😈 [ t3l3machus @t3l3machus ]
New experimental tool for rapid extraction and analysis of Windows service configs and ACEs for potential PE candidates, removing the need for tools like accesschk.exe or other non-native binaries.
🔗 https://github.com/t3l3machus/ACEshark
🐥 [ tweet ]
🔥11
😈 [ CICADA8Research @CICADA8Research ]
SpyWare 2.0 🔍
Read our new research and learn about MS UIA technology. You will explore the depths of COM, graphical elements in Windows and spy on WhatsApp, Telegram, Slack, and Keepass 🕵️♂️💻
Blog:
🔗 https://cicada-8.medium.com/im-watching-you-how-to-spy-windows-users-via-ms-uia-c9acd30f94c4
Tool:
🔗 https://github.com/CICADA8-Research/Spyndicapped
🐥 [ tweet ]
🔥9👍6🎄3🤯2
😈 [ Adam Chester 🏴☠️ @_xpn_ ]
Achievement unlocked, my first blog with SpecterOps 🤗 This post looks at ADFS OAuth2 support, Device Registration, Enterprise PRT, and a brain dump of things that I didn’t want to leave sat on Notion.
🔗 https://posts.specterops.io/adfs-living-in-the-legacy-of-drs-c11f9b371811
🐥 [ tweet ]
👍6
😈 [ Orange Tsai 🍊 @orange_8361 ]
The detailed version of our #WorstFit attack is available now! 🔥
Check it out! 👇
🔗 https://blog.orange.tw/posts/2025-01-worstfit-unveiling-hidden-transformers-in-windows-ansi/
🐥 [ tweet ][ quote ]
🔥6👍3
😈 [ Nithin Chenthur Prabhu @Azr43lKn1ght ]
Introducing Rusty-PE-Packer: a sophisticated Windows PE packer written in Rust, featuring progressive masked RC4 encryption, VEH exploitation for ROP gadget execution via RIP manipulation, and injection into legitimate Windows processes.
🔗 https://github.com/Azr43lKn1ght/Rusty-PE-Packer
🐥 [ tweet ]
🔥12
😈 [ Bnb @HulkOperator ]
Recently, I’ve been experimenting with Return Address Spoofing and developed a tool to call any WinAPI and spoof the return address.
For a deeper dive, check out my blog post:
🔗 https://hulkops.gitbook.io/blog/red-team/x64-return-address-spoofing
🐥 [ tweet ]
🔥7👍4
😈 [ Matt Ehrnschwender @M_alphaaa ]
Keeping the blog alive. For people who may be unaware, you can embed a file in a C/C++ program without needing to make a giant byte array in a header file for it. Kind of went a little bit overboard on the detail with this lol but it's pretty useful
🔗 https://blog.cybershenanigans.space/posts/embedding-files-in-c-cpp-programs/
🐥 [ tweet ]
😈 [ MrAle98 @MrAle_98 ]
Finally finished developing an exploit for CVE-2024-49138: a vulnerability in CLFS.sys.
I'll provide a detailed analysis in a blog post.
🔗 https://github.com/MrAle98/CVE-2024-49138-POC
🐥 [ tweet ]
🔥12👍1
😈 [ Synacktiv @Synacktiv ]
A few months ago, Microsoft released a critical patch for CVE-2024-43468, an unauthenticated SQL injection vulnerability in SCCM/ConfigMgr leading to remote code execution, discovered by @kalimer0x00.
🔗 https://www.synacktiv.com/advisories/microsoft-configuration-manager-configmgr-2403-unauthenticated-sql-injections
🐥 [ tweet ]
🔥5👍1
😈 [ Cellebrite Labs @CellebriteLabs ]
We just released our lightweight IDA syncing solution, LabSync, on GitHub! 🎉 LabSync uses YAML files in a git repo to sync your IDB with other researchers whenever you save it. Check it out:
🔗 https://github.com/cellebrite-labs/LabSync
🐥 [ tweet ]
🔥4
😈 [ Rad @rad9800 ]
For those unable to get their hands on EDR software for reversing, TrendMicro kindly publishes their resources at:
🔗 https://help.deepsecurity.trendmicro.com/software.html
It's possible to download and extract the on-prem appliance and explore to understand how EDRs (if you can even call it that) work.
🐥 [ tweet ]
👍4
😈 [ Josh @passthehashbrwn ]
New blog from me on using CLR customizations to improve the OPSEC of your .NET execution harness. This includes a novel AMSI bypass that I identified in 2023. By taking control of CLR assembly loads, we can load assemblies from memory with no AMSI scan.
🔗 https://securityintelligence.com/x-force/being-a-good-clr-host-modernizing-offensive-net-tradecraft/
🐥 [ tweet ]
👍8🔥3
Forwarded from APT
🔍 Exploring WinRM plugins for lateral movement
In this blog, the process of leveraging WinRM plugins to perform lateral movement to other systems is explored. Additionally, the use of the CIM_LogicFile WMI class to bypass certain tricky detections by Microsoft Defender is examined. Finally, all the logic is incorporated into a Cobalt Strike BOF.
🔗 Research:
https://falconforce.nl/exploring-winrm-plugins-for-lateral-movement/
🔗 Source:
https://github.com/FalconForceTeam/bof-winrm-plugin-jump
#ad #winrm #cobaltstrike #bof #redteam
👍7🔥2
😈 [ ssno @ssnossnossno ]
I spent the last month reverse engineering Call of Duty's anti-cheat!
Blog post here:
🔗 https://ssno.cc/posts/reversing-tac-1-4-2025/
Code:
🔗 https://github.com/ssnob/hidden_syscall_monitoring
🐥 [ tweet ]
🔥4👍3
Forwarded from RedTeam brazzers (Pavel Shlundin)
Today I saw information about the Targeted Timeroasting attack in several channels and was very inspired by it.
In a nutshell, what the Timeroasting attack is: it is an attack that lets you obtain the password hash of a machine account. In general, we know this is useless for us, since a machine's password is most often very long and complex. But there are scenarios where the password does turn out to be simple and, combined with the pre2k attack, an interesting vector can be built. @snovvcrash recently wrote about this in his blog.
The essence of the Targeted Timeroasting attack is slightly different: if we have GenericWrite rights on a user object, we can turn this user into a computer (what?) and request a hash for it. A user can be turned into a computer in two simple steps:
1. Change userAccountControl to 4096 (UF_WORKSTATION_TRUST_ACCOUNT)
2. Rename sAMAccountName to the same name, but with a $ at the end
After these actions the time service will be convinced that this is now a computer and will hand you the hash.
Okay, how can this be used?
Scenario 1.
We have Domain Admins rights and don't want to make noise with a DcSync attack; in that case you can run Targeted Timeroasting against all users and you will get the accounts' hashes, which will then still need to be cracked.
Scenario 2.
We have captured a HelpDesk account. Most often this account has GenericWrite rights on half the domain. There is no CA in the domain, so a Shadow Creds attack is not possible. By carrying out Targeted Kerberoasting or Targeted AsReproasting attacks we get tickets that cannot be brute-forced against large wordlists. But with the Targeted Timeroasting attack we, firstly, won't make much noise in the SIEM (not guaranteed, of course), and secondly, we get hashes that can be cracked at monstrous speed.
Come up with the other scenarios yourself :)
You can read fresh research on this attack in the blog. Hashes can be cracked with hashcat like this:
git clone https://github.com/hashcat/hashcat && cd hashcat
git checkout 5236f3bd7 && make
./hashcat -m31300
A PowerShell script was developed for the Targeted Timeroasting attack. But today I rewrote the attack in Python and published it in my repository: https://github.com/PShlyundin/TimeSync
I named the tool TimeSync because this attack strongly reminded me of the classic DcSync.
👍6🔥4
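A defender-side companion to the forwarded post above, added here and not part of the original post or the TimeSync project: it correlates the two indicators the post describes (userAccountControl gaining the 4096 / UF_WORKSTATION_TRUST_ACCOUNT flag, and sAMAccountName being renamed to end in "$") per target account over constructed audit records, and only reports an account when both are present. The record format and field names are an assumption loosely modelled on Windows Security event 4738 ("A user account was changed"), not the real event schema.

```python
import re
from collections import defaultdict

# Constructed sample records (assumed key=value layout, not the real 4738 schema).
# The Target field is assumed to keep the account's original name; "-" marks a
# field that the change did not touch.
SAMPLE_EVENTS = [
    "EventID=4738 Subject=CORP\\helpdesk01 Target=CORP\\jdoe OldUAC=0x200 NewUAC=0x1000 SamAccountName=-",
    "EventID=4738 Subject=CORP\\helpdesk01 Target=CORP\\jdoe OldUAC=- NewUAC=- SamAccountName=jdoe$",
    "EventID=4738 Subject=CORP\\hr_admin Target=CORP\\asmith OldUAC=0x200 NewUAC=0x210 SamAccountName=-",
    "EventID=4738 Subject=CORP\\svc_join Target=CORP\\WS01$ OldUAC=- NewUAC=- SamAccountName=-",
]

UF_WORKSTATION_TRUST_ACCOUNT = 0x1000  # 4096, the value named in the post

LINE_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one key=value record into a dict."""
    return dict(LINE_RE.findall(line))


def uac_flag(value):
    """Parse a UAC field; None when the field was not part of the change."""
    if value in (None, "-"):
        return None
    return int(value, 0)


def find_user_to_computer_conversions(lines):
    """Return targets on which BOTH indicators were seen: the trust-account
    flag was newly set, and the SAM name of a non-$ account was renamed to
    end with '$'. Either indicator alone is only a partial match."""
    seen = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4738":
            continue
        target = ev["Target"]
        old_uac = uac_flag(ev.get("OldUAC")) or 0
        new_uac = uac_flag(ev.get("NewUAC"))
        if new_uac is not None and (new_uac & UF_WORKSTATION_TRUST_ACCOUNT) \
                and not (old_uac & UF_WORKSTATION_TRUST_ACCOUNT):
            seen[target].add("uac_trust_flag")
        sam = ev.get("SamAccountName", "-")
        if sam != "-" and sam.endswith("$") and not target.endswith("$"):
            seen[target].add("sam_dollar_rename")
    return sorted(t for t, inds in seen.items() if len(inds) == 2)
```

A real deployment would key the correlation on the object SID rather than the name, since the name is exactly what the second step changes.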
😈 [ silentwarble @silentwarble ]
These posts on reversing Brute Ratel are for an older version, but still some useful tidbits you can extract for building your own c2 agents:
🔗 https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/
🔗 https://cybergeeks.tech/a-deep-dive-into-brute-ratel-c4-payloads/
🔗 https://cybergeeks.tech/a-deep-dive-into-brute-ratel-c4-payloads-part-2/
🐥 [ tweet ]
🔥2
😈 [ klez @KlezVirus ]
For anyone curious, the OffensiveX talk on RpcInvoke is out now! Fair warning: the content’s solid, but the presenter might have a few bugs of its own. 😅
🔗 https://www.youtube.com/watch?v=HxtUiJcItDE
🐥 [ tweet ]
YouTube
OFFENSIVEX 2024 - Alessandro Magnosi - RPC Abuse: Exploiting Server Calls for Code Execution
Original Title: Unraveling the RPC Thread: How Attackers Abuse Server Calls for Code Execution.
😈 [ x86matthew @x86matthew ]
I created a hypervisor-based emulator for Windows x64 binaries. This project uses Windows Hypervisor Platform to build a virtualized user-mode environment, allowing syscalls and memory accesses to be logged or intercepted.
Blog:
🔗 https://www.elastic.co/security-labs/winvisor-hypervisor-based-emulator
Code:
🔗 https://github.com/x86matthew/WinVisor
🐥 [ tweet ]
🔥9👍2