😈 [ n00py @n00py1 ]
The craziest BloodHound art I've made yet (password sharing clusters)
🐥 [ tweet ]
Plagiarism: obviously, this is the Hairy Bagel.
🔥6
Offensive Xwitter
😈 [ Elliot @ElliotKillick ] Perfect DLL Hijacking: It's now possible with the latest in security research. Building on previous insights from @NetSPI, we reverse engineer the Windows library loader to disable the infamous Loader Lock and achieve ShellExecute…
😈 [ Elliot @ElliotKillick ]
The full and open source code used in "Perfect DLL Hijacking" has now been released on GitHub: LdrLockLiberator
🔗 https://github.com/ElliotKillick/LdrLockLiberator
🐥 [ tweet ]
🔥2
😈 [ Almond OffSec @AlmondOffSec ]
Understanding the different types of LDAP authentication methods is fundamental to apprehend subjects such as relay attacks or countermeasures. This post by @lowercase_drm introduces them through the lens of Python libraries.
🔗 https://offsec.almond.consulting/ldap-authentication-in-active-directory-environments.html
🐥 [ tweet ]
🔥2
😈 [ sinusoid @the_bit_diddler ]
Ever wanted to create Defender exclusions non-interactively?
Support for local and remote systems? ✔️
Ability to revert said changes? ✔️
Support processes, paths, and extensions? ✔️
BOF? ✔️
C# ✔️
Code is public:
🔗 https://github.com/EspressoCake/DefenderPathExclusions
🔗 https://github.com/EspressoCake/Defender-Exclusions-Creator-BOF
🐥 [ tweet ]
🔥6
😈 [ Craig Rowland - Agentless Linux Security @CraigHRowland ]
Daily Linux whoami:
$(echo -e "\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x77\x68\x6f\x61\x6d\x69")
🐥 [ tweet ]
😁5🔥1
😈 [ Antonio Cocomazzi @splinter_code ] Do you want to start the RemoteRegistry service without Admin privileges? Just write into the "winreg" named pipe 👆 🐥 [ tweet ]
😈 [ Geiseric @Geiseric4 ]
Following @splinter_code's idea, you can also start RemoteRegistry remotely. This way you can check which servers DAs are connected to, in case you want to dump their creds. This script could help:
It works from a low-privileged user 😉
🔗 https://gist.github.com/GeisericII/6849bc86620c7a764d88502df5187bd0
🐥 [ tweet ]
🔥4
😈 [ Thomas Seigneuret @_zblurx ]
New feature in #NetExec: S4U2Self and S4U2Proxy support and automation with --delegate and --self
It allows you to abuse KCD with protocol transition and RBCD automatically in NetExec, and directly use all the post-ex functionalities 🔥
For example with RBCD 👆🏻
🐥 [ tweet ]
🔥8👍1
😈 [ Antonio Cocomazzi @splinter_code ]
The slides of our joint research talk “10 Years of Windows Privilege Escalation with Potatoes” at #POC2023 are out!
cc @decoder_it
🔗 https://github.com/antonioCoco/infosec-talks/blob/main/10_years_of_Windows_Privilege_Escalation_with_Potatoes.pdf
🐥 [ tweet ]
🔥7
10_years_of_Windows_Privilege_Escalation_with_Potatoes.pdf
1.6 MB
🔥4
😈 [ уυηg ՏΝАΤ @yunginnanet ]
This was meant to be a simple debugging tool, but ended up being a full barebones, concurrent RFC1928 (SOCKS5) server. Unnecessarily fast, very simple.
Gophers that are interested in learning the SOCKS5 protocol may find this useful (hopefully someone does).
🔗 https://gist.github.com/yunginnanet/c84f831a4ac39eada5609ce0319f8d54
🐥 [ tweet ]
🔥6
😈 [ 5pider @C5pider ]
LdrLibraryEx.
A small x64 library to load PEs into memory.
🔗 https://github.com/Cracked5pider/LdrLibraryEx
🐥 [ tweet ]
🔥3
😈 [ Charlie Clark @exploitph ]
Finally updated my RitM tool with the DES TGT session roasting code if anyone is interested.
Reminder, this isn't intended to be attack-ready code!
The attack is described in detail in my DES post (currently pinned to my profile).
🔗 https://github.com/0xe7/RoastInTheMiddle/pull/1
🐥 [ tweet ]
Thanks @Michaelzhm for the prod 😅
🔥4👍1😁1
😈 [ S4ntiagoP @s4ntiago_p ]
🔥 New blogpost 🔥
Running PEs inline without a console.
You can now, for example, run PowerShell in CobaltStrike and obtain its output without spawning any process (including conhost.exe).
🔗 https://www.coresecurity.com/core-labs/articles/running-pes-inline-without-console
🐥 [ tweet ]
🔥4
😈 [ S3cur3Th1sSh1t @ShitSecure ]
Today I needed to decrypt Veeam stored credentials. As existing tooling failed and/or manual decryption of a lot of passwords was too much effort, I wrote a small assembly to do the whole job:
🔗 https://github.com/S3cur3Th1sSh1t/SharpVeeamDecryptor
🐥 [ tweet ]
👍3🔥1
😈 [ Rémi GASCOU (Podalirius) @podalirius_ ]
In my latest article, discover the depth of the msDS-KeyCredentialLink attribute used in ShadowCredentials attacks and how to parse it. Plus, discover a Python library, pydsinternals, that simplifies the parsing process.
Check it out ⤵️
🔗 https://podalirius.net/en/articles/parsing-the-msds-keycredentiallink-value-for-shadowcredentials-attack/
🐥 [ tweet ]
👍2
😈 [ an0n @an0n_r0 ]
playing against an #AV/#EDR: when almost everything failed, finally, loaded @chvancooten's #NimPlant using my custom stager based on @hasherezade's libPeConv and managed to execute what I wanted, #Rubeus with built-in execute-assembly (#AMSI bypass + #ETW block). never give up :)
🐥 [ tweet ]
And who was it that made execute-assembly, eh eh eh
👍7🤔1
😈 [ Matt Creel @Tw1sm ]
New post 👇
Taking a look at compromising Slack access on both Windows and macOS. New BOF included!
🔗 https://posts.specterops.io/abusing-slack-for-offensive-operations-part-2-19fef38cc967
🐥 [ tweet ]
🔥2
😈 [ an0n @an0n_r0 ]
Super useful, thanks ;) Actually, the best manual post-exploitation decryption how-to is provided by Veeam itself: :)
🔗 https://www.veeam.com/kb4349
🐥 [ tweet ]
🔥3