Tholgrim

90 posts

Tholgrim banner
Tholgrim

Tholgrim

@Tholgrim

Katılım Eylül 2015
265 Takip Edilen9 Takipçiler
Two Seven One Three
Two Seven One Three@TwoSevenOneT·
@0xedgerunnr I don't have the Cortex license on hand right now 🙂‍↕️. Let's wait for the results from the other nice guys.
English
1
0
1
758
Two Seven One Three
Two Seven One Three@TwoSevenOneT·
New #redteam tool for blocking EDRs: EDRChoker Instead of fully blocking the EDR agents' connections to their server, we can throttle their bandwidth so they consistently time out when sending data, which is effectively the same as blocking but avoids triggering "block" or "drop" packet events #pentest #cybersecurity Github: TwoSevenOneT/EDRChoker
Two Seven One Three tweet mediaTwo Seven One Three tweet mediaTwo Seven One Three tweet media
English
24
180
759
116.2K
Tholgrim retweetledi
Nebula Security
Nebula Security@nebusecurity·
Introducing nginx-poolslip, a fresh RCE for the the latest nginx release 1.31.0. nginx-rift has been patched, but our security agent Vega has found a new 0 day. We will release the full technical writeup with ASLR bypass 30 days after the patch on nebusec.ai.
English
28
257
1.4K
484.2K
Tholgrim retweetledi
blackorbird
blackorbird@blackorbird·
PhantomRPC: A new privilege escalation technique in Windows RPC Below are the five distinct local privilege escalation paths demonstrated in the research, all exploiting the Windows RPC architectural flaw that allows malicious RPC servers to impersonate high-privilege clients: 1. Coerced Group Policy Service (gpsvc) → SYSTEM 2. User Interaction: Microsoft Edge → Administrator 3. Background Service: WdiSystemHost → SYSTEM 4. Local Service: ipconfig.exe → Administrator 5. Abusing Time Service: w32tm.exe → Administrator securelist.com/phantomrpc-rpc…
blackorbird tweet mediablackorbird tweet media
English
0
18
69
5.1K
Tholgrim retweetledi
Haidar
Haidar@haider_kabibo·
Another COM object for RedSun can be used to execute commands through arbitrary file write. Most COM objects that have executables as servers run as the interactive user. This means that if another COM object is used in RedSun, the shell you get will run as the low-privilege user who starts the exploit. The Storage Tiers Management Engine COM server is used in RedSun. As far as I found, it is the only COM object that runs as SYSTEM. Using it is very clever, but I think most SOCs already use it as IOC. However, I found another COM object that can be used with RedSun. It does not give SYSTEM, but it gives LOCAL SERVICE. From there, you can move to SYSTEM by abusing SeImpersonatePrivilege. The COM CLSID is: d54378cd-91d8-4e10-a00b-819f9a9efcb1, and the executable name is printfilterpipelinesvc.exe. But it needs some tricks to make it work. I will try to write a blog post soon when I will be free with all the details. For now, just keep this in mind.
Haidar tweet media
English
4
50
209
14.1K
Tholgrim retweetledi
vx-underground
vx-underground@vxunderground·
Another zero day exploit released by some nerd (can't remember name right now) because they're annoyed with Microsoft. It's been confirmed by other nerds. It is yet another legit zero day. Whew. github.com/Nightmare-Ecli…
English
86
509
4.6K
317.8K
Tholgrim retweetledi
Gi7w0rm
Gi7w0rm@Gi7w0rm·
Quck analysis of new #ToolShell payload observed by @leak_ix: Paylaod is a .dll executed in memory. Sha-256: 3461da3a2ddcced4a00f87dcd7650af48f97998a3ac9ca649d7ef3b7332bd997 It collects System Info and the sensitive machine key. Sends back in response. Single Request takeover.
Gi7w0rm tweet media
Gi7w0rm@Gi7w0rm

⚠️ New payload in the relation to #ToolShell . Attackers now don't need the static file anymore, leaking keys from memory without leaving the file. This means the existence of a file is not a reliable IoC anymore.

English
4
47
149
25.3K
Tholgrim retweetledi
Florian Roth ⚡️
Florian Roth ⚡️@cyb3rops·
Follow-up on CVE-2025-53770 (“ToolShell”) detection: The attackers used a dropper that wrote the web shell to spinstall0.aspx, but that filename isn’t required. It’s just what we’ve seen in this particular campaign. The same payload could’ve been dropped under a different name. The rules I published recently focus on traces of this specific wave of exploitation and include more tightly scoped indicators. Some parts may also match similar activity, but they’re primarily designed for high-confidence detection with minimal noise. Why that matters: With a specific rule match, you know the system is compromised. But worth pointing out: This web shell was already detectable by a generic rule written in 2021, long before any advisory was published. The rule is named: WEBSHELL_ASP_Runtime_Compile So even without any CVE-specific detection logic, systems would’ve triggered on this payload—weeks ahead of the public disclosure. Another reminder why running regular scans with up-to-date detection rules makes a real difference, even for threats no one’s named yet. #YARA #ThreatDetection #CVE202553770 #SharePoint #DFIR #ThreatIntel #WebShell
KoifSec@KoifSec

@cyb3rops @cyb3rops Do attackers MUST use the file name "spinstall0" or theoretically any name is ok?

English
4
34
142
20.8K
Tholgrim retweetledi
Unit 42
Unit 42@Unit42_Intel·
Analyzing LNK malware? Unit 42 details the structure of LNK files, then dissects overlay content execution techniques and more. Learn how attackers exploit the flexibility of this file type. bit.ly/3InIu7C
Unit 42 tweet media
English
2
49
150
9.9K
Tholgrim retweetledi
The Hacker News
The Hacker News@TheHackersNews·
🚨 New ransomware “Anubis” can encrypt your files—and then erase them forever. Even if you pay, recovery is impossible. Victims span healthcare, hospitality & more. This rare dual-threat ups the pressure to pay. Details here → thehackernews.com/2025/06/anubis…
English
10
78
192
24.7K
Tholgrim retweetledi
hasherezade
hasherezade@hasherezade·
"Going Native - Malicious Native Applications" - by Protexity: protexity.com/post/going-nat… - interesting read about using applications with Subsystem: Native for offense
English
2
55
192
13.4K
Tholgrim retweetledi
Mohit Mishra
Mohit Mishra@chessMan786·
All the sections with the explanations
Mohit Mishra tweet media
English
0
44
309
12.3K