@cookieTheft
“So WSUS with HTTPS is secure, you said? 😂” Turns out… not really. According to the excellent research by Alexander Neff and Phil Knüfer in “Using ADCS to Attack HTTPS‑Enabled WSUS Clients,” a misconfigured ADCS environment can completely undermine HTTPS‑protected WSUS.
We did a thing
Using ADCS to Attack HTTPS-Enabled WSUS Clients: @cookieTheft and I have extended the research by @Coontzy1 on WSUS attacks and explored how to leverage misconfigured ADCS templates to gain code execution on HTTPS-enabled WSUS clients. 1/2🧵
The key takeaways from this report: - Agentic AI lowers the bar for cyber attacks (we knew this) - Dramatically increases scale (we knew this) - Without a human in the loop, success rate is low (we knew this) The report itself leaves a lot to be desired from a technical
We disrupted a highly sophisticated AI-led espionage campaign. The attack targeted large tech companies, financial institutions, chemical manufacturing companies, and government agencies. We assess with high confidence that the threat actor was a Chinese state-sponsored group.
I have released an OpenGraph collector for network shares and my first blogpost at @SpecterOps on the subject! You can now visualize attack paths to network shares in BloodHound 👀 https://t.co/2e2DBIndcU
ShareHound is an OpenGraph collector for BloodHound CE and BloodHound Enterprise helping identify attack paths to network shares automatically.
"Abusing sAMAccountName Hijacking in GPP: Local Users and Groups - Cogiceo" #infosec #pentest #redteam #blueteam
https://t.co/ZP8e3FTHSZ
Raw NTFS parsing for SAM/SYSTEM/NTDS.dit access? https://t.co/EerQ3lFxlA 400 lines of PowerShell - easy peasy ❤️🔥
Until now, if you lost or broke your phone, your Signal message history was *gone,* a real challenge for everyone whose most important conversations happen in Signal. So, with careful design and development, we’re rolling out opt-in secure backups. https://t.co/dcSnXEWXXg
Opening a new chapter 📖 From tinkering with old systems to giving talks at @BlackHatEvents, it’s been a wild ride. I am thrilled to share that I’m joining @SpecterOps as a Senior Security Researcher! Time to go full-time into deep technical security research🥰
An attacker on your network is indistinguishable from IT admins. As long as this is true, attackers win. (Loosely borrowing Lambert’s list/graph quote.) Solution: tiering and clean source
That’s essentially my thesis on pentesting and low skill TA behaviors. Using known good/admin/defensive tools.
Releasing a side project of mine: wsuks - automating the WSUS mitm attack🔥 https://t.co/92D4idVy7V TL;DR: If the Windows Server Update Service (WSUS) is configured to use HTTP instead of HTTPS, it's possible to take control of any Windows machine on your local network. 1/4🧵
Use Signal. We promise, no AI clutter, no surveillance ads—whatever the rest of the industry does. We lead, we don’t follow❤️
The feature rundown of the NetExec v1.4.0 release is now live on our wiki: https://t.co/L7r4KOIGev Give them a read, there are so many great new features! Kali has updated NetExec to v1.4.0, so all the new changes are also available via apt🚀
NetExec v1.4.0 has been released! 🎉 There is a HUGE number of new features and improvements, including: - backup_operator: Automatic priv esc for backup operators - Certificate authentication - NFS escape to root file system And much more! Full rundown: https://t.co/yjaG8rgzSZ
A new module has been merged into NetExec: change-password🔥 Accounts with STATUS_PASSWORD_EXPIRED aren't a problem anymore, just reset their password. You can also abuse ForceChangePassword to reset another user's password. Made by @kriyosthearcane, @mehmetcanterman and me
You have got a valid NTLM relay but SMB and LDAP are signed, LDAPS has got Channel Binding and ESC8 is not available... What about WinRMS ? :D Blogpost: https://t.co/p2uwj2yKTQ Tool: https://t.co/zMPpwtyFir And also, big thanks to jmk (Joe Mondloch) for the collab' :D!
Together with @pavelfor, we have created the ultimate guide and tooling for configuring host-based firewalls on #ActiveDirectory domain controllers in enterprise environments. Blocks most remote command execution and authentication coercion techniques. https://t.co/85V30HTlMB
This looks off to you? Yeah... In the default configuration, NFS exposes THE ENTIRE FILE SYSTEM and not only the exported directory! This means that you can read every file on the system that is not root:root owned, e.g. /etc/shadow. But it can get even worse 1/4🧵
Smart phish via GitHub - email comes from GitHub - issue is created on repo that suspicious activity was detected and to click link to revoke access. When you click the link it's to give full permissions to that repo. If you didn't know it was an issue, might accidentally give