😈 [ Jiří Vinopal @vinopaljiri ]

Inspired by @0gtweet, I created PoC: EXE-or-DLL-or-ShellCode that can be:

Executed as a normal #exe
Loaded as #dll + export function can be invoked
Run via "rundll32.exe"
Executed as #shellcode right from the DOS (MZ) header that works as polyglot stub

🔗 https://github.com/Dump-GUY/EXE-or-DLL-or-ShellCode

🐥 [ tweet ]

😈 [ Sam ☁️🪵 @Sam0x90 ]

Interesting ZIP trick with __Macosx__ folder and LNK executing ftp noscript to execute embedded pythonw.exe

zip > docx LNK > ftp.exe > disguised pythonw.exe > CS shellcode

🔗 https://www.ctfiot.com/203334.html

🐥 [ tweet ]

😈 [ Het Mehta @hetmehtaa ]

Reversing a VPN client to hijack sessions

🔗 https://rotarydrone.medium.com/decrypting-and-replaying-vpn-cookies-4a1d8fc7773e

🐥 [ tweet ]

😈 [ John Hammond @_JohnHammond ]

Well, this was a stupid insomnia project, but... 😂

Playground code is here:

🔗 https://github.com/JohnHammond/recaptcha-phish

🐥 [ tweet ][ quote ]

завирусилось, прикольно

😈 [ Kurosh Dabbagh @_Kudaes_ ]

Somebody asked if you can run a dll directly without rundll32 as you would do with an exe. You just need to remove the IMAGE_FILE_DLL flag from IMAGE_FILE_HEADER->Characteristics, which can be done with the option -e. Don't see much use for it tho ^^

🔗 https://github.com/Kudaes/CustomEntryPoint

🐥 [ tweet ]

😈 [ Usman Sikander @UsmanSikander13 ]

Basics to advanced process injection. Covering 25 techniques:

🔗 https://github.com/Offensive-Panda/ProcessInjectionTechniques

🐥 [ tweet ]

😈 [ Aleem Ladha @LadhaAleem ]

I've fully automated the lab used for @_leHACK_ Active Directory 2024 workshop done by @mpgn_x64 and it's available for everyone ! 🔥
Also big kudos to @M4yFly for the playbooks and NetExec dev teams for this awesome tool !
Hope you enjoy, more to come

🔗 https://github.com/Pennyw0rth/NetExec-Lab

🐥 [ tweet ]

😈 [ Nikhil Hegde @ka1do9 ]

In this one, I go into great detail about how malware walks the Process Environment Block (PEB) to find particular DLLs and parses their export table to find address of functions.

🔗 https://nikhilh-20.github.io/blog/peb_phobos_ransomware/

🐥 [ tweet ]

😈 [ Justin Elze @HackingLZ ]

Pwning C2 frameworks

🔗 https://blog.includesecurity.com/2024/09/vulnerabilities-in-open-source-c2-frameworks/

🐥 [ tweet ]

😈 [ konrad @konradgajdus ]

From Theory to Code: Implementing a Neural Network in 200 Lines of C

🔗 http://x.com/i/article/1837064930832404482

🐥 [ tweet ]

😈 [ Orange Cyberdefense Switzerland @orangecyberch ]

💻🛡️ In this series of blog posts, Clément Labro (itm4n) one of our ethical hacker, explores yet another avenue for bypassing LSA Protection in Userland.

Blog series:
🔗 https://itm4n.github.io/ghost-in-the-ppl-part-1/
🔗 https://itm4n.github.io/ghost-in-the-ppl-part-2/
🔗 https://itm4n.github.io/ghost-in-the-ppl-part-3/

Code:
🔗 https://github.com/itm4n/PPLrevenant
🔗 https://github.com/itm4n/Pentest-Windows/tree/main/NdrServerCallAll

🐥 [ tweet ]

😈 [ Remko Weijnen @RemkoWeijnen ]

Proof of Concept to leverage Windows App to create an LSASS dump

🔗 https://github.com/rweijnen/createdump

🐥 [ tweet ]

😈 [ DSAS by INJECT @DevSecAS ]

Recursive Loader

Explanation of code: The following code is inspired by APT Linux/Kobalos. Kobalos was malware, suspected to be tied to the Chinese government, which was fully recursive. It was novel malware.

🔗 https://github.com/Evi1Grey5/Recursive-Loader

🐥 [ tweet ]

😈 [ Will @BushidoToken ]

I am happy to share another new resource I recently made called The Russian APT Tool Matrix 🇷🇺

🔗 https://blog.bushidotoken.net/2024/09/the-russian-apt-tool-matrix.html
🔗 https://github.com/BushidoUK/Russian-APT-Tool-Matrix

🐥 [ tweet ]

ищем себя, пацаны

😈 [ Check Point Research @_CPResearch_ ]

10 years of DLL hijacking - featuring abused executables that shouldn't have existed, exported and malicious DLLs with discount bin "packing." Includes a PoC for app developers to pre-emptively stop hijacking without dealing with a certificate authority.

🔗 https://research.checkpoint.com/2024/10-years-of-dll-hijacking-and-what-we-can-do-to-prevent-10-more/

🐥 [ tweet ]

😈 [ Fox-IT @foxit ]

Check out our latest blog from our Red Team about EDR evasion through malware virtualisation:

🔗 https://blog.fox-it.com/2024/09/25/red-teaming-in-the-age-of-edr-evasion-of-endpoint-detection-through-malware-virtualisation/

🐥 [ tweet ]

UnderConf. От сообщества – для сообщества

Keynote-спикеры и докладчики крупных конференций, авторы ваших любимых телеграм-каналов про ИБ, ведущие самых известных воркшопов и легенды индустрии в одном месте – на UnderConf, 29.09.

@crytech7, Сергей Голованов a.k.a. @sk1ks, @n0nvme и другие представят свои последние разработки и исследования, а Сергей Норд, локпикеры Autopsy Will Tell и хардварщики “Танец Роботов” параллельно проведут для вас топовые воркшопы.

На конференции также будет развернута лаборатория Pentest Lab, где можно будет разобраться в сценариях различных атак на части сетевой инфраструктуры компании.

В середине дня пройдут дебаты между Алексеем Гришиным и @i_bo0om о том, как расходятся интересы специалистов и бизнеса.

Подробная программа уже доступна на сайте.

Канал | Чат

Не рекламы ради, а просто поделиться, куда я решил заглянуть в честь начала отпуска

😈 [ Mandiant (part of Google Cloud) @Mandiant ]

🚨 Mandiant observed #LummaC2 stealers leveraging a new obfuscation technique to thwart analysis tools and stifle reverse engineering efforts.

Read about this tactic, and how we developed an automated method for removing this protection layer →

🔗 https://cloud.google.com/blog/topics/threat-intelligence/lummac2-obfuscation-through-indirect-control-flow/

🐥 [ tweet ]