Retcon Monthly Resources

This is just a collection of relevant red team/cyber related resources.

• Cant get wireshark to show http streams properly? it May be due to this https://serverfault.com/questions/377147/why-wireshark-does-not-recognize-this-http-response

Offensive - Tools

• SSH Password Theft - https://eapolsniper.github.io/2020/08/22/SSH-Password-Theft/
  • https://jm33.me/sshd-injection-and-password-harvesting.html
  • https://blog.xpnsec.com/linux-process-injection-aka-injecting-into-sshd-for-fun/
  • https://raj3shp.medium.com/exploiting-linux-systems-with-ptrace-637f13a7d9ea
• Hawk (SSH Credential Harvest)
  • https://www.prodefense.io/blog/hawks-prey-snatching-ssh-credentials
• TermSpy (Keylogger)
  • https://github.com/raj3shp/termspy/tree/main
• Coal (Rootkit?)
  • https://github.com/cblack-r7/coal
• Gobot
  • https://github.com/SaturnsVoid/GoBot/blob/master/rootkit/rootkit.go
• CMvarDecrypt
  • https://github.com/1njected/CMvarDecrypt
• Inflative Loading?
  • https://github.com/senzee1984/InflativeLoading?tab=readme-ov-file
• Tinyshell
  • https://github.com/creaktive/tsh/blob/master/tsh.c
• Obfuscation Themida
  • https://grimthereaperteam.medium.com/printspoofer-obfuscation-with-themida-c7efe8563298
• SharpPageGrab
  • https://github.com/breakid/SharpPageGrab/blob/main/SharpPageGrab/Program.cs
• OffensiveZig
  • https://github.com/darkr4y/OffensiveZig
• BokuLoader
  • https://github.com/boku7/BokuLoader

Offensive - Tools (from the crypts)

• frostbyte (edr evasion)
  • https://github.com/pwn1sher/frostbyte
• Awesome-Rat
  • https://github.com/darkr4y/awesome-Rat
• Alaris - protective and low level shellcode loader that defeats modern edr systems
  • https://github.com/joshfaust/Alaris

Offensive - Infrastructure

• Self-Signed Apache Certificate
• https://medium.com/@pasanglamatamang/configuring-a-self-signed-ssl-certificate-on-a-apache-server-cbcd6eefdf1a
  • https://www.arubacloud.com/tutorial/how-to-enable-https-protocol-with-apache-2-on-ubuntu-20-04.aspx
• Ahttps://www.tutorialspoint.com/how-to-setup-virtual-hosts-with-apache-web-server-on-linux
• Modsecurity https://www.linuxcapable.com/how-to-install-modsecurity-nginx-owasp-crs-with-ubuntu-linux/
  • `https://docs.cpanel.net/knowledge-base/experimental-software/modsecurity-3/`
• AWS - Nameserver issue https://medium.com/featurepreneur/nameserver-issue-in-aws-ec2-on-ubuntu-a8b455a2bac3
• Lighthttpd
  • https://www.cyberciti.biz/tips/howto-lighttpd-block-useragent.html
• Interact.Sh
  • https://github.com/projectdiscovery/interactsh
• Github Redirect
  • https://dev.to/steveblue/setup-a-redirect-on-github-pages-1ok7

Offensive - Tradecraft

• LDAP Queries
  • https://podalirius.net/en/articles/useful-ldap-queries-for-windows-active-directory-pentesting/#list-of-all-kerberoastables-users
• CobaltStrike A defenders guide
  • https://thedfirreport.com/2022/01/24/cobalt-strike-a-defenders-guide-part-2/
• Indirect syscall c sharp
  • https://www.netero1010-securitylab.com/evasion/indirect-syscall-in-csharp
• HW-Call-Stack
  • https://github.com/fortra/hw-call-stack
• ZW-Process Hollowing
  • https://github.com/XaFF-XaFF/ZwProcessHollowing/tree/master
• Threadless Inject
  • https://github.com/CCob/ThreadlessInject
• So you think you can block macros
  • https://www.outflank.nl/blog/2023/04/25/so-you-think-you-can-block-macros/
• Cobalt Strike Yara Rules - https://github.com/elastic/protections-artifacts/blob/main/yara/rules/Windows_Trojan_CobaltStrike.yar
  • https://www.cobaltstrike.com/blog/cobalt-strike-and-yara-can-i-have-your-signature
  • https://github.com/paranoidninja/Cobaltstrike-Detection/blob/main/cs49.yara
• Defender Yara (Yara rules for Defender) - https://github.com/roadwy/DefenderYara
• Your bofs are grosshttps://securityintelligence.com/x-force/how-to-hide-beacon-during-bof-execution/
• Hunting for linux persistence mechanisms - https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/
• DefenderPretender - https://www.safebreach.com/blog/defender-pretender-when-windows-defender-updates-become-a-security-risk/
  • https://i.blackhat.com/EU-21/Wednesday/EU-21-Mougey-Windows-Defender-demystifying-and-bypassing-asr-by-understanding-the-avs-signatures.pdf
• Hiding your process in PS (Linux)
  • https://itnext.io/evasion-techniques-hiding-your-process-from-ps-2122cf487485
• Coff Loaders
  • https://otterhacker.github.io/Malware/CoffLoader.html#symbol-table
  • https://github.com/latortuga71/GOCoffLoader/blob/main/pkg/coff/coff.go#L359
  • https://0xpat.github.io/Malware_development_part_8/
• Aggressor Scripts
  • https://www.networksgroup.com/blog/aggressor-101-unleashing-cobalt-strike-for-fun-and-profit
• Bof encryptor?
  • https://www.securify.nl/blog/bofryptor-encrypting-your-beacon-during-bof-execution-to-avoid-memory-scanners/
• Golang - Stripping metadata
  • https://xnacly.me/posts/2023/go-metadata/
• Tunneling Proxychains and Socks
  • https://medium.com/@s12deff/tunneling-networks-with-proxychains-socks-f4cc6e655c75
• Boff/Coff Object to Position Independent Code
  • https://github.com/timwhitez/Bof2PIC
• HWSyscalls
  • https://github.com/Dec0ne/HWSyscalls

Offensive - Windows

• Shell code loader evasion edrs
  • https://frischkorn-nicholas.medium.com/windows-evasion-edrs-shellcode-loaders-e57db92de630
• Coercion
  • https://www.akamai.com/blog/security-research/authentication-coercion-windows-server-service
  • https://www.akamai.com/blog/security-research/authentication-coercion-windows-server-service
• SMB Relaying
  • https://www.ired.team/offensive-security/lateral-movement/lateral-movement-via-smb-relaying-by-abusing-lack-of-smb-signing
• SCCM
  • https://www.guidepointsecurity.com/blog/sccm-exploitation-account-compromise-through-automatic-client-push-amp-ad-system-discovery/
  • https://specterops.io/blog/2023/08/10/site-takeover-via-sccms-adminservice-api/
• Universal EDR Bypass
  • https://www.riskinsight-wavestone.com/en/2023/10/a-universal-edr-bypass-built-in-windows-10/?s=03
• PreCreated Windows Account
  • https://trustedsec.com/blog/diving-into-pre-created-computer-accounts
• Windows Python Related Thingies?
  • https://github.com/bigb0sss/RedTeam-OffensiveSecurity/blob/master/02-Windows_Security/python/05_dnsCacheEntry.py
• Rpcdump
  • https://gist.github.com/enigma0x3/092da9f249499391adffe2c46abfa1a1
• How UAC Bypass works
  • https://cqureacademy.com/cqure-labs/cqlabs-how-uac-bypass-methods-really-work-by-adrian-denkiewicz/
• DcSync Resume functionality?
  • https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/eb6876c5-6997-4541-8165-3844e46b464d
• Practical attacks against ntlmv1
  • https://trustedsec.com/blog/practical-attacks-against-ntlmv1
  • https://github.com/evilmog/ntlmv1-multi
  • https://www.praetorian.com/blog/ntlmv1-vs-ntlmv2/
• ADCS
  • https://www.blackhillsinfosec.com/abusing-active-directory-certificate-services-part-one/
  • https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf
  • https://www.ispcolohost.com/2020/05/29/extracting-the-ca-certificate-from-an-active-directory-server/
  • https://www.crowdstrike.com/wp-content/uploads/2023/12/investigating-active-directory-certificate-abuse.pdf
• Logmein
  • https://github.com/alfarom256/LogMeInPoCHandleDup
• SEImpersonate Attacks
  • https://pentest.party/notes/windows/privilege-impersonate ~~~
  • https://micahvandeusen.com/the-power-of-seimpersonation/
  • https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/
• Art of Get System
  • https://github.com/daem0nc0re/PrivFu/tree/main/ArtsOfGetSystem#efspotato

Windows

• Application Domains
  • https://learn.microsoft.com/en-us/dotnet/api/system.appdomain.createdomain?view=net-7.0
• Get Disk Drive information in windows 😄
  • https://winaero.com/get-disk-drive-information-in-windows-10-with-this-command/
• Generate Random Crypt
  • https://learn.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-cryptgenrandom
• Samaccounttype
  • https://chrisbeams.wordpress.com/2009/05/10/active-directory-samaccounttype/
  • https://jackstromberg.com/2013/01/useraccountcontrol-attributeflag-values/
• Example APIs
  • https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-getcomputernamea
• Crypt Apis
  • https://learn.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-cryptdecodeobjectex
  • https://learn.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-cryptencrypt
  • https://learn.microsoft.com/en-us/windows/win32/seccng/cng-portal
• Sysmon
  • https://medium.com/@olafhartong/sysmon-14-0-fileblockexecutable-13d7ba3dff3e
  • https://www.blackhillsinfosec.com/getting-started-with-sysmon/
  • https://github.com/SwiftOnSecurity/sysmon-config/blob/master/sysmonconfig-export.xml
  • https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
• Ace Types
  • https://learn.microsoft.com/en-us/dotnet/api/system.security.accesscontrol.acetype?view=net-8.0
• Web App for Containers
  • https://azure.microsoft.com/en-us/products/app-service/containers?activetab=pivot:deploytab
• Azure Connected Machine
  • https://learn.microsoft.com/en-us/cli/azure/connectedmachine?view=azure-cli-latest
• Group Managed Service Accounts
  • https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/ous/guide/gmsa/
  • https://www.tutorialspoint.com/windows_server_2012/windows_server_2012_group_managed_service_accounts.htm
• SMB Protocol
  • https://www.prosec-networks.com/en/blog/smb-server-message-block-protokoll

EDRS

• Carbonblack
  • https://docs.vmware.com/en/VMware-Carbon-Black-Cloud/services/cbc-sensor-installation-guide/GUID-89461AB9-8069-4034-9E7E-D170F1467D82.html
• Crowdstrike
  • https://help.redcanary.com/hc/en-us/articles/4405722007319-Collect-Crowdstrike-Diagnostic-Logs-macOS-and-Windows
  • https://www.crowdstrike.com/guides/net-logging/advanced-concepts/
• Cortex
  • https://laokoon-security.com/cortex-xdr-config-exctractor/
  • https://github.com/Laokoon-SecurITy/Cortex-XDR-Config-Extractor?tab=readme-ov-file

CVEs

• 2024-3400 Palo Alto
  • https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/

Misc

• Golang by default will attempt to decompress gzip headers - https://groups.google.com/g/golang-nuts/c/e60TAcvm6Qw?pli=1
• Rsync - various filters you can use to list directory - https://stackoverflow.com/questions/13414086/how-to-use-rsync-list-only-source-to-list-all-the-files-in-that-directory
• Forking - little deeper dive into how it works on Linux - https://c-for-dummies.com/blog/?p=5358
  • https://www.linuxjournal.com/content/how-kill-zombie-processes-linux
• WDExtract - Extract Windows Defender Rules - https://github.com/hfiref0x/WDExtract/tree/master
  • https://gist.github.com/dezhub/4c8f775010547a3c37c57bf40414c1ba
  • https://github.com/roadwy/SIGNATURE_TYPE_LUASTANDALONE/tree/main
  • https://gist.github.com/HackingLZ/65f289b8b0b9c8c3a675aa26c06dfe09
  • https://github.com/viruscamp/luadec
  • https://github.com/viruscamp/luadec/tree/master
  • https://github.com/commial/experiments/tree/master
  • https://github.com/roadwy/DefenderYara?tab=readme-ov-file
• Settingup Zig
  • https://cvo-23052022.fly.dev/unable-to-find-zig-installation-directory-filenotfound
• Structure of x509 Certificate
  • https://dev.to/wayofthepie/structure-of-an-ssl-x-509-certificate-16b
  • https://docs.oracle.com/cd/E24191_01/common/tutorials/authz_cert_attributes.html
• HaProxy - Session Persistence
  • https://www.haproxy.com/documentation/haproxy-configuration-tutorials/session-persistence/
• Integrating Sliver into Mythic
  • https://github.com/MythicAgents/sliver/blob/main/blog/blog.md
• Interesting investigation into logs
  • https://nishtahir.com/i-looked-through-attacks-in-my-access-logs-heres-what-i-found/
• What is encrypted sni
  • https://www.cloudflare.com/learning/ssl/what-is-encrypted-sni/
• Practical Cryptography
  • https://github.com/nakov/Practical-Cryptography-for-Developers-Book/blob/master/asymmetric-key-ciphers/rsa-encrypt-decrypt-examples.md
• How to extend Server 2016 Trial
  • https://sid-500.com/2017/08/08/windows-server-2016-evaluation-how-to-extend-the-trial-period/
• Cypher Queries
  • https://posts.specterops.io/cypher-queries-in-bloodhound-enterprise-c7221a0d4bb3
• AWS (SSM Command)
  • https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-param-runcommand.html
• Linux syscall
  • https://filippo.io/linux-syscall-table/
• Change hostname for linux hostname
  • https://phoenixnap.com/kb/how-to-set-or-change-a-hostname-in-centos-7
• Determining ptrace levels
  • https://linux-audit.com/protect-ptrace-processes-kernel-yama-ptrace_scope/

Intel Source

• Hacker Trends
  • https://github.com/nomi-sec/Hacker-Trends/blob/main/2023/05/16.tsv
• People to Follow
  • https://github.com/DamonMohammadbagher/Some_Pentesters_SecurityResearchers_RedTeamers