😈 [ harmj0y, Will Schroeder ]
After an awesome back and forth with @cnotin and @SteveSyfuhs on the effects of "TokenLeakDetectDelaySecs" and "Protected Users" for mitigating token theft, I've updated the Koh README to reflect this (and updated the post to point to the README as well) https://t.co/AGViEV0stq
🔗 https://github.com/GhostPack/Koh/blob/main/README.md#mitigations
🐥 [ tweet ]
😈 [ ptswarm, PT SWARM ]
💥 New attack! Our researcher Arseniy Sharoglazov discovered a PHP Arbitrary Object Instantiation with no user-defined classes. It was turned into RCE!
Read the research: https://t.co/PJZHLRM8xq
🔗 https://swarm.ptsecurity.com/exploiting-arbitrary-object-instantiations/
🐥 [ tweet ]
😈 [ 404death, sailay(valen) ]
I just recently found out the way
XSS <a> tag without user action
<a/autofocus/onfocus=alert(0) href>valen</a>
<a/href="#"/autofocus/onfocus=alert`valen`>you don't need user action on a tag</a>
Tested on:
https://t.co/RkGdfpNWli
https://t.co/bPvMeBlba1
🔗 https://xss-game.appspot.com/level1/frame
🔗 http://testphp.vulnweb.com/search.php?test=query
🐥 [ tweet ]
😈 [ tiraniddo, James Forshaw ]
Final LSA bug from last month is now open. An interesting one which breaks common assumptions of impersonation security over the LSA's RPC interface. Me and @monoxgas will describe a way of abusing the bug at BH next month to get SYSTEM privileges. https://t.co/v523Q1EXLD
🔗 https://bugs.chromium.org/p/project-zero/issues/detail?id=2278
🐥 [ tweet ]
😈 [ aniqfakhrul, Aniq Fakhrul ]
Our version of PywerView is now publicly available. Python version of PowerView, remotely interacts with an LDAP server. Also included is a mini interactive console with auto completion. Yeet! @h0j3n @imnirfn
https://t.co/c0cdk2fGPr
🔗 https://github.com/aniqfakhrul/PywerView
🐥 [ tweet ]
😈 [ eric_capuano, Eric Capuano ⬡ ]
Interesting API details on how a process is launched in Windows
Specifically dig the part on Protected Processes
https://t.co/V5lWrEqKaT
🔗 https://fourcore.io/blogs/how-a-windows-process-is-created-part-1
🐥 [ tweet ]
😈 [ aniqfakhrul, Aniq Fakhrul ]
TIL: If ldap/ldaps ports are blocked by firewall but gc port (3268) is accessible. In my case, kerberoasting with impacket can't be achieved. Simply switch ldap:// protocol to gc:// in impacket and win!
🐥 [ tweet ]
😈 [ citronneur, Sylvain Peyrefitte ]
Disable SSL certificate verification using #eBPF:
https://t.co/UBsT4TU43H
🔗 https://github.com/citronneur/blindssl
🐥 [ tweet ]
😈 [ 0xdf_, 0xdf ]
Acute from @hackthebox_eu was just a hard pure Windows box. I'll pivot between two hosts largely relying on credentials and enumeration to get domain admin.
https://t.co/p0Fhgak2dI
🔗 https://0xdf.gitlab.io/2022/07/16/htb-acute.html
🐥 [ tweet ]
😈 [ ippsec, ippsec ]
#HackTheBox Acute video is now up! This was a tough Windows box with all the pivots between users. I decided to try out ConPtyShell to get a full PTY on Windows, had to do some light modifications to bypass Defender. https://t.co/hey5QSjGDr
🔗 https://youtu.be/jDYte7xNY1g
🐥 [ tweet ]
😈 [ HuskyHacksMK, Matt | HuskyHacks ]
📝New note is up on https://t.co/DIZF98zvlm
Threat emulation for Windows Installer (MSI) -> DLL malware. Learn how to make a malicious MSI like all the cool kids!
https://t.co/6vWFQckIWE
🔗 http://notes.huskyhacks.dev
🔗 https://notes.huskyhacks.dev/notes/ms-interloper-on-the-subject-of-malicious-msis
🐥 [ tweet ]
😈 [ an0n_r0, an0n ]
May be obsolete, because impacket has already included this in its examples, but I added Kerberos auth support for writing the msDS-AllowedToActOnBehalfOfOtherIdentity property. https://t.co/UGjU3Rt357
🔗 https://github.com/tothi/rbcd-attack
🐥 [ tweet ]
😈 [ campuscodi, Catalin Cimpanu ]
Pretender, a cross-platform tool to obtain a machine-in-the-middle position inside Windows networks
Blog: https://t.co/RS2REMMeA1
GitHub: https://t.co/GCXEgBsOPF
🔗 https://blog.redteam-pentesting.de/2022/introducing-pretender/
🔗 https://github.com/RedTeamPentesting/pretender
🐥 [ tweet ]
😈 [ LittleJoeTables, Moloch ]
For anyone that wants to follow along with the Sliver GUI development, I've open sourced what I've completed so far. However, it's not a priority and there is no timeline on feature-complete: https://t.co/YcKmTL0nRi
PRs welcome :)
🔗 https://github.com/BishopFox/sliver-gui
🐥 [ tweet ]
😈 [ tiraniddo, James Forshaw ]
I recommended to @_dirkjan to try my NtObjectManager PS module to do an AD access check, but of course I provided no guidance. Therefore, here's a quick blog post with an overview of the checking process and how to use the Get-AccessibleDsObject command. https://t.co/ZOoJe6DHAS
🔗 https://www.tiraniddo.dev/2022/07/access-checking-active-directory.html
🐥 [ tweet ]
😈 [ 0gtweet, Grzegorz Tworek ]
Didn't describe it precisely so far:
If you put an 'mpnotify' value into HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, your exe will be launched by winlogon.exe when a user logs on. After 30s the process will be terminated.
https://t.co/36luTJ3vqB
🔗 https://persistence-info.github.io/Data/mpnotify.html
🐥 [ tweet ]
😈 [ m3g9tr0n, Spiros Fraganastasis ]
Malware Mutation Using Reinforcement Learning and Generative Adversarial Networks https://t.co/WxPdaOEkhj
🔗 https://github.com/CyberForce/Pesidious
🐥 [ tweet ]
👹 [ snovvcrash, sn🥶vvcr💥sh ]
[#Tooling ⚔️] Inspired by @s4ntiago_p and NanoDump I’ve fully switched to API Hashing for Windows API and syscalls resolution in DInjector. A quick re-hashing can be performed before compilation with a Python script.
🐥 [ tweet ]