😈 [ Andrew Oliveau @AndrewOliveau ]
💥BOOM!💥 Another privilege escalation blog, this time showcasing how to convert arbitrary file deletions 🗑️ to SYSTEM command prompt🌈 CVE-2023-27470. Learn about TOCTOU, pseudo-symlinks, MSI rollback exploits, and, of course, how to protect yourselves!
🔗 https://www.mandiant.com/resources/blog/arbitrary-file-deletion-vulnerabilities
🐥 [ tweet ]
🔥4
😈 [ ShorSec Cyber Security @ShorSecLtd ]
🔥New Blog Post Alert!
The next chapter in our "The Path to DA" series is now live: "(Relaying) To The Internet And Back".
This entry, by @dec0ne, explores yet another route to DA, focusing on the intricacies of ADIDNS Abuse, LDAP relay, RBCD, and more.
🔗 https://shorsec.io/blog/the-path-to-da-part-2-relaying-to-the-internet-and-back/
🐥 [ tweet ]
👍2🔥1
😈 [ Vincent Yiu @vysecurity ]
DevTunnels, blue are going to begin searching for DevTunnels.ms. Get ready ahead of time and use domains like:
global.rel.tunnels.api.visualstudio.com
tunnels-prod-rel-tm.trafficmanager.net
*.app.github.dev
🔗 https://www.syonsecurity.com/post/devtunnels-for-c2
🐥 [ tweet ]
🔥2
😈 [ Rohan Aggarwal @nahoragg ]
My talk "Bypassing Anti-Cheats & Hacking Competitive Games" from @securityfest is now available on YouTube. #game #Hacking
🔗 https://youtu.be/bTU7huCmFXA
🐥 [ tweet ]
🔥4
😈 [ S3cur3Th1sSh1t @ShitSecure ]
Just finished the talk "Playing Chess as Red-Teams" @MCTTP_Con! 🔥 Time to release my PoC to avoid Kernel Callback / ETWti triggered memory scans for process injection - Caro-Kann:
🔗 https://github.com/S3cur3Th1sSh1t/Caro-Kann
🐥 [ tweet ]
👍4
😈 [ Antonio Cocomazzi @splinter_code ]
Excited to share my hardest research about UAC 🤯
"Bypassing UAC with SSPI Datagram Contexts" 🔥
In a nutshell:
✅ Works on latest Windows 11 down to Windows 7
✅ Works on both domain-joined and non-domain-joined machines
✅ Works without using UI hacks or any auto-elevated binary/interface
✅ Works with maximum UAC level settings *Always Notify*
✅ Not a security boundary / Won’t Fix
Enjoy the read! 👇
🔗 https://splintercod3.blogspot.com/p/bypassing-uac-with-sspi-datagram.html
🐥 [ tweet ]
🔥6
😈 [ SkelSec @SkelSec ]
Weeeee! My Defcon talk is now on Youtube!
🔗 https://www.youtube.com/watch?v=7oAZK8x_mL0
🔗 https://github.com/skelsec/wsnet
🔗 https://github.com/skelsec/wsnet-dotnet
🐥 [ tweet ]
@skelsec genius, indeed
👍2🔥1
Tamas Jos - Spooky authentication at a distance.pdf (3.6 MB)
👍2🔥1
😈 [ Adam Chester 🏴☠️ @_xpn_ ]
My Okta for Red Teamers post is up! We look at how Kerberos SSO works, how to intercept credentials via a fake AD Agent, decrypting AD Agent tokens, adding skeleton keys, and even how to deploy a janky SAML IdP server to auth as any user for good measure.
🔗 https://www.trustedsec.com/blog/okta-for-red-teamers/
🐥 [ tweet ]
🔥2
😈 [ јаmеѕ ███████ @rotarydrone ]
Awesome stuff 🔥 The AD agent hijack here is much stealthier (and cooler) than injecting a DLL.
Here's a Nim example for LogonUser hooking, à la PTASpy or @_xpn_'s blog on AADC for red teams. This also works for the AD agent:
🔗 https://gist.githubusercontent.com/rotarydrone/645f77f7e778da75800d1cde4013da2f/raw/a7a12e6e4529f4d09037ee6d908ead89500aa1ad/LogonUserSpy.nim
🐥 [ tweet ][ quote ]
🔥2
😈 [ Dylan Tran @d_tranman ]
Dug into call stack spoofing for the past few months and wrote something. Hopefully this is helpful.
🔗 https://dtsec.us/2023-09-15-StackSpoofin/
🐥 [ tweet ]
🔥2
😈 [ Greg Darwin @gregdarwin ]
Cobalt Strike 4.9 is now live. This release adds UDRL support for post-ex DLLs, the ability to export Beacon without a reflective loader, support for callbacks, a Beacon data store and more. Check out the blog post for details:
🔗 https://www.cobaltstrike.com/blog/cobalt-strike-49-take-me-to-your-loader
🐥 [ tweet ]
🔥2
Lost my patience when rpcclient broke yet again on old protocols, and I needed to resolve name↔️SID right here and now:
🔗 https://github.com/fortra/impacket/pull/1618
Add lookupname.py example by snovvcrash · Pull Request #1618 · fortra/impacket
A tiny example for hLsarLookupNames3 and hLsarLookupSids2 calls that I use when rpcclient refuses to work 😒
🔥8😁1
😈 [ Omri Baso @omri_baso ]
A new novel technique I researched for lateral movement by stealing tokens while abusing the RPC named pipe \\pipe\LSM_API_service
🔗 https://medium.com/p/a23965e8227e
🐥 [ tweet ]
🔥1
😈 [ Rasta Mouse @_RastaMouse ]
Experimenting with a basic stage0 that allows you to roll your own implants and stage them from external C2 frameworks.
🔗 https://youtu.be/wvDm6Ro0g1g
🐥 [ tweet ]
🔥2
😈 [ MalDev Academy @MalDevAcademy ]
Our EXE loader is now available to everyone on GitHub:
We'll be uploading more repositories on our GitHub in the future.
🔗 https://github.com/Maldev-Academy/MaldevAcademyLdr.1
🐥 [ tweet ]
🔥1
😈 [ Louis Dion-Marcil @ldionmarcil ]
Outlook for Windows can be tricked into displaying a fake domain, but open another one. Add a <base> tag with a fake domain + left-to-right mark (U+200E)
Links in <a> tags will show the fake domain, but open the real domain.
No need to buy .zip! :) Convincing #phishing #redteam
🐥 [ tweet ]
🔥5👍1🥱1
No idea what this is, but everyone is posting it: https://news.1rj.ru/str/OffensiveTwitter?boost
🥱16👍3