Marcello

@byt3bl33d3r

29,556
Followers
568
Following
730
Media
9,362
Statuses

CyBeRsEcUrItY | Not afraid to put down with some THICC malware on disk | securing and breaking AI @ProtectAICorp | Ex @spacex

Joined December 2012
Pinned Tweet
@byt3bl33d3r
Marcello
1 year
The demos and slides of my Defcon 31 talk are now publicly available. 🧵 1/3 This first video demonstrates impersonating Satan (spoofing an email from satan @churchofsatan .com). This was the inspiration for the title of the talk 😛
8
67
240
@byt3bl33d3r
Marcello
2 years
Infosec peeps after burnout be like
28
165
1K
@byt3bl33d3r
Marcello
3 years
Wrote a scanner for PrintNightmare (CVE-2021-34527). Allows you to scan entire subnets and gives you a CSV report. Supports both MS-RPRN and MS-PAR checks. Haven't tested in a prod environment yet (just my lab). Feel free to send a PR if you see FPs.
4
294
725
@byt3bl33d3r
Marcello
5 years
Had no clue about this, as of Python 3.5 you can bundle an entire application into a ZipFile (with a .pyz extension) and execute it directly. This is the equivalent of Java .jar files for Python
9
240
694
@byt3bl33d3r
Marcello
7 years
Need a quick way to find hosts on your network that support SMBv1 connections? Run: cme smb <CIDR> Done.
9
342
676
@byt3bl33d3r
Marcello
6 years
Just open-sourced the SprayingToolkit! A collection of Python scripts to take the headache out of performing password spraying attacks against OWA & S4B/Lync. Ever wanted to perform real time sprays while scraping LinkedIn profiles from Google? ;)
6
313
646
@byt3bl33d3r
Marcello
7 years
Automating the Empire with the Death Star: getting Domain Admin with a push of a button
23
380
585
@byt3bl33d3r
Marcello
4 years
Fucking priceless. Do an image search on google for “MITRE EDR evaluation results”. You’ll find a graph which links to a blog post on *EVERY* single EDR vendors website saying “we’re the best EDR”.
37
148
585
@byt3bl33d3r
Marcello
2 years
No need to write obfuscators anymore
15
65
551
@byt3bl33d3r
Marcello
8 months
@maxafrass “We like thicc slices of bread in this house” should be a doormat
4
12
512
@byt3bl33d3r
Marcello
4 years
Just made the OffensiveNim repository public. This is a couple of weeks worth of notes and research into using Nim for general offensive operations. If you don't want to write your implants in C/C++, Nim is the way to go IMHO. Feedback welcome
14
202
502
@byt3bl33d3r
Marcello
7 years
Practical guide to NTLM Relaying in 2017 (A.K.A getting a foothold in under 5 minutes)
8
346
502
@byt3bl33d3r
Marcello
6 years
I made a bunch of Ansible playbooks the other day in order to streamline/automate my workflow during engagements. Specifically I wanted to install a bunch of tools from Git and have them all setup in separate Python virtualenvs.
4
176
491
@byt3bl33d3r
Marcello
7 months
Sydney Sweeney reveals in an interview that she has strong opinions about the EDR industry. “I think EDRs are all fucking pieces of shit” She adds, “CrowdStrike needs to stop smoking crack and making action figures out of APTs. it’s cringe af”
15
46
467
@byt3bl33d3r
Marcello
5 years
W00t! CrackMapExec now has binaries! You don't need to install it anymore! Just grab the binaries under the latest build under the action tab! Go forth and pwn!
10
196
469
@byt3bl33d3r
Marcello
5 years
Thank you everyone for coming to my @Derbycon talk! Just released v0.4.0 of SILENTTRINITY! Biggest update yet, ton of new modules thanks to @nicolas_dbresse , upload/download functionality and the new and improved minidump module which integrates pypykatz!
7
163
424
@byt3bl33d3r
Marcello
4 years
It has begun... 🔥
9
77
408
@byt3bl33d3r
Marcello
3 years
Hot off the presses: part 2 of making C2 less painful. Modernizing the CIA's approach to offensive Infrastructure by using mesh VPN networks, micro-services and hybrid-cloud deployments. Get your buzzword bingo cards ready. #seo
9
150
398
@byt3bl33d3r
Marcello
5 years
Just noticed that apparently Win Defender just alerts on any PowerShell process touching lsass. The SILENTTRINITY Mimikatz module runs just fine if executed from cmd.exe. However, if running from PowerShell it runs but Defender kills the process
7
123
390
@byt3bl33d3r
Marcello
5 years
Super excited to finally release SILENTTRINITY v0.3.0 which has been in the works for a long time: The tool now supports multi-user collaboration and has a client/server architecture. Check out the readme for a list of the new features, hope it's useful!
3
161
375
@byt3bl33d3r
Marcello
7 years
CrackMapExec v4.1 (ҪФԠЯДDЄ ԐDЇҐЇФЍ) is almost done! Will be making the changes public after my @BlackHatEvents Asia Arsenal demo next week! The entire C2/plugin system has been overhauled, details soon 😎
10
124
350
@byt3bl33d3r
Marcello
4 years
I'm excited to be releasing the new DeathStar. Complete re-write of the original script, supports AD networks with multiple domains/forests, has a plugin system and "Active Monitoring": so it adapts its attack path based on real-time changes in the network.
9
129
327
@byt3bl33d3r
Marcello
3 years
Haven't blogged in a while but here's the first of a series of post exploring modern tech stacks making C2 infrastructure creation less painful
8
135
331
@byt3bl33d3r
Marcello
5 years
Really glad to finally get a blogpost out about this. Hopefully this is useful and gives Red Teamers ideas on how to use the BYOI concept in their own payloads. If anyone is interested in a few more follow up posts about this will gladly oblige :)
3
171
315
@byt3bl33d3r
Marcello
5 years
For anyone wondering, yes it’s written in C# and yes I will be totally adding it as a SILENTTRINITY module if I can get the source code (a few changes need to be made in order for it to run in memory). #makemalwarefunagain
@SamNChiet
Samperson
5 years
I made a goose that destroys your computer Download it free here:
3K
92K
253K
5
66
305
@byt3bl33d3r
Marcello
4 years
...computers used by water plant personnel ... used the 32-bit version of the Windows 7... all computers shared the same password for remote access and appeared to be connected directly to the Internet without any type of firewall protection... 🤷🏻‍♂️
25
119
289
@byt3bl33d3r
Marcello
5 years
Just pushed a somewhat big update to SILENTTRINITY with a lot of forward compatibility fixes for Python 3.8 and made the PowerShell "stageless" stager public. Plus more modules and bug fixes
5
126
294
@byt3bl33d3r
Marcello
1 year
Pack it up people, Intel solved it
8
52
281
@byt3bl33d3r
Marcello
7 years
CrackMapExec now supports Powershell script and launcher obfuscation using @danielhbohannon 's Invoke-Obfuscation! :D
2
178
284
@byt3bl33d3r
Marcello
5 years
Bloodhound on an ultra wide curved monitor makes you feel like you’re hacking Hollywood Style.
14
43
286
@byt3bl33d3r
Marcello
6 years
Pssst! Hey you! SEP got you down during a pentest ? TIL of smc -stop and smc -disable -ntp. Works like a charm, the latter doesn't even require admin rights
7
106
285
@byt3bl33d3r
Marcello
4 years
Fuck computers
20
31
267
@byt3bl33d3r
Marcello
5 years
Just published the slides of my "IronPython OMFG v2.0" talk yesterday at @hackinparis on github here
2
108
274
@byt3bl33d3r
Marcello
6 years
Just released my slides for my talk at @hackinparis 2018 The Past, Present & Future of Enterprise Security the 'Golden Age' of Attack Automation #HIP18
3
129
275
@byt3bl33d3r
Marcello
6 years
Just migrated CrackMapExec away from PyCrypto, you should have a *lot* less dependency woes when installing the bleeding edge version from git
8
73
266
@byt3bl33d3r
Marcello
4 years
Xmas came early for me. Load .NET assemblies from memory using x-compiled Nim executable in 5 lines:
import winim/clr
var myassembly: array[4608, byte] = [ byte 0x4d, 0x5a... ]
var loadedasm = load(myassembly)
var instance = loadedasm.new("MyNamespace.Program")
instance.Main()
4
77
268
@byt3bl33d3r
Marcello
4 years
CrackMapExec v5.1.1 is now available on Pypi. Thanks to @mpgn_x64 it's stable enough for me to finally get rid of the old version. You can now install the latest version of CME with a `pip install crackmapexec`. Happy Pwnage.
4
94
254
@byt3bl33d3r
Marcello
4 years
omg.... I did it! Win32 Syscalls from Nim!!! 😍
7
46
251
@byt3bl33d3r
Marcello
5 years
Holy shit, this actually solves an incredible amount of packaging problems, you can put all dependencies into a single portable zip file! No more virtualenvs! All the end user needs is the python interpreter and everything else is self contained!
@byt3bl33d3r
Marcello
5 years
Had no clue about this, as of Python 3.5 you can bundle an entire application into a ZipFile (with a .pyz extension) and execute it directly. This is the equivalent of Java .jar files for Python
9
240
694
3
77
251
@byt3bl33d3r
Marcello
5 years
PSA: Executing an EXE from an SMB server is still an extremely valid way of bypassing a lot of “next-gen” EDR products 🤷🏻‍♂️
6
73
251
@byt3bl33d3r
Marcello
7 years
Pro tip: don't just look for public S3 buckets when doing OSINT. Remember to look for DigitalOcean spaces and Azure Containers as well
2
102
249
@byt3bl33d3r
Marcello
5 years
Just pushed a pretty huge update to WitnessMe. It now supports parsing .Nessus files, URL files, has a database search CLI tool and a lot more. Still a WIP but it's getting there slowly.
10
86
243
@byt3bl33d3r
Marcello
3 years
We should ban PsExec, net.exe, group policy and most of the features in windows as they’re being used by ransomware gangs. Also we need to ban teamviewer and any remote administration tool as they have the potential of being abused. Also need to ban the internet
21
32
243
@byt3bl33d3r
Marcello
5 years
Just FYI, the python3 branch of CrackMapExec was merged into master as of a few minutes ago. Also @mpgn_x64 (the mad man who ported it over to Python 3) is now an official collaborator.
6
86
244
@byt3bl33d3r
Marcello
3 years
Why do I need an EDR bypass if I can just download process hacker ? 🧐
11
18
230
@byt3bl33d3r
Marcello
4 years
On today’s episode of weird windows shit, apparently if you rename a .exe to a .pif windows will still execute it just fine. On top of that, the file icon and type in explorer changes to “Shortcut to MS-DOS program”. Looks a lot less evil.
7
88
233
@byt3bl33d3r
Marcello
4 years
Here’s a recent discovery that changed my life: tired of manually creating Python virtual environments for every single Python tool ? Turns out Pipx is the solution
9
76
231
@byt3bl33d3r
Marcello
4 years
#CME6 🔥
7
31
229
@byt3bl33d3r
Marcello
7 years
Bonus: ever wanted to actually exploit those Java deserialization bugs you find ? Check out @coalfirelabs awesome exploit collection ! Pushed an exploit for JBoss just last night!
1
116
227
@byt3bl33d3r
Marcello
5 years
Status update after 3-4 months of basically not writing a single line of code for any of my open source tools: my health has improved, I’ve never been this well rested in my entire life and I don’t feel like a zombie every day. Question now is, why should I even go back to OSS dev?
32
7
226
@byt3bl33d3r
Marcello
4 years
📣 Ok peeps, have an announcement: all future tools and updates I release will be Sponsorware. Only people who have sponsored me on Github at a specific tier will get access to them initially. Finally, they will be made publicly available only after I reach a target n of sponsors
27
46
226
@byt3bl33d3r
Marcello
4 years
Just because you’re paying a lot of money for an EDR does not mean it actually works against the basic stuff.
8
42
216
@byt3bl33d3r
Marcello
4 years
We’re hiring interns at @BHinfoSecurity for a bunch of R&D projects! (All internships are paid & remote). Applicants must have some basic C# and Python knowledge. If you’re interested send me your resume and we’ll talk! (DMs are open)
20
140
211
@byt3bl33d3r
Marcello
5 years
I’ll tell you a secret :) giving me a tip on Patreon will automatically trigger a CI/CD pipeline which will push a freshly compiled & *obfuscated* SILENTTRINITY C# exe/dll stager to the public repository. For when you really need to bypass all the things.
13
38
209
@byt3bl33d3r
Marcello
4 years
Shellcode execution via inline assembly through Nim works!
5
39
208
@byt3bl33d3r
Marcello
4 years
I've released the new WitnessMe update early in order to help people identify F5 BIG-IP devices vulnerable to CVE-2020-5902. Updated the Readme with a quick start for this specific use case, less than 5 min install and start scanning.
6
91
207
@byt3bl33d3r
Marcello
6 years
Excited to announce the release of Kukulkan to the OffensiveDLR repo! This is essentially a slimmed down version of SILENTTRINITY! Also the C2 comms (including the initial stage) are completely encrypted! And you can use it with CobaltStrike 🐍😈
0
103
206
@byt3bl33d3r
Marcello
6 years
Just pushed an Internal Monologue module for SILENTTRINITY! Cause touching LSASS is overrated ;) If you're not familiar with this attack it's pretty dope, check it out here
1
91
204
@byt3bl33d3r
Marcello
6 years
Just pushed an enormous update to Red Baron! Highlights include Ansible support and dynamic SSH autocompletion of created infrastructure! If you find bugs (which you probably will) let me know !
0
69
200
@byt3bl33d3r
Marcello
4 years
Was playing with Impacket yesterday and accidentally (re)discovered a bug that allows you to silently crash the Event Log Service over RPC. Apparently this was already reported to MSRC but didn't meet the bar to be serviced cause it requires Admin privs
5
74
197
@byt3bl33d3r
Marcello
3 years
Just pushed another snippet to OffensiveNim implementing the token sandboxing technique discovered by @gabriellandau . gr33tz to @0xpwnisher for the C++ PoC.
4
67
198
@byt3bl33d3r
Marcello
4 years
I’m starting to get really sick of this industry. I feel like no progress is being made and everything that’s applauded as progress is smoke and mirrors and doesn’t have any actual value outside of making a few people wealthy.
13
13
194
@byt3bl33d3r
Marcello
4 years
GITHUB HAS A DARK MODE
9
20
187
@byt3bl33d3r
Marcello
4 years
In other news, I managed to embed Python (CPython) within Nim. Few things to work out to make it 100% OPSEC safe but it works. You can think of it as a mini PyInstaller Bootloader written in Nim. Can even pull down Python directly from the Python[.]org website :)
5
50
193
@byt3bl33d3r
Marcello
7 years
Working on a new project 🤟 i think this might be a game changer for red teams. It's the best of both worlds and more. Ever wanted a postex agent that can access all of .NET and dynamically compile C# without going through powershell ?
7
64
194
@byt3bl33d3r
Marcello
7 years
Happy to announce @coalfirelabs just released Red Baron: a red team infrastructure automation tool! Ever wanted to create a C2 server and redirector with 8 lines of code? I got you covered.
@coalfirelabs
Coalfire Labs
7 years
The Coalfire Labs R&D team on its one week anniversary is open-sourcing Red Baron: Automate creating resilient, disposable, secure and agile infrastructure for Red Teams!
0
31
49
6
122
185
@byt3bl33d3r
Marcello
6 years
"Injecting .Net Assemblies Into Unmanaged Processes" This is pretty amazing!
5
91
180
@byt3bl33d3r
Marcello
6 years
As of today, I'm humbled and honored to be joining the awesome team over at @BHinfoSecurity ! Exciting times ahead! \o/
27
7
184
@byt3bl33d3r
Marcello
7 years
Every time I speak with anyone in the Infosec community I'm just constantly blown away by how passionate and smart people are. I think a lot of us take this for granted. This is an extremely unique and privileged job.
2
30
175
@byt3bl33d3r
Marcello
5 years
4
43
176
@byt3bl33d3r
Marcello
7 years
CME now supports command execution via WinRM (PS Remoting), and parsing NMap XML / .Nessus files for targets! :D
4
110
175
@byt3bl33d3r
Marcello
1 year
Really excited to be speaking at @defcon this year! My talk is titled "SpamChannel: Spoofing Emails from +2M Domains and Virtually becoming Satan" Love/hate Email security? Want your phishing campaigns to be a whole lot easier ? you should def come to my talk! 😈 #defcon31
6
33
178
@byt3bl33d3r
Marcello
5 years
Added 2 more PoC scripts to the OffensiveDLR repo. One of which embeds the SSharp Compiler within a Posh script (Can be easily embedded from within any .NET language.) SSharp code compilation does not call csc.exe :)
1
62
173
@byt3bl33d3r
Marcello
4 years
This is really cool, surprised it isn't more popular. Does a bunch of OPSEC checks on PE files and allows you to "taint" various attributes.
1
56
172
@byt3bl33d3r
Marcello
4 years
I just had an EDR vendor straight up tell my client they had to “re-calibrate their AI engine” to detect a Python Reverse HTTPS meterpreter....... PORCA MADONNA.
14
16
168
@byt3bl33d3r
Marcello
5 years
Will be dropping the new SILENTTRINITY update later today or tomorrow just in time for my BlackHat Arsenal and Defcon Demo Labs presentations. This is a big one. Stay tuned :)
2
42
166
@byt3bl33d3r
Marcello
5 years
Been working on some PoC C# code which would allow you to dynamically invoke native Win32 API's from JScript using ClearScript's ExtendedHosts functions () Creds to @subTee for the Emit code
2
73
166
@byt3bl33d3r
Marcello
7 years
If you're running Windows 7, 10 or iOS 10.3.1 you're not affected by the Krack Attack unless you're using WPA2-GCMP.
7
165
156
@byt3bl33d3r
Marcello
3 years
Yo this might sound crazy but turns out if you don’t look at your computer screen and go outside there’s stuff that doesn’t involve computers
18
16
164
@byt3bl33d3r
Marcello
2 years
Who’s got one of those cool mind maps for AD attacks that’s updated with all the shit that came out the past few years ?
10
23
156
@byt3bl33d3r
Marcello
2 years
Just published some research and scripts that allow you to do DLL sideloading/proxy loading with Nim DLLs. Also, by accident figured out how to remove the NimMain function from the export table :)
4
69
161
@byt3bl33d3r
Marcello
4 years
CrackMapExec hit 4k stars over the weekend on Github... Guess I really should start concentrating efforts on v6 huh 😬
4
17
162
@byt3bl33d3r
Marcello
4 years
Trump drops 0day
@KDbyProxy
Ira 'Greybeard Homer' Goldman 🦆🦆🦆
4 years
Donald Trump on computer hacking: "Nobody gets hacked. To get hacked you need somebody with 197 IQ and he needs about 15 percent of your password." [video]
78
363
756
9
32
154
@byt3bl33d3r
Marcello
5 years
Yearly reminder to remove PowerShell V2 EVERYWHERE. Doesn’t matter what EDR , logging, witchcraft you have in place. If an attacker has access to the Posh V2 runtime, they can automatically bypass it all.
3
52
162
@byt3bl33d3r
Marcello
5 years
Apparently the @CIA released most of the files that were on Osama Bin Laden’s computer / in his compound 🧐
7
64
158
@byt3bl33d3r
Marcello
4 years
If every major pentest/RT shop gave something back to the Responder project as opposed to just leeching off of it for profit, we wouldn’t have to rely on 1 goddamn person to maintain a tool that EVERYONE fucking uses. The entire system is broken.
8
31
160