Phil K (@the_keeb) 's Twitter Profile
Phil K

@the_keeb

Hacker, Social Engineer, Professional breaker of things

ID: 1194961544779620353

http://philkeeble.com · Joined 14-11-2019 12:53:54

232 Tweets

300 Followers

187 Following

mpgn (@mpgn_x64) 's Twitter Profile Photo

In case you want to see something cool about CrackMapExec and Responder 😌😋

1⃣ cme smb <ip> -u user -p pass --shares
2⃣ Responder -I eth0
3⃣ cme smb <ip> -u user -p pass -M slinky -o ...

Harvest ntlmv2/v1 credentials in no time if you have write access to a share 🔥

🪂
LRQA Cyber Labs (@lrqa_cyber_labs) 's Twitter Profile Photo

Introducing MalSCCM! Today, we are releasing MalSCCM, a .NET tool by Phil K which enhances PowerSCCM functionality and makes it easier to use over command and control channels. labs.nettitude.com/blog/introduci…

LRQA Cyber Labs (@lrqa_cyber_labs) 's Twitter Profile Photo

Introducing SharpWSUS! SharpWSUS is a .NET exploitation tool by Phil K, which allows red teamers to laterally move via Windows updates. It builds on existing tools to allow easy use over C2 channels. labs.nettitude.com/blog/introduci…

Chris Thompson (@_mayyhem) 's Twitter Profile Photo

Another method to coerce NTLM auth from SCCM: with access to a site's MSSQL database, the sp_CP_GenerateCCRByName stored procedure can be used to force the site's client installation account(s) and machine account to authenticate to the ADMIN$ share on a specified machine.

Volexity (@volexity) 's Twitter Profile Photo

.Volexity’s latest blog post describes in detail how a Russian APT used a new attack technique, the “Nearest Neighbor Attack”, to leverage Wi-Fi networks in close proximity to the intended target, while the attacker was halfway around the world. volexity.com/blog/2024/11/2… #dfir

Kurosh Dabbagh (@_kudaes_) 's Twitter Profile Photo

I've just released Eclipse, a PoC of what I call Activation Context Hijack. This technique redirects any application to load an arbitrary DLL, allowing code to be injected into any trusted process. More info available on GitHub. github.com/Kudaes/Eclipse

Rad (@rad9800) 's Twitter Profile Photo

It still surprises me when people use byte patching to bypass AMSI when hardware breakpoints have been around for so long. I wrote a simple standalone C library around 2 years ago (time flies) to make it easy to setup hooks with HWBPs.

Rasta Mouse (@_rastamouse) 's Twitter Profile Photo

I would actually like to release complete UDRL and SleepMask BOFs that implement call stack spoofing and indirect syscalls for all of Beacon's supported APIs. I think it would be a fun project to work on.

nyxgeek (@nyxgeek) 's Twitter Profile Photo

Fwiw, here are the steps to recreate. I have not omitted any verification texts. Images 1 & 2. Enable SMS MFA (because you should have it disabled!) only for a specific group, add your test user to that group. SMS sucks and don't wanna make your whole tenant insecure, even if

Alfie Champion (@ajpc500) 's Twitter Profile Photo

With a process that began two and a half years ago, I'm very excited to announce that I've written a book with No Starch Press! 🎉 "Practical Purple Teaming" tells you all you need to know to get started with collaborative offensive testing. nostarch.com/purple-teaming

Bobby Cooke (@0xboku) 's Twitter Profile Photo

Loki C2 blog drop! Thank you for all those who helped and all the support from the community. Big shoutout to Dylan Tran and chompie for all their contributions to Loki C2! IBM IBM Security X-Force securityintelligence.com/x-force/bypass…

CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿 (@_ethicalchaos_) 's Twitter Profile Photo

A little while ago I tweeted about a potential BOF-PE design. So here it is, a new design that includes a fully linked PE, C++ exceptions and use of the STL template library.

Bobby Cooke (@0xboku) 's Twitter Profile Photo

As promised... this is Loki Command & Control! 🧙‍♂️🔮🪄 Thanks to Dylan Tran for his work done on the project and everyone else on the team for making this release happen! github.com/boku7/Loki

Phil K (@the_keeb) 's Twitter Profile Photo

Hi Veeam® Software, I tried to disclose a potential vulnerability to the [email protected] address but I am not on the gateways allow list. Is there an alternate email I can use to discuss outside of H1?