APT

@APT_Notes

Channel's geo and language: World, English

Category: Software & Applications

This channel discusses:
— Offensive Security
— RedTeam
— Malware Research
— OSINT
— etc
Disclaimer:
t.me/APT_Notes/6
Chat Link:
t.me/APT_Notes_PublicChat

Related channels | Similar channels

Channel's geo and language

World, English

APT

7 Mar, 19:00

Forward from: Ralf Hacker Channel

При эксплуатации уязвимостей ADCS могут возникать разные ошибки. В блоге подробно рассмотрены причины популярных ошибок, а также варианты решения этих проблем

https://sensepost.com/blog/2025/diving-into-ad-cs-exploring-some-common-error-messages/

#pentest #redteam #adcs

SensePost | Diving into ad cs: exploring some common error messages

Leaders in Information Security

833 0 44 6

APT

4 Mar, 18:55

🔑 lsassDumper

lsassDumper is a tool designed to dump the memory of the Windows process "lsass.exe". The dump is performed entirely in RAM, then compressed using the zlib library and fragmented for transmission via UDP packets disguised as NTP packets. This method helps reduce detection by security solutions such as Windows Defender and advanced Endpoint Detection and Response (EDR) tools.

🔗 Source:
https://github.com/Aur3ns/lsassStealer

#windows #lsass #edr #bypass

GitHub - Aur3ns/lsassStealer: Dumping lsass without mimikatz with SPECIAL exfiltrating capabilities

Dumping lsass without mimikatz with SPECIAL exfiltrating capabilities - Aur3ns/lsassStealer

3.1k 0 170 21

APT

26 Feb, 12:55

🔑 FindGPPPasswords

A cross-platforms tool to find and decrypt Group Policy Preferences passwords from the SYSVOL share using low-privileged domain accounts.

🚀 Features:
— Only requires a low privileges domain user account.
— Automatically gets the list of all domain controllers from the LDAP.
— Finds all the Group Policy Preferences Passwords present in SYSVOL share on each domain controller.
— Decrypts the passwords and prints them in cleartext.
— Outputs to a Excel file.

🔗 Source:
https://github.com/p0dalirius/FindGPPPasswords

#ad #windows #gpo #credentials

4.2k 0 165 17

APT

24 Feb, 17:43

Forward from: SecuriXy.kz

Обнаружена SQLi уязвимость CVE-2025-26794 в #Exim версии 4.98 при использовании сериализации ETRN.

ETRN #',1); ## INSERT SQL HERE ## /*

Для устранения проблемы рекомендуется обновиться до версии 4.98.1.

Подробности и эксплойт в контейнере доступны по ссылке https://github.com/OscarBataille/CVE-2025-26794

3k 0 55 14

APT

21 Feb, 11:08

🦡 Technical Analysis of Brute Ratel C4 Payloads

This post provides a technical analysis of a Brute Ratel C4 badger/agent, a Red Team tool. The analysis includes API hashing, memory injection, encrypted C2 communications, and the first 20 C2 commands for remote control.

🔗 Source:
https://cybergeeks.tech/a-deep-dive-into-brute-ratel-c4-payloads/

#analysis #brc4 #redteam #blueteam

4.8k 0 86 13

APT

20 Feb, 17:27

🔍 Exploring NTDS.dit

This blog post examines the structure of the NTDS.dit file, which stores data for Active Directory. It also introduces DIT Explorer, a new open-source tool designed for analyzing NTDS.dit, demonstrating how it interprets the database to provide a structured view of the directory.

🔗 Research:
https://trustedsec.com/blog/exploring-ntds-dit-part-1-cracking-the-surface-with-dit-explorer

🔗 Source:
https://github.com/trustedsec/DitExplorer

#ad #windows #ntds #dnt

12.5k 1 236 17

APT

18 Feb, 13:27

⚙️ Wazuh — Unsafe Deserialization RCE (CVE-2025-24016)

An unsafe deserialization vulnerability in Wazuh servers allows remote code execution through unsanitized dictionary injection in DAPI requests/responses. If an attacker injects an unsanitized dictionary into a DAPI request or response, they can craft an unhandled exception, allowing arbitrary Python code execution.

🔗 Source:
https://github.com/0xjessie21/CVE-2025-24016

#wazuh #deserialization #rce #cve

6.9k 2 173 19

APT

11 Feb, 21:44

🛠 PsExeSVC - Remote Execution via Python

PsExeSVC is a Python-based tool that interacts with the PsExec service to execute remote commands without relying on Windows binaries. It enables privilege escalation, remote shell access, and user authentication via primary tokens, mimicking legitimate PsExec.exe behavior while bypassing security controls like EDR detection.

🔗 Research:
https://sensepost.com/blog/2025/psexecing-the-right-way-and-why-zero-trust-is-mandatory/

🔗 Source:
https://github.com/sensepost/susinternals

#windows #ad #psexec #edr #bypass

6k 0 146 13

APT

9 Feb, 13:07

Forward from: RedTeam brazzers

Всем привет!

Недавно вышел интересный разбор LPE-уязвимости CVE-2024-12754 через AnyDesk. Разбор подробный, однако без POC. Поэтому надо исправлять :)

Сам механизм повышения привилегий основывается на возможности контроля целевого файла, который копируется в доступную для чтения низкопривилегированного пользователя директорию.

Нам остается лишь заставить AnyDesk, работающий от лица системы, прочитать файл, недоступный нам. Автор в статье использует чтение SAM из Shadow Copy.

Разработку, тестирование и отладку я проводил на AnyDesk версии 8.0.10, которую качал отсюда.

Вы можете сами попробовать POCнуть эту уязвимость, используя набор инструментов от Google Project Zero.

Моя реализация доступна здесь. Она осуществляет чтение произвольного файла, после чего копирует его содержимое на рабочий стол текущему пользователю.

Хоть Windows и активно продвигает механизм защиты, именуемый RedirectionTrust, предотвращающий переход по ссылкам, созданными не администраторами, однако эта митигация зачастую не распространяется на службы, которые были разработаны сторонними компаниями. Причина проста: разработчики не знают о ней и забывают применить, отсюда и появляется возможность LPE.

Демо можно посмотреть здесь

4.5k 0 51 19

APT

6 Feb, 14:18

🖼 AnyDesk — Local Privilege Escalation (CVE-2024-12754)

A vulnerability in AnyDesk allows low-privileged users to perform arbitrary file read and copy operations with NT AUTHORITY\SYSTEM privileges. Exploitation is possible by manipulating the background image, creating symbolic links, and leveraging ShadowCopy, granting access to SAM, SYSTEM, and SECURITY files, ultimately leading to privilege escalation to administrator.

🔗 Source:
https://mansk1es.gitbook.io/AnyDesk_CVE-2024-12754

#windows #anydesk #lpe #cve

20.9k 5 462 26

APT

4 Feb, 10:35

🔑 Windows BitLocker — Screwed without a Screwdriver

A newly discovered vulnerability in BitLocker allows attackers to bypass encryption without physical access. By exploiting flaws in Windows Boot Manager and TPM interaction, attackers can intercept or extract the BitLocker recovery key during the boot process. This makes encrypted data vulnerable even without direct physical access.

🔗 Presentation:
https://media.ccc.de/v/38c3-windows-bitlocker-screwed-without-a-screwdriver

🔗 Research:
https://neodyme.io/en/blog/bitlocker_screwed_without_a_screwdriver/#conclusion

#windows #bitlocker #bitpixie #tpm

5.4k 0 92 13

APT

3 Feb, 19:09

🖥 Living Off The Tunnels

Living Off The Tunnels a.k.a LOTTunnels Project is community driven project to document digital tunnels that can be abused by threat actors as well by insiders for data exfiltrations, persistence, shell access etc.

🔗 Source:
https://lottunnels.github.io/

#tunnels #persistence #cheatsheet #redteam

7.4k 1 210 16

APT

3 Feb, 12:41

💻 Elevation of Privilege via Network Configuration Operators (CVE-2025-21293)

This article discusses a vulnerability in Active Directory (CVE-2025-21293) related to the Network Configuration Operators group, which has excessive permissions to create subkeys in the registry for DnsCache and NetBT. This allows attackers to leverage Performance Counters to execute code with NT\SYSTEM privileges, potentially leading to privilege escalation.

🔗 Source:
https://birkep.github.io/posts/Windows-LPE/

#ad #network #group #lpe #cve

5.3k 0 102 1 14

APT

27 Jan, 23:40

Forward from: Ralf Hacker Channel

Telegram по неизвестной причине удалил канал 1N73LL1G3NC3. Однако автор решил продолжить делиться крутыми штуками и начал канал заново. Делюсь

https://t.me/P0x3k_1N73LL1G3NC3

1N73LL1G3NC3

Reborn…

4.9k 0 17 31

APT

21 Jan, 16:54

🔍 Exploring WinRM plugins for lateral movement

In this blog, the process of leveraging WinRM plugins to perform lateral movement to other systems is explored. Additionally, the use of the CIM_LogicFile WMI class to bypass certain tricky detections by Microsoft Defender is examined. Finally, all the logic is incorporated into a Cobalt Strike BOF.

🔗 Research:
https://falconforce.nl/exploring-winrm-plugins-for-lateral-movement/

🔗 Source:
https://github.com/FalconForceTeam/bof-winrm-plugin-jump

#ad #winrm #cobaltstrike #bof #redteam

Exploring WinRM plugins for lateral movement - FalconForce

We explore how to leverage WinRM plugins to perform lateral movement to other systems and put all the logic in a Cobalt Strike BOF.

10.2k 1 131 13

APT

17 Jan, 01:16

Forward from: Ralf Hacker Channel

CVE-2024-43468: ConfigMgr/SCCM 2403 Unauth SQLi to RCE

PATCHED: Oct 8, 2024

Exploit: https://github.com/synacktiv/CVE-2024-43468

Blog: https://www.synacktiv.com/advisories/microsoft-configuration-manager-configmgr-2403-unauthenticated-sql-injections

#git #exploit #ad #rce #sccm #pentest #redteam

GitHub - synacktiv/CVE-2024-43468

Contribute to synacktiv/CVE-2024-43468 development by creating an account on GitHub.

5.1k 0 56 2 8

APT

6 Jan, 17:29

Forward from: Ralf Hacker Channel

Эта работа заслуживает внимание! Если кратко, то механизм MS UIA позволяет читать любые текстовые значения на экране, открывать меню, закрывать окна, ну и все такое)) А раз он дает такие возможности, то этим нужно пользоваться... Как пример, PoC от @Michaelzhm:

https://github.com/CICADA8-Research/Spyndicapped

Не думаю, что на данную технику вообще есть какие-то детекты. Все подробности в блоге.

#redteam #pentest #spyware

4.8k 0 101 19

APT

30 Dec 2024, 17:31

🎉 Happy New Year!

Дорогие друзья и подписчики канала,

Прошедший год был полон увлекательных открытий и новых достижений. Спасибо, что все это время оставались с нами, делились знаниями, юмором и поддержкой.

В новом году желаю нам всем оставаться открытыми друг для друга, ведь самое ценное в нашем сообществе — это люди. Пусть ваши проекты будут изящнее, а сердца — теплее. Не забывайте отдыхать, любить и проводить время с близкими.

Счастливого Нового года и до встречи в 2025-м!
❤️✨

———

Dear friends and subscribers,

The past year has been filled with exciting discoveries and new achievements. Thank you for staying with us all this time, sharing knowledge, humor, and support.

In the new year, I wish for all of us to remain open to one another, because the most valuable thing in our community is its people. May your projects become more elegant and your hearts grow warmer. Don’t forget to rest, love, and spend time with your loved ones.

Happy New Year, and see you in 2025!
❤️✨

5.5k 0 6 50

APT

25 Nov 2024, 20:54

Forward from: Offensive Twitter

😈 [ ap @decoder_it ]

M'm glad to release the tool I have been working hard on the last month: #KrbRelayEx
A Kerberos relay & forwarder for MiTM attacks!
>Relays Kerberos AP-REQ tickets
>Manages multiple SMB consoles
>Works on Win& Linux with .NET 8.0
>...

GitHub:
🔗 https://github.com/decoder-it/KrbRelayEx

🐥 [ tweet ]

6k 0 45 1 15

APT

25 Nov 2024, 14:01

🎭 Spoofing Call Stacks To Confuse EDRs

The article focuses on techniques for call stack spoofing to bypass detection by EDR. It explains how to fake call stacks during Windows API interactions to mask malicious activity, such as accessing the lsass process, as legitimate operations. The text details the mechanics of call stacks in the x64 architecture, the use of unwind codes, tools for analysis, and provides a PoC implementation demonstrating call stack spoofing in practice.

🔗 Research:
https://labs.withsecure.com/publications/spoofing-call-stacks-to-confuse-edrs

🔗 Source:
https://github.com/WithSecureLabs/CallStackSpoofer

#edr #evasion #stack #spoofing #lsass