[ Renzon @r3nzsec ]
I recently co-authored a @Unit42_Intel blog about a unique IR case in which a threat actor's custom EDR bypass (using #BYOVD) exposed their toolkit, methods, and even identity. Check out how we unmasked them through an opsec slip-up! #dfir
https://unit42.paloaltonetworks.com/edr-bypass-extortion-attempt-thwarted/
[ Cerbersec @cerbersec ]
nc -lvnp 4444
python -c 'import pty; pty.spawn("/bin/bash")'
sleep, mode
[ Clement Rouault @hakril ]
In our search for new forensic artifacts at @ExaTrack, we sometimes deep dive into Windows Internals.
This one is about COM and interacting with remote objects using a custom python LRPC Client.
STUBborn: Activate and call DCOM objects without proxy:
https://blog.exatrack.com/STUBborn/
[ eversinc33 @eversinc33 ]
Wanted to learn a bit about the .NET Common Intermediate Language (CIL) and programmatically modifying assemblies, so I wrote a quick automated deobfuscator for @dr4k0nia's XorStringsNet string obfuscator and a mini blog post:
https://eversinc33.com/posts/unxorstringsnet.html
[ ap @decoder_it ]
A short and light post on one of my favorite topics: spotting and exploiting GPO misconfigurations, nothing too technical, just the basics!
https://decoder.cloud/2024/11/08/group-policy-security-nightmares-pt-1/
[ Octoberfest7 @Octoberfest73 ]
There are some interesting detections for U2U/UnPAC the hash in certipy/rubeus/mimikatz/impacket based on TGS ticket options. Did some tinkering and by removing a few flags you can shake detection while still recovering the NT hash from a TGT.
https://medium.com/falconforce/falconfriday-detecting-unpacing-and-shadowed-credentials-0xff1e-2246934247ce
Offensive Xwitter
[ Outflank @OutflankNL ] New Blog Alert! Introducing Early Cascade Injection, a stealthy process injection technique that targets Windows process creation, avoids cross-process APCs, and evades top-tier EDRs. Learn how it combines Early Bird APC Injection…
[ 5pider @C5pider ]
Reimplemented the Early Cascade Injection technique documented by the @OutflankNL team
The code is boring but the blog post was very interesting to read, especially when it came to how the process is initialized and how LdrInitializeThunk works. Cheers
https://github.com/Cracked5pider/earlycascade-injection
[ Usman Sikander @UsmanSikander13 ]
7 Methods to dump lsass memory. This is a powerful tool that provides users with an option to extract data from lsass memory.
https://github.com/Offensive-Panda/ShadowDumper
[ Rtl Dallas @RtlDallas ]
KrakenMask is back with more opsec
https://github.com/NtDallas/KrakenMask
[ 7eRoM @7eRoM ]
While verifying the PE digital signature in Windows kernel, I encountered several new terms and concepts, such as PKCS7, ASN.1, calculating the thumbprint, and verifying signatures.
https://github.com/7eRoM/tutorials/tree/main/Verifying%20Embedded%20PE%20Signature
[ Steven @0xthirteen ]
I've always thought Seatbelt was a great situational awareness tool, so I created a python implementation of it. Due to the nature of how I expect it to run, it only implements the remote modules, but I hope someone finds it useful.
https://github.com/0xthirteen/Carseat
[ mpgn @mpgn_x64 ]
If you want to first blood a windows box in @hackthebox_eu every minute counts!
I've added a special flag
--generate-hosts-file so you just have to copy-paste it into your /etc/hosts file and be ready to pwn as soon as possible
[ drm @lowercase_drm ]
TIL you can ask the DC to resolve a foreign security principal by querying the msds-principalname (hidden) attribute. The DC will use the trust secret to perform authentication against the foreign domain and then call LsarLookupSids3 (so it even works with selective auth).
[ Octoberfest7 @Octoberfest73 ]
This is a neat blog post on some of the new features in the 4.10 release of Cobalt Strike from @RWXstoned
https://rwxstoned.github.io/2024-11-13-Cobalt-Strike-customization/
[ Zerotistic @gegrgtezrze ]
Excited to share my latest blog post: "Breaking Control Flow Flattening: A Deep Technical Analysis"
I showcase usage of formal proofs and graph theory to automate CFF deobfuscation, among other things!
Might make it a talk...?
https://zerotistic.blog/posts/cff-remover/
[ Binni Shah @binitamshah ]
x64 Assembly & Shellcoding 101
Part 1:
https://g3tsyst3m.github.io/shellcoding/assembly/debugging/x64-Assembly-&-Shellcoding-101/
Part 2:
https://g3tsyst3m.github.io/shellcoding/assembly/debugging/x64-Assembly-&-Shellcoding-101-Part-2/
Part 3:
https://g3tsyst3m.github.io/shellcoding/assembly/debugging/x64-Assembly-&-Shellcoding-101-Part-3/
Part 4:
https://g3tsyst3m.github.io/shellcoding/assembly/debugging/x64-Assembly-&-Shellcoding-101-Part-4/
Part 5:
https://g3tsyst3m.github.io/shellcoding/assembly/debugging/x64-Assembly-&-Shellcoding-101-Part-5/
Part 6:
https://g3tsyst3m.github.io/shellcoding/assembly/debugging/x64-Assembly-&-Shellcoding-101-Part-6/
credits @G3tSyst3m
#for_the_very_little_ones
[ NetSPI @NetSPI ]
Introducing PowerHuntShares 2.0 Release!
NetSPI VP of Research @_nullbind introduces new insights, charts, graphs, & LLM capabilities that can be used to map the relationships & risks being exposed through the network shares:
https://www.netspi.com/blog/technical-blog/network-pentesting/powerhuntshares-2-0-release/
[ John Hammond @_JohnHammond ]
Supply chain malware from an infected game mod. Long-form reverse engineering and a WILD ride: Binary Ninja, x64dbg, 010 Editor, PEB walking, reworking API function hashing in Python, DLL search-order hijacking, hooked functions & more. MASSIVE video:
https://youtu.be/bvyklJ5Wie0?si=c0TSvALbx1ch21rZ
[ Lefteris Panos @lefterispan ]
Wrote a small C# tool that is able to make a network token using a certificate. Comes handy in RTs ;)
https://github.com/nettitude/TokenCert
[ NCV @nickvourd ]
I just published Local Admin In Less Than 60 Seconds (Part 1)
In this post, I present Part 1 of my latest @BSidesAth presentation. I hope you enjoy it
PS: There are Easter eggs inside for @taso_x, @tkalahan, and of course, @S1ckB0y1337.
https://medium.com/@nickvourd/local-admin-in-less-than-60-seconds-part-1-e2a0c0102b99