😈 [ Chris Thompson @_Mayyhem ]
Want to move laterally from C2 on an Intune admin's workstation to any Intune-enrolled device? Check out Maestro, a new(ish) tool I wrote for those situations, and this blog post to walk you through how:
Code:
🔗 https://github.com/Mayyhem/Maestro
Blog:
🔗 https://posts.specterops.io/maestro-9ed71d38d546
🐥 [ tweet ]
Want to move laterally from C2 on an Intune admin's workstation to any Intune-enrolled device? Check out Maestro, a new(ish) tool I wrote for those situations, and this blog post to walk you through how:
Code:
🔗 https://github.com/Mayyhem/Maestro
Blog:
🔗 https://posts.specterops.io/maestro-9ed71d38d546
🐥 [ tweet ]
Лайфхак, как найти офсеты до интересующего символа в пачке PE разных ревизий Windows
1. Идем на winbindex.m417z.com, ищем нужный бинарь.
2. Сохраняем страничку локально (нормальной апихи не завезли, а результаты формируются на клиент сайде).
3. Граббим версии и ссылочки на загрузку (pup в помощь):
4. Формируем команды вида (ниже), копипастим в консоль, ждем пока все загрузится:
5. Питоним скрипт для Binary Ninja по базовому экзамплу, получаем список офсетов:
Результат может быть полезен, например, для оценки примерных границ при поиске паттерна, когда заморачиваться с крафтом более аккуратного паттерна под все ОС лень, а так можно считерить и вывезти на грязном паттерне и более узких границах поиска:
1. Идем на winbindex.m417z.com, ищем нужный бинарь.
2. Сохраняем страничку локально (нормальной апихи не завезли, а результаты формируются на клиент сайде).
3. Граббим версии и ссылочки на загрузку (pup в помощь):
curl -s 'http://127.0.0.1/ntdll.dll%20-%20Winbindex.htm' | pup 'td:nth-of-type(5) text{}'
curl -s 'http://127.0.0.1/ntdll.dll%20-%20Winbindex.htm' | pup 'td:nth-of-type(8) a[href] attr{href}'4. Формируем команды вида (ниже), копипастим в консоль, ждем пока все загрузится:
curl -sSL https://msdl.microsoft.com/download/symbols/ntdll.dll/<BLOB>/ntdll.dll -o ntdll_<VERSION>.dll
5. Питоним скрипт для Binary Ninja по базовому экзамплу, получаем список офсетов:
import sys
import hashlib
from pathlib import Path
from multiprocessing import Pool, cpu_count, set_start_method
import binaryninja as bn
pe_dir = Path(sys.argv[1])
symbol_name = sys.argv[2]
def spawn(dll_path):
bn.set_worker_thread_count(2)
with bn.load(dll_path, update_analysis=True) as bv:
symbol_obj = bv.get_symbol_by_raw_name(symbol_name)
if symbol_obj:
with open(dll_path, 'rb') as f:
md5sum = hashlib.md5(f.read()).hexdigest()
print(f'[*] {dll_path.name}:{md5sum} -> {hex(symbol_obj.address)}')
if __name__ == '__main__':
set_start_method('spawn')
processes = cpu_count()-1 if cpu_count() > 1 else 1
pool = Pool(processes=processes)
results = []
for dll_path in pe_dir.glob('*.dll'):
results.append(pool.apply_async(spawn, (dll_path,)))
output = [result.get() for result in results]
Результат может быть полезен, например, для оценки примерных границ при поиске паттерна, когда заморачиваться с крафтом более аккуратного паттерна под все ОС лень, а так можно считерить и вывезти на грязном паттерне и более узких границах поиска:
PVOID getPattern(BYTE* pattern, DWORD patternSize, BYTE* startAddress) {
BYTE* addr = startAddress;
while (addr != (BYTE*)startAddress + 0xffff - patternSize)
{
if (addr[0] == pattern[0])
{
DWORD j = 1;
while (j < patternSize && (pattern[j] == '?' || addr[j] == pattern[j])) j++;
if (j == patternSize) return addr;
}
addr = addr + 1;
}
return NULL;
}👍20
😈 [ Thomas Roccia 🤘 @fr0gger_ ]
New LOL project, LOLAD a collection of Active Directory techniques!👇
🔗 https://lolad-project.github.io/
🐥 [ tweet ]
New LOL project, LOLAD a collection of Active Directory techniques!👇
🔗 https://lolad-project.github.io/
🐥 [ tweet ]
🥱8🔥5👍2
😈 [ Renzon @r3nzsec ]
I recently co-authored a @Unit42_Intel blog about a unique IR case in which a threat actor’s custom EDR bypass (using #BYOVD) exposed their toolkit, methods, and even identity. Check out how we unmasked them through an opsec slip-up! #dfir
🔗 https://unit42.paloaltonetworks.com/edr-bypass-extortion-attempt-thwarted/
🐥 [ tweet ]
I recently co-authored a @Unit42_Intel blog about a unique IR case in which a threat actor’s custom EDR bypass (using #BYOVD) exposed their toolkit, methods, and even identity. Check out how we unmasked them through an opsec slip-up! #dfir
🔗 https://unit42.paloaltonetworks.com/edr-bypass-extortion-attempt-thwarted/
🐥 [ tweet ]
👍4😁2
😈 [ Cerbersec @cerbersec ]
🐥 [ tweet ]
nc -lvnp 4444
python -c 'import pty; pty.spawn("/bin/bash")'
🐥 [ tweet ]
спать, режим🔥17🥱8👍3🍌3
😈 [ Clement Rouault @hakril ]
In our search for new forensic artifacts at @ExaTrack, we sometimes deep dive into Windows Internals.
This one is about COM and interacting with remote objects using a custom python LRPC Client.
STUBborn: Activate and call DCOM objects without proxy:
🔗 https://blog.exatrack.com/STUBborn/
🐥 [ tweet ]
In our search for new forensic artifacts at @ExaTrack, we sometimes deep dive into Windows Internals.
This one is about COM and interacting with remote objects using a custom python LRPC Client.
STUBborn: Activate and call DCOM objects without proxy:
🔗 https://blog.exatrack.com/STUBborn/
🐥 [ tweet ]
👍3🔥1
😈 [ eversinc33 🤍🔪⋆。˚ ⋆ @eversinc33 ]
Wanted to learn a bit about the .NET Common Intermediate Language (CIL) and programmatically modifying assemblies, so I wrote a quick automated deobfuscator for @dr4k0nia's XorStringsNet string obfuscator and a mini blog post:
🔗 https://eversinc33.com/posts/unxorstringsnet.html
🐥 [ tweet ]
Wanted to learn a bit about the .NET Common Intermediate Language (CIL) and programmatically modifying assemblies, so I wrote a quick automated deobfuscator for @dr4k0nia's XorStringsNet string obfuscator and a mini blog post:
🔗 https://eversinc33.com/posts/unxorstringsnet.html
🐥 [ tweet ]
👍5
😈 [ ap @decoder_it ]
A short and light post on one of my favorite topics: spotting and exploiting GPO misconfigurations, nothing too technical, just the basics! 😅
🔗 https://decoder.cloud/2024/11/08/group-policy-security-nightmares-pt-1/
🐥 [ tweet ]
A short and light post on one of my favorite topics: spotting and exploiting GPO misconfigurations, nothing too technical, just the basics! 😅
🔗 https://decoder.cloud/2024/11/08/group-policy-security-nightmares-pt-1/
🐥 [ tweet ]
🔥6
😈 [ Octoberfest7 @Octoberfest73 ]
There are some interesting detections for U2U/UnPAC the hash in certipy/rubues/mimiktaz/impacket based on TGS ticket options. Did some tinkering and by removing a few flags you can shake detection while still recovering the NT hash from a TGT.
🔗 https://medium.com/falconforce/falconfriday-detecting-unpacing-and-shadowed-credentials-0xff1e-2246934247ce
🐥 [ tweet ]
There are some interesting detections for U2U/UnPAC the hash in certipy/rubues/mimiktaz/impacket based on TGS ticket options. Did some tinkering and by removing a few flags you can shake detection while still recovering the NT hash from a TGT.
🔗 https://medium.com/falconforce/falconfriday-detecting-unpacing-and-shadowed-credentials-0xff1e-2246934247ce
🐥 [ tweet ]
👍8🤔2
Offensive Xwitter
😈 [ Outflank @OutflankNL ] New Blog Alert! 🚨 Introducing Early Cascade Injection, a stealthy process injection technique that targets Windows process creation, avoids cross-process APCs, and evades top-tier EDRs. Learn how it combines Early Bird APC Injection…
😈 [ 5pider @C5pider ]
Reimplemented the Early Cascade Injection technique documented by the @OutflankNL team
The code is boring but the blog post was very interesting to read, especially when it came to how the process is initialized and how LdrInitializeThunk works. Cheers
🔗 https://github.com/Cracked5pider/earlycascade-injection
🐥 [ tweet ]
Reimplemented the Early Cascade Injection technique documented by the @OutflankNL team
The code is boring but the blog post was very interesting to read, especially when it came to how the process is initialized and how LdrInitializeThunk works. Cheers
🔗 https://github.com/Cracked5pider/earlycascade-injection
🐥 [ tweet ]
🔥4🥱3👍2
😈 [ Usman Sikander @UsmanSikander13 ]
7 Methods to dump lsass memory. This is a powerful tool provide users an option to extract data from lsass memory.
🔗 https://github.com/Offensive-Panda/ShadowDumper
🐥 [ tweet ]
7 Methods to dump lsass memory. This is a powerful tool provide users an option to extract data from lsass memory.
🔗 https://github.com/Offensive-Panda/ShadowDumper
🐥 [ tweet ]
👍7🥱2🔥1🍌1
This media is not supported in your browser
VIEW IN TELEGRAM
😈 [ Rtl Dallas @RtlDallas ]
KrakenMask is back with more opsec
🔗 https://github.com/NtDallas/KrakenMask
🐥 [ tweet ]
KrakenMask is back with more opsec
🔗 https://github.com/NtDallas/KrakenMask
🐥 [ tweet ]
🔥7
😈 [ 7eRoM @7eRoM ]
While verifying the PE digital signature in Windows kernel, I encountered several new terms and concepts, such as PKCS7, ASN.1, calculating the thumbprint, and verifying signatures.
🔗 https://github.com/7eRoM/tutorials/tree/main/Verifying%20Embedded%20PE%20Signature
🐥 [ tweet ]
While verifying the PE digital signature in Windows kernel, I encountered several new terms and concepts, such as PKCS7, ASN.1, calculating the thumbprint, and verifying signatures.
🔗 https://github.com/7eRoM/tutorials/tree/main/Verifying%20Embedded%20PE%20Signature
🐥 [ tweet ]
👍4🥱1
😈 [ Steven @0xthirteen ]
I’ve always thought Seatbelt was a great situational awareness tool, I created a python implementation of it. Due to the nature of how I expect it to run, it only implements the remote modules, but I hope someone finds it useful.
🔗 https://github.com/0xthirteen/Carseat
🐥 [ tweet ]
I’ve always thought Seatbelt was a great situational awareness tool, I created a python implementation of it. Due to the nature of how I expect it to run, it only implements the remote modules, but I hope someone finds it useful.
🔗 https://github.com/0xthirteen/Carseat
🐥 [ tweet ]
🔥3
😈 [ mpgn @mpgn_x64 ]
If you want to first blood a windows box in @hackthebox_eu every minute counts ! 🩸
I've added a special flag
🐥 [ tweet ]
If you want to first blood a windows box in @hackthebox_eu every minute counts ! 🩸
I've added a special flag
--generate-hosts-file so you just have to copy past into your /etc/hosts file and be ready to pwn as soon as possible 🔥🐥 [ tweet ]
👍7🔥4😁4
😈 [ drm @lowercase_drm ]
TIL you can ask the DC to resolve a foreign security principal by querying the
🐥 [ tweet ]
TIL you can ask the DC to resolve a foreign security principal by querying the
msds-principalname (hidden) attribute. The DC will use the trust secret to perform authentication against the foreign domain and then call LsarLookupSids3 (so it even works with selective auth).🐥 [ tweet ]
👍3
😈 [ Octoberfest7 @Octoberfest73 ]
This is a neat blog post on some of the new features in the 4.10 release of Cobalt Strike from @RWXstoned
🔗 https://rwxstoned.github.io/2024-11-13-Cobalt-Strike-customization/
🐥 [ tweet ]
This is a neat blog post on some of the new features in the 4.10 release of Cobalt Strike from @RWXstoned
🔗 https://rwxstoned.github.io/2024-11-13-Cobalt-Strike-customization/
🐥 [ tweet ]
🔥4
😈 [ Zerotistic @gegrgtezrze ]
Excited to share my latest blog post: "Breaking Control Flow Flattening: A Deep Technical Analysis"
I showcase usage of formal proofs and graph theory to automate CFF deobfuscation, among other things !
Might make it a talk...? 👀
🔗 https://zerotistic.blog/posts/cff-remover/
🐥 [ tweet ]
Excited to share my latest blog post: "Breaking Control Flow Flattening: A Deep Technical Analysis"
I showcase usage of formal proofs and graph theory to automate CFF deobfuscation, among other things !
Might make it a talk...? 👀
🔗 https://zerotistic.blog/posts/cff-remover/
🐥 [ tweet ]
🤯2😁1
😈 [ Binni Shah @binitamshah ]
x64 Assembly & Shellcoding 101
Part 1:
🔗 https://g3tsyst3m.github.io/shellcoding/assembly/debugging/x64-Assembly-&-Shellcoding-101/
Part 2:
🔗 https://g3tsyst3m.github.io/shellcoding/assembly/debugging/x64-Assembly-&-Shellcoding-101-Part-2/
Part 3:
🔗 https://g3tsyst3m.github.io/shellcoding/assembly/debugging/x64-Assembly-&-Shellcoding-101-Part-3/
Part 4:
🔗 https://g3tsyst3m.github.io/shellcoding/assembly/debugging/x64-Assembly-&-Shellcoding-101-Part-4/
Part 5:
🔗 https://g3tsyst3m.github.io/shellcoding/assembly/debugging/x64-Assembly-&-Shellcoding-101-Part-5/
Part 6:
🔗 https://g3tsyst3m.github.io/shellcoding/assembly/debugging/x64-Assembly-&-Shellcoding-101-Part-6/
credits @G3tSyst3m
🐥 [ tweet ]
#для_самых_маленьких
x64 Assembly & Shellcoding 101
Part 1:
🔗 https://g3tsyst3m.github.io/shellcoding/assembly/debugging/x64-Assembly-&-Shellcoding-101/
Part 2:
🔗 https://g3tsyst3m.github.io/shellcoding/assembly/debugging/x64-Assembly-&-Shellcoding-101-Part-2/
Part 3:
🔗 https://g3tsyst3m.github.io/shellcoding/assembly/debugging/x64-Assembly-&-Shellcoding-101-Part-3/
Part 4:
🔗 https://g3tsyst3m.github.io/shellcoding/assembly/debugging/x64-Assembly-&-Shellcoding-101-Part-4/
Part 5:
🔗 https://g3tsyst3m.github.io/shellcoding/assembly/debugging/x64-Assembly-&-Shellcoding-101-Part-5/
Part 6:
🔗 https://g3tsyst3m.github.io/shellcoding/assembly/debugging/x64-Assembly-&-Shellcoding-101-Part-6/
credits @G3tSyst3m
🐥 [ tweet ]
#для_самых_маленьких
🔥11👍5
This media is not supported in your browser
VIEW IN TELEGRAM
😈 [ NetSPI @NetSPI ]
Introducing PowerHuntShares 2.0 Release!
NetSPI VP of Research @_nullbind introduces new insights, charts, graphs, & LLM capabilities that can be used to map the relationships & risks being exposed through the network shares:
🔗 https://www.netspi.com/blog/technical-blog/network-pentesting/powerhuntshares-2-0-release/
🐥 [ tweet ]
Introducing PowerHuntShares 2.0 Release!
NetSPI VP of Research @_nullbind introduces new insights, charts, graphs, & LLM capabilities that can be used to map the relationships & risks being exposed through the network shares:
🔗 https://www.netspi.com/blog/technical-blog/network-pentesting/powerhuntshares-2-0-release/
🐥 [ tweet ]
🔥5🥱3👍1