Andrew Oliveau

@AndrewOliveau

2,828
Followers
705
Following
137
Media
598
Statuses

Adversary Simulation ♦️ IBM @XForce

Texas, USA
Joined June 2012
Pinned Tweet
@AndrewOliveau
Andrew Oliveau
6 months
👀👀🫵💥 "SeeSeeYouExec: Windows Session Hijacking via CcmExec" New @Mandiant Red Team blog explores how SCCM's CcmExec service can be utilized for session hijacking and introduces a new tool, CcmPwn, to weaponize this technique! Defense tips included 🔵
7
146
318
@AndrewOliveau
Andrew Oliveau
3 years
Quick and easy "semi" UAC bypass to read/write on system. > net use A: \\127.0.0.1\C$ > A:
20
317
1K
@AndrewOliveau
Andrew Oliveau
2 years
I took this personally
13
74
602
@AndrewOliveau
Andrew Oliveau
3 years
Compromising Azure AD Connect servers during pen tests and red teams is a lot of fun (and useful😉). 1. Escalate privileges from Domain Admin to Global Administrator 2. Compromise AD account with directory replication permissions (DCSync) 3. Opsec safe for DCSync attacks
5
165
583
@AndrewOliveau
Andrew Oliveau
1 year
Good news everyone! MinecraftLauncher.exe is susceptible to DLL sideloading. And YES, it is digitally signed by Mojang. EDRs have no idea what's coming for them😌
11
147
574
@AndrewOliveau
Andrew Oliveau
10 months
This is a great blog by @Tw1sm Tldr; Compromise workstations by coercing machine account HTTP authentications and relaying them to LDAP to set shadow credentials on the computer object. Then extract the NT hash, create a silver ticket, move laterally 🔥
8
172
554
@AndrewOliveau
Andrew Oliveau
3 years
As some of you may know, #CobaltStrike beacons can be detected using ETW. For CCDC our team built and used BeaconHunter to detect and respond to these threats. Github: We were able to kill +210 beacons (~70% automated) and monitor their behavior like...
7
216
532
@AndrewOliveau
Andrew Oliveau
1 year
💥BOOM!💥 Another privilege escalation blog, this time showcasing how to convert arbitrary file deletions 🗑️ to SYSTEM command prompt🌈 CVE-2023-27470. Learn about TOCTOU, pseudo-symlinks, MSI rollback exploits, and, of course, how to protect yourselves!
8
208
532
@AndrewOliveau
Andrew Oliveau
2 years
Lateral movement with Outlook + WMI COM objects
3
131
484
@AndrewOliveau
Andrew Oliveau
2 years
Hidden WinMail.exe executable in C:\Program Files\ Windows Mail\ susceptible to DLL hijacking #lolbin
3
99
397
@AndrewOliveau
Andrew Oliveau
1 year
🔥 Excited to share my latest @Mandiant Red Team blog on "Escalating Privileges via Third-Party Windows Installers" Learn how attackers exploit this privilege escalation vector and ways to defend against it. Includes BOF release and a couple CVEs!
8
152
360
@AndrewOliveau
Andrew Oliveau
10 months
Targeting Okta servers in internal networks is 🔥. This week I used @_xpn_ OktaPostExToolkit to set a skeleton key and login to Okta as anyone💀Absolutely brilliant
5
86
303
@AndrewOliveau
Andrew Oliveau
7 months
If you're a Red Teamer and not looking for this👇 you're missing out! Got Domain Admin in 3 out of my last 4 engagements using this attack 🔥 AD Tip: Enforce LDAP Signing and Channel Binding to stay protected.
@AndrewOliveau
Andrew Oliveau
10 months
This is a great blog by @Tw1sm Tldr; Compromise workstations by coercing machine account HTTP authentications and relaying them to LDAP to set shadow credentials on the computer object. Then extract the NT hash, create a silver ticket, move laterally 🔥
8
172
554
0
62
278
@AndrewOliveau
Andrew Oliveau
9 months
Got my first Microsoft CVE 🔥 CVE-2023-36004: Windows DPAPI (Data Protection Application Programming Interface) Spoofing Vulnerability
19
34
260
@AndrewOliveau
Andrew Oliveau
9 months
You’re in a red team assessment and you’ve secured domain admin privileges without detection. How would you shake up the blue team's incident response? What scenarios, tactics, or tools would you use to raise the noise and test their defenses? 🚨
73
27
235
@AndrewOliveau
Andrew Oliveau
2 months
I’m excited to share that I’ve joined IBM’s @XForce Adversary Simulation team. Eager to dive into new challenges and collaborate with some of the industry’s brightest minds. Looking forward to the new adventure!
28
20
226
@AndrewOliveau
Andrew Oliveau
2 years
Dear Blue Teamers, If your EDR isn’t detecting and preventing CobaltStrike’s logonpasswords from notepad.exe, the EDR sucks
11
16
201
@AndrewOliveau
Andrew Oliveau
3 months
Another option is to run “openssl s_client -connect <DC>:636 -showcerts -debug” and look for the CA server tied to the domain controller.
@Defte_
Aurélien Chalot
3 months
Wanna blindly check if the ADCS web enroll is installed on a domain? Bruteforce the /certenroll endpoint without the trailing / on all webservers. If you hit the ADCS web enroll you will get a location: /certenroll/ header in the response. Now enjoy blind ntlmrelayx ESC8👀👀👀
3
38
211
2
59
200
@AndrewOliveau
Andrew Oliveau
3 months
👀Why attackers love SSO! "Mandiant observed pivots into client SaaS applications. Traditionally used to centralize and increase security, in these instances they allowed access to applications hosted through MFA providers... vCenter, CyberArk, SalesForce, Azure, CrowdStrike"
4
26
155
@AndrewOliveau
Andrew Oliveau
2 years
Do you enjoy developing malware and stealthy C2 protocols? We have an open position for Senior Consultant - Red Team Development at Mandiant! 🔥🔥💵💵
1
24
120
@AndrewOliveau
Andrew Oliveau
2 months
Today is my last day at Mandiant. It’s been an incredible journey filled with unforgettable memories and experiences, and most importantly, the great friendships I made along the way 💜 Going to miss you all, don’t be a stranger!
8
0
120
@AndrewOliveau
Andrew Oliveau
11 months
Over the last few months, we've come across a significant number of LPE zero-day vulnerabilities that were identified and responsibly disclosed with the help of msi_search. Love to see it! 🔥
1
30
115
@AndrewOliveau
Andrew Oliveau
3 years
Want thousands of malicious Office document samples and their classification? @InQuest got you covered 🔥 Bunch of juicy stuff here… 👀
2
26
92
@AndrewOliveau
Andrew Oliveau
1 year
Bonus: Use COM objects that have the RunAs key set to "Interactive User" to hijack user sessions 👀👇
@kyleavery_
Kyle Avery
1 year
New DLL hijacking opportunities, triggered using DCOM for lateral movement:
1
118
307
0
18
83
@AndrewOliveau
Andrew Oliveau
2 years
Small trick to upload and run payloads through Jenkins: 1. Create new job and enable "This project is parameterized" with "File Parameter" 2. Go to "Build with Parameters" and select payload 3. Run payload from Script Console. Payload in ".\workspace\jobname\payload.exe" 💵🔥💵
2
20
71
@AndrewOliveau
Andrew Oliveau
6 months
CcmPwn is equipped with various modules. The “exec” module runs an AppDomainManager Injection payload for every logged-in user. The “coerce” module coerces SMB/HTTP authentications, which can then be used for password cracking or relay attacks. 👇
0
18
70
@AndrewOliveau
Andrew Oliveau
10 months
To coerce machine account HTTP authentications, the target system must have WebClient service running. The service typically runs on workstations, less likely on servers. To determine if WebClient is running, check out
3
9
54
@AndrewOliveau
Andrew Oliveau
2 years
I love COMpromising COMputers 🔥 Do you?
1
8
49
@AndrewOliveau
Andrew Oliveau
6 months
New red team blog & tool... ██████████████]99%
4
4
49
@AndrewOliveau
Andrew Oliveau
2 years
Impersonate Twitter handles by converting lowercase “i” to uppercase “I”. @SentinelOne I’ll be happy to give you my current Twitter handle 😄
3
3
49
@AndrewOliveau
Andrew Oliveau
8 months
First 0day of the year
4
0
47
@AndrewOliveau
Andrew Oliveau
2 years
I believe a recent Windows update is impacting Certipy’s auth. Had this issue last week and ended up using PKINITtools. Rubeus also working fine.
@ShitSecure
S3cur3Th1sSh1t
2 years
Certipy throws strange Kerberos errors when using auth for NT-Hash retrieval of Computer Accounts? Like "KRB_AP_ERR_BAD_INTEGRITY(Integrity check on decrypted field failed)" or others? Use "-ldap-shell" instead to authenticate to LDAP and configure RBCD to take over the target.
2
32
102
4
7
47
@AndrewOliveau
Andrew Oliveau
6 months
Update: 5 out of my last 6 engagements😬Treat this as a free RCE from Microsoft🤤
@AndrewOliveau
Andrew Oliveau
7 months
If you're a Red Teamer and not looking for this👇 you're missing out! Got Domain Admin in 3 out of my last 4 engagements using this attack 🔥 AD Tip: Enforce LDAP Signing and Channel Binding to stay protected.
0
62
278
5
7
47
@AndrewOliveau
Andrew Oliveau
5 years
Rooted 2 OSCP lab machines today 🤓 Looking forward to what lies ahead! @offsectraining #oscp
4
2
43
@AndrewOliveau
Andrew Oliveau
3 years
UNC897 has Red Team internship openings in Dallas! I can guarantee you will get PLENTY of opportunities to hack and participate in very interesting and complex projects - even as an intern 😁 Apply!
1
25
45
@AndrewOliveau
Andrew Oliveau
2 years
Had a great time presenting with @evan_pena2003 at the @TexasCyberConf! It was also a pleasure meeting new people and learning from them too. Really looking forward to doing this again 🙂
4
2
42
@AndrewOliveau
Andrew Oliveau
3 years
UNC897
4
5
41
@AndrewOliveau
Andrew Oliveau
1 year
I believe the best way to learn is to do it yourself, so I’m sharing an exercise for the curious minded. The following GitHub repo contains code that replicates CVE-2023-27470 with and without the ProcessRedirectionTrustPolicy mitigation policy. Have fun!
0
2
37
@AndrewOliveau
Andrew Oliveau
10 months
@_xpn_ Alternating between non-stealth internal pentests and stealthy red teams allows me to experiment comfortably. Successful techniques are documented in my “opsec” TTP list. Also communication between team members is key. After all, this is a red TEAM.
1
1
36
@AndrewOliveau
Andrew Oliveau
3 years
JUST FINISHED MY LAST EXAM IN COLLEGE
5
0
37
@AndrewOliveau
Andrew Oliveau
10 months
LPE ZERO-DAY
2
0
36
@AndrewOliveau
Andrew Oliveau
3 years
For the blue team: 1. Enforce MFA for all Global Administrator accounts 2. Treat your Azure AD Connect server as Tier 0 Happy Hacking!
4
5
34
@AndrewOliveau
Andrew Oliveau
7 months
You discover that an organization's domain controllers have SMB signing disabled (enabled by default). How do you abuse this configuration?
8
2
34
@AndrewOliveau
Andrew Oliveau
3 years
Nice article. It is also trivial to detect Cobalt Strike beacons using ETW. One year later and this technique still works :)
@TheDFIRReport
The DFIR Report
3 years
Cobalt Strike, a Defender's Guide - Part 2 ➡️In this report we talk about domain fronting, SOCKS proxy, C2 traffic, Sigma rules, JARM, JA3/S, RITA & more. Big shout-out to @Kostastsale for helping put this together!
6
356
769
0
4
32
@AndrewOliveau
Andrew Oliveau
2 months
Anyone keeping a list of companies using Crowdstrike? Asking for a friend
2
1
28
@AndrewOliveau
Andrew Oliveau
2 years
It's really disappointing to see 3rd party firms give horrible security suggestions, such as recommending an AD CS template susceptible to ESC1.
3
3
29
@AndrewOliveau
Andrew Oliveau
1 year
LPE 0-day 🕺🏽
2
0
27
@AndrewOliveau
Andrew Oliveau
2 years
Looks like @MITREattack recently added ADCS abuse to their framework. The ONLY threat actor abusing ADCS is APT29? 🤨
1
11
27
@AndrewOliveau
Andrew Oliveau
4 years
Read more about VBA Purging and detection and hunting rules in our blog post!
0
7
27
@AndrewOliveau
Andrew Oliveau
1 year
One of the best videos out there on researching and exploiting LPE vulnerabilities in 3rd party software
0
5
25
@AndrewOliveau
Andrew Oliveau
3 years
LETS GOOOOOOO!!! 3rd place at Nationals CCDC. Very proud of my team @masoncompcyber ! #NCCDC
2
0
25
@AndrewOliveau
Andrew Oliveau
6 days
Great blog by @h4wkst3r ! 🔥👇
@h4wkst3r
Brett Hawkins
6 days
Do you want to see how to deploy C2 payloads to Windows devices via Microsoft Intune Win32 apps AND how to detect it? Check out this @XForce research I conducted earlier this year:
3
54
142
0
6
25
@AndrewOliveau
Andrew Oliveau
1 year
Have a great day! Sincerely, Andrew Oliveau | CISSP | CEH | Harvard Educated | Keynote Speaker | MBA | LandLord
7
0
25
@AndrewOliveau
Andrew Oliveau
1 year
First Microsoft CVE on the way? 👀
2
0
25
@AndrewOliveau
Andrew Oliveau
2 years
@vysecurity @_EthicalChaos_ @byt3bl33d3r More and more I’ve been avoiding native DLLs that show up in Hijack Libs. Using 3rd party, non-native EXEs and DLLs for sideloading is pretty successful
2
2
25
@AndrewOliveau
Andrew Oliveau
1 year
UNC897 is hiring
1
3
24
@AndrewOliveau
Andrew Oliveau
2 years
@n00py1 That’s awesome. Did something similar recently with an LFI vulnerability. Relayed machine account creds to ADCS, got cert with client authentication, used cert to get NT hash via U2U authentication. Then forged Silver Ticket to get local admin :)
1
1
23
@AndrewOliveau
Andrew Oliveau
1 year
Researchers shouldn't have to dread vulnerability disclosures. If you're considering sharing vulnerabilities via BugCrowd, I highly recommend diving into this article.
0
10
23
@AndrewOliveau
Andrew Oliveau
1 year
Follow up blog soon ™️
@AndrewOliveau
Andrew Oliveau
1 year
🔥 Excited to share my latest @Mandiant Red Team blog on "Escalating Privileges via Third-Party Windows Installers" Learn how attackers exploit this privilege escalation vector and ways to defend against it. Includes BOF release and a couple CVEs!
8
152
360
0
0
23
@AndrewOliveau
Andrew Oliveau
1 year
✌️ Another LPE vulnerability in Atera CVE-2023-37243:
3
5
23
@AndrewOliveau
Andrew Oliveau
2 years
Looking forward to presenting some Red Team tricks at this year’s @texascyber !
2
3
21
@AndrewOliveau
Andrew Oliveau
3 years
GMU is still in the game! Super proud of my team @masoncompcyber ! This will be GMU's first time ever competing in #NCCDC and we look forward to it 🔥
2
4
21
@AndrewOliveau
Andrew Oliveau
3 years
tfw you find webshells through your webshell
1
0
21
@AndrewOliveau
Andrew Oliveau
4 years
What a journey! Rastalabs was challenging but a lot of fun. Great stuff @_RastaMouse #htb
1
1
21
@AndrewOliveau
Andrew Oliveau
3 months
Elevator could not find the SYSTEM hive 🙃
0
0
20
@AndrewOliveau
Andrew Oliveau
1 year
Got DA
1
0
20
@AndrewOliveau
Andrew Oliveau
4 years
LETS GOOOOOOO
0
0
19
@AndrewOliveau
Andrew Oliveau
3 months
Whether you are on the red team or the blue team, I highly recommend reading this blog. There are many things to learn, and it highlights real and often overlooked issues that I've encountered numerous times. Lastly, be careful with SSO and enforce MFA!
0
6
19
@AndrewOliveau
Andrew Oliveau
3 years
That feeling when you get DA in a red forest environment
2
0
18
@AndrewOliveau
Andrew Oliveau
3 months
WITHOUT the EDR triggering a single alert! Additionally, attackers could deploy a VM and perform malicious activities with minimal footprint. How can you protect yourself? - Enforce MFA, even if it's via SSO - Network segmentation - Logging (new user accounts, cloning, etc)
1
0
18
@AndrewOliveau
Andrew Oliveau
2 years
Parent/child process relationship: svchost.exe -> Outlook.exe (DCOM) -> WmiPrvSE.exe (COM) -> Profit
2
3
17
@AndrewOliveau
Andrew Oliveau
3 years
National CCDC today. Let's do this @masoncompcyber ! #NCCDC
4
1
17
@AndrewOliveau
Andrew Oliveau
1 year
@EricaZelic CISO: We use STATE OF THE ART mail gateway that stops ransomware Me: Your DCs are vulnerable to Zerologon. CISO: 👁️👄👁️ Me: 😬
1
3
17
@AndrewOliveau
Andrew Oliveau
6 months
SCCM-related 👀
2
0
16
@AndrewOliveau
Andrew Oliveau
2 months
VIVA ESPAÑA 🇪🇸
0
1
15
@AndrewOliveau
Andrew Oliveau
2 years
DA on a Monday
0
0
15
@AndrewOliveau
Andrew Oliveau
10 months
🔴CVE-2023-3181: Splashtop Software Updater for Windows contains a local privilege escalation vulnerability affecting versions 1.5.6.21 and prior. Issue is fixed in version 1.5.6.23.
1
3
15
@AndrewOliveau
Andrew Oliveau
1 year
Take it easy Thursday 🏝️
0
0
14
@AndrewOliveau
Andrew Oliveau
3 years
Clipboard monitoring > keylogging
0
0
14
@AndrewOliveau
Andrew Oliveau
3 months
Congrats on the first 0-day @psycep_ ! This man is a rockstar 👇
@psycep_
Jacob Paullus
3 months
Disclosed my first 0-day today (with @AndrewOliveau )
0
2
12
0
0
14
@AndrewOliveau
Andrew Oliveau
3 months
How can you protect yourself? - Once again, enforce MFA, regardless of whether SSO is being used. I've been in several environments where I could access the CrowdStrike dashboard via SSO. - Monitor the RTR module for lateral movement attempts - Restrict access to Tier 0 servers?
2
3
14
@AndrewOliveau
Andrew Oliveau
3 months
CrowdStrike: Living-off-the-land C2 (LOLC2)? Attackers with access to the CrowdStrike Falcon dashboard could execute system commands using the Real Time Response (RTR) module. What are the odds that a CrowdStrike agent is running on a DC? VERY HIGH.
1
2
14
@AndrewOliveau
Andrew Oliveau
2 years
Murican Football!
1
0
13
@AndrewOliveau
Andrew Oliveau
2 years
In this talk I'll be presenting traditional and novel techniques to abuse COM, including: Hijacking Scheduled Tasks, Bypassing AMSI, Proxied Payload Execution, Lateral Movement with DCOM, Remote Credential Harvesting
2
1
13
@AndrewOliveau
Andrew Oliveau
10 months
🔵CVE-2023-37244: N-Able's AutomationManagerAgent application for Windows contains a local privilege escalation vulnerability affecting versions 2.80.0.1 and prior. The issue was fixed in version 2.91.0.0.
2
0
13
@AndrewOliveau
Andrew Oliveau
5 years
Had a great time at @hackinparis Met very interesting people and never thought I would be hacking a Barbie house! 😂 #HIP19
1
7
13
@AndrewOliveau
Andrew Oliveau
2 years
@r3dQu1nn noVNC + vishing + HTML smuggling + MSI = 💜
0
1
13
@AndrewOliveau
Andrew Oliveau
2 years
@mariuszbit @peterwintrsmith @domchell This tool helped us a lot in red team vs blue team competitions. We didn’t use it at scale, but identifying and analyzing beacons on a couple systems made it easier to find the rest of the beacons in the environment 🙂
1
4
13
@AndrewOliveau
Andrew Oliveau
3 years
tfw when you complete objectives without DA privs
0
0
12
@AndrewOliveau
Andrew Oliveau
3 years
@_EthicalChaos_ Niice! By any chance are you using ETW and/or looking for threads in a DelayExecution state? Combining the two has given me surprisingly good results and built BeaconHunter as a PoC. Looking forward to BeaconEye's release :)
1
4
12
@AndrewOliveau
Andrew Oliveau
3 years
Want to change a GA Azure password back to the on-prem one? Easy! Just resync them on the AAD Connect server using AAD Connect's Troubleshooting tool
1
3
12
@AndrewOliveau
Andrew Oliveau
7 months
Monday morning DA
2
0
12