Offensive Xwitter – Telegram
Offensive Xwitter
19.4K subscribers
908 photos
48 videos
21 files
2.09K links
~$ socat TWITTER-LISTEN:443,fork,reuseaddr TELEGRAM:1.3.3.7:31337

Disclaimer: https://news.1rj.ru/str/OffensiveTwitter/546
😈 [ Chetan Nayak (Brute Ratel C4 Author) @NinjaParanoid ]

Since Cobalt Strike v4.9 has been leaked and sooner or later it will be exploited, here is the detection for Beacon's core. This detection cannot be modified with malleable profiles. EDRs like CrowdStrike/Elastic/MDATP, which constantly scan memory regions for known patterns, should easily pick this up. FYI, if BRc4 gets leaked, I would do the same for BRc4 too, like I've done in the past. No hard feelings, just helping the community.

🔗 https://github.com/paranoidninja/Cobaltstrike-Detection/blob/main/cs49.yara
🔗 https://github.com/paranoidninja/Cobaltstrike-Detection/blob/main/scan_process.c

🐥 [ tweet ]
👍4
😈 [ Charlie Bromberg « Shutdown » @_nwodtuhs ]

pyWhisker can now do cross-domain shadow credentials 👁️🫦👁️

pywhisker.py --action add -d domainA -u owned_user -p password --target user_in_domainB --target-domain domainB

🔗 https://github.com/ShutdownRepo/pywhisker

🐥 [ tweet ]
🔥8
Anyone want a bit of Cyrillic for Havoc?

🔗 https://github.com/snovvcrash/Havoc/commit/438f52b8e68110862dfbb841dd5b440e9c9f3ca1

And a fix for InvokeAssembly while we're at it:

🔗 https://github.com/snovvcrash/HavocModules/commit/dc017e254660bb7f416b8d04e27c15c388e849ef
🔥14
😈 [ Mayfly @M4yFly ]

GOAD update available 🥳
- Azure provider is now supported thx to @Zeph_RooT !
- Two versions of the lab are available (A light version with 3 computers has been added).
- Some scripts to help with installation.
- Refactoring to simplify adding lab and providers.

🔗 https://github.com/Orange-Cyberdefense/GOAD

🐥 [ tweet ]
👍7
😈 [ TrustedSec @TrustedSec ] In Part 2 of our new #blog series by @mega_spl0it and @4ndr3W6S, they build detections for additional attributes, this time focusing on those that can be modified using the #PowerMad tool. Read it now! 🔗 https://hubs.ly/Q025hFdr0…
😈 [ TrustedSec @TrustedSec ]

In the third and final installment of our #blog series by @mega_spl0it @4ndr3W6S DACL-based detections are built, identifying attacks that focus on obscure or lesser-known AD Attributes that fall outside of the scope of Parts 1 and 2. Read it now!

🔗 https://hubs.la/Q025N0lk0

🐥 [ tweet ]
🔥4👍1
😈 [ Check Point Research @_CPResearch_ ]

CP<r> introduces a new method for running hidden implanted code in #ReadyToRun (R2R) compiled .NET binaries ➡️ R2R stomping ⬅️

🤓Implementation and resulting problems
🛠️Techniques and tools to analyze R2R stomped Assemblies
⚠️Detecting R2R stomping

🔗 https://research.checkpoint.com/2023/r2r-stomping-are-you-ready-to-run/

🐥 [ tweet ]
👍1
😈 [ Florian Roth @cyb3rops ]

Teaser: we're working on a new #YARA module to enhance in-memory matching, allowing detection engineers to craft more precise rules. Stay tuned

🐥 [ tweet ]

When you've stirred things up...
😁2
😈 [ Elliot @ElliotKillick ]

Perfect DLL Hijacking: It's now possible with the latest in security research. Building on previous insights from @NetSPI, we reverse engineer the Windows library loader to disable the infamous Loader Lock and achieve ShellExecute straight from DllMain.

🔗 https://elliotonsecurity.com/perfect-dll-hijacking/

🐥 [ tweet ]
🔥5
😈 [ S3cur3Th1sSh1t @ShitSecure ]

Another loader using Stomping + ThreadlessInject as a feature combination, plus some bonuses like encryption and module unlinking 🔥 by @BlackSnufkin42 👍

🔗 https://github.com/BlackSnufkin/NovaLdr

🐥 [ tweet ]
🔥2
😈 [ Outflank @OutflankNL ]

We’ve pushed “RemotePipeList” to our GitHub and released a blog post. The tool is used to list the named pipes of remote systems. Useful for remote reconnaissance.

Blog post here
C2 Tool Collection here

🔗 https://outflank.nl/blog/2023/10/19/listing-remote-named-pipes/
🔗 https://github.com/outflanknl/C2-Tool-Collection/tree/main/Other/RemotePipeList

🐥 [ tweet ]
👍5
😈 [ Andrew @4ndr3w6S ]

Happy to finally share our slide deck/demo videos from our @texascyber talk, “You DISliked DCSync? Wait For NetSync!”

Thank you x3000 to @MindsEyeCCF, for help with the fantastic slides, & my co-presenter/friend/mentor/research partner @exploitph 🤗

🔗 https://github.com/4ndr3w6/Presentations/tree/main/Texas_Cyber_Summit_2023

🐥 [ tweet ]
👍2🔥2
😈 [ Antonio Cocomazzi @splinter_code ]

Do you want to start the RemoteRegistry service without Admin privileges?
Just write into the "winreg" named pipe 👆

🐥 [ tweet ]
🤯13😁1
😈 [ Tony Gore @nullg0re ]

DCSync without triggering traditional alerts?

🔗 https://nullg0re.com/2023/09/hijacking-someone-else-dcsync/

🐥 [ tweet ]