😈 [ bugch3ck, Jonas Vestberg ]
Disclosed today at @Disobey_fi - psexec from #impacket expose the target system for authenticated command execution as SYSTEM. That means any user that can authenticate over the network (usually Domain Users) can run code as SYSTEM over the network.
🐥 [ tweet ]
Forwarded from RedTeam brazzers
After a domain compromise, a task came up: analyze whether any attacks on ACLs in AD had been carried out and whether any backdoors had been left behind. A quick look at the current state of the domain horrified me. It was completely unclear which ACLs had appeared after the compromise and which had existed before. At the same time I had a backup of the domain controller from before the breach at hand. It turns out the ADExplorer tool has a mode for comparing two LDAP schema dumps. This functionality is simply wonderful! By comparing the two dumps I found strange anomalies and changes in the NtSecurityDescriptor attribute, which were more convenient to examine in BloodHound (reminder: an ADExplorer dump can be conveniently converted to JSON for BloodHound with a script). Why look in BloodHound? The thing is, ACLs in ADExplorer are represented in Security Descriptor Definition Language (SDDL) format; moreover, not all ACLs are of interest to us, only the dangerous ones (Generic and specific ones), and it is BloodHound that highlights those for us.
The same LDAP schema comparison trick is also handy for the Blue Team: take one dump before going on vacation and a second one when you return. Then compare what the admins did, and where, while you were away from your desk))
😈 [ ustayready, Mike Felch (Stay Ready) ]
Dropped a small utility that splits a large BloodHound/AzureHound JSON file into a bunch of smaller files. Is helpful when you encounter a large environment and have a multi-gb JSON file. https://t.co/Fh91IEVrPO
🔗 https://github.com/ustayready/ShredHound
🐥 [ tweet ]
😈 [ _Kudaes_, Kurosh Dabbagh ]
This was such a simple and "stupid" idea, but at the end it seems it's working. Apply a divide and conquer approach to perform remote process injection (or any other activity) bypassing some of the most common EDRs out there.
https://t.co/CIGsgZ447q
🔗 https://github.com/Kudaes/Split
🐥 [ tweet ]
😈 [ 0xLegacyy, Jordan Jay ]
Converted @_EthicalChaos_'s novel threadless process injection project into a BOF.
Gain shellcode execution via using a relative call to hook an exported function within the remote process.
https://t.co/TLGfEmDCGs
🔗 https://github.com/iiLegacyyii/ThreadlessInject-BOF
🐥 [ tweet ]
😈 [ cube0x0, Cube0x0 ]
@bugch3ck @Disobey_fi @ippsec is way ahead of you ;) https://t.co/zfbBrPEKTP
🔗 https://youtu.be/VVZZgqIyD0Q?t=2692
🐥 [ tweet ]
xD xD
😈 [ an0n_r0, an0n ]
here is the public release of the serviceDetector script (featuring [MS-LSAT] LsarLookupNames() for detecting the installed state and named pipe enumeration for detecting the running state of a service): https://t.co/7A0s6jfgTM
🔗 https://github.com/tothi/serviceDetector
🐥 [ tweet ][ quote ]
😈 [ M4yFly, Mayfly ]
Major GOAD refactor and update today 🥳
Add RDP bot user
Add Webdav support
Ansible inventory was refactored, you can now find it on the lab folder (ad/sevenkingdoms.local/inventory).
And now you can easily build your own lab from the template: https://t.co/MM8H9y9ze6
🔗 https://github.com/Orange-Cyberdefense/GOAD/tree/main/ad/template.lab
🐥 [ tweet ]
😈 [ mpgn_x64, mpgn ]
It's 2023, CrackMapExec can now dump DPAPI credentials as a core feature! 🚀
This is possible thanks to the work of @_zblurx and his library dploot! He also added a module to dump Firefox passwords 🔥
Pushed on @porchetta_ind v5.4.5 Bruce Wayne 🪂
No excuse, DA every time, 🔽
🐥 [ tweet ]
😈 [ beriberikix, Jonathan Beri ]
👀 Browser-based Telnet demo using the much-discussed Direct Sockets API: https://t.co/6YUFHdYXne
🔗 https://github.com/GoogleChromeLabs/telnet-client
🐥 [ tweet ]
Telnet in Chrome? 🤔
😈 [ pdiscoveryio, ProjectDiscovery.io ]
Check out the first video in our new series, “Nuclei Fundamentals.” In this series, we'll cover all of @pdnuclei – from the basics of getting started to advanced use cases for penetration testing.
https://t.co/WG1YdfskW0
🔗 https://www.youtube.com/watch?v=b5qMyQvL1ZA
🐥 [ tweet ]
😈 [ FuzzySec, b33f ]
Check out the blog post I wrote for IBM @XForce. I provide an analysis of DKOM attacks on Kernel ETW providers, give technical implementation details and tie that back to in-the-wild capabilities used by Lazarus last year 🔪🔥 https://t.co/pcSGzXvYxg
🔗 https://securityintelligence.com/posts/direct-kernel-object-manipulation-attacks-etw-providers/
🐥 [ tweet ]
Forwarded from Netsec
A Deep Dive Into a PoshC2 Implant
https://ift.tt/ZXC31Eo
Submitted February 21, 2023 at 08:32PM by CyberMasterV
via reddit https://ift.tt/UYRiqj5
😈 [ N4k3dTurtl3, NA ]
New post and Impacket improvement from @Icebreaker_Team's @Crypt0s https://t.co/EaNpnK8SWL
🔗 https://icebreaker.team/blogs/dumping-passwords-from-microsoft-active-directory-lightweight-directory-services-ad-lds/
🐥 [ tweet ]
😈 [ 0xBoku, Bobby Cooke ]
DLL module stomping and all beacon memory allocators are now supported! The options are pulled right from the malleable C2 profile!
VirtualAlloc is the only one via direct syscall. The new allocators DLL module stomping, HeapAlloc, MapViewOfFile, were https://t.co/WnolPE5YIw
🔗 https://github.com/xforcered/BokuLoader
🐥 [ tweet ]
😈 [ yarden_shafir, Yarden Shafir ]
PPLs (aka "not a security boundary") are getting some new protections in Windows 11. One of them fixes a technique documented by @elastic last year where they "sandbox" Windows Defender by modifying its token: https://t.co/kt6bl3czjN
🔗 https://www.elastic.co/security-labs/sandboxing-antimalware-products
🐥 [ tweet ]
Forwarded from Ralf Hacker Channel (Ralf Hacker)
A small teaser 🙈
While the second part is being prepared, the first one can be read at the link ⬇️
🔗 https://habr.com/ru/company/angarasecurity/blog/661341/
UPD. Some technical hiccups came up, so for now the release is postponed indefinitely (we were told that writing about such things in public is not allowed). We're sorry.