😈 [ ly4k_, Oliver Lyak ]
Certipy reached 1k stars on GitHub. Let’s celebrate with a brand new version, new research, a forked BloodHound GUI with ADCS support, and many new features, for instance Schannel authentication via LDAPS, SSPI authentication, and much more!
https://t.co/h85p3cCO1N
🔗 https://research.ifcr.dk/certipy-4-0-esc9-esc10-bloodhound-gui-new-authentication-and-request-methods-and-more-7237d88061f7
🐥 [ tweet ]
👹 [ snovvcrash, sn🥶vvcr💥sh ]
[#HackTip ⚒] A cool technique for initial AD access during a pentest. Got a Cisco IP Phone nearby? Congrats, you’re (almost) a domain user!
#pentest #ad #cisco
🔗 https://www.trustedsec.com/blog/seeyoucm-thief-exploiting-common-misconfigurations-in-cisco-phone-systems/
🔗 https://www.n00py.io/2022/01/unauthenticated-dumping-of-usernames-via-cisco-unified-call-manager-cucm/
🔗 https://github.com/llt4l/iCULeak.py
🐥 [ tweet ]
😈 [ ntlmrelay, Ring3API ]
📌How Does Windows Execute Shortcuts (.LNK)? - by @LabsSentinel
➡️https://t.co/azJmSz7A5T
#BlueTeam #ThreatHunting #DFIR
🔗 https://www.sentinelone.com/labs/who-needs-macros-threat-actors-pivot-to-abusing-explorer-and-other-lolbins-via-windows-shortcuts/
🐥 [ tweet ]
😈 [ mariuszbit, mgeeky | Mariusz Banach ]
☢️OFFICE_VBA VBE7.dll AMSI picks up on SaveToFile(.exe)
but sees no problem with saving the same PE MZ to DLL
¯\_(ツ)_/¯
Just as I pointed out in my Modern Initial Access slides:
Office VBA -> File Dropper -> DLL Side-Loading -> Teams/Defender/Anything
🐥 [ tweet ]
😈 [ mariuszbit, mgeeky | Mariusz Banach ]
☢️ Backdooring Office Structures. Part 1: The Oldschool
I've just published a blog post touching on different payload hiding strategies within macro-enabled Office documents.
The first part touches on the basics, whilst Part 2 will reveal my novel technique.
https://t.co/8XLuYbnEqU
🔗 https://bit.ly/3vKKZaZ
🐥 [ tweet ]
Pentester's Promiscuous Notebook (by snovvcrash).pdf
7 MB
I decided to play around with a GitBook trial subscription for the feature that exports the Pentester's Promiscuous Notebook space to PDF (there were many requests in DMs). I don't know what you need it for, but everything is for the people, as they say.
Here you go, sign for it.
👹 [ snovvcrash, sn🥶vvcr💥sh ]
🧶 (1/3) PCredz in Docker Thread
I’m a big fan of the #Impacket multi-relay feature that not only allows an attacker to keep multiple relay targets alive, but can also be used for performing both #NTLM relay AND #hashes dump at the same time ⏬
https://t.co/EZtH02ynTN
#pentest
🔗 https://www.secureauth.com/blog/we-love-relaying-credentials-a-technical-guide-to-relaying-credentials-everywhere/
🐥 [ tweet ]
👹 [ snovvcrash, sn🥶vvcr💥sh ]
🧶 (2/3) Unfortunately, I couldn’t get it working recently (no idea why), so I decided to use another great tool PCredz (👋🏻 @porchetta_ind) to capture hashes directly from my network interface. That also failed due to the Cython bug with Python 3.10 ⏬
https://t.co/sX0Q6Pchyz
🔗 https://stackoverflow.com/a/70454853/6253579
🐥 [ tweet ]
👹 [ snovvcrash, sn🥶vvcr💥sh ]
(3/3) 🧶 So I decided to come up with a quick Dockerfile for PCredz. Feel free to use the snovvcrash/pcredz image (available on Docker Hub) if you find yourself in a similar situation!
https://t.co/rTf6PDiykA
🔗 https://github.com/snovvcrash/PCredz
🐥 [ tweet ]
😈 [ icyguider, icyguider ]
MEGA TOOL UPDATE! I've added a ton of new features to my C++ shellcode loader. These include GetSyscallStub integration, OLLVM support, Module Stomping, DLL Proxy generation, new sandbox evasion options, and storing your shellcode as an English word list!
https://t.co/XZUXwvfYk8
🔗 https://github.com/icyguider/Shhhloader
🐥 [ tweet ]
😈 [ ORCA10K, ORCA ]
After some struggling, it was done: a 217-byte custom dynamic shellcode that can download and run your payload from a webpage: https://t.co/cSXEHDLBif
🔗 https://gitlab.com/ORCA000/d.rdynamicshellcode
🐥 [ tweet ]
😈 [ Haus3c, Ryan ]
Pushed an update to PowerZure for some bug fixes but more importantly to remove the AzureAD PS Module requirement. It's all Graph API requests now for AAD functions. https://t.co/d7sGB1PO0K
🔗 https://github.com/hausec/PowerZure/commit/ff52222a1cfa6f756f384d53df6609f04e316a9a
🐥 [ tweet ]
😈 [ x86matthew, x86matthew ]
ClipboardInject - Abusing the clipboard to inject code into remote processes
This PoC uses the clipboard to copy a payload into a remote process, eliminating the need for VirtualAllocEx / WriteProcessMemory.
https://t.co/eELCUgAg80
🔗 https://www.x86matthew.com/view_post?id=clipboard_inject
🐥 [ tweet ]
😈 [ bohops, bohops ]
Sometimes, you just gotta
rundll32.exe -sta {clsid}
https://t.co/eaNSgO1sFy
🔗 https://lolbas-project.github.io/lolbas/Binaries/Rundll32/
🐥 [ tweet ]
😈 [ bohops, bohops ]
Other great 'rundll32' resources:
- https://t.co/IWbd6yMonw
- https://t.co/mtpH4mRkfX
- https://t.co/eaNSgO1sFy
🔗 https://nasbench.medium.com/a-deep-dive-into-rundll32-exe-642344b41e90
🔗 https://redcanary.com/threat-detection-report/techniques/rundll32/
🔗 https://lolbas-project.github.io/lolbas/Binaries/Rundll32/
🐥 [ tweet ][ quote ]
😈 [ dr4k0nia, dr4k0nia ]
New blog post for HInvoke. It allows calling .NET runtime functions or accessing properties using only hashes as identifiers. Reducing obvious identifiers for analysts. Post also includes a little trick to avoid using PInvoke.
https://t.co/thYuk3NoQ5
🔗 https://dr4k0nia.github.io/dotnet/coding/2022/08/10/HInvoke-and-avoiding-PInvoke.html
🐥 [ tweet ]