Rahmat Nurfauzi (@infosecn1nja)'s Twitter Profile
Rahmat Nurfauzi

@infosecn1nja

Security Researcher/Red/Purple Teaming/Adversary Simulation/Threat Hunter. Contributor to Atomic Red Team, PS Empire, ATT&CK Framework, LOLBas, and more.

ID:713707985470513152

Link: https://github.com/infosecn1nja
Joined: 26-03-2016 12:43:38

3,0K Tweets

2,5K Followers

1,3K Following

ap (@decoder_it)

'Hello: I'm your Domain Administrator and I want to authenticate against you'. My is out, check the blog post: decoder.cloud/2024/04/24/hel… 😃

Maddie Stone (@maddiestone)

🪲And the 2023 Year in Review of Zero-Days Exploited In-the-Wild is out!

This year I teamed up with Jared Semrau & James from Mandiant to write a joint report combining our expertise and providing a more holistic view on in-the-wild 0-days in 2023 🔥🧐

blog.google/technology/saf…

Adam Chester 🏴‍☠️ (@_xpn_)

New blog post is up... Identity Providers for RedTeamers. This follows my talk, and provides the technicals behind the presentation, looking at other IdP's and what techniques are effective beyond Okta. blog.xpnsec.com/identity-provi…

The DFIR Report (@TheDFIRReport)

SEO Poisoning to Domain Control: The Gootloader Saga Continues

🌟Analysis and reporting completed by Pete, mal forsec & Renzon

🎵Audio: Available on Spotify, Apple, YouTube and more!

🏹Services: thedfirreport.com/services/

📚Report: thedfirreport.com/2024/02/26/seo…

MDSec (@MDSecLabs)

Interested in sharpening your red team AD recon? Check out our latest post by Dominic Chell 👻, 'Active Directory Enumeration for Red Teams' mdsec.co.uk/2024/02/active…

Matthew (@embee_research)

A Beginner's Guide to Tracking Malware Infrastructure

New post with 11 Examples (Including Cobalt Strike and Qakbot) that you can use to query and track C2s, Open Directories and More🔥

(Special thanks to Censys 🥳)

censys.com/a-beginners-gu…

Nicolas Krassas (@Dinosn)

Attack and defend active directory using modern post exploitation adversary tradecraft activity

github.com/infosecn1nja/A…

Olaf Hartong (@olafhartong)

SOAPHound is out for walkies!

SOAPHound is a collector to enumerate AD over SOAP instead of LDAP directly.

Proud of Nikos for all his hard work!

Blog: medium.com/falconforce/so…

Tool repo: github.com/FalconForceTea…

Detections:
github.com/FalconForceTea…

Octoberfest7 (@Octoberfest73)

I'm excited to release GraphStrike, a project I completed during my internship at Red Siege Information Security. Route all of your Cobalt Strike HTTPS traffic through graph.microsoft.com.

Tool: github.com/RedSiege/Graph…
Dev blog: redsiege.com/blog/2024/01/g…

Rasta Mouse (@_RastaMouse)

Ok, pinvoke.dev is now live. A simple GitBook of code-generated P/Invoke signatures. Just C# for now, but I may add Rust and a few others in the future.

Florian Roth (@cyb3rops)

Introducing YARA-Forge ⚡️
- Streamlined Public YARA Rule Collection

Excited to share my latest project with the community just in time for Christmas! After weeks of hard work, it's finally ready 🎄🎁

Blog Post
cyb3rops.medium.com/introducing-ya…

Project Page
yarahq.github.io

The DFIR Report (@TheDFIRReport)

Let's Open(Dir) Some Presents: An Analysis of a Persistent Actor's Activity

➡️Initial Access: sqlmap, ghauri, metasploit, exploits
➡️Persistence: weevely, SharPersist
➡️C2: Sliver, Meterpreter
➡️PrivEsc: Schtasks, LinPEAS, Metasploit

and more!

thedfirreport.com/2023/12/18/let…

Brett Hawkins (@h4wkst3r)

Today I am releasing a whitepaper and new tool (ADOKit) as part of my X-Force research I will be presenting at Black Hat on Wednesday. Links are below 🔗

Whitepaper:
ibm.com/downloads/cas/…

Tool:
github.com/xforcered/ADOK…

bohops (@bohops)

[Blog] Abusing .NET Core CLR Diagnostic Features (+ CVE-2023-33127)

- Analysis of .NET diagnostic features and tradecraft
- Walkthrough of a .NET Cross-Session Local Priv Esc (LPE)
- Defensive Recommendations

bohops.com/2023/11/27/abu…

Eugene Kaspersky (@e_kaspersky)

Just released perhaps the world's most comprehensive research about Asian APT groups’ tactics, techniques and procedures.

A must read for all experts👉 kas.pr/gf1t

TrustedSec (@TrustedSec)

With initial access to an M365 account, Red Teamers can potentially find a treasure trove of sensitive information. Melvin Langvik goes over three tools (and one script) that he believes to be the modern-day Triforce for initial access. Read it now on our blog! hubs.la/Q0281CvN0

Jared Atkinson (@jaredcatkinson)

I've just released the next edition of the On Detection series. I investigate why detection rules based on Process Creation are often brittle or easily bypassed. I also provide a framework for discerning when it is appropriate and when it isn't.
posts.specterops.io/on-detection-t…

SpecterOps (@SpecterOps)

Get the scoop on a lateral movement technique within the distributed component object model (DCOM) Excel application. Raj Patel details the method in our latest blog post. ghst.ly/47esv39

Jonny Johnson (@jsecurity101)

Happy Monday! Today Darkoperator | 🇺🇦 and I are releasing a blog on adversarial LDAP tradecraft.

In this write-up we show:
- Normal LDAP queries you might see
- Common LDAP queries adversaries and red teams use
- Telemetry you can use to see these LDAP queries
- A way to get

The DFIR Report (@TheDFIRReport)

NetSupport Intrusion Results in Domain Compromise

➡️Initial Access: Zip in Email
➡️Execution: Batch scripts, NetSupport
➡️Credential Access: NTDS.dit dump, LSASS Dump
➡️Lateral Movement: RDP, SMB, wmiexec/atexec
➡️C2: NetSupport RAT, SSH Tunnel

thedfirreport.com/2023/10/30/net…
