S3cur3Th1sSh1t Profile
S3cur3Th1sSh1t

@ShitSecure

Followers: 22,169
Following: 307
Media: 238
Statuses: 2,322

Pentesting, scripting, pwning!

127.0.0.1
Joined January 2019
Pinned Tweet
@ShitSecure
S3cur3Th1sSh1t
1 month
This year it happened. What started as a spare time hobby and fun project became a commercial product for the Offensive Security community. I founded a company, @MSecOps . And this company will sell a Packer to Red Teams or Pentesters. (1/x) 🔥
@MSecOps
MSec Operations
1 month
🔥 Introducing RustPack 🔥 . RustPack is an evasive Packer/Loader, that is capable of bypassing common AV/EDR vendors. It accepts user-provided known malicious input payloads, such as shellcode, C# assemblies or portable executables (PE). Those inputs are encrypted, and
@ShitSecure
S3cur3Th1sSh1t
4 years
A tale of EDR bypass methods - Special thanks to @_EthicalChaos_ and @_RastaMouse for answering all my questions! 🍻
@ShitSecure
S3cur3Th1sSh1t
2 years
Searching for DLL Sideloading binaries? A short Powershell Script in combination with Siofra will give you thousands of possible combinations. Either try to replace any Windows DLL Import with your payload DLL or search for Phantom DLLs.
@ShitSecure
S3cur3Th1sSh1t
3 years
Little Potato tool release - credit to @splinter_code for helping me out:
@ShitSecure
S3cur3Th1sSh1t
1 year
My team mate @m_fielenbach recently created a python script to automate the process of discovering and exploiting ESC1 & ESC8 ADCS vulnerabilities: 🙌 So if you want to save some minutes of time in your next projects feel free to test it out. 🔥
@ShitSecure
S3cur3Th1sSh1t
4 years
Encrypting .NET assemblies and decrypting them at runtime patching AMSI and blocking ETW before execution via Nim works like a charm! 🙂
@ShitSecure
S3cur3Th1sSh1t
2 years
I really like DeepL for translations. But I also like the fact that when using the Desktop APP it makes use of a signed executable named CreateDump.exe in %APPDATA%, which can dump e.g. LSASS 🧐🤩
@ShitSecure
S3cur3Th1sSh1t
9 months
My latest blog post about avoiding kernel triggered EDR memory scans via Caro-Kann PoC is now released: 🔥
@ShitSecure
S3cur3Th1sSh1t
2 years
Just added the two new AMSI bypass PoC's via Provider Patching into my Amsi-Bypass-Powershell repo. Plus one PoC in Nim as pull request for OffensiveNim: Tested both, works perfectly fine. 👌 (1/2)
@ShitSecure
S3cur3Th1sSh1t
3 years
PrintNightmare added to WinPwn, random DriverName and random Username. Credit goes to @_johnhammond for the Powershell implementation: -
@ShitSecure
S3cur3Th1sSh1t
3 years
The last two weekends plus some evenings I spent my time writing a Nim Packer/Loader, which will be provided to Sponsors only via private repo. It's capable of packing C# Assemblies, Shellcode or PE-Files. (1/3)
@ShitSecure
S3cur3Th1sSh1t
8 months
Just updated Rubeus, Seatbelt, Certify, Invoke-Privesccheck in PowersharpPack and WinPwn. It was time again. Also WinPwn now uses the C# Inveigh version with way more features enabled.👌
@ShitSecure
S3cur3Th1sSh1t
3 years
New blog post & tool release, Named Pipe PTH - this would have never happened without @decoder_it @tiraniddo @splinter_code @kevin_robertson @_EthicalChaos_ @n00py1 🥳😎
@ShitSecure
S3cur3Th1sSh1t
2 years
Bypass conditional access policies for Azure? Try changing the user agent to mobile devices. 🙈 didn’t know that one before today - one colleague found this 🙌
@ShitSecure
S3cur3Th1sSh1t
3 years
We just confirmed this and got instant DA via NTLMv1 downgrade -> Cracking -> PTH to the second DC. Easy peasy without ADCS ESC8. 🤠
@T3nb3w
T3nb3w
3 years
If the following misconfigurations exist: - SMB/LDAP signing is disabled. - The usage of NetNTLMv1. 2/2
@ShitSecure
S3cur3Th1sSh1t
3 years
Today I built a custom Mimikatz Version with "only" the misc modules embedded (less AV signatures). Created an Invoke-Mimikatz-like Powershell script for @topotam77 's Petitpotam afterwards: Easy in memory execution is possible now 🍻
@ShitSecure
S3cur3Th1sSh1t
1 year
Wrote something on how to bypass Google Safe Browsing for Phishing campaigns🧐
@ShitSecure
S3cur3Th1sSh1t
2 months
Added to Amsi Bypass Powershell! :-) Plus another one from @cybersectroll , which uses reflection to update the ScanContent method with a self defined function.
@bcsecurity
BC Security
2 months
ScriptBlock Smuggling is a new technique, developed by @_Hubbl3 & @Cx01N_ that allows for the spoofing of PowerShell security logs & bypasses AMSI without the need for reflection or memory patching. Learn all about it in our new blog post!
@ShitSecure
S3cur3Th1sSh1t
2 months
Didn't check the code yet, but looks like SilverPotato and CertifiedDCOM have a working public weaponized tool by now: That's huge news from my perspective🔥
@ShitSecure
S3cur3Th1sSh1t
3 years
Public tool release: SharpImpersonation - big credit to @0xbadjuju for the code base via Tokenvator!
@ShitSecure
S3cur3Th1sSh1t
10 months
Today I needed to decrypt Veeam stored credentials. As existing toolings failed and/or manual decryption for a lot of passwords was too much effort I wrote a small assembly to do the whole job:
@ShitSecure
S3cur3Th1sSh1t
4 years
Did you ever want to build your own Invoke-Mimikatz not flagged by AMSI? Just published part II of "Bypass AMSI by manual modification" 🤘🥳
@ShitSecure
S3cur3Th1sSh1t
3 years
Just integrated @ly4k_ 's CallbackHell exploit into WinPwn. Happy LPE everyone 😎
@ShitSecure
S3cur3Th1sSh1t
1 year
Proof of Concept for userland hook evasion - Ruy Lopez is released. The talk at @x33fcon was awesome :-)
@ShitSecure
S3cur3Th1sSh1t
4 years
The third blog post is complete. Building a custom Mimikatz binary by source code modification:
@ShitSecure
S3cur3Th1sSh1t
7 months
Sweet reminder. If you already compromised one inbox (OWA or O365) you can use Office Macro documents for internal phishing, as MOTW is not applied for internal E-Mails 😇
@ShitSecure
S3cur3Th1sSh1t
2 years
The difference between signature-based and behavioural detections. As well as a little philosophy. 😎
@ShitSecure
S3cur3Th1sSh1t
1 year
Super cool post from my teammate @WolfieMcFly about NetNTLMv1 Downgrade attacks! 🙌 Also includes the lesser known exploitation for any other vulnerable server/client via Silver Ticket instead of exploitation for DC's only 🔥🔥
@ShitSecure
S3cur3Th1sSh1t
3 years
Found a JWT-Token on the target Web application? This saves you A LOT of time:
@ShitSecure
S3cur3Th1sSh1t
1 year
Just finished the talk "Playing Chess as Red-Teams" @MCTTP_Con ! 🔥 Time to release my PoC to avoid Kernel Callback / ETWti triggered memory scans for process injection - Caro-Kann:
@ShitSecure
S3cur3Th1sSh1t
4 years
Now fake WSUS updates are easily exploitable again 😊can’t wait to test this.
@ShitSecure
S3cur3Th1sSh1t
3 years
Defender in memory scan - Hasta la vista, baby! 🥳 DInvoke Syscalls to avoid hooking + Sleeps for the DLL imports. Both trigger a scan, so doing only one won't help. Only needs an amsi.dll patch bypass before. Let's see how long this will last 😬
@ShitSecure
S3cur3Th1sSh1t
2 years
Just finished my very first PIC C-Project, which is Shellcode blocking any DLL, e.g. amsi.dll, from being loaded in the process it's injected into. That took several days but I learned a lot and am proud of it 🥳🤓 No amsi.dll Patching, no Hardware Breakpoints.🔥
@ShitSecure
S3cur3Th1sSh1t
3 years
New weakpass wordlist released for more and more cracked credentials 😬😬
@ShitSecure
S3cur3Th1sSh1t
11 months
I'm proud, that the latest Packer release 2.1 now includes: 1) Module Stomping (remote&local) 2) ThreadlessInject 3) Caro-Kann The combination of these three leads to no more alert for remote injection by (I guess) most EDRs. 🔥🤓
@ShitSecure
S3cur3Th1sSh1t
1 year
You want to check all Processes for an AV/EDR DLL not being loaded? Maybe a good process to inject into or force Load your implant into? Maybe there are even exclusions for some Processes due to false positive rates? Here's a Script for it:
@ShitSecure
S3cur3Th1sSh1t
2 years
Found a vhdx/vmdk/vhd file in a network share? Volumiser from @_EthicalChaos_ has you covered to exfiltrate e.g. SAM/SYSTEM to compromise the system via Administrator Pass-The-Hash: Really easy and intuitive to use 👏
@ShitSecure
S3cur3Th1sSh1t
1 year
Last year we did analyse malware from a group targeting malware devs and/or offensive security people. Here’s the story, which is also our first technical blog post - more to follow 🙌:
@ShitSecure
S3cur3Th1sSh1t
3 years
SharpNamedPipePTH is released and also has a shellcode execution option for the impersonated user 😎
@ShitSecure
S3cur3Th1sSh1t
4 years
I had some time today to write another blog post - Customizing C2-Frameworks for AV-Evasion:🤘 #infosec #redteam
@ShitSecure
S3cur3Th1sSh1t
3 years
Hours of troubleshooting and some more evenings went into a Nim port of reflective PE loading. Learned a lot porting that one, special thanks to @am0nsec and @_EthicalChaos_ for answering all my questions regarding issues! 🤓
@ShitSecure
S3cur3Th1sSh1t
4 years
I'm happy to announce that I just published my very first blog post - "Bypass AMSI by manual modification" #infosec
@ShitSecure
S3cur3Th1sSh1t
1 year
After the talks at @x33fcon and @WEareTROOPERS were done, I also finally managed to write down my latest research about userland hook evasion:
@ShitSecure
S3cur3Th1sSh1t
3 years
In addition NanoDump is now integrated into PowerSharpPack & WinPwn, Credit to @s4ntiago_p for the tool and hints for memory loading! Easy peasy LSASS dumping from memory. 🔥 Source code for the Assembly + instructions in the comments can be found here (1/2):
@ShitSecure
S3cur3Th1sSh1t
2 years
TokenManipulation got flagged by AV/EDR? Most public tools don't use Syscalls here. The last days I therefore ported SharpImpersonation (mainly) to Syscalls 🔥😎 Thanks to @tiraniddo and @_EthicalChaos_ for helping me out. This should cover detections!
@ShitSecure
S3cur3Th1sSh1t
2 years
I recently asked ChatGPT whether it can provide me a Powershell Script to dump cleartext Credential-Manager Creds. It at some point hinted me to a Module named CredentialManager, which can do that in very few lines of code:
@ShitSecure
S3cur3Th1sSh1t
4 years
Just made PowerSharpPack public: Many offensive C# binaries now usable from within powershell. If some important ones are missing just tell me and I'll take a look at it.
@ShitSecure
S3cur3Th1sSh1t
3 years
NimGetSyscallStub is now public, the first public fully working (didn't find another myself) Nim implementation + PoC to grab fresh Syscalls from disk on runtime: @chvancooten even with a yara rule (with your template 🤓)
@ShitSecure
S3cur3Th1sSh1t
4 years
Still searching for .NET obfuscators? This looks promising:
@ShitSecure
S3cur3Th1sSh1t
3 years
I don't add Exploits to PowerSharpPack but this exploit by @exploitph , automated by @cube0x0 deserves to be easily exploitable from memory via Powershell so here is a gist for it: Enjoy responsibly 👌
@ShitSecure
S3cur3Th1sSh1t
3 years
Woohoo, just got local PTH for an interactive shell working! All other PTH tools can only be used for network auth. as far as I can tell. I used a modified Invoke-SMBExec from @kevin_robertson and a modified RoguePotato from @splinter_code and @decoder_it . Blog post will follow!
@ShitSecure
S3cur3Th1sSh1t
1 year
Pentest/Red-Team tip: Never trust in BH-Information if you didn't enumerate them with an administrative user. Session infos are not complete, Local Group information may be missing. Low priv users cannot enumerate that anymore for updated systems. 🧐
@ShitSecure
S3cur3Th1sSh1t
2 years
Really like the “Malware Dev” posts from @0xPat , good read for everyone interested in that topic. Especially good for the basics 👌🔥
@ShitSecure
S3cur3Th1sSh1t
2 years
A relatively easy way to use stack encryption for your implant? @SolomonSklash ‘s SleepyCrypt can easily be used from any language: This for example is how to do it with Nim: Can also be used for Nim C2 implants as Sleep 🔥😎
@ShitSecure
S3cur3Th1sSh1t
2 years
😎🔥 I always also wanted to post that 🤓
@ShitSecure
S3cur3Th1sSh1t
2 years
Fun fact: some AV/EDR vendors don’t inject their AMSI provider into Powershell.exe when it’s reflectively loaded. So reflective Powershell.exe -> unprotected. At least I verified this for one vendor yesterday. Most likely this won’t apply to that many, but who knows. 🤷‍♂️
@ShitSecure
S3cur3Th1sSh1t
1 month
Reversing a legitimate signed binary to (ab)use it for process injection without alerts was a nice small project today with @eversinc33 🙃Always good to have alternatives.
@ShitSecure
S3cur3Th1sSh1t
2 years
Responder does not catch NTLMv1 Hashes for "reasons"? Try " -ntlmchallenge 1122334455667788 -of hashes.txt" instead.
@ShitSecure
S3cur3Th1sSh1t
1 year
Hardware Breakpoint AMSI bypass via Nim -> Check 🤓 Thanks again @_EthicalChaos_ for the troubleshooting tips🍻!
@ShitSecure
S3cur3Th1sSh1t
2 years
Another AMSI bypass alternative, usable from for example C++/C/Nim binaries as amsi.dll is not loaded there by default:
@ShitSecure
S3cur3Th1sSh1t
3 years
Just added an ADCS ESC8 check to WinPwn + recon for certificate servers and templates in use. Also updated Mimikatz to the PrintNightmare version.
@ShitSecure
S3cur3Th1sSh1t
2 years
I applied for two conferences with an AV/EDR Evasion topic for this year 😬Wish me luck. :)
@ShitSecure
S3cur3Th1sSh1t
2 years
Alternative use cases for SystemFunction032, what do other people think about at night? 🤓😅
@ShitSecure
S3cur3Th1sSh1t
3 years
In preparation for my next VBA AV Evasion stream I had the idea to create a new repo. Work in progress 😅 This will be released after the stream.👌
@ShitSecure
S3cur3Th1sSh1t
4 years
A small post about the difference between Powershell only & process specific AMSI bypasses:
@ShitSecure
S3cur3Th1sSh1t
3 years
On how to access (protected) networks:
@ShitSecure
S3cur3Th1sSh1t
3 years
I did not test it but this looks bad for missing June patches: CVE-2021-1675 - Exploit released.
@ShitSecure
S3cur3Th1sSh1t
3 years
Thanks to @cube0x0 for the PrintNightmare C# RCE support via MS-PAR. This also makes RCE via Powershell easy:
@ShitSecure
S3cur3Th1sSh1t
2 years
It has been outstanding for some time but now Impersonation by TokenManipulation is also a part of WinPwn. 🥳
@ShitSecure
S3cur3Th1sSh1t
2 years
TokenManipulation got flagged by AV/EDR? Most public tools don't use Syscalls here. The last days I therefore ported SharpImpersonation (mainly) to Syscalls 🔥😎 Thanks to @tiraniddo and @_EthicalChaos_ for helping me out. This should cover detections!
@ShitSecure
S3cur3Th1sSh1t
4 years
Some corona creativity from home: Load and execute encrypted C# files from remote URL or disk. Inspired by @Cneelis p0wnedLoader.
@ShitSecure
S3cur3Th1sSh1t
1 year
Some more EDR Evasion and a PoC for another idea I had - this time to bypass kernel based (ETWti or Kernel Callback) shellcode detections - will be presented and released 🙂🔥 #mcttp .
@ShitSecure
S3cur3Th1sSh1t
3 years
This time something more Blue Team focused: Hope it helps some of you! 🙂😎
@ShitSecure
S3cur3Th1sSh1t
2 years
Blog post time: About some common reflective PE-Loading "problems" and ways to solve them on a high level / examples with @itm4n 's PPlDump, @s4ntiago_p 's nanodump and @codewhitesec 's Handlekatz.
@ShitSecure
S3cur3Th1sSh1t
3 years
So Saturday 2 pm CET I’m gonna show my approach and tools for Powershell AV Evasion. The videos will be uploaded afterwards, so if you don’t find the time - no problem👌 let’s see how this goes 🤘
@ShitSecure
S3cur3Th1sSh1t
3 years
Shall I start a Twitch (series?) for AV Evasion 101? I’m thinking about Powershell, C#, VBS and Nim for example 🤔
@ShitSecure
S3cur3Th1sSh1t
3 years
Wasn't able to add all my new stars yet but it's a lot for the moment. The same amount will follow in the next days, too many good new tools in the last 7 months.
@ShitSecure
S3cur3Th1sSh1t
1 year
Integrated 🙌
@eversinc33
eversinc33 🤍🔪
1 year
I was tired of manually creating wordlists or having to rely on python for pre2k sprays, so did some small adjustments to @dafthack 's DomainPasswordSpray to run pre2k password spraying on all computer objects of a domain.
@ShitSecure
S3cur3Th1sSh1t
1 year
Just copy&paste integrated into WinPwn. 🙂
@Oddvarmoe
Oddvar Moe
1 year
I created this quick and dirty Powershell script to check your current system drivers against the awesome list from @M_haggis @_josehelps @nas_bench Hope you find it useful
@ShitSecure
S3cur3Th1sSh1t
2 years
Finally. Got D/Invoke in Nim working 😎 Hell of an effort for me but I learned a lot about the PEB structure and the export of DLL functions without GetProcAddress 🔥 This will be made public in 1-2 months and is Sponsorware from today on. 🍻
@ShitSecure
S3cur3Th1sSh1t
4 years
WinPwn now checks all domain controllers of the current domain for zerologon - CVE-2020-1472 🥳 So easy to exploit and so many companies don't patch. Forget one DC and the domain is compromised.
@ShitSecure
S3cur3Th1sSh1t
1 year
The second blog post is released, @lsecqt wrote about Resource based Constrained Delegation and common scenarios we typically exploit/face:
@ShitSecure
S3cur3Th1sSh1t
2 years
This inspired me to make it Powershell Add-Type compatible: Easy Hardware Breakpoint AMSI bypass for everyone 🤓
@d_tranman
Dylan Tran
2 years
I think I did the patchless/breakpoint in process amsi bypass thingy with C#
@ShitSecure
S3cur3Th1sSh1t
11 months
Just did a small video on how to find suitable targets for ThreadlessInject technique by @_EthicalChaos_ - plus some recommendations on how to even improve it with Module Stomping && Caro-Kann:
@ShitSecure
S3cur3Th1sSh1t
3 years
For those of you, who also want to test the AmsiScanBuffer Patch in D/Invoke: here you are 🤓
@ShitSecure
S3cur3Th1sSh1t
2 years
Awesome talk by @thefLinkk for all those interested in malware dev 👏: Plus the tool release Lastenzug/SpiderPIC, used that just today and it works like a charm. No socks module in your C2? This can be used as burnable standalone shellcode 🔥 really cool!
@ShitSecure
S3cur3Th1sSh1t
2 years
My DInvoke implementation in Nim is now also public: Feel free to test it and have fun! 🍻👌 Challenge: who modifies the Nim compiler for DInvoke usage?🤓
@ShitSecure
S3cur3Th1sSh1t
9 months
My talk “Playing Chess as Red Teams” from @MCTTP_Con got published now: 🔥🙂