😈 [ Renzon @r3nzsec ]
I recently co-authored a @Unit42_Intel blog about a unique IR case in which a threat actor’s custom EDR bypass (using #BYOVD) exposed their toolkit, methods, and even identity. Check out how we unmasked them through an opsec slip-up! #dfir
🔗 https://unit42.paloaltonetworks.com/edr-bypass-extortion-attempt-thwarted/
🐥 [ tweet ]
👍4😁2
😈 [ Cerbersec @cerbersec ]
🐥 [ tweet ]
nc -lvnp 4444
python -c 'import pty; pty.spawn("/bin/bash")'
sleep, mode🔥17🥱8👍3🍌3
😈 [ Clement Rouault @hakril ]
In our search for new forensic artifacts at @ExaTrack, we sometimes deep dive into Windows Internals.
This one is about COM and interacting with remote objects using a custom python LRPC Client.
STUBborn: Activate and call DCOM objects without proxy:
🔗 https://blog.exatrack.com/STUBborn/
🐥 [ tweet ]
👍3🔥1
😈 [ eversinc33 🤍🔪⋆。˚ ⋆ @eversinc33 ]
Wanted to learn a bit about the .NET Common Intermediate Language (CIL) and programmatically modifying assemblies, so I wrote a quick automated deobfuscator for @dr4k0nia's XorStringsNet string obfuscator and a mini blog post:
🔗 https://eversinc33.com/posts/unxorstringsnet.html
🐥 [ tweet ]
👍5
😈 [ ap @decoder_it ]
A short and light post on one of my favorite topics: spotting and exploiting GPO misconfigurations, nothing too technical, just the basics! 😅
🔗 https://decoder.cloud/2024/11/08/group-policy-security-nightmares-pt-1/
🐥 [ tweet ]
🔥6
😈 [ Octoberfest7 @Octoberfest73 ]
There are some interesting detections for U2U/UnPAC the hash in Certipy/Rubeus/Mimikatz/Impacket based on TGS ticket options. Did some tinkering and by removing a few flags you can shake detection while still recovering the NT hash from a TGT.
🔗 https://medium.com/falconforce/falconfriday-detecting-unpacing-and-shadowed-credentials-0xff1e-2246934247ce
🐥 [ tweet ]
👍8🤔2
Offensive Xwitter
😈 [ Outflank @OutflankNL ] New Blog Alert! 🚨 Introducing Early Cascade Injection, a stealthy process injection technique that targets Windows process creation, avoids cross-process APCs, and evades top-tier EDRs. Learn how it combines Early Bird APC Injection…
😈 [ 5pider @C5pider ]
Reimplemented the Early Cascade Injection technique documented by the @OutflankNL team
The code is boring but the blog post was very interesting to read, especially when it came to how the process is initialized and how LdrInitializeThunk works. Cheers
🔗 https://github.com/Cracked5pider/earlycascade-injection
🐥 [ tweet ]
🔥4🥱3👍2
😈 [ Usman Sikander @UsmanSikander13 ]
7 methods to dump LSASS memory. This is a powerful tool that provides users an option to extract data from LSASS memory.
🔗 https://github.com/Offensive-Panda/ShadowDumper
🐥 [ tweet ]
👍7🥱2🔥1🍌1
😈 [ Rtl Dallas @RtlDallas ]
KrakenMask is back with more opsec
🔗 https://github.com/NtDallas/KrakenMask
🐥 [ tweet ]
🔥7
😈 [ 7eRoM @7eRoM ]
While verifying the PE digital signature in the Windows kernel, I encountered several new terms and concepts, such as PKCS7, ASN.1, calculating the thumbprint, and verifying signatures.
🔗 https://github.com/7eRoM/tutorials/tree/main/Verifying%20Embedded%20PE%20Signature
🐥 [ tweet ]
👍4🥱1
😈 [ Steven @0xthirteen ]
I’ve always thought Seatbelt was a great situational awareness tool, so I created a Python implementation of it. Due to the nature of how I expect it to run, it only implements the remote modules, but I hope someone finds it useful.
🔗 https://github.com/0xthirteen/Carseat
🐥 [ tweet ]
🔥3
😈 [ mpgn @mpgn_x64 ]
If you want to first blood a Windows box in @hackthebox_eu every minute counts! 🩸
I've added a special flag --generate-hosts-file so you just have to copy-paste into your /etc/hosts file and be ready to pwn as soon as possible 🔥
🐥 [ tweet ]
👍7🔥4😁4
😈 [ drm @lowercase_drm ]
TIL you can ask the DC to resolve a foreign security principal by querying the msds-principalname (hidden) attribute. The DC will use the trust secret to perform authentication against the foreign domain and then call LsarLookupSids3 (so it even works with selective auth).
🐥 [ tweet ]
👍3
😈 [ Octoberfest7 @Octoberfest73 ]
This is a neat blog post on some of the new features in the 4.10 release of Cobalt Strike from @RWXstoned
🔗 https://rwxstoned.github.io/2024-11-13-Cobalt-Strike-customization/
🐥 [ tweet ]
🔥4
😈 [ Zerotistic @gegrgtezrze ]
Excited to share my latest blog post: "Breaking Control Flow Flattening: A Deep Technical Analysis"
I showcase usage of formal proofs and graph theory to automate CFF deobfuscation, among other things!
Might make it a talk...? 👀
🔗 https://zerotistic.blog/posts/cff-remover/
🐥 [ tweet ]
🤯2😁1
😈 [ Binni Shah @binitamshah ]
x64 Assembly & Shellcoding 101
Part 1:
🔗 https://g3tsyst3m.github.io/shellcoding/assembly/debugging/x64-Assembly-&-Shellcoding-101/
Part 2:
🔗 https://g3tsyst3m.github.io/shellcoding/assembly/debugging/x64-Assembly-&-Shellcoding-101-Part-2/
Part 3:
🔗 https://g3tsyst3m.github.io/shellcoding/assembly/debugging/x64-Assembly-&-Shellcoding-101-Part-3/
Part 4:
🔗 https://g3tsyst3m.github.io/shellcoding/assembly/debugging/x64-Assembly-&-Shellcoding-101-Part-4/
Part 5:
🔗 https://g3tsyst3m.github.io/shellcoding/assembly/debugging/x64-Assembly-&-Shellcoding-101-Part-5/
Part 6:
🔗 https://g3tsyst3m.github.io/shellcoding/assembly/debugging/x64-Assembly-&-Shellcoding-101-Part-6/
credits @G3tSyst3m
🐥 [ tweet ]
#для_самых_маленьких (for absolute beginners)
🔥11👍5
😈 [ NetSPI @NetSPI ]
Introducing PowerHuntShares 2.0 Release!
NetSPI VP of Research @_nullbind introduces new insights, charts, graphs, & LLM capabilities that can be used to map the relationships & risks being exposed through the network shares:
🔗 https://www.netspi.com/blog/technical-blog/network-pentesting/powerhuntshares-2-0-release/
🐥 [ tweet ]
🔥5🥱3👍1
😈 [ John Hammond @_JohnHammond ]
Supply chain malware from an infected game mod 🤯😱 Long-form reverse engineering and a WILD ride: Binary Ninja, x64dbg, 010 Editor, PEB walking, reworking API function hashing in Python, DLL search-order hijacking, hooked functions & more. MASSIVE video:
🔗 https://youtu.be/bvyklJ5Wie0?si=c0TSvALbx1ch21rZ
🐥 [ tweet ]
🔥11👍5
😈 [ Lefteris Panos @lefterispan ]
Wrote a small C# tool that is able to make a network token using a certificate. Comes handy in RTs ;)
🔗 https://github.com/nettitude/TokenCert
🐥 [ tweet ][ quote ]
🔥7🥱2
😈 [ NCV @nickvourd ]
I just published Local Admin In Less Than 60 Seconds (Part 1)
In this post, I present Part 1 of my latest @BSidesAth presentation. I hope you enjoy it 😃
PS: There are Easter eggs inside for @taso_x, @tkalahan, and of course, @S1ckB0y1337.
🔗 https://medium.com/@nickvourd/local-admin-in-less-than-60-seconds-part-1-e2a0c0102b99
🐥 [ tweet ]
👍4