😈 [ Nextron Systems @nextronsystems ]
In-Depth Analysis of Lynx Ransomware
Analyzing Lynx ransomware, active since mid-2024, with insights on its encryption methods, backup deletion, and printer-based ransom note delivery:
🔗 https://www.nextron-systems.com/2024/10/11/in-depth-analysis-of-lynx-ransomware/
🐥 [ tweet ]
😈 [ ap @decoder_it ]
OK, I promise to stop spamming about relays with NTLM/Kerberos 😅. But if you're a member of the Distributed COM or Performance Log group, these juicy CLSIDs let you remotely trigger machine authentication of any computer, including DCs, and relay DCOM -> HTTP, SMB:
{9EA82395-E31B-41CA-8DF7-EC1CEE7194DF}
{42C21DF5-FB58-4102-90E9-96A213DC7CE8}
{C63261E4-6052-41FF-B919-496FECF4C4E5}
{FFE1E5FE-F1F0-48C8-953E-72BA272F2744}
🐥 [ tweet ]
😈 [ Logan Goins @_logangoins ]
I just published a blog post focused on details of using offensive .NET for both enumeration and exploitation of #activedirectory environments! Including some customized code examples from a tool I've been developing!
🔗 https://logan-goins.com/2024-10-11-Dotnet-AD/
🔗 https://github.com/logangoins/Cable
🐥 [ tweet ]
#for_absolute_beginners
😈 [ Daniel F. @VirtualAllocEx ]
I wanted to learn more about using content delivery networks (CDNs) in Azure in conjunction with an Nginx reverse proxy in the context of using Cobalt Strike as a C2 framework. As a result, I've written the following blog post.
🔗 https://redops.at/en/blog/cobalt-strike-cdn-reverse-proxy-setup
🐥 [ tweet ]
😈 [ Matt Zorich @reprise_99 ]
In case you missed it, a deep dive into how Kerberoasting works, how to detect it, and maybe most importantly of all, how to reduce the risk of it within your Active Directory environment:
🔗 https://www.microsoft.com/en-us/security/blog/2024/10/11/microsofts-guidance-to-help-mitigate-kerberoasting/
🐥 [ tweet ]
Give me back my 2017 😁
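The Microsoft post above covers detection; as an added illustration (not code from Microsoft or from this channel), here is the hunt a defender typically runs over domain-controller 4769 (TGS request) events: flag RC4-HMAC (etype 0x17) service tickets issued for user-run SPNs, since those are keyed with the account's NT hash and are what offline crackers want, and flag any requester that pulls tickets for many distinct SPNs in a short window. The events, field names and thresholds are constructed for the example; real logs need the XML/EVTX fields mapped into the same dict shape.

```python
"""Hunting Kerberoasting in Windows Security event 4769 (TGS request) telemetry.

Two signals, both available from the domain controller's Security log:
  1. A TGS request with TicketEncryptionType 0x17 (RC4-HMAC) for a service
     running under a user account (machine accounts, ending in '$', are noise).
  2. One requester (user + source IP) asking for >= N distinct SPNs within a
     few minutes: the "roast everything" pattern of Rubeus/GetUserSPNs.
All events below are constructed samples, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17          # etype in 4769 that indicates an RC4 service ticket
AES128, AES256 = 0x11, 0x12


def is_machine_account(service_name: str) -> bool:
    """Machine accounts end in '$'; their RC4 tickets are not roastable targets."""
    return service_name.strip().endswith("$")


def rc4_user_spn_requests(events):
    """Signal 1: RC4 service tickets issued for non-machine service accounts."""
    return [
        ev for ev in events
        if ev["TicketEncryptionType"] == RC4_HMAC
        and not is_machine_account(ev["ServiceName"])
    ]


def burst_requesters(events, window=timedelta(minutes=5), threshold=5):
    """Signal 2: requesters that hit >= threshold distinct SPNs inside `window`.

    Returns {(TargetUserName, IpAddress): distinct_spn_count} for each offender.
    """
    by_requester = defaultdict(list)
    for ev in events:
        by_requester[(ev["TargetUserName"], ev["IpAddress"])].append(ev)

    flagged = {}
    for key, evs in by_requester.items():
        evs.sort(key=lambda e: e["TimeCreated"])
        # Sliding window anchored at each request; events are time-ordered.
        for i, start in enumerate(evs):
            spns = {
                e["ServiceName"] for e in evs[i:]
                if e["TimeCreated"] - start["TimeCreated"] <= window
            }
            if len(spns) >= threshold:
                flagged[key] = len(spns)
                break
    return flagged


def sample_events():
    """Constructed 4769 events: one roasting burst plus benign background noise."""
    t0 = datetime(2024, 10, 11, 9, 0, 0)
    roasted = ["svc_sql", "svc_web", "svc_backup", "svc_sccm", "svc_iis", "svc_exchange"]
    events = [
        {"TimeCreated": t0 + timedelta(seconds=10 * i), "TargetUserName": "alice@CORP.LOCAL",
         "IpAddress": "::ffff:10.0.0.5", "ServiceName": spn, "TicketEncryptionType": RC4_HMAC}
        for i, spn in enumerate(roasted)
    ]
    events += [
        # Normal AES tickets: a workstation and one legitimate SQL connection.
        {"TimeCreated": t0 + timedelta(minutes=3), "TargetUserName": "bob@CORP.LOCAL",
         "IpAddress": "::ffff:10.0.0.9", "ServiceName": "WS01$", "TicketEncryptionType": AES256},
        {"TimeCreated": t0 + timedelta(minutes=4), "TargetUserName": "bob@CORP.LOCAL",
         "IpAddress": "::ffff:10.0.0.9", "ServiceName": "svc_sql", "TicketEncryptionType": AES256},
        # RC4 ticket for a machine account: excluded from signal 1 on purpose.
        {"TimeCreated": t0 + timedelta(hours=2), "TargetUserName": "carol@CORP.LOCAL",
         "IpAddress": "::ffff:10.0.0.7", "ServiceName": "WS02$", "TicketEncryptionType": RC4_HMAC},
    ]
    return events


if __name__ == "__main__":
    evs = sample_events()
    for ev in rc4_user_spn_requests(evs):
        print(f"RC4 ticket for {ev['ServiceName']} requested by {ev['TargetUserName']}")
    for (user, ip), n in burst_requesters(evs).items():
        print(f"burst: {user} from {ip} requested {n} distinct SPNs")
```

Signal 1 only works once the service accounts actually have AES enabled (msDS-SupportedEncryptionTypes) so that RC4 requests become anomalous rather than the default; in a domain where RC4 is still negotiated everywhere, signal 2 is the one that carries the hunt.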
😈 [ Daniel F. @VirtualAllocEx ]
I was interested in better understanding a specific detection mechanism of an EDR, focusing on fake DLLs, page guard hooking, PEB manipulation, and vectored exception handling - techniques inspired by the game hacking community.
I'm not a reverse engineer, but in this blog post I tried my best to explain in detail how the detection logic (probably) works and how it could be "bypassed" from an attacker's (red team's) perspective.
By bypassing I mean avoiding prevention and detection by the respective EPP/EDR based on active alerts, it does not include all the telemetry related stuff. I just want to mention this because in general I think the term bypassing should be used very sensitively, carefully and precisely.
In general, in this case the focus was not primarily on finding a "bypass", I was much more interested in learning a bit about reverse engineering in the context of EDRs.
If there are any mistakes or if something is not described correctly, please let me know. Also feel free to give constructive feedback at any time.
The blog post is available in English and German, just switch from EN to DE on the website.
🔗 https://redops.at/en/blog/edr-analysis-leveraging-fake-dlls-guard-pages-and-veh-for-enhanced-detection
🐥 [ tweet ]
😈 [ Lsec @lsecqt ]
I am happy to share a recent blogpost about weaponizing DLL Hijacking / Sideloading for getting initial access and establishing persistence:
🔗 https://www.r-tec.net/r-tec-blog-dll-sideloading.html
Hope this is useful, and as always, reach out if you have questions.
🐥 [ tweet ]
Offensive Xwitter
😈 [ ap @decoder_it ] Following up on my earlier tweet regarding Kerberos relay with SMB server, I've uploaded my quick & dirty version. It's far from perfect, so feel free to improve it! 🔗 https://github.com/decoder-it/KrbRelay-SMBServer/tree/master 🐥 […
😈 [ Daniel @0x64616e ]
Kerberos relaying from SMB to ADCS. Especially great when ESC8 was mitigated by disabling NTLM auth on the ADCS server.
Powered by:
🔗 https://github.com/decoder-it/KrbRelay-SMBServer
🔗 https://github.com/wh04m1001/dfscoerce
🔗 https://github.com/CCob/gssapi-abuse
🐥 [ tweet ][ quote ]
😈 [ eversinc33 🤍🔪⋆。˚ ⋆ @eversinc33 ]
I sometimes do recreational malware analysis with random samples 4fun. In this one, I unpacked 2 stages of .NET to reveal SnakeKeylogger and subsequently enumerated info about the threat actor via his Telegram API token.
🔗 https://eversinc33.com/posts/unpacking-snake-keylogger.html
🐥 [ tweet ]
😈 [ Outflank @OutflankNL ]
New Blog Alert! 🚨
Introducing Early Cascade Injection, a stealthy process injection technique that targets Windows process creation, avoids cross-process APCs, and evades top-tier EDRs.
Learn how it combines Early Bird APC Injection & EDR-Preloading:
🔗 https://www.outflank.nl/blog/2024/10/15/introducing-early-cascade-injection-from-windows-process-creation-to-stealthy-injection/
🐥 [ tweet ]
Forwarded from Ralf Hacker Channel (Ralf Hacker)
They put out interesting reports, I love this kind of reading and recommend it to everyone) to attackers and defenders alike))
https://news.1rj.ru/str/s3Ch1n7/427
#report
😈 [ cod @wolfcod ]
Combining RtlCreateProcessReflection plus NanoDump Writer to avoid MiniDump callback api:
🔗 https://github.com/wolfcod/lsassdump
🐥 [ tweet ]
😈 [ Elastic Security Labs @elasticseclabs ]
Threat hunting just got easier! This new repo of detection rules is crafted by our veteran detection engineers and powered by different Elastic query languages. Get the details of what’s included and see the future of this repo here:
🔗 https://www.elastic.co/security-labs/elevate-your-threat-hunting
🐥 [ tweet ]
😈 [ Chetan Nayak (Brute Ratel C4 Author) @NinjaParanoid ]
Here's my journey/blog of an entire wasted day on reversing the NTAPI call and the internals of ntdll!LdrpVectorHandlerList to write my own RtlpAddVectoredExceptionHandler from scratch. The code is hosted on my git.
Blog:
🔗 https://bruteratel.com/research/2024/10/20/Exception-Junction/
PoC:
🔗 https://github.com/paranoidninja/Exception-Junction
🐥 [ tweet ]
😈 [ Steph @w34kp455 ]
Call it the biggest #NTLM #password database or monstrous #MD5 leak, but on weakpass.com you can find precomputed datasets for various wordlists and different hashes - all free!
FYI: all_in_one.latin.txt for NTLM contains 26.5 billion pairs of hash:password inside! 🔥
🔗 http://weakpass.com
🐥 [ tweet ]
😈 [ CICADA8Research @CICADA8Research ]
Hi! We'd like to share our new research with you. You've probably heard about COM Hijacking, but we've found another way of persistence via COM. Typelib! Read the article here:
🔗 https://medium.com/@cicada-8/hijack-the-typelib-new-com-persistence-technique-32ae1d284661
🐥 [ tweet ]
😈 [ Chris Au @netero_1010 ]
Something interesting I found in SCCM remote control.
🔗 https://www.netero1010-securitylab.com/red-team/abuse-sccm-remote-control-as-native-vnc
🐥 [ tweet ]
😈 [ Octoberfest7 @Octoberfest73 ]
Happy to share another open source project- An x64 position-independent shellcode stager that validates the downloaded payload stage prior to execution. Integration with Cobalt Strike out of the box. Check out Secure_Stager here:
🔗 https://github.com/Octoberfest7/Secure_Stager
🐥 [ tweet ]
😈 [ Bnb @HulkOperator ]
I'm thrilled to share my latest project: AuthStager. This is a proof-of-concept tool that generates a shellcode stager with authentication.
Shout out to @MalDevAcademy, which is hands down the best resource to learn maldev.
Blog:
🔗 https://hulkops.gitbook.io/blog/red-team/stage-but-verify
Code:
🔗 https://github.com/HulkOperator/AuthStager
🐥 [ tweet ]
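Secure_Stager and AuthStager above tackle the two halves of the same problem: the stager should prove itself to the server before it gets a stage, and it should verify the stage before it ever executes it. As an added illustration of that pattern (not the code of either project, which are x64 shellcode stagers for Cobalt Strike), here are both sides of such an exchange using only HMAC-SHA256 from the Python standard library; the keys, message framing and "stage" bytes are constructed for the example, and nothing is executed.

```python
"""Stage-but-verify: authenticated staging with integrity-checked stages.

Stager -> server: (nonce, HMAC(token_key, "stager-auth|" + nonce))
Server -> stager: HMAC(stage_key, nonce + stage) || stage, or nothing at all
                  when the request does not authenticate.
The stager binds the nonce into the MAC check, so a captured response cannot
be replayed into a different request, and a modified stage is rejected.
Keys below are constructed demo values, not anything from the real tools.
"""
import hashlib
import hmac
import os

# Constructed per-build secrets (hypothetical); a real build would embed fresh ones.
STAGER_TOKEN_KEY = hashlib.sha256(b"demo-stager-token-key").digest()
STAGE_MAC_KEY = hashlib.sha256(b"demo-stage-mac-key").digest()
MAC_LEN = 32  # SHA-256 digest length


def build_auth_request():
    """Stager side: prove possession of the token key without sending it."""
    nonce = os.urandom(16)
    token = hmac.new(STAGER_TOKEN_KEY, b"stager-auth|" + nonce, hashlib.sha256).digest()
    return nonce, token


def server_handle(nonce, token, stage):
    """Server side: serve the stage only to authenticated stagers, MAC'd to the nonce."""
    expected = hmac.new(STAGER_TOKEN_KEY, b"stager-auth|" + nonce, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, token):
        return None  # scanners and sandboxes that fetch the URL get nothing
    mac = hmac.new(STAGE_MAC_KEY, nonce + stage, hashlib.sha256).digest()
    return mac + stage


def stager_verify(nonce, response):
    """Stager side: return the stage only if its MAC verifies; otherwise None."""
    if response is None or len(response) < MAC_LEN:
        return None
    mac, stage = response[:MAC_LEN], response[MAC_LEN:]
    expected = hmac.new(STAGE_MAC_KEY, nonce + stage, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):
        return None  # tampered or substituted stage: refuse to execute
    return stage


def run_exchange(stage, tamper=False):
    """Drive one full round trip; tamper=True flips a stage byte in transit."""
    nonce, token = build_auth_request()
    response = server_handle(nonce, token, stage)
    if tamper and response is not None and len(response) > MAC_LEN:
        i = MAC_LEN  # first byte of the stage itself
        response = response[:i] + bytes([response[i] ^ 0xFF]) + response[i + 1:]
    return stager_verify(nonce, response)


if __name__ == "__main__":
    demo_stage = b"\x90\x90\xcc"  # constructed stand-in, never executed here
    print("clean stage verified:", run_exchange(demo_stage) == demo_stage)
    print("tampered stage rejected:", run_exchange(demo_stage, tamper=True) is None)
```

Both keys live inside the stager, so anyone who unpacks the binary can authenticate and forge stages; that is inherent to a symmetric scheme. Swapping the stage MAC for a public-key signature (the stager carries only the public key) removes the forgery half of that problem, while the stager-to-server token remains symmetric by nature.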