😈 [ Two Seven One Three @TwoSevenOneT ]
"clipup.exe" in System32 is very powerful. It can destroy the executable file of the EDR service 😉 Experimenting with overwriting the MsMpEng.exe file.
Proactively creating processes with Protected Process Light (PPL) protection will give you more opportunities to abuse these processes. Detailed article:
🔗 https://www.zerosalarium.com/2025/08/countering-edrs-with-backing-of-ppl-protection.html
🐥 [ tweet ]
"clipup.exe" in System32 is very powerful. It can destroy the executable file of the EDR service 😉 Experimenting with overwriting the MsMpEng.exe file.
Proactively creating processes with Protected Process Light (PPL) protection will give you more opportunities to abuse these processes. Detailed article:
🔗 https://www.zerosalarium.com/2025/08/countering-edrs-with-backing-of-ppl-protection.html
🐥 [ tweet ]
🔥12😁1
😈 [ spencer @techspence ]
A quick and easy way to find services with unquoted service paths is to open up PowerShell and run the following:
Get-WmiObject win32_service | select Name,PathName,StartMode,StartName | where {$_.StartMode -ne "Disabled" -and $_.StartName -eq "LocalSystem" -and $_.PathName
🐥 [ tweet ]
😈 [ SpecterOps @SpecterOps ]
Cookie theft has evolved 🍪
Over the last year, stealing cookies on Windows devices has changed significantly for Chromium browsers like Chrome and Edge. Andrew Gomez dives into these changes, how threat actors adapt, & new detection opportunities.
🔗 https://specterops.io/blog/2025/08/27/dough-no-revisiting-cookie-theft/
🐥 [ tweet ]
😈 [ Yuval Gordon @YuG0rd ]
BadSuccessor is dead… or is it?
The patch for CVE-2025-53779 fixed the priv-esc. While no longer a vulnerability, the tactic still applies in certain scenarios.
Defenders should be aware of it.
Details:
🔗 https://www.akamai.com/blog/security-research/badsuccessor-is-dead-analyzing-badsuccessor-patch
🐥 [ tweet ]
😈 [ Tijme Gommers @tijme ]
Exciting times. I'm publishing Dittobytes today after presenting it at @OrangeCon_nl!
Dittobytes is a true metamorphic cross-compiler aimed at evasion. Use Dittobytes to compile your malware. Each compilation produces unique, functional shellcode.
🔗 https://github.com/tijme/dittobytes
🐥 [ tweet ]
😈 [ Kurosh Dabbagh @_Kudaes_ ]
I just released MFTool, an NTFS parser that builds an in-memory map of a volume, allowing you to:
- Read any file without opening a handle
- Get the contents of locked/deleted files (registry hives, pagefile.sys, etc)
- Perform fast, in-memory searches across the entire disk
Although direct access to disk is not new at all, especially when it comes to forensics, I think this approach could be useful in a number of contexts during an RT engagement.
🔗 https://github.com/Kudaes/MFTool
🐥 [ tweet ]
😈 [ Unit 42 @Unit42_Intel ]
We discuss an uptick in use of the relatively unknown AdaptixC2, an open-source C2 framework, by attackers. Our research details its functionality, configuration as well as observed deployment techniques, including novel AI-assisted methods.
🔗 https://unit42.paloaltonetworks.com/adaptixc2-post-exploitation-framework/
🐥 [ tweet ]
😈 [ @zephrfish.yxz.red @ZephrFish ]
Made a thing, mucking about with Python and an LDAP browser concept to ingest straight into BloodHound: a simple LDAP browser using PyQt as a GUI and neo4j-driver to ingest into BH.
🔗 https://github.com/ZephrFish/pyLDAPGui
🐥 [ tweet ]
😈 [ kr0tt @_kr0tt ]
Wrote a blog about creating an early exception handler for hooking and threadless process injection without relying on VEH or SEH.
You can definitely use it for more than what is described in the post, enjoy :)
🔗 https://kr0tt.github.io/posts/early-exception-handling/
🐥 [ tweet ]
😈 [ Dirk-jan @_dirkjan ]
I've been researching the Microsoft cloud for almost 7 years now. A few months ago that research resulted in the most impactful vulnerability I will probably ever find: a token validation flaw allowing me to get Global Admin in any Entra ID tenant. Blog:
🔗 https://dirkjanm.io/obtaining-global-admin-in-every-entra-id-tenant-with-actor-tokens/
🐥 [ tweet ]
😈 [ dis0rder @dis0rder_0x00 ]
New tool drop! Let me show you Obex:
🔗 https://github.com/dis0rder0x00/obex
Spawn a process and block unwanted DLLs from loading (in user mode).
Example: spawn powershell without "amsi.dll" for an easy amsi-less experience :)
🐥 [ tweet ]
Forwarded from Standoff 365
Hurry up and make your name known at Standoff Talks on October 16 🔥
The call for papers is still open. If you have cool cases on OSINT, bug bounty, pentesting, red teaming, or on TI, threat hunting, or SOC operations topics, this is your chance to share your experience with the elite of practical security. Choose the format that suits you, 40 or 10 minutes, and send in your application!
⁉️ Important! We are waiting for your talks until September 26. That means you have one week left to submit an application and become a speaker at the event.
And we remind you not to forget to register for the meetup. For those who have already registered, we will start sending out confirmations next week!
Don't miss the chance to take part in such a cool event!
😈 [ codewhisperer84 @codewhisperer84 ]
Check out Titanis, my new C#-based protocol library! It features implementations of SMB and various Windows RPC protocols along with Kerberos and NTLM.
🔗 https://github.com/trustedsec/Titanis/
🐥 [ tweet ]
😈 [ r0BIT @0xr0BIT ]
TL;DR: Semi-automate Remote SchedTask Parsing and look for privileged tasks by feeding bloodhound high-value targets. Noisy AF because impacket.
🔗 https://github.com/1r0BIT/TaskHound.git
This is my first feeble attempt at maybe providing something somewhat useful for the Community :)
🐥 [ tweet ]
Forwarded from Pentest Notes
I have prepared a detailed guide for you on penetration testing Outlook Web Access (OWA). 😈
➡️ In the article I went through all the main attacks and vulnerabilities of OWA. I collected and structured the most useful material in one place.
➡️ The material is also ideal for those who still confuse OWA, Outlook, and MS Exchange :)
Even if you have never dealt with Microsoft mail services before, after reading it you can confidently go and check them for security.🥤
Link to the article
💫 @pentestnotes | #pentest #OWA #Exchange
😈 [ quarkslab @quarkslab ]
Finding a buggy driver is one thing, abusing it is another.
In his latest blog post, Luis Casvella shows you how BYOVD can be used as a Reflective Rootkit Loader! 🚀
🔗 https://blog.quarkslab.com/exploiting-lenovo-driver-cve-2025-8061.html
🔗 https://blog.quarkslab.com/exploiting-lenovo-driver-cve-2025-8061_part2.html
🐥 [ tweet ]
😈 [ Daniel @VirtualAllocEx ]
New blog post in a while — this one covers "executing" shellcode from non-executable memory and "bypassing" DEP/NX.
Since I didn’t have a proofreader this time, I’d really appreciate it if you could let me know about any errors or misinterpretations you spot in the article.
Blog:
🔗 https://redops.at/en/blog/the-emulators-gambit-executing-code-from-non-executable-memory
Code:
🔗 https://github.com/VirtualAlllocEx/HWBP-DEP-Bypass
🐥 [ tweet ]