😈 [ Elastic Security Labs @elasticseclabs ]
The ElasticSecurityLabs team breaks down a recent Chrome update that introduced App-Bound Encryption and how the most common infostealers have adapted:
🔗 https://www.elastic.co/security-labs/katz-and-mouse-game
🐥 [ tweet ]
😈 [ Diego Capriotti @naksyn ]
This has been one of my favorites for a while, but now it's time to let it go.
Here's my preferred way of getting the KeePass db that we often hunt for:
downgrade the executable to version 2.53, use CVE-2023-24055 and wait for the busy admin to trigger the dump of the database.
The target can remain clean and you can simply check for the dump creation.
KeePass version 2.53 can still open kdbx created with the version 2.57 and if using a proper xml the user will likely notice nothing.
Update alerts can also be disabled within the xml.
🔗 https://gist.github.com/naksyn/6d5660dacd0730498a274b85d62a77e8
🐥 [ tweet ]
😈 [ Óscar Alfonso Díaz @OscarAkaElvis ]
Fresh meat! We've created a new Evil-WinRM branch with integrated multiple AI LLM support. New docker image, new gem (gem install evil-winrm-ai) and new possibilities.
Check it out and let us know what you think:
🔗 https://github.com/Hackplayers/evil-winrm/tree/ai
🐥 [ tweet ]
👍 - cringe
🔥 - rofl
Offensive Xwitter
😈 [ OtterHacker @OtterHacker ] I've published my #defcon32 workshop! If you want to develop your own "Perfect DLL Loader", you will have all you need in it. From the classic minimal loader to a fully featured one, this workshop in 6 steps is a journey inside…
😈 [ OtterHacker @OtterHacker ]
A few months ago I created a "Perfect DLL Loader". You can find some details in my article that was just published today!
The full implem can be found directly in the @defcon workshop in my github!
Hope you will learn something in this 😊
🔗 https://www.riskinsight-wavestone.com/en/2024/10/loadlibrary-madness-dynamically-load-winhttp-dll/
🐥 [ tweet ]
😈 [ Cobalt Strike @_CobaltStrike ]
Curious about Cobalt Strike's #UDRL capabilities? Get a walkthrough on how to easily develop custom loaders.
🔗 https://www.cobaltstrike.com/blog/revisiting-the-udrl-part-1-simplifying-development
🐥 [ tweet ]
😈 [ Matt Creel @Tw1sm ]
New blog up to cover manual AD CS enumeration using ldapsearch and the new release of bofhound 🔍
🔗 https://posts.specterops.io/bofhound-ad-cs-integration-91b706bc7958
🐥 [ tweet ]
😈 [ Chris Thompson @_Mayyhem ]
Want to move laterally from C2 on an Intune admin's workstation to any Intune-enrolled device? Check out Maestro, a new(ish) tool I wrote for those situations, and this blog post to walk you through how:
Code:
🔗 https://github.com/Mayyhem/Maestro
Blog:
🔗 https://posts.specterops.io/maestro-9ed71d38d546
🐥 [ tweet ]
A lifehack for finding the offsets of a symbol of interest across a batch of PEs from different Windows revisions
1. Go to winbindex.m417z.com and find the binary you need.
2. Save the page locally (there is no proper API, and the results are built on the client side).
3. Grab the versions and the download links (pup helps here):
curl -s 'http://127.0.0.1/ntdll.dll%20-%20Winbindex.htm' | pup 'td:nth-of-type(5) text{}'
curl -s 'http://127.0.0.1/ntdll.dll%20-%20Winbindex.htm' | pup 'td:nth-of-type(8) a[href] attr{href}'
4. Build commands of the form below, paste them into the console and wait until everything has downloaded:
curl -sSL https://msdl.microsoft.com/download/symbols/ntdll.dll/<BLOB>/ntdll.dll -o ntdll_<VERSION>.dll
5. Write a Binary Ninja Python script based on the basic example and get the list of offsets:
import sys
import hashlib
from pathlib import Path
from multiprocessing import Pool, cpu_count, set_start_method
import binaryninja as bn

# Both values are read again in every 'spawn' child, since multiprocessing
# forwards sys.argv to the workers.
pe_dir = Path(sys.argv[1])
symbol_name = sys.argv[2]

def spawn(dll_path):
    # Keep each worker lean; the Pool already parallelises across files.
    bn.set_worker_thread_count(2)
    with bn.load(str(dll_path), update_analysis=True) as bv:
        symbol_obj = bv.get_symbol_by_raw_name(symbol_name)
        if symbol_obj:
            with open(dll_path, 'rb') as f:
                md5sum = hashlib.md5(f.read()).hexdigest()
            # symbol_obj.address is the virtual address under the file's
            # preferred image base, not the raw file offset.
            print(f'[*] {dll_path.name}:{md5sum} -> {hex(symbol_obj.address)}')

if __name__ == '__main__':
    set_start_method('spawn')
    processes = cpu_count()-1 if cpu_count() > 1 else 1
    pool = Pool(processes=processes)
    results = []
    for dll_path in pe_dir.glob('*.dll'):
        results.append(pool.apply_async(spawn, (dll_path,)))
    output = [result.get() for result in results]  # .get() also re-raises worker errors
    pool.close()
    pool.join()
The result can be useful, for example, for estimating rough boundaries when searching for a pattern, when you can't be bothered to craft a more careful pattern that fits every OS; this way you can cheat and get by with a dirty pattern and narrower search bounds:
#include <windows.h>

// Dirty pattern scan: walks 0xffff bytes from startAddress and compares
// byte by byte. A '?' (0x3f) in pattern matches any byte, except at
// position 0, which is always compared literally; a literal 0x3f byte
// elsewhere in the pattern is therefore indistinguishable from a wildcard.
PVOID getPattern(BYTE* pattern, DWORD patternSize, BYTE* startAddress) {
    BYTE* addr = startAddress;
    while (addr != (BYTE*)startAddress + 0xffff - patternSize)
    {
        if (addr[0] == pattern[0])
        {
            DWORD j = 1;
            while (j < patternSize && (pattern[j] == '?' || addr[j] == pattern[j])) j++;
            if (j == patternSize) return addr;
        }
        addr = addr + 1;
    }
    return NULL;
}
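As an added example (not the channel's own code, and not tied to any real ntdll hashes or addresses), a Python sketch of that last step: parse the lines the Binary Ninja script prints, rebase the virtual addresses to RVAs, derive a narrowed search window from them, and run a wildcard scan bounded by that window. The sample output lines, image base, filler image and byte pattern are all constructed for the demo.

```python
import re

# Format of one line printed by the Binary Ninja script above: [*] <file>:<md5> -> <hex VA>
_LINE_RE = re.compile(r"^\[\*\] (\S+):([0-9a-f]{32}) -> (0x[0-9a-fA-F]+)$")

def parse_offsets(text, image_base):
    """Map DLL name -> RVA of the symbol (the script prints VAs, so rebase)."""
    rvas = {}
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if m:
            rvas[m.group(1)] = int(m.group(3), 16) - image_base
    return rvas

def search_window(rvas, slack=0x100):
    """Bounds covering every observed RVA, padded by `slack` bytes on each side."""
    lo, hi = min(rvas.values()), max(rvas.values())
    return max(lo - slack, 0), hi + slack

def parse_pattern(spec):
    """'48 8B ?? C3' -> [0x48, 0x8B, None, 0xC3]; None is a wildcard.
    Unlike the C scanner's '?' convention, a literal 0x3F byte stays unambiguous."""
    return [None if tok == "??" else int(tok, 16) for tok in spec.split()]

def find_pattern(image, pattern, lo, hi):
    """RVA of the first match of `pattern` inside image[lo:hi], or None."""
    n = len(pattern)
    hi = min(hi, len(image))
    for i in range(lo, hi - n + 1):
        if all(p is None or image[i + j] == p for j, p in enumerate(pattern)):
            return i
    return None

# Constructed sample data for the demo: not real ntdll hashes or addresses.
IMAGE_BASE = 0x180000000
SAMPLE_OUTPUT = """
[*] ntdll_10.0.19041.1.dll:0123456789abcdef0123456789abcdef -> 0x18009c3a0
[*] ntdll_10.0.22000.1.dll:fedcba9876543210fedcba9876543210 -> 0x18009d110
[*] ntdll_10.0.22621.1.dll:00112233445566778899aabbccddeeff -> 0x18009cf80
"""
PATTERN = parse_pattern("4C 8B D1 B8 ?? ?? 00 00")  # '??' = bytes that differ per build

def demo():
    rvas = parse_offsets(SAMPLE_OUTPUT, IMAGE_BASE)
    lo, hi = search_window(rvas)                       # 0x9c2a0 .. 0x9d210
    image = bytearray(b"\xcc" * 0xA0000)               # int3 filler stands in for the module
    stub = bytes.fromhex("4C8BD1B818000000")
    image[0x9c000:0x9c008] = stub                      # decoy below the window: never scanned
    image[0x9cf80:0x9cf88] = stub                      # the copy inside the window
    return lo, hi, find_pattern(image, PATTERN, lo, hi)
```

`demo()` returns the window and the RVA of the hit inside it; the decoy planted below the window is skipped, which is the whole point of narrowing the bounds.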
😈 [ Thomas Roccia 🤘 @fr0gger_ ]
New LOL project, LOLAD a collection of Active Directory techniques!👇
🔗 https://lolad-project.github.io/
🐥 [ tweet ]
😈 [ Renzon @r3nzsec ]
I recently co-authored a @Unit42_Intel blog about a unique IR case in which a threat actor’s custom EDR bypass (using #BYOVD) exposed their toolkit, methods, and even identity. Check out how we unmasked them through an opsec slip-up! #dfir
🔗 https://unit42.paloaltonetworks.com/edr-bypass-extortion-attempt-thwarted/
🐥 [ tweet ]
😈 [ Cerbersec @cerbersec ]
🐥 [ tweet ]
nc -lvnp 4444
python -c 'import pty; pty.spawn("/bin/bash")'
sleep mode
😈 [ Clement Rouault @hakril ]
In our search for new forensic artifacts at @ExaTrack, we sometimes deep dive into Windows Internals.
This one is about COM and interacting with remote objects using a custom python LRPC Client.
STUBborn: Activate and call DCOM objects without proxy:
🔗 https://blog.exatrack.com/STUBborn/
🐥 [ tweet ]
😈 [ eversinc33 🤍🔪⋆。˚ ⋆ @eversinc33 ]
Wanted to learn a bit about the .NET Common Intermediate Language (CIL) and programmatically modifying assemblies, so I wrote a quick automated deobfuscator for @dr4k0nia's XorStringsNet string obfuscator and a mini blog post:
🔗 https://eversinc33.com/posts/unxorstringsnet.html
🐥 [ tweet ]
😈 [ ap @decoder_it ]
A short and light post on one of my favorite topics: spotting and exploiting GPO misconfigurations, nothing too technical, just the basics! 😅
🔗 https://decoder.cloud/2024/11/08/group-policy-security-nightmares-pt-1/
🐥 [ tweet ]
😈 [ Octoberfest7 @Octoberfest73 ]
There are some interesting detections for U2U/UnPAC the hash in certipy/rubeus/mimikatz/impacket based on TGS ticket options. Did some tinkering and by removing a few flags you can shake detection while still recovering the NT hash from a TGT.
🔗 https://medium.com/falconforce/falconfriday-detecting-unpacing-and-shadowed-credentials-0xff1e-2246934247ce
🐥 [ tweet ]
Offensive Xwitter
😈 [ Outflank @OutflankNL ] New Blog Alert! 🚨 Introducing Early Cascade Injection, a stealthy process injection technique that targets Windows process creation, avoids cross-process APCs, and evades top-tier EDRs. Learn how it combines Early Bird APC Injection…
😈 [ 5pider @C5pider ]
Reimplemented the Early Cascade Injection technique documented by the @OutflankNL team
The code is boring but the blog post was very interesting to read, especially when it came to how the process is initialized and how LdrInitializeThunk works. Cheers
🔗 https://github.com/Cracked5pider/earlycascade-injection
🐥 [ tweet ]
😈 [ Usman Sikander @UsmanSikander13 ]
7 Methods to dump lsass memory. This is a powerful tool that provides users an option to extract data from lsass memory.
🔗 https://github.com/Offensive-Panda/ShadowDumper
🐥 [ tweet ]
😈 [ Rtl Dallas @RtlDallas ]
KrakenMask is back with more opsec
🔗 https://github.com/NtDallas/KrakenMask
🐥 [ tweet ]
😈 [ 7eRoM @7eRoM ]
While verifying the PE digital signature in Windows kernel, I encountered several new terms and concepts, such as PKCS7, ASN.1, calculating the thumbprint, and verifying signatures.
🔗 https://github.com/7eRoM/tutorials/tree/main/Verifying%20Embedded%20PE%20Signature
🐥 [ tweet ]
😈 [ Steven @0xthirteen ]
I’ve always thought Seatbelt was a great situational awareness tool, I created a python implementation of it. Due to the nature of how I expect it to run, it only implements the remote modules, but I hope someone finds it useful.
🔗 https://github.com/0xthirteen/Carseat
🐥 [ tweet ]
😈 [ mpgn @mpgn_x64 ]
If you want to first blood a windows box in @hackthebox_eu every minute counts ! 🩸
I've added a special flag
--generate-hosts-file so you just have to copy-paste it into your /etc/hosts file and be ready to pwn as soon as possible 🔥
🐥 [ tweet ]