Leo Loobeek

@leoloobeek

Penetration Tester | Adaptable Adversary | Thoughts and tweets are my own

Joined July 2009

Tweets


  1. Pinned tweet
    29 Aug 2019

    Just published a post (it's been a while) on proxying COM objects during hijacking to avoid crashing the process. Also includes some insight into in-process COM servers and weaponization! Feedback welcome.

  2. 29 Jan

    Great thread, I echo the love for tracking pixels. I try to put them everywhere I can which doesn't impact OPSEC. You should never walk away from a phishing campaign without any new knowledge.

  3. Retweeted
    27 Jan

    If 's DotnetToJScript is blocked on newer versions of Windows or if it gets flagged by AMSI, you can use Excel automation via a COM object as an alternative to execute shellcode from JScript or VBScript w/o touching disk. PoC for x86 & x64 here:

  4. Retweeted
    18 Jan

    New stealthy lateral movement technique looks incredible (existing socket hijacking). Definitely something to keep eyes on when released. The PDF paper is extremely impressive and worth the read.

  5. Retweeted
    8 Jan

    Exploring code coverage for module stomping - injecting into unused code areas in legitimately loaded DLLs -

  6. Retweeted
    10 Jan
  7. Retweeted
    17 Dec 2019

    New tool: rubeus2ccache Generates ccache files directly from Rubeus dump output. Major thanks to for basically writing anything hard. Merry Christmas Red Team! 🎄

  8. Retweeted
    16 Dec 2019

    Quick arbitrary disk read (LPE) exploit for the Nalpeiron licensing service. Avoid NLSSRV32 and Nitro PDF =< v10.

  9. 13 Dec 2019

    This was such a great experience to not only share what I do everyday but hear some really thoughtful questions and comments. The next generation is on top of infosec and I'm excited to see what they bring!!

  10. Retweeted
    13 Dec 2019

    Well-segmented networks have caused me the most headaches when I'm attacking networks. I can't stress how much harder it becomes for me as an attacker. If you haven't already, make it your New Year's resolution to deploy the Windows firewall and make attackers' lives much harder.

  11. Retweeted
    10 Dec 2019

    HKLM:\SOFTWARE\WOW6432Node\Symantec\Symantec Endpoint Protection\AV\Exclusion\ScanningEngines\ can be monitored to identify unauthorized SEP policy exceptions. It can also be used by red teams to identify SEP policy exceptions that can be leveraged to avoid detection.

  12. Retweeted
    4 Dec 2019

    🔨A Tough Outlook for Home Page Attacks 🔗 Blog has 🇮🇷, 🇮🇷, and 🏴󠁵󠁳󠁯󠁨󠁿😉 home page persistence & RCE. 🔒We talk CVE-2017-11774 patch tampering in-the-wild and made a hardening guide! 😱Cool TTPs (pictured)

    UNC1194 macros and CVE-2017-11774 patch tampering
    Domain guardrail, Azure storage blobs, and registry tomfoolery.
  13. Retweeted
    21 Nov 2019

    I wrote a blog post about some of my work in Electron, also covers work by and more:

  14. Retweeted
    14 Nov 2019

    [Blog] A simple write-up for a recent discovery - CVE-2019-1378 - WUA Priv Esc

  15. Retweeted
    14 Nov 2019

    Thanks to for releasing their write-up on CVE-2019-1405 and CVE-2019-1322. I figured it is time for me to learn some COM stuff, so I whipped up a PoC. Source: . Video: Thanks to and

  16. Retweeted
    12 Nov 2019

    Oooh this is cool research by , NTLM reflection is back by waiting for the NTLM challenge cache entry to timeout... awesome post

  17. Retweeted
    11 Nov 2019

    Re-entrant self-loading and code execution with registration-free COM.

  18. Retweeted
    4 Nov 2019

    New blog post looking at how Cobalt Strike’s “blockdlls” command works, how to recreate it in our own payloads, and a quick look at Arbitrary Code Guard.

  19. Retweeted
    30 Oct 2019

    Neat Trickbot analysis, enjoyed the read. Pirated CS was used amongst other stuff. Server mentioned has default CS self-signed certificate (146473198) and has 50050 exposed. Lots of opportunity for discovery here.

  20. Retweeted
    30 Oct 2019

    [blog] Covenant: Developing Custom C2 Communication Protocols Covenant v0.4 is now out as well 🙂🔥

  21. Retweeted
    18 Oct 2019

    Convert your Go EXE to shellcode: 1. Build this patched version of Go 2. go build -buildmode=pie to include .reloc section in your PE 3. donut -f target.exe props to and odzhan for the awesome tool

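Tweet 11 above names a registry key that a blue team can monitor for unauthorized SEP exclusions and a red team can read to learn what the scanner is told to ignore. The script below is an added example, not code from that tweet, from its author or from Symantec: it snapshots every value under that key into a baseline file and reports entries that were added or removed since. The subkey layout beneath ScanningEngines is not assumed (the key is walked generically), and the baseline file location is an assumption you can change.

```powershell
# Added example (not from the tweet or from Symantec): snapshot and diff the
# SEP exclusion key quoted in the tweet. The path is used exactly as given
# there; the subkey layout under it is enumerated, not assumed.

$SepExclusionKey = 'HKLM:\SOFTWARE\WOW6432Node\Symantec\Symantec Endpoint Protection\AV\Exclusion\ScanningEngines'
$BaselinePath    = "$env:ProgramData\sep-exclusion-baseline.json"   # assumed location

function Get-SepExclusionSnapshot {
    # Returns one string per registry value: "<key relative to ScanningEngines>\<name> = <value>"
    param([string]$Key = $SepExclusionKey)

    if (-not (Test-Path -LiteralPath $Key)) {
        Write-Warning "Key not found: $Key (SEP absent, or a different install layout)"
        return @()
    }

    # The key itself plus every subkey beneath it
    $keys = @(Get-Item -LiteralPath $Key) + @(Get-ChildItem -LiteralPath $Key -Recurse)
    foreach ($k in $keys) {
        # $k.Name is the full HKEY_LOCAL_MACHINE\... path; keep the part from ScanningEngines down
        $rel = $k.Name.Substring($k.Name.IndexOf('ScanningEngines'))
        foreach ($name in $k.GetValueNames()) {
            $value = $k.GetValue($name)
            if ($value -is [byte[]]) {
                # REG_BINARY: hex-encode so the snapshot is a stable string
                $value = ($value | ForEach-Object { $_.ToString('x2') }) -join ''
            }
            $label = if ($name -eq '') { '(Default)' } else { $name }   # default value has an empty name
            "$rel\$label = $value"
        }
    }
}

function Save-SepExclusionBaseline {
    # Run once on a host whose exclusions are known to match policy
    param([string]$Path = $BaselinePath)
    $snapshot = @(Get-SepExclusionSnapshot)
    # -InputObject keeps a one-element result serialized as a JSON array
    ConvertTo-Json -InputObject $snapshot | Set-Content -LiteralPath $Path -Encoding UTF8
    "$($snapshot.Count) exclusion values written to $Path"
}

function Compare-SepExclusionBaseline {
    # Emits Added/Removed rows; an Added row is a candidate unauthorized exclusion
    param([string]$Path = $BaselinePath)
    if (-not (Test-Path -LiteralPath $Path)) {
        throw "No baseline at $Path; run Save-SepExclusionBaseline first"
    }
    $baseline = @(Get-Content -LiteralPath $Path -Raw | ConvertFrom-Json)
    $current  = @(Get-SepExclusionSnapshot)

    # Set differences done by hand so empty arrays on either side are handled
    $added   = $current  | Where-Object { $baseline -notcontains $_ }
    $removed = $baseline | Where-Object { $current  -notcontains $_ }

    foreach ($a in $added)   { [pscustomobject]@{ Change = 'Added';   Entry = $a } }
    foreach ($r in $removed) { [pscustomobject]@{ Change = 'Removed'; Entry = $r } }
}

# Usage:
#   Save-SepExclusionBaseline                      # once, on a known-good host
#   Compare-SepExclusionBaseline | Format-Table    # scheduled; alert on 'Added' rows
#   Get-SepExclusionSnapshot                       # red team: what does the scanner skip?
```

Run the snapshot from an elevated session if the key's ACL blocks standard users. For monitoring at scale, the same key can be fed to Sysmon registry events (EventID 12/13/14 on that path) rather than polled, but the diff above is enough to confirm what a policy push actually wrote on a host.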
