😈 [ Elastic Security Labs @elasticseclabs ]
Threat hunting just got easier! This new repo of detection rules is crafted by our veteran detection engineers and powered by different Elastic query languages. Get the details of what’s included and see the future of this repo here:
🔗 https://www.elastic.co/security-labs/elevate-your-threat-hunting
🐥 [ tweet ]
Threat hunting just got easier! This new repo of detection rules is crafted by our veteran detection engineers and powered by different Elastic query languages. Get the details of what’s included and see the future of this repo here:
🔗 https://www.elastic.co/security-labs/elevate-your-threat-hunting
🐥 [ tweet ]
🔥7👍2
😈 [ Chetan Nayak (Brute Ratel C4 Author) @NinjaParanoid ]
Here's my journey/blog of an entire wasted day on reversing the NTAPI call and the internals of
Blog:
🔗 https://bruteratel.com/research/2024/10/20/Exception-Junction/
PoC:
🔗 https://github.com/paranoidninja/Exception-Junction
🐥 [ tweet ]
Here's my journey/blog of an entire wasted day on reversing the NTAPI call and the internals of
ntdll!LdrpVectorHandlerList to write my own RtlpAddVectoredExceptionHandler from scratch. The code is hosted on my git.Blog:
🔗 https://bruteratel.com/research/2024/10/20/Exception-Junction/
PoC:
🔗 https://github.com/paranoidninja/Exception-Junction
🐥 [ tweet ]
🔥7👍3
😈 [ Steph @w34kp455 ]
Call it the biggest #NTLM #password database or monstrous #MD5 leak, but on, you can find precomputed datasets for various wordlists and different hashes - all free!
FYI:
🔗 http://weakpass.com
🐥 [ tweet ]
Call it the biggest #NTLM #password database or monstrous #MD5 leak, but on, you can find precomputed datasets for various wordlists and different hashes - all free!
FYI:
all_in_one.latin.txt for NTLM contains 26.5 billion pairs of hash:password inside!🔥🔗 http://weakpass.com
🐥 [ tweet ]
🔥19👍5
😈 [ CICADA8Research @CICADA8Research ]
Hi! We'd like to share our new research with you. You've probably heard about COM Hijacking, but we've found another way of persistence via COM. Typelib! Read the article here:
🔗 https://medium.com/@cicada-8/hijack-the-typelib-new-com-persistence-technique-32ae1d284661
🐥 [ tweet ]
Hi! We'd like to share our new research with you. You've probably heard about COM Hijacking, but we've found another way of persistence via COM. Typelib! Read the article here:
🔗 https://medium.com/@cicada-8/hijack-the-typelib-new-com-persistence-technique-32ae1d284661
🐥 [ tweet ]
🔥12🥱6👍4🤔3
😈 [ Chris Au @netero_1010 ]
Something interesting I found in SCCM remote control.
🔗 https://www.netero1010-securitylab.com/red-team/abuse-sccm-remote-control-as-native-vnc
🐥 [ tweet ]
Something interesting I found in SCCM remote control.
🔗 https://www.netero1010-securitylab.com/red-team/abuse-sccm-remote-control-as-native-vnc
🐥 [ tweet ]
👍3🥱2🔥1
😈 [ Octoberfest7 @Octoberfest73 ]
Happy to share another open source project- An x64 position-independent shellcode stager that validates the downloaded payload stage prior to execution. Integration with Cobalt Strike out of the box. Check out Secure_Stager here:
🔗 https://github.com/Octoberfest7/Secure_Stager
🐥 [ tweet ]
Happy to share another open source project- An x64 position-independent shellcode stager that validates the downloaded payload stage prior to execution. Integration with Cobalt Strike out of the box. Check out Secure_Stager here:
🔗 https://github.com/Octoberfest7/Secure_Stager
🐥 [ tweet ]
👍4🔥3🥱2
This media is not supported in your browser
VIEW IN TELEGRAM
😈 [ Bnb @HulkOperator ]
I'm thrilled to share my latest project: AuthStager. This is a proof-of-concept tool that generates a shellcode stager with authentication.
Shout out to @MalDevAcademy, which is hands down the best resource to learn maldev.
Blog:
🔗 https://hulkops.gitbook.io/blog/red-team/stage-but-verify
Code:
🔗 https://github.com/HulkOperator/AuthStager
🐥 [ tweet ]
I'm thrilled to share my latest project: AuthStager. This is a proof-of-concept tool that generates a shellcode stager with authentication.
Shout out to @MalDevAcademy, which is hands down the best resource to learn maldev.
Blog:
🔗 https://hulkops.gitbook.io/blog/red-team/stage-but-verify
Code:
🔗 https://github.com/HulkOperator/AuthStager
🐥 [ tweet ]
👍7🔥4
😈 [ MalDev Academy @MalDevAcademy ]
Embed an encrypted payload within a PNG file across multiple sections.
🔗 https://github.com/Maldev-Academy/EmbedPayloadInPng
🐥 [ tweet ]
Embed an encrypted payload within a PNG file across multiple sections.
🔗 https://github.com/Maldev-Academy/EmbedPayloadInPng
🐥 [ tweet ]
👍6🥱5
😈 [ TrustedSec @TrustedSec ]
It’s time to get Groovy! In our new #blog, @__mez0__ goes over a variety of post-exploitation tasks in the #Groovy programming language for the next time you’re #enumerating a network. Read it now!
🔗 https://hubs.la/Q02Vhm2G0
🐥 [ tweet ]
It’s time to get Groovy! In our new #blog, @__mez0__ goes over a variety of post-exploitation tasks in the #Groovy programming language for the next time you’re #enumerating a network. Read it now!
🔗 https://hubs.la/Q02Vhm2G0
🐥 [ tweet ]
👍3
😈 [ 0xdf @0xdf_ ]
Mist from @hackthebox_eu is just a monster active directory challenge. My favorite parts were exploiting PetitPotam with ntlmrelayx to relay into LDAP access on the DC, enumerating Defender exclusion directories, and exploiting ESC13.
🔗 https://0xdf.gitlab.io/2024/10/26/htb-mist.html
🐥 [ tweet ]
Mist from @hackthebox_eu is just a monster active directory challenge. My favorite parts were exploiting PetitPotam with ntlmrelayx to relay into LDAP access on the DC, enumerating Defender exclusion directories, and exploiting ESC13.
🔗 https://0xdf.gitlab.io/2024/10/26/htb-mist.html
🐥 [ tweet ]
👍4🔥2
😈 [ Lampros @lampnout ]
Did you know attackers can register scheduled tasks configured with a custom handler (COM) to hide the full path of their payload? In my revisited post I explore (source code) how it is possible to register a task using the
🔗 https://stmxcsr.com/persistence/scheduled-tasks.html#programmatically-register-a-scheduled-task-using-com-icomhandleraction
🐥 [ tweet ]
Did you know attackers can register scheduled tasks configured with a custom handler (COM) to hide the full path of their payload? In my revisited post I explore (source code) how it is possible to register a task using the
IComHandlerAction interface:🔗 https://stmxcsr.com/persistence/scheduled-tasks.html#programmatically-register-a-scheduled-task-using-com-icomhandleraction
🐥 [ tweet ]
👍4🔥3
😈 [ Elastic Security Labs @elasticseclabs ]
The ElasticSecurityLabs team breaks down a recent Chrome update that introduced App-Bound Encryption and how the most common infostealers have adapted:
🔗 https://www.elastic.co/security-labs/katz-and-mouse-game
🐥 [ tweet ]
The ElasticSecurityLabs team breaks down a recent Chrome update that introduced App-Bound Encryption and how the most common infostealers have adapted:
🔗 https://www.elastic.co/security-labs/katz-and-mouse-game
🐥 [ tweet ]
🔥4👍3
This media is not supported in your browser
VIEW IN TELEGRAM
😈 [ Diego Capriotti @naksyn ]
This has been one of my favorites for a while, but now it's time to let it go.
Here's my preferred way of getting the KeePass db that we often hunt for:
downgrade the executable to version 2.53, use CVE-2023-24055 and wait for the busy admin to trigger the dump of the database.
The target can remain clean and you can simply check for the dump creation.
KeePass version 2.53 can still open kdbx created with the version 2.57 and if using a proper xml the user will likely notice nothing.
Update alerts can also be disabled within the xml.
🔗 https://gist.github.com/naksyn/6d5660dacd0730498a274b85d62a77e8
🐥 [ tweet ]
This has been one of my favorites for a while, but now it's time to let it go.
Here's my preferred way of getting the KeePass db that we often hunt for:
downgrade the executable to version 2.53, use CVE-2023-24055 and wait for the busy admin to trigger the dump of the database.
The target can remain clean and you can simply check for the dump creation.
KeePass version 2.53 can still open kdbx created with the version 2.57 and if using a proper xml the user will likely notice nothing.
Update alerts can also be disabled within the xml.
🔗 https://gist.github.com/naksyn/6d5660dacd0730498a274b85d62a77e8
🐥 [ tweet ]
👍5
This media is not supported in your browser
VIEW IN TELEGRAM
😈 [ Óscar Alfonso Díaz @OscarAkaElvis ]
Fresh meat! We've created a new Evil-WinRM branch with integrated multiple AI LLM support. New docker image, new gem (gem install evil-winrm-ai) and new possibilities.
Check it out and let us know what you think:
🔗 https://github.com/Hackplayers/evil-winrm/tree/ai
🐥 [ tweet ]
👍 - кринж
🔥 - рофл
Fresh meat! We've created a new Evil-WinRM branch with integrated multiple AI LLM support. New docker image, new gem (gem install evil-winrm-ai) and new possibilities.
Check it out and let us know what you think:
🔗 https://github.com/Hackplayers/evil-winrm/tree/ai
🐥 [ tweet ]
👍 - кринж
🔥 - рофл
👍19🔥16
Offensive Xwitter
😈 [ OtterHacker @OtterHacker ] I've published my #defcon32 workshop! If you want to develop your own "Perfect DLL Loader", you will have all you need in it. From the classic minimal loader to a fully featured one, this workshop in 6 steps is a journey inside…
😈 [ OtterHacker @OtterHacker ]
A few months ago I've created a "Pefect DLL Loader". You can find some details on my article that was just published today!
The full implem can be found directly in the @defcon workshop in my github!
Hope you will learn something in this 😊
🔗 https://www.riskinsight-wavestone.com/en/2024/10/loadlibrary-madness-dynamically-load-winhttp-dll/
🐥 [ tweet ]
A few months ago I've created a "Pefect DLL Loader". You can find some details on my article that was just published today!
The full implem can be found directly in the @defcon workshop in my github!
Hope you will learn something in this 😊
🔗 https://www.riskinsight-wavestone.com/en/2024/10/loadlibrary-madness-dynamically-load-winhttp-dll/
🐥 [ tweet ]
👍2
😈 [ Cobalt Strike @_CobaltStrike ]
Curious about Cobalt Strike's #UDRL capabilities? Get a walkthrough on how to easily develop custom loaders.
🔗 https://www.cobaltstrike.com/blog/revisiting-the-udrl-part-1-simplifying-development
🐥 [ tweet ]
Curious about Cobalt Strike's #UDRL capabilities? Get a walkthrough on how to easily develop custom loaders.
🔗 https://www.cobaltstrike.com/blog/revisiting-the-udrl-part-1-simplifying-development
🐥 [ tweet ]
🔥4
😈 [ Matt Creel @Tw1sm ]
New blog up to cover manual AD CS enumeration using ldapsearch and the new release of bofhound 🔍
🔗 https://posts.specterops.io/bofhound-ad-cs-integration-91b706bc7958
🐥 [ tweet ]
New blog up to cover manual AD CS enumeration using ldapsearch and the new release of bofhound 🔍
🔗 https://posts.specterops.io/bofhound-ad-cs-integration-91b706bc7958
🐥 [ tweet ]
🔥4🥱1
😈 [ Chris Thompson @_Mayyhem ]
Want to move laterally from C2 on an Intune admin's workstation to any Intune-enrolled device? Check out Maestro, a new(ish) tool I wrote for those situations, and this blog post to walk you through how:
Code:
🔗 https://github.com/Mayyhem/Maestro
Blog:
🔗 https://posts.specterops.io/maestro-9ed71d38d546
🐥 [ tweet ]
Want to move laterally from C2 on an Intune admin's workstation to any Intune-enrolled device? Check out Maestro, a new(ish) tool I wrote for those situations, and this blog post to walk you through how:
Code:
🔗 https://github.com/Mayyhem/Maestro
Blog:
🔗 https://posts.specterops.io/maestro-9ed71d38d546
🐥 [ tweet ]
Лайфхак, как найти офсеты до интересующего символа в пачке PE разных ревизий Windows
1. Идем на winbindex.m417z.com, ищем нужный бинарь.
2. Сохраняем страничку локально (нормальной апихи не завезли, а результаты формируются на клиент сайде).
3. Граббим версии и ссылочки на загрузку (pup в помощь):
4. Формируем команды вида (ниже), копипастим в консоль, ждем пока все загрузится:
5. Питоним скрипт для Binary Ninja по базовому экзамплу, получаем список офсетов:
Результат может быть полезен, например, для оценки примерных границ при поиске паттерна, когда заморачиваться с крафтом более аккуратного паттерна под все ОС лень, а так можно считерить и вывезти на грязном паттерне и более узких границах поиска:
1. Идем на winbindex.m417z.com, ищем нужный бинарь.
2. Сохраняем страничку локально (нормальной апихи не завезли, а результаты формируются на клиент сайде).
3. Граббим версии и ссылочки на загрузку (pup в помощь):
curl -s 'http://127.0.0.1/ntdll.dll%20-%20Winbindex.htm' | pup 'td:nth-of-type(5) text{}'
curl -s 'http://127.0.0.1/ntdll.dll%20-%20Winbindex.htm' | pup 'td:nth-of-type(8) a[href] attr{href}'4. Формируем команды вида (ниже), копипастим в консоль, ждем пока все загрузится:
curl -sSL https://msdl.microsoft.com/download/symbols/ntdll.dll/<BLOB>/ntdll.dll -o ntdll_<VERSION>.dll
5. Питоним скрипт для Binary Ninja по базовому экзамплу, получаем список офсетов:
import sys
import hashlib
from pathlib import Path
from multiprocessing import Pool, cpu_count, set_start_method
import binaryninja as bn
pe_dir = Path(sys.argv[1])
symbol_name = sys.argv[2]
def spawn(dll_path):
bn.set_worker_thread_count(2)
with bn.load(dll_path, update_analysis=True) as bv:
symbol_obj = bv.get_symbol_by_raw_name(symbol_name)
if symbol_obj:
with open(dll_path, 'rb') as f:
md5sum = hashlib.md5(f.read()).hexdigest()
print(f'[*] {dll_path.name}:{md5sum} -> {hex(symbol_obj.address)}')
if __name__ == '__main__':
set_start_method('spawn')
processes = cpu_count()-1 if cpu_count() > 1 else 1
pool = Pool(processes=processes)
results = []
for dll_path in pe_dir.glob('*.dll'):
results.append(pool.apply_async(spawn, (dll_path,)))
output = [result.get() for result in results]
Результат может быть полезен, например, для оценки примерных границ при поиске паттерна, когда заморачиваться с крафтом более аккуратного паттерна под все ОС лень, а так можно считерить и вывезти на грязном паттерне и более узких границах поиска:
PVOID getPattern(BYTE* pattern, DWORD patternSize, BYTE* startAddress) {
BYTE* addr = startAddress;
while (addr != (BYTE*)startAddress + 0xffff - patternSize)
{
if (addr[0] == pattern[0])
{
DWORD j = 1;
while (j < patternSize && (pattern[j] == '?' || addr[j] == pattern[j])) j++;
if (j == patternSize) return addr;
}
addr = addr + 1;
}
return NULL;
}👍20