[ snovvcrash, snovvcrash ]
🧵 (3/x) But guess what, there's another super cool tool, Coercer (by @podalirius_), which can be used to trigger the authentication with a different API that is not affected by the ad-hoc check provided in the patch ⬇
[ tweet ]
[ snovvcrash, snovvcrash ]
🧵 (4/x) And now *tada* I can get my machine account certificate on a fully patched Windows 10 ⬇
[ tweet ]
[ snovvcrash, snovvcrash ]
🧵 (5/x) Check out @Flangvik's stream to know more about ADCSPwn usage: https://t.co/nG8gRKo3rn
https://youtu.be/W9pUCVxe59Q
[ tweet ]
[ _dirkjan, Dirk-jan ]
Working on some tooling, and managed to get PRT injection during browser sign-in working with Selenium. If you steal a PRT from a hybrid/compliant device, you can use this to "upgrade" the sign-in of other users, to comply with conditional access policies requiring this status.
[ tweet ]
[ m3g9tr0n, Spiros Fraganastasis ]
Similar to Petitpotam, the netdfs service is enabled in Windows Server and AD environments, and the abused RPC method allows privileged processes to access malicious pipes for exploitation https://t.co/DtcR08PDTN
https://github.com/crisprss/magicNetdefs
[ tweet ]
[ d4rckh, d4rckh ]
btw, i made a very simple http redirector (also in nim) which can be used with probably any c2 you can imagine
https://t.co/GMfRMpXrSV #redteam
https://github.com/d4rckh/http-redirector
[ tweet ]
[ tifkin_, Lee Christensen ]
Users' password/doc syncing in corporate environments is dangerous. I've seen many corporate users - particularly IT admins - with Chrome Password sync enabled or Last/pass/1pass installed.
The home computer the DA password is synced to that their kids use doesn't have <FancyEDR>
[ tweet ]
[ vinopaljiri, Jiří Vinopal ]
Using #Powershell based on .NET >= 5 or .NET Core (so also latest Powershell Linux/Windows) you can easily manipulate PE files natively and do things like in the picture below (ML processing of .data section strings using #StringSifter)
[ tweet ]
[ an0n_r0, an0n ]
had to fix a couple of bugs of the sideload cmd in Sliver, but now it loads Mimikatz DLL (using Donut behind the scenes) and even bypasses Defender without much effort. it is still not perfect, output fetching is not working for some reason, but it is almost functional.
[ tweet ]
[ NinjaParanoid, Chetan Nayak (Brute Ratel C4) ]
Amongst all EDRs, SentinelOne applies the most userland hooks, not only in DLLs but also a few other places. So, I decided to make a brief video explaining its hooks & traps in memory, & how #BruteRatel evades it. Video contains light reversing and dev!!
https://t.co/WdS0z4PSyD
https://www.youtube.com/watch?v=qakZwswi5Jw
[ tweet ]
[ ORCA10K, ORCA ]
Released a poc on Perun's Fart by #sektor7, that patches ntdll with a new one read from a suspended process, thus unhooking your syscalls
https://t.co/y3LKQrwOJL
https://gitlab.com/ORCA000/perunsfart
[ tweet ]
[ BlWasp_, BlackWasp ]
PAPAPA NEW PR!
My first PR on CrackMapExec: I have implemented the read and backup functions of the https://t.co/HQleAKcVrm Impacket script in a LDAP module for #CME with some improvements.
For the moment, the write functions are not possible.
https://t.co/NCdsjlsStA
https://github.com/Porchetta-Industries/CrackMapExec/pull/610
[ tweet ]
[ HuskyHacksMK, Matt | HuskyHacks ]
A new section has been added to PMAT and it's available for everyone!
I've added a new sample to teach simple x86 binary patching methodology.
Lesson: https://t.co/cIuqUKd4Fw
Lab Repo: https://t.co/apbskSMBkY
https://notes.huskyhacks.dev/notes/on-patching-binaries
https://github.com/HuskyHacks/PMAT-labs/tree/main/labs/2-4.BinaryPatching/SimplePatchMe
[ tweet ]
[ httpyxel, yxel ]
DeathSleep: A PoC implementation for an evasion technique to terminate the current thread and restore it before resuming execution, while implementing page protection changes during no execution.
https://t.co/rR7FnuVvA8
https://github.com/janoglezcampos/DeathSleep
[ tweet ]
[ DirectoryRanger, DirectoryRanger ]
Good series by @martinsohndk:
https://improsec.com/tech-blog/o83i79jgzk65bbwn1fwib1ela0rl2d
https://improsec.com/tech-blog/sid-filter-as-security-boundary-between-domains-part-2-known-ad-attacks-from-child-to-parent
https://improsec.com/tech-blog/sid-filter-as-security-boundary-between-domains-part-3-sid-filtering-explained
https://improsec.com/tech-blog/sid-filter-as-security-boundary-between-domains-part-4-bypass-sid-filtering-research
https://improsec.com/tech-blog/sid-filter-as-security-boundary-between-domains-part-5-golden-gmsa-trust-attack-from-child-to-parent
https://improsec.com/tech-blog/sid-filter-as-security-boundary-between-domains-part-6-schema-change-trust-attack-from-child-to-parent
https://improsec.com/tech-blog/sid-filter-as-security-boundary-between-domains-part-7-trust-account-attack-from-trusting-to-trusted
[ tweet ]
[ ShitSecure, S3cur3Th1sSh1t ]
Really like the "Malware Dev" posts from @0xPat, good read for everyone interested in that topic. Especially good for the basics
https://t.co/iRl72r4yz9
https://0xpat.github.io/
[ tweet ]
[ podalirius_, Podalirius ]
[#thread 🧵] This weekend I wrote a #tool to scan for @TheApacheTomcat server #vulnerabilities in networks. I've always dreamed of being able to retrieve the list of computers in a #Windows #domain and scan for vulnerable #Apache #Tomcats automatically!
https://t.co/EOWfTbFCRh
https://github.com/p0dalirius/ApacheTomcatScanner/
[ tweet ]
[ mariuszbit, mgeeky | Mariusz Banach ]
Can confirm - a nice DLL side-loading against Defender's executable.
Step 1:
copy "%ProgramFiles%\Windows Defender\NisSrv.exe" C:\Users\Public
Step 2:
g++ --shared -o C:\Users\Public\mpclient.dll proxy.cpp
Step 3:
"%WinDir%\Users\Public\NisSrv.exe"
Tasty Initial Access
[ tweet ][ quote ]