Crypt0-M3lon

A new blog post just dropped! If you want to know more about malicious code-signing certificate hunt go check it out! A special S/O to @securechicken and @ArielJT for the proofreading! harfanglab.io/insidethelab/h…

@Maitre_Eolas 🗣️ les gens comparent

We published our in-depth analysis of the I-Soon leak. We detail their offerings, victimology and relationships with known APT activities: harfanglab.io/en/insidethela…

🚨Our cloud incident response courses are now live, register at academy.invictus-ir.com 🎉 To celebrate we're giving away three vouchers one for each course, Like & Repost to enter the competition. 🥇 We will announce the winners next Monday

📆 20-24/03/2023 | @HS2Formation SECUSOC - Détection des incidents de sécurité 👉 lnkd.in/exCcKHRx Formateurs : Emeric Laroche - Olivier Caillault - Arthur V. #cybersecurité #CERT #SOC Contact (Tarifs- modalités) / inscription : 📞 09 74 77 43 90 / 📩 Formation@hs2.fr

Writeup for the "Autopsy" challenge of @1ns0mn1h4ck #INS23 teaser CTF Learn how to decrypt DCE/#RPC trafic in #Wireshark when #NTLMSSP authentication is used. With a dirty method, then surprisingly, with a Kerberos keytab file! Author: @Crypt0_M3lon ➡️ tipi-hack.github.io/2023/01/22/ins…

@OBenamram @MetallicHack I still have one MR to propose but works perfectly for most case 👌Thanks for merging!

@MetallicHack I'm not actively working on this any more - but it should be relatively feature complete. I'll try and merge some of these changes as long as they don't regress other usecases :)

Hi @OBenamram, are you still maintaining your Rust EVTX parser ? We made some Pull requests that could resolve some bugs we found while using it. BTW, that's a really cool tool 🙂 github.com/omerbenamram/e…

This @AGFrenchDirect is for us the opportunity to thank you all! 😘 That's why we want to give you the chance to win a Meta Quest 2 headset! To participate in this #giveaway, follow this link: gleam.io/i7PJS/giveaway… Good luck everyone! 🤘🔥

Writeup for the 'Bons baisers de Russie 1 & 2' challenge of the @BreizhCTF Key topics: #ActiveDirectory, #Kerberos, #NTLM, #ADCS, #PKINIT, #cyrillic Authors: @Crypt0_M3lon & @QuentynLemaire Thank you @kaluche_ for this funny 🇷🇺 pentest challenge 🏴‍☠️ ➡️ tipi-hack.github.io/2022/04/01/bzh…

5th place finish after a long night at the @BreizhCTF 🥱 Cheers @BoursierEtienne @cnotin @Crypt0_M3lon @dabi0ne @QuentynLemaire 👏

First CTF since a very long time! Currently @BreizhCTF with @tipi_hack

@hexacon_fr Maisons de la mutualité ?

#OSINT seems pretty in vogue these days, would you be able to find Hexacon's venue from where this picture has been taken? It might get you a special reward... #HEXACON2022

@TomB0FR @cnotin Works well for me on Win 2019, 2GB configured by GPO. Your disk is not full ?

@cnotin I have done the same, but I only miss « Overwrite events as needed » in GPO. This was set already on the eventlog but I will try to add this settings directly in GPO. I have see this limitation in eventlog security log properties: GPO set to 1GB, setting indicate only 200MB

💡 Are you monitoring Active Directory #DCSync attacks using event ID 4662? 👆 Don't forget to ensure that the required SACL on domain root is enabled! It is, by default, but an attacker with privileges high enough for DCSync could also remove it... 🤔

@cnotin 🦛

youtu.be/4P56tqkoP5E Thanks @Crypt0_M3lon

"Microsoft is aware of PetitPotam..." 😅 That name is so cute! For those who skipped their French course: it means "tiny hippo" 🇫🇷

@remiescourrou You can also try KerberosAuthentication template which should be enabled and allow Domain Controllers by default

@Crypt0_M3lon Well... now I have a doubt =D I played a little bit with the certificate templates on this lab a while ago, maybe I broke some stuff... I'll do a fresh installation tomorrow ;)

Finally finished testing it, it's quite brutal! Network access to full AD takeover... I really underestimated the impact of NTLM relay on PKI #ESC8 😱The combo with PetitPotam is awesome ! Everything is already published to quickly exploit it ...

@remiescourrou Plus specifying english template name with a french domain/ADCS works fine

@remiescourrou In our default configuration, Domain Controllers is not allowed to use workstation template, did you change something ?

I'm hiring Security Engineers in Seattle (amazon.jobs/en/jobs/143287…) and Vancouver (amazon.jobs/en/jobs/143292…). We're automating incident response @awscloud. Looking for candidates from all sorts of backgrounds. We have interesting problems and interesting people trying to solve them

I wanted to keep track of this topic and ended up writing my first public article ... if you wanna take a look it's here : link.medium.com/vqANrwrh3cb, i hope you will enjoy it.