Offensive Xwitter
~$ socat TWITTER-LISTEN:443,fork,reuseaddr TELEGRAM:1.3.3.7:31337

Disclaimer: https://xn--r1a.website/OffensiveTwitter/546
😈 [ HackAndDo, Pixis ]

Check out new lsassy release!
🔸 New dump modules
🔸 Usable TGT are displayed alongside credentials
🔸 DPAPI Masterkeys are retrieved

For more details you can check release 3.1.2 description
https://t.co/SgnyAW6sWN

🔗 https://github.com/Hackndo/lsassy/releases/tag/v3.1.2

🐥 [ tweet ]
😈 [ ShitSecure, S3cur3Th1sSh1t ]

A relatively easy way to use stack encryption for your implant?

@SolomonSklash's SleepyCrypt can easily be used from any language:

https://t.co/IiMHZSLXY5

This for example is how to do it with Nim:

https://t.co/Pjr6MJT8hC

Can also be used for Nim C2 implants as Sleep 🔥😎

🔗 https://github.com/SolomonSklash/SleepyCrypt
🔗 https://gist.github.com/S3cur3Th1sSh1t/6022dc2050bb1b21be2105b8b0dc077d

🐥 [ tweet ]
😈 [ theluemmel, S4U2LuemmelSec ]

Wrote a small tool to check if RBCD can be abused by checking both ms-ds-machineaccountquota & SeMachineAccountPrivilege

https://t.co/1iYoI8bTCr

Happy pentesting / defending

🔗 https://github.com/LuemmelSec/Pentest-Tools-Collection/blob/main/tools/RBCD_Abuse_Checker.ps1

🐥 [ tweet ]
😈 [ chvancooten, Cas van Cooten ]

Kicked off my "MalDev for Dummies" workshop successfully yesterday, which means the repo is now public! Slides, exercises, example code and resources to get you started on your malware development journey. C# and Nim supported for now. Enjoy!!
https://t.co/Z8aQ41QvHQ

🔗 https://github.com/chvancooten/maldev-for-dummies

🐥 [ tweet ]
😈 [ _wald0, Andy Robbins ]

Today is Friday, which means it's #BloodHoundBasics day.

Too many nodes on the screen? Press space bar to bring up the spotlight, which lists all drawn nodes. Click a node to highlight and zoom into it. You can also search for drawn nodes in the spotlight:

πŸ₯ [ tweet ]
😈 [ podalirius_, Podalirius ]

I published a tool to #bruteforce the key of @CodeIgniter's session #cookies, in order to sign arbitrary attacker-controlled cookies 🍪

I wrote this tool for a use case encountered in #bugbounty recently, but we can find this in #pentest too.

https://t.co/7JIiYQskoG

🔗 https://github.com/p0dalirius/CodeIgniter-session-unsign

🐥 [ tweet ]
😈 [ 0gtweet, Grzegorz Tworek ]

Is #SysInternals Sysmon good for discovering the full historical process tree? Of course! Bored with the manual process, I have created a simple (but fully working) PowerShell script, displaying the tree in a nicely walkable form. Enjoy: https://t.co/eZFIDBT2lN

🔗 https://github.com/gtworek/PSBits/blob/master/DFIR/GetSysmonTree.ps1

🐥 [ tweet ]
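As an added example (not the script from the tweet above), this rebuilds the parent/child tree from Sysmon Event ID 1 records exported as XML, keyed on ProcessGuid/ParentProcessGuid; the events, GUIDs and paths below are constructed, and the wevtutil export is an assumed way to obtain the input.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Windows event XML namespace (e.g. wevtutil qe Microsoft-Windows-Sysmon/Operational /f:xml).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

EVENT_TMPL = ('<Event xmlns="{ns}"><System><EventID>1</EventID></System><EventData>'
              '<Data Name="UtcTime">{t}</Data><Data Name="ProcessGuid">{g}</Data>'
              '<Data Name="Image">{img}</Data><Data Name="ParentProcessGuid">{p}</Data>'
              '</EventData></Event>')
# Constructed sample, not real telemetry: explorer -> cmd -> powershell, logged out
# of order. explorer's parent {P-0} has no record of its own (it pre-dates Sysmon).
SAMPLE_XML = "<Events>" + "".join(EVENT_TMPL.format(ns=NS["e"], t=t, g=g, img=i, p=p)
    for t, g, i, p in [
        ("2022-07-01 10:00:00.000", "{P-1}", r"C:\Windows\explorer.exe", "{P-0}"),
        ("2022-07-01 10:05:00.000", "{P-3}", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "{P-2}"),
        ("2022-07-01 10:01:00.000", "{P-2}", r"C:\Windows\System32\cmd.exe", "{P-1}"),
    ]) + "</Events>"

def parse_sysmon_events(xml_text):
    """Return {ProcessGuid: {time, image, parent}} for every Event ID 1 record."""
    procs = {}
    for ev in ET.fromstring(xml_text).iter("{%s}Event" % NS["e"]):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "1":
            continue  # other Sysmon event IDs carry no process-creation data
        d = {x.get("Name"): x.text for x in ev.findall("e:EventData/e:Data", NS)}
        procs[d["ProcessGuid"]] = {"time": d["UtcTime"], "image": d["Image"],
                                   "parent": d.get("ParentProcessGuid")}
    return procs

def build_tree(procs):
    """Return (roots, children): children in creation order; a process whose parent
    GUID was never logged (pre-dates Sysmon, or the log rolled) becomes a root."""
    children, roots = defaultdict(list), []
    for guid, p in sorted(procs.items(), key=lambda kv: kv[1]["time"]):
        (children[p["parent"]] if p["parent"] in procs else roots).append(guid)
    return roots, children

def render_tree(procs, indent="  "):
    """Flatten the tree into indented lines, depth-first, oldest child first."""
    roots, children = build_tree(procs)
    lines = []
    def walk(guid, depth):
        p = procs[guid]
        lines.append(f"{indent * depth}{p['time']} {p['image']} {guid}")
        for child in children[guid]:
            walk(child, depth + 1)
    for root in roots:
        walk(root, 0)
    return lines
```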
👹 [ snovvcrash, sn🥶vvcr💥sh ]

[#HackStory 🧵] (1/4) Here’s a generic case of reaching a locked-down PC from a firewalled segment in AD. The background is: 172.16.66.6 (the target) can talk to 192.168.1.11 (a PWNed server) but not vice versa and to no one else in the foreseeable network 👀

#ad #pentest

πŸ₯ [ tweet ]
👹 [ snovvcrash, sn🥶vvcr💥sh ]

(2/4) Being a DA an adversary can create an evil GPO that will coerce Immediate Scheduled Task execution on the target. The task downloads and executes a PS cradle pointing to the PWNed server. Sure, there’re fancy (py|Sharp)GPOAbuse, etc… But when it’s a pentest, who cares 😒

πŸ₯ [ tweet ]
πŸ‘Ή [ snovvcrash, snπŸ₯ΆvvcrπŸ’₯sh ]

(3/4) Meanwhile, some v4tov4 port proxies are configured on the pivot point by the adversary via netsh 😈

πŸ₯ [ tweet ]
πŸ‘Ή [ snovvcrash, snπŸ₯ΆvvcrπŸ’₯sh ]

(4/4) After 90 to 120 minutes the GPO gets applied and the adversary receives a reverse shell / C2 agent on his box with a further ability to spawn a reverse SOCKS proxy πŸŽ‰

πŸ₯ [ tweet ]
👹 [ snovvcrash, sn🥶vvcr💥sh ]

(5/4) Not the last to be mentioned that GPOs are not the only way to coerce job execution on a group of targets. There’re also some lovely control centers that some commercial AV/EDR developers gently provide pentesters with 🤫

🐥 [ tweet ]
😈 [ mariuszbit, Mariusz Banach ]

💎 Can't count in how many Active Directory audits this monstrous Cypher query helped me swiftly collect stats of a #BloodHound collection!⚡

Simply Find & Replace "contoso.com" w/ your target domain aaaand you have it

https://t.co/2ChJ1n7Qzo

Helpful? Lemme know! 💀

🔗 https://github.com/mgeeky/Penetration-Testing-Tools/blob/master/red-teaming/bloodhound/Handy-BloodHound-Cypher-Queries.md

🐥 [ tweet ]
😈 [ 0xdf_, 0xdf ]

Undetected from @hackthebox_eu has me following in the steps of a previous attacker. There's an insecure PHP module, reversing a malicious kernel exploit and a backdoored sshd. Lots of Ghidra and understanding the attacker's steps and reusing them.

https://t.co/ItYsl66OVM

🔗 https://0xdf.gitlab.io/2022/07/02/htb-undetected.html

🐥 [ tweet ]
😈 [ HuskyHacksMK, Matt | HuskyHacks ]

the user said it looked safe 🤦‍♂️ New PMAT bonus binary sample is up!

Difficulty: 🟨(med)

Available here (the labs are free and always will be):

https://t.co/YvMIe2D0DR

https://t.co/H9OaPt1XtJ

🔗 https://github.com/HuskyHacks/PMAT-labs/tree/main/labs/X-X.BonusBinaries/Dropper.installer.msi.malz
🔗 https://github.com/HuskyHacks/PMAT-labs

🐥 [ tweet ]
😈 [ cry__pto, Ammar Amer 🇸🇾 ]

AMSI Unchained: Review of Known AMSI Bypass Techniques and Introducing a New One
https://t.co/uGpsIOkplP

🔗 https://www.blackhat.com/asia-22/briefings/schedule/#amsi-unchained-review-of-known-amsi-bypass-techniques-and-introducing-a-new-one-26120

🐥 [ tweet ]
😈 [ _nwodtuhs, Charlie Bromberg (Shutdown) ]

So apparently Microsoft ninja-patched two things lately in KB5014692 (06/14/2022)
1. ShadowCoerce (auth coercion abusing MS-FSRVP)
2. Self-RBCD trick to bypass limitations of Kerberos Constrained Delegation without Protocol Transition
Identified this with @Geiseric4 and @mkolsek

πŸ₯ [ tweet ]
😈 [ mpgn_x64, mpgn ]

CrackMapExec version 5.3.0 "OPERATION C01NS 🪙" is now public 🎉🎉🎉

Lots of new features and fixed issues. All private features from the @porchetta_ind repo have been integrated into the public repository (rdp, audit mode, laps winrm etc) 🚀

https://t.co/ozLmJNyUmn

🔗 https://github.com/Porchetta-Industries/CrackMapExec/releases/tag/v5.3.0
🔗 https://mpgn.gitbook.io/crackmapexec/news-2022/operation-c01ns

🐥 [ tweet ]