SV1 (@0xsv1)'s Twitter Profile
SV1

@0xsv1

Detection engineer. 5H3LL member. Voice on @5H3LLCAST @ spoti.fi/3c30gci.

ID: 1221426527184859140

Joined: 26-01-2020 13:36:02

487 Tweets

601 Followers

301 Following

Elliot (@elliotkillick)

I found out "C:\Windows\System32\WorkFolders.exe" (signed by MS) can be used to run arbitrary executables in the current working directory with the name control.exe. It's like a new rundll32.exe #lolbin but for EXEs!

S3cur3Th1sSh1t (@shitsecure)

Pentest/Red-Team tip: Never trust BH information if you didn't enumerate it with an administrative user. Session info is not complete, and local group information may be missing. Low-priv users cannot enumerate that anymore on updated systems. 🧐

Melvin Langvik (@flangvik)

🚨Backdoored 'UAC bypass repo' going hot on LinkedIn 🤡Extension spoofing + simple .scr C# loader dropping payload. Credits to SV1 for the finding, don't run random shit!🥵

S3cur3Th1sSh1t (@shitsecure)

Today I needed to decrypt Veeam stored credentials. As existing tooling failed and/or manual decryption for a lot of passwords was too much effort, I wrote a small assembly to do the whole job: github.com/S3cur3Th1sSh1t…

Mr.Un1k0d3r (@mrun1k0d3r)

.NET apps can be used to load DLLs using a .config file. Here is a list of signed Microsoft exes that can be used to get your code executed within a signed binary. github.com/Mr-Un1k0d3r/.N… Nothing new but quite useful against EDRs. #redteam

SpecterOps (@specterops)

How does MS Exchange on-premises compromise Active Directory? Check out Jonas Bülow Knudsen's latest blog to learn what permissions Exchange has in AD that an attacker can abuse to compromise the domain & what organizations can do to prevent that. ghst.ly/3x551kd

Danielle Aminov (@aminovdanielle)

I've been looking into how the xz backdoor works and drew this sketch to make it easier to understand. I'll update it as new information comes to light ✨

Anton (@antonlovesdnb)

Just finished recording the videos for the newest Constructing Defense modules - the course initially launched with 6 hours of video which is now at about 9 hours. Also, since launch, I've added Terraform support and 8 new modules. Damn good deal for $150. Seriously thinking

CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿 (@_ethicalchaos_)

Well, the cat is out of the bag. If you are interested in all things authentication and passkeys, my talk on Okta Verify might be of interest: pretalx.com/bsides-cymru-2…

S3cur3Th1sSh1t (@shitsecure)

The Todos and basically everything can also be done later on from home or work as code snippets and descriptions are now publicly available here: github.com/rtecCyberSec/P… 🙌🔥

Melvin Langvik (@flangvik)

This upcoming Sunday stream, Olaf Hartong will be joining me to showcase the FalconHound project! Tips and tricks, live demo, and maybe even leak some upcoming features? 👀 Tune in at 5PM UTC 👏 twitch.tv/flangvik/

Luke Jennings (@jukelennings)

I wrote a blog post on the many defense mechanisms phishing kits are using to avoid discovery and analysis now. I used a recent instance of NakedPages and cover 9 different techniques, including Cloudflare Workers and Turnstile abuse. IOCs included. pushsecurity.com/blog/how-aitm-…

Fabian Bader (@fabian_bader)

| where IsInitiatingProcessRemoteSession == "True"

This is really helpful for detections and of course to track an adversary. #XDR #MDE techcommunity.microsoft.com/t5/microsoft-d…

sigma (@sigma_hq)

While SigmaHQ had rules for Outlook Today/Home page abuse (persistence related), the recent Specula blog from TrustedSec revealed some new information that helped us update those rules. Thanks to David Bertho & SV1's contribution, we've updated the rule to increase the coverage.

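An added worked example, written for this page and not taken from any of the tweets above nor from the SigmaHQ or TrustedSec projects: a minimal Sigma-style matcher in Python that expresses two detections in the selection/filter/condition shape Sigma rules use and runs them over constructed, Sysmon-like sample events. The first rule covers the WorkFolders.exe behaviour Elliot describes above (control.exe launched by WorkFolders.exe from somewhere other than its normal location); the second covers the Outlook Today/Home page persistence the SigmaHQ tweet refers to. The event field names, the two directories treated as legitimate for control.exe (System32 and SysWOW64), and the registry locations (Outlook\WebView\...\URL and Outlook\Today\UserDefinedUrl) are assumptions based on the publicly documented techniques, not facts taken from this page; check them against the current SigmaHQ rules before relying on them.

```python
"""Sigma-style matcher (added example; not SigmaHQ code) with two rules.

Rule shape: each named block under "detection" maps "Field" or
"Field|modifier" to a value or a list of values (list = OR, fields within
a block = AND); "condition" names the blocks that must all match and the
blocks that must not. Matching is case-insensitive, as in Sigma.
"""

# Constructed, Sysmon-like sample telemetry (not real logs). Field names
# are assumptions; adjust them to the log source you actually ingest.
EVENTS = [
    {"EventType": "ProcessCreate",
     "ParentImage": "C:\\Windows\\System32\\WorkFolders.exe",
     "Image": "C:\\Users\\bob\\Downloads\\control.exe"},          # suspicious
    {"EventType": "ProcessCreate",
     "ParentImage": "C:\\Windows\\System32\\WorkFolders.exe",
     "Image": "C:\\Windows\\System32\\control.exe"},              # benign
    {"EventType": "ProcessCreate",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\control.exe"},              # benign
    {"EventType": "RegistrySet",
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Office\\16.0\\Outlook\\WebView\\Inbox\\URL",
     "Details": "http://attacker.example/home.html"},           # suspicious
    {"EventType": "RegistrySet",
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Office\\16.0\\Outlook\\Today\\UserDefinedUrl",
     "Details": "http://attacker.example/today.html"},          # suspicious
    {"EventType": "RegistrySet",
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Office\\16.0\\Outlook\\Preferences\\Foo",
     "Details": "1"},                                           # benign
]

WORKFOLDERS_RULE = {
    "title": "WorkFolders.exe spawning control.exe outside System32",
    "detection": {
        "selection": {
            "EventType": "ProcessCreate",
            "ParentImage|endswith": "\\WorkFolders.exe",
            "Image|endswith": "\\control.exe",
        },
        # Assumed legitimate locations of control.exe; anything else is a hit.
        "filter_legit": {
            "Image|startswith": ["C:\\Windows\\System32\\", "C:\\Windows\\SysWOW64\\"],
        },
    },
    "condition": {"all_of": ["selection"], "none_of": ["filter_legit"]},
}

OUTLOOK_RULE = {
    "title": "Outlook Home Page / Today page URL set (persistence)",
    "detection": {
        "selection": {
            "EventType": "RegistrySet",
            "TargetObject|contains": "\\Software\\Microsoft\\Office\\",
        },
        # Assumed key paths and value names used by the technique.
        "keys": {"TargetObject|contains": ["\\Outlook\\WebView\\", "\\Outlook\\Today\\"]},
        "values": {"TargetObject|endswith": ["\\URL", "\\UserDefinedUrl"]},
    },
    "condition": {"all_of": ["selection", "keys", "values"]},
}

RULES = [WORKFOLDERS_RULE, OUTLOOK_RULE]


def _field_matches(event, spec, wanted):
    """Apply one 'Field|modifier' test; a list of values is an OR."""
    field, _, modifier = spec.partition("|")
    actual = event.get(field)
    if actual is None:
        return False
    actual = str(actual).lower()
    for value in (wanted if isinstance(wanted, list) else [wanted]):
        value = str(value).lower()
        if modifier == "endswith" and actual.endswith(value):
            return True
        if modifier == "startswith" and actual.startswith(value):
            return True
        if modifier == "contains" and value in actual:
            return True
        if modifier == "" and actual == value:
            return True
    return False


def _block_matches(event, block):
    """Every field test in a selection/filter block must pass (AND)."""
    return all(_field_matches(event, spec, wanted) for spec, wanted in block.items())


def rule_matches(event, rule):
    """True when all 'all_of' blocks match and no 'none_of' block matches."""
    detection, condition = rule["detection"], rule["condition"]
    if not all(_block_matches(event, detection[name]) for name in condition["all_of"]):
        return False
    return not any(_block_matches(event, detection[name]) for name in condition.get("none_of", []))


def run(events, rules):
    """Return (rule title, event) pairs for every rule/event hit, in event order."""
    return [(rule["title"], event) for event in events for rule in rules if rule_matches(event, rule)]


if __name__ == "__main__":
    for title, event in run(EVENTS, RULES):
        print(f"[{title}] {event.get('Image') or event.get('TargetObject')}")
```

Run stand-alone it reports three hits: the control.exe launched from a Downloads folder and the two Outlook registry writes; the control.exe from System32 is suppressed by the filter block, which is the same selection-minus-filter structure a real Sigma rule would use to keep the benign WorkFolders.exe launches out of the alert queue.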