😈 [ Balthasar @BalthasarMartin ]
Today at #Troopers24 we released Certiception – the ADCS honeypot we always wanted to have.
Blog:
🔗 https://srlabs.de/blog-post/certiception-the-adcs-honeypot-we-always-wanted
Source code:
🔗 https://github.com/srlabs/Certiception
Slide deck, including our guide to deception strategy:
🔗 https://github.com/srlabs/Certiception/blob/main/documentation/
🐥 [ tweet ]
Today at #Troopers24 we released Certiception – the ADCS honeypot we always wanted to have.
Blog:
🔗 https://srlabs.de/blog-post/certiception-the-adcs-honeypot-we-always-wanted
Source code:
🔗 https://github.com/srlabs/Certiception
Slide deck, including our guide to deception strategy:
🔗 https://github.com/srlabs/Certiception/blob/main/documentation/
🐥 [ tweet ]
👍1🔥1🤔1
😈 [ Nikhil Mittal @nikhil_mitt ]
"When the hunter becomes the hunted: Using custom callbacks to disable EDRs"
A fantastic blog post by @d1rkmtr that is full of knowledge and a teaser!
🔗 https://www.alteredsecurity.com/post/when-the-hunter-becomes-the-hunted-using-custom-callbacks-to-disable-edrs
🐥 [ tweet ]
"When the hunter becomes the hunted: Using custom callbacks to disable EDRs"
A fantastic blog post by @d1rkmtr that is full of knowledge and a teaser!
🔗 https://www.alteredsecurity.com/post/when-the-hunter-becomes-the-hunted-using-custom-callbacks-to-disable-edrs
🐥 [ tweet ]
🔥6👍1
😈 [ Daniel @0x64616e ]
My friend @mojeda_101 and I had the funny idea to leverage GPO item-level targeting for domain persistence.
🔗 https://pentest.party/posts/2024/persistence-with-wmi-filters/
🐥 [ tweet ]
My friend @mojeda_101 and I had the funny idea to leverage GPO item-level targeting for domain persistence.
🔗 https://pentest.party/posts/2024/persistence-with-wmi-filters/
🐥 [ tweet ]
кому тоже в первую очередь в голову пришло сравнение с port knocking?🔥4🥱1
😈 [ DSAS by INJECT @DevSecAS ]
Active Directory Dumper - ADFind on Python
🔗 https://blog.injectexp.dev/2024/06/30/active-directory-dumper/
🔗 https://blog.injectexp.dev/2024/06/30/active-directory-dumper-2/
🐥 [ tweet ]
Active Directory Dumper - ADFind on Python
🔗 https://blog.injectexp.dev/2024/06/30/active-directory-dumper/
🔗 https://blog.injectexp.dev/2024/06/30/active-directory-dumper-2/
🐥 [ tweet ]
🔥5🍌3
Forwarded from APT
The Qualys Threat Research Unit has discovered a Remote Unauthenticated Code Execution vulnerability in OpenSSH’s server (sshd) in glibc-based Linux systems. CVE assigned to this vulnerability is CVE-2024-6387.
The vulnerability, which is a signal handler race condition in OpenSSH’s server (sshd), allows unauthenticated remote code execution (RCE) as root on glibc-based Linux systems.
🔗 Research:
https://blog.qualys.com/vulnerabilities-threat-research/2024/07/01/regresshion-remote-unauthenticated-code-execution-vulnerability-in-openssh-server
🔗 PoC:
https://github.com/7etsuo/cve-2024-6387-poc
#openssh #glibc #rce #cve
Please open Telegram to view this post
VIEW IN TELEGRAM
🔥12
This media is not supported in your browser
VIEW IN TELEGRAM
😈 [ Ege Balcı @egeblc ]
New tool drop! 🔥🔥 de-optimizer uses several mathematical approaches for mutating machine code instructions to their functional equivalents. Very good for bypassing rule-based detection without using any RWE memory.
🔗 https://github.com/EgeBalci/deoptimizer
🐥 [ tweet ]
New tool drop! 🔥🔥 de-optimizer uses several mathematical approaches for mutating machine code instructions to their functional equivalents. Very good for bypassing rule-based detection without using any RWE memory.
🔗 https://github.com/EgeBalci/deoptimizer
🐥 [ tweet ]
👍7
😈 [ Diego Capriotti @naksyn ]
Recently, I wanted to quickly test some sleep obfuscation ideas against @jdu2600's EtwTi-FluctuationMonitor using Beacon, without dealing with UDRL debugging. At the end of the journey, I ended up with:
- A way to generate and load, via a PE loader, a UDRL-less Beacon payload.
- A way to generate and load, via a PE loader, a UDRL-less Beacon payload.
- A generic PE loader to hook Sleep and quickly prototype evasion ideas.
- Two different (though not necessarily novel) sleep obfuscation techniques, which allowed me to evade EtwTi-FluctuationMonitor and other scanners.
I dubbed these techniques MemoryBouncing and MemoryHopping. They both involve moving to another area of memory at every sleep and/or freeing the PE memory.
Here’s the blog post:
🔗 https://www.naksyn.com/cobalt%20strike/2024/07/02/raising-beacons-without-UDRLs-teaching-how-to-sleep.html
And the PE loader used, dubbed Dojoloader:
🔗 https://github.com/naksyn/DojoLoader
In his BH Asia presentation, @jdu2600 gave some hints on how the RX->RW detection could be bypassed. It sounded fun to test, and it was indeed a fascinating challenge for me. A huge thanks to him and his tools for sparking my curiosity.
🐥 [ tweet ]
Recently, I wanted to quickly test some sleep obfuscation ideas against @jdu2600's EtwTi-FluctuationMonitor using Beacon, without dealing with UDRL debugging. At the end of the journey, I ended up with:
- A way to generate and load, via a PE loader, a UDRL-less Beacon payload.
- A way to generate and load, via a PE loader, a UDRL-less Beacon payload.
- A generic PE loader to hook Sleep and quickly prototype evasion ideas.
- Two different (though not necessarily novel) sleep obfuscation techniques, which allowed me to evade EtwTi-FluctuationMonitor and other scanners.
I dubbed these techniques MemoryBouncing and MemoryHopping. They both involve moving to another area of memory at every sleep and/or freeing the PE memory.
Here’s the blog post:
🔗 https://www.naksyn.com/cobalt%20strike/2024/07/02/raising-beacons-without-UDRLs-teaching-how-to-sleep.html
And the PE loader used, dubbed Dojoloader:
🔗 https://github.com/naksyn/DojoLoader
In his BH Asia presentation, @jdu2600 gave some hints on how the RX->RW detection could be bypassed. It sounded fun to test, and it was indeed a fascinating challenge for me. A huge thanks to him and his tools for sparking my curiosity.
🐥 [ tweet ]
🔥6👍2
😈 [ Winslow @senzee1984 ]
Check out my new article - EDRPrison: Borrow a Legitimate Driver to Mute EDR Agent
Blog:
🔗 https://www.3nailsinfosec.com/post/edrprison-borrow-a-legitimate-driver-to-mute-edr-agent
Github:
🔗 https://github.com/senzee1984/EDRPrison
🐥 [ tweet ]
Check out my new article - EDRPrison: Borrow a Legitimate Driver to Mute EDR Agent
Blog:
🔗 https://www.3nailsinfosec.com/post/edrprison-borrow-a-legitimate-driver-to-mute-edr-agent
Github:
🔗 https://github.com/senzee1984/EDRPrison
🐥 [ tweet ]
🔥5🤯2
😈 [ Tyler Hudak @SecShoggoth ]
I recommend reading this thread as it gives some great insight and stories into incidents.
Also, the current top comment on there is freaking incredible!
🔗 https://www.reddit.com/r/sysadmin/comments/1dsgi6t/sysadmins_who_went_through_a_breach_how_did_the
🐥 [ tweet ]
I recommend reading this thread as it gives some great insight and stories into incidents.
Also, the current top comment on there is freaking incredible!
🔗 https://www.reddit.com/r/sysadmin/comments/1dsgi6t/sysadmins_who_went_through_a_breach_how_did_the
🐥 [ tweet ]
👍9
😈 [ ap @decoder_it ]
Cool finding from my colleague @cj_berlin detailed here: . PS remoting and SSH ignores "Deny Logon restrictions". So if you enable SSHd on a Domain Controller, every domain user can log in... and, for example, perform a #RemotePotato0 attack 😲
🔗 https://it-pro-berlin.de/2024/07/use-ssh-on-windows-they-said/
🐥 [ tweet ]
Cool finding from my colleague @cj_berlin detailed here: . PS remoting and SSH ignores "Deny Logon restrictions". So if you enable SSHd on a Domain Controller, every domain user can log in... and, for example, perform a #RemotePotato0 attack 😲
🔗 https://it-pro-berlin.de/2024/07/use-ssh-on-windows-they-said/
🐥 [ tweet ]
👍6🔥3🥱1
😈 [ Frey @Freyxfi ]
Rockyou2024[.]Zip Word list
🔗 https://s3.timeweb.cloud/fd51ce25-6f95e3f8-263a-4b13-92af-12bc265adb44/rockyou2024.zip
🔗 https://news.1rj.ru/str/frx3y/178
🐥 [ tweet ]
Rockyou2024[.]Zip Word list
🔗 https://s3.timeweb.cloud/fd51ce25-6f95e3f8-263a-4b13-92af-12bc265adb44/rockyou2024.zip
🔗 https://news.1rj.ru/str/frx3y/178
🐥 [ tweet ]
(45 Gb zip)👍13🔥4🥱1
😈 [ sh4dy @sh4dy_0011 ]
Wrote a short blog about running a simple LLVM pass. I’ll add even more cool stuff in upcoming posts :)
🔗 https://sh4dy.com/2024/06/29/learning_llvm_01/
Source code:
🔗 https://github.com/0xSh4dy/learning_llvm
🐥 [ tweet ]
Wrote a short blog about running a simple LLVM pass. I’ll add even more cool stuff in upcoming posts :)
🔗 https://sh4dy.com/2024/06/29/learning_llvm_01/
Source code:
🔗 https://github.com/0xSh4dy/learning_llvm
🐥 [ tweet ]
🔥5👍3
😈 [ sh4dy @sh4dy_0011 ]
Here’s the second part of my blog series on Compiler and LLVM internals, where I’ve explained the following concepts:
1. Basic blocks
2. Control flow graphs
3. Modules
4. Some applications of LLVM passes
🔗 https://sh4dy.com/2024/07/06/learning_llvm_02
Source code:
🔗 https://github.com/0xSh4dy/learning_llvm/tree/master/part_2
🐥 [ tweet ]
Here’s the second part of my blog series on Compiler and LLVM internals, where I’ve explained the following concepts:
1. Basic blocks
2. Control flow graphs
3. Modules
4. Some applications of LLVM passes
🔗 https://sh4dy.com/2024/07/06/learning_llvm_02
Source code:
🔗 https://github.com/0xSh4dy/learning_llvm/tree/master/part_2
🐥 [ tweet ]
🔥10👍1
😈 [ Orange Cyberdefense's SensePost Team @sensepost ]
Decorrelate attack tool behaviour to avoid EDR interference. In this post, @Defte_ writes about how remote LSA secrets dumping works and retrieves a Windows computer's BOOTKEY using less common methods.
🔗 https://sensepost.com/blog/2024/dumping-lsa-secrets-a-story-about-task-decorrelation/
🐥 [ tweet ]
Decorrelate attack tool behaviour to avoid EDR interference. In this post, @Defte_ writes about how remote LSA secrets dumping works and retrieves a Windows computer's BOOTKEY using less common methods.
🔗 https://sensepost.com/blog/2024/dumping-lsa-secrets-a-story-about-task-decorrelation/
🐥 [ tweet ]
👍10🔥2
😈 [ Rayan Bouyaiche @rayanlecat ]
Hello everyone !
This weekend I participated at @_leHACK_ where I did the #NetExec workshop animated by @mpgn_x64. Here is my writeup for those of you that are interested
🔗 https://www.rayanle.cat/lehack-2024-netexec-workshop-writeup/
🐥 [ tweet ]
Hello everyone !
This weekend I participated at @_leHACK_ where I did the #NetExec workshop animated by @mpgn_x64. Here is my writeup for those of you that are interested
🔗 https://www.rayanle.cat/lehack-2024-netexec-workshop-writeup/
🐥 [ tweet ]
👍8
😈 [ Kuba Gretzky @mrgretzky ]
A covert and smart way of implanting Chrome extensions through direct modification of Chrome setting files 🤯🔥
🔗 https://syntax-err0r.github.io/Silently_Install_Chrome_Extension.html
🐥 [ tweet ]
A covert and smart way of implanting Chrome extensions through direct modification of Chrome setting files 🤯🔥
🔗 https://syntax-err0r.github.io/Silently_Install_Chrome_Extension.html
🐥 [ tweet ]
👍8
😈 [ Justin Elze @HackingLZ ]
Recent addition to the shelf
"This is just a simplified version of the following but written in C and and runs on both mac and linux."
🔗 https://github.com/its-a-feature/bifrost
🔗 https://github.com/trustedsec/The_Shelf/tree/main/Retired/KerberosDump
🐥 [ tweet ]
Recent addition to the shelf
"This is just a simplified version of the following but written in C and and runs on both mac and linux."
🔗 https://github.com/its-a-feature/bifrost
🔗 https://github.com/trustedsec/The_Shelf/tree/main/Retired/KerberosDump
🐥 [ tweet ]
👍5
Когда-то давно мы с моим хорошим другом @DrunkF0x на пентесте опробовали скрипт LDAPmonitor (как раз тогда он только вышел) - на тот момент все, что он делал, это
Поздравляю с релизом!
Blog:
🔗 https://habr.com/ru/companies/angarasecurity/articles/697938/
Code:
🔗 https://github.com/DrunkF0x/ADSpider
"(objectClass=*)" на все объекты каждые N секунд и сравнивал результаты. Разумеется, это было жутко неэффективно, создает кучу трафика в эфире, а на больших доменах я бы вообще не рискнул запускать… Тогда у Ромы и появилась идея опроса изменений по значениям USN (Update Sequence Number), на основе которой им был разработан ADSpider 🕷️Поздравляю с релизом!
Blog:
🔗 https://habr.com/ru/companies/angarasecurity/articles/697938/
Code:
🔗 https://github.com/DrunkF0x/ADSpider
🔥19👍6
😈 [ SEKTOR7 Institute @SEKTOR7net ]
Krbtgt password reset is dead aka Eternal Persistence, by Rindert Kramer of @huntandhackett
Part 1:
🔗 https://www.huntandhackett.com/blog/how-to-achieve-eternal-persistence
Part 2:
🔗 https://www.huntandhackett.com/blog/how-to-achieve-eternal-persistence-part-2
Part 3:
🔗 https://www.huntandhackett.com/blog/how-to-achieve-eternal-persistence-part-3
PoC:
🔗 https://github.com/huntandhackett/PassiveAggression
🐥 [ tweet ]
Krbtgt password reset is dead aka Eternal Persistence, by Rindert Kramer of @huntandhackett
Part 1:
🔗 https://www.huntandhackett.com/blog/how-to-achieve-eternal-persistence
Part 2:
🔗 https://www.huntandhackett.com/blog/how-to-achieve-eternal-persistence-part-2
Part 3:
🔗 https://www.huntandhackett.com/blog/how-to-achieve-eternal-persistence-part-3
PoC:
🔗 https://github.com/huntandhackett/PassiveAggression
🐥 [ tweet ]
👍8🔥2