an0n (@an0n_r0)

CRT(E|O|L) | OSCP | @RingZer0_CTF 1st (for 2yrs) | HackTheBox Top10 | RPISEC MBE | Flare-On completer | GoogleCTF writeup winner | SSD research | Math MSc |🇭🇺

ID:1054426518062055424

https://github.com/tothi | 22-10-2018 17:37:27

1,6K Tweets

11,4K Followers

718 Following

Chris Thompson (@_Mayyhem)

I wrote a script to identify every TAKEOVER and ELEVATE attack in Misconfiguration Manager that can be run with Read-only Analyst privileges or higher in SCCM. Please share with your IT admins, defenders, clients, assessors, and friends in infosec!
posts.specterops.io/rooting-out-ri…

zh4ck (@zh4ck)

🔥Please enjoy and share my personal blog post discussing why personal/commercial VPN services are the homeopathic medicines of the tech industry
…wardslashwwwdotzoltanbalazsdotcom.com/2024/03/01/VPN…

Feel free to comment here

blasty (@bl4sty)

the xz sshd backdoor rabbithole goes quite a bit deeper. I was just able to trigger some harder to reach functionality of the backdoor. there's still more to explore.. 1/n

IAMERICA (@EricaZelic)

Hey hacker family,

I'm looking for a Hack The Box 'er who wants a pentesting role (to start), who likes exploiting Active Directory configurations, and wants to learn MS Cloud. This is to backfill my current role at Polito and provide coverage for my skills specialties.

If…

David Weston (DWIZZZLE) (@dwizzzleMSFT)

New Google Chrome Blog: blog.chromium.org/2024/04/fighti…

Windows 11 VBS and TPM defaults are used by Chrome to prevent cookie theft.

'Chrome will use facilities such as Trusted Platform Modules (TPMs) for key protection, which are becoming more commonplace and are required for…

Thomas Roccia 🤘 (@fr0gger_)

🤯 The level of sophistication of the XZ attack is very impressive! I tried to make sense of the analysis in a single page (which was quite complicated)!

I hope it helps to make sense of the information out there. Please treat the information 'as is' while the analysis…

an0n (@an0n_r0)

I think it is safe to say that this backdoor has been discovered totally by chance.

Now the question is straightforward:

What else is out there we haven't caught yet and for how long?

vx-underground (@vxunderground)

The xz situation is absolutely insane and almost certainly state sponsored.

This is an excellent example of a widely used software being maintained by basically one person.

Read this web article and then frown and become sad.

boehs.org/node/everythin…

Mayfly (@M4yFly)

New lab 🏰 for the GOAD project 🥳: SCCM
You can now test the SCCM/MECM attacks locally on Virtualbox or Vmware.

More information here:
mayfly277.github.io/posts/SCCM-LAB…

Repository here : github.com/Orange-Cyberde…

Thx again Kenji Endo for your help to building this !

Melvin langvik (@Flangvik)

List is complete😂 Thanks to all who joined live! I had a blast, and I hope you all did too🥳 Next week, same time, I'm apparently doing an EDR tier list... 🤡If u missed it, VOD is here: youtu.be/iYKItfBbPoY

Chris Thompson (@_Mayyhem)

I'm pumped to announce the release of Misconfiguration Manager, a knowledge base and how-to for both offensive and defensive SCCM attack path management, that Duane Michael, Garrett, and I have been working on! Check it out and let us know what you think! posts.specterops.io/misconfigurati…

an0n (@an0n_r0)

here is why putting a wildcard file mask (or anything else) to Defender exclusion list is a super bad idea. extension does not matter, it can be executed. so even if it is domain controlled (meaning Defender cannot be modified locally), as a local admin it is trivial to bypass.

an0n (@an0n_r0)

here is my successful fight against Defender tonight in one screenshot. not going to comment on it, let's see how long it survives. :) cc Melvin langvik

SEKTOR7 Institute (@SEKTOR7net)

Wondering what telemetry an EDR collects?

Wonder no more! Kostas and Alex Teixeira run an EDR Telemetry Project, covering all major EDRs:

'The main goal of the EDR Telemetry project is to encourage EDR vendors to be more transparent about the telemetry they provide'.

Blog:…

Grzegorz Tworek (@0gtweet)

Eliminate huge part of lateral movement scenarios with one command: 'reg.exe add HKLM\SYSTEM\CurrentControlSet\Control /v DisableRemoteScmEndpoints /t REG_DWORD /d 1'
It will make Service Control Manager deaf to remote management. Everything else works properly.
