π [ Diego Capriotti @naksyn ]
Here's Process Stomping injection and how you can use it in a Mockingjay-ish way to load a Beacon on a exe's RWX section using sRDI. Check it out!
Blog:
π https://www.naksyn.com/edr%20evasion/2023/11/18/mockingjay-revisited-process-stomping-srdi-beacon.html
Tool:
π https://github.com/naksyn/ProcessStomping
Thanks to @hasherezade and @monoxgas for their awesome work
π₯ [ tweet ]
Here's Process Stomping injection and how you can use it in a Mockingjay-ish way to load a Beacon on a exe's RWX section using sRDI. Check it out!
Blog:
π https://www.naksyn.com/edr%20evasion/2023/11/18/mockingjay-revisited-process-stomping-srdi-beacon.html
Tool:
π https://github.com/naksyn/ProcessStomping
Thanks to @hasherezade and @monoxgas for their awesome work
π₯ [ tweet ]
π₯3
This media is not supported in your browser
VIEW IN TELEGRAM
π [ Arris Huijgen @bitsadmin ]
#LOFLCAB highlight: Ssms.exe
Using SQL Server Management Studio with Kerberos authentication to obtain command execution on the SQL server using the xp_cmdshell stored procedure.
Details:
π https://lofl-project.github.io/loflcab/Binaries/Ssms/
Full quality video:
π https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform-part-3#sql-server
π₯ [ tweet ][ quote ]
#LOFLCAB highlight: Ssms.exe
Using SQL Server Management Studio with Kerberos authentication to obtain command execution on the SQL server using the xp_cmdshell stored procedure.
Details:
π https://lofl-project.github.io/loflcab/Binaries/Ssms/
Full quality video:
π https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform-part-3#sql-server
π₯ [ tweet ][ quote ]
π₯3
π [ Adam Svoboda @adamsvoboda ]
Ever find yourself on an endpoint with SentinelOne and have Local Admin? Just ask SentinelAgent.exe nicely, and it will dump a process for you, including itself!
It bombs out on LSASS, but most other processes work.
π https://gist.github.com/adamsvoboda/8e248c6b7fb812af5d04daba141c867e
Unable to dump LSASS using the previous script? No problem, just ask S1 for a Live Kernel Dump instead! You can open this in windbg (and use mimilib.dll) and go from there.
π https://gist.github.com/adamsvoboda/8f29e09d74b73e1dec3f9049c4358e80
π₯ [ tweet ][ quote ]
Ever find yourself on an endpoint with SentinelOne and have Local Admin? Just ask SentinelAgent.exe nicely, and it will dump a process for you, including itself!
It bombs out on LSASS, but most other processes work.
π https://gist.github.com/adamsvoboda/8e248c6b7fb812af5d04daba141c867e
Unable to dump LSASS using the previous script? No problem, just ask S1 for a Live Kernel Dump instead! You can open this in windbg (and use mimilib.dll) and go from there.
π https://gist.github.com/adamsvoboda/8f29e09d74b73e1dec3f9049c4358e80
π₯ [ tweet ][ quote ]
π4
Offensive Xwitter
π [ Adam Svoboda @adamsvoboda ] Ever find yourself on an endpoint with SentinelOne and have Local Admin? Just ask SentinelAgent.exe nicely, and it will dump a process for you, including itself! It bombs out on LSASS, but most other processes work. π htβ¦
π [ D4rthMaulCop @D4rthMaulCop ]
@adamsvoboda Awesome! I wrote a quick C# port too!
π https://github.com/D4rthMaulCop/DumpKernel-S1
π₯ [ tweet ]
@adamsvoboda Awesome! I wrote a quick C# port too!
π https://github.com/D4rthMaulCop/DumpKernel-S1
π₯ [ tweet ]
π3
π [ HackerRalf @hacker_ralf ]
Everyone takes a lot from the community... it's time to give something back yourself.
Kerbeus - BOF implementation of Rubeus (not all).
π https://github.com/RalfHacker/Kerbeus-BOF
P. S. PM me about all bugs
#redteam #kerberos #havoc #cobaltstrike #bof
π₯ [ tweet ]
Everyone takes a lot from the community... it's time to give something back yourself.
Kerbeus - BOF implementation of Rubeus (not all).
π https://github.com/RalfHacker/Kerbeus-BOF
P. S. PM me about all bugs
#redteam #kerberos #havoc #cobaltstrike #bof
π₯ [ tweet ]
π10
π [ hermit @ackmage ]
hi, check out this tool for easy Linux kernel building and debugging - easylkb
worked on it together with @netspooky! π
writeup:
π http://tmpout.sh/3/20.html
repo:
π http://github.com/deepseagirl/easylkb
π₯ [ tweet ]
hi, check out this tool for easy Linux kernel building and debugging - easylkb
worked on it together with @netspooky! π
writeup:
π http://tmpout.sh/3/20.html
repo:
π http://github.com/deepseagirl/easylkb
π₯ [ tweet ]
π4
π [ Synacktiv @Synacktiv ]
Unlock the Global Admin access π on Azure with this pentesting mindmap made by @alexisdanizan!
π https://github.com/synacktiv/Mindmaps
π₯ [ tweet ]
Unlock the Global Admin access π on Azure with this pentesting mindmap made by @alexisdanizan!
π https://github.com/synacktiv/Mindmaps
π₯ [ tweet ]
π₯1
π [ OtterHacker @OtterHacker ]
Finally π€© I got a PIC code for my #beacon! It was a really nice journey and a lot of things have been learnt on the way. If you want to try it too, I found this blog by @winternl_t really interesting:
π https://winternl.com/shellcodestdio/
And as usual, the @C5pider #Havoc β€οΈ
π₯ [ tweet ]
Finally π€© I got a PIC code for my #beacon! It was a really nice journey and a lot of things have been learnt on the way. If you want to try it too, I found this blog by @winternl_t really interesting:
π https://winternl.com/shellcodestdio/
And as usual, the @C5pider #Havoc β€οΈ
π₯ [ tweet ]
π₯2
π [ soka @pentest_soka ]
I just released a blogpost where I describe how two open source tools can be easily converted to Reflective DLL to be loaded in memory with Cobalt Strike.
This post comes along with which exists thanks to @Prepouce_ work
π https://sokarepo.github.io/redteam/2023/10/11/create-reflective-dll-for-cobaltstrike.html
π https://github.com/sokaRepo/CoercedPotatoRDLL
π₯ [ tweet ]
I just released a blogpost where I describe how two open source tools can be easily converted to Reflective DLL to be loaded in memory with Cobalt Strike.
This post comes along with which exists thanks to @Prepouce_ work
π https://sokarepo.github.io/redteam/2023/10/11/create-reflective-dll-for-cobaltstrike.html
π https://github.com/sokaRepo/CoercedPotatoRDLL
π₯ [ tweet ]
π₯3
π [ π π π π π π @felixm_pw ]
Indisputable C2 tier list
π₯ [ tweet ]
Indisputable C2 tier list
π₯ [ tweet ]
ΠΊΡΠΈΠ½ΠΆ ΠΈΠ»ΠΈ ΡΠΎΡΠ»?π15
π [ SAINTCON @SAINTCON ]
Lee Christensen, Will Schroeder, and Maxwell Harley - Fighting Data With Data
Detailing the various red team challenges regarding data, leading into how this influenced Nemesisβ architectural decisions and design.
π https://youtu.be/0q9u2hDcpIo
π₯ [ tweet ]
Lee Christensen, Will Schroeder, and Maxwell Harley - Fighting Data With Data
Detailing the various red team challenges regarding data, leading into how this influenced Nemesisβ architectural decisions and design.
π https://youtu.be/0q9u2hDcpIo
π₯ [ tweet ]
π₯1
Offensive Xwitter
π [ Antonio Cocomazzi @splinter_code ] Do you want to start the RemoteRegistry service without Admin privileges? Just write into the "winreg" named pipe π π₯ [ tweet ]
π [ an0n @an0n_r0 ]
just found that SharpHound used this RemoteRegistry trigger already earlier for session enumeration, like nmap smb-enum-sessions script and Sysinternals PsLoggedOn also. here is a nice summary about it from Sven Defatsch (@compasssecurity) in 2022:
π https://blog.compass-security.com/2022/05/bloodhound-inner-workings-part-3/
π₯ [ tweet ][ quote ]
just found that SharpHound used this RemoteRegistry trigger already earlier for session enumeration, like nmap smb-enum-sessions script and Sysinternals PsLoggedOn also. here is a nice summary about it from Sven Defatsch (@compasssecurity) in 2022:
π https://blog.compass-security.com/2022/05/bloodhound-inner-workings-part-3/
π₯ [ tweet ][ quote ]
π1π₯1
Forwarded from vx-underground
Media is too big
VIEW IN TELEGRAM
Some nerd on Twitter named Bjorn Staal is programming out of his mind.
11/10. Solid programming skills (designed to demonstrate quantum entanglement)
11/10. Solid programming skills (designed to demonstrate quantum entanglement)
π€―9π1π₯1
vx-underground
Some nerd on Twitter named Bjorn Staal is programming out of his mind. 11/10. Solid programming skills (designed to demonstrate quantum entanglement)
π [ ππΓΈππ πΎππππ @_nonfigurativ_ ]
Ok, so a lot of people have been asking me for code/writeup of this so I made a stripped down example (works with an infinite amount of windows) so that you can look at to get the basic gist of it (that's all I have time for now, sorry!).
π https://bgstaal.github.io/multipleWindow3dScene/
π https://github.com/bgstaal/multipleWindow3dScene
π₯ [ tweet ][ quote ]
Ok, so a lot of people have been asking me for code/writeup of this so I made a stripped down example (works with an infinite amount of windows) so that you can look at to get the basic gist of it (that's all I have time for now, sorry!).
π https://bgstaal.github.io/multipleWindow3dScene/
π https://github.com/bgstaal/multipleWindow3dScene
π₯ [ tweet ][ quote ]
π5
π [ Ido Veltzman @Idov31 ]
Weekly Nidhogg update
Driver hiding feature is also finished and live in the dev branch: :)
On the photos you can see the before and after in DriverView (From Nirsoft's tools)
π https://github.com/Idov31/Nidhogg/tree/dev
#infosec #CyberSecurity
π₯ [ tweet ]
Weekly Nidhogg update
Driver hiding feature is also finished and live in the dev branch: :)
On the photos you can see the before and after in DriverView (From Nirsoft's tools)
π https://github.com/Idov31/Nidhogg/tree/dev
#infosec #CyberSecurity
π₯ [ tweet ]
π4
π [ WHOAMI @wh0amitz ]
To audit the security of read-only domain controllers, I created the SharpRODC project, a simple .NET tool for RODC-related misconfigurations.
π https://github.com/wh0amitz/SharpRODC
#infosec #redteam #cybersecurity #pentesting
π₯ [ tweet ]
To audit the security of read-only domain controllers, I created the SharpRODC project, a simple .NET tool for RODC-related misconfigurations.
π https://github.com/wh0amitz/SharpRODC
#infosec #redteam #cybersecurity #pentesting
π₯ [ tweet ]
π₯3