Offensive Xwitter – Telegram
Offensive Xwitter
~$ socat TWITTER-LISTEN:443,fork,reuseaddr TELEGRAM:1.3.3.7:31337

Disclaimer: https://news.1rj.ru/str/OffensiveTwitter/546
😈 [ blackorbird @blackorbird ]

#Lazarus exploited a flaw in the Windows AppLocker driver (appid.sys) as a zero-day to gain kernel-level access and turn off security tools. CVE-2024-21338
Beyond BYOVD with an Admin-to-Kernel Zero-Day

🔗 https://decoded.avast.io/janvojtesek/lazarus-and-the-fudmodule-rootkit-beyond-byovd-with-an-admin-to-kernel-zero-day/

🐥 [ tweet ]
👍7🔥3
😈 [ CODE WHITE GmbH @codewhitesec ]

Struggling to get those precious certificates with #certipy and AD CS instances that do not support web enrollment and do not expose CertSvc via RPC? @qtc_de has you covered and added functionality to use DCOM instead of good old RPC #redteaming

🔗 https://github.com/ly4k/Certipy/pull/201

🐥 [ tweet ]
🔥7
😈 [ Grzegorz Tworek @0gtweet ]

Writable SYSVOL --> Domain Admin:

🔗 http://x.com/i/article/1763673505873240064

🐥 [ tweet ]
👍3🔥1🤔1
😈 [ Ninad Mishra @NinadMishra5 ]

Nice blog about Recon Automation using tools like Subfinder, Chaos, Nuclei, Httpx, Notify, and Anew to find bugs and vulnerabilities.

🔗 https://dhiyaneshgeek.github.io/bug/bounty/2020/02/06/recon-with-me/

🐥 [ tweet ]
🔥3
😈 [ zimnyaa @zimnyaatishina ]

I’ve tried replicating some basic AD techniques in FreeIPA:

There’s still a lot to explore, so I’ll return to it at some point in the future.

🔗 https://tishina.in/ops/freeipa-postexploitation

🐥 [ tweet ]
🔥7👍2
😈 [ Thorsten E. @endi24 ]

Script to perform some hardening of Windows OS
by @mackwage

🔗 https://gist.github.com/mackwage/08604751462126599d7e52f233490efe

🐥 [ tweet ]
👍3🔥1🤔1
😈 [ Octoberfest7 @Octoberfest73 ]

Check out my latest blog post released during my internship at @RedSiege where I explore how a method for dumping LSASS popularized in 2019 can avoid detection by Microsoft Defender for Endpoint in 2024:

🔗 https://redsiege.com/blog/2024/03/dumping-lsass-like-its-2019/

🐥 [ tweet ]
🔥7👍1
😈 [ delivr.to @delivr_to ]

A fresh take on traditional HTML smuggling techniques - Rust-based WebAssembly payloads that can call native JavaScript functions 👀

Read our latest blog for code examples, delivr.to payloads and detection rules:

🔗 https://blog.delivr.to/webassembly-smuggling-it-wasmt-me-648a62547ff4

🐥 [ tweet ]
🔥3👍1
😈 [ Theori @theori_io ]

Do you use a virtual machine to browse dangerous links safely? If you use the Chrome browser inside that virtual machine, is it secure enough?
As you might have guessed, the answer is not so much.

We chained six unique CVEs from 2023 listed below.

• Chrome Renderer RCE: CVE-2023-3079
• Chrome Sandbox Escape: CVE-2023-21674
• LPE in guest OS: CVE-2023-29360
• VMware Info Leak: CVE-2023-34044
• VMware Escape: CVE-2023-20869
• LPE in host OS: CVE-2023-36802

Over the next few weeks, we will be releasing the detailed analysis write-ups on each vulnerability used in this chain on our blog.

All of these CVEs are featured in Fermium-252, our Cyber Threat Intelligence Database Platform.

You can check out the information about Fermium-252 on our website and blog post:

🔗 https://theori.io/service/vr#fermium
🔗 https://blog.theori.io/fermium-252-the-cyber-threat-intelligence-database-b30ce06e7c5e?source=social.tw

🐥 [ tweet ]
👍10🔥3😢1
😈 [ n0km @n0km ]

New examples GetADComputers.py and readLAPS.py are now merged in impacket's master branch. Go check them out. Thanks F-Masood

🔗 https://github.com/fortra/impacket/pull/1673

🐥 [ tweet ]
🔥6
Forwarded from PT SWARM
🎁 Source Code Disclosure in IIS 10.0! Almost.

There is a method to reveal the source code of some .NET apps. Here's how it works.

👉 https://swarm.ptsecurity.com/source-code-disclosure-in-asp-net-apps/
🔥12
😈 [ SEKTOR7 Institute @SEKTOR7net ]

Wondering what telemetry an EDR collects?

Wonder no more! @Kostastsale and @ateixei run an EDR Telemetry Project, covering all major EDRs:

"The main goal of the EDR Telemetry project is to encourage EDR vendors to be more transparent about the telemetry they provide".

Blog:
🔗 https://detect.fyi/edr-telemetry-project-a-comprehensive-comparison-d5ed1745384b

Table:
🔗 https://docs.google.com/spreadsheets/d/1ZMFrD6F6tvPtf_8McC-kWrNBBec_6Si3NW6AoWf3Kbg/edit?usp=sharing

Github:
🔗 https://github.com/tsale/EDR-Telemetry

🐥 [ tweet ]
🔥3👍2
😈 [ Akamai Security Intelligence Group @akamai_research ]

Today’s Theme is vulnerability 👀

Akamai researchers have discovered a vuln in Windows Themes that can trigger an authentication coercion - with almost zero user interaction.

User views the file, Explorer sends SMB packets with credentials.

Full post:

🔗 https://www.akamai.com/blog/security-research/2024/mar/leaking-ntlm-credentials-through-windows-themes

🐥 [ tweet ]
😁2🥱2👍1
😈 [ Pen Test Partners @PenTestPartners ]

SSH Split Tunnelling attacks are not new, but with so many organisations still using the MS native SSH client they can be deadly effective - if all the holes in the cheese line up. It needs minimal setup and reduces the likelihood of Blue team detection.

🔗 https://www.pentestpartners.com/security-blog/living-off-the-land-with-native-ssh-and-split-tunnelling/

🐥 [ tweet ]
🔥1
😈 [ Winslow @senzee1984 ]

My new article revisits classic technique Reflective Loading, and explains my tool InflativeLoading.

🔗 https://winslow1984.com/books/malware/page/reflectiveloading-and-inflativeloading

Thanks to @0xBoku @MalDevAcademy @stephenfewer @hasherezade and all other authors (and their articles/tools/projects) for the inspiration and help.

🐥 [ tweet ]
👍3🔥3
😈 [ Rasta Mouse @_RastaMouse ]

[BLOG]
Small experiment with using YARP as a C2 redirector.

🔗 https://rastamouse.me/yarp-as-a-c2-redirector/

🐥 [ tweet ]
👍6
⭐️ A self-contained 7-Zip wrapper using SevenZipSharp & Costura.Fody

It's been a while since we had anything of our own here, and Twitter has been stingy with interesting material lately, so let's have some fun and knock together something useful in C#.

On the current engagement we have been working for a long time over an incredibly narrow 5-hop channel, on which smbclient keeps breaking when exfiltrating large volumes of data. In such cases 7-Zip is usually a lifesaver: it can split and pack data into multiple volumes of N bytes each, so heavyweight files can be carried out in chunks without fear of the connection dropping; if it does drop, we can resume the transfer from practically the same place where we stopped.

But 7-Zip is far from preinstalled everywhere. Globally, as you might guess, this is solved with the 500IQ technique "Bring Your Own 7-Zip", and luckily it doesn't need to be installed, but it's still an extra step 😒 Fortunately for us automation lovers, the archiver has a rich API with plenty of wrappers already written for it, for example SevenZipSharp for .NET. And I love .NET 😍

Where there is C#, there is also Costura.Fody, which can magically pack dependencies (including unmanaged code) into a single final assembly. I'll show how in 10 minutes you can make your own self-contained 7-Zip wrapper for fun & profit 🔽

1. Create a console project in Visual Studio targeting .NET Framework 4.5 x64.

2. Install the dependencies:
PM> Install-Package Costura.Fody
PM> Install-Package SevenZipSharp.Net45

3. Grab the only required unmanaged DLL, 7za.dll, from the official site (standalone console version), place it in the Costura64 directory and include it in the project as an Embedded Resource:
PS > mkdir Costura64
PS > curl https://www.7-zip.org/a/7z2401-extra.7z -o .\Costura64\7z.7z
PS > & 'C:\Program Files\7-Zip\7z.exe' x .\Costura64\7z.7z -oCostura64 x64\7za.dll License.txt
PS > rm .\Costura64\7z.7z

4. Create the manifest for Costura.Fody:
<?xml version="1.0" encoding="utf-8"?>
<Weavers xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="FodyWeavers.xsd">
<Costura CreateTemporaryAssemblies='true' IncludeDebugSymbols='false' />
</Weavers>

5. Code up the PoC, build it in Release and make sure everything works:
using System.IO;
using SevenZip;

namespace Sharp7Zip
{
    internal class Program
    {
        static void Main()
        {
            // workaround for issue #75: https://github.com/Fody/Costura/issues/75
            // (resolve the directory Costura unpacked the managed DLL into and point
            // SevenZipSharp at the unmanaged 7za.dll that was extracted next to it)
            var costura = typeof(ArchiveFileInfo).Assembly.GetFile("sevenzipsharp.dll").Name;
            SevenZipBase.SetLibraryPath(Path.Combine(Path.GetDirectoryName(costura), @"64\7za.dll"));

            // multi-volume archive: VolumeSize is the size of each volume in bytes
            var compressor = new SevenZipCompressor
            {
                ArchiveFormat = OutArchiveFormat.SevenZip,
                CompressionLevel = CompressionLevel.Ultra,
                CompressionMethod = CompressionMethod.Lzma2,
                VolumeSize = 1000,
                EncryptHeaders = true,
                DirectoryStructure = true,
                IncludeEmptyDirectories = true,
                PreserveDirectoryRoot = false,
                CompressionMode = CompressionMode.Create
            };
            compressor.CompressDirectory(@"C:\Windows\System32\drivers\etc\", @"C:\ProgramData\etc.7z");
        }
    }
}


6. Beg ChatGPT for a full-fledged console application with blackjack and hookers, er, a nice command line, based on the Compress7Zip.cs example. I got roughly this:

🔗 https://gist.github.com/snovvcrash/c39a46f67fc987c94c227817b6155ab9

7. Optionally make a PS cradle in any convenient way and enjoy the result 😎

P. S. Worth noting that this solution is in no way meant to improve opsec, since Costura's dependencies are still unpacked to disk at runtime (to %TEMP%\Costura by default), but it does spare you the tedious manual upload of 7-Zip to the target.
🔥13👍4🥱1
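The post stops at producing the volume set; the counterpart that most often bites over a flaky link is unpacking a set that arrived with a volume missing. Added example (not from the post or the gist): it keeps the same Costura/SevenZipSharp layout and library-path workaround, checks a `.7z.001`-style set for gaps before handing it to `SevenZipExtractor`, and then extracts it. The archive and output paths are assumed.

```csharp
using System;
using System.IO;
using System.Linq;
using SevenZip;
namespace Sharp7Zip
{
    internal static class VolumeSet
    {
        // Volumes missing from a 7-Zip set (etc.7z.001, etc.7z.002, ...), given the first one.
        // Only gaps below the highest volume present are visible here; a truncated tail
        // still shows up as an error when 7-Zip reads the set.
        public static string[] MissingVolumes(string firstVolume)
        {
            string dir = Path.GetDirectoryName(firstVolume) ?? ".";
            string name = Path.GetFileName(firstVolume);
            string prefix = name.Substring(0, name.Length - 3);       // "etc.7z."
            int[] present = Directory.GetFiles(dir, prefix + "*")
                .Select(p => Path.GetFileName(p))
                .Select(n => n.Substring(prefix.Length))
                .Where(s => s.Length == 3 && s.All(char.IsDigit))
                .Select(s => int.Parse(s))
                .ToArray();
            if (present.Length == 0)
                return new[] { name };
            return Enumerable.Range(1, present.Max())
                .Where(i => !present.Contains(i))
                .Select(i => prefix + i.ToString("D3"))
                .ToArray();
        }
        // Refuses to unpack an incomplete set; otherwise extracts it and returns the entry count.
        public static int Extract(string firstVolume, string outDir)
        {
            string[] missing = MissingVolumes(firstVolume);
            if (missing.Length > 0)
                throw new FileNotFoundException("Incomplete volume set, missing: " + string.Join(", ", missing));
            using (var extractor = new SevenZipExtractor(firstVolume))
            {
                extractor.ExtractArchive(outDir);
                return (int)extractor.FilesCount;
            }
        }
        static void Main()
        {
            // Same library-path workaround as in the post's PoC (Costura issue #75).
            var costura = typeof(ArchiveFileInfo).Assembly.GetFile("sevenzipsharp.dll").Name;
            SevenZipBase.SetLibraryPath(Path.Combine(Path.GetDirectoryName(costura), @"64\7za.dll"));
            // Assumed paths: the volume set produced by the PoC and a scratch output directory.
            Console.WriteLine("Extracted {0} entries", Extract(@"C:\ProgramData\etc.7z.001", @"C:\ProgramData\etc_out"));
        }
    }
}
```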
😈 [ Alex neff @al3x_n3ff ]

A new Module by @Shad0wCntr0ller just got merged into NetExec.
You can now automatically query for all outdated operating systems in ldap🔥
Besides the OS and the name, you will also get the IP as well as the pwdLastSet attribute for that computer account.

🐥 [ tweet ]
🔥6👍4