👹 [ snovvcrash, sn🥶vvcr💥sh ]
🧵 (4/x) And now *tada* I can get my machine account certificate on a fully patched Windows 10 ⏬
🐥 [ tweet ]
👹 [ snovvcrash, sn🥶vvcr💥sh ]
🧵 (5/x) Check out @Flangvik’s stream to know more about ADCSPwn usage: https://t.co/nG8gRKo3rn
🔗 https://youtu.be/W9pUCVxe59Q
🐥 [ tweet ]
😈 [ _dirkjan, Dirk-jan ]
Working on some tooling, and managed to get PRT injection during browser sign-in working with Selenium. If you steal a PRT from a hybrid/compliant device, you can use this to "upgrade" the sign-in of other users, to comply with conditional access policies requiring this status.
🐥 [ tweet ]
😈 [ m3g9tr0n, Spiros Fraganastasis ]
Similar to Petitpotam, the netdfs service is enabled in Windows Server and AD environments, and the abused RPC method allows privileged processes to access malicious pipes for exploitation https://t.co/DtcR08PDTN
🔗 https://github.com/crisprss/magicNetdefs
🐥 [ tweet ]
😈 [ d4rckh, d4rckh ]
btw, i made a very simple http redirector (also in nim) which can be used with probably any c2 you can imagine
https://t.co/GMfRMpXrSV #redteam
🔗 https://github.com/d4rckh/http-redirector
🐥 [ tweet ]
😈 [ tifkin_, Lee Christensen ]
User password/doc syncing in corporate environments is dangerous. I've seen many corporate users - particularly IT admins - with Chrome Password sync enabled or LastPass/1Pass installed.
The home computer the DA password is synced to that their kids use doesn't have <FancyEDR>
🐥 [ tweet ]
😈 [ vinopaljiri, Jiří Vinopal ]
Using #Powershell based on .NET >= 5 or .NET Core (so also the latest Powershell on Linux/Windows) you can easily and natively manipulate PE files and do things like in the picture below (ML processing of .data section strings using #StringSifter) 🙃🙌👍
🐥 [ tweet ]
😈 [ NinjaParanoid, Chetan Nayak (Brute Ratel C4) ]
Amongst all EDRs, SentinelOne applies the most userland hooks, not only in DLLs but also in a few other places. So, I decided to make a brief video explaining its hooks & traps in memory, & how #BruteRatel evades it. Video contains light reversing and dev!!
https://t.co/WdS0z4PSyD
🔗 https://www.youtube.com/watch?v=qakZwswi5Jw
🐥 [ tweet ]
😈 [ ORCA10K, ORCA ]
Released a PoC of Perun's Fart by #sektor7, which patches ntdll with a fresh copy read from a suspended process, thus unhooking your syscalls
https://t.co/y3LKQrwOJL
🔗 https://gitlab.com/ORCA000/perunsfart
🐥 [ tweet ]
😈 [ BlWasp_, BlackWasp ]
PAPAPA NOUVELLE PR!
My first PR on CrackMapExec: I have implemented the read and backup functions of the https://t.co/HQleAKcVrm Impacket script in an LDAP module for #CME with some improvements.
For the moment, the write functions are not possible.
https://t.co/NCdsjlsStA
🔗 https://github.com/Porchetta-Industries/CrackMapExec/pull/610
🐥 [ tweet ]
😈 [ HuskyHacksMK, Matt | HuskyHacks ]
🔬A new section has been added to PMAT and it's available for everyone!
I've added a new sample to teach simple x86 binary patching methodology.
📚Lesson: https://t.co/cIuqUKd4Fw
🦠Lab Repo: https://t.co/apbskSMBkY
🔗 https://notes.huskyhacks.dev/notes/on-patching-binaries
🔗 https://github.com/HuskyHacks/PMAT-labs/tree/main/labs/2-4.BinaryPatching/SimplePatchMe
🐥 [ tweet ]
😈 [ httpyxel, yxel ]
DeathSleep: A PoC implementation for an evasion technique to terminate the current thread and restore it before resuming execution, while implementing page protection changes during no execution.
https://t.co/rR7FnuVvA8
🔗 https://github.com/janoglezcampos/DeathSleep
🐥 [ tweet ]
😈 [ DirectoryRanger, DirectoryRanger ]
Good series by @martinsohndk:
🔗 https://improsec.com/tech-blog/o83i79jgzk65bbwn1fwib1ela0rl2d
🔗 https://improsec.com/tech-blog/sid-filter-as-security-boundary-between-domains-part-2-known-ad-attacks-from-child-to-parent
🔗 https://improsec.com/tech-blog/sid-filter-as-security-boundary-between-domains-part-3-sid-filtering-explained
🔗 https://improsec.com/tech-blog/sid-filter-as-security-boundary-between-domains-part-4-bypass-sid-filtering-research
🔗 https://improsec.com/tech-blog/sid-filter-as-security-boundary-between-domains-part-5-golden-gmsa-trust-attack-from-child-to-parent
🔗 https://improsec.com/tech-blog/sid-filter-as-security-boundary-between-domains-part-6-schema-change-trust-attack-from-child-to-parent
🔗 https://improsec.com/tech-blog/sid-filter-as-security-boundary-between-domains-part-7-trust-account-attack-from-trusting-to-trusted
🐥 [ tweet ]
😈 [ ShitSecure, S3cur3Th1sSh1t ]
Really like the “Malware Dev” posts from @0xPat, good read for everyone interested in that topic. Especially good for the basics 👌🔥
https://t.co/iRl72r4yz9
🔗 https://0xpat.github.io/
🐥 [ tweet ]
😈 [ podalirius_, Podalirius ]
[#thread 🧵] This weekend I wrote a #tool to scan for @TheApacheTomcat server #vulnerabilities in networks. I've always dreamed to be able to retrieve the list of computers in a #Windows #domain and scan for vulnerable #Apache #Tomcats automatically! 🎉
https://t.co/EOWfTbFCRh
🔗 https://github.com/p0dalirius/ApacheTomcatScanner/
🐥 [ tweet ]
😈 [ mariuszbit, mgeeky | Mariusz Banach ]
Can confirm - a nice DLL side-loading against Defender's executable.
Step 1:
copy "%ProgramFiles%\Windows Defender\NisSrv.exe" C:\Users\Public
Step 2:
g++ --shared -o C:\Users\Public\mpclient.dll proxy.cpp
Step 3:
"%WinDir%\Users\Public\NisSrv.exe"
Tasty Initial Access 🔥
🐥 [ tweet ][ quote ]
😈 [ ORCA10K, ORCA ]
decided to build libraries to help in malware development, so far I've done only little, but here it is:
https://t.co/d0AfK2ypr0
🔗 https://github.com/MalwareApiLib/MalwareApiLibrary
🐥 [ tweet ]
😈 [ MDSecLabs, MDSec ]
"Fourteen Ways to Read the PID for the Local Security Authority Subsystem Service" - @modexpblog
presents some lesser known techniques for enumerating LSASS PIDs https://t.co/o7uzJpA0Iq
🔗 https://www.mdsec.co.uk/2022/08/fourteen-ways-to-read-the-pid-for-the-local-security-authority-subsystem-service-lsass/
🐥 [ tweet ]
😈 [ R0h1rr1m, Furkan Göksel ]
Another technique, Call Stack Spoofing, is in Nim right now! I developed the pure Nim version of the Call Stack Spoofing method thanks to @joehowwolf's PoC and blogpost. You can find the repository below.
https://t.co/R7y34dQaYu
🔗 https://github.com/frkngksl/NimicStack
🐥 [ tweet ]