😈 [ S3cur3Th1sSh1t @ShitSecure ]
Seven days ago @prac_sec released a blog post about Patching CLR memory to bypass AMSI. This is now added to the AMSI Bypass Powershell repo as well:
🔗 https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell/tree/master?tab=readme-ov-file#Patching-Clr
🔗 https://practicalsecurityanalytics.com/new-amsi-bypss-technique-modifying-clr-dll-in-memory/
🐥 [ tweet ]
Seven days ago @prac_sec released a blog post about Patching CLR memory to bypass AMSI. This is now added to the AMSI Bypass Powershell repo as well:
🔗 https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell/tree/master?tab=readme-ov-file#Patching-Clr
🔗 https://practicalsecurityanalytics.com/new-amsi-bypss-technique-modifying-clr-dll-in-memory/
🐥 [ tweet ]
👍9🔥3
😈 [ Layle @layle_ctf ]
In a somewhat recent project we used a vulnerable driver, which worked fine...
Except: The customer had a custom rule that caused an alert when a service is created!
Decided to write a tool that creates the registry keys and calls into NtLoadDriver:
🔗 https://github.com/ioncodes/SilentLoad
🐥 [ tweet ]
In a somewhat recent project we used a vulnerable driver, which worked fine...
Except: The customer had a custom rule that caused an alert when a service is created!
Decided to write a tool that creates the registry keys and calls into NtLoadDriver:
🔗 https://github.com/ioncodes/SilentLoad
🐥 [ tweet ]
👍1
😈 [ drm @lowercase_drm ]
Coffee break thoughts: "is it possible to bruteforce RPC endpoint to perform code exec if you can't access EPM/SMB?"
99% impacket atexec + 1% "for loop" = 100% prod ready
(silent command only)
h/t @saerxcit
🌻
🔗 https://gist.github.com/ThePirateWhoSmellsOfSunflowers/3673746454aef7d55a5efed4dc4e1a61
🐥 [ tweet ]
Coffee break thoughts: "is it possible to bruteforce RPC endpoint to perform code exec if you can't access EPM/SMB?"
99% impacket atexec + 1% "for loop" = 100% prod ready
(silent command only)
h/t @saerxcit
🌻
🔗 https://gist.github.com/ThePirateWhoSmellsOfSunflowers/3673746454aef7d55a5efed4dc4e1a61
🐥 [ tweet ]
🔥3
😈 [ Mayfly @M4yFly ]
Goad v3 merged into the main branch 🥳
GitHub:
🔗 https://github.com/Orange-Cyberdefense/GOAD
Doc:
🔗 https://orange-cyberdefense.github.io/GOAD/
🐥 [ tweet ]
Goad v3 merged into the main branch 🥳
GitHub:
🔗 https://github.com/Orange-Cyberdefense/GOAD
Doc:
🔗 https://orange-cyberdefense.github.io/GOAD/
🐥 [ tweet ]
👍8😢1
😈 [ blueblue @piedpiper1616 ]
GitHub - TheN00bBuilder/cve-2024-11477-writeup: CVE-2024-11477 7Zip Code Execution Writeup and Analysis
🔗 https://github.com/TheN00bBuilder/cve-2024-11477-writeup
🐥 [ tweet ]
GitHub - TheN00bBuilder/cve-2024-11477-writeup: CVE-2024-11477 7Zip Code Execution Writeup and Analysis
🔗 https://github.com/TheN00bBuilder/cve-2024-11477-writeup
🐥 [ tweet ]
👍4
😈 [ Rasta Mouse @_RastaMouse ]
[BLOG]
This post summarises how to tie Cobalt Strike's UDRL, SleepMask, and BeaconGate together for your syscall and call stack spoofing needs.
🔗 https://rastamouse.me/udrl-sleepmask-and-beacongate/
🐥 [ tweet ]
[BLOG]
This post summarises how to tie Cobalt Strike's UDRL, SleepMask, and BeaconGate together for your syscall and call stack spoofing needs.
🔗 https://rastamouse.me/udrl-sleepmask-and-beacongate/
🐥 [ tweet ]
🤔1
😈 [ Fabian Bader @fabian_bader ]
🛡️Windows Firewall and WFP are only two ways to silence an #EDR agent.
📢In my latest blog post I discuss another network based technique to prevent data ingest and ways to detect it.
🔗 https://cloudbrothers.info/en/edr-silencers-exploring-methods-block-edr-communication-part-1/
And if you want even more, checkout part 2 released by @Cyb3rMonk
🐥 [ tweet ]
🛡️Windows Firewall and WFP are only two ways to silence an #EDR agent.
📢In my latest blog post I discuss another network based technique to prevent data ingest and ways to detect it.
🔗 https://cloudbrothers.info/en/edr-silencers-exploring-methods-block-edr-communication-part-1/
And if you want even more, checkout part 2 released by @Cyb3rMonk
🐥 [ tweet ]
🔥4👍1
😈 [ Check Point Research @_CPResearch_ ]
A ransomware gang's Rust experiment naturally produced the kind of binary you "reverse-engineer" by staring at the strings and saying, "mm hm." Join us as we break through this technical barrier and gain some insight into ransomware author psychology.
🔗 https://research.checkpoint.com/2024/inside-akira-ransomwares-rust-experiment/
🐥 [ tweet ]
A ransomware gang's Rust experiment naturally produced the kind of binary you "reverse-engineer" by staring at the strings and saying, "mm hm." Join us as we break through this technical barrier and gain some insight into ransomware author psychology.
🔗 https://research.checkpoint.com/2024/inside-akira-ransomwares-rust-experiment/
🐥 [ tweet ]
👍2
😈 [ MDSec @MDSecLabs ]
Ever come across Altiris on a red team? We did.... Check out this post from @breakfix on how to extract ACC creds... Extracting Account Connectivity Credentials (ACCs) from Symantec Management Agent (aka Altiris)
🔗 https://www.mdsec.co.uk/2024/12/extracting-account-connectivity-credentials-accs-from-symantec-management-agent-aka-altiris/
🐥 [ tweet ]
Ever come across Altiris on a red team? We did.... Check out this post from @breakfix on how to extract ACC creds... Extracting Account Connectivity Credentials (ACCs) from Symantec Management Agent (aka Altiris)
🔗 https://www.mdsec.co.uk/2024/12/extracting-account-connectivity-credentials-accs-from-symantec-management-agent-aka-altiris/
🐥 [ tweet ]
👍2🍌2
😈 [ Ricardo Ruiz @RicardoJoseRF ]
Today I made public NativeBypassCredGuard, a tool to bypass Credential Guard by patching WDigest.dll using only NTAPI functions:
🔗 https://github.com/ricardojoserf/NativeBypassCredGuard
🐥 [ tweet ]
Today I made public NativeBypassCredGuard, a tool to bypass Credential Guard by patching WDigest.dll using only NTAPI functions:
🔗 https://github.com/ricardojoserf/NativeBypassCredGuard
🐥 [ tweet ]
👍12
😈 [ S3cur3Th1sSh1t @ShitSecure ]
Finally I was finally able to reproduce RemotePotat0 from @splinter_code and @decoder_it which still works perfectly fine when relaying against SMB and choosing the correct CLSID :-) Only LDAP relaying it patched and not possible anymore.
Super late but ¯\_(ツ)_/ ¯ 🤪
But you know what's even better? KrbRelay also works from a low privileged users perspective! 🔥🔥🔥
🐥 [ tweet ][ quote ]
Finally I was finally able to reproduce RemotePotat0 from @splinter_code and @decoder_it which still works perfectly fine when relaying against SMB and choosing the correct CLSID :-) Only LDAP relaying it patched and not possible anymore.
Super late but ¯\_(ツ)_/ ¯ 🤪
But you know what's even better? KrbRelay also works from a low privileged users perspective! 🔥🔥🔥
🐥 [ tweet ][ quote ]
🔥7👍4🤯1
😈 [ Rad @rad9800 ]
I figured out a new way to completely disable certain EDR products only with Admin privileges in less than 30 lines of code with native applications.
It works by deleting critical application files before they can do anything 🙃
🔗 https://github.com/rad9800/BootExecuteEDR
🐥 [ tweet ]
I figured out a new way to completely disable certain EDR products only with Admin privileges in less than 30 lines of code with native applications.
It works by deleting critical application files before they can do anything 🙃
🔗 https://github.com/rad9800/BootExecuteEDR
🐥 [ tweet ]
🥱8🔥4🤔4👍1
😈 [ Boris Larin @oct0xor ]
We've open-sourced GReAT’s plugin for the IDA Pro decompiler - an indispensable set of tools for analyzing malware, shellcodes, etc. Grab our secret ingredient for reverse engineering and check out the GIFs demonstrating its usage:
🔗 https://github.com/KasperskyLab/hrtng
🐥 [ tweet ]
We've open-sourced GReAT’s plugin for the IDA Pro decompiler - an indispensable set of tools for analyzing malware, shellcodes, etc. Grab our secret ingredient for reverse engineering and check out the GIFs demonstrating its usage:
🔗 https://github.com/KasperskyLab/hrtng
🐥 [ tweet ]
🔥4👍3
This media is not supported in your browser
VIEW IN TELEGRAM
😈 [ Microsoft Threat Intelligence @MsftSecIntel ]
Microsoft observed a 146% rise in adversary-in-the-middle (AiTM) attacks over the last year, indicating that cybercriminals are continuing to find ways to compromise accounts that are protected by multifactor authentication (MFA).
🔗 https://techcommunity.microsoft.com/blog/identity/defeating-adversary-in-the-middle-phishing-attacks/1751777
🐥 [ tweet ]
Microsoft observed a 146% rise in adversary-in-the-middle (AiTM) attacks over the last year, indicating that cybercriminals are continuing to find ways to compromise accounts that are protected by multifactor authentication (MFA).
🔗 https://techcommunity.microsoft.com/blog/identity/defeating-adversary-in-the-middle-phishing-attacks/1751777
🐥 [ tweet ]
😁7👍1
😈 [ Eliran Nissan @eliran_nissan ]
I am excited to share with you my latest research - "DCOM Upload & Execute".
An advanced lateral movement technique to upload and execute custom payloads on remote targets.
Forget about PSEXEC and dive in!
Blog:
🔗 https://www.deepinstinct.com/blog/forget-psexec-dcom-upload-execute-backdoor
Code:
🔗 https://github.com/deepinstinct/DCOMUploadExec
🐥 [ tweet ]
I am excited to share with you my latest research - "DCOM Upload & Execute".
An advanced lateral movement technique to upload and execute custom payloads on remote targets.
Forget about PSEXEC and dive in!
Blog:
🔗 https://www.deepinstinct.com/blog/forget-psexec-dcom-upload-execute-backdoor
Code:
🔗 https://github.com/deepinstinct/DCOMUploadExec
🐥 [ tweet ]
👍9🤔3😁1
😈 [ Orange Cyberdefense Switzerland @orangecyberch ]
🚨 During a co-funded research project, @PMa1n and @Nodauf, Security Engineers Offensive Security, discovered vulnerabilities in Cortex XDR that could be exploited by unprivileged users.
🔗 https://blog.scrt.ch/2024/12/05/attacking-cortex-xdr-from-an-unprivileged-user-perspective/
🐥 [ tweet ]
🚨 During a co-funded research project, @PMa1n and @Nodauf, Security Engineers Offensive Security, discovered vulnerabilities in Cortex XDR that could be exploited by unprivileged users.
🔗 https://blog.scrt.ch/2024/12/05/attacking-cortex-xdr-from-an-unprivileged-user-perspective/
🐥 [ tweet ]
🔥5👍2
Forwarded from PT SWARM
🇻🇳 The Positive Hack Talks in Vietnam has finished!
Slides from our researcher Arseniy Sharoglazov: https://static.ptsecurity.com/events/exch-vietnam.pdf
Wordlist: https://github.com/mohemiv/dodgypass
🎁 Includes a PoC for MyQ Unauthenticated RCE! (CVE-2024-28059)
Slides from our researcher Arseniy Sharoglazov: https://static.ptsecurity.com/events/exch-vietnam.pdf
Wordlist: https://github.com/mohemiv/dodgypass
🎁 Includes a PoC for MyQ Unauthenticated RCE! (CVE-2024-28059)
🔥6👍4
Offensive Xwitter
😈 [ Synacktiv @Synacktiv ] Oh, you didn't know? Cool kids are now relaying Kerberos over SMB 😏 Check out our latest blogpost by @hugow_vincent to discover how to perform this attack: 🔗 https://www.synacktiv.com/publications/relaying-kerberos-over-smb-using…
😈 [ Synacktiv @Synacktiv ]
You can now relay any protocol to SMB over Kerberos with krbrelayx[.]py and the latest PRs from @hugow_vincent.
Thanks @_dirkjan for merging it!
Here is an example from SMB to SMB:
🔗 https://github.com/dirkjanm/krbrelayx/pull/46
🐥 [ tweet ]
You can now relay any protocol to SMB over Kerberos with krbrelayx[.]py and the latest PRs from @hugow_vincent.
Thanks @_dirkjan for merging it!
Here is an example from SMB to SMB:
🔗 https://github.com/dirkjanm/krbrelayx/pull/46
🐥 [ tweet ]
🔥9