😈 [ Aurélien Chalot @Defte_ ]
It's finally out: from a Windows driver to a fully functionnal driver. In this blogpost we'll go through the history of EDR's, how they used to work, how they work now and how we can build a fully functionnal one. Last step is a chall, bypass MyDumbEDR
🔗 https://sensepost.com/blog/2024/sensecon-23-from-windows-drivers-to-an-almost-fully-working-edr/
🐥 [ tweet ]
It's finally out: from a Windows driver to a fully functionnal driver. In this blogpost we'll go through the history of EDR's, how they used to work, how they work now and how we can build a fully functionnal one. Last step is a chall, bypass MyDumbEDR
🔗 https://sensepost.com/blog/2024/sensecon-23-from-windows-drivers-to-an-almost-fully-working-edr/
🐥 [ tweet ]
👍3
😈 [ Slowerzs @slowerzs ]
I recently released ThievingFox, a collection of post-exploitation tools to gather credentials from various password managers and Windows utilities.
You can find my blogpost about it:
🔗 https://blog.slowerzs.net/posts/thievingfox/
And the Github repo of the tool:
🔗 https://github.com/Slowerzs/ThievingFox/
🐥 [ tweet ]
I recently released ThievingFox, a collection of post-exploitation tools to gather credentials from various password managers and Windows utilities.
You can find my blogpost about it:
🔗 https://blog.slowerzs.net/posts/thievingfox/
And the Github repo of the tool:
🔗 https://github.com/Slowerzs/ThievingFox/
🐥 [ tweet ]
👍2🔥2
This media is not supported in your browser
VIEW IN TELEGRAM
😈 [ stacksmashing @ghidraninja ]
Lenovo X1 Carbon Bitlocker Key Sniffing any% Speedrun
(42.9 seconds)
Breaking Bitlocker: Bypassing the Windows Disk Encryption - using less than $10 of equipment:
🔗 https://youtu.be/wTl4vEednkQ
🐥 [ tweet ]
Lenovo X1 Carbon Bitlocker Key Sniffing any% Speedrun
(42.9 seconds)
Breaking Bitlocker: Bypassing the Windows Disk Encryption - using less than $10 of equipment:
🔗 https://youtu.be/wTl4vEednkQ
🐥 [ tweet ]
расскажите этому парню про аккумуляторную отвертку😁13👍4🤔1
😈 [ Rasta Mouse @_RastaMouse ]
[BLOG]
I ported @0gtweet's token theft code to C#.
🔗 https://offensivedefence.co.uk/posts/nt-token-theft/
🐥 [ tweet ]
[BLOG]
I ported @0gtweet's token theft code to C#.
🔗 https://offensivedefence.co.uk/posts/nt-token-theft/
🐥 [ tweet ]
👍3
😈 [ Antonio 's4tan' Parata @s4tan ]
I wrote a new post: "Exploiting a vulnerable Minifilter Driver to create a process killer" source code: #malware #byovd
🔗 https://antonioparata.blogspot.com/2024/02/exploiting-vulnerable-minifilter-driver.html
🔗 https://github.com/enkomio/s4killer
🐥 [ tweet ]
I wrote a new post: "Exploiting a vulnerable Minifilter Driver to create a process killer" source code: #malware #byovd
🔗 https://antonioparata.blogspot.com/2024/02/exploiting-vulnerable-minifilter-driver.html
🔗 https://github.com/enkomio/s4killer
🐥 [ tweet ]
👍3🥱2
This media is not supported in your browser
VIEW IN TELEGRAM
😈 [ Cody Thomas @its_a_feature_ ]
Have you used a web shell on an offensive assessment recently? Were you able to task and create it through your C2 framework? I'm excited to announce the new Arachne agent for Mythic that allows you to do just that! Check it out
🔗 https://posts.specterops.io/spinning-webs-unveiling-arachne-for-web-shell-c2-26c40f570ea1
🐥 [ tweet ]
Have you used a web shell on an offensive assessment recently? Were you able to task and create it through your C2 framework? I'm excited to announce the new Arachne agent for Mythic that allows you to do just that! Check it out
🔗 https://posts.specterops.io/spinning-webs-unveiling-arachne-for-web-shell-c2-26c40f570ea1
🐥 [ tweet ]
🔥5
😈 [ Steve S. @0xTriboulet ]
Diago's writeup on Thread Pool manipulations is exactly what you need to read before your next Pool Party
🔗 https://urien.gitbook.io/diago-lima/a-deep-dive-into-exploiting-windows-thread-pools
🐥 [ tweet ]
Diago's writeup on Thread Pool manipulations is exactly what you need to read before your next Pool Party
🔗 https://urien.gitbook.io/diago-lima/a-deep-dive-into-exploiting-windows-thread-pools
🐥 [ tweet ]
🤯4
😈 [ James Forshaw @tiraniddo ]
I try an avoid this hellsite, but I did a quick dive into sudo in Windows and here are my initial findings.
The main take away is, writing Rust won't save you from logical bugs :)
🔗 https://www.tiraniddo.dev/2024/02/sudo-on-windows-quick-rundown.html
🐥 [ tweet ]
I try an avoid this hellsite, but I did a quick dive into sudo in Windows and here are my initial findings.
The main take away is, writing Rust won't save you from logical bugs :)
🔗 https://www.tiraniddo.dev/2024/02/sudo-on-windows-quick-rundown.html
🐥 [ tweet ]
про новый sudo в win 11🔥8
😈 [ WithSecure™ @WithSecure ]
Threat actors often sign malware using either stolen, or even legally acquired, code signing certificates.
Check out the latest @Github update from @WithSecure's @dottor_morte, with a repository of certs known to have been leaked/stolen, and then abused.
🔗 https://github.com/WithSecureLabs/lolcerts
🐥 [ tweet ]
Threat actors often sign malware using either stolen, or even legally acquired, code signing certificates.
Check out the latest @Github update from @WithSecure's @dottor_morte, with a repository of certs known to have been leaked/stolen, and then abused.
🔗 https://github.com/WithSecureLabs/lolcerts
🐥 [ tweet ]
🔥2
😈 [ Soumyani1 @reveng007 ]
I wanna thank all of them (Not In Order):
@SEKTOR7net
@VirtualAllocEx
@peterwintrsmith
@D1rkMtr
@Jean_Maes_1994
@0xBoku
@Sh0ckFR
@_winterknife_
@jack_halon
For helping me develop this POC, DarkWidow:
🔗 https://github.com/reveng007/DarkWidow
🐥 [ tweet ]
I wanna thank all of them (Not In Order):
@SEKTOR7net
@VirtualAllocEx
@peterwintrsmith
@D1rkMtr
@Jean_Maes_1994
@0xBoku
@Sh0ckFR
@_winterknife_
@jack_halon
For helping me develop this POC, DarkWidow:
🔗 https://github.com/reveng007/DarkWidow
🐥 [ tweet ]
👍8🔥5
😈 [ MDSec @MDSecLabs ]
Interested in sharpening your red team AD recon? Check out our latest post by @domchell, "Active Directory Enumeration for Red Teams"
🔗 https://www.mdsec.co.uk/2024/02/active-directory-enumeration-for-red-teams/
🐥 [ tweet ]
Interested in sharpening your red team AD recon? Check out our latest post by @domchell, "Active Directory Enumeration for Red Teams"
🔗 https://www.mdsec.co.uk/2024/02/active-directory-enumeration-for-red-teams/
🐥 [ tweet ]
🔥6👍2
😈 [ Andy Robbins @_wald0 ]
Directory.ReadWrite.All is not as powerful as you might think. In this post:
● Why that matters
● How I came to that conclusion
● Which app roles matter more
🔗 https://posts.specterops.io/directory-readwrite-all-is-not-as-powerful-as-you-might-think-c5b09a8f78a8
🐥 [ tweet ]
Directory.ReadWrite.All is not as powerful as you might think. In this post:
● Why that matters
● How I came to that conclusion
● Which app roles matter more
🔗 https://posts.specterops.io/directory-readwrite-all-is-not-as-powerful-as-you-might-think-c5b09a8f78a8
🐥 [ tweet ]
👍6
😈 [ V❄️ @vincenzosantuc1 ]
Blog post about how I granted the Reflective DLL I worked on with Indirect Syscall skills. PIC to enumerate SSN and few Windows calling convention theory "pills". Among the other challenges :)
🔗 https://oldboy21.github.io/posts/2024/02/reflective-dll-got-indirect-syscall-skills/
🐥 [ tweet ]
Blog post about how I granted the Reflective DLL I worked on with Indirect Syscall skills. PIC to enumerate SSN and few Windows calling convention theory "pills". Among the other challenges :)
🔗 https://oldboy21.github.io/posts/2024/02/reflective-dll-got-indirect-syscall-skills/
🐥 [ tweet ]
👍7
😈 [ Soufiane @S0ufi4n3 ]
New technique to bypassing EDRs with EDR-Preloading.
Tldr: blocking EDR from loading it's DLL into a process preventing the deployment of user land hooks.
🔗 https://malwaretech.com/2024/02/bypassing-edrs-with-edr-preload.html
🔗 https://github.com/MalwareTech/EDR-Preloader
🐥 [ tweet ]
New technique to bypassing EDRs with EDR-Preloading.
Tldr: blocking EDR from loading it's DLL into a process preventing the deployment of user land hooks.
🔗 https://malwaretech.com/2024/02/bypassing-edrs-with-edr-preload.html
🔗 https://github.com/MalwareTech/EDR-Preloader
🐥 [ tweet ]
🔥7👍1
😈 [ WHOAMI @wh0amitz ]
SharpADWS implements MS-ADDM, MS-WSTIM and MS-WSDS protocol, you can use the source code of it to easily implement the following operations on Active Directory Web Services:
Enumerate
Pull
Delete
Get
Put
Add
Replace
Delete
Create
🔗 https://github.com/wh0amitz/SharpADWS
🐥 [ tweet ]
SharpADWS implements MS-ADDM, MS-WSTIM and MS-WSDS protocol, you can use the source code of it to easily implement the following operations on Active Directory Web Services:
Enumerate
Pull
Delete
Get
Put
Add
Replace
Delete
Create
🔗 https://github.com/wh0amitz/SharpADWS
🐥 [ tweet ]
🔥5👍4
😈 [ SpecterOps @SpecterOps ]
Check out our latest blog post about ADCS ESC13. @Jonas_B_K discusses how the abuse technique works, the ADCS feature it abuses, where the feature is used in the wild, how we can audit for ESC13, and how to deal with it from a defensive perspective.
🔗 https://posts.specterops.io/adcs-esc13-abuse-technique-fda4272fbd53
🐥 [ tweet ]
😒
Check out our latest blog post about ADCS ESC13. @Jonas_B_K discusses how the abuse technique works, the ADCS feature it abuses, where the feature is used in the wild, how we can audit for ESC13, and how to deal with it from a defensive perspective.
🔗 https://posts.specterops.io/adcs-esc13-abuse-technique-fda4272fbd53
🐥 [ tweet ]
я запутався в этих эсках уже Please open Telegram to view this post
VIEW IN TELEGRAM
🔥4👍2😁1
😈 [ BlackArrow @BlackArrowSec ]
Enhanced version of secretsdump from #Impacket to dump credentials without touching disk.
This feature takes advantage of the WriteDACL privileges held by local administrators to provide temporary read permissions on registry hives.
🔗 https://github.com/fortra/impacket/pull/1698
🔗 https://github.com/jfjallid/go-secdump
🐥 [ tweet ]
Enhanced version of secretsdump from #Impacket to dump credentials without touching disk.
This feature takes advantage of the WriteDACL privileges held by local administrators to provide temporary read permissions on registry hives.
🔗 https://github.com/fortra/impacket/pull/1698
🔗 https://github.com/jfjallid/go-secdump
🐥 [ tweet ]
🔥7👍2
😈 [ icyguider @icyguider ]
I recently implemented 7 public UAC bypasses as BOFs and integrated them into a Havoc module and Sliver extensions. Requests to add more bypass methods are also welcome!
🔗 https://github.com/icyguider/UAC-BOF-Bonanza
🐥 [ tweet ]
I recently implemented 7 public UAC bypasses as BOFs and integrated them into a Havoc module and Sliver extensions. Requests to add more bypass methods are also welcome!
🔗 https://github.com/icyguider/UAC-BOF-Bonanza
🐥 [ tweet ]
🔥8👍4
😈 [ Thorsten E. @endi24 ]
A PowerShell noscript to create an HTML report on recent changes in Active Directory.
🔗 https://gist.github.com/jdhitsolutions/9255f0bf7fe0dc6d2dde868c18d5049f
🐥 [ tweet ]
A PowerShell noscript to create an HTML report on recent changes in Active Directory.
🔗 https://gist.github.com/jdhitsolutions/9255f0bf7fe0dc6d2dde868c18d5049f
🐥 [ tweet ]
👍5🔥2🤔1
😈 [ Hyp3rlinx @hyp3rlinx ]
Windows Defender Trojan.Win32/Powessere.G / Mitigation Bypass
🐥 [ tweet ]
Windows Defender Trojan.Win32/Powessere.G / Mitigation Bypass
C:\sec>rundll32.exe javanoscript:"\..\..\mshtml,,RunHTMLApplication ";alert(13)
Access is denied.
C:\sec>rundll32.exe javanoscript:"\\..\\..\\mshtml\\..\\..\\mshtml,RunHTMLApplication ";alert('HYP3RLINX')🐥 [ tweet ]
👍10🥱2😁1