[ n00py @n00py1 ]
The craziest BloodHound art I've made yet (password sharing clusters)
plagiarism - it's obviously Striped Bagel
Offensive Xwitter
[ Elliot @ElliotKillick ] Perfect DLL Hijacking: It's now possible with the latest in security research. Building on previous insights from @NetSPI, we reverse engineer the Windows library loader to disable the infamous Loader Lock and achieve ShellExecute…
[ Elliot @ElliotKillick ]
The full and open source code used in "Perfect DLL Hijacking" has now been released on GitHub: LdrLockLiberator
https://github.com/ElliotKillick/LdrLockLiberator
[ Almond OffSec @AlmondOffSec ]
Understanding the different types of LDAP authentication methods is fundamental to apprehend subjects such as relay attacks or countermeasures. This post by @lowercase_drm introduces them through the lens of Python libraries.
https://offsec.almond.consulting/ldap-authentication-in-active-directory-environments.html
[ sinusoid @the_bit_diddler ]
Ever wanted to create Defender exclusions non-interactively?
Support for local and remote systems? ✔️
Ability to revert said changes? ✔️
Support processes, paths, and extensions? ✔️
BOF? ✔️
C# ✔️
Code is public:
https://github.com/EspressoCake/DefenderPathExclusions
https://github.com/EspressoCake/Defender-Exclusions-Creator-BOF
[ Craig Rowland - Agentless Linux Security @CraigHRowland ]
Daily Linux whoami:
$(echo -e "\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x77\x68\x6f\x61\x6d\x69")
[ Antonio Cocomazzi @splinter_code ] Do you want to start the RemoteRegistry service without Admin privileges? Just write into the "winreg" named pipe
[ Geiseric @Geiseric4 ]
Following @splinter_code's idea, you can also start RemoteRegistry remotely. This way you can check on which server DAs are connected, in case you want to dump their creds. This script could help:
It works from a low privileged user
https://gist.github.com/GeisericII/6849bc86620c7a764d88502df5187bd0
[ Thomas Seigneuret @_zblurx ]
New feature in #NetExec : S4U2Self and S4U2Proxy support and automation with --delegate and --self
It allows you to abuse KCD with protocol transition and RBCD automatically in NetExec, and use directly all the postex functionalities 🔥
For example with RBCD 👇🏻
[ Antonio Cocomazzi @splinter_code ]
The slides of our joint research talk "10 Years of Windows Privilege Escalation with Potatoes" at #POC2023 are out!
cc @decoder_it
https://github.com/antonioCoco/infosec-talks/blob/main/10_years_of_Windows_Privilege_Escalation_with_Potatoes.pdf
Attachment: 10_years_of_Windows_Privilege_Escalation_with_Potatoes.pdf (1.6 MB)
[ @yunginnanet ]
this was meant to be a simple debugging tool, but ended up being a full barebones, concurrent RFC1928 (SOCKS5) server. unnecessarily fast, very simple.
gophers that are interested in learning SOCKS5 protocol may find this useful (hopefully someone does)
https://gist.github.com/yunginnanet/c84f831a4ac39eada5609ce0319f8d54
[ 5pider @C5pider ]
LdrLibraryEx.
A small x64 library to load PEs into memory.
https://github.com/Cracked5pider/LdrLibraryEx
[ Charlie Clark @exploitph ]
Finally updated my RitM tool with the DES TGT session roasting code if anyone is interested.
Reminder, this isn't intended to be attack-ready code!
The attack is described in detail in my DES post (currently pinned to my profile).
https://github.com/0xe7/RoastInTheMiddle/pull/1
thanks @Michaelzhm for the nudge
[ S4ntiagoP @s4ntiago_p ]
🔥 New blogpost 🔥
Running PEs inline without a console.
You now can, for example, run PowerShell in CobaltStrike and obtain its output without spawning any process (including conhost.exe)
https://www.coresecurity.com/core-labs/articles/running-pes-inline-without-console
[ S3cur3Th1sSh1t @ShitSecure ]
Today I needed to decrypt Veeam stored credentials. As existing toolings failed and/or manual decryption for a lot of passwords was too much effort I wrote a small assembly to do the whole job:
https://github.com/S3cur3Th1sSh1t/SharpVeeamDecryptor
[ Rémi GASCOU (Podalirius) @podalirius_ ]
In my latest article, discover the depth of the msDS-KeyCredentialLink attribute used in ShadowCredentials attacks and how to parse it. Plus, discover a Python library, pydsinternals, that simplifies the parsing process.
Check it out:
https://podalirius.net/en/articles/parsing-the-msds-keycredentiallink-value-for-shadowcredentials-attack/
[ an0n @an0n_r0 ]
playing against an #AV/#EDR: when almost everything failed, finally, loaded @chvancooten's #NimPlant using my custom stager based on @hasherezade's libPeConv and managed to execute what I wanted, #Rubeus with built-in execute-assembly (#AMSI bypass + #ETW block). never give up :)
and who was it that made execute-assembly, eh, eh, eh
[ Matt Creel @Tw1sm ]
New post
Taking a look at compromising Slack access on both Windows and macOS. New BOF included!
https://posts.specterops.io/abusing-slack-for-offensive-operations-part-2-19fef38cc967
[ S3cur3Th1sSh1t @ShitSecure ] Today I needed to decrypt Veeam stored credentials. As existing toolings failed and/or manual decryption for a lot of passwords was too much effort I wrote a small assembly to do the whole job: https://github.com/S3cur…
[ an0n @an0n_r0 ]
super useful, thanks ;) actually, the best manual post-exploitation decryption howto is provided by Veeam itself: :)
https://www.veeam.com/kb4349