😈 [ NetSPI @NetSPI ]
Beacon Object Files (BOFs) in C2 platforms limit developers.
Read NetSPI's blog post to explore a reference design for a new BOF portable executable (PE) concept that bridges the gap between modern C++ development and memory-executable C2 integration.
🔗 https://www.netspi.com/blog/technical-blog/network-pentesting/the-future-of-beacon-object-files/
🐥 [ tweet ]
Beacon Object Files (BOFs) in C2 platforms limit developers.
Read NetSPI's blog post to explore a reference design for a new BOF portable executable (PE) concept that bridges the gap between modern C++ development and memory-executable C2 integration.
🔗 https://www.netspi.com/blog/technical-blog/network-pentesting/the-future-of-beacon-object-files/
🐥 [ tweet ]
😈 [ Daniel @0x64616e ]
You can relay a user to LDAP that has WriteDacl/GenericAll on a valuable object but you can't use ShadowCredentials? Fear no more! You can now use "gain_fullcontrol" in ntlmrelayx ldapshell to give your account control over that object.
🔗 https://github.com/fortra/impacket/pull/1927
🐥 [ tweet ]
You can relay a user to LDAP that has WriteDacl/GenericAll on a valuable object but you can't use ShadowCredentials? Fear no more! You can now use "gain_fullcontrol" in ntlmrelayx ldapshell to give your account control over that object.
🔗 https://github.com/fortra/impacket/pull/1927
🐥 [ tweet ]
👍6🔥3
😈 [ Wietze @Wietze ]
By making minor changes to command-line arguments, it is possible to bypass EDR/AV detections.
My research, comprising ~70 Windows executables, found that all of them were vulnerable to this, to varying degrees.
Here’s what I found and why it matters:
🔗 https://wietze.github.io/blog/bypassing-detections-with-command-line-obfuscation
🐥 [ tweet ]
By making minor changes to command-line arguments, it is possible to bypass EDR/AV detections.
My research, comprising ~70 Windows executables, found that all of them were vulnerable to this, to varying degrees.
Here’s what I found and why it matters:
🔗 https://wietze.github.io/blog/bypassing-detections-with-command-line-obfuscation
🐥 [ tweet ]
🔥23🥱6😁3
😈 [ bohops @bohops ]
This ended up being a great applied research project with @d_tranman on weaponizing a technique for fileless DCOM lateral movement based on the original work of @tiraniddo. Excellent work, Dylan!
Blog:
🔗 https://www.ibm.com/think/news/fileless-lateral-movement-trapped-com-objects
PoC:
🔗 https://github.com/xforcered/ForsHops
🐥 [ tweet ][ quote ]
This ended up being a great applied research project with @d_tranman on weaponizing a technique for fileless DCOM lateral movement based on the original work of @tiraniddo. Excellent work, Dylan!
Blog:
🔗 https://www.ibm.com/think/news/fileless-lateral-movement-trapped-com-objects
PoC:
🔗 https://github.com/xforcered/ForsHops
🐥 [ tweet ][ quote ]
👍3🥱2
😈 [ Craig Rowland - Agentless Linux Security @CraigHRowland ]
This new Linux noscript from THC will encrypt and obfuscate any executable or noscript to hide from on-disk detection:
🔗 https://github.com/hackerschoice/bincrypter
I'm going to show you how to detect it with command line tools in this thread:
🔗 https://threadreaderapp.com/thread/1905052948935377402.html
🐥 [ tweet ]
This new Linux noscript from THC will encrypt and obfuscate any executable or noscript to hide from on-disk detection:
🔗 https://github.com/hackerschoice/bincrypter
I'm going to show you how to detect it with command line tools in this thread:
🔗 https://threadreaderapp.com/thread/1905052948935377402.html
🐥 [ tweet ]
🔥12👍3🥱2
😈 [ Oddvar Moe @Oddvarmoe ]
Many people wanted my slides from the Windows Client Privilege Escalation webinar yesterday.
Here are links to the slides and the recording of the webinar.
Slides:
🔗 https://www.slideshare.net/slideshow/windows-client-privilege-escalation-shared-pptx/277239036
Recording:
🔗 https://youtu.be/EG2Mbw2DVnU?si=rlx-GG2QMQpIxQYi
🐥 [ tweet ]
Many people wanted my slides from the Windows Client Privilege Escalation webinar yesterday.
Here are links to the slides and the recording of the webinar.
Slides:
🔗 https://www.slideshare.net/slideshow/windows-client-privilege-escalation-shared-pptx/277239036
Recording:
🔗 https://youtu.be/EG2Mbw2DVnU?si=rlx-GG2QMQpIxQYi
🐥 [ tweet ]
👍7🔥5
This media is not supported in your browser
VIEW IN TELEGRAM
😈 [ Duncan Ogilvie 🍍 @mrexodia ]
Success! Claude 3.7 with my IDA Pro MCP server managed to solve the crackme that was previously failing🦾
The trick was adding a convert_number tool and stress to always use it for conversions. It took ~7 minutes to run and the cost was $1.85. Also includes an analysis report.
🔗 https://github.com/mrexodia/ida-pro-mcp
🐥 [ tweet ]
Success! Claude 3.7 with my IDA Pro MCP server managed to solve the crackme that was previously failing🦾
The trick was adding a convert_number tool and stress to always use it for conversions. It took ~7 minutes to run and the cost was $1.85. Also includes an analysis report.
🔗 https://github.com/mrexodia/ida-pro-mcp
🐥 [ tweet ]
рип цтфы категории пвн👍7😁4🤯3🔥1
😈 [ Yehuda Smirnov @yudasm_ ]
Excited to release a tool I've been working on lately: ShareFiltrator
ShareFiltrator finds credentials exposed in SharePoint/OneDrive via the Search API (_api/search/query) and also automates mass downloading of the discovered items.
Blog:
🔗 https://blog.fndsec.net/2025/04/02/breaking-down-sharepoint-walls/
Code:
🔗 https://github.com/Friends-Security/sharefiltrator
🐥 [ tweet ]
Excited to release a tool I've been working on lately: ShareFiltrator
ShareFiltrator finds credentials exposed in SharePoint/OneDrive via the Search API (_api/search/query) and also automates mass downloading of the discovered items.
Blog:
🔗 https://blog.fndsec.net/2025/04/02/breaking-down-sharepoint-walls/
Code:
🔗 https://github.com/Friends-Security/sharefiltrator
🐥 [ tweet ]
👍11😁1
Offensive Xwitter
😈 [ Bobby Cooke @0xBoku ] Loki C2 blog drop! Thank you for all those who helped and all the support from the community. Big shoutout to @d_tranman and @chompie1337 for all their contributions to Loki C2! @IBM @IBMSecurity @XForce 🔗 https://securityintelligence.com/x…
😈 [ Bobby Cooke @0xBoku ]
As promised... this is Loki Command & Control! 🧙♂️🔮🪄
Thanks to @d_tranman for his work done on the project and everyone else on the team for making this release happen!
🔗 https://github.com/boku7/Loki
🐥 [ tweet ]
As promised... this is Loki Command & Control! 🧙♂️🔮🪄
Thanks to @d_tranman for his work done on the project and everyone else on the team for making this release happen!
🔗 https://github.com/boku7/Loki
🐥 [ tweet ]
👍6
😈 [ ippsec @ippsec ]
After using Python for so long, I've been trying to switch to GoLang over the last two years just to try something new. I'm finally somewhat confident in being able to write I'd try to create a video series to help others. This is the first video:
🔗 https://youtu.be/uJFW4c4QE0U
🐥 [ tweet ]
After using Python for so long, I've been trying to switch to GoLang over the last two years just to try something new. I'm finally somewhat confident in being able to write I'd try to create a video series to help others. This is the first video:
🔗 https://youtu.be/uJFW4c4QE0U
🐥 [ tweet ]
👍12🔥2🥱2
😈 [ Matt Creel @Tw1sm ]
Nothing new, but formalized some operator notes on Entra ID/Azure tradecraft I've found to be exceptionally useful on ops. Overlooked this myself for quite some time and thought others in the same boat might find it worth a read! 📖
🔗 https://medium.com/specter-ops-posts/an-operators-guide-to-device-joined-hosts-and-the-prt-cookie-bcd0db2812c4
🐥 [ tweet ]
Nothing new, but formalized some operator notes on Entra ID/Azure tradecraft I've found to be exceptionally useful on ops. Overlooked this myself for quite some time and thought others in the same boat might find it worth a read! 📖
🔗 https://medium.com/specter-ops-posts/an-operators-guide-to-device-joined-hosts-and-the-prt-cookie-bcd0db2812c4
🐥 [ tweet ]
🔥4
😈 [ Andrew Oliveau @AndrewOliveau ]
RemoteMonologue - A Windows credential harvesting attack that leverages the Interactive User RunAs key and coerces NTLM authentications via DCOM. Remotely compromise users without moving laterally or touching LSASS.
Hope you enjoy the blog & tool drop 🤟
Blog:
🔗 https://www.ibm.com/think/x-force/remotemonologue-weaponizing-dcom-ntlm-authentication-coercions
Code:
🔗 https://github.com/xforcered/RemoteMonologue
🐥 [ tweet ]
RemoteMonologue - A Windows credential harvesting attack that leverages the Interactive User RunAs key and coerces NTLM authentications via DCOM. Remotely compromise users without moving laterally or touching LSASS.
Hope you enjoy the blog & tool drop 🤟
Blog:
🔗 https://www.ibm.com/think/x-force/remotemonologue-weaponizing-dcom-ntlm-authentication-coercions
Code:
🔗 https://github.com/xforcered/RemoteMonologue
🐥 [ tweet ]
👍4🔥4🥱2
😈 [ Elad Shamir @elad_shamir ]
NTLM relay is still a major threat and is now even easier to abuse. We just added new NTLM relay edges to BloodHound to help defenders fix and attackers think in graphs.
Read my detailed post - the most comprehensive guide on NTLM relay & the new edges:
🔗 https://posts.specterops.io/the-renaissance-of-ntlm-relay-attacks-everything-you-need-to-know-abfc3677c34e
🐥 [ tweet ]
NTLM relay is still a major threat and is now even easier to abuse. We just added new NTLM relay edges to BloodHound to help defenders fix and attackers think in graphs.
Read my detailed post - the most comprehensive guide on NTLM relay & the new edges:
🔗 https://posts.specterops.io/the-renaissance-of-ntlm-relay-attacks-everything-you-need-to-know-abfc3677c34e
🐥 [ tweet ]
👍6
Offensive Xwitter
😈 [ Andrew Oliveau @AndrewOliveau ] RemoteMonologue - A Windows credential harvesting attack that leverages the Interactive User RunAs key and coerces NTLM authentications via DCOM. Remotely compromise users without moving laterally or touching LSASS. Hope…
😈 [ S3cur3Th1sSh1t @ShitSecure ]
As this is public now - an alternative to modifying AppIds to make them use the interactive user via the remote registry you can also use a lot of existing CLSIDs which have the interactive user configured and coerce an incoming RPC authentication from loggedon users 😎
🐥 [ tweet ][ quote ]
As this is public now - an alternative to modifying AppIds to make them use the interactive user via the remote registry you can also use a lot of existing CLSIDs which have the interactive user configured and coerce an incoming RPC authentication from loggedon users 😎
🐥 [ tweet ][ quote ]
🤔2
Небольшой пример, как можно использовать Certipy как библиотеку для проведения #ESC1 через нативную веб-форму энрола
🔗 https://ppn.snovvcra.sh/pentest/infrastructure/ad/ad-cs-abuse/esc1 (certrqxt2pfx[.]py)
Недавно был прикольный кейс, когда надо было получить сертификат сквозь Cisco SSL VPN Relay Add-On и легаси Internet Explorer без возможности нормального проксирования в целевую сетку ;)
/certsrv/certrqxt.asp:🔗 https://ppn.snovvcra.sh/pentest/infrastructure/ad/ad-cs-abuse/esc1 (certrqxt2pfx[.]py)
Недавно был прикольный кейс, когда надо было получить сертификат сквозь Cisco SSL VPN Relay Add-On и легаси Internet Explorer без возможности нормального проксирования в целевую сетку ;)
🔥6👍2
😈 [ Microsoft Threat Intelligence @MsftSecIntel ]
Microsoft has discovered post-compromise exploitation of CVE 2025-29824, a zero-day elevation of privilege vulnerability in Windows Common Log File System (CLFS), against a small number of targets.
🔗 https://www.microsoft.com/en-us/security/blog/2025/04/08/exploitation-of-clfs-zero-day-leads-to-ransomware-activity/
🐥 [ tweet ]
Microsoft has discovered post-compromise exploitation of CVE 2025-29824, a zero-day elevation of privilege vulnerability in Windows Common Log File System (CLFS), against a small number of targets.
🔗 https://www.microsoft.com/en-us/security/blog/2025/04/08/exploitation-of-clfs-zero-day-leads-to-ransomware-activity/
🐥 [ tweet ]
😈 [ Vector 35 @vector35 ]
We've open-sourced another core Binary Ninja feature: SCC. If you're not familiar with it, the Shellcode Compiler has been built-in to BN from the beginning, allowing you to build small PIE shellcode in a variety of architectures right from the UI:
🔗 https://scc.binary.ninja/
🔗 https://github.com/Vector35/scc
If you haven't seen it before, it's available under the Edit / Compile dialog.
🐥 [ tweet ]
We've open-sourced another core Binary Ninja feature: SCC. If you're not familiar with it, the Shellcode Compiler has been built-in to BN from the beginning, allowing you to build small PIE shellcode in a variety of architectures right from the UI:
🔗 https://scc.binary.ninja/
🔗 https://github.com/Vector35/scc
If you haven't seen it before, it's available under the Edit / Compile dialog.
🐥 [ tweet ]
👍4
😈 [ Alex Neff @al3x_n3ff ]
NetExec v1.4.0 has been released! 🎉
There is a HUGE number of new features and improvements, including:
- backup_operator: Automatic priv esc for backup operators
- Certificate authentication
- NFS escape to root file system
And much more!
Full rundown:
🔗 https://github.com/Pennyw0rth/NetExec/releases/tag/v1.4.0
🐥 [ tweet ]
NetExec v1.4.0 has been released! 🎉
There is a HUGE number of new features and improvements, including:
- backup_operator: Automatic priv esc for backup operators
- Certificate authentication
- NFS escape to root file system
And much more!
Full rundown:
🔗 https://github.com/Pennyw0rth/NetExec/releases/tag/v1.4.0
🐥 [ tweet ]
🔥17👍6
😈 [ Orange Cyberdefense's SensePost Team @sensepost ]
The S is for Security. How to use WinRMS as a solid NTLM relay target, and why it’s less secure than WinRM over HTTP. By @Defte_
Writeup:
🔗 https://sensepost.com/blog/2025/is-tls-more-secure-the-winrms-case./
PR to impacket:
🔗 https://github.com/fortra/impacket/pull/1947/files
Demo:
🔗 https://youtu.be/3mG2Ouu3Umk
🐥 [ tweet ]
The S is for Security. How to use WinRMS as a solid NTLM relay target, and why it’s less secure than WinRM over HTTP. By @Defte_
Writeup:
🔗 https://sensepost.com/blog/2025/is-tls-more-secure-the-winrms-case./
PR to impacket:
🔗 https://github.com/fortra/impacket/pull/1947/files
Demo:
🔗 https://youtu.be/3mG2Ouu3Umk
🐥 [ tweet ]
🔥7👍2