π [ NUL0x4C, NULL ]
its been a long time since I last uploaded something, but earlier this day I had some time to drop this:
https://t.co/InVe1Nrr8F
π https://github.com/NUL0x4C/APCLdr
π₯ [ tweet ]
its been a long time since I last uploaded something, but earlier this day I had some time to drop this:
https://t.co/InVe1Nrr8F
π https://github.com/NUL0x4C/APCLdr
π₯ [ tweet ]
π [ theart42, Advanced Persistent Dread ]
As a project to learn some C# coding on Windows I ported the awesome netcat for Windows from C, so you can now load it reflectively. You can find the github repo here: https://t.co/WN84PoKioN
π https://github.com/theart42/Sharpcat
π₯ [ tweet ]
As a project to learn some C# coding on Windows I ported the awesome netcat for Windows from C, so you can now load it reflectively. You can find the github repo here: https://t.co/WN84PoKioN
π https://github.com/theart42/Sharpcat
π₯ [ tweet ]
π [ tijme, Tijme Gommers ]
Cobalt Strike BOF that utilises AMD's Ryzen Master kernel driver to read and write physical memory. It currently escalates privileges from administrator to SYSTEM. Future goal is to add features such as disabling EDR, disabling ETW TI or dumping LSASS.
https://t.co/vErevstmwd
π https://github.com/tijme/amd-ryzen-master-driver-v17-exploit
π₯ [ tweet ]
Cobalt Strike BOF that utilises AMD's Ryzen Master kernel driver to read and write physical memory. It currently escalates privileges from administrator to SYSTEM. Future goal is to add features such as disabling EDR, disabling ETW TI or dumping LSASS.
https://t.co/vErevstmwd
π https://github.com/tijme/amd-ryzen-master-driver-v17-exploit
π₯ [ tweet ]
π [ nikhil_mitt, Nikhil Mittal ]
TIL that it is possible to exclude Account Operators, Server Operators, Print Operators and Backup Operators from SDProp/AdminSDHolder! #ActiveDirectory #RedTeam
https://t.co/kzatGP3RfD
π https://petri.com/active-directory-security-understanding-adminsdholder-object/
π₯ [ tweet ]
TIL that it is possible to exclude Account Operators, Server Operators, Print Operators and Backup Operators from SDProp/AdminSDHolder! #ActiveDirectory #RedTeam
https://t.co/kzatGP3RfD
π https://petri.com/active-directory-security-understanding-adminsdholder-object/
π₯ [ tweet ]
π [ DirectoryRanger, DirectoryRanger ]
Silhouette. POC that mitigates the use of physical memory to dump credentials from LSASS, by @GabrielLandau
https://t.co/0z7P3olqyf
π https://github.com/elastic/Silhouette
π₯ [ tweet ]
Silhouette. POC that mitigates the use of physical memory to dump credentials from LSASS, by @GabrielLandau
https://t.co/0z7P3olqyf
π https://github.com/elastic/Silhouette
π₯ [ tweet ]
π [ NUL0x4C, NULL ]
since "bringing your own version of ntdll" is a thing now, try downloading it from https://t.co/rGLjvyccIl instead of manually setting up a server to host ntdll's versions
π https://winbindex.m417z.com/?file=ntdll.dll
π₯ [ tweet ]
since "bringing your own version of ntdll" is a thing now, try downloading it from https://t.co/rGLjvyccIl instead of manually setting up a server to host ntdll's versions
π https://winbindex.m417z.com/?file=ntdll.dll
π₯ [ tweet ]
π [ Octoberfest73, Octoberfest7 ]
Iβm pleased to release Inline-Execute-PE, a CobaltStrike toolkit enabling users to load and repeatedly run unmanaged Windows exeβs in Beacon memory without dropping to disk or creating a new process each time. https://t.co/1byTo7uCV1
#redteam #cybersecurity #malware
π https://github.com/Octoberfest7/Inline-Execute-PE
π₯ [ tweet ]
Iβm pleased to release Inline-Execute-PE, a CobaltStrike toolkit enabling users to load and repeatedly run unmanaged Windows exeβs in Beacon memory without dropping to disk or creating a new process each time. https://t.co/1byTo7uCV1
#redteam #cybersecurity #malware
π https://github.com/Octoberfest7/Inline-Execute-PE
π₯ [ tweet ]
π [ BoreanJordan, Jordan Borean ]
Fresh new PowerShell module called ctypes https://t.co/Mtgfey0kLX. This makes it easier to prototype PInvoke calls in PowerShell. As an example, to call
π https://www.powershellgallery.com/packages/Ctypes/0.1.0
π₯ [ tweet ]
Fresh new PowerShell module called ctypes https://t.co/Mtgfey0kLX. This makes it easier to prototype PInvoke calls in PowerShell. As an example, to call
GetCurrentProcess(), it's simply:$k32 = New-CtypesLib Kernel32.dll
$k32.GetCurrentProcess[IntPtr]()π https://www.powershellgallery.com/packages/Ctypes/0.1.0
π₯ [ tweet ]
π₯6
π [ 424f424f, rvrsh3ll ]
Guess I'm a miscreant. Check out my tool to create "HotKey" .lnk files. https://t.co/iWqIf3FjNJ
π https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/master/Create-HotKeyLNK.ps1
π₯ [ tweet ][ quote ]
Guess I'm a miscreant. Check out my tool to create "HotKey" .lnk files. https://t.co/iWqIf3FjNJ
π https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/master/Create-HotKeyLNK.ps1
π₯ [ tweet ][ quote ]
π [ TrustedSec, TrustedSec ]
In this guide from @GuhnooPlusLinux, you'll learn how the new #BOFLoader extension allows BOFs to be used from a #Meterpreter session. Discover new attacks made possible in Meterpreter and avoid common errors. https://t.co/THThviAluo
π https://hubs.la/Q01z2t0t0
π₯ [ tweet ]
In this guide from @GuhnooPlusLinux, you'll learn how the new #BOFLoader extension allows BOFs to be used from a #Meterpreter session. Discover new attacks made possible in Meterpreter and avoid common errors. https://t.co/THThviAluo
π https://hubs.la/Q01z2t0t0
π₯ [ tweet ]
π [ c2_matrix, C2 Matrix | #C2Matrix ]
Excellent post on understanding how Sliver C2 works from both attack and defense perspective. Dare we say... #purpleteam #C2Matrix #redteam #blueteam
https://t.co/HfAgxwrv6C
π https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors
π₯ [ tweet ]
Excellent post on understanding how Sliver C2 works from both attack and defense perspective. Dare we say... #purpleteam #C2Matrix #redteam #blueteam
https://t.co/HfAgxwrv6C
π https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors
π₯ [ tweet ]
π [ AnubisOnSec, anubis ]
The very first Red Team based article officially published by @nvidia is out now!
Honored to have my write up be the first one, but there will be many more coming out from my team this year.
https://t.co/y62teiMpi5
π https://developer.nvidia.com/blog/exploiting-and-securing-jenkins-instances-at-scale-with-groovywaiter/
π₯ [ tweet ]
The very first Red Team based article officially published by @nvidia is out now!
Honored to have my write up be the first one, but there will be many more coming out from my team this year.
https://t.co/y62teiMpi5
π https://developer.nvidia.com/blog/exploiting-and-securing-jenkins-instances-at-scale-with-groovywaiter/
π₯ [ tweet ]
π [ elad_shamir, Elad Shamir ]
Have you ever wondered how RODCs work and whether compromising one would necessarily allow for privilege escalation?
The answers are in my new post:
At the Edge of Tier Zero: The Curious Case of the RODC
https://t.co/GeNn1cxxhX
π https://posts.specterops.io/at-the-edge-of-tier-zero-the-curious-case-of-the-rodc-ef5f1799ca06
π₯ [ tweet ]
Have you ever wondered how RODCs work and whether compromising one would necessarily allow for privilege escalation?
The answers are in my new post:
At the Edge of Tier Zero: The Curious Case of the RODC
https://t.co/GeNn1cxxhX
π https://posts.specterops.io/at-the-edge-of-tier-zero-the-curious-case-of-the-rodc-ef5f1799ca06
π₯ [ tweet ]
π [ bohops, bohops ]
PyBOF: In-memory loading and execution of Beacon Object Files (BOFs) through Python
https://t.co/Qu499zWNAn
cc: @kakt1s2015
π https://github.com/rkbennett/pybof
π₯ [ tweet ]
PyBOF: In-memory loading and execution of Beacon Object Files (BOFs) through Python
https://t.co/Qu499zWNAn
cc: @kakt1s2015
π https://github.com/rkbennett/pybof
π₯ [ tweet ]
π [ eversinc33, eversinc33 ]
I am probably just tripping, but I didnt find any C# implementation of the StartWebclient BOF from @OutflankNL on github (?) so I did a quick copy paste port to C# to make that windows privesc even more straightforward https://t.co/LJgDB8Bd7E
π https://github.com/eversinc33/SharpStartWebclient
π₯ [ tweet ]
I am probably just tripping, but I didnt find any C# implementation of the StartWebclient BOF from @OutflankNL on github (?) so I did a quick copy paste port to C# to make that windows privesc even more straightforward https://t.co/LJgDB8Bd7E
π https://github.com/eversinc33/SharpStartWebclient
π₯ [ tweet ]
Offensive Xwitter
π ΠΠ½Π΅ ΠΎΡΠ΅Π½Ρ Π½ΡΠ°Π²ΡΡΡΡ Π°ΡΠ°ΠΊΠΈ Π½Π° #KeePass, ΠΏΠΎΡΡΠΎΠΌΡ Π΄Π΅ΡΠΆΠΈΡΠ΅ ΠΏΠΎΠ΄Π±ΠΎΡΠΊΡ ΠΈΠ½ΡΡΡΡΠΌΠ΅Π½ΡΠΎΠ² ΠΈ ΡΠ΅ΡΠ΅ΡΡΠ΅ΠΉ Π½Π° ΡΠ΅ΠΌΡ: - https://blog.harmj0y.net/redteaming/a-case-study-in-attacking-keepass/ - https://blog.harmj0y.net/redteaming/keethief-a-case-study-in-attacking-keepass-partβ¦
π [ an0n_r0, an0n ]
somehow CVE-2023-24055 has been assigned on #KeePass for an attack path published by @harmj0y and @tifkin_ 7 years ago in 2016: https://t.co/kmWcoLBReo (look at the section Exfiltration Without Malware β KeePassβ Trigger System). awesome!π
π https://blog.harmj0y.net/redteaming/keethief-a-case-study-in-attacking-keepass-part-2/
π₯ [ tweet ][ quote ]
somehow CVE-2023-24055 has been assigned on #KeePass for an attack path published by @harmj0y and @tifkin_ 7 years ago in 2016: https://t.co/kmWcoLBReo (look at the section Exfiltration Without Malware β KeePassβ Trigger System). awesome!π
π https://blog.harmj0y.net/redteaming/keethief-a-case-study-in-attacking-keepass-part-2/
π₯ [ tweet ][ quote ]
π [ _nwodtuhs, Charlie Bromberg βShutdownβ ]
Big up to @Fransosiche and @Wlayzz for the new "HTTP Request Smuggling" page on The Hacker Recipes π§βπ³
https://t.co/9k8aKrAIjz
π https://www.thehacker.recipes/web/config/http-request-smuggling
π₯ [ tweet ]
Big up to @Fransosiche and @Wlayzz for the new "HTTP Request Smuggling" page on The Hacker Recipes π§βπ³
https://t.co/9k8aKrAIjz
π https://www.thehacker.recipes/web/config/http-request-smuggling
π₯ [ tweet ]
π [ NinjaParanoid, Chetan Nayak (Brute Ratel C4 Author) ]
Here it goes. A detailed blog on proxying your DLL loads and hiding the original callstack from userland hooks/ETW with a new set of undocumented API and some hacky tricks. Code is on my Github repository. This one was a brain buster π₯
https://t.co/AKFW8hthXZ
π https://0xdarkvortex.dev/proxying-dll-loads-for-hiding-etwti-stack-tracing/
π₯ [ tweet ]
Here it goes. A detailed blog on proxying your DLL loads and hiding the original callstack from userland hooks/ETW with a new set of undocumented API and some hacky tricks. Code is on my Github repository. This one was a brain buster π₯
https://t.co/AKFW8hthXZ
π https://0xdarkvortex.dev/proxying-dll-loads-for-hiding-etwti-stack-tracing/
π₯ [ tweet ]
πΉ [ snovvcrash, snπ₯Άvvcrπ₯sh ]
Keep in mind when scraping usernames from a #Cisco #CUCM server with @n00py1βs cucme[.]sh or @TrustedSecβs SeeYouCM-Thief: the names can be not only within the <userName> tag but also within the <firstName> and <lastName> tags. Worth checking!
https://t.co/GGX5OeKQ3Q
π https://ppn.snovvcrash.rocks/pentest/infrastructure/networks/sip-voip#cisco-ip-phones
π₯ [ tweet ]
Keep in mind when scraping usernames from a #Cisco #CUCM server with @n00py1βs cucme[.]sh or @TrustedSecβs SeeYouCM-Thief: the names can be not only within the <userName> tag but also within the <firstName> and <lastName> tags. Worth checking!
https://t.co/GGX5OeKQ3Q
π https://ppn.snovvcrash.rocks/pentest/infrastructure/networks/sip-voip#cisco-ip-phones
π₯ [ tweet ]