Daniel
@0x64616e
Followers
1,355
Following
136
Media
39
Statuses
814
To the monsters we're the monsters.
Germany
Joined September 2021
Don't wanna be here?
Send us removal request.
Explore trending content on Musk Viewer
UNRWA
• 219470 Tweets
Kutlu Olsun
• 210355 Tweets
Mustafa Kemal Atatürk
• 173610 Tweets
Yankees
• 147839 Tweets
Maroc
• 76185 Tweets
上垣アナ
• 59736 Tweets
INI THE VIEW
• 58849 Tweets
新シナリオ
• 50991 Tweets
ワイルズ
• 41772 Tweets
Liguria
• 36520 Tweets
Happy Dhanteras
• 33869 Tweets
SB19 IWAGAYWAY ANG WATAWAT
• 31806 Tweets
#SB19ReceivesMurilloVelardeMap
• 31783 Tweets
Atam
• 22665 Tweets
バチカン
• 20488 Tweets
朝ドラヒロイン
• 19793 Tweets
ルーチェ
• 18844 Tweets
HYBE APOLOGIZE TO LISA
• 18571 Tweets
NE MUTLU TÜRKÜM DİYENE
• 18299 Tweets
マイナ免許証
• 16670 Tweets
キャラクリ
• 15894 Tweets
閣議決定
• 15474 Tweets
スライム
• 15130 Tweets
蜘蛛恐怖症対策モード
• 14648 Tweets
JOYSOUND
• 12006 Tweets
Lol, blocking the loading of EDR drivers with WDAC actually works.
@0x64616e
You don’t need physical access, local admin can turn off EDR easily, just make a WDAC policy to block the drivers/user land binaries.
3
29
150
10
246
1K
Lateral movement as unprivileged user via Remote Registry now in Impacket
Do you want to start the RemoteRegistry service without Admin privileges?
Just write into the "winreg" named pipe 👇
26
322
1K
3
136
392
Kerberos relaying from SMB to ADCS. Especially great when ESC8 was mitigated by disabling NTLM auth on the ADCS server.
Following up on my earlier tweet () regarding Kerberos relay with SMB server, I've uploaded my quick & dirty version. It's far from perfect, so feel free to improve it!
6
97
239
5
87
313
You dumped TGTs on a Windows 11 laptop and are wondering why PTT is breaks in strange ways? Check if Credential Guard is enabled. If so, dump STs instead, as they are not protected by CG.
6
71
308
Hu, this actually works. Local admin + physical access = bye, bye EDR.
5
34
218
After reading
@C5pider
's blog I got an idea how to implement global shellcode context without NtProtectVirtualMemory: Add magic header to context struct, place context on stack, append its address to peb.ProcessHeaps and retrieve it from there when needed. No syscalls required.
Modern implant design: position independent malware development.
A small blog post on how to design "modern" malware with features like global variables, raw strings, and compile-time hashing.
Repo:
27
320
1K
1
29
176
Do you like ZSH, SOCKS proxies and Impacket? Then you might want to check this out:
3
43
176
This weeks path to domain admin was quite a ride. Starting from credentials in SCCM task sequences and ending in a golden certificate. BloodHound is such an invaluable tool.
7
23
175
Can anyone explain what the hell is going on with Protected Users here? Why is the user allowed to do NTLM? And how does it even work when the NT hash isn't cached in LSASS? I'm so confused.
9
23
153
Session Takeover via Pass the Challenge powered by
@mcbroom_evan
's lsa-whisperer and
@ly4k_
's impacket fork.
1
49
153
Did you know curl on Windows can authenticate via SSPI? Proxy auth works as well.
2
20
136
Virtualization is the future for AV/EDR evasion. Minimal RX memory, no crappy sleep masking and many new possibilities.
@C5pider
if you haven't already, you'll want to read that.
Red Teaming in the age of EDR: Evasion of Endpoint Detection Through Malware Virtualisation
2
171
529
4
14
130
Weighted graphs seem to be the logical next step for BloodHound. The shortest path to Domain Admin isn't necessarily the easiest to exploit. Will definitely use this in my upcoming Active Directory Pentests.
New release of AD Miner () introducing better path calculation with
#Bloodhound
(Smartest vs. Shortest Paths). Also published an article to explain this feature :
2
52
148
3
28
126
You obtained a computer account password and need an AES ticket? Check out
Original source is by
@snovvcrash
0
35
110
Had a shower thought: Instead of searching for RWX sections in other DLLs (Mockingjay) just bring your own RWX section. Not sure if this is actually useful, but it enables syscall-less shellcode loaders.
1
26
105
Just Windows doing Windows things :D
I bet there's plenty software out there that doesn't expect this behavior.
*Reminder*
MagicDot is now live on GitHub -
If you want to manipulate the DOS-to-NT path conversion process in Windows and leverage that for rootkit capabilities, Remote Code Execution, and Elevation of Privilege then check it out!
0
26
74
2
11
74
I did some more testing and must add two constraints:
1. Doesn't work if RemoteRegistry service is explicitly disabled, which seems to be default on desktops since Win 10.
2. Target user must be currently logged in on target computer. Otherwise you get ERROR_FILE_NOT_FOUND.
Lateral movement as unprivileged user via Remote Registry now in Impacket
3
136
392
0
16
65
This talk mentions a pretty funny AD persistence technique that I hadn't heard of before: RBCD to krbtgt. More info at
0
15
65
"Backing up" NTDS.dit with wbadmin.exe is interesting. Will have to test what EDRs think about it :D
Another
#LOLBAS
milestone: 200 entries 💯💯
Recent additions:
🔥wbadmin (NTDS.dit dumping)
🔥winproj/msaccess (INetCache downloaders)
🔥appcert (proxy execution)
🔥tar (to/from ADS)
🔥te (arbitrary DLL loading)
Thanks
@AvihayEldad
, irEasty,
@C_h4ck_0
& others for contributing
2
34
132
0
15
54
Bypassing Windows Memory Integrity aka HVCI by swapping Page Frame Numbers
0
9
52
Genius idea to discourage users from entering credentials on AitM phishing sites! I implemented a PoC as Cloudflare Worker. See
@N805DN
@EricaZelic
So in the MSP space theres a tool that uses the Entra branding custom CSS to dynamically eval the request header referer and if it’s not login.microsoftonline change the backround image to warnings.
3
0
19
1
11
50
Interesting detail: "Using direct syscalls is not always malicious. This action can be performed frequently by legitimate software, such as security products, gaming anti-cheat modules, Chromium-based applications and more."
1
16
45
If you haven't heard of the SaaS attack matrix I highly recommend this great talk by
@jukelennings
0
8
42
My friend
@mojeda_101
and I had the funny idea to leverage GPO item-level targeting for domain persistence.
0
13
33
@ShitSecure
@m3g9tr0n
Lateral movement in certain edge cases. For example if you found credentials of a regular domain user on a SMB share you can create a malicious Run key on his/her workstation.
4
5
32
Entra roles that have an actual path to Tier 0:
Same for MS Graph:
Nice work
@emiliensocchi
!
New blog post 📢
𝗧𝗶𝗲𝗿𝗶𝗻𝗴 Entra roles and application permissions based on 𝗸𝗻𝗼𝘄𝗻 𝗮𝘁𝘁𝗮𝗰𝗸 𝗽𝗮𝘁𝗵𝘀 🌩
This is a humble approach to understand the security implications of administrative cloud assets in terms of privilege escalation🪜
2
16
57
1
7
30
Interesting talk how sleep obfuscation can be detected
0
15
30
Cool Entra PRT cookie shenanigans
Thank you very much for joining my session at
#BHASIA
! I think the slide will be published tomorrow. So, in the meantime, I'm releasing the PoC tool, BAADTokenBroker. You can pivot to the cloud, interacting with the secret keys in TPM. Enjoy!
2
20
49
0
5
28
0
12
26
Code to trigger EFS without GUI interaction:
0
7
24
I had multiple engagements where WebDAV relaying provided a straight path onto an admin workstation. With this HTTP.sys trick it's even better.
As ntlm leaking is still a thing, made a showcase for elevating via ldap relaying with some little tricks.
Relaying is done with a Win Client without admin privs and an active Windows firewall (default config), by using HTTP.SYS and SSH.
Details here:
4
66
142
0
4
23
Wrote a small script for better integration between ZSH and Proxychains
0
5
16
I noticed at the beginning of this year that "certipy find" as regular domain user doesn't always identify ESC11. Since then I'm rerunning certipy after I got Domain Admin another way and found two additional cases of ESC11 this way.
I don't think orgs realize how lucky they are that ransomware groups didn't automate ADCS vulns into their malware. These vulnerabilities were everywhere last year. EVERYWHERE
12
5
84
1
1
15
@EricaZelic
@NathanMcNulty
Read a comment recently that was basically: If your IT isn't doing SSO your users are (by reusing passwords).
Pretty on point I think :D
2
0
14
Highly recommend this series and all his other videos. Really good stuff.
Third video of "Understanding a Payload's Life" is now available
This one focuses on how MSF and other frameworks generate payload executables (EXEs, DLLs...). We will see their different approaches, and how to create custom templates for Metasploit!
Links in my site🙏
1
81
204
1
1
14
Wait, what?
We can relay back to the same machine using Kerberos relay instead of NTLM relay. I discovered this attack vector more than a year ago. I will describe it in detail in upcoming Black Hat Asia 2024 and introduce more interesting attacks.
18
182
569
0
0
12
Nice trick to escalate MSSQL guest access with xp_dirtree to search backup files in the webroot.
The most fun part of Manager from
@hackthebox_eu
is exploiting the ESC7 vulnerability in the ADCS. To get there, I'll do a password spray, get access to MSSQL, and use xp_dirtree access to find creds.
0
25
122
0
3
10
After seeing a YouTube video where a malware analyst used a sandbox to triage samples, I got interested in stealthy sandbox evasion. This is the result:
0
2
10
With
@buck_steffen
we found the solution: All this is a narrow edge case:
1. Logon local interactive
2. Logon remote interactive via RDP, prev session is taken over
-> NT hash is cached, NTLM auth works
Without step 1 hash is not cached and uncrackable NTLM response is produced.
2
1
9
1
0
9
JuicyPotatoNG still works on Win 11 22H2 with CLSID {A9819296-
E5B3-4E67-8226-5E72CE9E1FB7}
The slides of our joint research talk “10 Years of Windows Privilege Escalation with Potatoes” at
#POC2023
are out!
👉
cc
@decoder_it
4
149
382
0
3
8
@_RastaMouse
Don't think it's worth it. You end up rewriting a lot of libraries for no real benefit. Projects like and are probably more worthwhile.
1
0
8
I've never heard of this persistence technique before. Thanks
@sreevatsa
for telling be about this.
In this week's blog post, we discuss a technique often employed by red teamers and threat actors during the lateral movement stage of the cyber kill chain, known as RID hijacking.
#RedTeam
#RIDHijacking
#Cybersecurity
1
6
12
0
0
6
And that's why you need a TPM PIN.
Lenovo X1 Carbon Bitlocker Key Sniffing any% Speedrun
(42.9 seconds)
65
897
5K
0
0
6
@lowercase_drm
Thanks. I hope the PR in ldap3 is merged soon. This would make adoption in Impacket and other tools even easier.
1
0
5
"Jumpboxes/bastion hosts are a relic from the network segmentation days and are an inadequate solution for mitigating identity-driven offensive tradecraft."
Check out my latest blog post, "The Security Principle Every Attacker Needs to Follow", in which I lay the foundation for a framework for discovering attack paths, including those that BloodHound can't find yet.
5
37
100
0
0
5
@tedixh1
@Rhynorater
curl hxxps://apps.db.ripe.net/db-web-ui/api/rest/fulltextsearch/select -H 'accept: application/json' -G --data-urlencode q='(RIPE NCC) AND (object-type:inetnum)'
0
0
4
Using systemd-generators as persistence is a cool technique that I haven't heard of before.
Series by
@__pberba__
about persistence in Linux environments
Map:
Auditd:
Accounts:
Systemd:
Scripts:
Generators:
#Linux
1
119
406
0
0
4
@jmpsecurity
@n00py1
I dumped and decrypted the NAA, task sequences and collection variables as local admin on a SCCM-managed notebook with PowerShell.
1
0
4
2
0
4
I have a hard time understanding the difference between "User consent to apps" in and "User consent for applications" in
Does somebody know more? Maybe
@EricaZelic
or
@NathanMcNulty
?
1
0
4
According to this Microsoft presentation the Active Directory functional level 2025 will enforce LDAP Signing, but not LDAPS Channel Binding. The docs at mention neither.
0
1
3
@Octoberfest73
I recommend to create a list with all people you follow. This gets you a chronological timeline, no ads, no algorithm.
0
0
3
@EricaZelic
Like SSLv3 and most other findings related to outdated crypto it's medium at best, because in the real world it'll never get exploited. NTLMv1 and SMB Signing are much more important.
0
0
3
Cool trick to hide a process.
0
1
3
For sake of completeness: This can be easily bypassed. You should use phishing resistant authentication like Fido or WHFB.
0
0
3
Good idea. Should also work well with ADIDNS Spoofing.
How to combine Responder w/ Evilgnx2 for privilege escalation and lateral movement in Passwordless, MFA and/or Zero Trust Environments:
(Technique discovered by
@nevadaromsdahl
in 2023))
0
54
105
0
0
3
@decoder_it
@EricaZelic
Until a few months ago I myself thought that disabling NTLM on the server is sufficient.
1
0
2
@ewbysec
@Cyb3rC3lt
As stated in the original tweet, I'm not sure if this has any real world use case. It's definitely useless for remote process injection. The only interesting aspect is probably that you can load code at runtime and execute it from backed memory without invoking any syscall.
1
0
2
@pfiatde
I should've taken another look at your post. I'm so used to coercing the computer account via RPC that I overlooked that you were coercing the user with an LNK. The former works fine on Win10, but doesn't seem to work on Win11, while the latter works exactly as you described.
0
0
2
@sapientflow
@C5pider
Yes, that's a weak point. But it could be addressed with virtualization. For example a RISC-V VM without address translation like
The only disadvantage of the railgun idea is the open connection to the C2 for the runtime of the payload.
1
0
2
@JimSycurity
@bugch3ck
I think the mystery is solved. See
With
@buck_steffen
we found the solution: All this is a narrow edge case:
1. Logon local interactive
2. Logon remote interactive via RDP, prev session is taken over
-> NT hash is cached, NTLM auth works
Without step 1 hash is not cached and uncrackable NTLM response is produced.
2
1
9
0
0
2
@bugch3ck
@buck_steffen
No, at least not in the general case. Only if you login locally, don't close the session and then login remotely, then suddenly NTLM auth is allowed.
1
0
2
@Gridironsec
@EricaZelic
@NathanMcNulty
If you're thinking dev vs prod, then I probably agree, but otherwise I don't see what network separation has to do with SSO.
And you can't really prevent password reuse. PasswordDev2024! vs. PasswordProd2024!
0
0
2
@_RastaMouse
I assume most (all?) of it can be implemented in a library and doesn't require direct compiler support. Features that do should be solvable with a LLVM plugin. But that's all theoretical I've no practical experience with LLVM :D
0
0
1
I did some more testing and must add two constraints:
1. Doesn't work if RemoteRegistry service is explicitly disabled, which seems to be default on desktops since Win 10.
2. Target user must be currently logged in on target computer. Otherwise you get ERROR_FILE_NOT_FOUND.
0
16
65
0
0
2
@shubakki
@C5pider
a) Yes, of course the interpreter is plain. That's why the blog mentions polymorphism and recommends to keep the interpreter small.
b) There's no need for sleep masking in a VM. The payload is never decrypted in the first place. Except the instruction that is currently executed.
1
0
2
Nice ZIP exploitation tricks at the end.
To exploit Zipping from
@hackthebox_eu
, I'll use symlinks in Zips to read files, bypass a gnarly regex filter with newline injection to get SQL injection and write a webshell. I'll make a malicious shared object. In Beyond Root, two unintended footholds.
1
12
86
0
0
1