Microsoft Threat Intelligence Python Security Tools.
msticpy is a library for InfoSec investigation and hunting in Jupyter Notebooks. It includes functionality to:
query log data from multiple sources
enrich the data with Threat Intelligence, geolocations and Azure resource data
extract Indicators of Activity (IoA) from logs and unpack encoded data
perform sophisticated analysis such as anomalous session detection and time series decomposition
visualize data using interactive timelines, process trees and multi-dimensional Morph Charts
It also includes some time-saving notebook tools such as widgets to set query time boundaries, select and display items from lists, and configure the notebook environment.
https://github.com/microsoft/msticpy
Cobalt Strike Beacon Object File (BOF) that uses WinStationConnect API to perform local/remote RDP session hijacking. With a valid access token / kerberos ticket (e.g., golden ticket) of the session owner, you will be able to hijack the session remotely without dropping any beacon/tool on the target server.
https://github.com/netero1010/RDPHijack-BOF
A Linux eBPF rootkit with a backdoor, C2, library injection, execution hijacking, persistence and stealth capabilities.
https://github.com/h3xduck/TripleCross
BokuLoader: Cobalt Strike User-Defined Reflective Loader written in Assembly and C for advanced evasion capabilities
Stomp MZ Magic Bytes
Find-Self EggHunter
Direct NT Syscalls via HellsGate & HalosGate
PE Header Obfuscation
PE String Replacement
NOHEADERCOPY - Loader will not copy headers over to beacon. Decommits the first memory page which would normally hold the headers
NoRWX - The Reflective loader writes beacon with Read & Write permissions and after resolving Beacons Import Table & Relocations, changes the .TEXT code section of Beacon to Read & Execute permissions
XGetProcAddress for resolving symbols
100k UDRL Size
Caesar Cipher for string obfuscation
Prepend ASM Instructions
https://github.com/xforcered/BokuLoader
SeBackupPrivilegePoC
https://github.com/daem0nc0re/PrivFu/blob/main/PrivilegedOperations/SeBackupPrivilegePoC/SeBackupPrivilegePoC.cs
From daem0nc0re/PrivFu: kernel-mode WinDbg extension and PoCs for token privilege investigation.
All About Bug Bounty
Collection of notes on the most important bug bounty related topics.
https://github.com/daffainfo/AllAboutBugBounty
#bugbounty
RDLL (requires SeDebugPrivilege) will automatically locate the Sysmon process and patch its EtwEventWrite API, causing Sysmon to malfunction while the process and its threads keep running.
https://github.com/ScriptIdiot/SysmonQuiet
#redteam
hijagger
This tool checks every maintainer of every package in the NPM and Python PyPI registries for unregistered domains or unregistered MX records on those domains. If a domain is unregistered, you can grab the domain and initiate a password reset on the account if it has no two-factor authentication enabled. This enables you to hijack a package and do whatever you want with it.
https://github.com/firefart/hijagger
tor_ip_switcher is useful for making any DoS attack look like a DDoS attack. Works with toriptables2.
https://github.com/ruped24/tor_ip_switcher
Abusing forgotten permissions on computer objects in Active Directory for lateral movement:
tl;dr:
First run BloodHound and use the ACL script to find the misconfigured computer accounts in Active Directory, then use a Resource-Based Constrained Delegation attack to dump credentials (using the impacket tools).
https://dirkjanm.io/abusing-forgotten-permissions-on-precreated-computer-objects-in-active-directory/
#redteam #activedirectory
Decompiler Explorer! Compare tools at the forefront of static analysis, now in your web browser:
https://binary.ninja/2022/07/13/introducing-decompiler-explorer.html
https://dogbolt.org/
https://github.com/decompiler-explorer/decompiler-explorer
The iscsicpl.exe binary is vulnerable to DLL search order hijacking when the 32-bit Microsoft binary is run on a 64-bit host via SysWOW64. The 32-bit binary searches the user's %Path% for the DLL iscsiexe.dll. This can be exploited using a proxy DLL to execute code via "iscsicpl.exe", as autoelevate is enabled.
https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC
#UACbypass #redteaming
Mangle is a tool that manipulates aspects of compiled executables (.exe or DLL) to avoid detection from EDRs
https://github.com/optiv/Mangle
pretender, a cross-platform tool to obtain a machine-in-the-middle position inside Windows networks in the spirit of Responder and mitm6.
https://blog.redteam-pentesting.de/2022/introducing-pretender/
https://github.com/RedTeamPentesting/pretender
Randy
This is a pre-authenticated RCE exploit for Inductive Automation Ignition that impacts versions <= 8.1.16. We failed to exploit the bugs at Pwn2Own Miami 2022 because we had a sloppy exploit and no debug environment, but since then we have found the time and energy to improve it!
https://github.com/sourceincite/randy
Intercepter-NG 1.2
* SSL MiTM rewritten (SNI support)
* SSL Strip updated
* X-Scan updated
+ Forced capturing on PPP interfaces
********
+ Captive Portal test template
- eXtreme mode, iOS killer
- Heartbleed exploit
- DHCP\RAW Mode
* WayBack Mode (restores hidden modes)
* OUI db updated
* Fixes, improvements, optimizations
********
http://sniff.su/download.html
PowerView.py is an alternative to the awesome original PowerView.ps1 script. Most of the modules used in PowerView are available in this project (some of the flags are changed).
Interesting Features
Embedded user session
Mini PowerView.py console to make you feel at home when using PowerView in Powershell
Auto-completer, so no more memorizing commands
Cross-Domain interactions
https://github.com/aniqfakhrul/powerview.py
#powerview
LPE exploit for CVE-2022-34918. This exploit has been written for the Ubuntu Linux kernel 5.15.0-39-generic.
Blog:
https://www.randorisec.fr/crack-linux-firewall/
POC:
https://github.com/randorisec/CVE-2022-34918-LPE-PoC
#Linux #LPE