https://twitter.com/_nwodtuhs/status/1469770310077620235

https://twitter.com/_nwodtuhs/status/1469770310077620235

Most recents (7)

🧵 (1/) Bypassing IDS DCSync Signature for #secretsdump

I’ve been asked lately to bypass a private IDS rule for #impacket’s DCSync operation and I’ve immediately remembered this Charlie’s question ⬇️

https://twitter.com/_nwodtuhs/status/1469770310077620235

🧵 (2/) The rule triggers when a bunch of SMB requests are followed by all this DRSUAPI stuff. Unlike #mimikatz or #DSInternals DCSync, the sequence of SMB+DRSUAPI traffic is unique for secretsdump[.]py attack, thus it becomes an IOC and can be fingerprinted ⬇️

🧵 (3/) The second series of the SMB requests is related to the RemoteOperations.connectSamr() call in the NTDSHashes class which is only needed to verify that’s out target is actually a DC, so it can be excluded from the attack with no consequences ⬇️

Read 6 tweets

Trend Micro Research

@TrendMicroRSRCH

LATEST NEWS: Cring #ransomware recently made headlines due to a recent attack that exploited a bug in the 11-year-old version of the Adobe ColdFusion 9 software. Follow this thread and let’s look at the techniques typically wielded by this ransomware.

👇 👇 👇 [1/5]

[2/5] #Cring ransomware gains initial access through unsecure remote desktop protocol (RDP) or through unpatched vulnerabilities.

[3/5] The threat also abuses tools such as #Mimikatz for credential access and Cobalt Strike for lateral movement. More details on how these tools are abused for ransomware attacks:
research.trendmicro.com/3hYEMkT

Read 5 tweets

🥝 Benjamin Delpy

@gentilkiwi

@jonasLyk

Q: what can you do when you have #mimikatz🥝 & some Read access on Windows system files like SYSTEM, SAM and SECURITY?

A: Local Privilege Escalation 🥳

Thank you @jonasLyk for this Read access on default Windows😘

Ho, and this is not only SAM, but also SYSTEM & SECURITY.
So you can find "interesting" data, like:
- default windows install password (can be valid, trust me 👍)
- DPAPI computer keys (decrypt all computer private keys, etc.)
- Computer Machine account (silver ticket)
- ...

Affected versions / Not affected versions on my tests today:

Read 5 tweets

SecurityGuill 🛡️🌐

@SecurityGuill

@SecurityGuill

This thread brings together all my #infographics until today (2years of work).

These are all infographics about #infosec 🔐

Feel free to share this tweet if you think it may be useful for your #community 📚

Follow me ➡ @SecurityGuill fore more about #security #hacking #news

How does an #Antivirus works?

Quick presentation of the different #Bluetooth Hacking Techniques

Read 44 tweets

Tal Be'ery

@TalBeerySec

@WEareTROOPERS

Abusing #ADFS for #GoldenSAML attack, heavily used by #Sunburst attackers.
To get context, see the fabulous '19 talk @WEareTROOPERS by @doughsec @BakedSec of @Mandiant @FireEye (the irony..)

Slides: slideshare.net/DouglasBiensto…

Decrypting #ADFS #SAML private key
Tools:
github.com/fireeye/ADFSpo…
github.com/fireeye/ADFSDu…

Read 4 tweets

Ophir Harpaz

@OphirHarpaz

@Guardicore

#Campaign in tweets - @Guardicore Labs in a new tradition; we find the attacks, you get to know them and learn the attackers' tricks and techniques. This time, let's get familiarized with "Lemon_Duck", a #cryptomining campaign involving a sophisticated #propagation tool. 🍋🦆

Before we start: all scripts, binaries and IOCs are available on our github repository. In addition, malicious IPs, attack servers and domains appear on @Guadicore Cyber Threat Intelligence portal. You're welcome to take a look :)
threatintelligence.guardicore.com/?utm_medium=or…
github.com/guardicore/lab…

Lemon_Duck starts by breaching machines over the #MSSQL service or the #SMB protocol. We'll focus on the MS-SQL flow. Once inside the machine, the attacker enables #xp_cmdshell to run shell commands. It will take only a single command line to trigger the rest of the attack.

Read 12 tweets

John Lambert

@JohnLaTwC