[ _Kudaes_, Kurosh Dabbagh ]
Unwinder, another approach to Thread Stack Spoofing by walking PE's unwind information. This technique allows you to automatically create "any" desired call stack by parsing .pdata structures.
It took me a little bit longer than expected, but worth the effort!
https://t.co/9gUEanOHeC
https://github.com/Kudaes/Unwinder
[ tweet ]
[ theluemmel, ADCluemmelSec ]
Always good to have some NotCovenant running on a fully fledged Defender EDR system ^^
Thx @assume_breach for his cool writeups lately:
https://t.co/jAyRonr2sF
https://assume-breach.medium.com/
[ tweet ]
[ _dirkjan, Dirk-jan ]
The video recording of my Black Hat talk this summer "Backdooring and Hijacking Azure AD Accounts by Abusing External Identities" made it to YouTube: https://t.co/yOwxDB8reo
https://www.youtube.com/watch?v=uKDS2t9_KsA
[ tweet ]
[ gladiatx0r, Maximus ]
Just a reminder that if LDAP(S) signing/binding is not enforced then you can still LPE on any Windows workstation. Awesome video demo by @vendetce shows you how. Alternatively start Webclient programmatically https://t.co/TCanM8C6Ai or switch out P.P. for https://t.co/3i83NdpQzc
https://gist.github.com/klezVirus/af004842a73779e1d03d47e041115797
https://github.com/nccgroup/Change-Lockscreen
[ tweet ][ quote ]
[ pdiscoveryio, ProjectDiscovery.io ]
Proxify - A portable CLI-based HTTP/Socks proxy written in Golang https://t.co/6M9dHWGtWo
#hackwithautomation #proxy #security #opensource
https://blog.projectdiscovery.io/proxify-portable-cli-based-proxy/
[ tweet ]
[ Synacktiv, Synacktiv ]
Our ninjas @yaumn_ and @mickaelweb recently assessed Microsoft Defender for Identity detection capabilities. In their recent blogpost, they describe the product's architecture, present some bypasses and give general Red Team advice. https://t.co/tuBoWYEVQ9
https://www.synacktiv.com/publications/a-dive-into-microsoft-defender-for-identity.html
[ tweet ]
[ _EthicalChaos_, Ceri ]
@_RastaMouse Python via choco is great, all fluid and just works. A Hyper-V VM with Windows 11 on + choco is awesome attacking machine. I have WSL on there as backup but rarely use, even for relaying
[ tweet ]
Good advice for a Windows setup from Ethical Chaos.
A cool story about SPN-less RBCD from Linux without Rubeus 👇🏻
https://threadreaderapp.com/thread/1595814518558543874.html
(with Rubeus it goes like this)
Threadreaderapp
Thread by @snovvcrash on Thread Reader App
@snovvcrash: 🧵 (1/x) I know you love #pentest stories, so here's one of those ⬇️ There's a non-DC computer (Victim) that is a member of the Exchange Trusted Subsystem group and has DCSync privs. The WebClient...
[ i_bo0om, Bo0oM ]
Defending against automatization using nginx
https://t.co/MTsVPFxDsJ
https://speakerdeck.com/bo0om/defending-against-automatization-using-nginx
[ tweet ]
[ OutflankNL, Outflank ]
KerberosAsk is the latest addition to our OST offering. It is a fully inline BOF implementation of some of the core Kerberos commands from Rubeus/Kekeo.
Ask a TGT, a service ticket or exploit CVE-2022-33679. Also works with certs to support your ADCS magic.
Demo below. ⬇️ (1/3)
[ tweet ]
[ an0n_r0, an0n ]
ntfsDump: just found this from @3gstudent (and used successfully for reading ntds.dit on a DC):
https://t.co/hFGhEg2eYH
similar to the powershell version Invoke-Ninjacopy, but this time it is a c++ binary. sometimes it is better to have a binary than a PS (for opsec reasons).
https://github.com/3gstudent/ntfsDump
[ tweet ]
[ SkelSec, SkelSec ]
minikerberos got a public update v0.3.5 (pip+github):
Supports RC4_MD4 auth
CVE2022-33647 added
CVE2022-33679 added
RC4-TGS-REP ticket decryptor with NT hashes added (read: no need to know password)
Thx to @porchetta_ind supporters!
https://t.co/VdSkb0DEkv
https://github.com/skelsec/minikerberos/
[ tweet ]
[ EmpireC2Project, Empire ]
Interested in all the features that #EmpireC2Project has to offer? Check out our docs to stay up-to-date!
https://t.co/rR7JV1C55s
http://empirec2project.com
[ tweet ]
[ t3l3machus, Panagiotis Chartas ]
New & simple tool for quickly and easily locating, web hosting and transferring resources (e.g., exploits/enumeration scripts) from your filesystem to a victim machine during privilege escalation.
Also supports PUT requests so you can transfer files from victim to attacker box.
https://github.com/t3l3machus/wwwtree
[ tweet ]
[ sadreck, Pavel ]
Fresh out the oven, Spartacus DLL Hijacking Discovery all-in-one!
- Utilises SysInternals ProcMon
- Built-in ProcMon raw config/log parser/generator
- Auto-generate DLL proxies including their Exports
- Ability to process huge ProcMon outputs
https://t.co/GfVRULiE0R
https://github.com/Accenture/Spartacus
[ tweet ]
[ jdu2600, John U ]
@_xpn_ Published a blog with an updated script that should detect each (known) class of bypass.
https://t.co/TmkBL2oWlE
https://www.elastic.co/security-labs/get-injectedthreadex-detection-thread-creation-trampolines
[ tweet ]
Following up on https://blog.xpnsec.com/undersanding-and-evading-get-injectedthread/
[ aceb0nd, Acebond (acebond@infosec.exchange) ]
@an0n_r0 @3gstudent https://t.co/nTA2o87ies I made this and it works with execute-assembly to stay in memory.
https://github.com/RedCursorSecurityConsulting/NTFSCopy
[ tweet ]
[ ustayready, Mike Felch ]
Want to create great phishing links using an open-redirect on https://t.co/PMEpjfi11c? While they don't last forever, they are a great way to trick unsuspecting victims into clicking a legit looking URL before expiring! https://t.co/au1tGZgHQ1 Follow the 🧵 for how it works...
http://www.google.com
https://gist.github.com/ustayready/3ba2e4b1a4ec3cdad188f0f7d0dc4b73
[ tweet ]
[ _choisec, Sunggwan Choi ]
Finished the RTO2 course and passed the CRTL exam during the Thanksgiving break. Wrote a review blog post on the course, lab, and the exam.
https://t.co/hkxthto8wL
Thank you @_RastaMouse for yet another great course. Wonder when the "RTO3 when" meme will start.
https://blog.sunggwanchoi.com/red-team-ops-2-review/
[ tweet ]
[ ShitSecure, S3cur3Th1sSh1t ]
Found a vhdx/vmdk/vhd file in a network share? Volumiser from @_EthicalChaos_ has you covered to exfiltrate e.g. SAM/SYSTEM to compromise the system via Administrator Pass-The-Hash:
https://t.co/OMiWBOVaS8
Really easy and intuitive to use
https://github.com/CCob/Volumiser
[ tweet ]