Ricardo Ruiz (@ricardojoserf) 's Twitter Profile
Ricardo Ruiz

@ricardojoserf

Out of service

ID: 372405870

Link: https://github.com/ricardojoserf
Joined: 12-09-2011 18:23:22

1,1K Tweets

422 Followers

237 Following

Ricardo Ruiz (@ricardojoserf):

Today I made public NativeBypassCredGuard, a tool to bypass Credential Guard by patching WDigest.dll using only NTAPI functions: github.com/ricardojoserf/… #redteam #blueteam #offsec

Ricardo Ruiz (@ricardojoserf):

After reading Rasta Mouse's blog post about Crystal (rastamouse.me/crystal-malwar…) I created CrystalDump, a port of NativeDump written entirely in Crystal, designed to dump lsass using only NTAPI functions - github.com/ricardojoserf/… #redteam #offsec #cybersecurity

Florian Hansemann (@cyberwarship):

"GitHub - ricardojoserf/NativeBypassCredGuard: Bypass Credential Guard by patching WDigest.dll using only NTAPI functions" #infosec #pentest #redteam #blueteam github.com/ricardojoserf/…

Ricardo Ruiz (@ricardojoserf):

Last week I made public NativeTokenImpersonate, a tool to impersonate users by stealing their tokens using only NTAPI functions. Check it out here: github.com/ricardojoserf/… #redteam #blueteam #offsec

Binni Shah (@binitamshah):

NativeTokenImpersonate - a tool to impersonate users by stealing their tokens using only NTAPI functions: ricardojoserf.github.io/nativetokenimp… Impersonate Tokens using only NTAPI functions: github.com/ricardojoserf/… credits Ricardo Ruiz

Panos Gkatziroulis 🦄 (@netbiosx):

NimDump is a port of NativeDump written in Nim, designed to dump the LSASS process using only NTAPI functions github.com/ricardojoserf/…

Dave Kennedy (@hackingdave):

This is sweet, nimdump - dumping LSASS using only NTAPI functions (written in nim): NtOpenProcessToken, NtAdjustPrivilegesToken, NtGetNextProcess, NtQueryInformationProcess, RtlGetVersion, NtReadVirtualMemory, NtQueryInformationProcess, NtQueryVirtualMemory,

Ricardo Ruiz (@ricardojoserf):

I wrote a short post about how you only need the NtReadVirtualMemory address for dynamic API resolution, plus how you could use a vulnerable binary to leak its address (and you would not have GetProcAddress, GetModuleHandle or LoadLibrary in the IAT) - github.com/ricardojoserf/…

Ricardo Ruiz (@ricardojoserf):

I got RCE in AWS! Amazon MWAA was offering 8 versions of Apache Airflow, of which 6 were vulnerable to CVE-2024-39877 (SSTI leading to RCE). Writeup and PoC: github.com/ricardojoserf/…