
~$ socat TWITTER-LISTEN:443,fork,reuseaddr TELEGRAM:1.3.3.7:31337

Disclaimer: https://t.me/OffensiveTwitter/546

OF
Offensive Twitter
19 074 subscribers
😈 [ Toffy @toffyrak ]

I have just released my first tool: GPOHound 🚀

GPOHound is an offensive tool for dumping and analysing GPOs. It leverages BloodHound data and enriches it with insights extracted from the analysis.

Check it out here:
🔗 https://github.com/cogiceo/GPOHound

🐥 [ tweet ]
24.04.2025, 22:00
t.me/offensivetwitter/2932
24.04.2025, 22:00
t.me/offensivetwitter/2935
24.04.2025, 22:00
t.me/offensivetwitter/2934
24.04.2025, 22:00
t.me/offensivetwitter/2933
Round 3
Applications for the Pentest award 2025 are now open!

💡 Every year we light new bright bulbs in the garland of the domestic cybersecurity market: competent specialists who stay behind the scenes of the big work of finding vulnerabilities.

Participation is still free, and applications will be accepted until 30 June. This year there are new nominations from the project's sponsors: Совкомбанк Технологии and BI.ZONE Bug Bounty.

🥇 The main prize for winning is a personalised glass statuette and a MacBook!
🥈🥉 Second and third places get iPhones and smartwatches.
🎬 OFFZONE will give the finalists tickets to its 2025 conference.
✏️ And the CyberEd training centre will give grants for training.
And of course, the most valuable reward for participating is the honour and respect of the ethical hacker community.

Submit your applications on the website, take part and win!
https://t.me/justsecurity/382
#pentest_awards
23.04.2025, 20:05
t.me/offensivetwitter/2930
😈 [ R.B.C. @G3tSyst3m ]

Discovered a somewhat novel UAC bypass. Had fun learning this one. It takes advantage of machines that have the Intel ShaderCache directory installed in the appdata directory. Also uses junctions + arbitrary write, etc.

🔗 https://g3tsyst3m.github.io/uac%20bypass/Bypass-UAC-via-Intel-ShaderCache/

🐥 [ tweet ]
23.04.2025, 14:04
t.me/offensivetwitter/2929
😈 [ ippsec @ippsec ]

New video in my Hackers for Golang series: Dependency Injection. Covers why it’s crucial for clean code, with Python examples before Go. It’s complex but worth learning early. Check it out and let me know your thoughts!

🔗 https://youtu.be/BhLpqRev80s

🐥 [ tweet ]
22.04.2025, 16:06
t.me/offensivetwitter/2928
😈 [ Mr.Z @zux0x3a ]

Last night, I made myself busy and revisited some older methods for exploiting tokens in Windows applications shared by @mrd0x a couple of years ago. However, I realized that the integration of AI into applications like Notepad presents new opportunities for exploitation. This led me to write a blog post and modify a BOF to tackle the issue.
A compromised Cowriter Bearer token could be leveraged to extract potentially sensitive information.

🔗 https://0xsp.com/offensive/the-hidden-risk-compromising-notepad-cowriters-bearer-tokens/

🐥 [ tweet ]
21.04.2025, 11:06
t.me/offensivetwitter/2927
😈 [ hasherezade @hasherezade ]

Centralized resource for listing and organizing known injection techniques and POCs:

🔗 https://github.com/itaymigdal/awesome-injection

🐥 [ tweet ][ quote ]
20.04.2025, 16:31
t.me/offensivetwitter/2926
😈 [ Florian Roth ⚡️ @cyb3rops ]

Everyone knows Russian hackers don’t use VPNs. They just charge in head-first, use Russian IPs, and leave a calling card in Cyrillic.
Classic ‘на авось’ energy.

🐥 [ tweet ][ quote ]

us?
18.04.2025, 20:50
t.me/offensivetwitter/2925
18.04.2025, 12:24
t.me/offensivetwitter/2924
😈 [ Jord @0xLegacyy ]

Blog post is out, BOF coming tomorrow 🐸

🔗 https://www.legacyy.xyz/defenseevasion/windows/2025/04/16/control-flow-hijacking-via-data-pointers.html

BOF is out now, enjoy! 🐸

🔗 https://github.com/iilegacyyii/DataInject-BOF

🐥 [ tweet ][ quote ]
18.04.2025, 12:24
t.me/offensivetwitter/2923
😈 [ NetSPI @NetSPI ]

Microsoft patched critical vulnerabilities (CVE-2025-21299, CVE-2025-29809) in Q1 2025.

NetSPI research reveals Kerberos canonicalization bypasses Hyper-V isolation of credentials, compromising Windows security.

Read the full article:

🔗 https://www.netspi.com/blog/technical-blog/adversary-simulation/cve-2025-21299-cve-2025-29809-unguarding-microsoft-credential-guard/

🐥 [ tweet ]
16.04.2025, 13:37
t.me/offensivetwitter/2922
😈 [ Compass Security @compasssecurity ]

3 milliseconds to admin — Our analyst John Ostrowski turned a DLL hijacking into a reliable local privilege escalation on Windows 11. He chained opportunistic locks and API hooking to win the race to CVE-2025-24076 & CVE-2025-24994. Read his blog post:

🔗 https://blog.compass-security.com/2025/04/3-milliseconds-to-admin-mastering-dll-hijacking-and-hooking-to-win-the-race-cve-2025-24076-and-cve-2025-24994/

🐥 [ tweet ]
16.04.2025, 12:04
t.me/offensivetwitter/2921
😈 [ 0xdf @0xdf_ ]

OS Enumeration CheatSheet! I'll look at using package versions, common ports, and packet TTLs.

🔗 https://0xdf.gitlab.io/cheatsheets/os

🐥 [ tweet ]
15.04.2025, 19:26
t.me/offensivetwitter/2920
😈 [ Check Point Research @_CPResearch_ ]

Thread Execution Hijacking is one of the well-known methods that can be used to run implanted code.
In this blog we introduce a new injection method that is based on this classic technique but is much stealthier: Waiting Thread Hijacking.

Blog:
🔗 https://research.checkpoint.com/2025/waiting-thread-hijacking/

Code:
🔗 https://github.com/hasherezade/waiting_thread_hijacking

🐥 [ tweet ]
15.04.2025, 10:49
t.me/offensivetwitter/2919
😈 [ Orange Cyberdefense's SensePost Team @sensepost ]

The S is for Security. How to use WinRMS as a solid NTLM relay target, and why it’s less secure than WinRM over HTTP. By @Defte_

Writeup:
🔗 https://sensepost.com/blog/2025/is-tls-more-secure-the-winrms-case./

PR to impacket:
🔗 https://github.com/fortra/impacket/pull/1947/files

Demo:
🔗 https://youtu.be/3mG2Ouu3Umk

🐥 [ tweet ]
14.04.2025, 20:27
t.me/offensivetwitter/2918
😈 [ Alex Neff @al3x_n3ff ]

NetExec v1.4.0 has been released! 🎉

There is a HUGE number of new features and improvements, including:
- backup_operator: Automatic priv esc for backup operators
- Certificate authentication
- NFS escape to root file system

And much more!
Full rundown:

🔗 https://github.com/Pennyw0rth/NetExec/releases/tag/v1.4.0

🐥 [ tweet ]
14.04.2025, 12:23
t.me/offensivetwitter/2917
😈 [ Vector 35 @vector35 ]

We've open-sourced another core Binary Ninja feature: SCC. If you're not familiar with it, the Shellcode Compiler has been built into BN from the beginning, allowing you to build small PIE shellcode for a variety of architectures right from the UI:

🔗 https://scc.binary.ninja/
🔗 https://github.com/Vector35/scc

If you haven't seen it before, it's available under the Edit / Compile dialog.

🐥 [ tweet ]
10.04.2025, 16:28
t.me/offensivetwitter/2916
😈 [ Microsoft Threat Intelligence @MsftSecIntel ]

Microsoft has discovered post-compromise exploitation of CVE-2025-29824, a zero-day elevation of privilege vulnerability in Windows Common Log File System (CLFS), against a small number of targets.

🔗 https://www.microsoft.com/en-us/security/blog/2025/04/08/exploitation-of-clfs-zero-day-leads-to-ransomware-activity/

🐥 [ tweet ]
10.04.2025, 11:53
t.me/offensivetwitter/2915
A small example of how Certipy can be used as a library to carry out #ESC1 through the native enrollment web form /certsrv/certrqxt.asp:

🔗 https://ppn.snovvcra.sh/pentest/infrastructure/ad/ad-cs-abuse/esc1 (certrqxt2pfx[.]py)

Recently there was a fun case where a certificate had to be obtained through the Cisco SSL VPN Relay Add-On and legacy Internet Explorer, with no way to properly proxy into the target network ;)
9.04.2025, 22:56
t.me/offensivetwitter/2914
😈 [ S3cur3Th1sSh1t @ShitSecure ]

As this is public now: as an alternative to modifying AppIds to make them use the interactive user via the remote registry, you can also use a lot of existing CLSIDs which have the interactive user configured and coerce an incoming RPC authentication from logged-on users 😎

🐥 [ tweet ][ quote ]
9.04.2025, 21:30
t.me/offensivetwitter/2913
😈 [ Elad Shamir @elad_shamir ]

NTLM relay is still a major threat and is now even easier to abuse. We just added new NTLM relay edges to BloodHound to help defenders fix and attackers think in graphs.

Read my detailed post - the most comprehensive guide on NTLM relay & the new edges:

🔗 https://posts.specterops.io/the-renaissance-of-ntlm-relay-attacks-everything-you-need-to-know-abfc3677c34e

🐥 [ tweet ]
9.04.2025, 11:25
t.me/offensivetwitter/2912
😈 [ Andrew Oliveau @AndrewOliveau ]

RemoteMonologue - A Windows credential harvesting attack that leverages the Interactive User RunAs key and coerces NTLM authentications via DCOM. Remotely compromise users without moving laterally or touching LSASS.

Hope you enjoy the blog & tool drop 🤟

Blog:
🔗 https://www.ibm.com/think/x-force/remotemonologue-weaponizing-dcom-ntlm-authentication-coercions

Code:
🔗 https://github.com/xforcered/RemoteMonologue

🐥 [ tweet ]
8.04.2025, 18:25
t.me/offensivetwitter/2911
😈 [ Matt Creel @Tw1sm ]

Nothing new, but formalized some operator notes on Entra ID/Azure tradecraft I've found to be exceptionally useful on ops. Overlooked this myself for quite some time and thought others in the same boat might find it worth a read! 📖

🔗 https://medium.com/specter-ops-posts/an-operators-guide-to-device-joined-hosts-and-the-prt-cookie-bcd0db2812c4

🐥 [ tweet ]
7.04.2025, 20:17
t.me/offensivetwitter/2910
😈 [ ippsec @ippsec ]

After using Python for so long, I've been trying to switch to GoLang over the last two years just to try something new. I'm finally somewhat confident in being able to write I'd try to create a video series to help others. This is the first video:

🔗 https://youtu.be/uJFW4c4QE0U

🐥 [ tweet ]
6.04.2025, 16:13
t.me/offensivetwitter/2909
😈 [ Bobby Cooke @0xBoku ]

As promised... this is Loki Command & Control! 🧙‍♂️🔮🪄
Thanks to @d_tranman for his work done on the project and everyone else on the team for making this release happen!

🔗 https://github.com/boku7/Loki

🐥 [ tweet ]
3.04.2025, 23:25
t.me/offensivetwitter/2908
😈 [ Yehuda Smirnov @yudasm_ ]

Excited to release a tool I've been working on lately: ShareFiltrator

ShareFiltrator finds credentials exposed in SharePoint/OneDrive via the Search API (_api/search/query) and also automates mass downloading of the discovered items.

Blog:
🔗 https://blog.fndsec.net/2025/04/02/breaking-down-sharepoint-walls/

Code:
🔗 https://github.com/Friends-Security/sharefiltrator

🐥 [ tweet ]
2.04.2025, 17:16
t.me/offensivetwitter/2907
1.04.2025, 00:33
t.me/offensivetwitter/2906
😈 [ Duncan Ogilvie 🍍 @mrexodia ]

Success! Claude 3.7 with my IDA Pro MCP server managed to solve the crackme that was previously failing🦾

The trick was adding a convert_number tool and stress to always use it for conversions. It took ~7 minutes to run and the cost was $1.85. Also includes an analysis report.

🔗 https://github.com/mrexodia/ida-pro-mcp

🐥 [ tweet ]

RIP pwn-category CTFs
30.03.2025, 20:54
t.me/offensivetwitter/2905
😈 [ Oddvar Moe @Oddvarmoe ]

Many people wanted my slides from the Windows Client Privilege Escalation webinar yesterday.

Here are links to the slides and the recording of the webinar.

Slides:
🔗 https://www.slideshare.net/slideshow/windows-client-privilege-escalation-shared-pptx/277239036

Recording:
🔗 https://youtu.be/EG2Mbw2DVnU?si=rlx-GG2QMQpIxQYi

🐥 [ tweet ]
28.03.2025, 12:36
t.me/offensivetwitter/2904
😈 [ Craig Rowland - Agentless Linux Security @CraigHRowland ]

This new Linux script from THC will encrypt and obfuscate any executable or script to hide from on-disk detection:

🔗 https://github.com/hackerschoice/bincrypter

I'm going to show you how to detect it with command line tools in this thread:

🔗 https://threadreaderapp.com/thread/1905052948935377402.html

🐥 [ tweet ]
27.03.2025, 15:43
t.me/offensivetwitter/2903
😈 [ bohops @bohops ]

This ended up being a great applied research project with @d_tranman on weaponizing a technique for fileless DCOM lateral movement based on the original work of @tiraniddo. Excellent work, Dylan!

Blog:
🔗 https://www.ibm.com/think/news/fileless-lateral-movement-trapped-com-objects

PoC:
🔗 https://github.com/xforcered/ForsHops

🐥 [ tweet ][ quote ]
26.03.2025, 00:50
t.me/offensivetwitter/2902
😈 [ Wietze @Wietze ]

By making minor changes to command-line arguments, it is possible to bypass EDR/AV detections.

My research, comprising ~70 Windows executables, found that all of them were vulnerable to this, to varying degrees.

Here’s what I found and why it matters:

🔗 https://wietze.github.io/blog/bypassing-detections-with-command-line-obfuscation

🐥 [ tweet ]
24.03.2025, 14:54
t.me/offensivetwitter/2901
22.03.2025, 15:02
t.me/offensivetwitter/2900
😈 [ Daniel @0x64616e ]

You can relay a user to LDAP that has WriteDacl/GenericAll on a valuable object but you can't use ShadowCredentials? Fear no more! You can now use "gain_fullcontrol" in ntlmrelayx ldapshell to give your account control over that object.

🔗 https://github.com/fortra/impacket/pull/1927

🐥 [ tweet ]
22.03.2025, 15:02
t.me/offensivetwitter/2899
😈 [ NetSPI @NetSPI ]

Beacon Object Files (BOFs) in C2 platforms limit developers.

Read NetSPI's blog post to explore a reference design for a new BOF portable executable (PE) concept that bridges the gap between modern C++ development and memory-executable C2 integration.

🔗 https://www.netspi.com/blog/technical-blog/network-pentesting/the-future-of-beacon-object-files/

🐥 [ tweet ]
21.03.2025, 12:43
t.me/offensivetwitter/2898
FYI, this year we are partnering with three charities, «Подари Жизнь», «Улица Мира» and «Старость в радость», and all proceeds from ticket sales go to charity.

A pass to the closed part of the fest 🟰 a donation of 1.5k or more:
🔗 https://phdays.com/ru/
20.03.2025, 11:04
t.me/offensivetwitter/2897
😈 [ Bobby Cooke @0xBoku ]

Loki C2 blog drop! Thank you for all those who helped and all the support from the community. Big shoutout to @d_tranman and @chompie1337 for all their contributions to Loki C2! @IBM @IBMSecurity @XForce

🔗 https://securityintelligence.com/x-force/bypassing-windows-defender-application-control-loki-c2/

🐥 [ tweet ]
18.03.2025, 20:51
t.me/offensivetwitter/2896
😈 [ 5pider @C5pider ]

Spent some time rewriting stardust to be more minimalist and easier to use! I needed a generic minimal shellcode template that works for both x86 and x64 out of the box, so I rewrote stardust to do so.

It is now written in C++20 and utilizes some of its language features. The template can be used to easily write shellcode fast in a more modern and less painful way.
The project can be compiled in release or debug mode, whereas debug mode will just allow the use of DBG_PRINTF, which calls DbgPrint under the hood to print out strings to the currently attached debugger.

There are more things I have added, so consider checking it out. I removed global variable access since I no longer use it nor require it (went for a diff design heh). If you still need that feature I would recommend changing the branch to "globals-support" where the old version is hosted.

🔗 https://github.com/Cracked5pider/Stardust

🐥 [ tweet ]
15.03.2025, 10:16
t.me/offensivetwitter/2895
😈 [ Thomas Seigneuret @_zblurx ]

Fear no more for LDAP Signing and Channel binding with Impacket based tools 😎

🔗 https://github.com/fortra/impacket/pull/1919

🐥 [ tweet ]
14.03.2025, 17:25
t.me/offensivetwitter/2894
😈 [ Andrea Pierini @decoder_it ]

KrbRelayEx-RPC tool is out! 🎉
Intercepts ISystemActivator requests, extracts Kerberos AP-REQ & dynamic port bindings and relays the AP-REQ to access SMB shares or HTTP ADCS, all fully transparent to the victim ;)

🔗 https://github.com/decoder-it/KrbRelayEx-RPC

🐥 [ tweet ]
13.03.2025, 20:10
t.me/offensivetwitter/2893
😈 [ c0rnbread @0xC0rnbread ]

Today I'm releasing Xenon, a custom Mythic agent for Windows targets written in C.

Notable features include:
📁 Modular command/code inclusion
🦠 Malleable C2 Profile support
🪨 Compatible with Cobalt Strike BOFs

🔗 https://github.com/MythicAgents/Xenon

Blog series:
🔗 https://c0rnbread.com/creating-mythic-c2-agent-part1/

🐥 [ tweet ]
13.03.2025, 10:50
t.me/offensivetwitter/2892
😈 [ Oddvar Moe @Oddvarmoe ]

TIL, the attribute userWorkstations is still in play in modern Windows 🤯

If you set the attribute on a user to something random, the user cannot log in to the computers anymore. Need privs to adjust, but I can see potential when you want to lock someone out for a while

🐥 [ tweet ]
12.03.2025, 08:04
t.me/offensivetwitter/2890
12.03.2025, 08:04
t.me/offensivetwitter/2891
😈 [ MrAle98 @MrAle_98 ]

Hey there,

Finally published the article on the CVE-2025-21333 POC exploit.

Here is the link to the article:

🔗 https://medium.com/@ale18109800/cve-2025-21333-windows-heap-based-buffer-overflow-analysis-d1b597ae4bae

🐥 [ tweet ]
10.03.2025, 16:29
t.me/offensivetwitter/2889
😈 [ 📔 Michael Grafnetter @MGrafnetter ]

New Indicator of Compromise (IoC) by the NTLM Relay Attack with Shadow Credentials, thanks to bugs in Impacket, a popular Python implementation. Will probably be fixed in the near future.

🔗 https://www.dsinternals.com/en/indicator-of-compromise-shadow-credentials-ntlm-relay-impacket/

🐥 [ tweet ]
9.03.2025, 11:08
t.me/offensivetwitter/2888
😈 [ TrustedSec @TrustedSec ]

A Red Team engagement is a serious commitment for any org who wants to improve their security posture. In our new blog, @curi0usJack breaks down some goals of a Red Team engagement so that you can better measure its success. Read it now!

🔗 https://trustedsec.com/blog/measuring-the-success-of-your-adversary-simulations

🐥 [ tweet ]
8.03.2025, 12:23
t.me/offensivetwitter/2887
😈 [ Mayfly @M4yFly ]

New Active Directory Mindmap v2025.03! 🚀

📖 Readable version:

🔗 https://orange-cyberdefense.github.io/ocd-mindmaps/img/mindmap_ad_dark_classic_2025.03.excalidraw.svg

🔧 Now fully generated from markdown files — way easier to update and maintain!

💡 Got improvements? PRs welcome! 👇

🔗 https://github.com/Orange-Cyberdefense/ocd-mindmaps/tree/main/excalimap/mindmap/ad

🐥 [ tweet ]
6.03.2025, 20:31
t.me/offensivetwitter/2886
😈 [ T3nb3w @T3nb3w ]

🚀 New Blog & PoC: Abusing IDispatch for COM Object Access & PPL Injection

Leveraging STDFONT via IDispatch to inject into PPL processes & access LSASS. Inspired by James Forshaw's research!

Blog:
🔗 https://mohamed-fakroud.gitbook.io/red-teamings-dojo/abusing-idispatch-for-trapped-com-object-access-and-injecting-into-ppl-processes

Code:
🔗 https://github.com/T3nb3w/ComDotNetExploit

Original:
🔗 https://googleprojectzero.blogspot.com/2025/01/windows-bug-class-accessing-trapped-com.html

🐥 [ tweet ]
2.03.2025, 10:32
t.me/offensivetwitter/2885
😈 [ Synacktiv @Synacktiv ]

In our latest article, @croco_byte and @SScaum demonstrate a trick that makes Windows SMB clients fall back to WebDAV HTTP authentication, enhancing the NTLM and Kerberos relaying capabilities of multicast poisoning attacks!

🔗 https://www.synacktiv.com/publications/taking-the-relaying-capabilities-of-multicast-poisoning-to-the-next-level-tricking

🐥 [ tweet ]
2.03.2025, 09:42
t.me/offensivetwitter/2884
😈 [ S3cur3Th1sSh1t @ShitSecure ]

Bypass AMSI in 2025, my newest blog post is published 🥳! A review on what changed over the last years and what's still efficient today.

🔗 https://en.r-tec.net/r-tec-blog-bypass-amsi-in-2025.html

🐥 [ tweet ]
28.02.2025, 16:44
t.me/offensivetwitter/2883
Peace, Labour, May and PHDays 2025 (22–24 May)

The upcoming PHDays will be special: on top of all the standard goodies in the form of talks, the bar and networking with colleagues, a portion of hardcore-style material awaits you in the Offense track, where we (a.k.a. 🟥SWARM) will talk about difficult topics in offensive cybersecurity. Responsibly disclosed 0-days, non-public TTPs of advanced attackers, APT-grade tooling, real cases from projects that are impossible to keep quiet about, and much more.

Otherwise, the classics:

🤖 Forum and festival in the cyber city

🗡 Cyber battle (a.k.a. Standoff 15)

🔭 Popular science and art

👨‍🎓 Practicals and workshops

And, of course, the main thing: the battle cry for the CFP is right 🔜 here 🔙
27.02.2025, 15:10
t.me/offensivetwitter/2881
😈 [ 0SKR @saab_sec ]

❗ Blog Alert ❗

🔴 Introducing a thread hijacking ttp variant called Phantom call.
🔴 Discussion on effect of stack alignment on SIM instructions/registers.
🔴 In depth analysis of Win32 api RtlRemoteCall
🔴 Weaponizing RtlRemoteCall

🔗 https://sabotagesec.com/thread-hijacking-iceberg-deep-dive-into-phantom-call-rtlremotecall/

🐥 [ tweet ]
26.02.2025, 20:32
t.me/offensivetwitter/2880
😈 [ Rtl Dallas @RtlDallas ]

New update for Draugr! 🙂

Now supports indirect syscalls with a synthetic stack frame. I’ve removed Draugr-Strike and replaced it with Cobalt Strike's process injection kit (Thread Spoof or Early Bird) using indirect syscalls and a synthetic stack frame.

🔗 https://github.com/NtDallas/Draugr

🐥 [ tweet ]
25.02.2025, 11:10
t.me/offensivetwitter/2879
😈 [ Octoberfest7 @Octoberfest73 ]

Really cool repo I came across that reverses/reimplements LoadLibrary. Very useful to have a chart / code depicting what all happens and when

🔗 https://github.com/paskalian/WID_LoadLibrary

🐥 [ tweet ]
24.02.2025, 16:06
t.me/offensivetwitter/2878
DFS Targets & Links

So you don't have to do it like this:

🔗 https://ppn.snovvcra.sh/pentest/infrastructure/ad/post-exploitation#locate-dfs-targets

Now you can do it like this:

🔗 https://github.com/c3c/ADExplorerSnapshot.py/pull/67
23.02.2025, 20:38
t.me/offensivetwitter/2877
😈 [ Orange Cyberdefense Switzerland @orangecyberch ]

💻🛡️ In this blog post, Clément Labro explains how he developed a tool that lets you run PowerShell without the various system protections.

👉 Discover this article on our blog:

🔗 https://blog.scrt.ch/2025/02/18/reinventing-powershell-in-c-c

🐥 [ tweet ]
23.02.2025, 12:39
t.me/offensivetwitter/2876
😈 [ TrustedSec @TrustedSec ]

In our new #blog, Senior Research Analyst @codewhisperer84 unveils his new tool DIT Explorer which he created after researching NTDS.dit files on Active Directory. Read part one of this series now to find out what this tool can do!

🔗 https://trustedsec.com/blog/exploring-ntds-dit-part-1-cracking-the-surface-with-dit-explorer

🐥 [ tweet ]
21.02.2025, 12:32
t.me/offensivetwitter/2875
😈 [ Synacktiv @Synacktiv ]

In our latest article, @l4x4 revisits the secretsdump implementation, offering an alternative that avoids reg save and eliminates writing files to disk, significantly reducing the likelihood of triggering security alerts. Read the details here:

🔗 https://www.synacktiv.com/publications/lsa-secrets-revisiting-secretsdump

🐥 [ tweet ]
21.02.2025, 12:32
t.me/offensivetwitter/2874
😈 [ RedTeam Pentesting @RedTeamPT ]

🎉 We've just released 🔐 keycred 🎉

A cross-platform tool for handling Active Directory Shadow Credentials/msDS-KeyCredentialLink 🔑.

It supports UnPAC-the-Hash/PKINIT, Pass-the-Cert, Channel Binding and more 💪🚀

🔥 Get it while it's still hot! 🔥

🔗 https://github.com/RedTeamPentesting/keycred

🐥 [ tweet ]
19.02.2025, 22:22
t.me/offensivetwitter/2873
😈 [ Ellis Springe @knavesec ]

Dropping a one-off script to pull arbitrary AD attributes from ADExplorer snapshots. @0xBoku and I used this on a recent op to pull custom attributes that listed Computer objects owned by specific users so we could correlate high-value targets to systems:

🔗 https://github.com/c3c/ADExplorerSnapshot.py/pull/66

🐥 [ tweet ]
18.02.2025, 14:39
t.me/offensivetwitter/2872
😈 [ CICADA8Research @CICADA8Research ]

Hello friends! There is a lot of information about Kerberos Relay out there and it is easy to get confused! That's why we have created a small MindMap to help you understand Kerberos Relay.

You can find the PDF/HTML/PNG versions here:

🔗 https://github.com/CICADA8-Research/Penetration/tree/main/KrbRelay%20MindMap

🐥 [ tweet ]
17.02.2025, 20:06
t.me/offensivetwitter/2871
😈 [ CodeX @codex_tf2 ]

Releasing WebcamBOF📸

Webcam capture capability for Cobalt Strike as a BOF, with in-memory download options (as a file or screenshot). USB webcams supported (at least mine is)

Remind me never to use the MF API in BOFs again😭
(god i hate this codebase)

🔗 https://github.com/CodeXTF2/WebcamBOF

🐥 [ tweet ]
17.02.2025, 14:30
t.me/offensivetwitter/2870
😈 [ vx-underground @vxunderground ]

Hi,

Just wrote a keylogger that uses ONLY the Windows COM (Component Object Model). The only WINAPI functions it has are GetModuleHandleW (could be replaced with a custom implementation to remove the function invocation) and GetConsoleWindow (forwards to actual SYSCALLs, can't strip it out).

Everything else is pure suffering. It is an abomination.

I'll be releasing it later once I clean up the code. It's a cool little proof-of-concept.

What should I name this thing?

-smelly smellington

🔗 https://vx-api.gitbook.io/vx-api/my-projects/jeff-com-only-keylogger

🐥 [ tweet ]
16.02.2025, 18:52
t.me/offensivetwitter/2869
😈 [ n00py @n00py1 ]

ESC15 Manual Exploitation

🔗 https://www.mannulinux.org/2025/02/Curious-case-of-AD-CS-ESC15-vulnerable-instance-and-its-manual-exploitation.html

🐥 [ tweet ]
14.02.2025, 14:57
t.me/offensivetwitter/2868
😈 [ Chetan Nayak (Brute Ratel C4 Author) @NinjaParanoid ]

BOF Development is in full flow at Dark Vortex. Multiple new standalone BOFs have been added and ported from various open source projects to BRC4-BOF-Artillery git-repo. New ones are mentioned in the commits. More crazy updates are on the way...

🔗 https://github.com/paranoidninja/BRC4-BOF-Artillery

🐥 [ tweet ]
11.02.2025, 21:49
t.me/offensivetwitter/2867
😈 [ eversinc33 🤍🔪⋆。˚ ⋆ @eversinc33 ]

@0xBoku's recent unhooking BOF reminded me of this fun trick on how to unhook any Windows DLL without opening a handle to an on-disk file: just download it from the MS symbol server and replace it in memory :3

🔗 https://gist.github.com/eversinc33/86b4d1d71748a55efceb69a4f18f4d1d

🐥 [ tweet ]
10.02.2025, 09:41
t.me/offensivetwitter/2866
😈 [ Bobby Cooke @0xBoku ]

🔪Open-sourcing 💀StringReaper BOF!
I've had great success in engagements carving credentials out of remote process memory with this BOF

🔗 https://github.com/boku7/StringReaper

🐥 [ tweet ]
9.02.2025, 20:26
t.me/offensivetwitter/2865
😈 [ Daniel @0x64616e ]

My current understanding of Kerberos Relaying

🐥 [ tweet ]
9.02.2025, 18:49
t.me/offensivetwitter/2864
😈 [ CICADA8Research @CICADA8Research ]

Hi friends! Recently @mansk1es presented his research about LPE in AnyDesk (CVE-2024-12754). Our team developed a POC for this vulnerability 😀

Check it here:

🔗 https://github.com/CICADA8-Research/Penetration/tree/main/POCs/CVE-2024-12754

🐥 [ tweet ]
9.02.2025, 15:29
t.me/offensivetwitter/2863
😈 [ Wietze @Wietze ]

🚀 Today I'm launching ArgFuscator: an open-source platform documenting command-line obfuscation tricks AND letting you generate your own

🔥 68 executables supported out of the box - use right away, make tweaks, or create your own

👉 Now available at

🔗 http://argfuscator.net

🐥 [ tweet ]
7.02.2025, 21:04
t.me/offensivetwitter/2862
A simple implementation of ts::multirdp

https://gist.github.com/S3cur3Th1sSh1t/8294ec59d1ef38cba661697edcfacb9b

#soft #ad #pentest #redteam #dev
6.02.2025, 19:44
t.me/offensivetwitter/2861
😈 [ MANSK1ES @mansk1es ]

Check out my new blog post, "Weaponizing Background Images for Information Disclosure and LPE" where I walk through the AnyDesk vuln I found a few months ago (CVE-2024-12754/ZDI-24-1711):

🔗 https://mansk1es.gitbook.io/AnyDesk_CVE-2024-12754

🐥 [ tweet ]
6.02.2025, 15:42
t.me/offensivetwitter/2860
😈 [ RedTeam Pentesting @RedTeamPT ]

The LLMNR response name spoofing pioneered by @tiraniddo and @Synacktiv does not seem to work with mDNS & NetBIOS 😢
But guess what! It works with DNS😯

🥳 Here's the new pretender release supporting Kerberos relaying via DHCPv6-DNS-Takeover: 🎉

🔗 https://github.com/RedTeamPentesting/pretender/releases/tag/v1.3.1

🐥 [ tweet ]
5.02.2025, 20:10
t.me/offensivetwitter/2859
😈 [ ProjectDiscovery @pdiscoveryio ]

Replace request headers from your terminal with Proxify by ProjectDiscovery!

⌨️
proxify -req-mrd "replace_regex(request, 'User-Agent: .*', 'User-Agent: ')"

Check it out 👆

🐥 [ tweet ]
4.02.2025, 22:07
t.me/offensivetwitter/2858
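The header-rewrite rule above, re-implemented as an added Python example (this is not Proxify's code and does not use its rule engine) to show the caveat a practitioner hits when doing the same thing by hand: the substitution must be applied per header line, never to the whole request byte string, or it can swallow the CR of the line ending and rewrite matching text in the body behind a now-wrong Content-Length. The sample request is constructed for the demonstration.

```python
import re

# Constructed sample request (not captured traffic). The body deliberately
# contains the text "User-Agent: " so the two approaches below diverge.
SAMPLE_REQUEST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"User-Agent: Mozilla/5.0 (X11; Linux x86_64) scanner/1.0\r\n"
    b"Content-Length: 30\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"\r\n"
    b"comment=User-Agent: test-agent"
)


def naive_replace(raw: bytes, pattern: str, replacement: str) -> bytes:
    """Regex over the whole request: simple but wrong for two reasons.

    '.' does not match '\\n' but does match '\\r', so 'User-Agent: .*' swallows
    the CR of the CRLF line ending, and the pattern also rewrites matching
    text inside the body, silently invalidating Content-Length.
    """
    return re.sub(pattern.encode(), replacement.encode(), raw)


def replace_request_header(raw: bytes, pattern: str, replacement: str) -> bytes:
    """Apply a regex replacement to the header block only, one line at a time.

    Mirrors the shape of a replace_regex(request, ...) rule, but is a
    stand-alone re-implementation for illustration, not Proxify's own code.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    compiled = re.compile(pattern.encode())
    lines = [compiled.sub(replacement.encode(), line) for line in head.split(b"\r\n")]
    # sep is b"" when the request had no body, so the join is safe either way.
    return b"\r\n".join(lines) + sep + body


def header_value(raw: bytes, name: str):
    """Return the value of the first header called `name` (case-insensitive), or None."""
    head = raw.partition(b"\r\n\r\n")[0]
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        key, _, value = line.partition(b":")
        if key.strip().lower() == name.lower().encode():
            return value.strip().decode()
    return None


if __name__ == "__main__":
    rule = (r"User-Agent: .*", "User-Agent: ")
    print(replace_request_header(SAMPLE_REQUEST, *rule).decode())
    print("--- naive version (note the broken CRLF and the modified body) ---")
    print(naive_replace(SAMPLE_REQUEST, *rule).decode())
```

The per-line version keeps the body bytes and Content-Length consistent, which matters when the proxied target validates the request framing; the naive version is what you get from a one-liner over the raw bytes.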
😈 [ serioton @seriotonctf ]

Just updated my NetExec cheatsheet. Added some new commands and tweaks. It includes the commands I use when working on HackTheBox and Vulnlab machines

🔗 https://github.com/seriotonctf/cme-nxc-cheat-sheet

🐥 [ tweet ]
4.02.2025, 13:41
t.me/offensivetwitter/2857
One day I got the idea of building nothing less than my own Google. One that could be run inside a local network to find any secrets buried somewhere deep in public network shares, FTP or the web. And such a system should understand not only text files but also office documents, archives, executables, images, audio, in short anything you can think of that cannot be searched with a plain text search.
Today the Internet is unthinkable without a search engine, so why is the picture different in a local network? After all, as everyone knows, publicly accessible resources are a perennial headache for every admin, and for pentesters analysing them is too expensive in terms of time.
Developing your own Google analogue alone and in a reasonable time is no easy task. I tried approaching this problem from different angles and completely rewrote the whole system from scratch two or three times along the way. But in the end I found a very simple and elegant solution that requires almost no coding: a system built out of off-the-shelf components (GNU), easily scalable and just as easily deployable (docker). And it even understands Google dorks (opensearch).
Such a system can be equally useful to pentesters, when you have hundreds of shares in front of you, and to defenders, since it can be configured for continuous, regular crawling of all publicly accessible resources.
In the article https://habr.com/ru/companies/ussc/articles/878340/ I describe in detail the idea behind my system, its simple operating logic, as well as its setup and usage examples.
3.02.2025, 21:21
t.me/offensivetwitter/2856
😈 [ Tim Willis @itswillis ]

Two new posts from @tiraniddo today.

On reviving a memory trapping primitive from his 2021 post:

🔗 https://googleprojectzero.blogspot.com/2025/01/windows-exploitation-tricks-trapping.html

Where he shares a bug class and demonstrates how you can get a COM object trapped in a more privileged process:

🔗 https://googleprojectzero.blogspot.com/2025/01/windows-bug-class-accessing-trapped-com.html

Happy Reading! 📚

🐥 [ tweet ]
30.01.2025, 22:22
t.me/offensivetwitter/2855
😈 [ RussianPanda 🐼 @RussianPanda9xx ]

whoa whoa, easy there 👀

🐥 [ tweet ]
30.01.2025, 17:37
t.me/offensivetwitter/2854
😈 [ silentwarble @silentwarble ]

Stumbled across this. Really nicely organized anti-debugging techniques for malware dev or otherwise.

🔗 https://anti-debug.checkpoint.com/

🐥 [ tweet ]
30.01.2025, 00:28
t.me/offensivetwitter/2853
😈 [ Elastic Security Labs @elasticseclabs ]

We’re adding a new section to @elastic’s HackerOne Bounty Program! Today, we’re opening our SIEM and EDR rules for testing. We’re excited to have another way to thank our community for their efforts on our #detectionengineering. Get more details here:

🔗 https://www.elastic.co/security-labs/behavior-rule-bug-bounty

🐥 [ tweet ]

500 IQ-level bait lol
29.01.2025, 17:28
t.me/offensivetwitter/2852
😈 [ hasherezade @hasherezade ]

In case you're wondering what broke #ProcessHollowing on Windows 11 24H2, I have something for you:

🔗 https://hshrzd.wordpress.com/2025/01/27/process-hollowing-on-windows-11-24h2/

🐥 [ tweet ]
27.01.2025, 14:20
t.me/offensivetwitter/2851
😈 [ HackerRalf @hacker_ralf ]

This is a C2 I decided to write publicly. If you are interested, I hope for feedback :)

🔗 https://adaptix-framework.gitbook.io/adaptix-framework

I am fixing version 0.1 ...

🐥 [ tweet ]
26.01.2025, 23:31
t.me/offensivetwitter/2850
😈 [ Rad @rad9800 ]

Wrote a short blog post on:
- ETW Threat Intelligence generated by SetThreadContext (hardware breakpoints)
- Kernel debugging and reversing
- Setting HWBPs in a more "stealthy" manner (not the same ETW TI events generated - no detections)

Check it out:

🔗 https://www.praetorian.com/blog/etw-threat-intelligence-and-hardware-breakpoints/

🐥 [ tweet ]
26.01.2025, 11:15
t.me/offensivetwitter/2849