Dominic Chell 👻
Just your friendly neighbourhood red teamer @MDSecLabs | Creator of /r/redteamsec | https://t.co/3k3EBAZqGd | https://t.co/KwO2OwDOkl
Sep 26, 2023 10 tweets 3 min read
Spent some time refreshing my memory on ETW TI tonight. As a red teamer it's really important to get a good understanding of what the defenders/EDRs can see. Using the excellent Havoc as an example, let's have a peek... Firstly, to capture the ETW TI telemetry, I used a neat little project that logs the THREATINT tasks to the system event log: github.com/pathtofile/Sea…
Mar 15, 2023 11 tweets 6 min read
As auth coercion is blowing up due to #cve-2023-23397, I've put together a quick thread about how we at @MDSecLabs have been leveraging these techniques in our red team engagements for quite some time. It's timely, but I presented much of this at @FiestaCon_RT last week 🧵 Traditionally, if you wanted to abuse SMB auth coercion during a red team & over a C2, you were somewhat limited. It was however achievable using a mix of portbender, rportfwd and socks. The main limitations were admin rights, dropping a driver and opsec of increased C2
Mar 14, 2023 6 tweets 2 min read
Here's some further details on how to exploit CVE-2023-23397 in Outlook; it's a pretty interesting one and incredibly easy to exploit... Just confirmed that this works nicely over WebDAV - Microsoft's mitigation of blocking outbound 445 is insufficient, you can exploit this on any port as long as WebClient is running
Mar 22, 2022 5 tweets 2 min read
Good red teams will blend in with the noise. ETW is a sweet resource for finding out what noise looks like. Here I'm using @FuzzySec's SilkETW to hunt for surrogate processes for hosting my AD post-ex... I see you taskhostw.exe & winword.exe. Wanna know which processes make HTTPS connections for your egress beacons? Microsoft-Windows-WinHttp got your back...
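The "which processes use WinHttp" hunt above, as an added example (this is not the author's SilkETW workflow, and SilkETW is not used here): a PowerShell script that starts a short Microsoft-Windows-WinHttp trace with logman, parses the resulting .etl with Get-WinEvent, and tallies events per originating process. The session name, output path and capture window are arbitrary choices for this example; it assumes an elevated prompt on Windows 10/Server 2016 or later.

```powershell
# Added example (not from the original thread): capture Microsoft-Windows-WinHttp ETW
# events for a short window and tally which processes issued WinHttp requests.
# Assumptions: run as Administrator (ETW sessions require it), logman.exe and
# Get-WinEvent are available, and the output path below is writable.
param(
    [int]$Seconds = 60,                              # capture window, example value
    [string]$Etl  = "$env:TEMP\winhttp_noise.etl"    # assumed output path
)

$session  = 'WinHttpNoise'                  # arbitrary session name for this example
$provider = 'Microsoft-Windows-WinHttp'

# Create and start a file-backed trace session in one step (-ets), all keywords,
# verbose level 5, so every WinHttp request/connect event is recorded.
& logman.exe create trace $session -p $provider 0xFFFFFFFFFFFFFFFF 5 -o $Etl -ets | Out-Null
if ($LASTEXITCODE -ne 0) { throw "logman failed to start session '$session'" }

try {
    Start-Sleep -Seconds $Seconds           # let normal user/system activity generate noise
}
finally {
    & logman.exe stop $session -ets | Out-Null
}

# Snapshot PID -> image name now. Processes that exited during the capture cannot be
# resolved this way and are shown as '?'; a longer capture needs process-start events too.
$names = @{}
Get-Process | ForEach-Object { $names[$_.Id] = $_.ProcessName }

# Parse the .etl and count events per originating process (ProcessId comes from the
# ETW event header, so it is reliable even when the message body is not rendered).
$report = Get-WinEvent -Path $Etl -Oldest |
    Group-Object -Property ProcessId |
    Sort-Object -Property Count -Descending |
    ForEach-Object {
        $procId = [int]$_.Name
        $name   = if ($names.ContainsKey($procId)) { $names[$procId] } else { '?' }
        [pscustomobject]@{
            ProcessId = $procId
            Process   = $name
            Events    = $_.Count
            # First rendered message gives a hint of what the process was doing;
            # it is empty if the provider manifest cannot render the event.
            Sample    = (($_.Group | Select-Object -First 1).Message -replace '\s+', ' ')
        }
    }

$report | Format-Table -AutoSize
```

Run it during ordinary working hours on a representative workstation; the processes at the top of the table are the ones whose WinHttp traffic a defender already expects to see, which is what makes them candidates for hosting egress.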
Dec 22, 2021 25 tweets 10 min read
I didn’t particularly want to name and shame the infosec person who stole $2k from me so tried to give him one last opp to return the money, instead he took to insulting and threatening me. However, I’m concerned about other ppl being scammed... ...as such it’s only right that anyone who is considering taking @ninjaparanoid’s training know what they might have to deal with. It would be unfair to make such an accusation without proof, so I’ve provided evidence below.