Daniel
@pentest.party
To the monsters we're the monsters.
Reposted by Daniel
New details on the ByBit/Safe{Wallet} breach, and uhhh wow, some really silly blunders on the DPRK side. They still succeeded which is the most upsetting part of all of this. Let's bully some threat actor tradecraft! A🧵
x.com/safe/status/...
Safe.eth on X: "Investigation Updates and Community Call to Action"
March 6, 2025 at 5:21 PM
Reposted by Daniel
#SCCM forest discovery accounts can be decrypted—even those for untrusted forests. If the site server is a managed client, all creds can be decrypted via Administration Service API.

Check out our latest blog post from @unsignedsh0rt.bsky.social to learn more. ghst.ly/4buoISp
Decrypting the Forest From the Trees - SpecterOps
TL;DR: SCCM forest discovery accounts can be decrypted including accounts used for managing untrusted forests. If the site server is a managed client, service account credentials can be decrypted via ...
March 6, 2025 at 8:34 PM
Reposted by Daniel
Another simple standalone tool for creating machine accounts with a custom password in Windows AD
github.com/decoder-it/N...
GitHub - decoder-it/NewMachineAccount
February 25, 2025 at 8:27 PM
Reposted by Daniel
We're almost at 20 years of celebrating web hacking techniques.

@jameskettle.com shares his favorites from 2024, the list's importance to the web hacking community, and what inspires the kind of research it highlights.

List at portswigger.net/research/top...

youtu.be/8XEK3NkbKOA?...
Top 10 Web Hacking Techniques of 2024 - James Kettle - ASW #318
YouTube video by Security Weekly - A CRA Resource
February 25, 2025 at 11:45 PM
Reposted by Daniel
In this blog post, I explain how I was able to create a PowerShell console in C/C++, and disable all its security features (AMSI, logging, transcription, execution policy, CLM) in doing so. 💪

👉 blog.scrt.ch/2025/02/18/r...
February 19, 2025 at 9:13 AM
Reposted by Daniel
In our latest article, our ninja laxa revisits the secretsdump implementation, offering an alternative that avoids reg save and eliminates writing files to disk, significantly reducing the likelihood of triggering security alerts. Read the details at www.synacktiv.com/publications....
LSA Secrets: revisiting secretsdump
February 20, 2025 at 10:55 AM
Reposted by Daniel
It appears Microsoft quietly mitigated most of the risk of the "Intune company portal" device compliance CA bypass by restricting the scope of Azure AD graph tokens issued to this app, making them almost useless for most abuse scenarios. Thx @domchell.bsky.social for the heads up.
February 20, 2025 at 11:08 AM
Reposted by Daniel
Check out my latest blog post on how the NTDS.dit file is used by Active Directory, and my accompanying tool, DIT Explorer, for browsing the data contained within NTDS.dit.

Blog post: trustedsec.com/blog/explori...
DIT Explorer on Github: github.com/trustedsec/D...
Exploring NTDS.dit – Part 1: Cracking the Surface with DIT Explorer
February 20, 2025 at 2:47 PM
Reposted by Daniel
How are defenders leveraging SACLs to detect unauthorized access attempts? Check out our latest blog post from Alexander DeMine which dives into SACLs and introduces a new tool, SACL_Scanner, which allows you to adapt your tradecraft accordingly. ghst.ly/3D3kvbD
Don’t Touch That Object! Finding SACL Tripwires During Red Team Ops - SpecterOps
During red team operations, stealth is a critical component. We spend a great deal of time ensuring our payloads will evade any endpoint detection and response (EDR) solution, our traffic is obfuscate...
February 20, 2025 at 8:39 PM
Reposted by Daniel
Normally you can't auth to Entra ID connected webapps with bearer tokens. But if Teams can open SharePoint/OneDrive with an access token, I guess so can we. roadtx now supports opening SharePoint with access tokens in the embedded browser 😀
February 18, 2025 at 1:12 PM
Reposted by Daniel
Following the release of IPSpinner last week, now is the time to unveil CaptainCredz! Perform advanced, fine-grained password spraying while remaining under the radar for your next Red Team engagement 🔥
github.com/synacktiv/ca...
GitHub - synacktiv/captaincredz: CaptainCredz is a modular and discreet password-spraying tool.
February 14, 2025 at 12:42 PM
Reposted by Daniel
🚀 New Tool Release: DescribeNTSecurityDescriptor 🚀

Analyzing Windows NT Security Descriptors can be a headache. I built DescribeNTSecurityDescriptor, a cross-platform tool to decode, parse & visualize them easily!

🔗 GitHub: github.com/p0dalirius/DescribeNTSecurityDescriptor
February 10, 2025 at 4:06 PM
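Both the SACL tripwire post above and the DescribeNTSecurityDescriptor release come down to the same binary structure: a self-relative NT security descriptor whose SACL holds the audit ACEs that turn an innocent LDAP read into a 4662 event. The following is an added example, not code from SACL_Scanner, DescribeNTSecurityDescriptor or either post: a minimal parser for that structure (layout per MS-DTYP) that lists the audit entries. The descriptor it parses is constructed inline, and the attribute GUID used in it is a placeholder, not a real schema GUID.

```python
"""Walk a self-relative Windows NT security descriptor and list the SACL
audit entries (the "tripwires"). Added example, not code from
DescribeNTSecurityDescriptor or SACL_Scanner; layout follows MS-DTYP.
The descriptor parsed at the bottom is constructed here; its object-type
GUID is a placeholder rather than a real AD schema GUID."""
import struct
import uuid

SE_DACL_PRESENT, SE_SACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x0010, 0x8000
ACE_TYPES = {0x00: "ACCESS_ALLOWED", 0x01: "ACCESS_DENIED", 0x02: "SYSTEM_AUDIT",
             0x05: "ACCESS_ALLOWED_OBJECT", 0x06: "ACCESS_DENIED_OBJECT",
             0x07: "SYSTEM_AUDIT_OBJECT"}
OBJECT_ACE_TYPES = {0x05, 0x06, 0x07}
SUCCESSFUL_ACCESS_ACE_FLAG, FAILED_ACCESS_ACE_FLAG = 0x40, 0x80
ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT = 0x1, 0x2

def parse_sid(buf, off):
    """SID: revision, sub-authority count, 48-bit big-endian authority, LE sub-authorities."""
    rev, count = buf[off], buf[off + 1]
    auth = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d%s" % (rev, auth, "".join("-%d" % s for s in subs))

def parse_acl(buf, off):
    """ACL header (8 bytes) followed by AceCount ACEs; each ACE header carries its own size."""
    _rev, _sbz1, _size, ace_count, _sbz2 = struct.unpack_from("<BBHHH", buf, off)
    pos, aces = off + 8, []
    for _ in range(ace_count):
        ace_type, ace_flags, ace_size = struct.unpack_from("<BBH", buf, pos)
        body = pos + 4
        ace = {"type": ACE_TYPES.get(ace_type, "0x%02x" % ace_type), "flags": ace_flags,
               "mask": struct.unpack_from("<I", buf, body)[0], "object_type": None}
        body += 4
        if ace_type in OBJECT_ACE_TYPES:  # object ACEs add Flags plus optional GUIDs
            obj_flags = struct.unpack_from("<I", buf, body)[0]
            body += 4
            if obj_flags & ACE_OBJECT_TYPE_PRESENT:
                ace["object_type"] = str(uuid.UUID(bytes_le=buf[body:body + 16]))
                body += 16
            if obj_flags & ACE_INHERITED_OBJECT_TYPE_PRESENT:
                body += 16  # InheritedObjectType GUID, not needed here
        ace["sid"] = parse_sid(buf, body)
        aces.append(ace)
        pos += ace_size
    return aces

def parse_security_descriptor(buf):
    """Header: Revision, Sbz1, Control, then offsets of Owner, Group, SACL and DACL."""
    rev, _sbz1, control, o_owner, o_group, o_sacl, o_dacl = struct.unpack_from("<BBHIIII", buf, 0)
    return {"revision": rev, "control": control,
            "owner": parse_sid(buf, o_owner) if o_owner else None,
            "group": parse_sid(buf, o_group) if o_group else None,
            "sacl": parse_acl(buf, o_sacl) if control & SE_SACL_PRESENT and o_sacl else [],
            "dacl": parse_acl(buf, o_dacl) if control & SE_DACL_PRESENT and o_dacl else []}

def audit_tripwires(sd):
    """SACL entries that log an event when a matching access succeeds and/or fails."""
    out = []
    for ace in sd["sacl"]:
        if ace["type"] not in ("SYSTEM_AUDIT", "SYSTEM_AUDIT_OBJECT"):
            continue
        when = [name for bit, name in ((SUCCESSFUL_ACCESS_ACE_FLAG, "success"),
                                       (FAILED_ACCESS_ACE_FLAG, "failure")) if ace["flags"] & bit]
        out.append({"sid": ace["sid"], "mask": ace["mask"], "audit_on": when,
                    "object_type": ace["object_type"]})
    return out

# --- builders used only to construct the sample descriptor below ---
def build_sid(s):
    p = s.split("-")
    subs = [int(x) for x in p[3:]]
    return bytes([int(p[1]), len(subs)]) + int(p[2]).to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)

def build_ace(ace_type, flags, mask, sid, object_type=None):
    body = struct.pack("<I", mask)
    if ace_type in OBJECT_ACE_TYPES:
        body += struct.pack("<I", ACE_OBJECT_TYPE_PRESENT if object_type else 0)
        body += uuid.UUID(object_type).bytes_le if object_type else b""
    body += build_sid(sid)
    return struct.pack("<BBH", ace_type, flags, 4 + len(body)) + body

def build_acl(aces):
    body = b"".join(aces)
    return struct.pack("<BBHHH", 4, 0, 8 + len(body), len(aces), 0) + body

def build_sd(owner, group, sacl, dacl):
    o, g = build_sid(owner), build_sid(group)
    offs = [20, 20 + len(o), 20 + len(o) + len(g), 20 + len(o) + len(g) + len(sacl)]
    ctrl = SE_SELF_RELATIVE | SE_SACL_PRESENT | SE_DACL_PRESENT
    return struct.pack("<BBHIIII", 1, 0, ctrl, *offs) + o + g + sacl + dacl

# Constructed sample: full control for Administrators in the DACL, plus a SACL that audits
# ReadProperty (0x10) by Everyone on one attribute (placeholder GUID) and WriteProperty (0x20)
# by Everyone on the whole object, on both success and failure (flags 0xC0).
PLACEHOLDER_ATTR_GUID = "11111111-2222-3333-4444-555555555555"
SAMPLE_SD = build_sd(
    "S-1-5-32-544", "S-1-5-21-1-2-3-513",
    build_acl([build_ace(0x07, 0xC0, 0x10, "S-1-1-0", PLACEHOLDER_ATTR_GUID),
               build_ace(0x02, 0xC0, 0x20, "S-1-1-0")]),
    build_acl([build_ace(0x00, 0x00, 0x000F01FF, "S-1-5-32-544")]))

if __name__ == "__main__":
    for tripwire in audit_tripwires(parse_security_descriptor(SAMPLE_SD)):
        print(tripwire)
```

Against a live directory the bytes would come from the nTSecurityDescriptor attribute, and reading the SACL part of it requires the LDAP_SERVER_SD_FLAGS control with the SACL bit set plus SeSecurityPrivilege; without those the server simply omits the SACL and a scanner sees no tripwires, which is a false negative, not a clean bill of health.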
Reposted by Daniel
I'm very happy to finally share the second part of my DOMPurify security research 🔥

This article mostly focuses on DOMPurify misconfigurations, especially hooks, that downgrade the sanitizer's protection (even in the latest version)!

Link 👇
mizu.re/post/explori...

1/2
February 10, 2025 at 5:57 PM
Reposted by Daniel
MagicGardens from hackthebox has a ton in it! There's a bank trick and XSS via QRcode. There's a buffer overflow via large IPv6 packet. Docker Registry, Django deserialization, and a malicious kernel module as well.

0xdf.gitlab.io/2025/02/08/h...
HTB: MagicGardens
MagicGardens starts by exploiting a Django website, tricking it into approving a purchase for a premium subscription. With this subscription, I am able to include a cross-site scripting payload in a Q...
February 8, 2025 at 3:06 PM
Reposted by Daniel
🔬Smallest Reverse-DNS Tunnel Backdoor 🚪. More at thc.org/tips ❤️‍🔥

🍺 Have a nice weekend. 🍺
February 7, 2025 at 3:48 PM
Reposted by Daniel
ROADtools update: I just released roadlib v1.0! This version drops the adal dependency, all auth flows are now implemented natively 🎉 This was mostly a personal goal, but it helps with adding new features, such as forcing MFA during device code auth independent of CA policies 😀
February 7, 2025 at 2:50 PM
Reposted by Daniel
#DYK: CMPivot queries can be used to coerce SMB authentication from #SCCM client hosts. Check out Diego Lomellini's latest blog post, which shares a simple, yet effective way to execute this. ghst.ly/4hnsA9W
Further Adventures With CMPivot — Client Coercion
February 3, 2025 at 7:32 PM
Reposted by Daniel
The results are in! We're proud to announce the Top 10 Web Hacking Techniques of 2024! portswigger.net/research/top...
Top 10 web hacking techniques of 2024
Welcome to the Top 10 Web Hacking Techniques of 2024, the 18th edition of our annual community-powered effort to identify the most innovative must-read web security research published in the last year
February 4, 2025 at 3:02 PM
Reposted by Daniel
Many in the Mythic Community have asked for a way to standardize BOF/.NET execution within Mythic Agents. Today I'm releasing Forge, a new Mythic container to do just that: posts.specterops.io/forging-a-be...
We're starting off with default support for Apollo and Athena. Check it out! :)
February 5, 2025 at 3:10 PM
Reposted by Daniel
New blog post on the abuse of the IDispatch COM interface to get unexpected objects loaded into a process. Demoed by using this to get arbitrary code execution in a PPL process. googleprojectzero.blogspot.com/2025/01/wind...
Windows Bug Class: Accessing Trapped COM Objects with IDispatch
Posted by James Forshaw, Google Project Zero Object orientated remoting technologies such as DCOM and .NET Remoting make it very easy ...
January 30, 2025 at 6:37 PM
Reposted by Daniel
SlackPirate sets sail again! 🏴‍☠️

In his latest blog post, Dan Mayer intros his new PR to SlackPirate that lets you loot Slack again out of the box, a BOF to get you all the data you need to do it, & how to bee the most active slacker in your group chat. 🐝 ghst.ly/4hgwMIt
SlackPirate Set Sails Again! Or: How to Send the Entire “Bee Movie” Script to Your Friends in Slack
TLDR: SlackPirate has been defunct for a few years due to a breaking change in how the Slack client interacts with the Slack API. It has a…
January 31, 2025 at 4:27 PM
Reposted by Daniel
I got Linux running in a PDF file using a RISC-V emulator.

PDFs support Javascript, so Emscripten is used to compile the TinyEMU emulator to asm.js, which runs in the PDF. It boots in about 30 seconds and emulates a riscv32 buildroot system.

linux.doompdf.dev/linux.pdf
github.com/ading2210/li...
January 31, 2025 at 8:02 PM
Reposted by Daniel
Very interesting post by Microsoft about the internals of the new Admin Protection feature.
It seems they have patched my SSPI UAC bypass based on NTLM as well as the Kerberos UAC bypass, both of which were also able to bypass AP.

More details here 👇
techcommunity.microsoft.com/blog/microso...
Evolving the Windows User Model – Introducing Administrator Protection | Microsoft Community Hub
Previously, in part one, we outlined the history of the multi-user model in Windows, how Microsoft introduced features to secure it, and in what ways we got...
January 29, 2025 at 11:38 AM
Reposted by Daniel
Part 2 of @hotnops.bsky.social's blog series on Entra Connect attacker tradecraft has dropped! 🙌 Check out this installment to learn more fundamentals of the Entra sync engine & how to interpret the sync rules. ghst.ly/3WqAQO4
Entra Connect Attacker Tradecraft: Part 2
Now that we know how to add credentials to an on-premises user, let's pose a question:
January 22, 2025 at 7:39 PM