[ ntlmrelay, Ring3API ]
Dismember tool by @liam_galvin - scan memory for secrets and more.
https://t.co/3anDqypiVb
#redteam #BlueTeam #threathunting #DFIR
https://github.com/liamg/dismember
[ tweet ]
[ DirectoryRanger, DirectoryRanger ]
A Syscall Journey in the Windows Kernel, by @AliceCliment
https://t.co/xlGizX3pEm
https://alice.climent-pommeret.red/posts/a-syscall-journey-in-the-windows-kernel/
[ tweet ]
[ tiraniddo, James Forshaw ]
After @clearbluejar's post on using NtObjectManager for RPC, I thought I should finish a post about a few approaches to narrow down the enumeration to individual running processes rather than having to parse all executables on disk. https://t.co/xh22G6Ek80
https://www.tiraniddo.dev/2022/06/finding-running-rpc-server-information.html
[ tweet ]
[ ORCA10K, ORCA ]
After hiding the payload in the thread description, I decided to search for new places for the same purpose, so I'm releasing a new PoC that hides your payload in NVIDIA's GPU memory.
https://t.co/06mPPffWIt
https://gitlab.com/ORCA000/gp
[ tweet ]
[ n00py1, n00py ]
Do you use AADInternals Invoke-AADIntReconAsOutsider by @DrAzureAD? Super useful when finding related domains when doing an External Penetration Test.
https://t.co/mWGz0YqhDK
https://o365blog.com/aadinternals/#invoke-aadintreconasoutsider
[ tweet ]
[ S0ufi4n3, Soufiane Tahiri ]
Here is the code of my #Ransomware simulator: https://t.co/iOlPkPL0xx
I ended up replacing AES with simple XOR.
- Exfiltrating Documents (SMTP and/or FTP)
- Creating/Deleting Volume Shadow Copies
- Encrypting documents
- Dropping a ransomware note to the user's desktop
https://github.com/soufianetahiri/RansomwareSimulator.public
[ tweet ]
[ bitsadmin, Arris Huijgen ]
New blog post on my experiences with importing and querying large #BloodHound datasets using Neo4j's Cypher query language: https://t.co/Gux8V1ZJSJ. Utilities for importing large dumps available at https://t.co/n7yrzoIDDO.
https://blog.bitsadmin.com/blog/dealing-with-large-bloodhound-datasets
https://github.com/bitsadmin/chophound
[ tweet ]
[ n00py1, n00py ]
LAPSDumper can now export to CSV. Thanks to @NaisuBanana
https://t.co/sc0YJk5ITX
https://github.com/n00py/LAPSDumper/pull/5
[ tweet ]
[ daem0nc0re, daem0nc0re ]
Released a PoC for SeTrustedCredmanAccessPrivilege.
This PoC tries to get the decrypted DPAPI blob for the user account that executes it.
As far as I tested, it seems that SYSTEM integrity level is required to use this privilege.
https://t.co/XivEJdZS4Y
https://github.com/daem0nc0re/PrivFu#privilegedoperations
[ tweet ]
[ codewhitesec, Code White GmbH ]
Bypassing .NET Serialization Binders: case studies for DevExpress (CVE-2022-28684) and Microsoft Exchange (CVE-2022-23277) by @mwulftange https://t.co/G90Qg7gQ9m
https://codewhitesec.blogspot.com/2022/06/bypassing-dotnet-serialization-binders.html
[ tweet ]
[ merill, Merill Fernando ]
Trust me. PowerShell is not going to be the same again once you do this.
Update to the latest version of PowerShell and run this command.
Set-PSReadLineOption -PredictionViewStyle ListView
Your entire PowerShell history at your fingertips!
[ tweet ]
[ splinter_code, Antonio Cocomazzi ]
My blog series "The hidden side of Seclogon" continues with part 3: Racing for LSASS dumps
Enjoy the read :D
https://t.co/awa5i9ZoJE
https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html
[ tweet ]
[ SEKTOR7net, SEKTOR7 Institute ]
"Things that were hard to bear are sweet to remember."
- Seneca Minor
[ tweet ][ quote ]
[ metasploit, Metasploit Project ]
EfsPotato-efspotahto
https://t.co/1yskSWb6qD
https://youtu.be/QVorNIfY5Ow
[ tweet ]
[ _mohemiv, Arseniy Sharoglazov ]
If you have access to a Windows machine, try to get NAA credentials via Impacket:
1. https://t.co/HfDmnqOOl7 -rpc-auth-level privacy -namespace '//./root/ccm/policy/Machine/ActualConfig' CONTOSO/user:pass@host
2. SELECT * FROM CCM_NetworkAccessAccount
Credits: @subat0mik
http://wmiquery.py
[ tweet ][ quote ]
[ JasonFossen, Jason Fossen ]
How to host the PowerShell engine inside of Python and then run PowerShell code inside Python (and not spawn an external process):
https://t.co/kDal7LhP1e
#PowerShell #Python #SEC573 #SEC505 @MarkBaggett
https://devblogs.microsoft.com/powershell/hosting-powershell-in-a-python-script/
[ tweet ]
[ Tarlogic, Tarlogic ]
#ZeroTrust is one of the trending concepts in the #cybersecurity world. But the hype around it is perhaps a bit excessive. In this article, we explain why...
https://t.co/hUiMeq6bnR
https://www.tarlogic.com/blog/demystifying-zero-trust/
[ tweet ]
[ itm4n, Clément Labro ]
@splinter_code Yeaaaaaaaah! Love this series!
Recently, I also tested this technique to evade the LSASS dump detection. cc @k4nfr3
https://t.co/e0rZHBcWZN
Overriding the first occurrence of "lsass.pdb" seems to be enough but of course there are plenty of ways to achieve the same result.
https://www.bussink.net/lsass-minidump-file-seen-as-malicious-by-mcafee-av/
[ tweet ]
[ PortSwiggerRes, PortSwigger Research ]
Bypassing Firefox's HTML Sanitizer API by @garethheyes
https://t.co/ePGrxxTVDW
https://portswigger.net/research/bypassing-firefoxs-html-sanitizer-api
[ tweet ]
[ __mez0__, πΞ΅δΉοΌ ]
Obfuscating Reflective DLL Memory Regions with Timers: https://t.co/dxLLXjmZui
https://mez0.cc/posts/vulpes-obfuscating-memory-regions/
[ tweet ]