVE-2023-21746 - Windows NTLM EoP
Soon more details --> https://t.co/Skyn0xdxNN
cc @splinter_code
🔗 http://www.localpotato.com
🐥 [ tweet ]
We did it again with #LocalPotato!
A not-so-common NTLM reflection attack allowing for arbitrary read/write. Basically EoP from user to SYSTEM.
Tracked as #CVE-2023-21746 - Windows NTLM EoP
Soon more details --> https://t.co/Skyn0xdxNN
cc @splinter_code
🔗 http://www.localpotato.com
🐥 [ tweet ]
🔥3
This media is not supported in your browser
VIEW IN TELEGRAM
😈 [ D1rkMtr, D1rkMtr ]
implementation of Persistence via Recycle Bin by adding "open\command" subkey to the "HKCR\CLSID{645FF040-5081-101B-9F08-00AA002F954E}\shell" key and changing its value to the implant path
https://t.co/myUvfQ4JRN
🔗 https://github.com/D1rkMtr/RecyclePersist
🐥 [ tweet ]
implementation of Persistence via Recycle Bin by adding "open\command" subkey to the "HKCR\CLSID{645FF040-5081-101B-9F08-00AA002F954E}\shell" key and changing its value to the implant path
https://t.co/myUvfQ4JRN
🔗 https://github.com/D1rkMtr/RecyclePersist
🐥 [ tweet ]
😈 [ cnotin, Clément Notin / @cnotin@infosec.exchange ]
📄 New blog post about an investigation where SMB client got "access is denied" due to "Microsoft network server: Server SPN target name validation level" (#SmbServerNameHardeningLevel) which is an anti-NTLM relay security policy.
💡 Learn more about it!
https://t.co/3dm7dy9PKq
🔗 https://medium.com/tenable-techblog/smb-access-is-denied-caused-by-anti-ntlm-relay-protection-659c60089895
🐥 [ tweet ]
📄 New blog post about an investigation where SMB client got "access is denied" due to "Microsoft network server: Server SPN target name validation level" (#SmbServerNameHardeningLevel) which is an anti-NTLM relay security policy.
💡 Learn more about it!
https://t.co/3dm7dy9PKq
🔗 https://medium.com/tenable-techblog/smb-access-is-denied-caused-by-anti-ntlm-relay-protection-659c60089895
🐥 [ tweet ]
😈 [ filip_dragovic, Filip Dragovic ]
Here is PoC for CVE-2023-21752.
Arbitrary file delete in Windows Backup service.
https://t.co/72Dz1uUMCg
🔗 https://github.com/Wh04m1001/CVE-2023-21752
🐥 [ tweet ]
Here is PoC for CVE-2023-21752.
Arbitrary file delete in Windows Backup service.
https://t.co/72Dz1uUMCg
🔗 https://github.com/Wh04m1001/CVE-2023-21752
🐥 [ tweet ]
🔥2
Ищем торчащие наружу веб-морды OWA на большом скоупе таргетов с помощью httpx и dnsx:
#perimeter #owa
cat subdomains.txt
sub1.example.com
sub2.example.com
sub3.example.ru
sub4.example.ru
sub5.example.bz
sub6.example.bz
for i in `cat subdomains.txt | rev | cut -d. -f1-2 | rev | sort -u`; do echo https://autodiscover.$i; done | httpx -silent -random-agent -fr -t 20 -sc -noscript -td -ip | grep Outlook | grep -oP '\d+\.\d+\.\d+\.\d+' | dnsx -silent -re -ptr
1.3.3.7 [mx1.example.com]
66.66.66.66 [mx2.example.ru]
123.123.123.123 [mx3.example.bz]
#perimeter #owa
🔥8
😈 [ SEKTOR7net, SEKTOR7 Institute ]
Bypassing Windows Mark-of-the-Web (MotW) feature with a crafted ZIP file, by @mrgretzky
Enjoy the journey!
https://t.co/IdjSacJNPd
🔗 https://breakdev.org/zip-motw-bug-analysis/
🐥 [ tweet ]
Bypassing Windows Mark-of-the-Web (MotW) feature with a crafted ZIP file, by @mrgretzky
Enjoy the journey!
https://t.co/IdjSacJNPd
🔗 https://breakdev.org/zip-motw-bug-analysis/
🐥 [ tweet ]
😈 [ _Mayyhem, Chris Thompson ]
SCCM takeover by abusing automatic client push installation has less requirements than I thought. Check this post out for a detailed walkthrough and recommendations. Install KB15599094 and disable NTLM for client push installation to prevent this attack.
https://t.co/cg5CYRCBZV
🔗 https://posts.specterops.io/sccm-site-takeover-via-automatic-client-push-installation-f567ec80d5b1
🐥 [ tweet ]
SCCM takeover by abusing automatic client push installation has less requirements than I thought. Check this post out for a detailed walkthrough and recommendations. Install KB15599094 and disable NTLM for client push installation to prevent this attack.
https://t.co/cg5CYRCBZV
🔗 https://posts.specterops.io/sccm-site-takeover-via-automatic-client-push-installation-f567ec80d5b1
🐥 [ tweet ]
😈 [ an0n_r0, an0n ]
not a new one, but might be useful: Detecting Lateral Movement (and other) techniques through Event Logs by @jpcert_en
https://t.co/xIyta9ZESK
#DFIR
🔗 https://jpcertcc.github.io/ToolAnalysisResultSheet/
🐥 [ tweet ]
not a new one, but might be useful: Detecting Lateral Movement (and other) techniques through Event Logs by @jpcert_en
https://t.co/xIyta9ZESK
#DFIR
🔗 https://jpcertcc.github.io/ToolAnalysisResultSheet/
🐥 [ tweet ]
😈 [ emil_lerner, Emil Lerner ]
Here's a story about how I hacked Redis from the current ubuntu 22.04 repository using a bug I found almost 7 years ago (also a write-up for the "hardened redis" challenge from the recent @RealWorldCTF)
https://t.co/LizzeKFjPM
🔗 https://medium.com/@emil.lerner/hacking-redis-for-fun-and-ctf-points-3450c351bec1
🐥 [ tweet ]
Here's a story about how I hacked Redis from the current ubuntu 22.04 repository using a bug I found almost 7 years ago (also a write-up for the "hardened redis" challenge from the recent @RealWorldCTF)
https://t.co/LizzeKFjPM
🔗 https://medium.com/@emil.lerner/hacking-redis-for-fun-and-ctf-points-3450c351bec1
🐥 [ tweet ]
😈 [ 0xdeaddood, leandro ]
#Impacket is back! We're already working to take it to the next level! 🚀🌕
https://t.co/wLMsZOYauN
🔗 https://0xdeaddood.rocks/2023/01/14/we-are-back
🐥 [ tweet ]
#Impacket is back! We're already working to take it to the next level! 🚀🌕
https://t.co/wLMsZOYauN
🔗 https://0xdeaddood.rocks/2023/01/14/we-are-back
🐥 [ tweet ]
😈 [ SEKTOR7net, SEKTOR7 Institute ]
Detecting already in-memory loaded artifacts from kernel in real time, by @alonsocandado
https://t.co/0sxvPgIBfK
🔗 https://www.countercraftsec.com/blog/detecting-malicious-artifacts-using-an-etw-consumer-in-kernel-mode/
🐥 [ tweet ]
Detecting already in-memory loaded artifacts from kernel in real time, by @alonsocandado
https://t.co/0sxvPgIBfK
🔗 https://www.countercraftsec.com/blog/detecting-malicious-artifacts-using-an-etw-consumer-in-kernel-mode/
🐥 [ tweet ]
This media is not supported in your browser
VIEW IN TELEGRAM
😈 [ Max_Mal_, Max_Malyutin ]
#IcedID (#BokBot), #Qakbot & #Bumblebee use Batch Obfuscation
Windows Command Shell Defense Evasion🔥
[+] set environment variable: set variable=string
https://t.co/tlJDIPZeOW
Quick and simple de-obfuscation;
Replace each %variable% with the string to get the malicious command
🔗 https://ss64.com/nt/set.html
🐥 [ tweet ]
#IcedID (#BokBot), #Qakbot & #Bumblebee use Batch Obfuscation
Windows Command Shell Defense Evasion🔥
[+] set environment variable: set variable=string
https://t.co/tlJDIPZeOW
Quick and simple de-obfuscation;
Replace each %variable% with the string to get the malicious command
🔗 https://ss64.com/nt/set.html
🐥 [ tweet ]
🤔1
😈 [ xct_de, xct ]
My first three videos on testing a relatively large, custom active directory environment are out. To get started, check out the first part here:
https://t.co/SFIq5svJjN
🔗 https://vulndev.io/2023/01/07/vl-shinra-and-so-it-begins-sqli-command-injection-hash-cracking/
🐥 [ tweet ]
My first three videos on testing a relatively large, custom active directory environment are out. To get started, check out the first part here:
https://t.co/SFIq5svJjN
🔗 https://vulndev.io/2023/01/07/vl-shinra-and-so-it-begins-sqli-command-injection-hash-cracking/
🐥 [ tweet ]