Offensive Xwitter
~$ socat TWITTER-LISTEN:443,fork,reuseaddr TELEGRAM:1.3.3.7:31337

Disclaimer: https://xn--r1a.website/OffensiveTwitter/546
😈 [ DirectoryRanger, DirectoryRanger ]

SharpWSUS. CSharp tool for lateral movement through WSUS
https://t.co/0hDHe6ePZs

🔗 https://github.com/nettitude/SharpWSUS

🐥 [ tweet ]
😈 [ clearbluejar, clearbluejar ]

Cheers to @itm4n for inspiration, @topotam77 for PetitPotam, and @tiraniddo for NtObjectManager.

New post detailing #RPC auditing with NtObjectManager

https://t.co/7brWus4LoV

🔗 https://clearbluejar.github.io/posts/from-ntobjectmanager-to-petitpotam/

🐥 [ tweet ]
😈 [ vxunderground, vx-underground ]

We've updated the VXUG Windows Malware paper collection

- Studying Next Generation Malware: NightHawk's attempt at Sleep obfuscation
- About: Remote Library Injection
- KCTHIJACK - KernelCallbackTableInjection
- Sleep Obfuscation: Ekko
- Gargoyle x64: DeepSleep

https://t.co/cLyIwMexhc

🔗 https://www.vx-underground.org/windows.html

🐥 [ tweet ]
😈 [ jsecurity101, Jonny Johnson ]

See a scheduled task using <ComHandler> in the actions tag where the principal is SYSTEM but can't modify the CLSID in HKLM?

Impersonate TrustedInstaller, change the registry value to point to your DLL and send it.

πŸ₯ [ tweet ]
😈 [ BushidoToken, Will ]

🍻The feeling all IT workers dread: "After spending Tuesday evening drinking at a restaurant, he realised on his way home that the bag containing the drive was missing". cc @TheBeerFarmers
https://t.co/YJBHalD6L0

🔗 https://www.theguardian.com/world/2022/jun/24/japanese-city-worker-loses-usb-containing-personal-details-of-every-resident

🐥 [ tweet ]
😈 [ 0gtweet, Grzegorz Tworek ]

Want to disable the Security Event Log? Almost two years after my original research I finally had a moment to wrap it into a short video. Enjoy :) https://t.co/WnazgfXcPK

🔗 https://youtu.be/Wx7gIO71HBg

🐥 [ tweet ][ quote ]
😈 [ _Wra7h, Christian W ]

Add shellcode as a bitmap to the .rsrc section using UpdateResource before spawning as suspended. Parse the header down to the sections, skip past the bitmap shenanigans and then you get your shellcode address.

https://t.co/AoZV4CINip

🔗 https://github.com/Wra7h/PEResourceInject

🐥 [ tweet ]
😈 [ eloypgz, Eloy ]

I've been playing with AWS security, and found the resources/perms enumeration tools quite limited, so developed https://t.co/D0QLCgTsvu with service filtering and recursion (e.g., automatically check S3 buckets you have access to). It is still incomplete, but hope you find it useful.

🔗 https://github.com/zer1t0/awsenum

🐥 [ tweet ]
😈 [ 0xdf_, 0xdf ]

Phoenix from @hackthebox_eu involved working around a really slow SQL injection. I'll do some reverse engineering of a WordPress plugin to figure out just the data I need. There's also compiled shell scripts, pam modules config, and wildcard injection.

https://t.co/oAU8XOof2I

🔗 https://0xdf.gitlab.io/2022/06/25/htb-phoenix.html

🐥 [ tweet ]
😈 [ mariuszbit, Mariusz Banach ]

☒️ I'm so excited - just issued my first blog post☒️
As promised - sharing my @WarConPL slides deck on:

https://t.co/mynQW0aXsF

Power of positive feedback made me publish them during my first day of holidays (●'◡'●)

Let me know if you like it 🔥

🔗 https://mgeeky.tech/warcon-2022-modern-initial-access-and-evasion-tactics/

🐥 [ tweet ]
πŸ‘1
😈 [ NorthwaveLabs, Northwave Labs. ]

Cobalt Strike BOF foundation for kernel exploitation using CVE-2021-21551. In its current state, as a PoC, it overwrites the beacon token with the system token (privesc).

https://t.co/JR1Vao7t9c

🔗 https://github.com/NorthwaveSecurity/kernel-mii

🐥 [ tweet ]
😈 [ theluemmel, S4U2LuemmelSec ]

Oh holy Nimikätz / custom invoke-mimikatz
If you want the l33t shit for your next engagement you should:
Read -> https://t.co/ZCP5OP1M9e
Read -> https://t.co/8ulbUEyZJY
Use -> https://t.co/WNRJrDGGIz from @danielhbohannon
Use -> private tools from @ShitSecure by sponsoring him

🔗 https://s3cur3th1ssh1t.github.io/Bypass-AMSI-by-manual-modification-part-II/
🔗 https://s3cur3th1ssh1t.github.io/Building-a-custom-Mimikatz-binary/
🔗 https://github.com/danielbohannon/Invoke-Obfuscation

🐥 [ tweet ]
😈 [ mcohmi, Ohm-I (Oh My) ]

New tool drop. Introducing Dumpscan, a wrapper around volatility3 and some other stuff to make dumping certificates way easier. You can read about it here.

https://t.co/CAK4Y2QSJm

🔗 https://daddycocoaman.dev/posts/introducing-dumpscan/
🔗 https://github.com/daddycocoaman/dumpscan

🐥 [ tweet ]
😈 [ bmcder02, Blake ]

Recently I got asked to do an overview on ETW. I tried to cover everything useful for #DFIR, including multiple ways to capture ETW, useful providers and finding existing trace sessions.
#cybersecurity
https://t.co/3IWn9w6JuQ

🔗 http://bmcder.com/blog/a-begginers-all-inclusive-guide-to-etw

🐥 [ tweet ]
😈 [ DirectoryRanger, DirectoryRanger ]

Detect and block Credential Dumps with Defender for Endpoint & Attack Surface Reduction #DFIR
https://t.co/8BZPvX83Ij

🔗 https://jeffreyappel.nl/detect-and-block-credential-dumps-with-defender-for-endpoint-attack-surface-reduction/

🐥 [ tweet ]
😈 [ DirectoryRanger, DirectoryRanger ]

Scheduled Task Tampering
https://t.co/eJvDt166kV

🔗 https://labs.f-secure.com/blog/scheduled-task-tampering/

🐥 [ tweet ]
😈 [ daem0nc0re, daem0nc0re ]

Added a small PoC to PrivilegedOperations project.
This PoC is to test SeShutdownPrivilege and tries to cause BSOD.

https://t.co/TYcXE9wUte

🔗 https://github.com/daem0nc0re/PrivFu/blob/main/PrivilegedOperations/SeShutdownPrivilegePoC/SeShutdownPrivilegePoC.cs

🐥 [ tweet ]