Offensive Xwitter
~$ socat TWITTER-LISTEN:443,fork,reuseaddr TELEGRAM:1.3.3.7:31337

Disclaimer: https://t.me/OffensiveTwitter/546
😈 [ Clement Rouault @hakril ]

In our search for new forensic artifacts at @ExaTrack, we sometimes deep dive into Windows Internals.
This one is about COM and interacting with remote objects using a custom python LRPC Client.

STUBborn: Activate and call DCOM objects without proxy:

🔗 https://blog.exatrack.com/STUBborn/

🐥 [ tweet ]
👍3🔥1
😈 [ eversinc33 🤍🔪⋆｡˚ ⋆ @eversinc33 ]

Wanted to learn a bit about the .NET Common Intermediate Language (CIL) and programmatically modifying assemblies, so I wrote a quick automated deobfuscator for @dr4k0nia's XorStringsNet string obfuscator and a mini blog post:

🔗 https://eversinc33.com/posts/unxorstringsnet.html

🐥 [ tweet ]
👍5
😈 [ ap @decoder_it ]

A short and light post on one of my favorite topics: spotting and exploiting GPO misconfigurations, nothing too technical, just the basics! 😅

🔗 https://decoder.cloud/2024/11/08/group-policy-security-nightmares-pt-1/

🐥 [ tweet ]
🔥6
😈 [ Octoberfest7 @Octoberfest73 ]

There are some interesting detections for U2U/UnPAC the hash in certipy/Rubeus/Mimikatz/impacket based on TGS ticket options. Did some tinkering and by removing a few flags you can shake detection while still recovering the NT hash from a TGT.

🔗 https://medium.com/falconforce/falconfriday-detecting-unpacing-and-shadowed-credentials-0xff1e-2246934247ce

🐥 [ tweet ]
👍8🤔2
😈 [ Outflank @OutflankNL ]

New Blog Alert! 🚨 Introducing Early Cascade Injection, a stealthy process injection technique that targets Windows process creation, avoids cross-process APCs, and evades top-tier EDRs. Learn how it combines Early Bird APC Injection…
😈 [ 5pider @C5pider ]

Reimplemented the Early Cascade Injection technique documented by the @OutflankNL team

The code is boring but the blog post was very interesting to read, especially when it came to how the process is initialized and how LdrInitializeThunk works. Cheers

🔗 https://github.com/Cracked5pider/earlycascade-injection

🐥 [ tweet ]
🔥4🥱3👍2
😈 [ Usman Sikander @UsmanSikander13 ]

7 methods to dump lsass memory. This is a powerful tool that provides users an option to extract data from lsass memory.

🔗 https://github.com/Offensive-Panda/ShadowDumper

🐥 [ tweet ]
👍7🥱2🔥1🍌1
😈 [ Rtl Dallas @RtlDallas ]

KrakenMask is back with more opsec

🔗 https://github.com/NtDallas/KrakenMask

🐥 [ tweet ]
🔥7
😈 [ 7eRoM @7eRoM ]

While verifying the PE digital signature in Windows kernel, I encountered several new terms and concepts, such as PKCS7, ASN.1, calculating the thumbprint, and verifying signatures.

🔗 https://github.com/7eRoM/tutorials/tree/main/Verifying%20Embedded%20PE%20Signature

🐥 [ tweet ]
👍4🥱1
😈 [ Steven @0xthirteen ]

I've always thought Seatbelt was a great situational awareness tool, so I created a Python implementation of it. Due to the nature of how I expect it to run, it only implements the remote modules, but I hope someone finds it useful.

🔗 https://github.com/0xthirteen/Carseat

🐥 [ tweet ]
🔥3
😈 [ mpgn @mpgn_x64 ]

If you want to first blood a Windows box in @hackthebox_eu every minute counts! 🩸
I've added a special flag --generate-hosts-file so you just have to copy-paste into your /etc/hosts file and be ready to pwn as soon as possible 🔥

🐥 [ tweet ]
👍7🔥4😁4
😈 [ drm @lowercase_drm ]

TIL you can ask the DC to resolve a foreign security principal by querying the msds-principalname (hidden) attribute. The DC will use the trust secret to perform authentication against the foreign domain and then call LsarLookupSids3 (so it even works with selective auth).

πŸ₯ [ tweet ]
πŸ‘3
😈 [ Octoberfest7 @Octoberfest73 ]

This is a neat blog post on some of the new features in the 4.10 release of Cobalt Strike from @RWXstoned

🔗 https://rwxstoned.github.io/2024-11-13-Cobalt-Strike-customization/

🐥 [ tweet ]
🔥4
😈 [ Zerotistic @gegrgtezrze ]

Excited to share my latest blog post: "Breaking Control Flow Flattening: A Deep Technical Analysis"

I showcase usage of formal proofs and graph theory to automate CFF deobfuscation, among other things!
Might make it a talk...? 👀

🔗 https://zerotistic.blog/posts/cff-remover/

🐥 [ tweet ]
🤯2😁1
😈 [ NetSPI @NetSPI ]

Introducing PowerHuntShares 2.0 Release!

NetSPI VP of Research @_nullbind introduces new insights, charts, graphs, & LLM capabilities that can be used to map the relationships & risks being exposed through the network shares:

🔗 https://www.netspi.com/blog/technical-blog/network-pentesting/powerhuntshares-2-0-release/

🐥 [ tweet ]
🔥5🥱3👍1
😈 [ John Hammond @_JohnHammond ]

Supply chain malware from an infected game mod 🤯😱 Long-form reverse engineering and a WILD ride: Binary Ninja, x64dbg, 010 Editor, PEB walking, reworking API function hashing in Python, DLL search-order hijacking, hooked functions & more. MASSIVE video:

🔗 https://youtu.be/bvyklJ5Wie0?si=c0TSvALbx1ch21rZ

🐥 [ tweet ]
🔥11👍5
😈 [ Lefteris Panos @lefterispan ]

Wrote a small C# tool that is able to make a network token using a certificate. Comes in handy in RTs ;)

🔗 https://github.com/nettitude/TokenCert

🐥 [ tweet ][ quote ]
🔥7🥱2
😈 [ NCV @nickvourd ]

I just published Local Admin In Less Than 60 Seconds (Part 1)

In this post, I present Part 1 of my latest @BSidesAth presentation. I hope you enjoy it 😃

PS: There are Easter eggs inside for @taso_x, @tkalahan, and of course, @S1ckB0y1337.

🔗 https://medium.com/@nickvourd/local-admin-in-less-than-60-seconds-part-1-e2a0c0102b99

🐥 [ tweet ]
👍4
😈 [ freefirex @freefirex2 ]

Saw some other folks realize it's actually really easy to use certificates to authenticate as other users on Windows if you have access to the API.

We're now releasing our previously internal make_token_cert BOF to auth using only a .pfx file :)

🔗 https://github.com/trustedsec/CS-Remote-OPs-BOF/blob/bc0cdd7997ebbf37a1cfee26be97eb3faa06ab50/src/Remote/make_token_cert/entry.c#L69

🐥 [ tweet ]
👍9
😈 [ Daniel @0x64616e ]

Hash-based driver blocklists are insecure, because of how Authenticode signatures are computed. Nothing new, but not as well known as it should be.

🔗 https://github.com/akkuman/gSigFlip

🐥 [ tweet ]
🔥10