๐ [ Alh4zr3d, Alh4zr3d ]
Red Teamers, few Linux tips today:
Disable history (do first) -
"export HISTFILE=/dev/null"
Hide a command by masking it as syslogd -
"(exec -a syslogd nmap -T0 10.0.2.1/24)"
Start a background hidden process as syslogd -
"exec -a syslogd nmap -T0 10.0.2.1/24 &>nmap.log &"
๐ฅ [ tweet ]
Red Teamers, few Linux tips today:
Disable history (do first) -
"export HISTFILE=/dev/null"
Hide a command by masking it as syslogd -
"(exec -a syslogd nmap -T0 10.0.2.1/24)"
Start a background hidden process as syslogd -
"exec -a syslogd nmap -T0 10.0.2.1/24 &>nmap.log &"
๐ฅ [ tweet ]
๐ [ theluemmel, ADCluemmelSec ]
Added a minor flag to the OfficeMemScraper.ps1 from @424f424f so you can dump e.g. msedge.exe with several running processes. The tool would otherwise overwrite the results on each iteration.
Based on the research from @mrd0x
https://t.co/PenD7ywK7X
https://t.co/5D3PMU5skf
๐ https://mrd0x.com/stealing-tokens-from-office-applications/
๐ https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/master/OfficeMemScraper.ps1
๐ฅ [ tweet ]
Added a minor flag to the OfficeMemScraper.ps1 from @424f424f so you can dump e.g. msedge.exe with several running processes. The tool would otherwise overwrite the results on each iteration.
Based on the research from @mrd0x
https://t.co/PenD7ywK7X
https://t.co/5D3PMU5skf
๐ https://mrd0x.com/stealing-tokens-from-office-applications/
๐ https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/master/OfficeMemScraper.ps1
๐ฅ [ tweet ]
๐ [ _RastaMouse, Rasta Mouse ]
I made an experimental fork of @_EthicalChaos_'s https://t.co/DxNcYHEY9r project. Basically, just replaced the use of P/Invoke with D/Invoke and Win32 APIs with Nt APIs.
There are lots of untested code paths, so YMMV.
https://t.co/dnmgRborgD
๐ http://MinHook.NET
๐ https://github.com/rasta-mouse/MinHook.NET
๐ฅ [ tweet ]
I made an experimental fork of @_EthicalChaos_'s https://t.co/DxNcYHEY9r project. Basically, just replaced the use of P/Invoke with D/Invoke and Win32 APIs with Nt APIs.
There are lots of untested code paths, so YMMV.
https://t.co/dnmgRborgD
๐ http://MinHook.NET
๐ https://github.com/rasta-mouse/MinHook.NET
๐ฅ [ tweet ]
๐ [ VirtualAllocEx, Daniel Feichter ]
Nice blog post by @Microsoft in cooperation with AV-Comparatives about "Detecting and preventing LSASS credential dumping attacks"
https://t.co/0tML7Heax5
#itsec #itsicherheit #itsecurity #endpointsecurity #antivirus #lsass
๐ https://www.microsoft.com/security/blog/2022/10/05/detecting-and-preventing-lsass-credential-dumping-attacks/
๐ฅ [ tweet ]
Nice blog post by @Microsoft in cooperation with AV-Comparatives about "Detecting and preventing LSASS credential dumping attacks"
https://t.co/0tML7Heax5
#itsec #itsicherheit #itsecurity #endpointsecurity #antivirus #lsass
๐ https://www.microsoft.com/security/blog/2022/10/05/detecting-and-preventing-lsass-credential-dumping-attacks/
๐ฅ [ tweet ]
๐ [ Tw1sm, Matt Creel ]
Created python tooling for the "Roast in the Middle" attack demoed/described by @exploitph in his recent PoC and research. Supports ARP spoofing to targets/gateway - if you can enum usernames and sniff an AS-REQ, basically allows for "unauth kerberoast" ๐คฏ https://t.co/Hdn3wuIx7b
๐ https://github.com/Tw1sm/RITM
๐ฅ [ tweet ]
Created python tooling for the "Roast in the Middle" attack demoed/described by @exploitph in his recent PoC and research. Supports ARP spoofing to targets/gateway - if you can enum usernames and sniff an AS-REQ, basically allows for "unauth kerberoast" ๐คฏ https://t.co/Hdn3wuIx7b
๐ https://github.com/Tw1sm/RITM
๐ฅ [ tweet ]
๐ฅ1
๐น [ snovvcrash, sn๐ฅถvvcr๐ฅsh ]
Woo-hoo, thereโs a new kid in town for initial access credential acquiring! As we know from @mohemiv research, we donโt necessarily need SPNs for Kerberoasting, so itโs time to get ready for RID Cycling with ntlmrelayx[.]py ๐
https://twitter.com/snovvcrash/status/1506286522655461386
๐ฅ [ tweet ][ quote ]
Woo-hoo, thereโs a new kid in town for initial access credential acquiring! As we know from @mohemiv research, we donโt necessarily need SPNs for Kerberoasting, so itโs time to get ready for RID Cycling with ntlmrelayx[.]py ๐
https://twitter.com/snovvcrash/status/1506286522655461386
๐ฅ [ tweet ][ quote ]
๐ [ eversinc33, eversinc33 ]
Had some fun implementing the trampoline technique to make sure all syscalls go through NTDLL into the Nim HellsGate implementation by zimawhit3. Thank you @passthehashbrwn for the blog on hiding syscalls! (https://t.co/YfUqAglams)
https://t.co/IicLY1WkY4
๐ https://passthehashbrowns.github.io/hiding-your-syscalls
๐ https://github.com/eversinc33/HellsGate-Trampoline
๐ฅ [ tweet ]
Had some fun implementing the trampoline technique to make sure all syscalls go through NTDLL into the Nim HellsGate implementation by zimawhit3. Thank you @passthehashbrwn for the blog on hiding syscalls! (https://t.co/YfUqAglams)
https://t.co/IicLY1WkY4
๐ https://passthehashbrowns.github.io/hiding-your-syscalls
๐ https://github.com/eversinc33/HellsGate-Trampoline
๐ฅ [ tweet ]
๐ [ Alh4zr3d, Alh4zr3d ]
Red Teamers, following my previous tweet on hiding procs, now we hide SSH connections:
"ssh -o UserKnownHostsFile=/dev/null -T user@target.com 'bash -i'"
Your user:
- is not added to /var/log/utmp
- won't appear in w or who cmd
- has no .profile or .bash_profile
#redteaming
๐ฅ [ tweet ]
Red Teamers, following my previous tweet on hiding procs, now we hide SSH connections:
"ssh -o UserKnownHostsFile=/dev/null -T user@target.com 'bash -i'"
Your user:
- is not added to /var/log/utmp
- won't appear in w or who cmd
- has no .profile or .bash_profile
#redteaming
๐ฅ [ tweet ]
๐ฅ1
๐ [ HackingLZ, Justin Elze ]
This is awesome Meterpreter Gets BOF loader support for all your offensive needs. https://t.co/01W4UNgD1d
๐ https://www.rapid7.com/blog/post/2022/10/07/metasploit-weekly-wrap-up-179/
๐ฅ [ tweet ]
This is awesome Meterpreter Gets BOF loader support for all your offensive needs. https://t.co/01W4UNgD1d
๐ https://www.rapid7.com/blog/post/2022/10/07/metasploit-weekly-wrap-up-179/
๐ฅ [ tweet ]
๐ [ 0xcsandker, Carsten ]
Needed to find where a certain GPO was applied to during last engagement. Hadn't something ready to grab, so now I have. Inline and readable-friendly wrapped code here: https://t.co/EMJ2rJqvYn
๐ https://gist.github.com/csandker/950d11632534c86012ab9c7cb592b7b5
๐ฅ [ tweet ]
Needed to find where a certain GPO was applied to during last engagement. Hadn't something ready to grab, so now I have. Inline and readable-friendly wrapped code here: https://t.co/EMJ2rJqvYn
๐ https://gist.github.com/csandker/950d11632534c86012ab9c7cb592b7b5
๐ฅ [ tweet ]
๐ [ m3g9tr0n, Spiros Fraganastasis ]
PeNet is a parser for Windows Portable Executable headers. It completely written in C# and does not rely on any native Windows APIs. Furthermore it supports the creation of Import Hashes (ImpHash), which is a feature often used in malware analysis. https://t.co/MPZvqvocfO
๐ https://github.com/secana/PeNet
๐ฅ [ tweet ]
PeNet is a parser for Windows Portable Executable headers. It completely written in C# and does not rely on any native Windows APIs. Furthermore it supports the creation of Import Hashes (ImpHash), which is a feature often used in malware analysis. https://t.co/MPZvqvocfO
๐ https://github.com/secana/PeNet
๐ฅ [ tweet ]
๐ [ KlezVirus, d3adc0de ]
[Video] The 4th episode of my series about Inceptor is out: "Empowering Donut with Direct and Indirect Syscalls".
In this video, we'll show how it is possible to improve the donut loader by intergating it with SW3.
https://t.co/xNK4HNz9qS
๐ https://youtu.be/ypX7N4498xE
๐ฅ [ tweet ]
[Video] The 4th episode of my series about Inceptor is out: "Empowering Donut with Direct and Indirect Syscalls".
In this video, we'll show how it is possible to improve the donut loader by intergating it with SW3.
https://t.co/xNK4HNz9qS
๐ https://youtu.be/ypX7N4498xE
๐ฅ [ tweet ]
๐ [ ippsec, ippsec ]
Starting to play more with Elastic, so just published a video installing v8 it on Ubuntu 22. Really impressed with Fleet so far, the last time I played with Elastic it was a PITA keeping all the agent configs in sync. Fleet's auto update of agents is magic https://t.co/fbQkWgbJKW
๐ https://www.youtube.com/watch?v=Ts-ofIVRMo4
๐ฅ [ tweet ]
Starting to play more with Elastic, so just published a video installing v8 it on Ubuntu 22. Really impressed with Fleet so far, the last time I played with Elastic it was a PITA keeping all the agent configs in sync. Fleet's auto update of agents is magic https://t.co/fbQkWgbJKW
๐ https://www.youtube.com/watch?v=Ts-ofIVRMo4
๐ฅ [ tweet ]
๐ [ dec0ne, Mor Davidovich ]
Introducing ShadowSpray, it's like password spray but with shadow credentials. More info in the repo.
Huge thanks to @elad_shamir for the amazing technique and to @harmj0y (and others) for the implementation in Rubeus from which a lot of code was taken.
https://t.co/nIsnmaitfw
๐ https://github.com/Dec0ne/ShadowSpray/
๐ฅ [ tweet ]
Introducing ShadowSpray, it's like password spray but with shadow credentials. More info in the repo.
Huge thanks to @elad_shamir for the amazing technique and to @harmj0y (and others) for the implementation in Rubeus from which a lot of code was taken.
https://t.co/nIsnmaitfw
๐ https://github.com/Dec0ne/ShadowSpray/
๐ฅ [ tweet ]
Forwarded from Ralf Hacker Channel (Ralf Hacker)
ะะพะฒะพะปัะฝะพ ะธะฝัะตัะตัะฝะฐั ััะฐััั, ะบะฐะบ ะพะฑั
ะพะดะธัั EDR ั ะฟะพะผะพััั python)))
https://www.naksyn.com/edr%20evasion/2022/09/01/operating-into-EDRs-blindspot.html
#redteam #pentest #bypass
https://www.naksyn.com/edr%20evasion/2022/09/01/operating-into-EDRs-blindspot.html
#redteam #pentest #bypass