😈 [ NSG650 @nsg650 ]

New blog about bootkitting Windows.
Done in collab with @pdawg11239

🔗 https://nsg650.github.io/blogs/29-12-2024.html

🐥 [ tweet ]

😈 [ SafeBreach @safebreach ]

Starting 2025 strong! We’ve developed a PoC exploit for CVE-2024-49112. Read the blog and check out the GitHub repo.

Blog:
🔗 https://www.safebreach.com/blog/ldapnightmare-safebreach-labs-publishes-first-proof-of-concept-exploit-for-cve-2024-49112/

PoC:
🔗 https://github.com/SafeBreach-Labs/CVE-2024-49112

🐥 [ tweet ]

😈 [ Dirk-jan @_dirkjan ]

Few BloodHound python updates: LDAP channel binding is now supported with Kerberos auth (native) or with NTLM (custom ldap3 version). Furthermore, the BH CE collector now has its own pypi package and command. You can have both on the same system with pipx.

🔗 https://github.com/dirkjanm/BloodHound.py

🐥 [ tweet ]

тоже недавно обновлял читшит по быстрому разворачиванию "нового" бх:

🔗 https://ppn.snovvcrash.rocks/pentest/infrastructure/ad#setup

😈 [ Synacktiv @Synacktiv ]

You can now use LDAP/LDAPs protocols with the SOCKS proxy of ntlmrelayx thanks to the PR from @b1two_ (now merged upstream).
Here is an example with ldeep using relayed authentication from HTTP to LDAPs.

🐥 [ tweet ]

😈 [ CICADA8Research @CICADA8Research ]

SpyWare 2.0 🔍

Read our new research and learn about MS UIA technology. You will explore the depths of COM, graphical elements in Windows and spy on WhatsApp, Telegram, Slack, and Keepass 🕵️‍♂️💻

Blog:
🔗 https://cicada-8.medium.com/im-watching-you-how-to-spy-windows-users-via-ms-uia-c9acd30f94c4

Tool:
🔗 https://github.com/CICADA8-Research/Spyndicapped

🐥 [ tweet ]

😈 [ mpgn @mpgn_x64 ]

So you want to exploit ADCS ESC8 with only netexec and ntlmrelayx ? Fear not my friend, I will show you how to do it 👆

NetExec now supports "Pass-the-Cert" as an authentication method, thanks to @_dirkjan original work on PKINITtools ⛱️

🐥 [ tweet ]

😈 [ Adam Chester 🏴‍☠️ @_xpn_ ]

Achievement unlocked, my first blog with SoecterOps 🤗 This post looks at ADFS OAuth2 support, Device Registration, Enterprise PRT, and a brain dump of things that I didn’t want to leave sat on Notion.

🔗 https://posts.specterops.io/adfs-living-in-the-legacy-of-drs-c11f9b371811

🐥 [ tweet ]

😈 [ Orange Tsai 🍊 @orange_8361 ]

The detailed version of our #WorstFit attack is available now! 🔥

Check it out! 👇

🔗 https://blog.orange.tw/posts/2025-01-worstfit-unveiling-hidden-transformers-in-windows-ansi/

🐥 [ tweet ][ quote ]

😈 [ Nithin Chenthur Prabhu @Azr43lKn1ght ]

Introducing Rusty-PE-Packer: a sophisticated Windows PE packer written in Rust, featuring progressive masked RC4 encryption, VEH exploitation for ROP gadget execution via RIP manipulation, and injection into legitimate Windows processes.

🔗 https://github.com/Azr43lKn1ght/Rusty-PE-Packer

🐥 [ tweet ]

😈 [ Bnb @HulkOperator ]

Recently, I’ve been experimenting with Return Address Spoofing and developed a tool to call any WinAPI and spoof the return address.

For a deeper dive, check out my blog post:

🔗 https://hulkops.gitbook.io/blog/red-team/x64-return-address-spoofing

🐥 [ tweet ]

😈 [ mpgn @mpgn_x64 ]

imo way to complicated to extract the ntds, once you got a user with backup privilege group just do:

nxc smb dc -u user -p pass -M backup_operator

🏆

🐥 [ tweet ][ quote ]

😈 [ Matt Ehrnschwender @M_alphaaa ]

Keeping the blog alive. For people who may be unaware, you can embed a file in a C/C++ program without needing to make a giant byte array in a header file for it. Kind of went a little bit overboard on the detail with this lol but it's pretty useful

🔗 https://blog.cybershenanigans.space/posts/embedding-files-in-c-cpp-programs/

🐥 [ tweet ]

😈 [ MrAle98 @MrAle_98 ]

Finally finished to develop an exploit for CVE-2024-49138: vulnerability in CLFS.sys.

I'll provide a detailed analysis in a blog post.

🔗 https://github.com/MrAle98/CVE-2024-49138-POC

🐥 [ tweet ]

😈 [ Synacktiv @Synacktiv ]

A few months ago, Microsoft released a critical patch for CVE-2024-43468, an unauthenticated SQL injection vulnerability in SCCM/ConfigMgr leading to remote code execution, discovered by @kalimer0x00.

🔗 https://www.synacktiv.com/advisories/microsoft-configuration-manager-configmgr-2403-unauthenticated-sql-injections

🐥 [ tweet ]

😈 [ Cellebrite Labs @CellebriteLabs ]

We just released our lightweight IDA syncing solution, LabSync, on GitHub! 🎉 LabSync uses YAML files in a git repo to sync your IDB with other researchers whenever you save it. Check it out:

🔗 https://github.com/cellebrite-labs/LabSync

🐥 [ tweet ]

😈 [ Rad @rad9800 ]

For those unable to get their hands on EDR software for reversing, TrendMicro kindly publishes their resources at:

🔗 https://help.deepsecurity.trendmicro.com/software.html

It's possible to download and extract the on-prem appliance and explore to understand how EDRs (if you can even call it that) work.

🐥 [ tweet ]

😈 [ Josh @passthehashbrwn ]

New blog from me on using CLR customizations to improve the OPSEC of your .NET execution harness. This includes a novel AMSI bypass that I identified in 2023. By taking control of CLR assembly loads, we can load assemblies from memory with no AMSI scan.

🔗 https://securityintelligence.com/x-force/being-a-good-clr-host-modernizing-offensive-net-tradecraft/

🐥 [ tweet ]

😈 [ Grzegorz Tworek @0gtweet ]

Wait, what? 😮

And to be precise, it affects the GetComputernameW itself, and not just one tool using it.

🐥 [ tweet ]

🔍 Exploring WinRM plugins for lateral movement

In this blog, the process of leveraging WinRM plugins to perform lateral movement to other systems is explored. Additionally, the use of the CIM_LogicFile WMI class to bypass certain tricky detections by Microsoft Defender is examined. Finally, all the logic is incorporated into a Cobalt Strike BOF.

🔗 Research:
https://falconforce.nl/exploring-winrm-plugins-for-lateral-movement/

🔗 Source:
https://github.com/FalconForceTeam/bof-winrm-plugin-jump

#ad #winrm #cobaltstrike #bof #redteam