😈 [ Binni Shah @binitamshah ]
x64 Assembly & Shellcoding 101
Part 1:
🔗 https://g3tsyst3m.github.io/shellcoding/assembly/debugging/x64-Assembly-&-Shellcoding-101/
Part 2:
🔗 https://g3tsyst3m.github.io/shellcoding/assembly/debugging/x64-Assembly-&-Shellcoding-101-Part-2/
Part 3:
🔗 https://g3tsyst3m.github.io/shellcoding/assembly/debugging/x64-Assembly-&-Shellcoding-101-Part-3/
Part 4:
🔗 https://g3tsyst3m.github.io/shellcoding/assembly/debugging/x64-Assembly-&-Shellcoding-101-Part-4/
Part 5:
🔗 https://g3tsyst3m.github.io/shellcoding/assembly/debugging/x64-Assembly-&-Shellcoding-101-Part-5/
Part 6:
🔗 https://g3tsyst3m.github.io/shellcoding/assembly/debugging/x64-Assembly-&-Shellcoding-101-Part-6/
credits @G3tSyst3m
🐥 [ tweet ]
#for_the_very_little_ones
😈 [ NetSPI @NetSPI ]
Introducing PowerHuntShares 2.0 Release!
NetSPI VP of Research @_nullbind introduces new insights, charts, graphs, & LLM capabilities that can be used to map the relationships & risks being exposed through the network shares:
🔗 https://www.netspi.com/blog/technical-blog/network-pentesting/powerhuntshares-2-0-release/
🐥 [ tweet ]
😈 [ John Hammond @_JohnHammond ]
Supply chain malware from an infected game mod 🤯😱 Long-form reverse engineering and a WILD ride: Binary Ninja, x64dbg, 010 Editor, PEB walking, reworking API function hashing in Python, DLL search-order hijacking, hooked functions & more. MASSIVE video:
🔗 https://youtu.be/bvyklJ5Wie0?si=c0TSvALbx1ch21rZ
🐥 [ tweet ]
😈 [ Lefteris Panos @lefterispan ]
Wrote a small C# tool that is able to make a network token using a certificate. Comes in handy in RTs ;)
🔗 https://github.com/nettitude/TokenCert
🐥 [ tweet ][ quote ]
😈 [ NCV @nickvourd ]
I just published Local Admin In Less Than 60 Seconds (Part 1)
In this post, I present Part 1 of my latest @BSidesAth presentation. I hope you enjoy it 😃
PS: There are Easter eggs inside for @taso_x, @tkalahan, and of course, @S1ckB0y1337.
🔗 https://medium.com/@nickvourd/local-admin-in-less-than-60-seconds-part-1-e2a0c0102b99
🐥 [ tweet ]
Offensive Xwitter
😈 [ freefirex @freefirex2 ]
Saw some other folks realize it's actually really easy to use certificates to authenticate as other users on Windows if you have access to the API.
We're now releasing our previously internal make_token_cert BOF to auth using only a .pfx file :)
🔗 https://github.com/trustedsec/CS-Remote-OPs-BOF/blob/bc0cdd7997ebbf37a1cfee26be97eb3faa06ab50/src/Remote/make_token_cert/entry.c#L69
🐥 [ tweet ]
😈 [ Daniel @0x64616e ]
Hash-based driver blocklists are insecure, because of how Authenticode signatures are computed. Nothing new, but not as well known as it should be.
🔗 https://github.com/akkuman/gSigFlip
🐥 [ tweet ]
😈 [ Synacktiv @Synacktiv ]
Oh, you didn't know? Cool kids are now relaying Kerberos over SMB 😏
Check out our latest blog post by @hugow_vincent to discover how to perform this attack:
🔗 https://www.synacktiv.com/publications/relaying-kerberos-over-smb-using-krbrelayx
🐥 [ tweet ]
😈 [ silentwarble @silentwarble ]
Something Emerges:
🔗 https://github.com/MythicAgents/Hannibal
🐥 [ tweet ]
😈 [ Matt Ehrnschwender @M_alphaaa ]
I'm trying to get better at keeping up with and publishing more on my blog. Here's a new post I just released on "Writing Beacon Object Files Without DFR"
🔗 https://blog.cybershenanigans.space/posts/writing-bofs-without-dfr/
🐥 [ tweet ]
😈 [ @ChrisTruncer@infosec.exchange @christruncer ]
It’s always awesome when we (@CISAGov) get to release a red team report that we worked on, and today is another one of those days!
Go check out our latest report and hopefully you can apply some of the same lessons to your environment!
🔗 https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-326a
🐥 [ tweet ]
😈 [ Gigel Vrancea @GigelV41464 ]
Someone on my team asked me if there was a way I could prevent in-proc tools like a BOF from crashing the process.
After some research, I came to the conclusion that using RtlSetUnhandledExceptionFilter is the most elegant way to achieve this.
Read here:
🔗 https://luci4.net/blog/2024/11/13/EternalLife/
🐥 [ tweet ]
😈 [ Volexity @Volexity ]
@Volexity’s latest blog post describes in detail how a Russian APT used a new attack technique, the “Nearest Neighbor Attack”, to leverage Wi-Fi networks in close proximity to the intended target, while the attacker was halfway around the world.
🔗 https://www.volexity.com/blog/2024/11/22/the-nearest-neighbor-attack-how-a-russian-apt-weaponized-nearby-wi-fi-networks-for-covert-access/
🐥 [ tweet ]
😈 [ Yehuda Smirnov @yudasm_ ]
Excited to share a tool I've been working on - ShadowHound.
ShadowHound is a PowerShell alternative to SharpHound for Active Directory enumeration, using native PowerShell or ADModule (ADWS). As a bonus I also talk about some MDI detections and how to avoid them:
Blog:
🔗 https://blog.fndsec.net/2024/11/25/shadowhound/
Code:
🔗 https://github.com/Friends-Security/ShadowHound
🐥 [ tweet ]
😈 [ PT SWARM @ptswarm ]
🎤✨ Our security researcher, Konstantin Polishin, presented “Red Team Social Engineering 2024: Initial Access TTP and Project Experience of Our Team” at #ROOTCON18 🚀
Recording:
🔗 https://youtube.com/watch?v=6nnZJiL0Tgk
🐥 [ tweet ]
😈 [ ap @decoder_it ]
I'm glad to release the tool I have been working hard on for the last month: #KrbRelayEx
A Kerberos relay & forwarder for MiTM attacks!
>Relays Kerberos AP-REQ tickets
>Manages multiple SMB consoles
>Works on Win & Linux with .NET 8.0
>...
GitHub:
🔗 https://github.com/decoder-it/KrbRelayEx
🐥 [ tweet ]
😈 [ RedTeam Pentesting @RedTeamPT ]
So we implemented parsing the security descriptors of shares and files in the beautiful ✨smbclient-ng✨ by @podalirius_
Here is our PR:
🔗 https://github.com/p0dalirius/smbclient-ng/pull/118
🐥 [ tweet ][ reply ]
😈 [ Check Point Research @_CPResearch_ ]
🚨 New Discovery! We uncovered an undocumented technique for executing commands through the #Godot #GameEngine. Exploited by #GodLoader, this method successfully bypassed most #antivirus software since June 2024, affecting over 17,000 potential victims.
🔗 https://research.checkpoint.com/2024/gaming-engines-an-undetected-playground-for-malware-loaders/
🐥 [ tweet ]
😈 [ S3cur3Th1sSh1t @ShitSecure ]
Seven days ago @prac_sec released a blog post about Patching CLR memory to bypass AMSI. This is now added to the AMSI Bypass Powershell repo as well:
🔗 https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell/tree/master?tab=readme-ov-file#Patching-Clr
🔗 https://practicalsecurityanalytics.com/new-amsi-bypss-technique-modifying-clr-dll-in-memory/
🐥 [ tweet ]
😈 [ Layle @layle_ctf ]
In a somewhat recent project we used a vulnerable driver, which worked fine...
Except: The customer had a custom rule that caused an alert when a service is created!
Decided to write a tool that creates the registry keys and calls into NtLoadDriver:
🔗 https://github.com/ioncodes/SilentLoad
🐥 [ tweet ]
😈 [ drm @lowercase_drm ]
Coffee break thoughts: "is it possible to bruteforce RPC endpoint to perform code exec if you can't access EPM/SMB?"
99% impacket atexec + 1% "for loop" = 100% prod ready
(silent command only)
h/t @saerxcit
🌻
🔗 https://gist.github.com/ThePirateWhoSmellsOfSunflowers/3673746454aef7d55a5efed4dc4e1a61
🐥 [ tweet ]