Mohamed El Azaar

378 posts


@med0x2e

RedTeamer & Security Researcher, used to be a full-stack Dev, Manga/Anime Otaku.

Dubai, United Arab Emirates · Joined March 2013
277 Following · 1.6K Followers

Pinned Tweet
Mohamed El Azaar @med0x2e
Releasing a tool(s) for patching/injecting shellcode into MS-Authenticode signed PE files without breaking the signature, used for:
* Bit/Sig Flipping PEs (EXE, DLL, Sys, etc.)
* Encrypt/Inject shellcode into PEs
* Decrypt/Load shellcode from modified but still signed PE files.

bohops @bohops
Last week, I joined the IBM @XForce Adversary Simulation team. I am excited and grateful to work with such an incredibly talented group. Cheers to new adventures!

Mohamed El Azaar @med0x2e
@r00t0v3rr1d3 Well, a NUC then, but it is only the payload part anyway, and it is usually a matter of preference; sticking with Intel Macs has a lot of downsides these days…

Chris Shields @r00t0v3rr1d3
@med0x2e I didn’t include the “cloud” in my previous statement, but again, you are using another “computer” as a solution. And I’m certainly not putting payloads of mine that need testing in an Azure VM.

Mohamed El Azaar @med0x2e
Anyone (Red Team) managed to fully migrate to Mac M1/2/3 and figured out workarounds for all the x86 stuff needed to run tools or test malware targeted for x86 (e.g. x86 emulation on Win11 ARM)? Wondering how often one needs to switch to Intel devices if needed, and what to account for.

Mohamed El Azaar @med0x2e
@r00t0v3rr1d3 Not all VMs need to be on Intel devices. Did some initial testing with ARM VMs and they are good enough for most RT work; I found Win11 (ARM) x86 emulation surprisingly good. The exception here is x86/64 payload testing; an Azure Win VM should cover that.

Chris Shields @r00t0v3rr1d3
@med0x2e I love how everyone’s solution is to use another computer or separate server hardware. Don’t get me wrong, love the home lab scene, but I’m also not going to spend “Apple money” on something to browse the web or console into the VMs on a server. If it MUST be a Mac, Intel only.

Mohamed El Azaar retweeted
simo @_simo36
I've audited the Android kernel in late 2023, and reported 10+ kernel bugs to Google, along with 2 exploits. Today, I'm releasing the first exploit, targeting the Mali GPU on Pixel devices, accessible from an untrusted_app context. github.com/0x36/Pixel_GPU…

Mohamed El Azaar @med0x2e
“Revolutionary” is abused to the extent it has become meaningless these days. Any app is dubbed revolutionary by marketing/sales, lies upon lies, seriously!! I hate stupid ads. If you hear “Revolutionary”, expect BS.

Mohamed El Azaar @med0x2e
@C5pider Great work Paul :). Also switched to PIC instead of PE loaders 2 years ago and have been wondering ever since if it is only me or I’m doing something wrong…

bohops @bohops
👀

mRr3b00t @UK_Daniel_Card
APT 41 / BARIUM known to run "whoami.exe", also launched via wmiexec (HOW DARE THEY!). Better tell them they would be fired from a red team; I'm sure they will cry about that.... /S Our industry is very odd.....

Dominic Chell 👻 @domchell
It's mental how MS legitimately use domains that they allow their Azure customers to register hosts on... how is anyone supposed to spot what's malicious C2/phishing and what's not? 🤯

Arun @dazzyddos
Hey my infosec pals! Just wondering, if cybersecurity wasn’t a thing, or if you had to bounce from it someday, what other gig do you think you’d be rocking?

Mohamed El Azaar @med0x2e
@rad9800 Real APTs have time & resources on their side; they are not bound to 4/8 weeks of time for both preparation and execution. As long as that is true, IMO their tools will always be more advanced (e.g. DoublePulsar).

Mohamed El Azaar @med0x2e
It seems MS decided to just fix/patch all the `Forced/Coerced` Auth primitives on Windows 11. Anyone else ended up with a similar conclusion? Obviously after trying all the tools/methods.

Mohamed El Azaar @med0x2e
@an0n_r0 Nice work. I remember making it work a few years back when DInvoke was released; I can’t seem to find that piece of code though, but I remember it was messy. Your approach is much cleaner (ILMerge).

an0n @an0n_r0
Built a special JS stager for Cobalt Strike (or for anything else). Actually it is based on C# .NET, and it is super simple (full source is on the screenshot) because it uses the PE mapper from DInvoke. Currently managed to bypass Defender. Sharing some details in this thread.

Mohamed El Azaar retweeted
an0n @an0n_r0
What worked for me after a long trial and error process: used ILMerge for linking the SimpleStager.exe and DInvoke.dll assemblies together. github.com/dotnet/ILMerge Other solutions (Costura Fody or ConfuserEx compressor) were failing in the GadgetToJScript deserialization phase.

Mor Davidovich @dec0ne
Introducing DavRelayUp - A port of #KrbRelayUp with modifications to allow for NTLM relay from WebDAV to LDAP and abuse #RBCD in order to achieve #LPE in domain-joined Windows workstations where LDAP signing is not enforced. Demo in second tweet. github.com/Dec0ne/DavRela…