Revisiting the User-Defined Reflective Loader Part 2: Obfuscation and Masking
#cobaltstrike
This is the second installment in a series revisiting the User-Defined Reflective Loader (UDRL). In part one, we aimed to simplify the development and debugging of custom loaders and introduced the User-Defined Reflective Loader Visual Studio (UDRL-VS) template. In this installment, we’ll build upon the original UDRL-VS loader and explore how to apply our own [...]
via Cobalt Strike Blog (author: Robert Bearsby)
Finding a POP chain on a common Symfony bundle : part 1
#synacktiv
via Synacktiv Blog (author: Rémi Matasse)
New learning paths, from the Web Security Academy
#portswigger
When you're starting out in the world of web security, it can be overwhelming trying to work out where to begin. There are dozens of vulnerability classes, and numerous exploit techniques to learn abo
via PortSwigger Blog
Forwarded from r0 Crew (Channel)
Living Off The Land Drivers is a curated list of Windows drivers used by adversaries to bypass security controls and carry out attacks. The project helps security professionals stay informed and mitigate potential threats.
https://www.loldrivers.io/
#redteam #loldrivers #windows
Forwarded from r0 Crew (Channel)
Finding and exploiting process killer drivers with LOL for 3000$
In this article, I will introduce some kernel driver/internals theory and explain how to use the data in LOLDrivers to find interesting drivers. Finally, I will present 2 examples of vulnerable drivers and explain how to quickly reverse them and create a PoC to exploit them.
https://alice.climent-pommeret.red/posts/process-killer-driver/
#redteam #loldrivers #windows
Okta for Red Teamers
#trustedsec
For a long time, Red Teamers have been preaching the mantra “Don’t make Domain Admin the goal of the assessment” and it appears that customers are listening. Now, you’re much more likely to see objectives focused on services critical to an organization, with many being hosted in the cloud. With this shift in delegating some...
via TrustedSec Blog (author: Roza Maille)
Okta Delegated Authentication We’ll start with a technology offered to users deploying their Okta tenant alongside traditional on-prem Active Directory…
The Not So Pleasant Password Manager
#mdsec
Overview During a recent adversary simulation, the MDSec ActiveBreach red team were asked to investigate the organisation’s Password Manager solution, with the key objective of compromising stored credentials, ideally from...
via MDSec Blog (author: Admin)
Cobalt Strike 4.9: Take Me To Your Loader
#cobaltstrike
Cobalt Strike 4.9 is now available. This release sees an overhaul to Cobalt Strike’s post exploitation capabilities to support user defined reflective loaders (UDRLs), the ability to export Beacon without a reflective loader which adds official support for prepend-style UDRLs, support for callbacks in a number of built-in functions, a new in-Beacon data store and [...]
via Cobalt Strike Blog (author: Greg Darwin)
Reactive Progress and Tradecraft Innovation
#specterops
via SpecterOps Team Medium (author: Michael Barclay)
Detection as Prediction
Ghostwriter v4: 2FA, RBAC, and Logging, Oh My!
#specterops
via SpecterOps Team Medium (author: Christopher Maddalena)
Ghostwriter v4 is officially here! Technically, it’s been available as a release candidate for a while, but we have arrived at its final…
Basic Authentication Versus CSRF
#trustedsec
I was recently involved in an engagement where access was controlled by Basic Authentication. One (1) of the findings I discovered was a Cross-Site Request Forgery (CSRF) vulnerability. The client was unsure of the best approach to prevent CSRF in the context of using Basic Authentication. In this blog post, I will examine the security...
via TrustedSec Blog (author: Roza Maille)
DOM Invader and the case of direct eval vs indirect eval
#portswigger
What is DOM Invader? DOM Invader is a browser extension that makes it easy to find DOM based XSS by instrumenting various JavaScript functions. You can find out more about DOM Invader here: Introducin
via PortSwigger Blog
Introducing ntdissector, a swiss army knife for your NTDS.dit files
#synacktiv
via Synacktiv Blog (author: Julien Legras)
Legitimate exfiltration tools : summary and detection for incident response and threat hunting
#synacktiv
via Synacktiv Blog (author: Nathanael Ndong)
Evilginx Pro - The Future of Phishing
#kgretzky
I've teased the idea of Evilginx Pro long enough and I think it is finally time to make a proper reveal of what it exactly is.
Evilginx Pro will be a paid professional version of Evilginx, with extra features and added advanced reverse proxy anti-detection techniques, available only
via BREAKDEV Blog (author: Kuba Gretzky)
Nighthawk 0.2.6 – Three Wise Monkeys
#mdsec
Overview See no evil, hear no evil, speak no evil. This Japanese maxim epitomises the EDRs coming up against our latest release of Nighthawk. Following copious amounts of research and...
via MDSec Blog (author: Admin)
#tool #conference
📣 For those who have not seen the DEF CON 31 records yet
I prepared brief descriptions and links to my favorite ones 👇
👉 Spooky Authentication at a Distance by SkelSec - SSPI authentication (Kerberos or NTLM) proxy through VICTIM machine.
Tools:
🔧 wsnet - SSPI authentication and TCP traffic proxy server and client in Python 3.
🔧 wsnet-dotnet - same as wsnet, but only agent written in C#.
The speaker also demonstrated integration with msldap, aiosmb and octopwn, but these changes are not open source (for now, I hope).
👉 A Broken Marriage Abusing Mixed Vendor Kerberos Stacks by CCob - userPrincipalName abuse to authenticate to non-Microsoft Kerberos services (e.g. GSSAPI+Kerberos services like SSH, Postgres, etc.) integrated with Active Directory.
👉 SpamChannel - Spoofing Emails From 2M+ Domains & Virtually Becoming Satan by byt3bl33d3r - how to spoof a lot of domains using MailChannels to send phishing. Also the speaker talks about SPF, DKIM, DMARC and ARC.
Tools:
🔧 SpamChannel - CloudFlare worker to exploit this vulnerability.
⚠️ WARNING: This tool doesn't work anymore, because MailChannels now requires a Domain Lockdown Record in order to send emails from Cloudflare Workers. However, the relay may be exploited with a paid MailChannels account.
👉 ELECTRONizing MacOS Privacy - A New Weapon in Your Red Teaming Armory by _r3ggi - How to abuse Electron application to bypass Transparency, Consent and Control (TCC) restriction on macOS.
Tools:
🔧 electroniz3r - tool to enumerate and take over macOS Electron apps to bypass TCC.
👉 StackMoonwalk by KlezVirus, waldoirc and trickster012 - explanation of stack spoofing and presentation of a new technique, StackMoonwalk - fully dynamic call stack spoofing. The technique is implemented to remove the original caller from the call stack, using ROP to desynchronize unwinding from control flow.
Tools:
🔧 SilentMoonwalk - call stack spoofing PoC.
Did I miss something interesting? If you think so, feel free to share in the comments below 👇
A Thousand Sails, One Harbor - C2 Infra on Azure
#darkvortex
via Dark Vortex Blog (author: Paranoid Ninja)