😈 [ Orange Cyberdefense's SensePost Team @sensepost ]
Traditional methods of blinding EDR's are to remove hooks. In this post @vikingfr investigates a new technique (and tool) for blinding an EDR in kernel land by limiting connections to the EDR driver's filter communication port.
🔗 https://sensepost.com/blog/2023/filter-mute-operation-investigating-edr-internal-communication/
🔗 https://v1k1ngfr.github.io/edrsnowblast/
🐥 [ tweet ]
Traditional methods of blinding EDR's are to remove hooks. In this post @vikingfr investigates a new technique (and tool) for blinding an EDR in kernel land by limiting connections to the EDR driver's filter communication port.
🔗 https://sensepost.com/blog/2023/filter-mute-operation-investigating-edr-internal-communication/
🔗 https://v1k1ngfr.github.io/edrsnowblast/
🐥 [ tweet ]
ультра интересно про препятствие взаимодействия подсистем user mode <-> kernel mode EDR, ослепление последнего без вайпа ядерных колбеков🔗 https://ppn.snovvcrash.rocks/pentest/infrastructure/ad/av-edr-evasion/byovd
ссылочки про BYOVD я коллекционирую вот тут:
👍6🔥1
😈 [ HADESS @Hadess_security ]
The Art Of Hiding In Windows: techniques used by malicious actors to obscure their activities, making detection and analysis significantly more challenging for security professionals.
Article:
🔗 https://hadess.io/the-art-of-hiding-in-windows/
EBook:
🔗 https://hadess.io/the-art-of-hiding-in-windows-ebook/
#windows #redteam
🐥 [ tweet ]
The Art Of Hiding In Windows: techniques used by malicious actors to obscure their activities, making detection and analysis significantly more challenging for security professionals.
Article:
🔗 https://hadess.io/the-art-of-hiding-in-windows/
EBook:
🔗 https://hadess.io/the-art-of-hiding-in-windows-ebook/
#windows #redteam
🐥 [ tweet ]
(pdf-ка в комментах)👍2🔥2
😈 [ eversinc33 @eversinc33 ]
Nice tool:) Reminded me of a noscript I wrote a while ago, which is for those environments where users have to change their pws every X months, resulting in passwords like January2022. The noscript simply uses the LDAP pwdLastSet attr to generate a wordlist.
🔗 https://github.com/eversinc33/CredGuess
🐥 [ tweet ][ quote ]
Nice tool:) Reminded me of a noscript I wrote a while ago, which is for those environments where users have to change their pws every X months, resulting in passwords like January2022. The noscript simply uses the LDAP pwdLastSet attr to generate a wordlist.
🔗 https://github.com/eversinc33/CredGuess
🐥 [ tweet ][ quote ]
👍3
😈 [ Gabriel Landau @GabrielLandau ]
Watch me drop some still-unpatched Windows exploits at BlackHat:
✅ Bypass LSASS RunAsPPL
✅ Modify kernel memory
💥 Zero vulnerable drivers
Article:
🔗 http://tiny.cc/FVDX
Article #2:
🔗 http://tiny.cc/KillingPPLFault
Code:
🔗 https://github.com/gabriellandau/PPLFault
Talk:
🔗 https://youtu.be/5xteW8Tm410
🐥 [ tweet ]
Watch me drop some still-unpatched Windows exploits at BlackHat:
✅ Bypass LSASS RunAsPPL
✅ Modify kernel memory
💥 Zero vulnerable drivers
Article:
🔗 http://tiny.cc/FVDX
Article #2:
🔗 http://tiny.cc/KillingPPLFault
Code:
🔗 https://github.com/gabriellandau/PPLFault
Talk:
🔗 https://youtu.be/5xteW8Tm410
🐥 [ tweet ]
👍1🔥1
😈 [ Csaba Fitzl @theevilbit ]
🎉🥁 The wait is over. Please welcome "Dock Tile Plugins" to the persistence club. My new favorite. 🤩 In the blog:
🍎 background and details
🍎 how to create and use
🍎 how to detect
🍎 sample code and binary
🔗 https://theevilbit.github.io/beyond/beyond_0032/
🐥 [ tweet ][ quote ]
🎉🥁 The wait is over. Please welcome "Dock Tile Plugins" to the persistence club. My new favorite. 🤩 In the blog:
🍎 background and details
🍎 how to create and use
🍎 how to detect
🍎 sample code and binary
🔗 https://theevilbit.github.io/beyond/beyond_0032/
🐥 [ tweet ][ quote ]
🔥3
😈 [ Orange Cyberdefense Switzerland @orangecyberch ]
The correct IP address is sometimes all you need to exploit a remote target.
Want to know more ? Have a look at the latest post by @plopz0r on our blog:
🔗 https://blog.scrt.ch/2023/09/25/exploiting-stale-adidns-entries/
🐥 [ tweet ]
The correct IP address is sometimes all you need to exploit a remote target.
Want to know more ? Have a look at the latest post by @plopz0r on our blog:
🔗 https://blog.scrt.ch/2023/09/25/exploiting-stale-adidns-entries/
🐥 [ tweet ]
👍3
😈 [ Chetan Nayak (Brute Ratel C4 Author) @NinjaParanoid ]
Here is my blog post detailing the secure hosting of a C2 infrastructure and the exploitation of various Azure services for C2 purposes:
🔗 https://0xdarkvortex.dev/c2-infra-on-azure/
🐥 [ tweet ]
Here is my blog post detailing the secure hosting of a C2 infrastructure and the exploitation of various Azure services for C2 purposes:
🔗 https://0xdarkvortex.dev/c2-infra-on-azure/
🐥 [ tweet ]
👍3🤔1
😈 [ eversinc33 @eversinc33 ]
Wrote a blog post for my company on how we implement obfuscation for our C# post-exploitation arsenal. Discussing some detection opportunities and our ways around them. Special thx to @Flangvik for his video on SharpCollection, which is our pipelines base
🔗 https://www.r-tec.net/r-tec-blog-net-assembly-obfuscation-for-memory-scanner-evasion.html
🐥 [ tweet ]
Wrote a blog post for my company on how we implement obfuscation for our C# post-exploitation arsenal. Discussing some detection opportunities and our ways around them. Special thx to @Flangvik for his video on SharpCollection, which is our pipelines base
🔗 https://www.r-tec.net/r-tec-blog-net-assembly-obfuscation-for-memory-scanner-evasion.html
🐥 [ tweet ]
🔥3
😈 [ Md Ismail Šojal @0x0SojalSec ]
The new cs.github.com search allows for regex, which means brand new regex GitHub Dorks are possible!
Eg, find SSH and FTP passwords via connection strings with:
/ssh:\/\/.*:.*@.*target\.com/
/ftp:\/\/.*:.*@.*target\.com/
🐥 [ tweet ]
The new cs.github.com search allows for regex, which means brand new regex GitHub Dorks are possible!
Eg, find SSH and FTP passwords via connection strings with:
/ssh:\/\/.*:.*@.*target\.com/
/ftp:\/\/.*:.*@.*target\.com/
🐥 [ tweet ]
🔥4
😈 [ 📔 Michael Grafnetter @MGrafnetter ]
Introducing a new offline variant of the Golden gMSA attack against AD with time shifting. Enables Pass-the-Hash and Silver Ticket attacks. Requires access to ntds.dit backup and works until a new KDS Root Key is generated. #DSInternals CC: @YuG0rd
🔗 https://www.dsinternals.com/en/dsinternals-v4.11/
🐥 [ tweet ]
Introducing a new offline variant of the Golden gMSA attack against AD with time shifting. Enables Pass-the-Hash and Silver Ticket attacks. Requires access to ntds.dit backup and works until a new KDS Root Key is generated. #DSInternals CC: @YuG0rd
🔗 https://www.dsinternals.com/en/dsinternals-v4.11/
🐥 [ tweet ]
🔥4
This media is not supported in your browser
VIEW IN TELEGRAM
Недавно поймал себя на мысли, что я скрафтил 31337ный хацкерский промпт для zsh, а на рабочей тачке все равно пользуюсь дефолтным, потому что некрасиво пихать скрины с консолью, где 100500 эмоджи, в многомиллионные отчеты заказчикам – поймут подумают ведь, что дурачок какой-то работал. Поэтому спиздил разработал такую вот новинку – автоскрываемый промпт,
после выполнения команд в котором остается только таймстемп, который можно по красоте пихать в отчеты 🤓
🔗 https://github.com/snovvcrash/dotfiles-linux/blob/master/zsh/plugins/zsh-transient-prompt.zsh
после выполнения команд в котором остается только таймстемп, который можно по красоте пихать в отчеты 🤓
🔗 https://github.com/snovvcrash/dotfiles-linux/blob/master/zsh/plugins/zsh-transient-prompt.zsh
👍11🔥4😁2
😈 [ D1rkMtr @D1rkMtr ]
My Humble Windows Defender Undetectable: Data Exfiltration project that Exfitrate Personal Documents like: .doc .docx .xls .xlsx .ppt .pptx .pdf .jpeg .jpg .png .txt .json ...
Link to Project:
🔗 https://github.com/TheD1rkMtr/DocPlz
🐥 [ tweet ]
My Humble Windows Defender Undetectable: Data Exfiltration project that Exfitrate Personal Documents like: .doc .docx .xls .xlsx .ppt .pptx .pdf .jpeg .jpg .png .txt .json ...
Link to Project:
🔗 https://github.com/TheD1rkMtr/DocPlz
🐥 [ tweet ]
😁2👍1🥱1
😈 [ Rasta Mouse @_RastaMouse ]
[BLOG]
Taking a quick look at the new Aggressor callbacks in Cobalt Strike 4.9.
🔗 https://rastamouse.me/cobalt-strike-aggressor-callbacks/
🐥 [ tweet ]
[BLOG]
Taking a quick look at the new Aggressor callbacks in Cobalt Strike 4.9.
🔗 https://rastamouse.me/cobalt-strike-aggressor-callbacks/
🐥 [ tweet ]
👍2🔥1🤔1🤯1🥱1
😈 [ icyguider @icyguider ]
LatLoader is a PoC Havoc module that performs lateral movement via DLL sideloading while evading default Elastic EDR rules. Making it was a great learning exercise, and I'm hoping others can learn from it too. Enjoy! ✌️
🔗 https://github.com/icyguider/LatLoader
🔗 https://youtu.be/W0PZZPpsO6U
🐥 [ tweet ]
LatLoader is a PoC Havoc module that performs lateral movement via DLL sideloading while evading default Elastic EDR rules. Making it was a great learning exercise, and I'm hoping others can learn from it too. Enjoy! ✌️
🔗 https://github.com/icyguider/LatLoader
🔗 https://youtu.be/W0PZZPpsO6U
🐥 [ tweet ]
👍4🔥1😁1
Offensive Xwitter
Недавно поймал себя на мысли, что я скрафтил 31337ный хацкерский промпт для zsh, а на рабочей тачке все равно пользуюсь дефолтным, потому что некрасиво пихать скрины с консолью, где 100500 эмоджи, в многомиллионные отчеты заказчикам – поймут подумают ведь…
This media is not supported in your browser
VIEW IN TELEGRAM
Еще немного ZSH-задротства на ночь глядя: если вы когда-нибудь работали с большими git-репозиториями, где внушительная история коммитов и большой размер файлов в отдельных ветках, то могли заметить подвисание промпта при включенном git-статусе (когда прозрачно отображается имя текущей ветки, состояние stage-файлов и т. д.). Это обусловлено тем, что при каждой отрисовке промпта, шелл выполняет под капотом
Умные люди решили, что можно вынести определенные таски, как например, обработка статуса git-репозитория, в асинхронные задачи, которые выполняются в бэкграунде, и написали библиотеку zsh-async. Нам лишь остается написать небольшой плагин, который использует эту библиотеку для реализации своей версии
🔗 https://github.com/snovvcrash/dotfiles-linux/blob/master/zsh/plugins/async-git-info.zsh
git status. Объем кода, ответственный за эти манипуляции, действительно поражает воображение (пример для oh-my-zsh здесь). Что можно придумать, чтобы оптимизировать подобные задачи?Умные люди решили, что можно вынести определенные таски, как например, обработка статуса git-репозитория, в асинхронные задачи, которые выполняются в бэкграунде, и написали библиотеку zsh-async. Нам лишь остается написать небольшой плагин, который использует эту библиотеку для реализации своей версии
git_prompt_info. Результат можно наблюдать выше на примере огромной репы Empire: наверху промпт рисуется синхронно, поэтому виден лаг при переходе в директорию с git-репозиторием, внизу – асинхронно, поэтому шелл возвращается мгновенно, а git-статус дорисовывается через полсекунды.🔗 https://github.com/snovvcrash/dotfiles-linux/blob/master/zsh/plugins/async-git-info.zsh
🤯6🔥3😁1
😈 [ Bobby Cooke @0xBoku ]
We just released Reflective Call Stack Detections and Evasions! This was co-authored by our @XForce Red intern Dylan Tran @d_tranman! Dylan is wicked smart and it was fun working with him! Check it out!🥷
🔗 https://securityintelligence.com/x-force/reflective-call-stack-detections-evasions/
🐥 [ tweet ]
We just released Reflective Call Stack Detections and Evasions! This was co-authored by our @XForce Red intern Dylan Tran @d_tranman! Dylan is wicked smart and it was fun working with him! Check it out!🥷
🔗 https://securityintelligence.com/x-force/reflective-call-stack-detections-evasions/
🐥 [ tweet ]
😁1
😈 [ drm @lowercase_drm ]
pywerview v0.5.2 is out! It implements, among other things, the "simple authentication trick" to use the tool against hardened DCs and without install custom ldap3 lib.
🔗 https://github.com/the-useless-one/pywerview/commit/ba08fa2b29ef72ddc658d448465a8343f8536f6f
🐥 [ tweet ]
очень прикольная техника для аутентификации в захарженном LDAPS (с навешенным Channel Binding) без необходимости устанавливать патченную версию ldap3 с вот этим коммитом
pywerview v0.5.2 is out! It implements, among other things, the "simple authentication trick" to use the tool against hardened DCs and without install custom ldap3 lib.
🔗 https://github.com/the-useless-one/pywerview/commit/ba08fa2b29ef72ddc658d448465a8343f8536f6f
🐥 [ tweet ]
очень прикольная техника для аутентификации в захарженном LDAPS (с навешенным Channel Binding) без необходимости устанавливать патченную версию ldap3 с вот этим коммитом
🔥3😁1
Offensive Xwitter
😈 [ drm @lowercase_drm ] pywerview v0.5.2 is out! It implements, among other things, the "simple authentication trick" to use the tool against hardened DCs and without install custom ldap3 lib. 🔗 https://github.com/the-useless-one/pywerview/commit/ba08f…
👹 [ sn🥶vvcr💥sh @snovvcrash ]
A mega cool trick indeed! It can be easily adopted for existing LDAP tooling, an example for @_dirkjan’s adidnsdump👆🏻
🐥 [ tweet ][ quote ]
A mega cool trick indeed! It can be easily adopted for existing LDAP tooling, an example for @_dirkjan’s adidnsdump👆🏻
🐥 [ tweet ][ quote ]
🔥4😁2🥱1
😈 [ an0n @an0n_r0 ]
my favorite (and might be the most complete) wifi hacking guide (+pwnbox setup) by @Xst3nZ:
🔗 https://github.com/koutto/pi-pwnbox-rogueap/wiki
following this it was relatively easy to perform an evil twin attack after setting up a wpa-eap home lab (managed to capture a challenge using eaphammer 🙂).
🐥 [ tweet ]
my favorite (and might be the most complete) wifi hacking guide (+pwnbox setup) by @Xst3nZ:
🔗 https://github.com/koutto/pi-pwnbox-rogueap/wiki
following this it was relatively easy to perform an evil twin attack after setting up a wpa-eap home lab (managed to capture a challenge using eaphammer 🙂).
🐥 [ tweet ]
👍6
😈 [ Felipe Molina @felmoltor ]
Great reading about Sliver and OSEP:
🔗 https://bishopfox.com/blog/passing-the-osep-exam-using-sliver
🐥 [ tweet ]
Great reading about Sliver and OSEP:
🔗 https://bishopfox.com/blog/passing-the-osep-exam-using-sliver
🐥 [ tweet ]
🔥10