an0n

@an0n_r0

Followers 11,893 | Following 722 | Media 301 | Statuses 1,646

CRT(E|O|L) | OSCP | @RingZer0_CTF 1st (for 2yrs) | HackTheBox Top10 | RPISEC MBE | Flare-On completer | GoogleCTF writeup winner | SSD research | Math MSc |🇭🇺

Joined October 2018
@an0n_r0
an0n
11 months
Have read about caller ID spoofing several times, but I always doubted it would work in 2023 until I set it up on my own. It is not a piece of cake, but it can be done with a suitable VoIP provider (with SIP trunk), a customized PBX (e.g. Asterisk) and a softphone (e.g. ZoiPer).
@an0n_r0
an0n
2 years
Here is why NetNTLMv1 should be disabled in prod networks ASAP. Besides the fact that cracking the hash back to NTLM (and then forging Silver Tickets) is straightforward, there is also a lesser-known but immediate relay attack path by removing the MIC and doing RBCD abuse. Demo in screenshots.
@an0n_r0
an0n
3 years
Symantec Endpoint Protection is bypassed super easily using my dusty DLL refresh PoC. After refreshing in-mem DLLs with the on-disk orig versions, userland hooks got removed completely, making the EDR blind, and allowing us to execute Meterpreter shellcode by simple API calls.
@an0n_r0
an0n
1 year
Played with Outlook CVE-2023-23397. Made a simple PoC email builder & sender featuring a malicious reminder (just a Msg, no need to use a Task or Cal. Ev.). Critical 0-click account takeover on internal networks even after MS patch, no need to open the message on the victim side.
@an0n_r0
an0n
2 years
1. remove disk from target laptop
2. virtualize system (VBoxManage convertfromraw)
3. abuse local admin (chntpw using alt booted system)
4. run mimikatz by reflective loading (bypass ESET :) )
5. extract machine cert / secrets
NEVER deploy company laptop without BitLocker.
@an0n_r0
an0n
2 years
Reproduced the MS-MSDT Office RCE (on up-to-date Win10 and up-to-date Office 2019). Had some troubles with building the appropriate docx with external HTML reference, so quickly made some notes on how to do it, step-by-step:
@an0n_r0
an0n
8 months
OST cannot be stopped. Here is a technique we tested internally 9 months ago: blocking EDR telemetry by leveraging the Windows Filtering Platform. Considered it so evil that we didn't publish it that time. It was pointless, now here it is by @netero_1010 :
@an0n_r0
an0n
2 years
detecting EDR services remotely without admin privs. indicators:
- installed services: [MS-LSAT] LsarLookupNames()
- running processes: named pipes (there are some characteristic to EDRs)
needs some more testing and cleanup before release, but looks promising.
@an0n_r0
an0n
2 years
what a wonderful technique for stealing chrome/edge cookies without knowing the user password via chrome debug mode by @mangopdf : had not known it before (what a shame😄), although it is 4+ yrs old and still working. here it is, demo using Sliver C2.🔥
@an0n_r0
an0n
3 years
#windows11 Defender bypass (worked for #meterpreter ):
- basic sandbox evasion
- decrypt encrypted shellcode to memory
- create process in suspended state
- copy shellcode into allocated mem in remote process
- create remote thread
that's all. no need for special arsenal. :)
@an0n_r0
an0n
1 year
Meterpreter + Metasploit is absolutely awesome. And anyway, it is not even certain that Defender will catch it: add the stageless payload using basic encoding into a template exe (thread exec), disable autoload of stdapi (you can load it later after callback), and that's all. 💥
It's insane that Meterpreter + the Metasploit backend is a jawdroppingly complex piece of malware that many of us could (and do) learn so much from, but people call it shit because the default artifacts are sigged by Defender
@an0n_r0
an0n
3 years
Here is my PoC for exploiting the @Razer device driver installation LPE using a generic Android phone instead of a stock Razer device. gist for the gadget setup: Original version using a Razer device was presented by @j0nh4t . Awesome finding, I like it.
@an0n_r0
an0n
2 years
CVE-2022-26923 ("Certifried") combined with KrbRelayUp: domain user to domain admin without the requirement of previously adding/owning a computer account. Step-by-step write-up of the attack in a pure Windows environment:
@an0n_r0
an0n
3 years
#log4j storm is coming, cryptominers in the first wave. checked multiple (non-java ;) ) webservers I run and the logs are getting filled with the ${jndi:ldap://...} payloads. THREAD: let's see a weaponized one.
@an0n_r0
an0n
2 years
If NetNTLMv1 is disabled but LDAP signing is not enforced on DC, and there is WebClient service enabled on the target, pwn is similar (~RBCD abuse). NTLM relay should be HTTP->LDAP instead of SMB->LDAP (WebClient does not set signature requirement on the client side).
@an0n_r0
an0n
2 years
Here is why NetNTLMv1 should be disabled in prod networks ASAP. Besides the fact that cracking the hash back to NTLM (and then forging Silver Tickets) is straightforward, there is also a lesser-known but immediate relay attack path by removing the MIC and doing RBCD abuse. Demo in screenshots.
@an0n_r0
an0n
3 years
from @BlackHatEvents USA 2016: A Journey From #JNDI /LDAP Manipulation to Remote Code Execution Dream Land by @pwntester and @olekmirosh now the exploit vector presented in 2016 is the #log4jRCE . attached slide #11 from the presentation below. :)
@an0n_r0
an0n
2 years
super easy Defender bypass in 2022 on Win11 for using a default (encoded) Meterpreter stager shellcode for getting and launching a Sliver beacon: XOR encode and do a dumb sandbox evasion (here I used computer name check).
@an0n_r0
an0n
3 years
great find! 😁 ☝ triggered the exploit without owning a Razer mouse device! with a (rooted) Android device (using configfs) it was possible to construct the required usb gadget. 👉 so just plug in an Android phone and elevate to local admin immediately 💥🔥💥
@j0nh4t
҉j҉o҉n҉h҉a҉t҉
3 years
Need local admin and have physical access?
- Plug a Razer mouse (or the dongle)
- Windows Update will download and execute RazerInstaller as SYSTEM
- Abuse elevated Explorer to open Powershell with Shift+Right click
Tried contacting @Razer , but no answers. So here's a freebie
@an0n_r0
an0n
1 year
poor man's browser pivot through chrome remote debugging.🔥 no need to inject into iexplorer anymore.💪 just came across this awesome solution shared by @NotMedic long ago: and this is also working with msedge (it shares the same chromium engine)!🎉
@an0n_r0
an0n
2 years
remote controlling windows services (useful for rce/lateral movement) is possible not only by interacting with SMB (445) but also by calling MSRPC (135+49679). added (fixed?) the MSRPC version in the services[.]py example for impacket, here it is:
@an0n_r0
an0n
7 months
super hot technique from Marcus Hutchins (malwaretech) for preventing the EDR dll from being loaded into the process: just tested it successfully ;)
@an0n_r0
an0n
11 months
my favorite (and might be the most complete) wifi hacking guide (+pwnbox setup) by @Xst3nZ : following this it was relatively easy to perform an evil twin attack after setting up a wpa-eap home lab (managed to capture a challenge using eaphammer 🙂).
@an0n_r0
an0n
10 months
sometimes in hardened AD env they disable (actually remove) SeDebugPrivilege globally (via GPO) in order to prevent malicious things targeting process memory (like token stealing, etc.) even as local admin. good (or bad) news is that the bypass is easy:
@an0n_r0
an0n
3 years
unauthenticated #petitpotam everywhere (not only for DCs)!
- petitpotam to DC, target it to attacker host
- ntlmrelay (using socks) to target
- petitpotam again to target through socks (without supplying any passwords) using the relayed DC creds.
better quality video below.
@an0n_r0
an0n
1 year
Just recreated this awesome @SpecterOps ( @zyn3rgy , @0xthirteen ) technique for initial access by #backdooring a random #ClickOnce application with a Cobalt Strike stager. While I became a ClickOnce addict🙃, compiled a short writeup about my journey:
@SpecterOps
SpecterOps
1 year
Nick Powers ( @zyn3rgy ) and Steven Flores ( @0xthirteen ) uncover a mechanism of weaponizing legitimate ClickOnce and .NET applications for initial access, presenting new opportunities. Read their blog:
@an0n_r0
an0n
2 years
For activating #Win10 guest in #VirtualBox on Linux host simply extract the hardcoded unique OEM product key from the host BIOS (if the host is Win10 licensed) and use it in the Win10 guest. Look for the unique key in the ACPI table MSDM (saying goodbye to SLIC based licensing).
@an0n_r0
an0n
2 years
this is how I run mimikatz today on a (default config) Defender for Endpoint protected host. just reused my recent stager with a basic custom socket server. this libpeconv stuff is more powerful than I first thought :)
@an0n_r0
an0n
2 years
here is a basic meterpreter protocol stager for PE stages using the libpeconv project by @hasherezade : no evasion included, using this only as a template. but already able to run it with a Sliver EXE beacon as a stage against Defender for Endpoint.
@an0n_r0
an0n
9 months
I was a little bit uncertain about expired AD passwords, but fortunately @n00py1 has a great blogpost about it: TL;DR: whether the password is MUST_CHANGE or EXPIRED, usually doesn't matter, you need to be able to change it remotely in different ways.
@an0n_r0
an0n
10 months
playing against an #AV / #EDR : when almost everything failed, finally, loaded @chvancooten 's #NimPlant using my custom stager based on @hasherezade 's libPeConv and managed to execute what I wanted, #Rubeus with built-in execute-assembly ( #AMSI bypass + #ETW block). never give up :)
@an0n_r0
an0n
3 years
#mimikatz forever! combination of (obfuscated) NetLoader + BetterSafetyKatz from @Flangvik (+some ssh tunneling for http inspection bypass on firewalls) is still performing well against some endpoint protection :)
@an0n_r0
an0n
2 years
probably something similar... made a custom stager (this time for Sliver) useful for EDR bypass:
1.) unhook DLLs (by refreshing them, code stolen from @armitagehacker )
2.) instead of classical reflective DLL loading, used the DarkLoadLibrary custom loader by @_batsec_ 🧵▼
@NinjaParanoid
Chetan Nayak (Brute Ratel C4 Author)
2 years
The stager which I converted from 8kb to 3.5 kb, is now back to 9kb, but it now unhooks every DLL hooked by the EDR before downloading the encrypted stage and executing it. Tested it against most top notch EDRs in prevent mode and this time added Palo Alto to the tests. #BRc4
@an0n_r0
an0n
2 years
another episode of my Sliver C2 testing. off-the-shelf bypass techniques like the unhook-bof in the official Armory seem to be useful and perform well against some modern EDR/AV products. seems like it is less painful than with Cobalt Strike. :)
@an0n_r0
an0n
2 years
here is the public release of the serviceDetector script (featuring [MS-LSAT] LsarLookupNames() for detecting the installed state and named pipe enumeration for detecting the running state of a service):
@an0n_r0
an0n
2 years
detecting EDR services remotely without admin privs. indicators:
- installed services: [MS-LSAT] LsarLookupNames()
- running processes: named pipes (there are some characteristic to EDRs)
needs some more testing and cleanup before release, but looks promising.
@an0n_r0
an0n
1 year
Sharing my @snaplabsio #SCCM Lab template: By importing this you'll have a working SCCM environment immediately without any effort. Specific extra configuration might be needed for various exploitation techniques, but hopefully it'll help as a template.
@an0n_r0
an0n
1 year
After several hours (days?) of heavy struggling, finally managed to install #SCCM in my AD lab. When everything is fine and ready to pwn, going to share the @snaplabsio (now @immersivelabs ) template. Huge thanks to @PrajwalDesai for his comprehensive guides about SCCM setup.
@an0n_r0
an0n
10 months
Here is how the @Confluence CVE-2023-22515 - Broken Access Control Vulnerability can be leveraged to unauthenticated RCE, already in @metasploit by @stephenfewer
@stephenfewer
Stephen Fewer
11 months
This week's @metasploit release has our unauthenticated RCE exploit module for CVE-2023-22515, affecting Atlassian Confluence. Get all the release details here:
@an0n_r0
an0n
3 years
#windows11 setup hardware requirements bypass (e.g. for VirtualBox): add reg dwords
- BypassSecureBootCheck=1 and
- BypassTPMCheck=1
in HKLM\SYSTEM\Setup\LabConfig key. run cmd.exe during install: Shift+F10. (just a reminder for me, now this can be read in a lot of places)
@an0n_r0
an0n
4 years
Implemented Kerberos Resource-Based Constrained Delegation Attack from outside of the Active Directory Domain using pure Impacket. Scripting and short writeup:
@an0n_r0
an0n
2 years
just tested hoaxshell by @t3l3machus (actually a beaconing reverse shell over http) against up-to-date Defender (with also Defender for Endpoint included). no alerts on callback, awesome. :) 🔥🔥🔥
@an0n_r0
an0n
3 years
Although MS Defender is doing a much better job of mitigating malicious tasks like #CobaltStrike #C2 beacons, it is still (almost) possible to run it on an up-to-date Windows using basic WinAPI (remote process) injection technique (remarks ⬇️). Merry Xmas for everyone! 🎄
@an0n_r0
an0n
2 years
hey, this is really serious!!! thanks to the work of @alefburzmali (kpasswd protocol in impacket), managed to exploit this easily on a Samba AD Domain. 🔥with a normal user, successfully changed the Administrator password.🔥 (sorry for the blanking, this is a prod domain :) )
@an0n_r0
an0n
2 years
While the recent all-in-one #KrbRelayUp is an awesome work, I like to look under the hood, that's why I put together a short step-by-step writeup about how to do the #LPE with #KrbRelay + #RBCD on a domain-joined machine using KrbRelay + #Rubeus + others:
@cube0x0
Cube0x0
3 years
Let me introduce you to KrbRelay, the only public tool for relaying Kerberos tickets and the only relaying framework written in C#. No-fix LPE + No-fix Cross-Session, VDI deployments have never been more broken. Demo at Images/demo.mp4 !
@an0n_r0
an0n
3 years
No surprise. Recently bypassed an EDR/AV for the PS assembly loader of #SharpHound only by:
1.) renaming the function
2.) removing comments
3.) splitting some essential strings
The orig version was mitigated, the modified one bypassed using in-mem exec by iex+iwr. It is 2021. :)
@TihanyiNorbert
Norbert Tihanyi, PhD
3 years
My new currently undetectable Powershell Reverse Shell based on the original Nishang Framework written by @nikhil_mitt . NO need AMSI bypass. Changed the ASCII encoding to UTF8 and 65535 integer to (2-shl15) to reach 100% AV bypass ratio.
@an0n_r0
an0n
2 years
storing creds for a runas-like utility in a saved config file is a security mistake, even if the tool offers "seriously obfuscated encrypted" files. all we need is just hooking CreateProcessWithLogonW (hello to @fridadotre ) and no worries about reversing proprietary encryptions.
@an0n_r0
an0n
3 years
Added Kerberos authentication support for @cube0x0 's awesome #printnightmare attack tool (for both attack types: MS-PAR and MS-RPRN). P.S. defender bypass for meterpreter is just a kickshaw in the screenshot :)
@an0n_r0
an0n
2 years
alternate but similar for domain initial access:
1.) unauth #PetitPotam against (unpatched) DC
2.) ntlmrelay it (with socks) to any SMB with no sign enforced (using #impacket )
3.) RID cycle through the socks using the relayed session: profit = userlist
4.) pw spray
@snovvcrash
sn🥶vvcr💥sh
2 years
[HackTip ⚒] If you're having troubles brute forcing Net-NTLMv2 captured with responder/mitm6, it may be time to spray some P @ssw0rds 💨 To get a list of domain users with no creds you can relay SMB auth to any domain host with signing OFF and go for RID cycling via #impacket ⬇️
@an0n_r0
an0n
2 years
reproduced, awesome! from owned (or just freshly created) computer account to domain admin in a couple of steps using ADCS by exploiting CVE-2022-26923 reported and documented by @ly4k_ . patch DCs ASAP! :)
@ly4k_
Oliver Lyak
2 years
The first blog post is here. This one covers the technical details of CVE-2022-26923 (Active Directory Domain Services Elevation of Privilege Vulnerability). The vulnerability was patched as part of the May 2022 Security Updates from Microsoft.
@an0n_r0
an0n
1 year
Built a special JS stager for Cobalt Strike (or for anything else). Actually it is based on C# .NET, and it is super simple (full source is on the screenshot) because it uses the PE mapper from DInvoke. Currently managed to bypass Defender. Sharing some details in this thread.
@an0n_r0
an0n
3 years
Contacted @Teradek about this backdoor in their IP video device firmware in 2020. They were not interested in it (stopped replying at a point), released an updated firmware in 2021 but without a fix. Ok, then here is the full disclosure:
@an0n_r0
an0n
2 years
here is a basic meterpreter protocol stager for PE stages using the libpeconv project by @hasherezade : no evasion included, using this only as a template. but already able to run it with a Sliver EXE beacon as a stage against Defender for Endpoint.
@an0n_r0
an0n
2 years
let's do something more interesting. imagine a malware drops a version.dll into %APPDATA%\Zoom\bin, then user runs Zoom (drop+exec separated). it can be done without any alerts, and the stager shellcode included in the version.dll (proxy dll) launches the Sliver beacon silently.
@an0n_r0
an0n
2 years
super easy Defender bypass in 2022 on Win11 for using a default (encoded) Meterpreter stager shellcode for getting and launching a Sliver beacon: XOR encode and do a dumb sandbox evasion (here I used computer name check).
@an0n_r0
an0n
9 months
just found that SharpHound used this RemoteRegistry trigger already earlier for session enumeration, as do the nmap smb-enum-sessions script and Sysinternals PsLoggedOn. here is a nice summary about it from Sven Defatsch ( @compasssecurity ) in 2022:
@splinter_code
Antonio Cocomazzi
10 months
Do you want to start the RemoteRegistry service without Admin privileges? Just write into the "winreg" named pipe 👇
@an0n_r0
an0n
2 years
while PPLdump was killed, one of my favorite (but not too stealthy) LSASS dumping techniques is still working against RunAsPPL: share the physical mem through the network using a signed driver and search & dump lsass remotely (physmem2profit by @TimoHirvonen ):
@itm4n
Clément Labro
2 years
The July 2022 update of Windows 10/11 killed PPLdump 💀😢 Find out how in this blog post... 👉
@an0n_r0
an0n
2 years
a nice benchmark of subdomain enumeration tools by @BlackLanternLLC
@an0n_r0
an0n
2 years
ntfsDump: just found this from @3gstudent (and used successfully for reading ntds.dit on a DC): similar to the powershell version Invoke-Ninjacopy, but this time it is a c++ binary. sometimes it is better to have a binary than a PS (for opsec reasons).
@an0n_r0
an0n
3 years
added PrintProcessor Persistence/LPE for @0xthirteen 's SharpStay project: have stolen the original idea from here:
@an0n_r0
an0n
1 year
while still waiting for the full tech details of this RCE, started reading protocol specs and quickly built a dumb service detector for MSMQ on remote 1801/tcp.
@_CPResearch_
Check Point Research
1 year
🚨 We discovered 3 vulnerabilities in Microsoft Message Queuing (MSMQ) service, including #QueueJumper (CVE-2023-21554), a Critical vulnerability that could allow unauthorized attackers to remotely execute code. More details in our blog 👉 #PatchNow
@an0n_r0
an0n
2 years
RDP logon with certificate: @_EthicalChaos_ is releasing a dedicated tool for this soon! Until that, here is how I did this before (from Linux): simulating PIV applet on an emulated smartcard device locally and pass it through RDP. 🧵/1 👇
@_EthicalChaos_
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿
2 years
Want to authenticate to RDP/Citrix using your abused ADCS certificate and live off the land? PIVert has got your back. Will be releasing soon!
@an0n_r0
an0n
1 year
Nice. About the current #Citrix unauth #RCE : it is a simple stack overflow, the affected binary was compiled without PIE, has executable stack, and also there are no stack canaries (on some versions). Back (at least) 10+ yrs in time. :)
@bishopfox
Bishop Fox
1 year
Bishop Fox Team X Research Alert ⚠ We've created an #exploit for the critical #vulnerability #CVE -2023-3519, which allows for #RCE . There are 61,000 affected appliances exposed on the internet, and roughly 53% of them are unpatched. Patch yours now.
@an0n_r0
an0n
1 year
Disabling DSE (at least without VBS), loading our offensive driver, zeroing out EDR process callbacks: no more EDR dlls and hooks in user processes. :) We can learn such cool stuff from @_RastaMouse 's awesome Offensive Driver Development course:
@an0n_r0
an0n
4 years
0 privs to DA in a tweet: (found a pw in an anon ftp, ldapdomaindump by ntlmrelay to ldap) → found svc account by pw spray (pw was reused), svc account had genericwrite on all desktops ;) → own computers by rbcd attack → basic lateral movement following bloodhound path → DA.
@an0n_r0
an0n
10 months
at last, it has arrived from the US with today's post. 🎉
@an0n_r0
an0n
2 years
yes, and it works as 0-click in the Preview Pane with RTF format. :)
@an0n_r0
an0n
2 years
Reproduced the MS-MSDT Office RCE (on up-to-date Win10 and up-to-date Office 2019). Had some troubles with building the appropriate docx with external HTML reference, so quickly made some notes on how to do it, step-by-step:
@an0n_r0
an0n
4 years
Just compiled a mini HOWTO for DLL Hijacking by DLL Proxying super easily: extract the full export list from the legitimate DLL using Python pefile and cross-compile+link the proxy DLL by mingw-w64 using module-definition (.def) file.
@an0n_r0
an0n
3 years
pentest/redteam tip: enumerating subnet ranges in an AD from Linux by querying LDAP directly (SASL GSSAPI is meant for Kerberos authentication): ldapsearch -H ldap://dc -Y GSSAPI -b 'CN=Sites,CN=Configuration,DC=evil,DC=corp' -o ldif-wrap=no '(objectClass=Site)' siteObjectBL
@an0n_r0
an0n
2 years
awesome! tested: word docm drops dll to (user) zoom folder by vba (bypassing defender). dll is a proxy dll and also contains a stager. later user opens zoom, dll sideloads without attracting attention (defender bypassed this time also), stager pulls 2nd stage and c2 implant is up. :)
@an0n_r0
an0n
2 years
elevated CVE-2022-30166 EoP to SYSTEM. the work was done by @tiraniddo , here I just modified their PoC for getting TGT dump, did some custom ticket conversion stuff then RBCD attack with the machine Kerberos TGT. works only if AllowTgtSessionKey (non-default) is enabled.
@an0n_r0
an0n
2 years
CVE-2022-30166: an awesome EoP by @tiraniddo ! PoC also included in the report, quickly tried, it is working nicely on unpatched systems. looking forward to the BH presentation. :)
@an0n_r0
an0n
1 year
found Mimikatz dpapi::chrome (for decrypting chrome/msedge secrets) fails with No Alg/Key handle error now. it seems the encrypted_key parser from the Local State file is broken. no worries, it is possible to feed it with the encrypted_key directly, here is what I mean.👇
@an0n_r0
an0n
1 year
GadgetToJScript JS payload (last commit in 2021) bypassing Windows Defender AMSI with this super minimal common dumb JS obfuscation in 2023. Anyhow, long live GadgetToJScript by @med0x2e !
@an0n_r0
an0n
3 years
the KeeThief method by @harmj0y and @tifkin_ is 5 yrs old, but it is still an awesome working attack against KeePass. ok, it is hard to defend against it, but wherever I tried, it worked. use pw managers, but we should be aware that it can be abused.
@an0n_r0
an0n
3 years
if the default NTLM auth (what is actually ~PtH in impacket) is not appropriate for some (opsec) reason, added Kerberos auth support for the awesome #PetitPotam Python exploit PoC script by @topotam77 :
@an0n_r0
an0n
3 years
Delivered the payload using my current favorite payload server: attachment[.]outlook[.]live[.]net :) Just upload any file as an attachment while composing an email in Outlook, it gets uploaded and it is temporarily available using a GET request from the Outlook servers.
@an0n_r0
an0n
3 years
instead of compulsively bypassing av/edr, sometimes using "legit" tools is the best opsec consideration. for pivoting, instead of chisel or other flagged tools, plink reverse tunnel + Socks5Server by @xoreipeip live together nicely with av/edr products. :)
@an0n_r0
an0n
2 years
CVE-2022-30166: an awesome EoP by @tiraniddo ! PoC also included in the report, quickly tried, it is working nicely on unpatched systems. looking forward to the BH presentation. :)
@tiraniddo
James Forshaw
2 years
Final LSA bug from last month is now open. An interesting one which breaks common assumptions of impersonation security over the LSA's RPC interface. Me and @monoxgas will describe a way of abusing the bug at BH next month to get SYSTEM privileges.
@an0n_r0
an0n
3 years
if you like to enumerate Samba shares with the awesome #SMBMap tool but miss #Kerberos authentication, then here it is. added basic Kerberos support in my SMBMap fork, here:
@an0n_r0
an0n
3 years
never thought that this query would ever result >0 items. telling the truth, found the plaintext userpassword attributes accidentally (while enumerating bloodhound data), and took this note for myself for later assessments.
@an0n_r0
an0n
3 years
Win Update LPE: after @Razer now here is @SteelSeries . 👆And we can do it using our Android phone without any custom hardware. 🎉 Here is my Android gadget creator mini-tool: @Razer and @SteelSeries included, and it is super easy to add the next ones:
@zux0x3a
𝙻𝚊𝚠𝚛𝚎𝚗𝚌𝚎
3 years
it is not only about @Razer .. it is possible for all.. just another priv_escalation with @SteelSeries
@an0n_r0
an0n
2 years
had to fix a couple of bugs in the sideload cmd in Sliver, but now it loads Mimikatz DLL (using Donut behind the scenes) and even bypasses Defender without much effort. it is still not perfect, output fetching is not working for some reason, but it is almost functional.
@an0n_r0
an0n
3 years
found that the awesome project NetLoader (for C#) by @Flangvik works extremely well (not only against Defender like in the demo screenshot below). of course some obfuscation (like ConfuserEx) is recommended in the Loader for bypassing static signatures.
@an0n_r0
an0n
3 years
created a minimal #log4shell vulnerable Java web app, building, running & modifying is straightforward. RCE exploit path is tested and included using the JNDI Injection Exploit tool by @welk1n1 (on up-to-date Java with trustURLCodebase set to false).
@an0n_r0
an0n
2 years
Recently completed the OPSEC and defence bypass focused RTO2 from @zeropointsecltd and @_RastaMouse . No doubt, awesome course, superb quality materials, exciting lab time and exam challenges. If you liked RTO, don't miss this.
@an0n_r0
an0n
3 years
quickly tested the CVE-2022-21882 Win10 LPE PoC from @kalendsi before applying KB5009543 (which should patch it). works nicely on my 21H2 19044.1415.
@kalendsi
kalendsi
3 years
CVE-2022-21882, easy to exploit
@an0n_r0
an0n
1 year
just updated my Magisk installer script (ramdisk patcher) for Android Emulator to support recent Android API and Magisk versions:
@an0n_r0
an0n
1 year
nothing novel, just playing with screenshot capture in PowerShell: get the screenshot to clipboard by sending PrtSc key using PS, send the image in an HTTP POST body, receive it with least effort using a CGI handler run by Python http[.]server.
@an0n_r0
an0n
1 year
but what seems to be totally new, someone posted the source code of the XP activator (used for offline phone activating: installation id → confirmation id) a couple of hrs ago.
@an0n_r0
an0n
1 year
the file (xp_activate32.exe) this article references (and the whole hype about this "hot" and fresh XP activation crack today) has been first seen on virustotal in 2020. 🤣
@an0n_r0
an0n
3 years
#RedTeam TIP: bypass basic AV for @BCSecurity1 #Empire PS stager with HTTP listener in 3 steps:
1) replace the built-in AmsiBypass (use )
2) modify DefaultProfile in the HTTP listener.
3) change the function name Invoke-Empire in the stager.
that's all :)
@an0n_r0
an0n
3 years
started to build my custom shellcode loader generator for experimenting with EDR/AV evasion. only a few techniques implemented so far, but already able to bypass defender and some $$$ EDRs. :) trying to include a better quality stream (for this defender demo) below.
@an0n_r0
an0n
1 year
While the Outlook fix for Outlook CVE 2023-23397 is insufficient (blocking only external attackers), the Exchange March 2023 SU patch seems to be fine by removing the exploitable PidLidReminderFileParameter extended property. Install 2023 SU on Exchange ASAP! thx @thecyberlama !
@an0n_r0
an0n
1 year
Played with Outlook CVE-2023-23397. Made a simple PoC email builder & sender featuring a malicious reminder (just a Msg, no need to use a Task or Cal. Ev.). Critical 0-click account takeover on internal networks even after MS patch, no need to open the message on the victim side.
@an0n_r0
an0n
2 years
just started to play with the Mythic C2 from Cody Thomas aka @its_a_feature_ . architecture, design, customization capabilities, features seem super impressive at first sight! (not to mention that the @merlin_c2 agent builds with Garble obfuscator and bypasses Defender :) )
@an0n_r0
an0n
6 months
here is why putting a wildcard file mask (or anything else) to Defender exclusion list is a super bad idea. extension does not matter, it can be executed. so even if it is domain controlled (meaning Defender cannot be modified locally), as a local admin it is trivial to bypass.
@an0n_r0
an0n
3 years
🐟 #phishing tip: using a *[.]azurewebsites[.]net domain could make a campaign really successful. setup: azure function ⟶ nginx redirector ⟶ #gophish (from @jw_sec ) + ms365 business for send profile. phishing infra is supported by @microsoft 🙃 config:
@an0n_r0
an0n
2 years
just wanted to see how difficult it is to run CS BOF inside Sliver (tested NoteThief BOF by @trainr3kt ). it is super easy! the coff-loader extension in the Sliver armory provides the compatibility layer (code is unchanged), only had to add an ext json: .
@an0n_r0
an0n
1 year
Windows Kernel Debugging using two VirtualBox VMs: connecting the VMs through virtual null modem cable (client-server host pipe mode COM ports), attaching WinDbg to the local COM port on the debugger host, enabling kernel debug serial mode (to local COM port) on the debugee host.
@an0n_r0
an0n
2 years
Sliver setup is effortless. Just tried it, currently the default config (without customization) works well against simple Defender. I think it's worth further playing. I don't think we should say goodbye to CS, but as an alternative, (not just because of this) it is promising.
@_xpn_
Adam Chester 🏴‍☠️
2 years
Man I’m calling it, bye bye Cobalt Strike, hello Sliver! Not had to use CS on an engagement for a while but when you don’t wanna burn your internal stuff and need to use public tools, the pain involved around evasion for simple tasks in CS is horrible… time for something new.
@an0n_r0
an0n
3 years
added a remote injection (spawn & inject) shellcode template for @MrUn1k0d3r 's awesome PowerLessShell project. this is useful for user-level persistence if there is strong app whitelisting (and msbuild.exe bypass is working). console popup is <1sec, attracting less attention. (1/2)
@an0n_r0
an0n
2 years
if something is missing from impacket, have a look at the pull requests, there are tons of super useful features waiting in the queue. one of my recent favorites: shadowcreds support in LDAP shell for ntlmrelayx by @Tw1sm
@an0n_r0
an0n
3 years
Updated @gentilkiwi #Mimikatz in @rapid7 @metasploit Meterpreter Kiwi extension to play with some recent features like RDP plaintext credential dumping ;) Short HOWTO is here:
@an0n_r0
an0n
1 year
Mini-HOWTO about setting up Full Disk Encryption with unattended auto-unlock using TPM2 w/ Secure Boot on Kali. Useful for rogue devices (auto-connecting to C2), headless pentest boxes, etc. storing confidential information but lacking physical security.
@an0n_r0
an0n
11 months
nothing shows better how useful @nikhil_mitt 's #CRTE course from @AlteredSecurity is than the fact that I just reused one of the techniques in a real life assessment a few days after completing the 8 hour hands-on cert renewal multi-forest lab exam.
@an0n_r0
an0n
7 months
awesome recap of #PrintNightmare (from 2021) in 2024 by @itm4n (unfortunately not active on Twitter anymore). let me highlight his great group policy flowchart as a key takeaway👇