😈 [ Elliot @ElliotKillick ]
Perfect DLL Hijacking: It's now possible with the latest in security research. Building on previous insights from @NetSPI, we reverse engineer the Windows library loader to disable the infamous Loader Lock and achieve ShellExecute straight from DllMain.
🔗 https://elliotonsecurity.com/perfect-dll-hijacking/
🐥 [ tweet ]
🔥5
😈 [ S3cur3Th1sSh1t @ShitSecure ]
Another loader using Stomping + Threadlessinject as feature combination plus some bonus like encryption and module unlinking 🔥by @BlackSnufkin42 👍
🔗 https://github.com/BlackSnufkin/NovaLdr
🐥 [ tweet ]
🔥2
😈 [ Outflank @OutflankNL ]
We’ve pushed “RemotePipeList” on our GitHub and released a blog post. The tool is used to list named pipes of remote systems. Useful for remote reconnaissance.
Blog post here
C2 Tool Collection here
🔗 https://outflank.nl/blog/2023/10/19/listing-remote-named-pipes/
🔗 https://github.com/outflanknl/C2-Tool-Collection/tree/main/Other/RemotePipeList
🐥 [ tweet ]
👍5
😈 [ Andrew @4ndr3w6S ]
Happy to finally share our slide deck/demo videos from our @texascyber talk, “You DISliked DCSync? Wait For NetSync!”
Thank you x3000 to @MindsEyeCCF, for help with the fantastic slides, & my co-presenter/friend/mentor/research partner @exploitph 🤗
🔗 https://github.com/4ndr3w6/Presentations/tree/main/Texas_Cyber_Summit_2023
🐥 [ tweet ]
👍2🔥2
😈 [ Antonio Cocomazzi @splinter_code ]
Do you want to start the RemoteRegistry service without Admin privileges?
Just write into the "winreg" named pipe 👆
🐥 [ tweet ]
🤯13😁1
😈 [ Tony Gore @nullg0re ]
DCSync without triggering traditional alerts?
🔗 https://nullg0re.com/2023/09/hijacking-someone-else-dcsync/
🐥 [ tweet ]
Offensive Xwitter
😈 [ Andrew @4ndr3w6S ] Happy to finally share our slide deck/demo videos from our @texascyber talk, “You DISliked DCSync? Wait For NetSync!” Thank you x3000 to @MindsEyeCCF, for help with the fantastic slides, & my co-presenter/friend/mentor/research partner…
You_Disliked_DCSync_Wait_For_NetSync_Texas_Cyber_Summit_2023_Charlie.pdf
31.6 MB
🔥3
😈 [ Kleiton Kurti @kleiton0x7e ]
Spent some time reversing undocumented syscalls residing in Kernel32/Ntdll and created a PoC for proxying DLL loads. This leads to a clean call stack, as the return address pointing to shellcode won't be pushed to the stack.
#CyberSecurity #redteam #infosec
🔗 https://github.com/kleiton0x00/Proxy-DLL-Loads
🐥 [ tweet ]
👍4🔥1
😈 [ spencer @techspence ]
A .NET port of @ZeroMemoryEx AMSI Killer with an added feature to continuously patch new PowerShell processes by @S1lky_1337
🔗 https://github.com/S1lkys/SharpKiller
🔗 https://github.com/ZeroMemoryEx/Amsi-Killer
🐥 [ tweet ]
🔥4
😈 [ N1k0la @webdxg ]
Exchange Server CVE-2023-36745
Standing on the Shoulder of Giants @chudyPB
🔗 https://n1k0la-t.github.io/2023/10/24/Microsoft-Exchange-Server-CVE-2023-36745/
🐥 [ tweet ]
🔥4
😈 [ Mayfly @M4yFly ]
A new Lab 🏰 is available on GOAD: NHA.
This time it is a challenge: 5 VMs, you start with no account and try to get domain admin on the two domains.
Have fun!
🔗 https://github.com/Orange-Cyberdefense/GOAD/tree/main/ad/NHA
🐥 [ tweet ]
🔥5
😈 [ Garrett @garrfoster ]
Pushed an update to SCCMHunter to include @SkelSec's Python unobfuscator for @_xpn_'s sccmwtf NAA attack. Shout out to you both for the awesome work!
🔗 https://github.com/garrettfoster13/sccmhunter
🔗 https://github.com/xpn/sccmwtf/blob/main/policysecretunobfuscate.py
🐥 [ tweet ]
👍4🔥1
😈 [ Justin Elze @HackingLZ ]
wmiexec is so reliable, with so many great detections available. Cortex does a really good job with out-of-the-box Impacket as well.
🔗 https://www.crowdstrike.com/blog/how-to-detect-and-prevent-impackets-wmiexec/
🔗 https://micahbabinski.medium.com/brace-for-impacket-5191dff82c74
🐥 [ tweet ]
🔥3👍1
😈 [ Chris Au @netero_1010 ]
Made a tool to create/modify scheduled tasks using just registry keys. It has some requirements (requires SYSTEM), but the beauty of it is it won't generate a scheduled task creation event log.
🔗 https://github.com/netero1010/GhostTask
🐥 [ tweet ]
🔥4👍2🥱1
😈 [ Fabian @testert01 ]
[Blogpost] EvtPsst, a small EventLog process mute tool without an OpenProcess call to the EventLog process.
This blog shows how to elevate a SYNCHRONIZE handle to a full process handle with a process token of EventLog.
🔗 https://nothingspecialforu.github.io/EvtPsstBlog/
🐥 [ tweet ]
🔥3👍2