Fabian (@testert01)'s Twitter Profile

Fabian

@testert01

ID: 702860066051989504

Joined: 25-02-2016 14:17:53

16 Tweets

94 Followers

111 Following

CODE WHITE GmbH (@codewhitesec):

Snyk Tnx for your excellent analysis at snyk.io/blog/npm-depen… and don't worry, the "malicious actor" is one of our interns 😎 who was tasked to research dependency confusion as part of our continuous attack simulations for clients. (1/2)

/ˈziːf-kɒn/ (@x33fcon):

In this talk, thefLink will outline the state of the art of implementing and hiding #offensive #tools as position independent code and how to apply key-less #polymorphism to evade #signatures. You simply can't miss it! More: x33fcon.com/#!/s/sebastian… See you in #Gdynia 🏖️😎🍹

S4ntiagoP (@s4ntiago_p):

Added a new technique to nanodump: --duplicate-local. It allows you to open a handle to LSASS with nothing but PROCESS_QUERY_LIMITED_INFORMATION. Later, you can elevate the handle by duplicating it. github.com/helpsystems/na…

CODE WHITE GmbH (@codewhitesec):

Our powerintern Fabian strikes again, teamed up with thefLink and developed SysmonEnte: a hard to detect attack on Sysmon. Check out our new blogpost: codewhitesec.blogspot.com/2022/09/attack…

CODE WHITE GmbH (@codewhitesec):

If you're into client virtualization with #QubesOS, use #KeePassXC and #rofi, our very own Tobias Neitzel has you covered with a nice frontend which makes your credential usage a little bit easier 😎 github.com/codewhitesec/q…

thefLink (@theflinkk):

Here is an ETW based POC to monitor for (some) direct and indirect syscalls. Should find multiple open source implementations trying to avoid userland hooks. github.com/thefLink/Hunt-…

thefLink (@theflinkk):

Here is a little ETW based tool to play with different IOCs by ImageLoad events. I feel like proxying Kernel32!LoadLibrary through Ntdll is a very strong IOC. :-) github.com/thefLink/Hunt-…

Fabian (@testert01):

[RELEASE] EvtPsst, a small mute tool developed by me that abuses exposed SYNCHRONIZE and Token handles in order to get a process handle to the EventLog process with more access. Blogpost on the techniques will follow in the next days. github.com/nothingspecial… #redteam

Fabian (@testert01):

[Blogpost] EvtPsst, a small EventLog process mute tool without an OpenProcess call to the EventLog process. This blog shows how to elevate a SYNCHRONIZE handle to a full process handle with a process token of EventLog. nothingspecialforu.github.io/EvtPsstBlog/ #redteam

Olaf Hartong (@olafhartong):

SOAPHound is out for walkies! SOAPHound is a #BloodHound collector to enumerate AD over SOAP instead of LDAP directly. Proud of Nikos for all his hard work! Blog: medium.com/falconforce/so… Tool repo: github.com/FalconForceTea… Detections: github.com/FalconForceTea…

5pider (@c5pider):

Modern implant design: position independent malware development. A small blog post on how to design "modern" malware with features like global variables, raw strings, and compile-time hashing. 5pider.net/blog/2024/01/2… Repo: github.com/Cracked5pider/…

CODE WHITE GmbH (@codewhitesec):

The specter of .NET Remoting haunts unsuspecting ASP.NET applications even today, whispering valid ObjRefs to those who dare listen. Dive into our latest post to see how these apparitions can lead to remote code execution: code-white.com/blog/leaking-o…

Gabriel Landau (@gabriellandau):

Introducing a new Windows vulnerability class: False File Immutability. 👉 Bonus: a kernel exploit to load unsigned drivers. elastic.co/security-labs/…

T3nb3w (@t3nb3w):

🚀 New Blog & PoC: Abusing IDispatch for COM Object Access & PPL Injection. Leveraging STDFONT via IDispatch to inject into PPL processes & access LSASS. Inspired by James Forshaw's research! 🔍 Blog: mohamed-fakroud.gitbook.io/red-teamings-d… 💻 Code: github.com/T3nb3w/ComDotN…

Fabian (@testert01):

Unconstrained Delegation on a gMSA and WebClient / NTLMv1 active on servers that can retrieve the credentials of a gMSA with unconstrained delegation can lead to a complete domain compromise from domain users. nothingspecialforu.github.io/UCgMSAExploita… Micah Van Deusen, Dirk-jan, nice tools :)