RedTeam feed – Telegram
RedTeam blogposts and articles collection
Unmanaged .NET Patching
#outflank

To execute .NET post-exploitation tools safely, operators may want to modify certain managed functions. For example, some C# tools use the .NET standard library to terminate their process after execution. This may not be an issue for fork&run implementations that spawn a sacrificial process, but executing in-process will terminate an implant. One could write a small .NET program that resolves and patches these functions, but we were interested in an unmanaged approach (i.e. an unmanaged implant executing managed code in-process). While our example targets System.Environment.Exit, a similar technique should work for any managed function.

In January 2022, I uploaded a functional example of this approach to my personal GitHub. However, the implementation was a part of a larger project, and I’ve received a few questions about the technique, so I created this standalone example and writeup.

via Outflank Blog (author: Kyle Avery)
Introducing custom scan checks to Burp Suite Enterprise Edition
#portswigger

BChecks, in a nutshell, are easy to use custom-created scan checks that enable you to extend the capabilities of Burp Scanner in a quick and simple way. We recently released BChecks to Burp Suite Prof

via PortSwigger Blog
PPID Spoofing & BlockDLLs with NtCreateUserProcess
#rastamouse

This week, Capt. Meelo released a great blog post on how to call the NtCreateUserProcess API as a substitute for the typical Win32 CreateProcess API. This post will build upon Meelo’s, so I highly encourage you to read it first. TL;DR, this code (not counting ntdll.h) is the bare minimum to spawn mmc.exe: #include <Windows.h> #include "ntdll.h" #pragma comment(lib, "ntdll") int main() { UNICODE_STRING NtImagePath; RtlInitUnicodeString(&NtImagePath, (PWSTR)L"\\??\\C:\\Windows\\System32\\mmc.exe"); PRTL_USER_PROCESS_PARAMETERS ProcessParameters = NULL; RtlCreateProcessParametersEx(&ProcessParameters, &NtImagePath, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, RTL_USER_PROCESS_PARAMETERS_NORMALIZED); PS_CREATE_INFO CreateInfo = { 0 }; CreateInfo.

via Offensive Defence Blog
Nt Token Theft
#rastamouse

Intro Grzegorz Tworek recently published some C code demonstrating how to steal and impersonate Windows tokens from a process. The standard way to do this is with the OpenProcess, OpenProcessToken, DuplicateTokenEx, and ImpersonateLoggedOnUser APIs. Grzegorz shows how to achieve the same using Nt* APIs, specifically NtOpenProcess, NtOpenProcessToken, NtDuplicateToken, and NtSetInformationThread. Because I’m a C# junky, I ported part of his code. This post will serve as a short walkthrough on how to “getsystem” by stealing and impersonating the token of a SYSTEM process.

via Offensive Defence Blog
What's new with BChecks?
#portswigger

Earlier this year, we released BChecks, a powerful yet simple scripting language that allows you to quickly build and create custom scan checks for anything you want to secure or test.

via PortSwigger Blog
Content Security Policy: Mitigating Web Vulnerabilities by Controlling the Rules of the Game
#trustedsec

Defining a Content Security Policy (CSP) for your web application can help harden the application against many common attacks. Mitigating XSS attacks is a significant component of CSP hardening, but CSP can protect…

via TrustedSec Blog (author: Drew Kirkpatrick)
Using Veeam metadata for efficient extraction of Backup artefacts (1/3)
#synacktiv

via Synacktiv Blog (author: Webmaster)
Active Directory Enumeration for Red Teams
#mdsec

The Directory Service is the heart and soul of many organisations, and whether it's Active Directory, OpenLDAP or something more exotic, as a source of much knowledge it often acts...

via MDSec Blog (author: Admin)
Offensive Lab Environments (Without the Suck)
#trustedsec

Have you ever been in an engagement where you need to test an evasive payload or technique, but you lack the time or resources to spin up a replica lab environment quickly? This blog will help clear that hurdle for…

via TrustedSec Blog (author: Travis Kaun)
Hello Lucee! Let us hack Apple again?
#projectdiscovery

Last year we conducted an in-depth analysis of multiple vulnerabilities within Adobe ColdFusion, we derived valuable insights, one of which revolved around CFM and CFC handling, parsing and execution. We wondered if there are any other CFML Servers. Does this ring a bell? Allow us to introduce Lucee.

via ProjectDiscovery Blog (author: Harsh Jaiswal)
Hardware Hacking: Plunder With a Bus Pirate
#trustedsec

For this blog, I'm going to assume you have a Bus Pirate, you are able to access its terminal, and you are ready to use it—but what are you going to use it on? Grab a digital multimeter (you can get something for around…

via TrustedSec Blog (author: Brian Berg)
Better Living Through OpenSSH Config Files
#redsiege

SSH is an incredibly valuable tool for penetration testing. It provides us with a secure channel for administering machines, remotely executing tools, transferring…

via RedSiege Blog (author: Justin Connors)
Delegated NT DLL
#odzhan

Introduction redplait and Adam/Hexacorn already documented this in 2017 and 2018 respectively, so it’s not a new discovery. Available since RedStone 2 released in April 2017. redplait states it was introduced with insider build 15007 that appeared in January 2017.

via modexp Blog (author: odzhan)
Top 10 web hacking techniques of 2023
#portswigger

Welcome to the Top 10 Web Hacking Techniques of 2023, the 17th edition of our annual community-powered effort to identify the most innovative must-read web security research published in the last year

via PortSwigger Research
🛠 HTMLSmuggler
#tool

Added smart bot detection to my HTMLSmuggler. Now it can detect headless bots and crawlers (e.g. secure mail gateways) and skip them.