😈 [ ap @decoder_it ]
I'm glad to release the tool I have been working hard on the last month: #KrbRelayEx
A Kerberos relay & forwarder for MiTM attacks!
>Relays Kerberos AP-REQ tickets
>Manages multiple SMB consoles
>Works on Win & Linux with .NET 8.0
>...
GitHub:
🔗 https://github.com/decoder-it/KrbRelayEx
🐥 [ tweet ]
👍11
😈 [ RedTeam Pentesting @RedTeamPT ]
So we implemented parsing the security descriptors of shares and files in the beautiful ✨smbclient-ng ✨ by @podalirius_
Here is our PR:
🔗 https://github.com/p0dalirius/smbclient-ng/pull/118
🐥 [ tweet ][ reply ]
👍9🔥3
😈 [ Check Point Research @_CPResearch_ ]
🚨 New Discovery! We uncovered an undocumented technique for executing commands through the #Godot #GameEngine. Exploited by #GodLoader, this method successfully bypassed most #antivirus software since June 2024, affecting over 17,000 potential victims.
🔗 https://research.checkpoint.com/2024/gaming-engines-an-undetected-playground-for-malware-loaders/
🐥 [ tweet ]
👍3🔥1
😈 [ S3cur3Th1sSh1t @ShitSecure ]
Seven days ago @prac_sec released a blog post about Patching CLR memory to bypass AMSI. This is now added to the AMSI Bypass Powershell repo as well:
🔗 https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell/tree/master?tab=readme-ov-file#Patching-Clr
🔗 https://practicalsecurityanalytics.com/new-amsi-bypss-technique-modifying-clr-dll-in-memory/
🐥 [ tweet ]
👍9🔥3
😈 [ Layle @layle_ctf ]
In a somewhat recent project we used a vulnerable driver, which worked fine...
Except: The customer had a custom rule that caused an alert when a service is created!
Decided to write a tool that creates the registry keys and calls into NtLoadDriver:
🔗 https://github.com/ioncodes/SilentLoad
🐥 [ tweet ]
👍1
😈 [ drm @lowercase_drm ]
Coffee break thoughts: "is it possible to bruteforce RPC endpoint to perform code exec if you can't access EPM/SMB?"
99% impacket atexec + 1% "for loop" = 100% prod ready
(silent command only)
h/t @saerxcit
🌻
🔗 https://gist.github.com/ThePirateWhoSmellsOfSunflowers/3673746454aef7d55a5efed4dc4e1a61
🐥 [ tweet ]
🔥3
😈 [ Mayfly @M4yFly ]
Goad v3 merged into the main branch 🥳
GitHub:
🔗 https://github.com/Orange-Cyberdefense/GOAD
Doc:
🔗 https://orange-cyberdefense.github.io/GOAD/
🐥 [ tweet ]
👍8😢1
😈 [ blueblue @piedpiper1616 ]
GitHub - TheN00bBuilder/cve-2024-11477-writeup: CVE-2024-11477 7Zip Code Execution Writeup and Analysis
🔗 https://github.com/TheN00bBuilder/cve-2024-11477-writeup
🐥 [ tweet ]
👍4
😈 [ Rasta Mouse @_RastaMouse ]
[BLOG]
This post summarises how to tie Cobalt Strike's UDRL, SleepMask, and BeaconGate together for your syscall and call stack spoofing needs.
🔗 https://rastamouse.me/udrl-sleepmask-and-beacongate/
🐥 [ tweet ]
🤔1
😈 [ Fabian Bader @fabian_bader ]
🛡️Windows Firewall and WFP are only two ways to silence an #EDR agent.
📢In my latest blog post I discuss another network based technique to prevent data ingest and ways to detect it.
🔗 https://cloudbrothers.info/en/edr-silencers-exploring-methods-block-edr-communication-part-1/
And if you want even more, check out part 2 released by @Cyb3rMonk
🐥 [ tweet ]
🔥4👍1
😈 [ Check Point Research @_CPResearch_ ]
A ransomware gang's Rust experiment naturally produced the kind of binary you "reverse-engineer" by staring at the strings and saying, "mm hm." Join us as we break through this technical barrier and gain some insight into ransomware author psychology.
🔗 https://research.checkpoint.com/2024/inside-akira-ransomwares-rust-experiment/
🐥 [ tweet ]
👍2
😈 [ MDSec @MDSecLabs ]
Ever come across Altiris on a red team? We did.... Check out this post from @breakfix on how to extract ACC creds... Extracting Account Connectivity Credentials (ACCs) from Symantec Management Agent (aka Altiris)
🔗 https://www.mdsec.co.uk/2024/12/extracting-account-connectivity-credentials-accs-from-symantec-management-agent-aka-altiris/
🐥 [ tweet ]
👍2🍌2
😈 [ Ricardo Ruiz @RicardoJoseRF ]
Today I made public NativeBypassCredGuard, a tool to bypass Credential Guard by patching WDigest.dll using only NTAPI functions:
🔗 https://github.com/ricardojoserf/NativeBypassCredGuard
🐥 [ tweet ]
👍12
😈 [ S3cur3Th1sSh1t @ShitSecure ]
Finally I was finally able to reproduce RemotePotat0 from @splinter_code and @decoder_it which still works perfectly fine when relaying against SMB and choosing the correct CLSID :-) Only LDAP relaying is patched and not possible anymore.
Super late but ¯\_(ツ)_/¯ 🤪
But you know what's even better? KrbRelay also works from a low privileged users perspective! 🔥🔥🔥
🐥 [ tweet ][ quote ]
🔥7👍4🤯1
😈 [ Rad @rad9800 ]
I figured out a new way to completely disable certain EDR products only with Admin privileges in less than 30 lines of code with native applications.
It works by deleting critical application files before they can do anything 🙃
🔗 https://github.com/rad9800/BootExecuteEDR
🐥 [ tweet ]
🥱8🔥4🤔4👍1
😈 [ Boris Larin @oct0xor ]
We've open-sourced GReAT’s plugin for the IDA Pro decompiler - an indispensable set of tools for analyzing malware, shellcodes, etc. Grab our secret ingredient for reverse engineering and check out the GIFs demonstrating its usage:
🔗 https://github.com/KasperskyLab/hrtng
🐥 [ tweet ]
🔥4👍3
😈 [ Microsoft Threat Intelligence @MsftSecIntel ]
Microsoft observed a 146% rise in adversary-in-the-middle (AiTM) attacks over the last year, indicating that cybercriminals are continuing to find ways to compromise accounts that are protected by multifactor authentication (MFA).
🔗 https://techcommunity.microsoft.com/blog/identity/defeating-adversary-in-the-middle-phishing-attacks/1751777
🐥 [ tweet ]
😁7👍1
😈 [ Eliran Nissan @eliran_nissan ]
I am excited to share with you my latest research - "DCOM Upload & Execute".
An advanced lateral movement technique to upload and execute custom payloads on remote targets.
Forget about PSEXEC and dive in!
Blog:
🔗 https://www.deepinstinct.com/blog/forget-psexec-dcom-upload-execute-backdoor
Code:
🔗 https://github.com/deepinstinct/DCOMUploadExec
🐥 [ tweet ]
👍9🤔3😁1