wallfacer

@simplylurking2

Followers
974
Following
1,008
Media
847
Statuses
4,643
@simplylurking2
wallfacer
3 months
Last shitpost, I swear. New ATT&CK ID just dropped:
Tweet media one
12
172
826
@simplylurking2
wallfacer
6 months
Getting sloppy after Rob left, hmm?
Tweet media one
16
25
612
@simplylurking2
wallfacer
6 months
Think of the amount of effort that went into this. Now gaze upon the sheer number of nameless developers contributing to countless OSS projects every day. Happy hunting.
Tweet media one
6
22
398
@simplylurking2
wallfacer
3 months
🥳
Tweet media one
8
22
253
@simplylurking2
wallfacer
2 months
🙃
Tweet media one
4
35
235
@simplylurking2
wallfacer
5 months
Guide to defeating EDR: 1. Have private methods 2. Don't blog about them
2
39
200
@simplylurking2
wallfacer
2 months
Holy shit. 🤣
Tweet media one
@elasticseclabs
Elastic Security Labs
2 months
This new article from @dez_ reveals 4 attack techniques linked to SmartScreen and SmartAppControl. Check it out: Will you be at #BHUSA? Stop by @elastic booth #2350 to chat with Joe or catch his lightning talk! #ElasticSecurityLabs #threattechnique
0
54
165
2
35
187
@simplylurking2
wallfacer
8 months
I-S00N drop obliterated my Sunday evening plans, and I'm not even mad. There is... so much to unpack here. Fantastic work translating from @AzakaSekai_. I like this part, and the raw CDR logs left me speechless. CDRs aren't easy to obtain inside telcos:
4
36
170
@simplylurking2
wallfacer
5 months
Had to do it.. 🤣 re: @h4x0r_dz @HackingLZ
Tweet media one
8
17
166
@simplylurking2
wallfacer
5 months
By far, one of the most interesting honeypots I've ever seen! Payload URL was an HTML-smuggled zip file reflected from the honeypot's simulated cmd injection output. Had to wiggle around restrictive CSP with a right-click lure. A quick 🧵 for anyone curious..
Tweet media one
@therealshodan
丂卄ㄖᗪ卂几 - 👋 crack fingers
5 months
code[.]microsoft[.]com became pretty interesting to the community over the weekend. Blog post about what we use it for and what we’ve been seeing. Crucially why it had to say goodbye.
6
63
230
2
18
116
@simplylurking2
wallfacer
23 days
A red teamer is also a full stack developer, just 10x more cracked. Backend, front-end, thick clients (on host malware, multiple OS), network, AAA, humint, infra, reporting. Give yourself a pat on the back or something.
2
4
91
@simplylurking2
wallfacer
10 days
The more you understand the architecture of an environment, the more options become available to you for mischief. Read docs, code, configs, notes, tickets, chats, logs, diagrams, monitoring systems, metadata. Don't just look for creds; comprehend the whole. Aim for omniscience.
3
11
90
@simplylurking2
wallfacer
4 months
This is your regular reminder you can only read about malware, ttp, and campaigns that were caught.
2
16
85
@simplylurking2
wallfacer
4 months
Chromium bug payout of 100k on a medium with a very vague description. Can't wait to read this ticket.
Tweet media one
3
14
77
@simplylurking2
wallfacer
3 months
@vxunderground EICAR.exe so they think it's an AV test and ignore the alert that's fired
1
0
76
@simplylurking2
wallfacer
6 months
And with that, my shitposting quota is complete for the week. Probably
Tweet media one
3
9
73
@simplylurking2
wallfacer
5 months
Tweet media one
2
6
68
@simplylurking2
wallfacer
11 months
I'm going to release a realistic red teaming course where we just read Confluence, wikis, shares, and git repos all day and write reports for several hours at the end.
3
6
51
@simplylurking2
wallfacer
4 months
Flipping Recall on by setting these reg keys remotely, SCM to restart the service, and then collecting the goodies over C$ would be a fileless (but a bit noisy) means of lateral recon. 🙃
1
18
49
@simplylurking2
wallfacer
11 months
The vicious cycle continues. This platform is useful for each 😂
Tweet media one
0
11
49
@simplylurking2
wallfacer
3 months
@mncoppola It's a slippery slope when vendors' threat tracking groups start giving a pass to certain entities tho. How was TAG supposed to coordinate with whichever agency was running that campaign? If the targets are domestic and not foreign where does a vendor draw the line?
1
0
45
@simplylurking2
wallfacer
2 months
Oh fuck, call the SOC/IR/SWAT. Shit's going down.
Tweet media one
@McGrewSecurity
Dr. Wesley McGrew
2 months
A @ResortsWorldLV security staff member just came by to check the room. I asked her what they’re looking for, and she said “we’re just making sure you’re not hacking our stuff”. Took a look around the room briefly and left. #defcon32
51
42
300
3
7
44
@simplylurking2
wallfacer
9 months
mmmm
Tweet media one
0
4
41
@simplylurking2
wallfacer
6 months
K, one last shitpost. Commit time is the new compile time.
Tweet media one
4
6
40
@simplylurking2
wallfacer
2 months
@d0rkph0enix @defcon @ResortsWorldLV They also prohibited a few of my friends from entering the Eight cigar lounge inside that same casino. The reason given was "no bags allowed", a special rule just for defcon week apparently.. 🫤
2
0
41
@simplylurking2
wallfacer
5 months
3
0
39
@simplylurking2
wallfacer
11 months
Tweet media one
0
4
36
@simplylurking2
wallfacer
6 months
OK maybe just one more shitpost
Tweet media one
@Volexity
Volexity
6 months
Our latest blog post details @Volexity's identification & incident response associated with the Palo Alto Networks GlobalProtect #0day vuln, assigned CVE-2024-3400, that the team found being exploited in the wild. Read more here: #DFIR #ThreatIntel
2
96
193
0
5
36
@simplylurking2
wallfacer
3 months
Protip: put Equation Group signatures in your campaign so infosec vendors have a patriotic moral conundrum to deal with while triaging.
6
4
33
@simplylurking2
wallfacer
6 months
If you could rewrite xz backdoor based off what we know now, what would you do differently? Shellcode instead of system()? Setting the env vars right as Craig pointed out? Flip sftp channel open for root r/w? Avoid slowdowns with faster lookups? Entirely different trigger?
@CraigHRowland
Craig Rowland - Agentless Linux Security
6 months
Looking at the xz backdoor, it has one particular trait for spawned processes in the environment that is unusual. Linux command line forensics like so: `strings /proc/<PID>/environ`. The RUNTIME_DIRECTORY and SSHD_OPTS are odd... thread.
Tweet media one
Tweet media two
3
58
331
4
5
33
@simplylurking2
wallfacer
5 months
fyi: ESX, PanOS, and many other devices have gdb installed by default. There are always sneakier ways to stage..
Tweet media one
2
7
30
@simplylurking2
wallfacer
5 months
.bat just runs cscript with hello world. I'm not all that creative. Thanks again to @therealshodan for the playground and to @h4x0r_dz and @HackingLZ for originally finding this domain.
Tweet media one
0
0
28
@simplylurking2
wallfacer
11 days
Me 4 months in @ internal red: "Just give me a card and a budget please"
Tweet media one
6
0
28
@simplylurking2
wallfacer
6 months
What fascinates me is there's a sub industry of CNO dev around repurposing foreign malware for false flagging and yet we've seen it reported on so few times. They must be pretty good. 😅 Or CTI is... well ya know.
0
3
28
@simplylurking2
wallfacer
17 days
@eat_dc I'm not an escort. I'm a fine dining consultant.
2
0
27
@simplylurking2
wallfacer
8 months
I would personally like to thank the top EDRs in this industry for making red teaming more difficult and upping the ante, forcing me to evolve tradecraft. Necessity is the mother of all invention after all. Surf the edge of that baseline friends.
2
2
27
@simplylurking2
wallfacer
6 months
Submitted my resignation. I'll miss my team - ninjas, every last one of them. Nearly 8 years across two stints of some of the craziest hacks and wildest objectives. But it's time to leave the consulting world and dive down even deeper rabbit holes. Excited for the new mission :)
0
1
26
@simplylurking2
wallfacer
2 months
In red teaming, the paths to an objective are nearly limitless. Eventually RT ops distill down to: 1. Knowing the core paths 2. Exploring paths safely 3. Choosing paths with the least amount of friction (detection/chance of error) 4. Prioritizing time 5. Methodical execution 🤏🧵
2
4
26
@simplylurking2
wallfacer
3 months
Is it reaaallly "research" if you're just rehashing course material and public blogs into a loader tho? One could argue that's just "development" until you start finding novel methods. 🕺
8
1
24
@simplylurking2
wallfacer
8 months
@ACEResponder CTI teams ready for global hackback night
0
0
25
@simplylurking2
wallfacer
3 months
Shit happens, not the end of the world, but as adsim operator, you can capitalize on the situation: 1. Take note of which orgs are using Crowdstrike based off who's experiencing outages. (Future or existing clients) 2. IT remediation phishing pretexts 3. IT/SOCs are busy today
1
0
24
@simplylurking2
wallfacer
3 months
No.. you can't really run an EDR from userland only 🤦‍♂️. Otherwise TA would simply unhook, stomp, and completely gut detections. Microsoft has come a long way to make this more stable, DAE remember how often AVs used to crash each other trying to hook the same 0xFFFFF800+ address?
1
0
22
@simplylurking2
wallfacer
11 months
Tweet media one
1
1
21
@simplylurking2
wallfacer
2 months
@HackingLZ Next week is going to be a shitshow on the BH vendor floor..
3
1
22
@simplylurking2
wallfacer
1 year
The term has become diluted over the past decade, I should honestly just give up the argument entirely. Each approach undoubtedly has its merits, you do you. I personally just enjoy end to end gigs; industry zeitgeist/ROI be damned. It's the only way I can scratch that 'itch'.
Tweet media one
2
1
22
@simplylurking2
wallfacer
1 year
@cyb3rops Nice try @cyb3rops, you cooking up a sigma rule for writes to that dir from non-Defender procs aren't you?
0
0
20
@simplylurking2
wallfacer
2 months
On "luck" in red teaming. Many years ago, I had a coworker find a pretty crazy obscure vuln on a web app during a gig. One of my other coworkers said it was luck, I told him it only seems like luck because he didn't see the guy grind 16hrs+ on this app leading up to the finding.
2
2
21
@simplylurking2
wallfacer
9 days
I am expecting a multitude of printer experts to come out the woodwork any moment now.
3
5
21
@simplylurking2
wallfacer
3 months
Very clever opportunistic attack.
Tweet media one
0
3
21
@simplylurking2
wallfacer
5 months
Let's say you captured an interesting piece of malware, RE'd the C2 config and managed to modify it correctly. What steps would you take to reverse engineer the C2 (half) blindly to create your own listener? Shitpost and real answers welcomed.
7
3
19
@simplylurking2
wallfacer
7 months
Tweet media one
0
4
19
@simplylurking2
wallfacer
1 year
If you've scouted the env beforehand you can use JS vs the FQDN to check port 80 on the DC to determine if the target is on a corp box before you deliver your payload as an effective guardrail. I'm sure there are better ways. Cheers @_xpn_ @domchell for the brainstorm 🍻
Tweet media one
@_xpn_
Adam Chester 🏴‍☠️
1 year
Question, the NK attacks show a very effective method of sending LinkedIn messages to target employee machines. With effective guardrails in place to avoid C2 on personal machines, would you do similar even with the risk that a personal machine may still be targeted?
12
3
12
1
7
19
@simplylurking2
wallfacer
3 months
Code a minimal custom C2 to get the job done or fight EDR tooth and nail getting a bigboi loaded safely? 1 person team, no dedicated devs, I choose a tailored approach until things can get flushed out more here. Get shit done. 🫡
2
0
18
@simplylurking2
wallfacer
8 months
@HackingLZ A good boss will be open to letting an individual contributor who is running hot take extended sabbaticals. I've had 2 employers (inc. current, to their credit) that understood this well. You can only burn the candle at both ends for so long. Billable % doesn't matter if they pop
1
1
18
@simplylurking2
wallfacer
13 days
🧐 for Chromium cookie files now that they're locked
@olivier_boschko
Boschko 🇨🇦
13 days
Not enough people realize how poorly EDRs monitor NTFS 😅 nothing stops you from directly reading the MFT & extracting files from NTFS. Just read raw data from sectors, parse MFT for non-resident files, reconstruct files w/ NTFS structure on disk, extract the file contents 🙂
9
25
187
0
2
17
@simplylurking2
wallfacer
5 months
Test envs can still be dangerous...
Tweet media one
@vxunderground
vx-underground
5 months
Zscaler confirmed Wednesday that they've been breached. They state they can confirm it was one of their test environments that was compromised. They state no customer information was stolen and no businesses have been affected
Tweet media one
10
45
272
2
1
16
@simplylurking2
wallfacer
2 months
In DC, it's common for people to ask what you do for a living in the first few minutes of meeting.🤦‍♂️ What they're rarely prepared for is an hour long explanation about internet architecture and offsec. Job? No, this is an obsession 💞🕺
2
0
17
@simplylurking2
wallfacer
8 months
Let's talk re(a)d team🧵 - vary accounts/src IP to avoid creating an IR treasure map - record and then quickly re-search their recent queries so the user won't get sus - some shops monitor queries, it's always better to manually browse tasty spaces/sections vs "password" search...
Tweet media one
2
5
17
@simplylurking2
wallfacer
6 months
@cyb3rops Timestamps mean nothing. This person/group worked for 2 years on this, do we really think they didn't plan on eventually getting combed over by the community? They can't programmatically schedule commits or messages given their skill level? Didn't work the graveyard shift?
3
0
17
@simplylurking2
wallfacer
1 year
Any ideas as to what you can do after achieving RCE on a proxy like this? 🫠. We were all focusing on Curl/Confluence this week but @MegaManSec dropped something arguably crazier that'll likely get much less attention:
1
5
15
@simplylurking2
wallfacer
1 year
@techspence Like most things tho, you learn way more from an uncomfortable failure than a straightforward win.
1
2
15
@simplylurking2
wallfacer
4 months
This is straight up genius.
@0gtweet
Grzegorz Tworek
4 months
Do you need thousands of free VMs running your code? It requires some work, but it’s relatively simple if your code seems to be interesting. AV sandboxes around the world are offering a lot of computing power for you and the only thing you need to do is to feed them with
5
33
194
1
2
16
@simplylurking2
wallfacer
1 year
@cyb3rops They're using the fuzzy glob feature of the gcm command to get a reference to a specific global function to call, thereby avoiding the static sigs. Probably can do something similar with aliases
0
0
16
@simplylurking2
wallfacer
6 months
Alright. I think I'm done shitposting xz for the weekend. I'll just leave it with: - It's amazing this didn't use any OST! - I wonder how they pulled this off without reading a red team R&D blog first. - Commit time zones and a Chinese name seem a pretty heavy false flag.
0
3
15
@simplylurking2
wallfacer
14 days
Research requires iteration. Sometimes bad or impractical ideas need tweaking, or a tangent can produce a better line of research. Find something fun and play with it 'til it falls apart, make something else, and repeat until it's usable in the field.
0
4
15
@simplylurking2
wallfacer
2 months
Lil private tasting in DC tonight 🥰
Tweet media one
1
0
15
@simplylurking2
wallfacer
4 months
Snuck Cleo into the sushi bar, she's helping us finish the boat
Tweet media one
@simplylurking2
wallfacer
4 months
The weekend begins :)
Tweet media one
1
0
12
1
1
15
@simplylurking2
wallfacer
2 months
The offensive security training industry is downright hilarious. 🍿 It's highly competitive and reactive/critical to each other's offerings. Personally, I'd love to see them duke it out with pool noodles.
4
0
15
@simplylurking2
wallfacer
3 months
How many times have you been at the end of a red team, owned loads, got the objective but there were so many other interesting avenues to explore you didn't have time for? That's one of the main reasons I went for internal RT role, I essentially onboarded with my favorite target
3
0
14
@simplylurking2
wallfacer
6 months
Have you ever read threat reports from real APT spanning years and think red teaming is just fast food for hackers? Lately I realize this industry barely satiates me anymore. It's like trying to scratch an itch with a balloon. I just lie to myself for a stable paycheck. 🎈💥
2
0
15
@simplylurking2
wallfacer
6 months
90 days is up @GoogleVRP. I've tried reaching out again, tried backchanneling twice, and tried here. Drafting the blog now; it's dumb it came down to this. Sorry about your ClusterFuzz VMs exfiling to my domain despite repro steps telling you to change it, I guess?
@simplylurking2
wallfacer
6 months
Day 85 with this trivial to exploit info disclosure vuln in Chromium. If you WONTFIX or pay out, then at least open the issue and let the downstream browser vendors (@msftsecresponse, et al.) decide to accept the risk. Being ghosted by @googlechrome team, I'm out of options..
Tweet media one
1
2
7
4
2
15
@simplylurking2
wallfacer
17 days
Two of the most dangerous times are during: Initial access: failed attempts likely to tip SOC. Also, that first week on the beachhead is surgery. Very close to the goal: controls/detections can be crazier here than the perimeter. Exhaustion comes into play, as does excitement.
1
1
15
@simplylurking2
wallfacer
3 months
These aged well... 😋
Tweet media one
2
0
15
@simplylurking2
wallfacer
5 months
Simple backdoor just updates the mod time on a single file to let me know it's still there periodically (days), waiting for mischief. File-based "C2"s are fun.
2
0
15
@simplylurking2
wallfacer
8 months
Strategy for initial access? Same as always, turn legitimate features into malware/connectivity.
2
0
12
@simplylurking2
wallfacer
1 month
People may be surprised about Lazarus getting sophisticated, but you have to know they're highly "motivated." They've operated for years with no repercussions, have access to all the same online resources we do, and have nothing but time. Never underestimate 9-9-6. Maybe 7.
4
2
14
@simplylurking2
wallfacer
7 months
Very sexy tradecraft. Can you daisy chain relay that indefinitely down the line if N+1 user has LA to N+2 box? And so on and so on.. would take some planning but sounds possible...? @elad_shamir
@0x64616e
Daniel
7 months
Cool use case for NTLM relay from SO-CON 2024.
Tweet media one
4
27
121
3
1
14
@simplylurking2
wallfacer
25 days
Fantastic work. Your new stage 1 should incorporate this. Just ship fresh VPN cookies over a minimal, safe transport every day in lieu of loading a full C2.
@rotarydrone
јаmеѕ ███████
26 days
First blog! Reversing a VPN client to hijack sessions.
9
284
1K
1
5
14
@simplylurking2
wallfacer
2 months
I rarely ever go into the office. Peak performance for me is rolling out of bed into the kitchen for coffee and slowly coming back to life in my sweat pants as the monitors scorch my retinas. Clothes, driving, face2face interaction? That's overhead. Mostly wfh for 11 years.
1
1
14
@simplylurking2
wallfacer
4 months
@PyroTek3 Inb4 @gentilkiwi carves the key out of aixhost.exe
1
0
13
@simplylurking2
wallfacer
3 months
Let's give Crowdstrike a break for a minute. Name some spots where faulty updates would have more catastrophic results. I'll go first: - Patch Tuesday - SCADA for electric grid - DNS root zone
10
1
14
@simplylurking2
wallfacer
9 months
Come to infosec, where you'll be put down for your differing view points, have your work criticized, participate in meaningless witch hunts, battle obvious trolls, stranger rivalries, promote Western exceptionalism, and search for 5% interesting content that isn't just for clout🙃
3
0
14
@simplylurking2
wallfacer
7 months
C2 is just a means of remotely loading additional code dynamically. Virtually every other feature is just a nice to have. We're so used to beaconing, bind, connect but really: *any* way to facilitate a transport PDU works. send/recv don't even have to be on the same transport 🫶
@HackingLZ
Justin Elze
7 months
@simplylurking2 Everyone seems to add tons of complexity at this point what do you need a few windows apis, BoF loading, and socks :)
3
0
8
0
2
14
@simplylurking2
wallfacer
5 months
How to hit it off with IT while starting an internal red team role
Tweet media one
1
0
14
@simplylurking2
wallfacer
4 months
Kaspersky vs Huawei vs US network vendors. Who's had more publicly documented backdoors? You hate it because it's true.
2
3
13
@simplylurking2
wallfacer
9 months
Old TTP burn Sunday! No '/FORMAT', no 'xsl' in cmdline args. xsl will save to cache and often gets picked up by Defender, so adjust your stage accordingly.
Tweet media one
1
2
13
@simplylurking2
wallfacer
5 months
I'm a sucker for esoteric, weird, novel means of C2 transport/staging. It nerdsnipes me every time 😵
3
0
13
@simplylurking2
wallfacer
2 months
My new red team reporting format is just going to be structured memes. I post specific memes in a certain order and they have to guess how bad it is.
5
0
13
@simplylurking2
wallfacer
8 months
@_JohnHammond Fortunately for them, CrowdStrike has *never* failed to evict a threat actor or missed a trail... right? 🙃 Timeline and more details required, it's great to hear #3 though if it can be believed..
1
1
11
@simplylurking2
wallfacer
8 months
You can simultaneously dislike your employer and love your work, but eventually that shit eats you alive. I'm red team shopping now in earnest starting today. 🤚
0
0
7
@simplylurking2
wallfacer
28 days
Hacking phases: - No idea what I'm doing, play around with everything - Some idea, tool dependent, focused studying - competent-ish, hobby/work line blurred - "the professional", this is biz, less fun - fuck this shit, get the objective with a TI calc and a paperclip for lulz
0
1
12
@simplylurking2
wallfacer
5 months
Tweet media one
0
1
11
@simplylurking2
wallfacer
11 months
Friend at Mandiant has assured me they've reserved APT69 for me (don't be a pervert, it's about that symmetry 😂). Downside is I'll have to get caught more. @ImposeCost how many UNC# are needed to make an APTease?
2
0
12
@simplylurking2
wallfacer
3 months
Love this post, I didn't know the prctl method! If you are doing this on a remote proc (assuming you've got the rights), you can fetch the arg_start address from /proc/pid/stat and set it with either ptrace or /proc/pid/mem directly with seek()/write()
@CraigHRowland
Craig Rowland - Agentless Linux Security
3 months
A great write-up on Linux process name stomping techniques from @haxrob h/t @thoughtb0x
1
90
262
0
2
12
@simplylurking2
wallfacer
1 month
Same day reservation at a place that typically requires a month+. Didn't mention it was our anniversary, just got lucky somehow.. again. The most dangerous game.
Tweet media one
0
0
12
@simplylurking2
wallfacer
6 months
*starts contributing to OSS* </unrelated>
1
0
10
@simplylurking2
wallfacer
2 months
@d0rkph0enix @defcon @ResortsWorldLV Yea, it was insane. Total bullshit. Plenty of better options: Monte Cristo, Casa Fuentes, etc. 🫠 Our business goes elsewhere
0
0
12
@simplylurking2
wallfacer
3 months
24hr slow cooked lamb with the bone in, added some mushrooms, scraped the bones and put in fresh noodles. 🤤
Tweet media one
@simplylurking2
wallfacer
3 months
The slow cooker makes me seem like I'm competent at cooking. This lamb is 🤌. My only regret is not getting a larger slow cooker so I can have the broth for days.
1
0
4
0
0
11