Peter Gabaldon

@PedroGabaldon

Followers
433
Following
8K
Statuses
864

Joined September 2010
@PedroGabaldon
Peter Gabaldon
2 years
Sapphire Tickets (And Diamond Tickets, briefly) Credits to @_nwodtuhs who invented it and extended ticketer #hacking #kerberos #ad #cybersecurity
1
31
54
@PedroGabaldon
Peter Gabaldon
7 minutes
Just seen a phishing campaign using an htm attachment that contains the following script to dynamically load a fake Microsoft login. Any subdomain and any parameter name are valid to render the phishing site. @banthisguy9349
0
0
0
@PedroGabaldon
Peter Gabaldon
18 days
Some time ago I implemented a new method in secretsdump using Shadow Snapshots. We have developed a PoC to show how it can be detected using ETW: Impacket’s PR:
0
14
88
@PedroGabaldon
Peter Gabaldon
18 days
RT @elmejordelresto: Listen to how that beast sounds as it slides over the ice of Monte Carlo 🤤 #WRC #RallyeMonteCarlo
0
475
0
@PedroGabaldon
Peter Gabaldon
2 months
0
3K
0
@PedroGabaldon
Peter Gabaldon
2 months
RT @sysadafterdark: From reddit.
0
309
0
@PedroGabaldon
Peter Gabaldon
2 months
RT @0x64616e: How to WebDAV Relay LPE on Windows 11: 1-3. Trigger start of EFS service through Explorer 4-11. Continue like on Windows 10 Th…
0
78
0
@PedroGabaldon
Peter Gabaldon
2 months
RT @slowerzs: Ever wondered how CryptProtectMemory with the CRYPTPROTECTMEMORY_SAME_PROCESS flag worked, or if encrypted blobs could be dec…
0
59
0
@PedroGabaldon
Peter Gabaldon
2 months
RT @re_and_more: RE tip of the day: Here is classic position-independent code commonly seen in shellcodes and during manual unpacking. The…
0
30
0
@PedroGabaldon
Peter Gabaldon
2 months
RT @al3x_n3ff: NetExec has a new Module: Timeroast🔥 In AD environments, the DC hashes NTP responses with the computer account NT hash. Tha…
0
285
0
@PedroGabaldon
Peter Gabaldon
3 months
RT @CICADA8Research: Hello everyone! Our team loves everything related to LPE exploits. However, there is no publicly available list on the…
0
151
0
@PedroGabaldon
Peter Gabaldon
3 months
RT @MarioGS59: NO
0
542
0
@PedroGabaldon
Peter Gabaldon
3 months
RT @watchtowrcyber: Oh, and our full PoC inc device certs (read the blog to see how this works on fully patched FortiManager’s) https://t.…
0
18
0
@PedroGabaldon
Peter Gabaldon
3 months
RT @watchtowrcyber: hop skip jump over to our latest blog post - analysing Fortinet's FortiJump CVE-2024-47575, FortiJump-Higher (we love t…
0
74
0
@PedroGabaldon
Peter Gabaldon
3 months
RT @NinjaParanoid: #PROTIP: If you can't listen on port 80 during a bind shell, try adding the URI '/Temporary_Listen_Address/' to ur liste…
0
518
0
@PedroGabaldon
Peter Gabaldon
3 months
RT @sekurlsa_pw: Just found out about this (posted 4 years ago). Pretty crazy 🤯
0
2
0
@PedroGabaldon
Peter Gabaldon
3 months
RT @watchtowrcyber: aUtHenTiCaTed RCE Citrix?
0
85
0
@PedroGabaldon
Peter Gabaldon
3 months
0
0
1
@PedroGabaldon
Peter Gabaldon
3 months
@rnmx123 @0x64616e @nyxgeek Also Shadow Snapshots. In our case “The Eagle” caught us when using Extract To because it spawned a new process that contained in the Command Line the string “Windows\System32\SAM” and thus. Using “Copy To” no alert was generated.
@PedroGabaldon
Peter Gabaldon
1 year
I can't believe the presumably top EDR has let us dump SAM with 7z. It is possible to create a Shadow Snapshot and open it with 7z, copying SAM/SYSTEM/SECURITY from Windows\System32\Config. Important note: you have to use "Copy To", not "Extract To" #infosec #cybersecuritytips
0
4
22
@PedroGabaldon
Peter Gabaldon
3 months
@m0lto_bene Nice, so this appears to be another way. We have been using the SharePoint application, but this appears to be valid as well. If you agree, I will add it to my blog post and give credits to you
1
0
0