Marcello @ BH/DC 4th-12th

@byt3bl33d3r

Followers
29,275
Following
532
Media
721
Statuses
9,324

CyBeRsEcUrItY | Not afraid to put down with some THICC malware on disk | securing and breaking AI @ProtectAICorp | Ex @spacex

Joined December 2012
Pinned Tweet
@byt3bl33d3r
Marcello @ BH/DC 4th-12th
1 year
The demos and slides of my Defcon 31 talk are now publicly available. 🧵 1/3 This first video demonstrates impersonating Satan (spoofing an email from satan @churchofsatan .com). This was the inspiration for the title of the talk 😛
8
66
239
@byt3bl33d3r
Marcello @ BH/DC 4th-12th
2 years
Infosec peeps after burnout be like
28
168
1K
@byt3bl33d3r
Marcello @ BH/DC 4th-12th
3 years
Wrote a scanner for PrintNightmare (CVE-2021-34527). Allows you to scan entire subnets and gives you a CSV report. Supports both MS-RPRN and MS-PAR checks. Haven't tested in a prod environment yet (just my lab). Feel free to send a PR if you see FPs.
4
295
728
@byt3bl33d3r
Marcello @ BH/DC 4th-12th
5 years
Had no clue about this, as of Python 3.5 you can bundle an entire application into a ZipFile (with a .pyz extension) and execute it directly. This is the equivalent of Java .jar files for Python
9
241
698
@byt3bl33d3r
Marcello @ BH/DC 4th-12th
7 years
Need a quick way to find hosts on your network that support SMBv1 connections? Run: cme smb <CIDR> Done.
Tweet media one
9
343
682
@byt3bl33d3r
Marcello @ BH/DC 4th-12th
6 years
Just open-sourced the SprayingToolkit! A collection of Python scripts to take the headache out of performing password spraying attacks against OWA & S4B/Lync. Ever wanted to perform real time sprays while scraping LinkedIn profiles from Google? ;)
6
315
648
@byt3bl33d3r
Marcello @ BH/DC 4th-12th
7 years
Automating the Empire with the Death Star: getting Domain Admin with a push of a button
23
380
586
@byt3bl33d3r
Marcello @ BH/DC 4th-12th
3 years
Fucking priceless. Do an image search on google for “MITRE EDR evaluation results”. You’ll find a graph which links to a blog post on *EVERY* single EDR vendors website saying “we’re the best EDR”.
Tweet media one
Tweet media two
Tweet media three
Tweet media four
37
148
589
@byt3bl33d3r
Marcello @ BH/DC 4th-12th
2 years
No need to write obfuscators anymore
Tweet media one
Tweet media two
15
66
553
@byt3bl33d3r
Marcello @ BH/DC 4th-12th
5 months
@maxafrass “We like thicc slices of bread in this house” should be a doormat
4
12
518
@byt3bl33d3r
Marcello @ BH/DC 4th-12th
4 years
Just made the OffensiveNim repository public. This is a couple of weeks' worth of notes and research into using Nim for general offensive operations. If you don't want to write your implants in C/C++, Nim is the way to go IMHO. Feedback welcome
14
204
508
@byt3bl33d3r
Marcello @ BH/DC 4th-12th
7 years
Practical guide to NTLM Relaying in 2017 (A.K.A getting a foothold in under 5 minutes)
8
349
505
@byt3bl33d3r
Marcello @ BH/DC 4th-12th
5 years
I made a bunch of Ansible playbooks the other day in order to streamline/automate my workflow during engagements. Specifically I wanted to install a bunch of tools from Git and have them all set up in separate Python virtualenvs.
4
178
493
@byt3bl33d3r
Marcello @ BH/DC 4th-12th
4 months
Sydney Sweeney reveals in an interview that she has strong opinions about the EDR industry. “I think EDRs all fucking pieces of shit” She adds, “CrowdStrike needs to stop smoking crack and making action figures out of APTs. it’s cringe af”
Tweet media one
15
48
472
@byt3bl33d3r
Marcello @ BH/DC 4th-12th
4 years
W00t! CrackMapExec now has binaries! You don't need to install it anymore! Just grab the binaries under the latest build under the action tab! Go forth and pwn!
10
197
470
@byt3bl33d3r
Marcello @ BH/DC 4th-12th
3 years
This is honestly really cool, can probably be used for vuln research as well? 🤔 allows you to “diff” Windows before and after installing software.
4
134
444
@byt3bl33d3r
Marcello @ BH/DC 4th-12th
5 years
Thank you everyone for coming to my @Derbycon talk! Just released v0.4.0 of SILENTTRINITY! Biggest update yet, ton of new modules thanks to @nicolas_dbresse , upload/download functionality and the new and improved minidump module which integrates pypykatz!
7
163
428
@byt3bl33d3r
Marcello @ BH/DC 4th-12th
4 years
It has begun... 🔥
Tweet media one
9
77
411
@byt3bl33d3r
Marcello @ BH/DC 4th-12th
3 years
Hot off the presses: part 2 of making C2 less painful. Modernizing the CIA's approach to offensive Infrastructure by using mesh VPN networks, micro-services and hybrid-cloud deployments. Get your buzzword bingo cards ready. #seo
9
151
400
@byt3bl33d3r
Marcello @ BH/DC 4th-12th
5 years
Just noticed that apparently Win Defender just alerts on any PowerShell process touching lsass. The SILENTTRINITY Mimikatz module runs just fine if executed from cmd.exe. However, if running from PowerShell it runs but Defender kills the process
Tweet media one
Tweet media two
Tweet media three
7
123
389
@byt3bl33d3r
Marcello @ BH/DC 4th-12th
5 years
Super excited to finally release SILENTTRINITY v0.3.0 which has been in the works for a long time: The tool now supports multi-user collaboration and has a client/server architecture. Check out the readme for a list of the new features, hope it's useful!
3
161
376
@byt3bl33d3r
Marcello @ BH/DC 4th-12th
6 years
CrackMapExec v4.1 (ҪФԠЯДDЄ ԐDЇҐЇФЍ) is almost done! Will be making the changes public after my @BlackHatEvents Asia Arsenal demo next week! The entire C2/plugin system has been overhauled, details soon 😎
Tweet media one
10
125
354
@byt3bl33d3r
Marcello @ BH/DC 4th-12th
5 years
Just uploaded my slides for the Red Team Level over 9000 keynote at @ConvergeDetroit ! Thanks to everyone for coming!
3
120
330
@byt3bl33d3r
Marcello @ BH/DC 4th-12th
4 years
I'm excited to be releasing the new DeathStar. Complete re-write of the original script, supports AD networks with multiple domains/forests, has a plugin system and "Active Monitoring": so it adapts its attack path based on real-time changes in the network.
9
130
331
@byt3bl33d3r
Marcello @ BH/DC 4th-12th
3 years
Haven't blogged in a while but here's the first of a series of posts exploring modern tech stacks making C2 infrastructure creation less painful
8
135
331
@byt3bl33d3r
Marcello @ BH/DC 4th-12th
5 years
Really glad to finally get a blogpost out about this. Hopefully this is useful and gives Red Teamers ideas on how to use the BYOI concept in their own payloads. If anyone is interested in a few more follow-up posts about this, I will gladly oblige :)
3
171
316
@byt3bl33d3r
Marcello @ BH/DC 4th-12th
5 years
For anyone wondering, yes it’s written in C# and yes I will be totally adding it as a SILENTTRINITY module if I can get the source code (a few changes need to be made in order for it to run in memory). #makemalwarefunagain
@SamNChiet
Samperson
5 years
I made a goose that destroys your computer Download it free here:
3K
93K
255K
5
66
306
@byt3bl33d3r
Marcello @ BH/DC 4th-12th
3 years
...computers used by water plant personnel ... used the 32-bit version of the Windows 7... all computers shared the same password for remote access and appeared to be connected directly to the Internet without any type of firewall protection... 🤷🏻‍♂️
25
120
291
@byt3bl33d3r
Marcello @ BH/DC 4th-12th
5 years
Just pushed a somewhat big update to SILENTTRINITY with a lot of forward compatibility fixes for Python 3.8 and made the PowerShell "stageless" stager public. Plus more modules and bug fixes
5
127
294
@byt3bl33d3r
Marcello @ BH/DC 4th-12th
1 year
Pack it up people, Intel solved it
Tweet media one
8
52
286
@byt3bl33d3r
Marcello @ BH/DC 4th-12th
7 years
CrackMapExec now supports Powershell script and launcher obfuscation using @danielhbohannon 's Invoke-Obfuscation! :D
Tweet media one
2
178
284
@byt3bl33d3r
Marcello @ BH/DC 4th-12th
4 years
Bloodhound on an ultra wide curved monitor makes you feel like you’re hacking Hollywood Style.
Tweet media one
15
43
288
@byt3bl33d3r
Marcello @ BH/DC 4th-12th
6 years
Pssst! Hey you! SEP got you down during a pentest? TIL of smc -stop and smc -disable -ntp. Works like a charm, the latter doesn't even require admin rights
Tweet media one
7
106
284
@byt3bl33d3r
Marcello @ BH/DC 4th-12th
4 years
Fuck computers
20
32
274
@byt3bl33d3r
Marcello @ BH/DC 4th-12th
5 years
Just published the slides of my "IronPython OMFG v2.0" talk yesterday at @hackinparis on github here
2
108
274
@byt3bl33d3r
Marcello @ BH/DC 4th-12th
6 years
Just released my slides for my talk at @hackinparis 2018: The Past, Present & Future of Enterprise Security: the 'Golden Age' of Attack Automation #HIP18
3
130
276
@byt3bl33d3r
Marcello @ BH/DC 4th-12th
5 years
Just migrated CrackMapExec away from PyCrypto, you should have a *lot* less dependency woes when installing the bleeding edge version from git
8
73
267
@byt3bl33d3r
Marcello @ BH/DC 4th-12th
4 years
Xmas came early for me. Load .NET assemblies from memory using x-compiled Nim executable in 5 lines:
import winim/clr
var myassembly: array[4608, byte] = [ byte 0x4d, 0x5a... ]
var loadedasm = load(myassembly)
var instance = loadedasm.new("MyNamespace.Program")
instance.Main()
Tweet media one
Tweet media two
4
77
270
@byt3bl33d3r
Marcello @ BH/DC 4th-12th
4 years
CrackMapExec v5.1.1 is now available on PyPI. Thanks to @mpgn_x64 it's stable enough for me to finally get rid of the old version. You can now install the latest version of CME with a `pip install crackmapexec`. Happy Pwnage.
4
94
255
@byt3bl33d3r
Marcello @ BH/DC 4th-12th
4 years
omg.... I did it! Win32 Syscalls from Nim!!! 😍
Tweet media one
Tweet media two
8
46
254
@byt3bl33d3r
Marcello @ BH/DC 4th-12th
5 years
Holy shit, this actually solves an incredible amount of packaging problems, you can put all dependencies into a single portable zip file! No more virtualenvs! All the end user needs is the python interpreter and everything else is self contained!
@byt3bl33d3r
Marcello @ BH/DC 4th-12th
5 years
Had no clue about this, as of Python 3.5 you can bundle an entire application into a ZipFile (with a .pyz extension) and execute it directly. This is the equivalent of Java .jar files for Python
9
241
698
3
76
250
@byt3bl33d3r
Marcello @ BH/DC 4th-12th
5 years
PSA: Executing an EXE from an SMB server is still an extremely valid way of bypassing a lot of “next-gen” EDR products 🤷🏻‍♂️
6
73
250
@byt3bl33d3r
Marcello @ BH/DC 4th-12th
7 years
Pro tip: don't just look for public S3 buckets when doing OSINT. Remember to look for DigitalOcean spaces and Azure Containers as well
Tweet media one
Tweet media two
2
102
249
@byt3bl33d3r
Marcello @ BH/DC 4th-12th
5 years
Just pushed a pretty huge update to WitnessMe. It now supports parsing .Nessus files, URL files, has a database search CLI tool and a lot more. Still a WIP but it's getting there slowly.
10
87
245
@byt3bl33d3r
Marcello @ BH/DC 4th-12th
3 years
We should ban PsExec, net.exe, group policy and most of the features in windows as they’re being used by ransomware gangs. Also we need to ban teamviewer and any remote administration tool as they have the potential of being abused. Also need to ban the internet
21
32
244
@byt3bl33d3r
Marcello @ BH/DC 4th-12th
4 years
Just FYI, the python3 branch of CrackMapExec was merged into master as of a few minutes ago. Also @mpgn_x64 (the mad man who ported it over to Python 3) is now an official collaborator.
6
86
244
@byt3bl33d3r
Marcello @ BH/DC 4th-12th
2 years
Why do I need an EDR bypass if I can just download process hacker ? 🧐
11
19
235
@byt3bl33d3r
Marcello @ BH/DC 4th-12th
4 years
On today’s episode of weird windows shit, apparently if you rename a .exe to a .pif windows will still execute it just fine. On top of that, the file icon and type in explorer changes to “Shortcut to MS-DOS program”. Looks a lot less evil.
7
89
235
@byt3bl33d3r
Marcello @ BH/DC 4th-12th
4 years
Here’s a recent discovery that changed my life: tired of manually creating Python virtual environments for every single Python tool? Turns out Pipx is the solution
9
77
232
@byt3bl33d3r
Marcello @ BH/DC 4th-12th
4 years
#CME6 🔥
Tweet media one
7
31
232
@byt3bl33d3r
Marcello @ BH/DC 4th-12th
7 years
Bonus: ever wanted to actually exploit those Java deserialization bugs you find? Check out @coalfirelabs awesome exploit collection! Pushed an exploit for JBoss just last night!
1
116
227
@byt3bl33d3r
Marcello @ BH/DC 4th-12th
4 years
Status update after 3-4 months of basically not writing a single line of code for any of my open source tools: my health has improved, I’ve never been this well rested in my entire life and I don’t feel like a zombie every day. Question now is, why should I even go back to OSS dev?
32
7
226
@byt3bl33d3r
Marcello @ BH/DC 4th-12th
4 years
📣 Ok peeps, have an announcement: all future tools and updates I release will be Sponsorware. Only people who have sponsored me on Github at a specific tier will get access to them initially. Finally, they will be made publicly available only after I reach a target n of sponsors
27
46
226
@byt3bl33d3r
Marcello @ BH/DC 4th-12th
4 years
Just because you’re paying a lot of money for an EDR does not mean it actually works against the basic stuff.
8
42
219
@byt3bl33d3r
Marcello @ BH/DC 4th-12th
4 years
We’re hiring interns at @BHinfoSecurity for a bunch of R&D projects! (All internships are paid & remote). Applicants must have some basic C# and Python knowledge. If you’re interested send me your resume and we’ll talk! (DMs are open)
20
141
211
@byt3bl33d3r
Marcello @ BH/DC 4th-12th
4 years
I’ll tell you a secret :) giving me a tip on Patreon will automatically trigger a CI/CD pipeline which will push a freshly compiled & *obfuscated* SILENTTRINITY C# exe/dll stager to the public repository. For when you really need to bypass all the things.
13
39
210
@byt3bl33d3r
Marcello @ BH/DC 4th-12th
4 years
Shellcode execution via inline assembly through Nim works!
Tweet media one
Tweet media two
5
39
211
@byt3bl33d3r
Marcello @ BH/DC 4th-12th
4 years
I've released the new WitnessMe update early in order to help people identify F5 BIG-IP devices vulnerable to CVE-2020-5902. Updated the Readme with a quick start for this specific use case, less than 5 min install and start scanning.
6
91
207
@byt3bl33d3r
Marcello @ BH/DC 4th-12th
6 years
Excited to announce the release of Kukulkan to the OffensiveDLR repo! This is essentially a slimmed down version of SILENTTRINITY! Also the C2 comms (including the initial stage) are completely encrypted! And you can use it with CobaltStrike 🐍😈
0
103
206
@byt3bl33d3r
Marcello @ BH/DC 4th-12th
6 years
Just pushed a Internal Monologue module for SILENTTRINITY! Cause touching LSASS is overrated ;) If you're not familiar with this attack it's pretty dope, check it out here
Tweet media one
1
91
205
@byt3bl33d3r
Marcello @ BH/DC 4th-12th
6 years
Just pushed an enormous update to Red Baron! Highlights include Ansible support and dynamic SSH autocompletion of created infrastructure! If you find bugs (which you probably will) let me know!
0
69
201
@byt3bl33d3r
Marcello @ BH/DC 4th-12th
4 years
Was playing with Impacket yesterday and accidentally (re)discovered a bug that allows you to silently crash the Event Log Service over RPC. Apparently this was already reported to MSRC but didn't meet the bar to be serviced cause it requires Admin privs
5
74
198
@byt3bl33d3r
Marcello @ BH/DC 4th-12th
2 years
Just pushed another snippet to OffensiveNim implementing the token sandboxing technique discovered by @gabriellandau . gr33tz to @0xpwnisher for the C++ PoC.
Tweet media one
4
67
199
@byt3bl33d3r
Marcello @ BH/DC 4th-12th
3 years
I’m starting to get really sick of this industry. I feel like no progress is being made and everything that’s applauded as progress is smoke and mirrors and doesn’t have any actual value outside of making a few people wealthy.
13
13
195
@byt3bl33d3r
Marcello @ BH/DC 4th-12th
4 years
GITHUB HAS A DARK MODE
10
20
188
@byt3bl33d3r
Marcello @ BH/DC 4th-12th
3 years
In other news, I managed to embed Python (CPython) within Nim. Few things to work out to make it 100% OPSEC safe but it works. You can think of it as a mini PyInstaller Bootloader written in Nim. Can even pull down Python directly from the Python[.]org website :)
Tweet media one
Tweet media two
5
50
195
@byt3bl33d3r
Marcello @ BH/DC 4th-12th
6 years
Working on a new project 🤟 I think this might be a game changer for red teams. It's the best of both worlds and more. Ever wanted a postex agent that can access all of .NET and dynamically compile C# without going through PowerShell?
Tweet media one
7
64
194
@byt3bl33d3r
Marcello @ BH/DC 4th-12th
6 years
Happy to announce @coalfirelabs just released Red Baron: a red team infrastructure automation tool! Ever wanted to create a C2 server and redirector with 8 lines of code? I got you covered.
@coalfirelabs
Coalfire Labs
6 years
The Coalfire Labs R&D team on its one-week anniversary is open-sourcing Red Baron: Automate creating resilient, disposable, secure and agile infrastructure for Red Teams!
0
31
49
6
122
184
@byt3bl33d3r
Marcello @ BH/DC 4th-12th
6 years
As of today, I'm humbled and honored to be joining the awesome team over at @BHinfoSecurity ! Exciting times ahead! \o/
27
7
184
@byt3bl33d3r
Marcello @ BH/DC 4th-12th
7 years
Every time I speak with anyone in the Infosec community I'm just constantly blown away by how passionate and smart people are. I think a lot of us take this for granted. This is an extremely unique and privileged job.
2
30
176
@byt3bl33d3r
Marcello @ BH/DC 4th-12th
5 years
4
43
176
@byt3bl33d3r
Marcello @ BH/DC 4th-12th
7 years
CME now supports command execution via WinRM (PS Remoting), and parsing NMap XML / .Nessus files for targets! :D
Tweet media one
4
110
176
@byt3bl33d3r
Marcello @ BH/DC 4th-12th
1 year
Really excited to be speaking at @defcon this year! My talk is titled "SpamChannel: Spoofing Emails from +2M Domains and Virtually becoming Satan" Love/hate Email security? Want your phishing campaigns to be a whole lot easier? You should def come to my talk! 😈 #defcon31
Tweet media one
6
33
178
@byt3bl33d3r
Marcello @ BH/DC 4th-12th
5 years
Added 2 more PoC scripts to the OffensiveDLR repo. One of which embeds the SSharp Compiler within a Posh script (Can be easily embedded from within any .NET language.) SSharp code compilation does not call csc.exe :)
1
62
173
@byt3bl33d3r
Marcello @ BH/DC 4th-12th
3 years
This is really cool, surprised it isn't more popular. Does a bunch of OPSEC checks on PE files and allows you to "taint" various attributes.
1
56
173
@byt3bl33d3r
Marcello @ BH/DC 4th-12th
3 years
I just had an EDR vendor straight up tell my client they had to “re-calibrate their AI engine” to detect a Python Reverse HTTPS meterpreter....... PORCA MADONNA.
14
16
169
@byt3bl33d3r
Marcello @ BH/DC 4th-12th
6 months
4
0
169
@byt3bl33d3r
Marcello @ BH/DC 4th-12th
5 years
Will be dropping the new SILENTTRINITY update later today or tomorrow just in time for my BlackHat Arsenal and Defcon Demo Labs presentations. This is a big one. Stay tuned :)
2
42
167
@byt3bl33d3r
Marcello @ BH/DC 4th-12th
4 years
Been working on some PoC C# code which would allow you to dynamically invoke native Win32 APIs from JScript using ClearScript's ExtendedHosts functions. Creds to @subTee for the Emit code
2
73
166
@byt3bl33d3r
Marcello @ BH/DC 4th-12th
7 years
If you're running Windows 7, 10 or iOS 10.3.1 you're not affected by the Krack Attack unless you're using WPA2-GCMP.
Tweet media one
7
165
156
@byt3bl33d3r
Marcello @ BH/DC 4th-12th
2 years
Yo this might sound crazy but turns out if you don’t look at your computer screen and go outside there’s stuff that doesn’t involve computers
18
16
165
@byt3bl33d3r
Marcello @ BH/DC 4th-12th
2 years
Who’s got one of those cool mind maps for AD attacks that’s updated with all the shit that came out the past few years?
10
23
157
@byt3bl33d3r
Marcello @ BH/DC 4th-12th
2 years
Just published some research and scripts that allow you to do DLL sideloading/proxy loading with Nim DLLs. Also, by accident figured out how to remove the NimMain function from the export table :)
4
69
164
@byt3bl33d3r
Marcello @ BH/DC 4th-12th
4 years
CrackMapExec hit 4k stars over the weekend on Github... Guess I really should start concentrating efforts on v6 huh 😬
Tweet media one
4
17
162
@byt3bl33d3r
Marcello @ BH/DC 4th-12th
4 years
Trump drops 0day
@KDbyProxy
Ira 'Greybeard Homer' Goldman 🦆🦆🦆
4 years
Donald Trump on computer hacking: "Nobody gets hacked. To get hacked you need somebody with 197 IQ and he needs about 15 percent of your password." [video]
79
364
770
9
33
154
@byt3bl33d3r
Marcello @ BH/DC 4th-12th
5 years
Yearly reminder to remove PowerShell V2 EVERYWHERE. Doesn’t matter what EDR , logging, witchcraft you have in place. If an attacker has access to the Posh V2 runtime, they can automatically bypass it all.
3
52
162
@byt3bl33d3r
Marcello @ BH/DC 4th-12th
5 years
Apparently the @CIA released most of the files that were on Osama Bin Laden’s computer / in his compound 🧐
7
65
158
@byt3bl33d3r
Marcello @ BH/DC 4th-12th
3 years
If every major pentest/RT shop gave something back to the Responder project as opposed to just leeching off of it for profit, we wouldn’t have to rely on 1 goddamn person to maintain a tool that EVERYONE fucking uses. The entire system is broken.
8
31
161