😈 [ DSAS by INJECT @DevSecAS ]
🖥 Let's analyze one of the ways to bypass the smart screen and write our own simple cryptor that runs the shellcode:
🔗 https://github.com/Evi1Grey5/Bypass-Smartscreen-
🐥 [ tweet ]
🖥 Let's analyze one of the ways to bypass the smart screen and write our own simple cryptor that runs the shellcode:
🔗 https://github.com/Evi1Grey5/Bypass-Smartscreen-
🐥 [ tweet ]
👍10🥱3
😈 [ Alex Neff @al3x_n3ff ]
🔥We have big news for you, NetExec now has a new protocol: NFS🔥
Main features:
- Detecting NFS servers
- List exported shares
- Recursive enumeration of shares
- Up&Download files
Many thanks to @mehmetcanterman who had the idea and implemented the protocol with me.
🐥 [ tweet ]
🔥We have big news for you, NetExec now has a new protocol: NFS🔥
Main features:
- Detecting NFS servers
- List exported shares
- Recursive enumeration of shares
- Up&Download files
Many thanks to @mehmetcanterman who had the idea and implemented the protocol with me.
🐥 [ tweet ]
несправедливо мы тогда залупались на тех, кто форкнул цме, даже вот активно развивается походу🔥12👍5🤔1
😈 [ nyxgeek @nyxgeek ]
I think most pentesters have used the classic OWA time-based user enum at some point. Or time-based enum in Lync.
What if I told you that time-based user enum lives on in Azure? And it's tied to Basic Auth.
Basic Auth is dead. Long live Basic Auth!
🔗 https://trustedsec.com/blog/kicking-it-old-school-with-time-based-enumeration-in-azure
🐥 [ tweet ]
I think most pentesters have used the classic OWA time-based user enum at some point. Or time-based enum in Lync.
What if I told you that time-based user enum lives on in Azure? And it's tied to Basic Auth.
Basic Auth is dead. Long live Basic Auth!
🔗 https://trustedsec.com/blog/kicking-it-old-school-with-time-based-enumeration-in-azure
🐥 [ tweet ]
🤯2
😈 [ Cyber Advising @cyber_advising ]
CVE-2024-7479 & CVE-2024-7481: exploit proof of concept of a vulnerability in TeamViewer that enables an unprivileged user to load an arbitrary Kernel Driver into the system.
PoC:
🔗 https://github.com/PeterGabaldon/CVE-2024-7479_CVE-2024-7481
🐥 [ tweet ]
CVE-2024-7479 & CVE-2024-7481: exploit proof of concept of a vulnerability in TeamViewer that enables an unprivileged user to load an arbitrary Kernel Driver into the system.
PoC:
🔗 https://github.com/PeterGabaldon/CVE-2024-7479_CVE-2024-7481
🐥 [ tweet ]
🍌3👍2
Offensive Xwitter
😈 [ LuemmelSec @theluemmel ] New blog by @itm4n is a must read for blue and red alike: 🔗 https://itm4n.github.io/printnightmare-exploitation/ Quality stuff as always. Thanks I updated my Client-Checker to evaluate the affected reg keys so you can quickly…
😈 [ parzel @parzel2 ]
During a #redteam at @mod0 we discovered a limited but neat bypass for #printnightmare. I talked to @itm4n about it and he had an indepth look. Read about it here:
🔗 https://itm4n.github.io/printnightmare-not-over/
🐥 [ tweet ]
During a #redteam at @mod0 we discovered a limited but neat bypass for #printnightmare. I talked to @itm4n about it and he had an indepth look. Read about it here:
🔗 https://itm4n.github.io/printnightmare-not-over/
🐥 [ tweet ]
👍2
😈 [ Binni Shah @binitamshah ]
Hacking Windows through iTunes - Local Privilege Escalation 0-day (Patched September 12, 2024):
🔗 https://github.com/mbog14/CVE-2024-44193
🐥 [ tweet ]
Hacking Windows through iTunes - Local Privilege Escalation 0-day (Patched September 12, 2024):
🔗 https://github.com/mbog14/CVE-2024-44193
🐥 [ tweet ]
🥱2👍1🤔1
😈 [ ap @decoder_it ]
Following up on my earlier tweet regarding Kerberos relay with SMB server, I've uploaded my quick & dirty version. It's far from perfect, so feel free to improve it!
🔗 https://github.com/decoder-it/KrbRelay-SMBServer/tree/master
🐥 [ tweet ][ quote ]
Following up on my earlier tweet regarding Kerberos relay with SMB server, I've uploaded my quick & dirty version. It's far from perfect, so feel free to improve it!
🔗 https://github.com/decoder-it/KrbRelay-SMBServer/tree/master
🐥 [ tweet ][ quote ]
👍4🔥1
😈 [ Ohm-I (Oh My) @mcohmi ]
Dropping a POC and naming the specific person who found and disclosed it WHILE they are going through a disclosure process is a dick move, tbh.
Keep your POCs internal or in small groups until Drop Day.
ESC15 (EKUwu):
🔗 https://github.com/ly4k/Certipy/pull/228
🐥 [ tweet ]
Dropping a POC and naming the specific person who found and disclosed it WHILE they are going through a disclosure process is a dick move, tbh.
Keep your POCs internal or in small groups until Drop Day.
ESC15 (EKUwu):
🔗 https://github.com/ly4k/Certipy/pull/228
🐥 [ tweet ]
🔥5👍3😢3
😈 [ Adam Chester 🏴☠️ @_xpn_ ]
New tool published which is proving to be useful. Cred1py allows execution of the CRED-1 SCCM attack published by @Raiona_ZA over SOCKS5 UDP by wrapping the awesome PxeThiefy[.]py from @0xcsandker. Enjoy :)
🔗 https://github.com/SpecterOps/cred1py
🐥 [ tweet ]
New tool published which is proving to be useful. Cred1py allows execution of the CRED-1 SCCM attack published by @Raiona_ZA over SOCKS5 UDP by wrapping the awesome PxeThiefy[.]py from @0xcsandker. Enjoy :)
🔗 https://github.com/SpecterOps/cred1py
🐥 [ tweet ]
👍5🔥1
Offensive Xwitter
😈 [ Ohm-I (Oh My) @mcohmi ] Dropping a POC and naming the specific person who found and disclosed it WHILE they are going through a disclosure process is a dick move, tbh. Keep your POCs internal or in small groups until Drop Day. ESC15 (EKUwu): 🔗 htt…
😈 [ TrustedSec @TrustedSec ]
During a recent engagement, @Bandrel discovered how an attacker can craft a CSR by using default system certificates. After finding out this method was novel, the team kept digging. Read what they found in our new blog!
🔗 https://trustedsec.com/blog/ekuwu-not-just-another-ad-cs-esc
🐥 [ tweet ]
During a recent engagement, @Bandrel discovered how an attacker can craft a CSR by using default system certificates. After finding out this method was novel, the team kept digging. Read what they found in our new blog!
🔗 https://trustedsec.com/blog/ekuwu-not-just-another-ad-cs-esc
🐥 [ tweet ]
🔥4👍1🥱1
😈 [ safe @safe0x17 ]
I'm excited to share 𝗥𝘂𝘀𝘁𝗶𝗰𝟲𝟰. A Modern 64-bit 𝗣𝗼𝘀𝗶𝘁𝗶𝗼𝗻-𝗜𝗻𝗱𝗲𝗽𝗲𝗻𝗱𝗲𝗻𝘁 Shellcode Template for 𝗪𝗶𝗻𝗱𝗼𝘄𝘀, written 𝗶𝗻 𝗥𝘂𝘀𝘁!
🔗 https://github.com/safedv/Rustic64
🐥 [ tweet ]
I'm excited to share 𝗥𝘂𝘀𝘁𝗶𝗰𝟲𝟰. A Modern 64-bit 𝗣𝗼𝘀𝗶𝘁𝗶𝗼𝗻-𝗜𝗻𝗱𝗲𝗽𝗲𝗻𝗱𝗲𝗻𝘁 Shellcode Template for 𝗪𝗶𝗻𝗱𝗼𝘄𝘀, written 𝗶𝗻 𝗥𝘂𝘀𝘁!
🔗 https://github.com/safedv/Rustic64
🐥 [ tweet ]
🔥2🥱1
Offensive Xwitter
😈 [ TrustedSec @TrustedSec ] During a recent engagement, @Bandrel discovered how an attacker can craft a CSR by using default system certificates. After finding out this method was novel, the team kept digging. Read what they found in our new blog! 🔗 ht…
This media is not supported in your browser
VIEW IN TELEGRAM
😈 [ Justin Bollinger @Bandrel ]
Here is the original PoC video. As you can see Certipy isn't needed to exploit. Just makes it easier.
🐥 [ tweet ]
Here is the original PoC video. As you can see Certipy isn't needed to exploit. Just makes it easier.
🐥 [ tweet ]
👍7🔥4
😈 [ Empire @EmpireC2Project ]
Read the latest blog on It's Not Your Grandfather's Empire! If you haven't used it in some time come take a look at just how it's grown into a multi-language powerhouse:
🔗 https://bc-security.org/not-your-grandfathers-empire/
🐥 [ tweet ]
Read the latest blog on It's Not Your Grandfather's Empire! If you haven't used it in some time come take a look at just how it's grown into a multi-language powerhouse:
🔗 https://bc-security.org/not-your-grandfathers-empire/
🐥 [ tweet ]
👍6🔥1
😈 [ Nextron Systems @nextronsystems ]
In-Depth Analysis of Lynx Ransomware
Analyzing Lynx ransomware, active since mid-2024, with insights on its encryption methods, backup deletion, and printer-based ransom note delivery:
🔗 https://www.nextron-systems.com/2024/10/11/in-depth-analysis-of-lynx-ransomware/
🐥 [ tweet ]
In-Depth Analysis of Lynx Ransomware
Analyzing Lynx ransomware, active since mid-2024, with insights on its encryption methods, backup deletion, and printer-based ransom note delivery:
🔗 https://www.nextron-systems.com/2024/10/11/in-depth-analysis-of-lynx-ransomware/
🐥 [ tweet ]
👍4
😈 [ ap @decoder_it ]
OK, I promise to stop spamming about relays with NTLM/Kerberos 😅. But if you're a member of the Distributed COM or Performance Log group, these juicy CLSIDs let you trigger remotely machine authentication of any computer, including DCs, and relay DCOM -> HTTP, SMB:
🐥 [ tweet ]
OK, I promise to stop spamming about relays with NTLM/Kerberos 😅. But if you're a member of the Distributed COM or Performance Log group, these juicy CLSIDs let you trigger remotely machine authentication of any computer, including DCs, and relay DCOM -> HTTP, SMB:
{9EA82395-E31B-41CA-8DF7-EC1CEE7194DF}
{42C21DF5-FB58-4102-90E9-96A213DC7CE8}
{C63261E4-6052-41FF-B919-496FECF4C4E5}
{FFE1E5FE-F1F0-48C8-953E-72BA272F2744}🐥 [ tweet ]
🔥13
😈 [ Logan Goins @_logangoins ]
I just published a blog post focused on details of using offensive .NET for both enumeration and exploitation of #activedirectory environments! Including some customized code examples from a tool I've been developing!
🔗 https://logan-goins.com/2024-10-11-Dotnet-AD/
🔗 https://github.com/logangoins/Cable
🐥 [ tweet ]
#для_самых_маленьких
I just published a blog post focused on details of using offensive .NET for both enumeration and exploitation of #activedirectory environments! Including some customized code examples from a tool I've been developing!
🔗 https://logan-goins.com/2024-10-11-Dotnet-AD/
🔗 https://github.com/logangoins/Cable
🐥 [ tweet ]
#для_самых_маленьких
👍5🔥1
😈 [ Daniel F. @VirtualAllocEx ]
I wanted to learn more about using content delivery networks (CDNs) in Azure in conjunction with an Nginx reverse proxy in the context of using Cobalt Strike as a C2 framework. As a result, I've written the following blog post.
🔗 https://redops.at/en/blog/cobalt-strike-cdn-reverse-proxy-setup
🐥 [ tweet ]
I wanted to learn more about using content delivery networks (CDNs) in Azure in conjunction with an Nginx reverse proxy in the context of using Cobalt Strike as a C2 framework. As a result, I've written the following blog post.
🔗 https://redops.at/en/blog/cobalt-strike-cdn-reverse-proxy-setup
🐥 [ tweet ]
👍6
😈 [ Matt Zorich @reprise_99 ]
In case you missed it, a deep dive into how Kerberoasting works, how to detect it, and maybe most importantly of all, how to reduce the risk of it within your Active Directory environment:
🔗 https://www.microsoft.com/en-us/security/blog/2024/10/11/microsofts-guidance-to-help-mitigate-kerberoasting/
🐥 [ tweet ]
In case you missed it, a deep dive into how Kerberoasting works, how to detect it, and maybe most importantly of all, how to reduce the risk of it within your Active Directory environment:
🔗 https://www.microsoft.com/en-us/security/blog/2024/10/11/microsofts-guidance-to-help-mitigate-kerberoasting/
🐥 [ tweet ]
верните мне мой 2017😁4👍3
😈 [ Daniel F. @VirtualAllocEx ]
I was interested in better understanding a specific detection mechanism of an EDR, focusing on fake DLLs, page guard hooking, PEB manipulation, and vectored exception handling - techniques inspired by the game hacking community.
I'm not a reverse engineer, but in this blog post I tried my best to explain in detail how the detection logic (probably) works and how it could be "bypassed" from an attacker's (red team's) perspective.
By bypassing I mean avoiding prevention and detection by the respective EPP/EDR based on active alerts, it does not include all the telemetry related stuff. I just want to mention this because in general I think the term bypassing should be used very sensitively, carefully and precisely.
In general, in this case the focus was not primarily on finding a "bypass", I was much more interested in learning a bit about reverse engineering in the context of EDRs.
If there are any mistakes or if something is not described correctly, please let me know. Also feel free to give constructive feedback at any time.
The blog post is available in English and German, just switch from EN to DE on the website.
🔗 https://redops.at/en/blog/edr-analysis-leveraging-fake-dlls-guard-pages-and-veh-for-enhanced-detection
🐥 [ tweet ]
I was interested in better understanding a specific detection mechanism of an EDR, focusing on fake DLLs, page guard hooking, PEB manipulation, and vectored exception handling - techniques inspired by the game hacking community.
I'm not a reverse engineer, but in this blog post I tried my best to explain in detail how the detection logic (probably) works and how it could be "bypassed" from an attacker's (red team's) perspective.
By bypassing I mean avoiding prevention and detection by the respective EPP/EDR based on active alerts, it does not include all the telemetry related stuff. I just want to mention this because in general I think the term bypassing should be used very sensitively, carefully and precisely.
In general, in this case the focus was not primarily on finding a "bypass", I was much more interested in learning a bit about reverse engineering in the context of EDRs.
If there are any mistakes or if something is not described correctly, please let me know. Also feel free to give constructive feedback at any time.
The blog post is available in English and German, just switch from EN to DE on the website.
🔗 https://redops.at/en/blog/edr-analysis-leveraging-fake-dlls-guard-pages-and-veh-for-enhanced-detection
🐥 [ tweet ]
👍8
😈 [ Lsec @lsecqt ]
I am happy to share a recent blogpost about weaponizing DLL Hijacking / Sideloading for getting initial access and establishing persistence:
🔗 https://www.r-tec.net/r-tec-blog-dll-sideloading.html
Hope this is useful, and as always, reach out if you have questions.
🐥 [ tweet ]
I am happy to share a recent blogpost about weaponizing DLL Hijacking / Sideloading for getting initial access and establishing persistence:
🔗 https://www.r-tec.net/r-tec-blog-dll-sideloading.html
Hope this is useful, and as always, reach out if you have questions.
🐥 [ tweet ]
🔥6👍1