👹 [ snovvcrash, sn🥶vvcr💥sh ]
(3/4) Meanwhile, some v4tov4 port proxies are configured on the pivot point by the adversary via netsh 😈
🐥 [ tweet ]
(3/4) Meanwhile, some v4tov4 port proxies are configured on the pivot point by the adversary via netsh 😈
🐥 [ tweet ]
👹 [ snovvcrash, sn🥶vvcr💥sh ]
(4/4) After 90 to 120 minutes the GPO gets applied and the adversary receives a reverse shell / C2 agent on his box with a further ability to spawn a reverse SOCKS proxy 🎉
🐥 [ tweet ]
(4/4) After 90 to 120 minutes the GPO gets applied and the adversary receives a reverse shell / C2 agent on his box with a further ability to spawn a reverse SOCKS proxy 🎉
🐥 [ tweet ]
🔥2
👹 [ snovvcrash, sn🥶vvcr💥sh ]
(5/4) Not the last to be mentioned that GPOs are not the only way to coerce job execution on a group of targets. There’re also some lovely control centers that some commercial AV/EDR developers gently provide pentesters with 🤫
🐥 [ tweet ]
(5/4) Not the last to be mentioned that GPOs are not the only way to coerce job execution on a group of targets. There’re also some lovely control centers that some commercial AV/EDR developers gently provide pentesters with 🤫
🐥 [ tweet ]
😈 [ mariuszbit, Mariusz Banach ]
💎 Can't count in how many Active Directory audits this monstrous Cypher query helped me swiftly collect stats of a #BloodHound collection!⚡
Simply Find & Replace "contoso.com" w/ your target domain aaaand you have it
https://t.co/2ChJ1n7Qzo
Helpful? Lemme know!💀
🔗 https://github.com/mgeeky/Penetration-Testing-Tools/blob/master/red-teaming/bloodhound/Handy-BloodHound-Cypher-Queries.md
🐥 [ tweet ]
💎 Can't count in how many Active Directory audits this monstrous Cypher query helped me swiftly collect stats of a #BloodHound collection!⚡
Simply Find & Replace "contoso.com" w/ your target domain aaaand you have it
https://t.co/2ChJ1n7Qzo
Helpful? Lemme know!💀
🔗 https://github.com/mgeeky/Penetration-Testing-Tools/blob/master/red-teaming/bloodhound/Handy-BloodHound-Cypher-Queries.md
🐥 [ tweet ]
😈 [ 0xdf_, 0xdf ]
Undetected from @hackthebox_eu has me following in the steps of a previous attacker. There's an insecure PHP module, reversing a malicious kernel exploit and a backdoored sshd. Lots of Ghidra and understanding the attackers steps and reusing them.
https://t.co/ItYsl66OVM
🔗 https://0xdf.gitlab.io/2022/07/02/htb-undetected.html
🐥 [ tweet ]
Undetected from @hackthebox_eu has me following in the steps of a previous attacker. There's an insecure PHP module, reversing a malicious kernel exploit and a backdoored sshd. Lots of Ghidra and understanding the attackers steps and reusing them.
https://t.co/ItYsl66OVM
🔗 https://0xdf.gitlab.io/2022/07/02/htb-undetected.html
🐥 [ tweet ]
😈 [ HuskyHacksMK, Matt | HuskyHacks ]
the user said it looked safe🤦♂️ New PMAT bonus binary sample is up!
Difficulty: 🟨(med)
Available here (the labs are free and always will be):
https://t.co/YvMIe2D0DR
https://t.co/H9OaPt1XtJ
🔗 https://github.com/HuskyHacks/PMAT-labs/tree/main/labs/X-X.BonusBinaries/Dropper.installer.msi.malz
🔗 https://github.com/HuskyHacks/PMAT-labs
🐥 [ tweet ]
the user said it looked safe🤦♂️ New PMAT bonus binary sample is up!
Difficulty: 🟨(med)
Available here (the labs are free and always will be):
https://t.co/YvMIe2D0DR
https://t.co/H9OaPt1XtJ
🔗 https://github.com/HuskyHacks/PMAT-labs/tree/main/labs/X-X.BonusBinaries/Dropper.installer.msi.malz
🔗 https://github.com/HuskyHacks/PMAT-labs
🐥 [ tweet ]
😈 [ cry__pto, Ammar Amer🇸🇾 ]
AMSI Unchained: Review of Known AMSI Bypass Techniques and Introducing a New One
https://t.co/uGpsIOkplP
🔗 https://www.blackhat.com/asia-22/briefings/schedule/#amsi-unchained-review-of-known-amsi-bypass-techniques-and-introducing-a-new-one-26120
🐥 [ tweet ]
AMSI Unchained: Review of Known AMSI Bypass Techniques and Introducing a New One
https://t.co/uGpsIOkplP
🔗 https://www.blackhat.com/asia-22/briefings/schedule/#amsi-unchained-review-of-known-amsi-bypass-techniques-and-introducing-a-new-one-26120
🐥 [ tweet ]
😈 [ _nwodtuhs, Charlie Bromberg (Shutdown) ]
So apparently Microsoft ninja-patched two things lately in KB5014692 (06/14/2022)
1. ShadowCoerce (auth coercion abusing MS-FSRVP)
2. Self-RBCD trick to bypass limitations of Kerberos Constrained Delegation without Protocol Transition
Identified this with @Geiseric4 and @mkolsek
🐥 [ tweet ]
So apparently Microsoft ninja-patched two things lately in KB5014692 (06/14/2022)
1. ShadowCoerce (auth coercion abusing MS-FSRVP)
2. Self-RBCD trick to bypass limitations of Kerberos Constrained Delegation without Protocol Transition
Identified this with @Geiseric4 and @mkolsek
🐥 [ tweet ]
😈 [ mpgn_x64, mpgn ]
CrackMapExec version 5.3.0 "OPERATION C01NS 🪙" is now public 🎉🎉🎉
Lot's of new features and fixed issues. All private features from the @porchetta_ind repo have been integrated to the public repository (rdp, audit mode, laps winrm etc)🚀
https://t.co/ozLmJNyUmn
🔗 https://github.com/Porchetta-Industries/CrackMapExec/releases/tag/v5.3.0
🔗 https://mpgn.gitbook.io/crackmapexec/news-2022/operation-c01ns
🐥 [ tweet ]
CrackMapExec version 5.3.0 "OPERATION C01NS 🪙" is now public 🎉🎉🎉
Lot's of new features and fixed issues. All private features from the @porchetta_ind repo have been integrated to the public repository (rdp, audit mode, laps winrm etc)🚀
https://t.co/ozLmJNyUmn
🔗 https://github.com/Porchetta-Industries/CrackMapExec/releases/tag/v5.3.0
🔗 https://mpgn.gitbook.io/crackmapexec/news-2022/operation-c01ns
🐥 [ tweet ]
GitHub
Release 5.3.0 - Operation C01NS · Porchetta-Industries/CrackMapExec
More on https://mpgn.gitbook.io/crackmapexec/
What's Changed
Add RDP protocol thanks to @skelsec
Set computer accounts as owned in BloodHound by @snovvcrash in #532
fix filename for IPv6 on wi...
What's Changed
Add RDP protocol thanks to @skelsec
Set computer accounts as owned in BloodHound by @snovvcrash in #532
fix filename for IPv6 on wi...
😈 [ EricaZelic, malCOM ]
New UAC bypass credited to @filip_dragovic
https://t.co/yVo7xnbWJj
🔗 https://github.com/Wh04m1001/IDiagnosticProfileUAC
🐥 [ tweet ]
New UAC bypass credited to @filip_dragovic
https://t.co/yVo7xnbWJj
🔗 https://github.com/Wh04m1001/IDiagnosticProfileUAC
🐥 [ tweet ]
😈 [ ShitSecure, S3cur3Th1sSh1t ]
Just added the two new AMSI bypass PoC's via Provider Patching into my Amsi-Bypass-Powershell repo. Plus one PoC in Nim as pull request for OffensiveNim:
https://t.co/CSqnqAuUaz
https://t.co/4W8RSPuzVG
Tested both, works perfectly fine. 👌
🔗 https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell
🔗 https://github.com/byt3bl33d3r/OffensiveNim/pull/51
🐥 [ tweet ]
Just added the two new AMSI bypass PoC's via Provider Patching into my Amsi-Bypass-Powershell repo. Plus one PoC in Nim as pull request for OffensiveNim:
https://t.co/CSqnqAuUaz
https://t.co/4W8RSPuzVG
Tested both, works perfectly fine. 👌
🔗 https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell
🔗 https://github.com/byt3bl33d3r/OffensiveNim/pull/51
🐥 [ tweet ]
😈 [ mrd0x, mr.d0x ]
Nothing too crazy in this blog post, but thought it may be useful for some people. Enjoy!
Social engineering your way into the network.
https://t.co/uPVBiClrXc
🔗 https://mrd0x.com/social-engineering-your-way-into-the-network/
🐥 [ tweet ]
Nothing too crazy in this blog post, but thought it may be useful for some people. Enjoy!
Social engineering your way into the network.
https://t.co/uPVBiClrXc
🔗 https://mrd0x.com/social-engineering-your-way-into-the-network/
🐥 [ tweet ]
😈 [ ReconOne_, ReconOne ]
Easy trick: From Shodan to nuclei one liner 👇🔥
Credits: @pdnuclei, @PhilippeDelteil
#recontips #AttackSurface #shodan #bugbountytips #nuclei #recon
🐥 [ tweet ]
Easy trick: From Shodan to nuclei one liner 👇🔥
Credits: @pdnuclei, @PhilippeDelteil
#recontips #AttackSurface #shodan #bugbountytips #nuclei #recon
🐥 [ tweet ]
😈 [ M4yFly, Mayfly ]
GOAD v2 is out !
You can now test your AD commands and pentest skill on a multi-domain AD lab.
Have fun :)
https://t.co/Rpawi6FFl8
https://t.co/pKN8WwSDli
🔗 https://github.com/Orange-Cyberdefense/GOAD
🔗 https://mayfly277.github.io/posts/GOADv2/
🐥 [ tweet ]
GOAD v2 is out !
You can now test your AD commands and pentest skill on a multi-domain AD lab.
Have fun :)
https://t.co/Rpawi6FFl8
https://t.co/pKN8WwSDli
🔗 https://github.com/Orange-Cyberdefense/GOAD
🔗 https://mayfly277.github.io/posts/GOADv2/
🐥 [ tweet ]
😈 [ _nwodtuhs, Charlie Bromberg (Shutdown) ]
Did you know the WriteOwner ACE doesn't allow to change an object's owner arbitrarily? If userA has that privilege against userB, he can set userB's owner to itself, userA. That's it.
You'd need SeRestorePrivilege to set the owner to any other user.
Thanks @BlWasp_ for the info!
🔗 https://github.com/SecureAuthCorp/impacket/pull/1323
🐥 [ tweet ]
Did you know the WriteOwner ACE doesn't allow to change an object's owner arbitrarily? If userA has that privilege against userB, he can set userB's owner to itself, userA. That's it.
You'd need SeRestorePrivilege to set the owner to any other user.
Thanks @BlWasp_ for the info!
🔗 https://github.com/SecureAuthCorp/impacket/pull/1323
🐥 [ tweet ]
😈 [ tiraniddo, James Forshaw ]
Opened up one of my RCG bugs, you could use a Kerberos relay attack to authenticate as that user to an RDP server due to a lack of user checking in the ticket authentication process. https://t.co/MvGmjYa5sm
🔗 https://bugs.chromium.org/p/project-zero/issues/detail?id=2268
🐥 [ tweet ]
Opened up one of my RCG bugs, you could use a Kerberos relay attack to authenticate as that user to an RDP server due to a lack of user checking in the ticket authentication process. https://t.co/MvGmjYa5sm
🔗 https://bugs.chromium.org/p/project-zero/issues/detail?id=2268
🐥 [ tweet ]
😈 [ s4ntiago_p, S4ntiagoP ]
Ok, a few updates on nanodump:
1) implemented a cool new technique by @splinter_code where seclogon opens a handle to LSASS and then you duplicate it by winning a race condition using file locks
2) now you can call NtOpenProcess with a fake calling stack and produce fake telemetry, got it from @joehowwolf
https://t.co/nRVmSuZ9qP
🔗 https://github.com/helpsystems/nanodump/commit/c890da208511bacb09f91c68b935915821f4f0f0
🐥 [ tweet ]
Ok, a few updates on nanodump:
1) implemented a cool new technique by @splinter_code where seclogon opens a handle to LSASS and then you duplicate it by winning a race condition using file locks
2) now you can call NtOpenProcess with a fake calling stack and produce fake telemetry, got it from @joehowwolf
https://t.co/nRVmSuZ9qP
🔗 https://github.com/helpsystems/nanodump/commit/c890da208511bacb09f91c68b935915821f4f0f0
🐥 [ tweet ]