Offensive Xwitter
[ Lefteris Panos @lefterispan ]
Wrote a small C# tool that is able to make a network token using a certificate. Comes in handy in RTs ;)
https://github.com/nettitude/TokenCert
[ freefirex @freefirex2 ]
Saw some other folks realize it's actually really easy to use certificates to authenticate as other users on Windows if you have access to the API.
We're now releasing our previously internal make_token_cert BOF to auth using only a .pfx file :)
https://github.com/trustedsec/CS-Remote-OPs-BOF/blob/bc0cdd7997ebbf37a1cfee26be97eb3faa06ab50/src/Remote/make_token_cert/entry.c#L69
[ Daniel @0x64616e ]
Hash-based driver blocklists are insecure, because of how Authenticode signatures are computed. Nothing new, but not as well known as it should be.
https://github.com/akkuman/gSigFlip
[ Synacktiv @Synacktiv ]
Oh, you didn't know? Cool kids are now relaying Kerberos over SMB.
Check out our latest blog post by @hugow_vincent to discover how to perform this attack:
https://www.synacktiv.com/publications/relaying-kerberos-over-smb-using-krbrelayx
[ silentwarble @silentwarble ]
Something Emerges:
https://github.com/MythicAgents/Hannibal
[ Matt Ehrnschwender @M_alphaaa ]
I'm trying to get better at keeping up with and publishing more on my blog. Here's a new post I just released on "Writing Beacon Object Files Without DFR".
https://blog.cybershenanigans.space/posts/writing-bofs-without-dfr/
[ @ChrisTruncer@infosec.exchange @christruncer ]
It's always awesome when we (@CISAGov) get to release a red team report that we worked on, and today is another one of those days!
Go check out our latest report and hopefully you can apply some of the same lessons to your environment!
https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-326a
[ Gigel Vrancea @GigelV41464 ]
Someone on my team asked me if there was a way I could prevent in-proc tools like a BOF from crashing the process.
After some research, I came to the conclusion that using RtlSetUnhandledExceptionFilter is the most elegant way to achieve this.
Read here:
https://luci4.net/blog/2024/11/13/EternalLife/
[ Volexity @Volexity ]
@Volexity's latest blog post describes in detail how a Russian APT used a new attack technique, the "Nearest Neighbor Attack", to leverage Wi-Fi networks in close proximity to the intended target, while the attacker was halfway around the world.
https://www.volexity.com/blog/2024/11/22/the-nearest-neighbor-attack-how-a-russian-apt-weaponized-nearby-wi-fi-networks-for-covert-access/
[ Yehuda Smirnov @yudasm_ ]
Excited to share a tool I've been working on - ShadowHound.
ShadowHound is a PowerShell alternative to SharpHound for Active Directory enumeration, using native PowerShell or ADModule (ADWS). As a bonus I also talk about some MDI detections and how to avoid them:
Blog:
https://blog.fndsec.net/2024/11/25/shadowhound/
Code:
https://github.com/Friends-Security/ShadowHound
[ PT SWARM @ptswarm ]
Our security researcher, Konstantin Polishin, presented "Red Team Social Engineering 2024: Initial Access TTP and Project Experience of Our Team" at #ROOTCON18.
Recording:
https://youtube.com/watch?v=6nnZJiL0Tgk
[ ap @decoder_it ]
I'm glad to release the tool I have been working hard on the last month: #KrbRelayEx
A Kerberos relay & forwarder for MiTM attacks!
>Relays Kerberos AP-REQ tickets
>Manages multiple SMB consoles
>Works on Win & Linux with .NET 8.0
>...
GitHub:
https://github.com/decoder-it/KrbRelayEx
[ RedTeam Pentesting @RedTeamPT ]
So we implemented parsing the security descriptors of shares and files in the beautiful smbclient-ng by @podalirius_
Here is our PR:
https://github.com/p0dalirius/smbclient-ng/pull/118
[ Check Point Research @_CPResearch_ ]
New Discovery! We uncovered an undocumented technique for executing commands through the #Godot #GameEngine. Exploited by #GodLoader, this method successfully bypassed most #antivirus software since June 2024, affecting over 17,000 potential victims.
https://research.checkpoint.com/2024/gaming-engines-an-undetected-playground-for-malware-loaders/
[ S3cur3Th1sSh1t @ShitSecure ]
Seven days ago @prac_sec released a blog post about patching CLR memory to bypass AMSI. This is now added to the AMSI Bypass Powershell repo as well:
https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell/tree/master?tab=readme-ov-file#Patching-Clr
https://practicalsecurityanalytics.com/new-amsi-bypss-technique-modifying-clr-dll-in-memory/
[ Layle @layle_ctf ]
In a somewhat recent project we used a vulnerable driver, which worked fine...
Except: the customer had a custom rule that caused an alert when a service is created!
Decided to write a tool that creates the registry keys and calls into NtLoadDriver:
https://github.com/ioncodes/SilentLoad
[ drm @lowercase_drm ]
Coffee break thoughts: "is it possible to bruteforce RPC endpoint to perform code exec if you can't access EPM/SMB?"
99% impacket atexec + 1% "for loop" = 100% prod ready
(silent command only)
h/t @saerxcit
https://gist.github.com/ThePirateWhoSmellsOfSunflowers/3673746454aef7d55a5efed4dc4e1a61
[ Mayfly @M4yFly ]
Goad v3 merged into the main branch.
GitHub:
https://github.com/Orange-Cyberdefense/GOAD
Doc:
https://orange-cyberdefense.github.io/GOAD/
[ blueblue @piedpiper1616 ]
GitHub - TheN00bBuilder/cve-2024-11477-writeup: CVE-2024-11477 7Zip Code Execution Writeup and Analysis
https://github.com/TheN00bBuilder/cve-2024-11477-writeup
[ Rasta Mouse @_RastaMouse ]
[BLOG]
This post summarises how to tie Cobalt Strike's UDRL, SleepMask, and BeaconGate together for your syscall and call stack spoofing needs.
https://rastamouse.me/udrl-sleepmask-and-beacongate/
[ Fabian Bader @fabian_bader ]
Windows Firewall and WFP are only two ways to silence an #EDR agent.
In my latest blog post I discuss another network-based technique to prevent data ingest and ways to detect it.
https://cloudbrothers.info/en/edr-silencers-exploring-methods-block-edr-communication-part-1/
And if you want even more, check out part 2 released by @Cyb3rMonk
[ Check Point Research @_CPResearch_ ]
A ransomware gang's Rust experiment naturally produced the kind of binary you "reverse-engineer" by staring at the strings and saying, "mm hm." Join us as we break through this technical barrier and gain some insight into ransomware author psychology.
https://research.checkpoint.com/2024/inside-akira-ransomwares-rust-experiment/