Bad Sector Labs @badsectorlabs Twitter profile

Pinned Tweet

Bad Sector Labs

8 months

Stop testing in prod (even someone else's)! Are you tired of installing Active Directory on your test VMs for the 100th time? Ever YOLO a binary off GitHub into prod because your testing setup is tedious? I've built a solution: (1/5)

Ludus

The easiest way to deploy testing infrastructure

ludus.cloud

12

64

166

Last Seen Profiles

@YingTian29790

@Fredo_cas16

@Insaisissable42

@bigaderne1

@92ndStreetY

@SKayz36618

@DJ_ELI_0701

@SKayz36618

@glainrhys

@mc_orinz

@eatskolnikov

@m_wo8y

@monogusa3

@_moonaaaaaa_

@KeaonnaWorley

@Antonius061

@stw_pdg

@VApicV

@GoblinsBoston

@fReH8hd2odJfxIK

@capetapardo

@BinorRaja

@miimm112

@_m3ganfoxx

@VApicV

@MharsMohammed

@AlmhamyhZhra

@miimm112

@Shahwani_Narrr

@fxzz_7

@BersetBircher

@stw367041087359

@Sjohn8_

@dmmdouga147

@mepooja

@aijyonowifi

Bad Sector Labs

@badsectorlabs

6 months

7

164

1K

Bad Sector Labs

@badsectorlabs

6 months

The xz package tar's were backdoored. Only discovered because the backdoor slowed down sshd enough for Andres Freund to investigate. Consider the case where the backdoor didn't cause perf issues... How long would this have gone undetected?

8

360

1K

Bad Sector Labs

@badsectorlabs

2 months

Dropped a new tool at DEF CON 32! Loot SCCM Distribution points via HTTP with We've found credentials, certificates, custom apps, keystores, etc. What will you find?

GitHub - badsectorlabs/sccm-http-looter: Find interesting files stored on (System Center) Configu...

Find interesting files stored on (System Center) Configuration Manager (SCCM/CM) shares via HTTP(s) - badsectorlabs/sccm-http-looter

github.com

0

127

306

Bad Sector Labs

@badsectorlabs

7 months

The most requested feature for 🏟️ Ludus is here: GOAD support! Follow the guide to deploy the amazing Game of Active Directory environment from @M4yFly on Ludus!

3

50

159

Bad Sector Labs

@badsectorlabs

4 years

This looks like a great new EDR bypass tool. Reading the blog posts and will poke around with it tonight!

GitHub - optiv/ScareCrow: ScareCrow - Payload creation framework designed around EDR bypass.

ScareCrow - Payload creation framework designed around EDR bypass. - optiv/ScareCrow

github.com

1

56

160

Bad Sector Labs

@badsectorlabs

6 months

It's here! Fully automated🔒Elastic Security server and agents for your Ludus labs. @__ar0d__ and I have made this one as easy as adding the roles to your config. Comes with: -ELK+Fleet+Detection engine -Auto agent install+registration -Detection rules

7

36

152

Bad Sector Labs

@badsectorlabs

3 months

It's happened. Unauthenticated OpenSSH RCE 🤯. It's a race condition so it takes ~10,000 attempts to get execution (hours to days under default config), so fail2ban etc should mitigate, but update ASAP. Qualys always impresses with these writeups.

5

37

148

Bad Sector Labs

@badsectorlabs

6 months

The level of sophistication to get this backdoor into the xz repo unnoticed is pretty incredible. See for yourself. Which of these commits added the backdoor? Spoiler, it was hidden in binary test files:

2

29

135

Bad Sector Labs

@badsectorlabs

3 years

User readable SAM hives ( @jonasLyk + @cube0x0 ), PetitPotam takes off ( @topotam77 ), Smart AD bruteforcing ( @_nwodtuhs ), automated maldocs ( @33y0re + @Inf0secRabbit ), Windows command line obfuscation ( @Wietze ), dockerized Android ( @sickcodes ), and more!

Last Week in Security (LWiS) - 2021-07-26

User readable SAM hives (@jonasLyk and @cube0x0), PetitPotam takes off (@topotam77), Smart AD bruteforcing (@_nwodtuhs and @podalirius_), automated advanced maldocs (@33y0re), Windows command line...

blog.badsectorlabs.com

3

44

108

Bad Sector Labs

@badsectorlabs

3 years

The DownloadFile() addition to BOF[.]NET allows for better opsec. First lsass dumps without touching disk (CredBandit - @anthemtotheego ), and now SharpHound without any json or zip written to disk.

William Knowles

@william_knows

3 years

Fetching SharpHound data entirely in-memory (no dropped ZIP or JSON files) using and Cobalt Strike.

2

134

323

0

49

103

Bad Sector Labs

@badsectorlabs

8 months

Want to test out the new ADCS ESC13 attack path by @Jonas_B_K ? We've made it easy to do in 🏟️Ludus. Get 7 ADCS attack paths set up in minutes with the new Ansible role by @__ar0d__ and myself. This is the power of !

2

32

98

Bad Sector Labs

@badsectorlabs

3 years

CloudFlare IP filtering ( @vysecurity ), DNSStager ( @mohammadaskar2 ), Cobalt Strike OPSEC ( @jmoosdijk ), Azure app phishing ( @nikhil_mitt ), decision making in red teams ( @Jackson_T ), GoPhish mods ( @michael_eder_ ), Offensive Process Hacker ( @OccamsXor ), +more!

Last Week in Security (LWiS) - 2021-05-24

CloudFlare IP filtering (@vysecurity), DNSStager (@mohammadaskar2), Cobalt Strike OPSEC (@jmoosdijk), Azure app phishing (@nikhil_mitt), decision making in red teams (@Jackson_T), and more!

blog.badsectorlabs.com

0

34

93

Bad Sector Labs

@badsectorlabs

3 years

DLL proxying with artifact kit ( @joevest ), lateral movement 101 ( @_RastaMouse ), Windows kernel driver hooking ( @cerbersec ), macOS XAR arbitrary file write ( @buffaloverflow ), launch ( @mrd0x ), protobuf in sqlmap ( @APTortellini ),+more!

Last Week in Security (LWiS) - 2021-11-01

DLL proxying with artifact kit (@joevest), lateral movement 101 (@_RastaMouse), Windows kernel driver hooking (@cerbersec), macOS XAR arbitrary file write (@buffaloverflow), malapi.io launch (@mrd0...

blog.badsectorlabs.com

0

34

83

Bad Sector Labs

@badsectorlabs

6 months

You've seen the XZ backdoor, but have you gotten hands on with it? With just a config edit and a deploy, the backdoor and xzbot tool is setup for you - thats the power of 🏟️ Ludus! New Flare VM, REMnux, and Commando VM roles/templates dropped too!

2

21

84

Bad Sector Labs

@badsectorlabs

3 years

Always Notify UAC bypass ( @hFireF0X + @axagarampur ), NTLM relaying to AD CS ( @_dirkjan ), 2x AD tools ( @_nwodtuhs ), Jira advisory to RCE ( @dozernz ),BitLocker key from TPM ( @DolosGroup ),PetitPotam + ESC8 tool ( @_batsec_ + @Flangvik ),eBPF LPE ( @chompie1337 )+more!

Last Week in Security (LWiS) - 2021-08-02

"Always Notify" UAC bypass (@hFireF0X + @axagarampur), NTLM relaying to AD CS (@_dirkjan), 2x AD tools (@_nwodtuhs), from Jira advisory to RCE (@dozernz), BitLocker key from a TPM (@DolosGroup),...

blog.badsectorlabs.com

0

30

76

Bad Sector Labs

@badsectorlabs

2 years

Full Edge exploit ( @33y0re ), dynamic P/Invoke ( @bohops ), Veeam exploits ( @SinSinology ), macOS LPE ( @patch1t ), AV debugger ( @PlowSec ), SMB over QUIC ( @_xpn_ ), and more!

Last Week in Security (LWiS) - 2022-04-11

Full Edge exploit (@33y0re), dynamic P/Invoke (@bohops), Veeam exploits (@SinSinology), macOS LPE (@patch1t), AV debugger (@PlowSec), SMB over QUIC (@_xpn_), and more!

blog.badsectorlabs.com

1

31

77

Bad Sector Labs

@badsectorlabs

3 years

AD pwnage ( @harmj0y , @tifkin_ , and @elad_shamir ), ImageLoad bypass ( @_batsec_ ), bofnet_executeassembly ( @william_knows ), reverse port knocking on Windows ( @TheXC3LL ), LNK generator ( @Jean_Maes_1994 ), payload automation ( @BinaryFaultline ), and more!

Last Week in Security (LWiS) - 2021-06-21

AD pwnage (@harmj0y, @tifkin_, and @elad_shamir), ImageLoad bypass (@_batsec_), bofnet_executeassembly (@william_knows), reverse port knocking on Windows (@TheXC3LL), LNK generator (@Jean_Maes_1994),...

blog.badsectorlabs.com

1

11

76

Bad Sector Labs

@badsectorlabs

3 years

The future of NTLM relaying ( @_EthicalChaos_ ), Windows updates for hackers ( @bitsadmin ), Syscall malware analysis ( @m0rv4i ), fighting EDRs in the kernel ( @cerbersec ), Living Off Trusted Sites (LOTS) Project ( @mrd0x ), and more!

Last Week in Security (LWiS) - 2021-11-16

The future of NTLM relaying (@_EthicalChaos_), Windows updates for hackers (@bitsadmin), Syscall malware analysis (@m0rv4i), fighting EDRs in the kernel (@cerbersec), Living Off Trusted Sites (LOTS)...

blog.badsectorlabs.com

0

30

73

Bad Sector Labs

@badsectorlabs

3 years

Another great technique from @mrdox . Impressive cadence of relevant releases. A must follow for any red or blue teamer.

mr.d0x

@mrd0x

3 years

I published a blog article detailing a phishing technique I called Browser in the Browser (BITB) Attack. It's very simple but can be very effective. I also published templates on my Github feel free to test them out.

117

1K

4K

2

9

71

Bad Sector Labs

@badsectorlabs

4 years

Censorship or restrictive networks blocking your browsing or C2 traffic? Try domain hiding! Available as a replacement for crypto/tls in Go or as a standalone proxy, you can try it today. You can hide behind any Cloudflare DNS hosted domain (26MM+).

DEF CON Safe Mode - Erik Hunstad - Domain Fronting is Dead, Long Live...

Domain fronting, the technique of circumventing internet censorship and monitoring by obfuscating the domain of an HTTPS connection was killed by major cloud...

www.youtube.com

2

36

72

Bad Sector Labs

@badsectorlabs

3 years

DLL proxying helper BOFs ( @the_bit_diddler ), Cobalt Strike traffic decryption ( @DidierStevens ), CES/CEP on Linux ( @duff22b ), Kerberoasting OPSEC ( @DebugPrivilege ), certutil LOLbin replacement ( @ElliotKillick ), and more!

Last Week in Security (LWiS) - 2021-11-08

DLL proxying helper BOFs (@the_bit_diddler), Cobalt Strike traffic decryption (@DidierStevens), CES/CEP on Linux (@duff22b), Kerberoasting OPSEC (@DebugPrivilege), certutil LOLbin replacement...

blog.badsectorlabs.com

0

29

68

Bad Sector Labs

@badsectorlabs

3 years

Browser in the Browser ( @mrd0x ), OSINT Map ( @MalfratsInd ), Rust packer ( @verixvogel ), local Kerberos to bypass UAC ( @tiraniddo ), crash to read/write in Chakra ( @33y0re ), AtlasC2 ( @Gr1mmie ), detecting Shadow Credentials ( @cfalta ), and more!

Last Week in Security (LWiS) - 2022-03-21

Browser in the Browser (@mrd0x), OSINT Map (@MalfratsInd), Rust packer (@verixvogel), local Kerberos to bypass UAC (@tiraniddo), crash to read/write in Chakra (@33y0re), AtlasC2 (@Gr1mmie), detecting...

blog.badsectorlabs.com

3

19

64

Bad Sector Labs

@badsectorlabs

1 year

Finally dug out of the DEF CON hole! 🕳️🥵 Thanks to everyone who shared their work over the past few weeks, and if I missed it let me know.

Last Week in Security (LWiS) - 2023-08-29

DEF CON 31 tools and so much more!

blog.badsectorlabs.com

4

22

67

Bad Sector Labs

@badsectorlabs

3 years

Prevent IP takeover ( @infosec_au ), Windows LPE via handles ( @last0x00 ), Exception Oriented Programming ( @BillDemirkapi @x86matthew ), Bloodhound 4.1 ( @_wald0 ), object overloading ( @_xpn_ ), arb file write on DCs ( @Junior_Baines ) KrbRelay ( @cube0x0 ) and more!

Last Week in Security (LWiS) - 2022-02-14

Prevent IP takeover (@infosec_au), Windows LPE via handles (@last0x00), Exception Oriented Programming (@BillDemirkapi and @x86matthew), Bloodhound 4.1 (@_wald0), object overloading (@_xpn_), arb...

blog.badsectorlabs.com

1

24

66

Bad Sector Labs

@badsectorlabs

3 years

PoCs for CAP_SYS_ADMIN bug (CVE-2022-0185) and the polkit (pwnkit) bug (CVE-2021-4034) are both out. User to root LPEs in lots of Linux distros and versions. Patch now!

1

19

66

Bad Sector Labs

@badsectorlabs

3 years

Log4j RCE, sAMAccountName [DA from any user] ( @exploitph ), XLAM tricks ( @_DaWouw ), Cobalt Strike 4.5 and MiTM ( @joevest , @DidierStevens ), CVEtrends ( @SimonByte ), additional Windows kernel tricks ( @cerbersec ), and more!

Last Week in Security (LWiS) - 2021-12-14

Log4j RCE, sAMAccountName [DA from any user] (@exploitph), XLAM tricks (@_DaWouw), Cobalt Strike 4.5 and MiTM (@joevest, @DidierStevens), CVEtrends (@SimonByte), additional Windows kernel tricks...

blog.badsectorlabs.com

0

20

65

Bad Sector Labs

@badsectorlabs

3 years

Mental models for offsec dev ( @Jackson_T ), lockscreen bypass ( @KLINIX5 ), DLL hijacking/cloning ( @Jean_Maes_1994 ), AV evasion framework ( @bb_hacks ), jailbreak detection defeat ( @_Kc57 ), drivers against EDR ( @synzack21 ), Golden SAML ( @inversecos ), and more!

Last Week in Security (LWiS) - 2021-09-07

Mental models for offsec dev (@Jackson_T), lockscreen bypass (@KLINIX5), DLL hijacking/cloning (@Jean_Maes_1994), AV evasion framework (@bb_hacks), jailbreak detection defeat (@_Kc57), Kernel drivers...

blog.badsectorlabs.com

0

17

64

Bad Sector Labs

@badsectorlabs

8 months

VMware (Broadcom) just officially killed free vShpere (ESXi). Sounds like a perfect time to try out Proxmox and why not automate it with the free and open source 👀

Ludus

The easiest way to deploy testing infrastructure

ludus.cloud

Justin Elze

@HackingLZ

8 months

RIP

49

228

613

3

8

65

Bad Sector Labs

@badsectorlabs

3 years

pkexec Linux LPE ( @jogibharat ), .NET remoting ( @codewhitesec ), usernames from CUCM ( @n00py1 ), Notepad++ persistence ( @_RastaMouse ), Mythic update ( @its_a_feature_ ), modern password spraying ( @SprocketSec ), and more!

Last Week in Security (LWiS) - 2022-01-31

pkexec Linux LPE (@jogibharat), .NET remoting (@codewhitesec), usernames from CUCM (@n00py1), Notepad++ persistence (@_RastaMouse), Mythic update (@its_a_feature_), modern password spraying (@Sproc...

blog.badsectorlabs.com

1

26

64

Bad Sector Labs

@badsectorlabs

4 years

Exchange RCE [ProxyLogon] ( @orange_8361 ), Windows DNS RCE [SIGRed] ( @chompie1337 ), C# AV Bypass ( @ShitSecure ), Google Chrome LPE ( @KLINIX5 ), SaltStack API vulns ( @dozernz ), SACL honeypots ( @jmoosdijk ), Universal loader in Go ( @symbolcrash1 ), and more!

Last Week in Security (LWiS) - 2021-03-08

Exchange RCE [ProxyLogon] (@orange_8361), Windows DNS RCE [SIGRed] (@chompie1337), C# AV Bypass (@ShitSecure), Google Chrome LPE (@KLINIX5), SaltStack API vulns (@dozernz), SACL honeypots (@jmoosdi...

blog.badsectorlabs.com

0

19

64

Bad Sector Labs

@badsectorlabs

4 months

JS-Tap by @hoodoer is my favorite new tool in the past few months. Very polished, and brings new capability to an often ignored vulnerability (XSS). Red teamers, now is the time to leverage those XSS vulns to further your objectives! (1/2)

GitHub - hoodoer/JS-Tap: JavaScript payload and supporting software to be used as XSS payload or...

JavaScript payload and supporting software to be used as XSS payload or post exploitation implant to monitor users as they use the targeted application. Also includes a C2 for executing custom Java...

github.com

8

20

64

Bad Sector Labs

@badsectorlabs

3 years

The latest in a long line of LSASS dumpers. Besides the (now) standard direct syscalls and in-memory only features it also ignores DLLs you don’t need to reduce the download size dramatically. This is the current state of the art in LSASS dumping.

Panos Gkatziroulis 🦄

@netbiosX

3 years

NanoDump - A Beacon Object File that creates a minidump of the LSASS process

0

94

259

0

9

63

Bad Sector Labs

@badsectorlabs

3 years

EXE in LNK embeds ( @x86matthew ), LinkedIn Slink phishers ( @briankrebs ), Apollo 2.0 ( @djhohnstein ), modern relaying ( @Jean_Maes_1994 ), exfil with Power Automate ( @varonis ), sandboxing defender ( @GabrielLandau ), SysWhispers rundown ( @KlezVirus ), and more!

Last Week in Security (LWiS) - 2022-02-07

EXE in LNK embeds (@x86matthew), LinkedIn Slink phishers (@briankrebs), Apollo 2.0 (@djhohnstein), modern relaying (@Jean_Maes_1994), exfil with Power Automate (@varonis), sandboxing defender...

blog.badsectorlabs.com

3

33

63

Bad Sector Labs

@badsectorlabs

6 months

The backdoor "trigger" was only present in the distributed tars - and not even in the "source code" tar! Here it is in Debian's import of the xz tar:

1

4

61

Bad Sector Labs

@badsectorlabs

3 years

New APIs/syscalls for EDR bypass ( @yarden_shafir ), UAF browser exploit dev ( @33y0re ), PowerView replacement [EDD] ( @FortyNorthSec ), phishing banner defeat ( @whynotsecurity ), malware packer teardown ( @fumik0_ ), NANDcromancy ( @Atredis ), and more!

Last Week in Security (LWiS) - 2021-04-26

New APIs/syscalls for EDR bypass (@yarden_shafir), UAF browser exploit dev (@33y0re), PowerView replacement [EDD] (@FortyNorthSec), phishing banner defeat (@whynotsecurity), packer teardown (@fumik...

blog.badsectorlabs.com

1

20

61

Bad Sector Labs

@badsectorlabs

2 years

.NET with docx ( @danonit ), AV evasion ( @_vivami ), 🎣 errors ( @Marco_Ramilli ), global 💉+🪝 ( @m417z ), advanced fuzzing ( @kasifdekel ), NTLM auth from SCCM ( @_Mayyhem ), xss iframe 🪤 ( @hoodoer ), patchless AMSI bypass ( @_EthicalChaos_ ), and more!

Last Week in Security (LWiS) - 2022-04-18

.NET execution with docx (@danonit), AV evasion masterclass (@_vivami), Phisher's errors (@Marco_Ramilli), global injection and hooking (@m417z), custom transport protocols in Burp(@pentagridsec),...

blog.badsectorlabs.com

0

28

62

Bad Sector Labs

@badsectorlabs

3 years

PrintNightmare saga ( @cube0x0 , @gentilkiwi , + others), Gatekeeper bypass ( @theevilbit ), DLL sideloading finder ( @ConsciousHacker ), sudo LPE on vCenter 7 ( @saidelike ), intro to Windows driver exploits ( @gf_256 ), C# merge tool ( @_EthicalChaos_ ), and more!

Last Week in Security (LWiS) - 2021-07-06

PrintNightmare saga (@cube0x0, @gentilkiwi, + others), Gatekeeper bypass (@theevilbit), DLL sideloading finder (@ConsciousHacker), Sudo LPE on vCenter (@saidelike), intro to Windows driver exploits...

blog.badsectorlabs.com

0

15

61

Bad Sector Labs

@badsectorlabs

1 year

Windows LPE ( @chompie1337 ), TPM Bitlocker deepdive, unhooking effects ( @dazzyddos ), CastGuard, Apple OTA -> kernel hack ( @patch1t ), FalconHound ( @olafhartong ), GraphRunner ( @dafthack ), and more! Nearly didn't make it by the end of Tuesday 🥵

Last Week in Security (LWiS) - 2023-10-24

Windows LPE (@chompie1337), TPM Bitlocker deepdive (@[email protected]), unhooking effects (@dazzyddos), CastGuard (@[email protected]), Apple OTA -> kernel hack (@patch1t), FalconHound...

blog.badsectorlabs.com

1

19

58

Bad Sector Labs

@badsectorlabs

6 months

"Jia Tan's" commits to xz started 2022-02-06. Perhaps the account was compromised, but this looks like trust building with the maintainers before the backdoor commits.

3

59

Bad Sector Labs

@badsectorlabs

3 months

4 commands to get 18 VM templates with zero manual interaction. Set up a new instance today and it's still a neat experience to have complex things that used to take tons of manual effort just work 😊

0

6

58

Bad Sector Labs

@badsectorlabs

3 years

PrinterLogic RCEs ( @TheParanoids ), Java analysis ( @infosec_au ), DCSync from Linux ( @n00py1 ), race conditions ( @itscachemoney ), ManageEngine auth bypass ( @sourceincite ), Windows driver RE methods ( @Void_Sec ), Sliver + BOFs ( @LittleJoeTables ), and more!

Last Week in Security (LWiS) - 2022-01-25

PrinterLogic RCEs (@TheParanoids), Java app analysis (@infosec_au), DCSync from Linux (@n00py1), timed race conditions (@itscachemoney), ManageEngine auth bypass (@sourceincite), Windows driver RE...

blog.badsectorlabs.com

0

21

57

Bad Sector Labs

@badsectorlabs

3 years

Windows LPE 0day ( @KLINIX5 ), Win 10 URI "RCE" ( @positive_sec ), detect bad TLS certs with ML ( @NCCGroupInfosec ), USB-over-ethernet vuln ( @kasifdekel ), bitlocker key leak ( @theluemmel ), Linux TIPC LPE ( @bl4sty ), abusing SecLogon ( @splinter_code ), and more!

Last Week in Security (LWiS) - 2021-12-07

Windows LPE 0day (@KLINIX5), Windows 10 URI handler "RCE" (@positive_sec), detect anomalous TLS certs with ML (@NCCGroupInfosec), USB-over-ethernet vuln (@kasifdekel), bitlocker key leak (@theluemm...

blog.badsectorlabs.com

0

15

56

Bad Sector Labs

@badsectorlabs

6 months

Luckily that was caught in Debian "sid" the unstable testing distro, so the blast radius should be small? If your SSHD seems a bit slower, its a good idea to figure out why! Stay safe out there!

1

2

55

Bad Sector Labs

@badsectorlabs

3 years

iOS exploit campaign ( @amnesty + others), #printnightmare refuses to die ( @gentilkiwi ), readable SAM/SYSTEM hives ( @jonasLyk ), Ubuntu shifts LPE ( @vdehors ), SharpHound exfil in memory ( @william_knows ), Windows exploit dev ( @33y0re ), and more!

Last Week in Security (LWiS) - 2021-07-19

iOS exploit campaign (@amnesty + others), PrintNightmare refuses to die (@gentilkiwi), readable SAM/SYSTEM hives (@jonasLyk), Ubuntu shifts LPE (@vdehors), SharpHound exfil in memory (@william_know...

blog.badsectorlabs.com

0

23

54

Bad Sector Labs

@badsectorlabs

3 years

Word RCE, advanced Nim tradecraft ( @snovvcrash ), TCC bypass ( @_r3ggi ), encrypted heap allocations ( @waldoirc ), vuln hunting ( @renorobertr ), token priv 🔧 BOF ( @the_bit_diddler + @hackersoup ), 📧 for C2 ( @0xBoku ), 🤖 DLL hijacking ( @knight0x07 ), and more!

Last Week in Security (LWiS) - 2021-09-14

Word RCE, Advanced Nim tradecraft (@snovvcrash), TCC bypass (@_r3ggi), encrypted heap allocations (@waldoirc), vuln hunting with binary ninja (@renorobertr), token priv manipulation BOF (@the_bit_d...

blog.badsectorlabs.com

1

18

52

Bad Sector Labs

@badsectorlabs

3 years

ESXi heap overflow RCE ( @straight_blast ), abusing .NET dev features ( @bohops ), new book ( @1njection ), LNK tricks ( @V3ded ), Outlook post-ex fun ( @checkymander ), new C# obfuscation tool ( @h4wkst3r ), WOW64 injector ( @aaaddress1 ), and more!

Last Week in Security (LWiS) - 2021-05-31

ESXi heap overflow RCE (@straight_blast), abusing .NET dev features (@bohops), new book (@1njection), LNK for initial access and persistence (@V3ded), Outlook post-ex fun (@checkymander), new C#...

blog.badsectorlabs.com

1

15

53

Bad Sector Labs

@badsectorlabs

3 years

Exim RCE ( @lockedbyte ), Windows kernel exploit writeup ( @33y0re ), plaintext RDP creds from memory ( @jonasLyk , @n00py1 ), MS Defender ATP bypasses ( @Tyl0us ), hashcat 6.2.0 ( @hashcat ), persist and blend C2 with Teams ( @BlackArrowSec ), and more!

Last Week in Security (LWiS) - 2021-05-17

Exim RCE (@lockedbyte), Windows kernel exploit writeup (@33y0re), plaintext RDP creds from memory (@jonasLyk, @n00py1), MS Defender ATP bypasses (@Tyl0us), hashcat 6.2.0 (@hashcat), and more!

blog.badsectorlabs.com

0

24

52

Bad Sector Labs

@badsectorlabs

6 months

Great day to set up a new 🏟️Ludus host! This is a GMKTec NucBox K8 (AMD Ryzen 7 8845HS), 96 GB of 5600MHz RAM, and 2x 2TB PCIe 4.0 NVMe (will RAID 0 for max speed). Should be 🔥 What are you running Ludus on?

12

2

51

Bad Sector Labs

@badsectorlabs

3 years

ProFTPd UAF ( @lockedbyte ), API hacking ( @hakluke and @Farah_Hawaa ), file extension tricks on cloud storage ( @mrd0x ), built-in AD searching with ADSI ( @Gr1mmie ), DCE/RPC fingerprints ( @hdmoore ), SAML issues ( @Secureworks , @joonas_fi ), and more!

Last Week in Security (LWiS) - 2021-08-16

ProFTPd UAF (@lockedbyte), API hacking (@hakluke and @Farah_Hawaa), file ext tricks (@mrd0x), built-in AD searching w/ADSI (@Gr1mmie), DCE/RPC fingerprints (@hdmoore), SAML issues (@joonas_fi), and...

blog.badsectorlabs.com

1

17

48

Bad Sector Labs

@badsectorlabs

3 years

More JDNI to RCE ( @jfrog ), parallel loader ( @peterwintrsmith and @cube0x0 ), MS signed phishing docs ( @ptrpieter and @_DaWouw ), IP-takeover vulns ( @sebsalla ), driver loading BOF dev ( @cerbersec ), and more!

Last Week in Security (LWiS) - 2022-01-10

More JDNI to RCE (@jfrog), parallel loader (@peterwintrsmith and @cube0x0), MS signed phishing docs (@ptrpieter and @_DaWouw), IP-takeover vulns (@sebsalla), driver loading BOF dev (@cerbersec), and...

blog.badsectorlabs.com

0

19

48

Bad Sector Labs

@badsectorlabs

4 months

If you've been 👀 SCCM tradecraft from the sidelines there is now an easy way to set up a fully custom SCCM env thanks to @synzack21 . It's so cool to see Ludus making advanced, customized setups as easy as a few commands and a config edit! 🥳 Guide:

SCCM Lab | Ludus

Shout out to Zach Stein (@synzack21) for collaborating to create the Ludus SCCM Ansible collection!

docs.ludus.cloud

Zach Stein

@synzack21

4 months

Been playing with lab automation with Ansible & and released my recent project. If you are looking for a customizable SCCM home lab to practice tradecraft, check out the corresponding blog and repository!

1

39

75

1

10

49

Bad Sector Labs

@badsectorlabs

9 months

This might be the most feature complete, well documented offsec tool I have ever seen. Bravo @Hultoko ! 👏👏👏

GitHub - spellshift/realm: Realm is a cross platform Red Team engagement platform with a focus on...

Realm is a cross platform Red Team engagement platform with a focus on automation and reliability. - spellshift/realm

github.com

2

14

49

Bad Sector Labs

@badsectorlabs

3 years

This is cool for two reasons: 1️⃣ The two step injection and use of InlineShapes is pretty nifty. 2️⃣ The automation interop between C# and Word can be used as a basis for your own maldoc pipelines for red teaming.

Connor McGarr

@33y0re

3 years

Trying to get into .NET lately I ended up putting together a new project as a result. LittleCorporal is an automated Maldoc generator that leverages VBA, Donut, and thread hijacking to load a user specified shellcod blob into a remote process. Project:

2

121

327

1

6

49

Bad Sector Labs

@badsectorlabs

4 months

No AI, no content automation (besides an RSS reader), 100% human curated cybersecurity content by myself and @__ar0d__ . Published weekly to the web with no Javascript, via email, or RSS. It's the blog I wish existed before I started it. Don't sleep on it!

Last Week in Security (LWiS)

@lastweekinfosec

4 months

Nighthawk 0.3 ( @MDSecLabs ), Musl heap exploit ( @NCCsecurityUS ), Copilot chat 💉 ( @wunderwuzzi23 ), and more!

0

7

22

1

15

48

Bad Sector Labs

@badsectorlabs

2 months

Achievement unlocked: Appear in the background of a @LiveOverflow video. I checked, and the first LiveOverflow video I watched was 8 years ago (First Exploit. Buffer Overflow with Shellcode - Bin 0x0E). Really cool to meet Fabian in person and have a table next to @hextreeio !

2

1

48

Bad Sector Labs

@badsectorlabs

2 months

Great minds think alike! More SCCM tooling from @croco_byte that shares some elements with our recently released tool while also having unique features. Cheers to parallel discovery! 🍻

GitHub - badsectorlabs/sccm-http-looter: Find interesting files stored on (System Center) Configu...

Find interesting files stored on (System Center) Configuration Manager (SCCM/CM) shares via HTTP(s) - badsectorlabs/sccm-http-looter

github.com

Synacktiv

@Synacktiv

2 months

In our latest blogpost, @croco_byte explores the inner workings of SCCM policies and introduces , a tool targeting secret policies in order to exploit misconfigurations, harvest credentials, and pivot across collections by impersonating legitimate clients.

0

56

133

2

5

47

Bad Sector Labs

@badsectorlabs

6 months

User readable /sys/kernel/notes exposed the address of xen_startup, effectively breaking kernel address space layout randomization (KASLR) for local privilege escalation exploits (or any exploit with file read ability) for the entire history of KASLR… 😬

c0m0r1

@c0m0r1

6 months

17 yrs of KASLR bypasses was a total waste of time 🫤

7

117

673

0

13

47

Bad Sector Labs

@badsectorlabs

6 months

Exploit devs stealing work and dropping 0days like old days!

matteyeux

@matteyeux

6 months

Looks like someone dropped a Linux kernel 0day

41

531

3K

0

4

47

Bad Sector Labs

@badsectorlabs

7 months

Get 257 (and counting) vulnerable services in Ludus with one config edit. Test popular vulnerabilities against products like Confluence or Apache Airflow. It's easy with the badsectorlabs.ludus_vulhub role!

1

13

46

Bad Sector Labs

@badsectorlabs

6 months

Oh boy, sometimes being cutting edge cuts back 🔪🩸.

Kali Linux

@kalilinux

6 months

The xz package, starting from version 5.6.0 to 5.6.1, was found to contain a backdoor. The impact of this vulnerability affected Kali between March 26th to March 29th. If you updated your Kali installation on or after March 26th, it is crucial to apply the latest updates today.

45

1K

3K

2

1

46

Bad Sector Labs

@badsectorlabs

3 years

AFL++ on Android ( @Gr33nh4t ), Qualcomm NPU exploits ( @mmolgtm ), sysWhipser research ( @CaptMeelo ), TPM sniffing (Julien Oberson), CheckCert and SQLRecon ( @sanjivkawa ), and more!

Last Week in Security (LWiS) - 2021-11-22

AFL++ on Android (@Gr33nh4t), Qualcomm NPU exploits (@mmolgtm), sysWhipser research (@CaptMeelo), TPM sniffing (Julien Oberson), CheckCert and SQLRecon (@sanjivkawa), and more!

blog.badsectorlabs.com

0

16

45

Bad Sector Labs

@badsectorlabs

3 years

PPLDump BOF ( @the_bit_diddler ), code-signed rootkits ( @HackingThings ), remote windows password resets ( @n00py1 ), XSS to RCE ( @whynotsecurity ), FinSpy bootkit ( @kaspersky ), Azure brute-forceable endpoint ( @DrAzureAD ?), and no C2 drama!

Last Week in Security (LWiS) - 2021-09-28

PPLDump BOF (@the_bit_diddler), code-signed rootkits (@HackingThings), remote windows password resets (@n00py1), XSS to RCE (@whynotsecurity), FinSpy bootkit (@kaspersky), Azure brute-forceable...

blog.badsectorlabs.com

0

17

44

Bad Sector Labs

@badsectorlabs

2 years

Ever wanted to use Splunk or Osquery as your C2? @__ar0d__ and my talk at @BSidesAugusta shows you how. If you aren't thinking about using #traitorware on your next engagement or how to defend against it in your environment, check out the slides and code:

Sign in · GitLab

GitLab.com

gitlab.com

0

25

44

Bad Sector Labs

@badsectorlabs

3 years

I've been a @RumbleDiscovery user since it was in beta. It has replaced every masscan + nmap + other tool script for enumeration because it's that good. Red team tip: if you aren't worried about network detection, the offline rumble scanner is so good once inside a network.

1

12

43

Bad Sector Labs

@badsectorlabs

6 months

Want more epic Linux hack content? This was my go to for "real APT on Linux content" posted in 2021 and the author hasn't posted since... @IgorBog61650384 you ok?

APT Encounters of the Third Kind

A few weeks ago an ordinary security assessment turned into an incident response whirlwind. It was definitely a first for me, and I was kindly granted permission to outline the events in this blog...

igor-blue.github.io

1

10

44

Bad Sector Labs

@badsectorlabs

3 years

OffensiveRust ( @trickster012 ), persistence via preview panes ( @matterpreter + @mutantvillian ), decrypting CyberArk ( @jelleverg ), enumerate uncommon SMB shares ( @podalirius_ ), and more!

Last Week in Security (LWiS) - 2021-10-06

OffensiveRust (@trickster012), persistence via preview panes (@matterpreter + @mutantvillian), decrypting CyberArk (@jelleverg), enumerate uncommon SMB shares (@podalirius_), and more!

blog.badsectorlabs.com

1

9

43

Bad Sector Labs

@badsectorlabs

3 years

Stealing GitHub secrets ( @not_an_aardvark ), TeamsImplant ( @allevon412 ), Nimcrypt2 ( @icyguider ), VMware RCEs ( @elk0kc ), LdapSignCheck ( @cube0x0 ), ( @DissectMalware ), and more!

Last Week in Security (LWiS) - 2022-02-28

Stealing GitHub secrets (@not_an_aardvark), TeamsImplant (@allevon412), Nimcrypt2 (@icyguider), VMware RCEs (@elk0kc), LdapSignCheck (@cube0x0), yaradbg.dev (@DissectMalware), and more!

blog.badsectorlabs.com

0

20

39

Bad Sector Labs

@badsectorlabs

3 years

Instantly level up your Cobalt Strike game with these amazing BOFs, now with support for the latest Windows 10 versions thanks to SysWhispers2. Probably the set of BOFs I reach for more often than any other (except maybe BOF[.]NET).

Alfie Champion

@ajpc500

3 years

Late to the party, but thrilled to have my BOFs in the Community Kit. I've just updated the injectors (NtCreateThreadEx and NtQueueApcThread variations) and process dumping BOF to SysWhispers2 so they're ready to roll with 21H1+.

3

29

97

2

5

42

Bad Sector Labs

@badsectorlabs

2 years

BOFs are becoming the new standard cross C2 primitive like powershell and C# were before and I’m here for it.

0

14

42

Bad Sector Labs

@badsectorlabs

1 month

🥳 200th Last Week in Security! 🥳 I remember talking to @riskybusiness early in 2020, offering to partner on a more technical subsection of risky biz. He (wisely) said, "Let's wait and see, this is a lot of work." He was right, but I'm still at it!

Last Week in Security (LWiS) - 2024-09-03

argv[0] tampering (@Wietze), Moodle eval() misuse (@RedTeamPT), ntoskrnl.exe PoC (@b1thvn_), 4x wappd exploits (@hyprdude), and more!

blog.badsectorlabs.com

6

42

Bad Sector Labs

@badsectorlabs

2 years

Two weeks worth of cybersecurity news, techniques, write-ups, exploits, and tools!

Last Week in Security (LWiS) - 2022-05-16

blog.badsectorlabs.com

3

8

42

Bad Sector Labs

@badsectorlabs

2 years

GitHub OAuth token hack, security.txt RFC ( @EdOverflow ), channel binding bypass for LDAP ( @lowercase_drm ), #ExtraReplica ( @sagitz_ @shirtamari @nirohfeld @ronenshh ), Windows kernel driver fun ( @_xpn_ ), prefetch on Apple Silicon ( @jose_vicarte +team) +more!

Last Week in Security (LWiS) - 2022-05-02

GitHub OAuth token hack, security.txt RFC (@EdOverflow), channel binding bypass for LDAP (@lowercase_drm), #ExtraReplica (@sagitz_, @shirtamari, @nirohfeld, @ronenshh), Windows kernel driver fun...

blog.badsectorlabs.com

0

13

39

Bad Sector Labs

@badsectorlabs

4 years

vCenter RCE, JSON interop vulns ( @theBumbleSec ), PHPWind RCE presentation ( @orange_8361 ), infra automation ( @cedowens ), AMSI knowledge ( @ShitSecure ), binary format magic 🧙( @JustineTunney ), modular password spraying ( @0xZDH ), and more!

Last Week in Security (LWiS) - 2021-03-01

JSON interop vulns (@theBumbleSec), PHPWind RCE presentation (@orange_8361), infra automation (@cedowens), AMSI knowledge (@ShitSecure), actual magic (@JustineTunney), modular password spraying...

blog.badsectorlabs.com

0

16

40

Bad Sector Labs

@badsectorlabs

3 years

iOS 15.0.1 IOMFB exploit ( @AmarSaar ), new lsass dumper ( @thefLinkk ), SharpCalendar ( @sadpanda_sec ), gcpHound ( @desi_jarvis + @Richarjb ), macOS app sandbox escape ( @epsilan ), and more!

Last Week in Security (LWiS) - 2021-10-11

iOS 15 IOMFB exploit (@AmarSaar), new lsass dumper (@thefLinkk), SharpCalendar (@sadpanda_sec), gcpHound (@desi_jarvis + @Richarjb), macOS SBX (@epsilan), and more!

blog.badsectorlabs.com

0

14

39

Bad Sector Labs

@badsectorlabs

1 year

I feel seen by this post @HackingLZ . So many blogs focus on *a* bug or *a* tool, not many on the adversary simulation exercise and what it encompasses. I once spent a full week planning, mocking up, and rehearsing a path - went from 🎣 to DA in 23 minutes.

Walking the Tightrope: Maximizing Information Gathering while…

www.trustedsec.com

1

6

39

Bad Sector Labs

@badsectorlabs

7 months

Unmanaged VMs (think EDR appliances, IoT devices, other systems that don't support qemu-guest-agent) are now supported in Ludus 1.2.0! Just add `unmanaged: true` to your ludus range config for the VM.

1

10

38

Bad Sector Labs

@badsectorlabs

3 years

Arbitrary exes as BOFs ( @phraaaaaaa ), .NET exes via BOF ( @anthemtotheego ), legacy enterprise RCE ( @AdamOfDc949 ), built-in packet sniffing in Windows ( @TheXC3LL ), patching EternalBlue for embedded ( @CaptMeelo ), and more!

Last Week in Security (LWiS) - 2021-07-12

Arbitrary exe's as BOFs (@phraaaaaaa), .NET exe's via BOF (@anthemtotheego), enterprise grade RCE (@AdamOfDc949), built-in packet sniffing in Windows (@TheXC3LL), patching EternalBlue for embedded...

blog.badsectorlabs.com

0

13

37

Bad Sector Labs

@badsectorlabs

1 year

More Fortinet RCE ( @frycos ), alloc-less injection ( @bohops ), embedded system hacking ( @levaronsky ), miniDLNA head exploitation ( @hyprdude ), dump creds from sshd ( @jm33_m0 ) MS Teams phishing ( @CorbridgeMax + @tde_sec ) ThreatCheck + Ghidra ( @_RastaMouse )+more!

Last Week in Security (LWiS) - 2023-06-26

More Fortinet RCE (@frycos), alloc-less injection (@bohops), embedded system hacking (@levaronsky), miniDLNA head exploitation (@hyprdude), dump creds from sshd (@jm33_m0), MS Teams phishing (@Corb...

blog.badsectorlabs.com

0

18

37

Bad Sector Labs

@badsectorlabs

3 years

DEF CON/Blackhat talks/tools, Cobalt Strike Updates ( @joevest , @adamsvoboda ), ProxyShell [another exchange RCE] ( @orange_8361 ). DeployPrinterNightmare ( @Flangvik ), Pulse Connect patch bypass ( @buffaloverflow ), Snapcraft App exploitation ( @itszn13 ), + more!

Last Week in Security (LWiS) - 2021-08-09

Cobalt Strike Updates (@joevest, @adamsvoboda), ProxyShell [another exchange RCE] (@orange_8361). DeployPrinterNightmare (@Flangvik), Pulse Connect patch bypass (@buffaloverflow), Snapcraft App...

blog.badsectorlabs.com

1

10

36

Bad Sector Labs

@badsectorlabs

3 years

Full DarkHotel exploit ⛓️ ( @_ForrestOrr ), DomainBorrowing ( @md5_salt ), WinPmem to dump LSASS ( @TheXC3LL ), Twitter Tip Jar fail ( @RachelTobac ), the reasoning behind DripLoader ( @_lpvoid ), .NET + NTFS tricks ( @G0ldenGunSec ), and more!

Last Week in Security (LWiS) - 2021-05-10

Full DarkHotel exploit ⛓️ (@_ForrestOrr), DomainBorrowing (@md5_salt), WinPmem to dump LSASS (@TheXC3LL), Twitter Tip Jar fail (@RachelTobac), the reasoning behind DripLoader (@_lpvoid), .NET + NTFS...

blog.badsectorlabs.com

1

11

35

Bad Sector Labs

@badsectorlabs

5 months

🏟️Ludus 1.4.0 is out! New features: ✨set `always_blocked_networks` to protect LAN or other networks ✨ set timezone via the config for all VMs 1.4.0 includes lots of improvements and "testing mode" has been totally refactored. Check it out!

🌐 Networking | Ludus

'The Ludus Network'

docs.ludus.cloud

0

6

35

Bad Sector Labs

@badsectorlabs

3 years

CI/CD pipeline war stories ( @0xZon1 + others), Serv-U exploit writing (Cal Livitt of @bishopfox ), Safari IndexedDB leak ( @FingerprintJS ), RDP services vuln ( @sztejnworcel ), a very slick loader ( @cerbersec ), and more!

Last Week in Security (LWiS) - 2022-01-18

CI/CD pipeline war stories (@0xZon1 + others), Serv-U exploit writing (Carl Livitt of @bishopfox), Safari IndexedDB leak (@FingerprintJS), RDP services vuln (@sztejnworcel), a very slick loader...

blog.badsectorlabs.com

1

12

34

Bad Sector Labs

@badsectorlabs

3 years

RCE on a NAS ( @alexjplaskett , @saidelike , and @FidgetingBits ), Double Fetch vulns ( @N1ckDunn ), Razer LPE ( @matthiasdeeg ), DFIR cloud automation ( @ZawadiDone ), Ubuntu LPE ( @ETenal7 ), and more!

Last Week in Security (LWiS) - 2022-03-28

RCE on a NAS (@alexjplaskett, @saidelike, and @FidgetingBits), Double Fetch vulns (@N1ckDunn), Razer LPE (@matthiasdeeg), DFIR cloud automation (@ZawadiDone), Ubuntu LPE (@ETenal7), and more!

blog.badsectorlabs.com

0

9

32

Bad Sector Labs

@badsectorlabs

4 years

Ubuntu LPE ( @Gr33nh4t ), open source FIDO2 🔑 ( @SoloKeysSec ), new ways to copy shellcode in VBA ( @TheXC3LL ), unconventional exploitation ( @itm4n ), harvesting hashes ( @domchell ), M1 mac malware ( @ForensicITGuy ), BOFs outside of CS ( @TrustedSec ), and more!

Last Week in Security (LWiS) - 2021-02-22

Ubuntu LPE (@Gr33nh4t), open source FIDO2 🔑 (@SoloKeysSec), new ways to copy shellcode in VBA (@TheXC3LL), unconventional exploitation (@itm4n), harvesting hashes (@domchell), M1 mac malware...

blog.badsectorlabs.com

1

10

34

Bad Sector Labs

@badsectorlabs

2 years

Back from summer break with a big post! Tons of great content for red teamers, bug bounty hunters, exploit devs, defenders, and anyone else in the security space!

Last Week in Security (LWiS) - 2022-08-30

AceLdr (@kyleavery_), DLL fun (@Wietze + @ConsciousHacker), CI/CD pwnage (@smarticu5), Kerberos LPE (@monoxgas + @tiraniddo), Burp ➡️ C2 profile (@codex_tf2), AD CS + PIV (@_EthicalChaos_), and more!

blog.badsectorlabs.com

1

9

34

Bad Sector Labs

@badsectorlabs

4 years

SolarWinds news and dumping tool ( @mubix ), C# runtime dependency resolution ( @Jean_Maes_1994 + @_RastaMouse ), direct syscalls in BOFs ( @OutflankNL + @ajpc500 ), C# from Nim ( @ShitSecure ), Ubuntu LPE ( @scannell_simon ), and more!

Last Week in Security (LWiS) - 2021-01-04

SolarWinds news and dumping tool (@mubix), Android exploit from an iOS exploiter (@_bazad), C# runtime dependency resolution (@Jean_Maes_1994 + @_RastaMouse), direct syscalls in BOFs (@OutflankNL +...

blog.badsectorlabs.com

1

15

33

Bad Sector Labs

@badsectorlabs

4 years

New macOS C2 ( @cedowens ), Nim implant ( @NotoriousRebel1 ), x64 AMSI bypass in VBA ( @rd_pentest ), VBA purging tool ( @h4wkst3r / @AndrewOliveau ), macOS privesc via MS Teams ( @theevilbit ), Kali tool developer partnership ( @kalilinux / @byt3bl33d3r ), and more!

Last Week in Security (LWiS) - 2020-11-23

New macOS C2 (@cedowens), Nim implant (@NotoriousRebel1), x64 AMSI bypass in VBA (@rd_pentest), VBA purging tool (@h4wkst3r/@AndrewOliveau), macOS privesc via MS Teams (@theevilbit), Kali tool...

blog.badsectorlabs.com

0

7

32

Bad Sector Labs

@badsectorlabs

4 years

I think this is the first public, stable PoC for SIGRed (unauth RCE as SYSTEM against a DC running DNS). Excellent post!

chompie

@chompie1337

4 years

My first ever blog post: Anatomy of an Exploit: RCE CVE-2020-1350 #SIGRed . RCE PoC included, for research purposes. This was my first userland Windows heap exploit and I hope a deep dive into the process will help others. Patch or apply the workaround.

14

271

688

0

11

32

Bad Sector Labs

@badsectorlabs

6 months

Ludus runs on top of Debian Bookworm - no impact to Ludus users 😃 (unless you have a Debian sid VM!)

1

2

32

Bad Sector Labs

@badsectorlabs

3 years

Plaintext RDP credentials are now accessible to mimikatz without injection or hooking.

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

3 years

Now in #mimikatz 🥝, #mstsc credentials (passwords / PIN codes) for RDP / Remote Desktop Client - ts::mstsc - on client credentials - ts::logonpasswords - on server credentials Does not rely on previously injected hook/library, useful on jumping servers >

22

472

1K

0

14

32

Bad Sector Labs

@badsectorlabs

2 years

Acrobat extension issues ( @WPalant ), ECDSA signature in Java vuln ( @neilmaddog ), GPO LPE ( @decoder_it ), SSN resolution from process structs ( @modexpblog ), AWS container escape ( @yuvalavra ), and more!

Last Week in Security (LWiS) - 2022-04-25

Acrobat extension issues (@WPalant), ECDSA signature in Java vuln (@neilmaddog), GPO LPE (@decoder_it), SSN resolution from process structs (@modexpblog), AWS container escape (@yuvalavra), and more!

blog.badsectorlabs.com

1

15

32

Bad Sector Labs

@badsectorlabs

1 year

Microsoft O365 compromised for a few months for 25 customers, block EDR DLLs ( @ShitSecure ), shellcode in 3D models ( @TrustedSec ), AMSI bypasses ( @pfiatde ), Atlassian macOS RCE ( @_r3ggi ), the smallest C# binary ( @washi_dev ), >350 blogs monitored, +more!

Last Week in Security (LWiS) - 2023-07-17

Microsoft O365 was compromised for a few months for 25 customers, block EDR DLL loading (@ShitSecure), stashing shellcode in 3D models (@TrustedSec), AMSI bypasses (@pfiatde), Atlassian Companion...

blog.badsectorlabs.com

0

7

31

Bad Sector Labs

@badsectorlabs

3 years

macOS ESF playground ( @jbradley89 ), Azure privesc via service principles ( @_wald0 ), Java gadget finding ( @hugow_vincent ), malicious Azure AD OAuth2 ( @nyxgeek ), and more!

Last Week in Security (LWiS) - 2021-10-19

macOS ESF playground (@jbradley89), Azure privesc via service principles (@_wald0), Java gadget finding (@hugow_vincent), malicious Azure AD OAuth2 (@nyxgeek), and more!

blog.badsectorlabs.com

1

11

31

Bad Sector Labs

@badsectorlabs

4 years

Dependency Confusion ( @alxbrsn ), 🪝 MiniDump ( @Mari0Bartolome , @spotheplanet ), SharePoint hacking ( @acap4z ), stealthy Windows IPC ( @LloydLabs ) direct syscall detection ( @winternl_t ) on-the-fly 🪝 from .NET ( @FuzzySec ) Windows LPE forever-day ( @itm4n )+more!

Last Week in Security (LWiS) - 2021-02-15

Dependency Confusion (@alxbrsn), hooking MiniDump (@Mari0Bartolome, @spotheplanet), SharePoint hacking (@acap4z), stealthy Windows IPC (@LloydLabs), direct syscall detection (@winternl_t), on-the-fly...

blog.badsectorlabs.com

0

19

31

Bad Sector Labs

@badsectorlabs

5 months

@mrd0x I made a nice landing page for a free and open source tool, and I’ve shared it and gotten some “lol is this a sales pitch?” People are primed to reject anything that looks too good. As EDR gets better, tools are harder to come by as well. You’re one of few sharing access tools.

2

0

30

Bad Sector Labs

@badsectorlabs

3 years

Shared section abuse ( @BillDemirkapi ), ISOs and office MOTW ( @DidierStevens ), better fuzzing harnesses ( @h0mbre_ ), PoshC2 Linux ELF loader ( @jdsnape ), "Event pipes" for IPC ( @x86matthew ), Linux LPE ( @pqlqpql ), .soap webshells ( @0xbad53c ), and more!

Last Week in Security (LWiS) - 2022-04-04

Shared section abuse (@BillDemirkapi), ISOs and office MOTW (@DidierStevens), better fuzzing harnesses (@h0mbre_), PoshC2 Linux ELF loader (@jdsnape), "Event pipes" for IPC (@x86matthew), Linux LPE...

blog.badsectorlabs.com

0

10

29

Bad Sector Labs

@badsectorlabs

1 year

🥵 You guys publish a lot of stuff, it can be hard to keep up! This is my catch-up post to get back on track. Keep hacking!

Last Week in Security (LWiS) - 2023-06-15

A months worth of news, techniques, tools and exploits!

blog.badsectorlabs.com

3

8

27

Bad Sector Labs

@badsectorlabs

1 month

Step 1: Look cool 😎 🏟️Ludus has a brand new installer powered by @charmcli ! 1.5.0 also allows for `depends_on` when using roles - opening up complex server/client roles to be deployed in any order! Install docs have been simplified too - now is the best time to try Ludus!

2

8

29

Bad Sector Labs

@badsectorlabs

3 months

Kernel Samepage Merging (KSM) is pure magic 🪄. The Linux kernel can scan memory and deduplicate pages that store the same info. Huge savings for hypervisors (). Here I am running 92 VMs (23x router, DC, Win 11, Kali) on a NUC 🤯

3

2

29