From 43aab42c3b137cd3991dd5e0317af7e3785b9b82 Mon Sep 17 00:00:00 2001 From: r1cksec <77610058+r1cksec@users.noreply.github.com> Date: Fri, 23 Feb 2024 23:03:43 +0100 Subject: [PATCH] More cheatsheets --- api/censys.md | 5 ++++ linux/dig.md | 5 ++++ linux/dnsx.md | 2 +- linux/droopescan.md | 5 ++++ linux/fish.md | 10 ++++++++ linux/git.md | 9 ++++--- linux/gitfive.md | 5 ++++ linux/guestfist.md | 12 +++++++++ linux/guestmount.md | 12 ++++++++- linux/hashcat.md | 1 + linux/john.md | 16 ++++++------ linux/jq.md | 31 +++-------------------- linux/openssl.md | 5 ++++ linux/qubes.md | 45 +++++++++++++++++++++++++++++++++ linux/sed.md | 4 +-- {linux => other}/pivot.md | 7 +++++- other/pivoting.md | 37 --------------------------- theorie/recon-methodology.md | 8 +----- url/git-tools | 33 +++++++++++++++++++++++++ url/osint.md | 2 +- url/services.md | 8 ++++-- url/tagged-urls.md | 48 +++++++++++++++++++----------------- 22 files changed, 197 insertions(+), 113 deletions(-) create mode 100644 linux/guestfist.md create mode 100644 linux/qubes.md rename {linux => other}/pivot.md (84%) delete mode 100644 other/pivoting.md diff --git a/api/censys.md b/api/censys.md index 60bad14..38a0873 100644 --- a/api/censys.md +++ b/api/censys.md @@ -2,6 +2,11 @@ https://search.censys.io/api https://search.censys.io/search/definitions +### API key +``` +echo "ApiId:Secret" | base64 +``` + ### Return details about current subscription ``` curl -s "https://search.censys.io/api/v1/account" -H "accept: application/json" -H "Authorization: Basic " diff --git a/linux/dig.md b/linux/dig.md index 639abd2..568c953 100644 --- a/linux/dig.md +++ b/linux/dig.md @@ -1,3 +1,8 @@ +### Resolve domain using specific DNS server and TCP +``` +dig +tcp @ +``` + ### Get nameserver ``` dig +short NS diff --git a/linux/dnsx.md b/linux/dnsx.md index 1a6d590..20e0241 100644 --- a/linux/dnsx.md +++ b/linux/dnsx.md @@ -3,7 +3,7 @@ https://github.com/projectdiscovery/dnsx ### Resolve domains to ipv4 from file ``` -dnsx -a -l +dnsx -silent -a -resp -l ``` ### Get asn of domain diff --git a/linux/droopescan.md b/linux/droopescan.md index a096f43..0e49d0f 100644 --- a/linux/droopescan.md +++ b/linux/droopescan.md @@ -1,6 +1,11 @@ ### Source https://github.com/SamJoan/droopescan +### Install +``` +pipx install droopescan +``` + ### Scan drupal plugins (alternative joomla or moodle), -t threads ``` droopescan scan drupal -u http:// -t diff --git a/linux/fish.md b/linux/fish.md index c601846..016ba75 100644 --- a/linux/fish.md +++ b/linux/fish.md @@ -18,3 +18,13 @@ history -t -R set -x varName "content" ``` +### Delete word to the right +``` +Alt + d +``` + +### Delete word to the left +``` +CTRL + w +``` + diff --git a/linux/git.md b/linux/git.md index 0b2d7ff..245fa2a 100644 --- a/linux/git.md +++ b/linux/git.md @@ -4,14 +4,14 @@ git config user.name "r1cksec" git config user.email "77610058+r1cksec@users.noreply.github.com" ``` -### Sign files with given key +### List config of current repository ``` -git config --global commit.gpgsign true +git config --list --local ``` -### List config of current repository +### Sign files with given key ``` -git config --list --local +git config --global commit.gpgsign true ``` ### Show available tags @@ -89,3 +89,4 @@ git config --global --unset http.proxy ### Generate access token * https://docs.github.com/en/github/authenticating-to-github/creating-a-personal-access-token + diff --git a/linux/gitfive.md b/linux/gitfive.md index 313ab10..982fec1 100644 --- a/linux/gitfive.md +++ b/linux/gitfive.md @@ -6,3 +6,8 @@ https://github.com/mxrch/gitfive gitfive emails ``` +### Grep github account names from results +``` +cat | grep "@" | grep -v "@@\|@mxrchreborn" | cut -d "@" -f 3 | cut -d " " -f 1 +``` + diff --git a/linux/guestfist.md b/linux/guestfist.md new file mode 100644 index 0000000..43f502f --- /dev/null +++ b/linux/guestfist.md @@ -0,0 +1,12 @@ +### Install +``` +apt install guestfish +``` + +### Get filesystem +``` +guestfish --ro -a .vhdx +> run +> list-filesystems +``` + diff --git a/linux/guestmount.md b/linux/guestmount.md index a3b2446..e1a8c59 100644 --- a/linux/guestmount.md +++ b/linux/guestmount.md @@ -1,7 +1,17 @@ ### Source https://github.com/libguestfs/libguestfs/blob/master/fuse/guestmount -### Mount vhdx format +### Install +``` +apt install guestmount +``` + +### Mount vhdx +``` +guestmount --add .vhdx -m /mnt/ +``` + +### Mount vhdx os ``` guestmount --add .vhdx --inspector --ro /mnt/ ``` diff --git a/linux/hashcat.md b/linux/hashcat.md index 88dcd9a..761159e 100644 --- a/linux/hashcat.md +++ b/linux/hashcat.md @@ -43,6 +43,7 @@ hashcat -o -m -a 3 -1 ?l?u?d ?1?1?1?1?1?1 -m 1400 = SHA256 1410 = sha256($pass.$salt) 1420 = sha256($salt.$pass) +1800 = sha512crypt $6$, SHA512 (Unix) 2100 = Domain Cached Credentials (DCC), MS Cache - format: $DCC2$10240## 2500 = WPA/WPA2 5600 = NetNTLMv2 diff --git a/linux/john.md b/linux/john.md index 28c0274..a21d119 100644 --- a/linux/john.md +++ b/linux/john.md @@ -3,8 +3,8 @@ https://github.com/openwall/john ### Install ``` -wget https://www.openwall.com/john/k/john-currentNumber-jumbo-1.tar.xz -tar -xf +git clone https://github.com/openwall/john +apt install libssl-dev -y cd /src ./configure && make ../run/john @@ -35,19 +35,19 @@ wpapsk (wpa2) john --loopback --fork=4 ``` -### File containing cracked passwords +### List all formats ``` -~/.john/john.pot +john --list=formats ``` -### List all formats +### Using korelogic rules ``` -john --list=formats +john --wordlist= --rules=korelogic --format=NT ``` -### Example +### Using specific session and pot ``` -john --wordlist= --rules=korelogic --format=NT +john --session= --pot= ``` ### Convert file for john diff --git a/linux/jq.md b/linux/jq.md index 761ade2..2752390 100644 --- a/linux/jq.md +++ b/linux/jq.md @@ -1,36 +1,13 @@ ### Source https://github.com/stedolan/jq -### Print one line json file as multiple lines +### Print distinguishedname of bloodhound users ``` -jq .json +cat .json | jq '.data[].Properties.distinguishedname ``` -### Retrieve values from key +### Print attributes of bloodhound user ``` -{ - "pos1": { - "key1": "val1", - "key2": "val2" - }, - "key3": "val3" -} - -jq ".pos1 .key1" .json -``` - -### Retrieve multiple values from key -``` -cat .json | jq -r ".pos1 .key1, .key3" -``` - -### Retrieve values from array (example: name of computer from bloodhound json result) -``` -cat .json | jq -r ".data[] .Properties .name" -``` - -### Retrieve multiple values from array -``` -jq ".data[] .Properties | .name, .distinguishedname, .operatingsystem, .serviceprincipalnames" .json +cat .json | jq '.data[].Properties | select(.name | ascii_downcase == "")' ``` diff --git a/linux/openssl.md b/linux/openssl.md index 635e2b0..a52d5a7 100644 --- a/linux/openssl.md +++ b/linux/openssl.md @@ -16,3 +16,8 @@ openssl enc -aes-256-cbc -pbkdf2 -k > openssl enc -d -aes-256-cbc -pbkdf2 -k > ``` +### Print information +``` +openssl x509 -in .pem -text -noout +``` + diff --git a/linux/qubes.md b/linux/qubes.md new file mode 100644 index 0000000..296e85e --- /dev/null +++ b/linux/qubes.md @@ -0,0 +1,45 @@ +### Install software in dom0 +``` +sudo qubes-dom0-update +``` + +### Run command on another qube +``` +qvm-run --pass-io '' +``` + +### Copy file to dom0 +``` +qvm-run --pass-io 'cat > ' +``` + +### Copy file to qube +``` +qvm-copy-to-vm +``` + +### List network information of qube +``` +qvm-ls -n +``` + +### Extend disk space of standalone qube to 30GB +``` +qvm-volume extend 30g +``` + +### Extend initial memory of qube to 8GB +``` +qvm-prefs memory 8000 +``` + +### Extend maximal memory of qube to 8GB +``` +qvm-prefs maxmem 8000 +``` + +### Watch memory usage +``` +xentop +``` + diff --git a/linux/sed.md b/linux/sed.md index e5a0945..02e356a 100644 --- a/linux/sed.md +++ b/linux/sed.md @@ -38,8 +38,8 @@ echo "00123" | sed 's/^0*//' echo " some string" | sed -e 's/^[[:space:]]*//' ``` -# Edit file in place +### Replace german umlaute ``` -sed -i 's/replaceThis/replaceWith/g' +sed 's/ä/ae/g; s/Ä/Ae/g; s/ö/oe/g; s/Ö/Oe/g; s/ü/ue/g; s/Ü/Ue/g; s/ß/ss/g' ``` diff --git a/linux/pivot.md b/other/pivot.md similarity index 84% rename from linux/pivot.md rename to other/pivot.md index 7ba4721..41a58ad 100644 --- a/linux/pivot.md +++ b/other/pivot.md @@ -1,4 +1,4 @@ -### Start ssh connection from compromised client to ssh server +### Start ssh connection on compromised client ``` Start-Process -FilePath "powershell" -ArgumentList " -w hidden -c ssh -p 22 -o 'StrictHostKeyChecking=no' -i $HOME\.ssh\ -N -R 9050 @" ``` @@ -28,3 +28,8 @@ sed -i 's/ 9050/ 9051/g' /etc/proxychains4.conf proxychains firefox ``` +### Add DNS resolver to proxy +``` +/usr/lib/proxychains3/proxyresolv +``` + diff --git a/other/pivoting.md b/other/pivoting.md deleted file mode 100644 index 30c9229..0000000 --- a/other/pivoting.md +++ /dev/null @@ -1,37 +0,0 @@ -### Pivot using ssh and proxychains -``` -The use of a VPN ensures that no third party can use the proxychains port. -It may be necessary to set port forwarding on the SSH server from port 9051 to port 9050. -However, a direct connection to port 9050 on the ssh server from the attacker machine should also be possible. -``` - -### Start ssh session on pivot client -``` -ssh -o 'StrictHostKeyChecking=no' -p -i .\ -N -R 9050 @ -``` - -### Start vpn on attacker machine to server on the internet -``` -openvpn --config -``` - -### Adjust firewall on ssh server to allow connections from attacker machine -``` -ufw allow from -``` - -### If necessary adjust file /etc/proxychains4.conf on attacker machine -``` -socks4 9051 -``` - -### If necessary start socat on ssh server -``` -socat TCP-LISTEN:9051,fork TCP:localhost:9050 -``` - -### Execute attack from attacker machine using proxychains -``` -proxychains -``` - diff --git a/theorie/recon-methodology.md b/theorie/recon-methodology.md index 1d9e203..ca95f94 100644 --- a/theorie/recon-methodology.md +++ b/theorie/recon-methodology.md @@ -234,7 +234,7 @@ The metadata can also contain other informations like domains or e-mail addresse strings * | grep -i "@" ``` -Searching for PDF documents and extracting the metadata can also be done at once with the script `get-pdf-metadata` (see https://github.com/r1cksec/thoth/blob/master/scripts/get-pdf-metadata) +Searching for PDF documents and extracting the metadata can also be done at once with the script `get-pdf-metadata` (see https://github.com/r1cksec/corptrace/blob/master/ressources/modules/startpage_get_pdf_metadata.py) ``` get-pdf-Metadata @@ -306,12 +306,6 @@ But it is still possible to collect employees using Google Dorks. intitle:"companyName" inurl:"linkedin.com/in/" site:linkedin.com ``` -Since automation is king, there is of course a script `dork-linkedIn-employees` that crawls the first pages of the Dork query results (see https://github.com/r1cksec/thoth/blob/master/scripts/dork-linkedIn-employees) - -``` -python3 dork-linkedIn-employees -``` - Alternativly, you can pay for rekruting solutions like PhantomBuster (see https://phantombuster.com) and thus obtain additional information. Another source to get more email addresses are known database leaks. diff --git a/url/git-tools b/url/git-tools index dbea88e..c7bb0c5 100644 --- a/url/git-tools +++ b/url/git-tools @@ -169,6 +169,9 @@ Simple script that checks a domain for email protections https://github.com/BlackSnufkin/GhostDriver yet another AV killer tool using BYOVD +https://github.com/BloodHoundAD/BloodHound +Six Degrees of Domain Admin + https://github.com/C3n7ral051nt4g3ncy/Prot1ntelligence Protintelligence is a Python script for the OSINT and Cyber Community. It finds intelligence on Protonmail accounts @@ -331,6 +334,9 @@ Scan vulnerable drivers on Windows with loldrivers.io https://github.com/FoxIO-LLC/ja4 JA4+ is a suite of network fingerprinting standards +https://github.com/FoxIO-LLC/ja4tscan +JA4TScan is an active TCP server fingerprinting tool. + https://github.com/Frissi0n/GTFONow Automatic privilege escalation for misconfigured capabilities, sudo and suid binaries using GTFOBins. @@ -415,6 +421,9 @@ The Discretionary ACL Modification Project: Persistence Through Host-based Secur https://github.com/Helixo32/NimBlackout Kill AV/EDR leveraging BYOVD attack +https://github.com/HexaCluster/pgdsat +PostgreSQL Database Security Assessment Tool + https://github.com/HotCakeX/Harden-Windows-Security Harden Windows Safely, Securely using Official Supported Microsoft methods and proper explanation | Always up-to-date and works with the latest build of Windows | Provides tools and Guides for Personal, Enterprise, Government and Military security levels @@ -955,6 +964,9 @@ Bash tool used for proactive detection of malicious activity on macOS systems. https://github.com/abdallah-elsharif/hellMaker Hiding unsigned DLL inside a signed DLL +https://github.com/absolomb/FindMeAccess +FindMeAccess is a tool useful for finding gaps in Azure/M365 MFA requirements for different resources, client ids, and user agents. + https://github.com/achyuthjoism/tweeds An advanced Twitter scraping & OSINT tool written in Python that doesn't use Twitter's API, allowing you to scrape a Tweets and more while evading most API limitations. @@ -1102,6 +1114,9 @@ A high-performance DNS stub resolver for bulk lookups and reconnaissance (subdom https://github.com/bobbyrsec/Microsoft-Teams-GIFShell Covert Attack Chain and C2 Utilizing Microsoft Teams GIFs +https://github.com/boostsecurityio/poutine +poutine is a security scanner that detects misconfigurations and vulnerabilities in the build pipelines of a repository. It supports parsing CI workflows from GitHub Actions and Gitlab CI/CD. + https://github.com/bridgecrewio/checkov Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew. @@ -1144,6 +1159,9 @@ Make security testing of K8s, Docker, and Containerd easier. https://github.com/cfalta/PowerShellArmoury A PowerShell armoury for security guys and girls +https://github.com/cgosec/Blauhaunt +A tool collection for filtering and visualizing logon events. Designed to help answering the "Cotton Eye Joe" question (Where did you come from where did you go) in Security Incidents and Threat Hunts + https://github.com/channyein1337/jsleak jsleak is a tool to find secret , paths or links in the source code during the recon. @@ -1408,6 +1426,9 @@ Python3 terminal application that contains 260+ Neo4j cyphers for BloodHound dat https://github.com/fin3ss3g0d/evilgophish evilginx2 + gophish +https://github.com/firefart/stunner +Stunner is a tool to test and exploit STUN, TURN and TURN over TCP servers. + https://github.com/fkasler/cuddlephish Weaponized Browser-in-the-Middle (BitM) for Penetration Testers @@ -2029,6 +2050,9 @@ pure-python implementation of MemoryModule technique to load a dll entirely from https://github.com/narstybits/MacOS-DuckyScripts PLUG & PLAY FLIPPER ZERO SCRIPTS For MacOS +https://github.com/nbaertsch/AutoAppDomainHijack +Automated .NET AppDomain hijack payload generation + https://github.com/nccgroup/DroppedConnection Emulates a Cisco ASA Anyconnect VPN service, accepting any credentials (and logging them) before serving VBS to the client that gets executed in the context of the user. @@ -2248,6 +2272,9 @@ Nosey Parker is a command-line program that finds secrets and sensitive informat https://github.com/projectdiscovery/asnmap Go CLI and Library for quickly mapping organization network ranges using ASN information. +https://github.com/projectdiscovery/cdncheck +cdncheck is a tool for identifying the technology associated with dns / ip network addresses. + https://github.com/projectdiscovery/dnsx dnsx is a fast and multi-purpose DNS toolkit allow to run multiple DNS queries of your choice with a list of user-supplied resolvers. @@ -2431,6 +2458,9 @@ A PowerShell module to deploy active directory decoy objects. https://github.com/samratashok/nishang Nishang - Offensive PowerShell for red team, penetration testing and offensive security. +https://github.com/sarperavci/GoogleRecaptchaBypass +Solve Google reCAPTCHA in less than 5 seconds! + https://github.com/saw-your-packet/EC2StepShell EC2StepShell is an AWS post-exploitation tool for getting high privileges reverse shells in public or private EC2 instances. @@ -2515,6 +2545,9 @@ Nginxpwner is a simple tool to look for common Nginx misconfigurations and vulne https://github.com/stealth/devpops Companion Worm research +https://github.com/strontic/xcyclopedia +The xCyclopedia project attempts to document all executable binaries (and eventually scripts) that reside on a typical operating system. + https://github.com/sullo/nikto Nikto web server scanner diff --git a/url/osint.md b/url/osint.md index a893e60..6b275a5 100644 --- a/url/osint.md +++ b/url/osint.md @@ -26,7 +26,7 @@ * https://epieos.com ; #osint #email #phone #user-profile * https://facecheck.id ; #osint #image-search #facial-recognition * https://fullhunt.io ; #osint #portscan #subdomain #country -* https://geospy.web.app ; #osint #geolocation #image +* https://geospy.ai ; #osint #geolocation #image * https://gps-coordinates.org/latitude-and-longitude.php ; #osint #geolocation #longitude #latitude * https://grep.app ; #osint #git #repository #source-code * https://hackertarget.com/reverse-analytics-search ; #osint #google-adsense #google-analytics #rootdomain #http-header #http-title #nameserver #reverse-ip diff --git a/url/services.md b/url/services.md index d8e0a73..e53275f 100644 --- a/url/services.md +++ b/url/services.md @@ -5,11 +5,12 @@ * https://andrewmarsh.com/apps/staging/sunpath3d.html * https://antiscan.me * https://anvaka.github.io/map-of-github -* https://any.run +* https://any.run ; #forensic #dfir #malware #sandbox * https://app.docguard.io * https://archlinux.org/mirrors/status * https://badfiles.ch * https://boostsecurityio.github.io/lotp ; #living-off-the-pipeline #ci-cd #continuous-integration-continous-deployment +* https://br0k3nlab.com/LoFP * https://browserleaks.com * https://canarytokens.org * https://caniuse.com @@ -42,7 +43,8 @@ * https://ifconfig.me * https://imagecolorpicker.com * https://ipv4.myip.wtf/json -* https://jwt.io +* https://jwt.io ; #json-web-token +* https://jwt.ms ; #json-web-token * https://kartaview.org * https://kiosk.vsim.xyz ; #kisok #escape #tooling * https://lofl-project.github.io @@ -71,6 +73,7 @@ * https://scamsearch.io * https://socradar.io/labs/accountbreach * https://spydialer.com +* https://strontic.github.io/xcyclopedia ; #windows #forensic #dfir #executable * https://threats.wiz.io ; #cloud #malware #watchlist * https://urlfiltering.paloaltonetworks.com * https://vim-adventures.com @@ -78,6 +81,7 @@ * https://wtfbins.wtf * https://www.breaches.cloud * https://www.browserling.com ; #online-browser +* https://www.capsolver.com ; #captcha-solving * https://www.cloudvulndb.org * https://www.denic.de/service/tools/idn-web-converter * https://www.irongeek.com/homoglyph-attack-generator.php diff --git a/url/tagged-urls.md b/url/tagged-urls.md index 5f41640..e80df73 100644 --- a/url/tagged-urls.md +++ b/url/tagged-urls.md @@ -53,6 +53,7 @@ * https://badoption.eu/blog/2023/10/03/MSIFortune.html ; #windows #msi #privilege-escalation #transform-files #dll-sideloading #powershell * https://badoption.eu/blog/2023/12/21/RedirectChain.html ; #windows #phishing #python #java #ruby #uri-handler #edge #protocol-provider #webdav #visual-studio * https://badoption.eu/blog/2024/01/12/teams5.html ; #ms-teams #phishing #bypass #instant-messenger +* https://badoption.eu/blog/2024/04/25/netntlm.html ; #windows #active-directory #ntlm-relaying #ssh #http-sys #searchConnectors-ms #lnk * https://badoption.eu/docs/blog/2023/01/31/code_c2.html ; #c2 #command-and-control #vscode #tunnel * https://bakerstreetforensics.com/2023/07/19/hunting-for-indicators-with-powershell-new-files ; #threat-intelligence #malware-analyse #forensic #dfir #powershell * https://baldur.dk/blog/writing-metasploit-exploit.html ; #metasploit #exploit-development #ruby @@ -62,7 +63,7 @@ * https://bleekseeks.com/blog/how-to-protect-against-modern-phishing-attacks ; #phishing #evilginx #conditional-access-policy #continous-access-evaluation * https://blog.0x4.xyz/bypassing-windows-protection-mechanisms/bypass-windows-defender-atp ; #windows-defender-atp #advanced-threat-protection #edr #evasion #bypass * https://blog.ampedsoftware.com/2023/02/28/cctv-the-beginners-guide ; #cctv #camera #video #hdd -* https://blog.apnic.net/2023/11/22/ja4-network-fingerprinting ; #ja4+ #jarm #threat-intel #dfir #forensic +* https://blog.apnic.net/2023/11/22/ja4-network-fingerprinting ; #ja4+ #jarm #threat-intelligence #dfir #forensic * https://blog.assetnote.io/2021/08/29/exploiting-graphql ; #webapp #graphql #batchql #csrf * https://blog.assetnote.io/2023/04/30/rce-oracle-opera ; #webapp #oracle-opera #rce #cve * https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform-part-3 ; #windows #active-directory #lolbas #wmi #powershell #registry #certificate #cim @@ -70,11 +71,11 @@ * https://blog.blacklanternsecurity.com/p/detecting-dcsync ; #active-directory #dcsync #detection * https://blog.bushidotoken.net/2023/07/investigating-sms-phishing-text.html ; #threat-intelligence #sms #phishing * https://blog.bushidotoken.net/2023/08/hacktivists-liars-and-morons.html ; #threat-intelligence #hacktivist #ftp -* https://blog.bushidotoken.net/2023/09/tracking-adversaries-akira-another.html ; #akira #conti #ransomware #threat-intel +* https://blog.bushidotoken.net/2023/09/tracking-adversaries-akira-another.html ; #akira #conti #ransomware #threat-intelligence * https://blog.calif.io/p/privilege-escalation-in-eks ; #cloud #aws #kuberneted #elastic #privesc #privilege-escalation * https://blog.calif.io/p/redash-saml-authentication-bypass ; #webapp #saml #authentication-bypass #cve * https://blog.christophetd.fr/dll-unlinking ; #windows #dll #injection #evasion #unlinking -* https://blog.cluster25.duskrise.com/2023/10/25/the-duck-is-hiring ; #threat-intel #telegram #c2 #command-and-control +* https://blog.cluster25.duskrise.com/2023/10/25/the-duck-is-hiring ; #threat-intelligence #telegram #c2 #command-and-control * https://blog.compass-security.com/2022/05/bloodhound-inner-workings-part-1 ; #active-directory #samr #gpo #bloodhound * https://blog.compass-security.com/2022/05/bloodhound-inner-workings-part-2 ; #active-directory #session #enum #bloodhound * https://blog.compass-security.com/2022/11/relaying-to-ad-certificate-services-over-rpc ; #active-directory #certificate-service #adcs #ntlm #rpc #certipy @@ -104,7 +105,7 @@ * https://blog.redteam-pentesting.de/2024/bitwarden-heist ; #password-dump #password-manager #bitwarden #windows-hello * https://blog.sekoia.io/darkgate-internals ; #malware-analyse #threat-intelligence #darkgate * https://blog.sicuranext.com/how-attackers-fingerprint-your-wordpress-website ; #http #wordpress #methodology #user-enumeration -* https://blogs.juniper.net/en-us/threat-research/dreambus-botnet-resurfaces-targets-rocketmq-vulnerability ; #threat-intel #malware #rocketmq #interactsh +* https://blogs.juniper.net/en-us/threat-research/dreambus-botnet-resurfaces-targets-rocketmq-vulnerability ; #threat-intelligence #malware #rocketmq #interactsh * https://blog.slowerzs.net/posts/thievingfox ; #windows #keepass #credential-dump #hooking #dot-net #com #dll * https://blog.solidsnail.com/posts/npm-esc-seq ; #cve #ansi-escape-sequences #cli #iterm2 #npm #radare2 * https://blog.solidsnail.com/posts/vscode-shell-integ-rce ; #cve #ansi-escape-sequences #vscode @@ -134,7 +135,7 @@ * https://celes.in/posts/cloudflare_ns_whois ; #osint #nameserver #reverse-lookup #cloudflare #whoisxmlapi * https://charbelnemnom.com/deploy-microsoft-defender-for-identity/?expand_article=1 ; #microsoft #defender-for-identity #azure #entra #setup #adcs * https://cheatsheetseries.owasp.org/cheatsheets/GraphQL_Cheat_Sheet.html ; #webapp #graphql #cheatsheets #methodology -* https://chris.partridge.tech/2023/malware-targeting-cybersecurity-subreddit ; #threat-intel #malware-analyse #stager #lnk +* https://chris.partridge.tech/2023/malware-targeting-cybersecurity-subreddit ; #threat-intelligence #malware-analyse #stager #lnk * https://class.malware.re/2020/04/18/android-intro-and-tools.html ; #android #malware-analyse #manifest #apk #jar #java * https://cloudbrothers.info/azure-attack-paths ; #cloud #azure #entra #methodology #subscription #delegation #lighthouse #adfs #runbook * https://cloud.google.com/blog/topics/threat-intelligence/windows-session-hijacking-via-ccmexec ; #sccm #ccmexec #session-hijacking #appdomainmanager-injection @@ -185,8 +186,8 @@ * https://frischkorn-nicholas.medium.com/red-teaming-macos-101-33b5a1834a2e ; #macosx #methodology #wiki * https://fuzzing.io/hushcon23.pdf ; #fuzzing * https://ghostlulz.com/binary-exploitation-ret2libc ; #buffer-overflow #linux #gdb -* https://gi7w0rm.medium.com/the-curious-case-of-the-7777-botnet-86e3464c3ffd ; #threat-intel #botnet #shodan -* https://gi7w0rm.medium.com/uncovering-ddgroup-a-long-time-threat-actor-d3b3020625a4 ; #threat-intel #webdav #uri-handler #search-ms #protocol-provider +* https://gi7w0rm.medium.com/the-curious-case-of-the-7777-botnet-86e3464c3ffd ; #threat-intelligence #botnet #shodan +* https://gi7w0rm.medium.com/uncovering-ddgroup-a-long-time-threat-actor-d3b3020625a4 ; #threat-intelligence #webdav #uri-handler #search-ms #protocol-provider * https://gist.github.com/NotMedic/b1ab7809eea94cc05513905b26964663 ; #pivoting #tunnel #chrome * https://gist.github.com/ustayready/3ba2e4b1a4ec3cdad188f0f7d0dc4b73 ; #phishing #open-redirect #google-docs * https://git.culbertreport.com/posts/Sliver-vs-Havoc ; #c2 #command-and-control #sliver #havoc @@ -229,7 +230,7 @@ * https://improsec.com/tech-blog/sid-filter-as-security-boundary-between-domains-part-3-sid-filtering-explained ; #active-directory #kerberos #inter-realm #goldenticket #sid-filter * https://improsec.com/tech-blog/sid-filter-as-security-boundary-between-domains-part-4-bypass-sid-filtering-research ; #active-directory #kerberos #sid-filter #trust * https://inbits-sec.com/posts/in-memory-unhooking ; #edr #unhooking #windows -* https://infosecwriteups.com/behind-the-screens-exploring-a-fresh-phishing-campaign-in-indonesia-stealing-facebook-credentials-9240016c5989 ; #threat-intel #phishing #urlscanio #crtsh +* https://infosecwriteups.com/behind-the-screens-exploring-a-fresh-phishing-campaign-in-indonesia-stealing-facebook-credentials-9240016c5989 ; #threat-intelligence #phishing #urlscanio #crtsh * https://infosecwriteups.com/one-of-the-most-devastating-ransomware-is-a-good-point-to-start-learning-malware-analysis-a80007093de3 ; #threat-intelligence #malware-analyse #ransomware #wannacry * https://infosecwriteups.com/password-reset-poisoning-with-host-header-injection-345b902a9ca5?gi=7cf13b5f9d42 ; #webapp #host-header-injection * https://infosecwriteups.com/red-teaming-evading-av-c948ec5d10e9 ; #windows #av #anti-virus #edr #evasion #bypass #windows-defender #shellcode #meterpreter @@ -237,6 +238,7 @@ * https://infosecwriteups.com/think-outside-the-scope-advanced-cors-exploitation-techniques-dad019c68397 ; #cors #webapp #xss * https://intezer.com/blog/malware-analysis/malware-reverse-engineering-beginners ; #reverse-engineering #assembly #arithmetic-logical-unit * https://ipslav.github.io/2023-12-12-let-me-manage-your-appdomain ; #windows #appdomain #edr #evasion #dirtyclr #dot-net +* https://iq.thc.org/discover-proton-mail-registration-date-with-one-weird-trick ; #proto #email #osint #pgp #web-key-directory * https://isc.sans.edu/diary/A+new+spin+on+the+ZeroFont+phishing+technique/30248 ; #phishing #email #threat-intelligence * https://isc.sans.edu/diary/rss/30676 ; #phishing #threatintel #internet-archive #waybackmachine * https://itm4n.github.io/dll-proxying ; #windows #dll #privesc #privilege-escalation #proxying #wrapper @@ -260,7 +262,7 @@ * https://krebsonsecurity.com/2023/07/who-and-what-is-behind-the-malware-proxy-service-socksescort ; #threat-intelligence #malware-analyse #proxy #socksescort #illicit-services * https://kuenzi.dev/toothbrush ; #internet-of-things #iot #philips-sonicare #reverse-engineering #nfc * https://labs.cognisys.group/posts/Combining-Indirect-Dynamic-Syscalls-and-API-Hashing ; #windows #api-hashing #indirect-dynamic-syscall -* https://labs.guard.io/mrtonyscam-botnet-of-facebook-users-launch-high-intent-messenger-phishing-attack-on-business-3182cfb12f4d ; #threat-intel #malware #facebook #phishing #batch +* https://labs.guard.io/mrtonyscam-botnet-of-facebook-users-launch-high-intent-messenger-phishing-attack-on-business-3182cfb12f4d ; #threat-intelligence #malware #facebook #phishing #batch * https://labs.jumpsec.com/advisory-idor-in-microsoft-teams-allows-for-external-tenants-to-introduce-malware ; #ms-teams #phishing #http-post #instant-messenger * https://labs.lares.com/adcs-exploits-investigations-pt1 ; #active-directory #certificate-service #adcs #detection #event-id * https://labs.lares.com/adcs-exploits-investigations-pt2 ; #active-directory #certificate-service #adcs #detection #esc1 #esc3 #esc4 esc6 @@ -298,13 +300,14 @@ * https://medium.com/@bobbyrsec/gifshell-covert-attack-chain-and-c2-utilizing-microsoft-teams-gifs-1618c4e64ed7 ; #c2 #command-and-control #gif #ms-teams #instant-messenger * https://medium.com/@bobbyrsec/microsoft-teams-attachment-spoofing-and-lack-of-permissions-enforcement-leads-to-rce-via-ntlm-458aea1826c5 ; #phishing #spoofing #attachment #ms-teams #instant-messenger * https://medium.com/@bobbyrsec/the-dangers-of-googles-zip-tld-5e1e675e59a5 ; #phishing #spoofing #url #scheme-abuse +* https://medium.com/cider-sec/ppe-poisoned-pipeline-execution-34f4e8d0d4e9 ; #poisoned-pipeline-xecution #jenkins #ec2 #api #secrets #cicd #continuous-integration-continous-deployment * https://medium.com/@cyb_detective/how-to-automate-the-analysis-of-links-to-user-profiles-obtained-with-nickname-enumeration-tools-1d0abaf22c53 ; #osint #nickname #nuclei * https://medium.com/@knownsec404team/unveiling-the-dark-gray-market-organizations-behind-the-vpn-scenes-f2b8dbf09467 ; #threat-intelligence #vpn #zoomeye #ssl-certificate * https://medium.com/@lsepaolo/threat-hunting-dns-c2-c461abf4794d ; #threat-intelligence #dfir #elastic #sliver #dns #command-and-control #c2 * https://medium.com/@moon_osint/how-to-find-the-administrator-of-an-onion-site-89d176b0061a ; #osint #tor #darknet #threat-intelligence * https://medium.com/@psychsecurity/mfa-phishing-using-novnc-and-aws-ebc781b4d093 ; #phishing #mfa #vnc * https://medium.com/@ronkaminskyy/geolocating-a-traveler-via-osint-techniques-ed34ed120a00 ; #osint #geo-location #image -* https://medium.com/@Sec0ps/using-windows-helpfile-as-a-foothold-cebbb55f6655 ; #threat-intel #chm #initial-access #phishing +* https://medium.com/@Sec0ps/using-windows-helpfile-as-a-foothold-cebbb55f6655 ; #threat-intelligence #chm #initial-access #phishing * https://medium.com/@TalBeerySec/a-short-note-on-aws-key-id-f88cc4317489 ; #aws #cloud #key-id #authentication #python * https://medium.com/@TalBeerySec/hi-meta-whatsapp-with-privacy-6d646c5aa3bc ; #whatsapp #linked-devices-enumeration * https://medium.com/tenable-techblog/wordpress-mycalendar-plugin-unauthenticated-sql-injection-cve-2023-6360-d272887ddf12 ; #web #sqli #wordpress #php @@ -353,7 +356,7 @@ * https://pentestlab.blog/2023/11/06/persistence-windows-telemetry ; #windows #persistence #compattelrunner * https://pentestlab.blog/2023/11/20/persistence-scheduled-task-tampering ; #windows #schtask #persistence * https://pentestlab.blog/2024/01/15/lateral-movement-visual-studio-dte ; #windows #lateral-movement #visual-studio-development-tools-environment -* https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud ; #threat-intel #ransomware #cloud #aws +* https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud ; #threat-intelligence #ransomware #cloud #aws * https://pgj11.com/posts/Diamond-And-Sapphire-Tickets ; #kerberoast #active-directory #diamond #sapphire #s4u2self * https://plessas.net/facebookmatrix ; #osint #facebook * https://podalirius.net/en/articles/parsing-the-msds-keycredentiallink-value-for-shadowcredentials-attack ; #active-directory #certificate-service #adcs #msds-keycredentiallink #shadowcredentials @@ -441,6 +444,7 @@ * https://securelist.com/network-tunneling-with-qemu/111803 ; #windows #socket #tunnel #pivot #qemu * https://securesystems.de/blog/a-fresh-look-at-user-enumeration-in-microsoft-teams ; #ms-teams #phishing #enumeration #instant-messenger * https://securitycafe.ro/2023/04/03/mobile-pentesting-101-how-to-set-up-your-android-environment ; #mobile #android #lab-setup #emulator #mobsf +* https://securitycafe.ro/2024/05/08/aws-cloudquarry-digging-for-secrets-in-public-amis ; #aws #ami #git #secrets #api-key * https://security.humanativaspa.it/a-journey-into-iot-unknown-chinese-alarm-part-1-discover-components-and-ports ; #internet-of-things #iot #xiaomi #chip #fcc-id * https://security.humanativaspa.it/a-journey-into-iot-unknown-chinese-alarm-part-2-firmware-dump-and-analysis ; #internet-of-things #iot #swd-port #arm #microcontroller * https://security.humanativaspa.it/a-journey-into-iot-unknown-chinese-alarm-part-3-radio-communications ; #internet-of-things #iot #software-defined-radio #modulation @@ -458,7 +462,7 @@ * https://shubakki.github.io/posts/2022/12/detecting-and-evading-sandboxing-through-time-based-evasion ; #sandbox #evasion #time-based #cpu-cycles * https://skii.dev/rook-to-xss ; #web #xss #phpsessid #tinymce * https://sonarsource.com/blog/it-s-a-snmp-trap-gaining-code-execution-on-librenms?utm_source=twitter&utm_medium=social&utm_content=security ; #snmp #librenms #php #cisco -* https://soxoj.substack.com/p/getting-an-instagram-profile-by-phone ; #threat-intel #phone #instagram +* https://soxoj.substack.com/p/getting-an-instagram-profile-by-phone ; #threat-intelligence #phone #instagram * https://splintercod3.blogspot.com/p/bypassing-uac-with-sspi-datagram.html ; #windows #lsass #token #uac #sspi #ntlm * https://squiblydoo.blog/2023/06/05/understanding-pe-bloat-with-malcat ; #reverse-engineering #pe-bloat #malcat * https://sra.io/blog/letitgo-a-case-study-in-expired-domains-and-azure-ad ; #cloud #azure #entra #domain-takeover #recon @@ -472,7 +476,7 @@ * https://swarm.ptsecurity.com/jetty-features-for-hacking-web-apps ; #webapp #jetty #file-upload #waf * https://syfuhs.net/understanding-windows-auth ; #windows #lsass #authentication #methodology #kerberos #azure #entra #trust * https://synthesis.to/2023/08/02/api_functions.html ; #reverse-engineering #reverse-engine #binary-analyse #api-functions #coreutils #plugx -* https://sysdig.com/blog/ambersquid ; #threat-intel #malware #aws #cloud #ec2 #cryptocurrency +* https://sysdig.com/blog/ambersquid ; #threat-intelligence #malware #aws #cloud #ec2 #cryptocurrency * https://systemweakness.com/alternate-data-streams-good-or-bad-3e22e972f8fd ; #windows #alternate-data-stream #powershell * https://systemweakness.com/satellite-osint-space-based-intelligence-in-cybersecurity-e87f9dca4d81?gi=75215bb0af82 ; #satelite #osint #api * https://tastypepperoni.medium.com/bypassing-defenders-lsass-dump-detection-and-ppl-protection-in-go-7dd85d9a32e6 ; #anti-virus #bypass #ppl #windows #go #minidump #evasion @@ -480,7 +484,7 @@ * https://thebinaryhick.blog/2023/10/17/finding-phones-with-google-maps-part-1-android ; #android #forensic #dfir #googlemaps * https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware ; #threat-intelligence #malware-analyse #iso #lnk #dll * https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware ; #threat-intelligence #malware-analyse #icedid #vnc -* https://thedfirreport.com/2023/09/25/from-screenconnect-to-hive-ransomware-in-61-hours ; #threat-intel #malware #ransomware +* https://thedfirreport.com/2023/09/25/from-screenconnect-to-hive-ransomware-in-61-hours ; #threat-intelligence #malware #ransomware * https://thegreycorner.com/2023/08/30/aws-service-C2-forwarding.html ; #domain-fronting #aws #lambda #cloudfront #api * https://threatanatomy.io/en/posts/004-analyzing-a-dotnet-c2-agent ; #pestudio #windows #malware-analyse #visual-studio #dnspy #command-and-control #c2 #dot-net * https://tij.me/blog/harvesting-active-directory-credentials-via-http-request-smuggling ; #webapp #http-request-smuggling #proxy @@ -499,7 +503,7 @@ * https://undev.ninja/introduction-to-threat-intelligence-etw ; #windows #event-tracing #descriptors * https://unit42.paloaltonetworks.com/cl0p-group-distributes-ransomware-data-with-torrents/#post-130278-_no8dslefr23j ; #threat-intelligence #ransomware #torrent * https://unit42.paloaltonetworks.com/detecting-malicious-stockpiled-domains ; #phishing #threat-intelligence #domain #certificate -* https://unit42.paloaltonetworks.com/fake-cve-2023-40477-poc-hides-venomrat ; #threat-intel #fake-poc #powershell #python #malware +* https://unit42.paloaltonetworks.com/fake-cve-2023-40477-poc-hides-venomrat ; #threat-intelligence #fake-poc #powershell #python #malware * https://unit42.paloaltonetworks.com/next-gen-kerberos-attacks ; #kerberos #active-directory #diamond #sapphire #s4u2self #delegation #tgs #tgt * https://unit42.paloaltonetworks.com/unit42-threat-intelligence-roundup ; #phishing #malware #threat-intelligence #dropper #infection-chain * https://up.nttdata.com/l/970163/2024-01-22/58n5n/970163/1705913860OSud8AHj/Using_Microsoft_Teams_for_Phishing.pdf ; #ms-teams #phishing #spoofing #instant-messenger #splash-screen-bypass @@ -534,7 +538,7 @@ * https://www.blackhillsinfosec.com/spoofing-microsoft-365-like-its-1995 ; #phishing #microsoft-direct-send #spoofing #mail * https://www.blazeinfosec.com/post/tearing-amsi-with-3-bytes ; #windows #amsi #bypass #dll * https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Cyber-Sicherheit/SiSyPHus/Konfigurationsempfehlungen_zur_Haertung_von_Windows_10.pdf?__blob=publicationFile&v=3 ; #windows #hardening -* https://www.cadosecurity.com/oracleiv-a-dockerised-ddos-botnet ; #malware #botnet #docker #threat-intel +* https://www.cadosecurity.com/oracleiv-a-dockerised-ddos-botnet ; #malware #botnet #docker #threat-intelligence * https://www.chudamax.com/posts/kerberos-102-overview ; #kerberos #windows #active-directory #methodology * https://www.cisa.gov/sites/default/files/2023-06/aa23-165a_understanding_TA_LockBit.pdf ; #threat-intelligence #malware-analyse #ransomware #lockbit * https://www.coresecurity.com/core-labs/articles/running-pes-inline-without-console ; #windows #evasion #edr #bypass #conhost @@ -544,10 +548,10 @@ * https://www.cyberark.com/resources/threat-research-blog/persistence-techniques-that-persist ; #windows #persistence #methodology #wiki * https://www.cybereason.com/blog/dcom-lateral-movement-techniques ; #lateral-movement #windows #dcom #powershell * https://www.descope.com/blog/post/noauth ; #cloud #azure #entra #noauth #open-id -* https://www.docguard.io/deep-dive-analysis-of-shell-link-lnk-binary-file-format-and-malicious-lnk-files ; #windows #lnk #malware #threat-intel -* https://www.docguard.io/in-depth-analysis-of-typhon-stealer ; #threat-intel #malware-analyse #sandbox-evasion +* https://www.docguard.io/deep-dive-analysis-of-shell-link-lnk-binary-file-format-and-malicious-lnk-files ; #windows #lnk #malware #threat-intelligence +* https://www.docguard.io/in-depth-analysis-of-typhon-stealer ; #threat-intelligence #malware-analyse #sandbox-evasion * https://www.docguard.io/microsoft-compiled-html-help-chm-using-in-spearphishing-attack ; #threa-tinel #malware-analyse #chm -* https://www.docguard.io/unraveling-obfuscated-macros-in-office-filesa-step-by-step-guide ; #threat-intel #malware #macro #obfuscation #vba +* https://www.docguard.io/unraveling-obfuscated-macros-in-office-filesa-step-by-step-guide ; #threat-intelligence #malware #macro #obfuscation #vba * https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process ; #shellcode #process-injection #cheatsheets * https://www.errno.fr/TTYPushback.html ; #linux #privesc #privilege-escalation #tty-pushback * https://www.example-code.com/vbscript/http.asp ; #vbscript #cheatsheets @@ -569,7 +573,7 @@ * https://www.ired.team/offensive-security/defense-evasion/preventing-3rd-party-dlls-from-injecting-into-your-processes ; #windows #dll #cheatsheets #methodology #detection * https://www.jackphilipbutton.com/post/how-to-protect-evilginx-using-cloudflare-and-html-obfuscation ; #phishing #evilginx #cloudflare #html-obfuscation * https://www.kitploit.com/2023/03/qrexfiltrate-tool-that-allows-you-to.html ; #qr-code #data-exfiltration #air-gapped -* https://www.lemagit.fr/actualites/252529585/Ransomware-comment-traque-t-on-les-gains-des-cybercriminels ; #bitcoin #thread-intelligence +* https://www.lemagit.fr/actualites/252529585/Ransomware-comment-traque-t-on-les-gains-des-cybercriminels ; #bitcoin #threat-intelligence * https://www.mandiant.com/resources/blog/abusing-dll-misconfigurations ; #windows #dll #sideloading #hijack #enumeration * https://www.mandiant.com/resources/blog/arbitrary-file-deletion-vulnerabilities ; #windows #privesc #privilege-escalation #msi #file-deletion #cve-2023-27470 #procmon * https://www.mandiant.com/resources/blog/url-obfuscation-schema-abuse ; #phishing #scheme-abuse #spoofing #yara @@ -605,8 +609,8 @@ * https://www.redteam.cafe/red-team/dll-sideloading/dll-sideloading-not-by-dllmain ; #dll-sideloading #windows #frida * https://www.redteam.cafe/red-team/dll-sideloading/dll-sideloading-not-by-dllmain ; #windows #dll #sideloading #hijack #frida * https://www.reliaquest.com/blog/scattered-spider-attack-analysis-account-compromise ; #scattered-spider #ransomware #threat-intelligence -* https://www.resecurity.com/blog/article/ransomware-attacks-against-the-energy-sector-on-the-rise-nuclear-and-oil-gas-are-major-targets-2024 ; #ransomware #threat-intel #negotiation -* https://www.resecurity.com/blog/article/smishing-triad-targeted-usps-and-us-citizens-for-data-theft ; #threat-intel #telegram #smishing #phishing #sql-injection +* https://www.resecurity.com/blog/article/ransomware-attacks-against-the-energy-sector-on-the-rise-nuclear-and-oil-gas-are-major-targets-2024 ; #ransomware #threat-intelligence #negotiation +* https://www.resecurity.com/blog/article/smishing-triad-targeted-usps-and-us-citizens-for-data-theft ; #threat-intelligence #telegram #smishing #phishing #sql-injection * https://www.rezonate.io/blog/har-files-attack-okta-customers ; #cookies #har #web #threat-intelligence * https://www.riskinsight-wavestone.com/en/2023/10/a-universal-edr-bypass-built-in-windows-10 ; #edr #windows #evasion #bypass * https://www.rootcat.de/blog/ec2-meta_may23 ; #cloud #aws #ec2 #meta-data