😈 [ DirectoryRanger, DirectoryRanger ]
A Syscall Journey in the Windows Kernel, by @AliceCliment
https://t.co/xlGizX3pEm
🔗 https://alice.climent-pommeret.red/posts/a-syscall-journey-in-the-windows-kernel/
🐥 [ tweet ]
A Syscall Journey in the Windows Kernel, by @AliceCliment
https://t.co/xlGizX3pEm
🔗 https://alice.climent-pommeret.red/posts/a-syscall-journey-in-the-windows-kernel/
🐥 [ tweet ]
😈 [ tiraniddo, James Forshaw ]
After @clearbluejar's post of using NtObjectManager for RPC I thought I should finish a post about how a few approaches to narrow down the enumeration to individual running processes rather than having to parse all executables on disk. https://t.co/xh22G6Ek80
🔗 https://www.tiraniddo.dev/2022/06/finding-running-rpc-server-information.html
🐥 [ tweet ]
After @clearbluejar's post of using NtObjectManager for RPC I thought I should finish a post about how a few approaches to narrow down the enumeration to individual running processes rather than having to parse all executables on disk. https://t.co/xh22G6Ek80
🔗 https://www.tiraniddo.dev/2022/06/finding-running-rpc-server-information.html
🐥 [ tweet ]
😈 [ ORCA10K, ORCA ]
after hiding the payload in the thread denoscription, i decided to search for new places for the same purpose, so im releasing a new poc, that hide your payload in nvidia's gpu memory.
https://t.co/06mPPffWIt
🔗 https://gitlab.com/ORCA000/gp
🐥 [ tweet ]
after hiding the payload in the thread denoscription, i decided to search for new places for the same purpose, so im releasing a new poc, that hide your payload in nvidia's gpu memory.
https://t.co/06mPPffWIt
🔗 https://gitlab.com/ORCA000/gp
🐥 [ tweet ]
😈 [ n00py1, n00py ]
Do you use AADInternals Invoke-AADIntReconAsOutsider by @DrAzureAD? Surer useful when finding related domains when doing an External Penetration Test.
https://t.co/mWGz0YqhDK
🔗 https://o365blog.com/aadinternals/#invoke-aadintreconasoutsider
🐥 [ tweet ]
Do you use AADInternals Invoke-AADIntReconAsOutsider by @DrAzureAD? Surer useful when finding related domains when doing an External Penetration Test.
https://t.co/mWGz0YqhDK
🔗 https://o365blog.com/aadinternals/#invoke-aadintreconasoutsider
🐥 [ tweet ]
😈 [ S0ufi4n3, Soufiane Tahiri ]
Here is the code of my #Ransomware simulator: https://t.co/iOlPkPL0xx
I ended up replacing AES with simple XOR.
- Exfiltrating Documents (SMTP and/or FTP)
- Creating/Deleting Volume Shadow Copies
- Encrypting documents
- Dropping a ransomware note to the user's desktop
🔗 https://github.com/soufianetahiri/RansomwareSimulator.public
🐥 [ tweet ]
Here is the code of my #Ransomware simulator: https://t.co/iOlPkPL0xx
I ended up replacing AES with simple XOR.
- Exfiltrating Documents (SMTP and/or FTP)
- Creating/Deleting Volume Shadow Copies
- Encrypting documents
- Dropping a ransomware note to the user's desktop
🔗 https://github.com/soufianetahiri/RansomwareSimulator.public
🐥 [ tweet ]
😈 [ bitsadmin, Arris Huijgen ]
New blog post on my experiences with importing and querying large #BloodHound datasets using Neo4j's Cypher query language: https://t.co/Gux8V1ZJSJ. Utilities for importing large dumps available at https://t.co/n7yrzoIDDO.
🔗 https://blog.bitsadmin.com/blog/dealing-with-large-bloodhound-datasets
🔗 https://github.com/bitsadmin/chophound
🐥 [ tweet ]
New blog post on my experiences with importing and querying large #BloodHound datasets using Neo4j's Cypher query language: https://t.co/Gux8V1ZJSJ. Utilities for importing large dumps available at https://t.co/n7yrzoIDDO.
🔗 https://blog.bitsadmin.com/blog/dealing-with-large-bloodhound-datasets
🔗 https://github.com/bitsadmin/chophound
🐥 [ tweet ]
😈 [ n00py1, n00py ]
LAPSDumper can now export to CSV. Thanks to @NaisuBanana
https://t.co/sc0YJk5ITX
🔗 https://github.com/n00py/LAPSDumper/pull/5
🐥 [ tweet ]
LAPSDumper can now export to CSV. Thanks to @NaisuBanana
https://t.co/sc0YJk5ITX
🔗 https://github.com/n00py/LAPSDumper/pull/5
🐥 [ tweet ]
😈 [ daem0nc0re, daem0nc0re ]
Released a PoC for SeTrustedCredmanAccessPrivilege.
This PoC tries to get decrypted DPAPI blob for user account who execute it.
As far as I tested, it seems that SYSTEM integrity level is required to use this privilege.
https://t.co/XivEJdZS4Y
🔗 https://github.com/daem0nc0re/PrivFu#privilegedoperations
🐥 [ tweet ]
Released a PoC for SeTrustedCredmanAccessPrivilege.
This PoC tries to get decrypted DPAPI blob for user account who execute it.
As far as I tested, it seems that SYSTEM integrity level is required to use this privilege.
https://t.co/XivEJdZS4Y
🔗 https://github.com/daem0nc0re/PrivFu#privilegedoperations
🐥 [ tweet ]
😈 [ codewhitesec, Code White GmbH ]
Bypassing .NET Serialization Binders: case studies for DevExpress (CVE-2022-28684) and Microsoft Exchange (CVE-2022-23277) by @mwulftange https://t.co/G90Qg7gQ9m
🔗 https://codewhitesec.blogspot.com/2022/06/bypassing-dotnet-serialization-binders.html
🐥 [ tweet ]
Bypassing .NET Serialization Binders: case studies for DevExpress (CVE-2022-28684) and Microsoft Exchange (CVE-2022-23277) by @mwulftange https://t.co/G90Qg7gQ9m
🔗 https://codewhitesec.blogspot.com/2022/06/bypassing-dotnet-serialization-binders.html
🐥 [ tweet ]
😈 [ splinter_code, Antonio Cocomazzi ]
My blog series "The hidden side of Seclogon" continues with part 3: Racing for LSASS dumps 🔥
Enjoy the read :D
https://t.co/awa5i9ZoJE
🔗 https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html
🐥 [ tweet ]
My blog series "The hidden side of Seclogon" continues with part 3: Racing for LSASS dumps 🔥
Enjoy the read :D
https://t.co/awa5i9ZoJE
🔗 https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html
🐥 [ tweet ]
😈 [ SEKTOR7net, SEKTOR7 Institute ]
"Things that were hard to bear are sweet to remember."
- Seneca Minor
🐥 [ tweet ][ quote ]
"Things that were hard to bear are sweet to remember."
- Seneca Minor
🐥 [ tweet ][ quote ]
😈 [ metasploit, Metasploit Project ]
EfsPotato-efspotahto
https://t.co/1yskSWb6qD
🔗 https://youtu.be/QVorNIfY5Ow
🐥 [ tweet ]
EfsPotato-efspotahto
https://t.co/1yskSWb6qD
🔗 https://youtu.be/QVorNIfY5Ow
🐥 [ tweet ]
😈 [ _mohemiv, Arseniy Sharoglazov ]
💣 If you have access to a Windows machine, try to get NAA credentials via Impacket:
1. https://t.co/HfDmnqOOl7 -rpc-auth-level privacy -namespace '//./root/ccm/policy/Machine/ActualConfig' CONTOSO/user:pass@host
2. SELECT * FROM CCM_NetworkAccessAccount
Credits: @subat0mik
🔗 http://wmiquery.py
🐥 [ tweet ][ quote ]
💣 If you have access to a Windows machine, try to get NAA credentials via Impacket:
1. https://t.co/HfDmnqOOl7 -rpc-auth-level privacy -namespace '//./root/ccm/policy/Machine/ActualConfig' CONTOSO/user:pass@host
2. SELECT * FROM CCM_NetworkAccessAccount
Credits: @subat0mik
🔗 http://wmiquery.py
🐥 [ tweet ][ quote ]
😈 [ JasonFossen, Jason Fossen ]
How to host the PowerShell engine inside of Python and then run PowerShell code inside Python (and not spawn an external process):
https://t.co/kDal7LhP1e
#PowerShell #Python #SEC573 #SEC505 @MarkBaggett
🔗 https://devblogs.microsoft.com/powershell/hosting-powershell-in-a-python-noscript/
🐥 [ tweet ]
How to host the PowerShell engine inside of Python and then run PowerShell code inside Python (and not spawn an external process):
https://t.co/kDal7LhP1e
#PowerShell #Python #SEC573 #SEC505 @MarkBaggett
🔗 https://devblogs.microsoft.com/powershell/hosting-powershell-in-a-python-noscript/
🐥 [ tweet ]
😈 [ Tarlogic, Tarlogic ]
#ZeroTrust is one of the trending concepts in the #cybersecurity world. But the hype around it is perhaps a bit excessive. In this article, we explain why... 👇
https://t.co/hUiMeq6bnR
🔗 https://www.tarlogic.com/blog/demystifying-zero-trust/
🐥 [ tweet ]
#ZeroTrust is one of the trending concepts in the #cybersecurity world. But the hype around it is perhaps a bit excessive. In this article, we explain why... 👇
https://t.co/hUiMeq6bnR
🔗 https://www.tarlogic.com/blog/demystifying-zero-trust/
🐥 [ tweet ]
😈 [ itm4n, Clément Labro ]
@splinter_code Yeaaaaaaaah! Love this series! 😀
Recently, I also tested this technique to evade the LSASS dump detection. cc @k4nfr3
👉 https://t.co/e0rZHBcWZN
Overriding the first occurrence of "lsass.pdb" seems to be enough but of course there are plenty of ways to achieve the same result.
🔗 https://www.bussink.net/lsass-minidump-file-seen-as-malicious-by-mcafee-av/
🐥 [ tweet ]
@splinter_code Yeaaaaaaaah! Love this series! 😀
Recently, I also tested this technique to evade the LSASS dump detection. cc @k4nfr3
👉 https://t.co/e0rZHBcWZN
Overriding the first occurrence of "lsass.pdb" seems to be enough but of course there are plenty of ways to achieve the same result.
🔗 https://www.bussink.net/lsass-minidump-file-seen-as-malicious-by-mcafee-av/
🐥 [ tweet ]
😈 [ PortSwiggerRes, PortSwigger Research ]
Bypassing Firefox's HTML Sanitizer API by @garethheyes
https://t.co/ePGrxxTVDW
🔗 https://portswigger.net/research/bypassing-firefoxs-html-sanitizer-api
🐥 [ tweet ]
Bypassing Firefox's HTML Sanitizer API by @garethheyes
https://t.co/ePGrxxTVDW
🔗 https://portswigger.net/research/bypassing-firefoxs-html-sanitizer-api
🐥 [ tweet ]
😈 [ __mez0__, 𝓂ε乙0 ]
Obfuscating Reflective DLL Memory Regions with Timers: https://t.co/dxLLXjmZui
🔗 https://mez0.cc/posts/vulpes-obfuscating-memory-regions/
🐥 [ tweet ]
Obfuscating Reflective DLL Memory Regions with Timers: https://t.co/dxLLXjmZui
🔗 https://mez0.cc/posts/vulpes-obfuscating-memory-regions/
🐥 [ tweet ]
🤯1
😈 [ NinjaParanoid, Paranoid Ninja (Brute Ratel C4) ]
Recorded a video demonstration explaining full thread stack spoofing. Video includes Process Hacker for POC. Should be useful for both analysts on hunting suspicious threads and mapped regions in memory, unless of course someone is using Brute Ratel C4 🙂
https://t.co/qB6hzJESR9
🔗 https://youtu.be/7EheXiC3MJE
🐥 [ tweet ]
Recorded a video demonstration explaining full thread stack spoofing. Video includes Process Hacker for POC. Should be useful for both analysts on hunting suspicious threads and mapped regions in memory, unless of course someone is using Brute Ratel C4 🙂
https://t.co/qB6hzJESR9
🔗 https://youtu.be/7EheXiC3MJE
🐥 [ tweet ]
😈 [ joehowwolf, William Burgess ]
Ever wanted to make your sketchy sys calls look squeaky clean? I wrote a blog demonstrating a PoC which calls NtOpenProcess to grab a handle to lsass with an arbitrary/spoofed call stack: https://t.co/SWLenJazWW
PoC: https://t.co/jChX0KJrL8
🔗 https://labs.withsecure.com/blog/spoofing-call-stacks-to-confuse-edrs/
🔗 https://github.com/countercept/CallStackSpoofer
🐥 [ tweet ]
Ever wanted to make your sketchy sys calls look squeaky clean? I wrote a blog demonstrating a PoC which calls NtOpenProcess to grab a handle to lsass with an arbitrary/spoofed call stack: https://t.co/SWLenJazWW
PoC: https://t.co/jChX0KJrL8
🔗 https://labs.withsecure.com/blog/spoofing-call-stacks-to-confuse-edrs/
🔗 https://github.com/countercept/CallStackSpoofer
🐥 [ tweet ]