😈 [ nikhil_mitt, Nikhil Mittal ]

TIL that it is possible to exclude Account Operators, Server Operators, Print Operators and Backup Operators from SDProp/AdminSDHolder! #ActiveDirectory #RedTeam
https://t.co/kzatGP3RfD

🔗 https://petri.com/active-directory-security-understanding-adminsdholder-object/

🐥 [ tweet ]

😈 [ DirectoryRanger, DirectoryRanger ]

Silhouette. POC that mitigates the use of physical memory to dump credentials from LSASS, by @GabrielLandau
https://t.co/0z7P3olqyf

🔗 https://github.com/elastic/Silhouette

🐥 [ tweet ]

😈 [ NUL0x4C, NULL ]

since "bringing your own version of ntdll" is a thing now, try downloading it from https://t.co/rGLjvyccIl instead of manually setting up a server to host ntdll's versions

🔗 https://winbindex.m417z.com/?file=ntdll.dll

🐥 [ tweet ]

😈 [ Octoberfest73, Octoberfest7 ]

I’m pleased to release Inline-Execute-PE, a CobaltStrike toolkit enabling users to load and repeatedly run unmanaged Windows exe’s in Beacon memory without dropping to disk or creating a new process each time. https://t.co/1byTo7uCV1
#redteam #cybersecurity #malware

🔗 https://github.com/Octoberfest7/Inline-Execute-PE

🐥 [ tweet ]

😈 [ BoreanJordan, Jordan Borean ]

Fresh new PowerShell module called ctypes https://t.co/Mtgfey0kLX. This makes it easier to prototype PInvoke calls in PowerShell. As an example, to call GetCurrentProcess(), it's simply:

$k32 = New-CtypesLib Kernel32.dll
$k32.GetCurrentProcess[IntPtr]()

🔗 https://www.powershellgallery.com/packages/Ctypes/0.1.0

🐥 [ tweet ]

😈 [ 424f424f, rvrsh3ll ]

Guess I'm a miscreant. Check out my tool to create "HotKey" .lnk files. https://t.co/iWqIf3FjNJ

🔗 https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/master/Create-HotKeyLNK.ps1

🐥 [ tweet ][ quote ]

😈 [ TrustedSec, TrustedSec ]

In this guide from @GuhnooPlusLinux, you'll learn how the new #BOFLoader extension allows BOFs to be used from a #Meterpreter session. Discover new attacks made possible in Meterpreter and avoid common errors. https://t.co/THThviAluo

🔗 https://hubs.la/Q01z2t0t0

🐥 [ tweet ]

😈 [ c2_matrix, C2 Matrix | #C2Matrix ]

Excellent post on understanding how Sliver C2 works from both attack and defense perspective. Dare we say... #purpleteam #C2Matrix #redteam #blueteam

https://t.co/HfAgxwrv6C

🔗 https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors

🐥 [ tweet ]

😈 [ AnubisOnSec, anubis ]

The very first Red Team based article officially published by @nvidia is out now!

Honored to have my write up be the first one, but there will be many more coming out from my team this year.

https://t.co/y62teiMpi5

🔗 https://developer.nvidia.com/blog/exploiting-and-securing-jenkins-instances-at-scale-with-groovywaiter/

🐥 [ tweet ]

😈 [ elad_shamir, Elad Shamir ]

Have you ever wondered how RODCs work and whether compromising one would necessarily allow for privilege escalation?

The answers are in my new post:
At the Edge of Tier Zero: The Curious Case of the RODC

https://t.co/GeNn1cxxhX

🔗 https://posts.specterops.io/at-the-edge-of-tier-zero-the-curious-case-of-the-rodc-ef5f1799ca06

🐥 [ tweet ]

😈 [ bohops, bohops ]

PyBOF: In-memory loading and execution of Beacon Object Files (BOFs) through Python

https://t.co/Qu499zWNAn

cc: @kakt1s2015

🔗 https://github.com/rkbennett/pybof

🐥 [ tweet ]

😈 [ eversinc33, eversinc33 ]

I am probably just tripping, but I didnt find any C# implementation of the StartWebclient BOF from @OutflankNL on github (?) so I did a quick copy paste port to C# to make that windows privesc even more straightforward https://t.co/LJgDB8Bd7E

🔗 https://github.com/eversinc33/SharpStartWebclient

🐥 [ tweet ]

😈 [ an0n_r0, an0n ]

somehow CVE-2023-24055 has been assigned on #KeePass for an attack path published by @harmj0y and @tifkin_ 7 years ago in 2016: https://t.co/kmWcoLBReo (look at the section Exfiltration Without Malware – KeePass’ Trigger System). awesome!🙃

🔗 https://blog.harmj0y.net/redteaming/keethief-a-case-study-in-attacking-keepass-part-2/

🐥 [ tweet ][ quote ]

😈 [ _nwodtuhs, Charlie Bromberg “Shutdown” ]

Big up to @Fransosiche and @Wlayzz for the new "HTTP Request Smuggling" page on The Hacker Recipes 🧑‍🍳

https://t.co/9k8aKrAIjz

🔗 https://www.thehacker.recipes/web/config/http-request-smuggling

🐥 [ tweet ]

😈 [ NinjaParanoid, Chetan Nayak (Brute Ratel C4 Author) ]

Here it goes. A detailed blog on proxying your DLL loads and hiding the original callstack from userland hooks/ETW with a new set of undocumented API and some hacky tricks. Code is on my Github repository. This one was a brain buster 🔥

https://t.co/AKFW8hthXZ

🔗 https://0xdarkvortex.dev/proxying-dll-loads-for-hiding-etwti-stack-tracing/

🐥 [ tweet ]

😈 [ _dirkjan, Dirk-jan ]

TIL about git add -p which allows you to choose which lines from a file to include in a commit 🤯. Super useful to pick smaller fixes and leave out large new things that are still a work in progress.

🐥 [ tweet ]

👹 [ snovvcrash, sn🥶vvcr💥sh ]

Keep in mind when scraping usernames from a #Cisco #CUCM server with @n00py1’s cucme[.]sh or @TrustedSec’s SeeYouCM-Thief: the names can be not only within the <userName> tag but also within the <firstName> and <lastName> tags. Worth checking!

https://t.co/GGX5OeKQ3Q

🔗 https://ppn.snovvcrash.rocks/pentest/infrastructure/networks/sip-voip#cisco-ip-phones

🐥 [ tweet ]

😈 [ _ZakSec, Zak ]

New Masky release (v0.2.0). Nothing crazy but you can now easily pack the agent to avoid basic EDR detections (look at the -e & -fa parameters). Some bug fixes have also been applied on the PKINIT part, thanks @mpgn_x64 !
Here is an example with the awesome NimCrypt2 loader 👌

🐥 [ tweet ]

😈 [ _Wra7h, Christian W ]

70 shellcode execution methods to pop calc and chill to

https://t.co/YdvfxlkFRJ

🔗 https://github.com/Wra7h/FlavorTown/tree/main/C

🐥 [ tweet ]