Offensive Xwitter – Telegram

~$ socat TWITTER-LISTEN:443,fork,reuseaddr TELEGRAM:1.3.3.7:31337

Disclaimer: https://news.1rj.ru/str/OffensiveTwitter/546
😈 [ TrustedSec @TrustedSec ]

Today, TrustedSec is releasing #Specula (our previously internal framework) into the world, which will transform the Outlook email client into a beaconing C2 agent. @oddvarmoe and @freefirex2 walk through how to use Specula in our latest blog!

🔗 https://trustedsec.com/blog/specula-turning-outlook-into-a-c2-with-one-registry-change

🐥 [ tweet ]
👍6🔥3
😈 [ PT SWARM @ptswarm ]

🤖 New article by our researcher Nikita Petrov: "From opcode to code: how AI chatbots can help with decompilation".

Read the blog post:

🔗 https://swarm.ptsecurity.com/from-opcode-to-code-how-ai-chatbots-can-help-with-decompilation/

🐥 [ tweet ]
👍6
😈 [ Will Harris @parityzero ]

With Chrome 127 on Windows, we're introducing enhanced encryption to protect sensitive data, starting with your cookies🍪! This helps protect your personal information and keeps your online accounts secure from hackers. Read more about this protection:

🔗 https://security.googleblog.com/2024/07/improving-security-of-chrome-cookies-on.html

🐥 [ tweet ]

gg, dploot
😢14👍2
😈 [ Dirk-jan @_dirkjan ]

New blog: Persisting on Entra ID applications and User Managed Identities with Federated Credentials.

In this blog we set up our own IdP with roadtools, allowing us to authenticate to apps and user managed identities with federated credentials 😀

🔗 https://dirkjanm.io/persisting-with-federated-credentials-entra-apps-managed-identities/

🐥 [ tweet ]
👍5🤔2
😈 [ Luigi Fiore @lypd0 ]

Check out my windows privilege escalation utility DeadPotato on GitHub!

This customization of GodPotato abuses the SeImpersonatePrivilege rights on Windows to execute commands, spawn reverse shells, create new local admins on the systems and more!

🔗 https://github.com/lypd0/DeadPotato

🐥 [ tweet ]
🔥9👍3🥱3
😈 [ Rasta Mouse @_RastaMouse ]

[BLOG]
Is Crystal Lang the next big thing in maldev?

🔗 https://rastamouse.me/crystal-malware/

🐥 [ tweet ]
🥱4🔥1
😈 [ Daniel @0x64616e ]

Binding to port 445 on Windows without WinDivert. This is highly useful for NTLM relaying. Big thanks to @zyn3rgy for the talk:

🔗 https://youtu.be/iBqOOkQGJEA

🐥 [ tweet ][ quote ]
😈 [ Nick Powers @zyn3rgy ]

[Tool & Blog release] - smbtakeover, a technique to unbind/rebind port 445 without loading a driver, loading a module into LSASS, or rebooting the target machine. The goal is to ease exploitation of targeted NTLM relay primitives while operating over C2. Github repo is linked at the bottom of the blog post, which provides technical analysis of the technique.

Blog:
🔗 https://posts.specterops.io/relay-your-heart-away-an-opsec-conscious-approach-to-445-takeover-1c9b4666c8ac

GitHub:
🔗 https://github.com/zyn3rgy/smbtakeover

🐥 [ tweet ]
🔥6
😈 [ Pen Test Partners @PenTestPartners ]

🚨New Blog Alert!

Our own Ceri Coburn uncovered serious vulnerabilities in three KnowBe4 applications — Phish Alert Button, PasswordIQ, and Second Chance.

Read our full analysis and learn how to help protect your systems from these threats:

🔗 https://www.pentestpartners.com/security-blog/knowbe4-rce-and-lpe/

🐥 [ tweet ]
👍4🥱1
😈 [ ap @decoder_it ]

#FakePotato (CVE-2024-38100) post is out! Check out the short write-up on this unexpected vulnerability 😅

🔗 https://decoder.cloud/2024/08/02/the-fake-potato/

🐥 [ tweet ]
👍9
So, the annual Pentest Award 2024 (by @JustSecurity) ceremony is over, which means it is time for a stylish photo. Big respect to the organizers once again: compared to last year, the scale of the initiative has grown, as has the maturity of how it was run (hello to the mustached bartenders who pedantically kept the guests' glasses full regardless of where on the veranda they were). Of course, the "jokes from @i_bo0om" segment from the previous event was missed, but nothing is perfect, is it? There were many seriously cool cases, and now we are all eagerly waiting for a more detailed write-up of them in the pages of ][

I got a lot of enjoyment out of talking with colleagues in the trade. I'm sure next year will be even better. Keep it up!

#pentest_award
🔥27🥱3
😈 [ Alex Neff @al3x_n3ff ]

Inspired by the great talk by @subat0mik, @_Mayyhem and @garrfoster at #Troopers24, I wrote a new SCCM reconnaissance module that implements the RECON-1 (LDAP) part of the Misconfiguration Manager.

This makes it much easier to enumerate the existing SCCM infrastructure 🎯

🐥 [ tweet ]
👍8
🔥19👍4😁1🥱1
😈 [ Chetan Nayak (Brute Ratel C4 Author) @NinjaParanoid ]

Got a question from a BruteRatel operator in the BRC4 discord channel as to what the newly implemented csxumd64_xxxxx.dll module in Crowdstrike does. So, here's my little explanation post reversing it.

Crowdstrike implants 3 DLLs in their latest version - umppcxxxxx.dll, csxumd64_xxxxx.dll and umpdc.dll. UMPPC is the main usermode DLL which hooks into various NTAPI. UMPDC is more focused towards ADDC related attacks. Maybe another tweet on this later. But the CSXUMD64 (or Extended User Mode Data Module as CS likes to call it) is mainly responsible for analyzing the call stacks of various API calls, as well as a few new thread pool hooks such as CreateThreadPoolWork, maybe to check for loaded libraries or similar. The callstacks are analyzed only when a certain set of conditions are hit. Here's a walkthrough of the callstack which I've labelled and explained:

Image 1: Hooked API call (CreateThreadPoolWork in combase.dll) jumps to csxumd64
Image 2: csxumd64 saves the registers to stack before calling RtlAddVectoredExceptionHandler. This API call enables VEH hooking for an internal function of csxumd64 (rdx register)
Image 3: VEH function checks a few arguments and if the profile fits, it will jump to another internal function
Image 4: This function calls RtlCaptureContext to get register and stack information about the thread which called the hooked API in Image 1 (CreateThreadPoolWork). Now here...

a. RtlCaptureContext returns a pointer to a CONTEXT structure which has the current thread metadata required to walk the stack.
b. The return address captured from the CONTEXT structure is passed on to RtlLookupFunctionEntry which returns a pointer to a RUNTIME_FUNCTION structure containing the unwind data for the stack.
c. This unwind data is then verified against the output from the API RtlVirtualUnwind to check if the callstack is backed on disk. If it is not backed, the VEH is removed and the process is killed using the ZwTerminateProcess API.

Crowdstrike mentions in their documentation that this module captures additional data, but can incur greater performance penalties, which does make sense, as VEH and stack tracing can seriously affect process performance when done on a large scale. However, what is extremely dumb here is that they are not performing ETWTI stack tracing from the Kernel like ATP/Elastic or FortiEDR to avoid being simply unhooked from the userland. Wondering if I should release the tool to simply undo all the hooks that CS has placed, or just let it play out. :D

There's a lot more that happens within these three DLLs which I've incorporated in my v1.8 release for BRC4, and will also be discussing some of them in the January 2024 Malware On Steroids workshop.

🐥 [ tweet ]
🔥7👍6
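As an added example (not code from the post, Brute Ratel or CrowdStrike), here is the check described in steps a-c as a defender would implement it: walk the stack with RtlCaptureContext, RtlLookupFunctionEntry and RtlVirtualUnwind and count return addresses that no loaded module backs. The module-range check is portable and runs on constructed addresses; the real walk compiles only on Windows x64, and `module_range_t` and the function names are hypothetical.

```c
/* Added example (not Chetan Nayak's or CrowdStrike's code): count call-stack frames whose
 * return address is not backed by a loaded module. Portable core + Windows x64 real walk. */
#include <stddef.h>
#include <stdint.h>
typedef struct { uintptr_t base; size_t size; } module_range_t;   /* hypothetical type */
/* Portable core: is addr inside [base, base+size) of some loaded module image? */
int addr_is_module_backed(uintptr_t addr, const module_range_t *mods, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (addr >= mods[i].base && addr < mods[i].base + mods[i].size) return 1;
    return 0;
}
/* Count frames whose return address lies outside every module (heap, private RWX, ...). */
size_t count_unbacked(const uintptr_t *frames, size_t nf, const module_range_t *mods, size_t nm) {
    size_t bad = 0;
    for (size_t i = 0; i < nf; i++)
        if (!addr_is_module_backed(frames[i], mods, nm)) bad++;
    return bad;
}
/* Constructed sample: two fake module ranges, three fake return addresses, one unbacked. */
size_t demo_unbacked_frames(void) {
    const module_range_t mods[] = { { 0x7ff600000000ULL, 0x10000 }, { 0x7ffa10000000ULL, 0x200000 } };
    const uintptr_t frames[] = { 0x7ff600001234ULL, 0x7ffa10005000ULL, 0x1c2a0001000ULL };
    return count_unbacked(frames, 3, mods, 2);
}
#if defined(_WIN32) && defined(_M_X64)
#include <windows.h>
/* Real walk with the APIs the post names: RtlCaptureContext, then per frame
 * RtlLookupFunctionEntry + RtlVirtualUnwind; GetModuleHandleEx(FROM_ADDRESS) tests backing. */
size_t walk_and_count_unbacked(void) {
    CONTEXT ctx;
    RtlCaptureContext(&ctx);
    size_t bad = 0;
    for (int depth = 0; depth < 64 && ctx.Rip != 0; depth++) {
        HMODULE hm;
        if (!GetModuleHandleExA(GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS |
                                GET_MODULE_HANDLE_EX_FLAG_UNCHANGED_REFCOUNT,
                                (LPCSTR)(uintptr_t)ctx.Rip, &hm))
            bad++;                                   /* no module owns this return address */
        DWORD64 image_base;
        PRUNTIME_FUNCTION fn = RtlLookupFunctionEntry(ctx.Rip, &image_base, NULL);
        if (fn == NULL) { ctx.Rip = *(DWORD64 *)ctx.Rsp; ctx.Rsp += 8; continue; } /* leaf frame */
        PVOID handler_data; DWORD64 establisher_frame;
        RtlVirtualUnwind(UNW_FLAG_NHANDLER, image_base, ctx.Rip, fn, &ctx,
                         &handler_data, &establisher_frame, NULL);
    }
    return bad;
}
#endif
```

On Windows, a count above zero from walk_and_count_unbacked() is the condition the post says leads the module to terminate the process; a detection engine would usually log the frames and the owning module before deciding.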
😈 [ Chetan Nayak (Brute Ratel C4 Author) @NinjaParanoid ]

Now that the cat's out of the bag, let me state that I've been exploiting the last part (IE Proxy modification) in my last few Red team engagements to deploy a local proxy via BOF which blocks all Crowdstrike traffic and only allows the ones I've whitelisted 😛. Here's a quick snapshot to identify Crowdstrike traffic (cloudsink.net) via local socks proxy 🫢. Might post its BOF later, unless someone beats me to it.

🐥 [ tweet ]

A comment regarding this BSOD analysis by 360
👍6🔥1
😈 [ SpecterOps @SpecterOps ]

Do you like BloodHound & PowerShell? Do you want to automate all things BloodHound?

Check out @SadProcessor's new blog post diving into a new PowerShell module he created, & instructions on how to get started ⤵️

🔗 https://posts.specterops.io/bloodhound-operator-dog-whispering-reloaded-156020b7c5e9
🔗 https://github.com/SadProcessor/BloodHoundOperator

🐥 [ tweet ]
🔥3🥱2
😈 [ Cube0x0 @cube0x0 ]

Over a year ago, I left my position at WithSecure to start a new journey, create something new, and do my own thing. Today, I'm excited to publicly announce what I've been working on all this time.

Introducing 0xC2, a cross-platform C2 framework targeting Windows, Linux, and MacOS environments:

🔗 https://0xc2.io

The first release was back in late 2023, initially only offered to a small circle of red teamers, and soon registration will be open for new clients who provide threat simulation services.

All agents are written as PIC in C to provide better opsec and to allow operators to be more flexible when designing payloads. To make the agents modular and fully customizable, operators can create a user-defined virtual table that can be hooked by the agent. This can be used to change the default behavior of an agent or extend capabilities, from adding internal commands to implementing P2P protocols.

More details will be available soon.

🐥 [ tweet ]
👍9🔥1