Octoberfest7 (@Octoberfest73)

1.2K posts

Red Team | Offensive Tool Dev | 2x Course Author @ Zero-Point Security

Joined February 2022
189 Following, 8.6K Followers

Pinned Tweet

Octoberfest7 (@Octoberfest73):
After over a year of work my second course with @_ZeroPointSec is now available! In it students will apply low level windows tradecraft in the writing of Cobalt Strike’s UDRL and Sleepmask components. To celebrate, the BOF course is 25% off thru Jan 12th! zeropointsecurity.co.uk/course/udrl-sl…
Octoberfest7 (@Octoberfest73):
@vxunderground Jeez smelly when did you become such a woke libtard, CLEARLY they accounted for this and all of the other implications before hitting the send button
vx-underground (@vxunderground):
United States President Donald J. Trump posted this message on social media today. Personal grievances the Trump administration asserts it has with other countries and political theatrics aside, the notion that the United States even hints at exiting NATO is a PROFOUND cybersecurity issue. Yes, NATO deals with traditional military stuff (land, sea, air, space); NATO also deals with things in the digital domain (cyberspace). NATO (non-United States) has historically shared a great deal of intelligence with each other regarding state-sponsored threats to the United States. Likewise, the United States has shared intelligence on state-sponsored with our NATO allies. It makes me incredibly nervous that this idea of exiting NATO is floated or threatened. The NATO cybersecurity space deals a lot with ICS/SCADA (Industrial Control Systems, which is things like water treatment plants, nuclear energy facilities, telecommunication systems, etc.) and anything else which poses a military threat to the United States and its citizens. I am unsure of the impact leaving NATO would have on our cybersecurity intelligence. The idea makes me very nervous. The United States is constantly under siege from foreign adversaries (notably China, Russia, North Korea, Iran). Additionally, I have great concern that if we left NATO it would damage our relationship with European allies, which have been of significant importance in apprehending Threat Actors who have done extreme damage to the United States. Part of the FBI's success in apprehending ransomware actors has been our strong relationship with EUROPOL, and European allies apprehending individuals residing outside the United States. Chat, this unironically makes me very nervous.
[image attached]
Octoberfest7 retweeted
klez (@KlezVirus):
[RELEASE] Better late than never! Part 3 is out! Fantastic unwind information and where to find them. We went digging through .pdata, RTF Lookups, and a few ntdll internals that probably weren't meant to be touched. BYOUD dropping alongside. Enjoy 😉 klezvirus.github.io/posts/Byoud/
Octoberfest7 (@Octoberfest73):
@HackingLZ “Hey Dave, did we interview any ransomware affiliates? Legal is asking”
Octoberfest7 (@Octoberfest73):
Companies be wildin yo. Just sat an interview where the candidate said “I don’t have a ton of experience with Cobalt Strike, but another company I interviewed with yesterday gave me one of their license keys so I could get it and do a CTF they set up”.
Rasta Mouse (@_RastaMouse):
Finally got around to playing with the Cobalt Strike REST API.
[image attached]
Octoberfest7 (@Octoberfest73):
@techspence Granted I’m out of my depth here as I’ve never submitted for one, but my perception is that AI agents are spitting out slop reports / issues and that controls around assigning CVEs have degraded. Wonder how many are legit vs just noise
Octoberfest7 retweeted
Carlos Villuendas (@carlosvillu):
Cloudflare has just resurrected an HTTP code that had been forgotten for 26 years. The 402 "Payment Required" has existed since 1999. It never had a real use case. Until now. 🧵
[image attached]
Dominic Chell 👻 (@domchell):
@Octoberfest73 @GigelV41464 The next release includes full implant call configurable stacks, CET compat, amongst other things 😉 At the moment the loader uses iat hooks to apply CET stack spoofing to any PE outputting sRDI’d
Octoberfest7 (@Octoberfest73):
@GigelV41464 @domchell So the technique extends beyond the example call stack shown / can be customized more? If so that’s awesome!
Luci (@GigelV41464):
@Octoberfest73 @domchell Much appreciated! That type of call stack does happen, although I wouldn’t say it’s very common. Since the stage 0 loader is more exposed than the main implant and only does a few API calls, I decided to expose as little of the “juice” as possible.
Tim (@__invictus_):
@Octoberfest73 yeh been there, done the 5 day web app consultancy life, definitely not for me lol
Tim (@__invictus_):
I'm just going to come out and say it; it's not a popular opinion and I'll probably regret it. I actually really enjoy reporting. There's something cathartic about getting 3+ months of notes from a RT out of my head and watching it take shape in a doc.
Octoberfest7 (@Octoberfest73):
@I_Am_Jakoby Thanks for your explanations. Can you help me understand how the binary is not an autoelevate and the chain doesn’t touch UAC, but this can still be used as a UAC bypass?
I am Jakoby (@I_Am_Jakoby):
Ok, sometimes I forget I'm talking to people that know their shit. I misspoke on the UAC/admin part; it's not an auto elevate. The chain never touches UAC because it doesn't need elevation at all. Everything runs at medium IL as a standard user. No admin token involved. The MDE angle is definitely worth looking at. It can be used as a UAC bypass, which is why I said it. Apologies, I'm used to playing down the language to make it more understandable to less technical people, while I obviously don't need to be doing that with you.
I am Jakoby (@I_Am_Jakoby):
idk I just shine at 4am 😌 Just turned in another critical to Microsoft [Feb 15th, 4:42am] - top banner. Hunt lasted about 10 hours.
DLL Sideloading via ✨Signed Binaries✨
Defender Real-Time Write Monitoring Bypass
Security Event Log Path Normalization Bypass
Process Enumeration API Blindspot
BAM Activity Tracking Failure
UAC Bypass No Administrator Privileges Required
Start Menu Search Hijacking
Credential Manager Access (NO ADMIN/NO UAC)
[image attached]
Octoberfest7 (@Octoberfest73):
@I_Am_Jakoby So it’s an auto-elevate binary that will run with the admin token (still requires user be an admin) without uac prompt and its location seems to interfere with telem gathering? Would be very interested in whether MDE’s “known DLL loaded from non-system32 dir” alert sees it
I am Jakoby (@I_Am_Jakoby):
So it's where it's put. I found a place that Microsoft essentially ignores completely. The file path makes it look like it's really in system32, so basically invisible. Event logs and forensics get corrupted. Real time monitoring means nothing. Eicar files survive here even. So it's free hidden staging that also bypasses UAC and gives admin perms. It's fuckin wild. No exclusion paths or anything like that.
Octoberfest7 (@Octoberfest73):
@I_Am_Jakoby I feel like I’m missing something still; you can copy all kinds of sys32 executables to other places and get them to side load DLLs that aren’t ref’d by full path. What exactly is the vuln here that makes this instance of what I described above different/worse/an actual bug?
I am Jakoby (@I_Am_Jakoby):
@Octoberfest73 Accurate. There is somewhere you can copy them to, "essentially", that allows you to use real signed binaries for side loading. So you can do things like credential harvesting without admin or triggering UAC.
Octoberfest7 (@Octoberfest73):
@I_Am_Jakoby Looking at the screenshot again I see that both the DLL and the exe are residing in c:\users\…\system32, so it looks more like a signed windows binary was copied out of the real system32 elsewhere?
Octoberfest7 (@Octoberfest73):
@I_Am_Jakoby I’m confused, what is the bug or exploit here? Low priv write into sys32 enabling side load? Or what
Octoberfest7 retweeted
Wietze (@Wietze):
Can LNK files ever be trusted? ⚡ My latest blog post demonstrates several new LNK abuse methods, allowing you to fully spoof the target shown in Explorer. It also introduces tools to create your own LNKs, and to detect spoofed ones yourself. 🐬 wietzebeukema.nl/blog/trust-me-…