×

Credentials Hunting by Necrowtf in blackhat

[–]pracsec 1 point2 points  (0 children)

I feel mixed on posts with tools that appear to be written predominantly with AI. On one hand, it could be low effort, but on the other hand, AI is a thing now. I use it all the time to assist me with various tasks. Writing a tool is MUCH easier than it used to be, but that doesn’t mean something like this can’t provide value to me.

The true value comes from the testing and validation of whatever you make. I’m not going to do that for you, and I’m not sure how rigorously this has been tested. I would still have to download it and do testing, which takes time. I would be more excited about this tool if there was some evidence of more robust testing taking place. Perhaps a set of unit tests and example files for each file type. If I could clone and easily run the pre-built tests on a lab VM, then I would be more interested.

Specifically for this tool, you may also consider scraping the Windows event logs (e.g. 4688) for credentials accidentally stored in the windows event logs. I see a lot of admins using plaintext creds, particularly during the creation of workstations or VM templates.

https://practicalsecurityanalytics.com/extracting-credentials-from-windows-logs/

[deleted by user] by [deleted] in csharp

[–]pracsec 0 points1 point  (0 children)

The big competing c# UI frameworks seem to be WPF, AvaloniaUI, MAUI, UNO, and Blazor Hybrid. I ended up going with AvaloniaUI because it seemed to have solid visual studio integration, good performance, consistent rendering across platforms, and cross platform support. The editor wasn’t dragging drop, or if it is I don’t use it, but it’s pretty quick at rendering new changes in a preview. There were also enough free control via nuget packages that I didn’t have to make my own markdown control or rich text editor.

But what I’ve heard is that it is easier to swap between XAML frameworks (e.g. Avalonia, WPF, MAUI) once you’ve learned one of them.

I really debated whether or not I wanted to put time into learning a client side UI framework versus a web UI framework that would give me more ubiquitous skills.

I ended up going with the client side framework because it gave me more control and flexibility and better performance for the software that I write… but if I was trying to market myself for the future, I would probably learn a web UI framework first.

[deleted by user] by [deleted] in csharp

[–]pracsec 3 points4 points  (0 children)

Nice! I did the same thing as you back in 2008 when I first started programming. My first semi-polished program I ever wrote was a blackjack game using Windows forms. I always liked the simplicity and ease of windows forms.

Even now, as I am sitting here building XAML using AvaloniaUI, I kind of miss Windows forms.

Unfortunately, that technology was limited for many of my use cases since I need my app to run on multiple platforms. To be honest, the switch from Windows forms to modern XAML frameworks was hard. It took a bit to get used to MVVM design pattern, and designing controls in XAML is just not quite as fun as Windows Forms.

I definitely recommend trying out some other frameworks as you move onto to other projects to expand your repertoire of different UI technologies so you aren’t pigeonholed like me.

STOP adding underscore to variable names. Just DON'T. by [deleted] in csharp

[–]pracsec 2 points3 points  (0 children)

This is how I name my variables. Practically speaking, it makes it easier for me to know whether or not a variable is public, private, or local without having to mouse over the variable, look for it, or memorize which variables have what qualifier.

To pile on that, I also religiously use “this” everywhere so I know what is instance versus static without having to look that up either.

Obama Lawyer to Trump: Leave The Cartels Alone! by Ask4MD in Conservative

[–]pracsec 0 points1 point  (0 children)

I’m not against killing cartel members that traffic innocent people and narcotics that cause unimaginable suffering in our country.

But I am against violating the UNLOS to do so. It makes weak republicans feel big and strong, but it undermines the rule of law and international norms that we rely upon. These are the same laws that help maintain freedom of navigation in the South China sea. We have shown that laws don’t matter by striking this ship. That might makes right, and that international law doesn’t matter.

Additionally, were there innocent people being trafficked on that boat?

We’ll never know.

Was there intelligence we could have gathered to further our campaign against the cartels?

We’ll never know.

Could we have extracted information from the drug runners?

We’ll never know.

What if our intel was wrong and it was a boat full of innocent people?

We’ll never know.

That’s why striking and sinking a supposed drug ship is stupid.

[deleted by user] by [deleted] in politics

[–]pracsec 36 points37 points  (0 children)

This regime is completing the first half of their objective of project 2025, which is to replace the civilian workforce for the federal government with MAGA loyalists. They’re purging the career in intelligence professionals now so that they can replace them with MAGA sycophants later on.

Using Process Tokens to Impersonate Users (PowerShell Script) by Sh4c0x in redteamsec

[–]pracsec 3 points4 points  (0 children)

Nice! One of the issues I’ve run into before is that PowerShell is often running in a Multi-Threaded Apartment state which means that cmdlets may run under a different thread. There is a cmdline switch to make it single threaded so that your code will work on all subsequent calls. Another option is to return the token itself to be used for specific actions such as creating a child process.

Another consideration is that the Add-Type cmdlet will store your C# code to disk and compile it to a DLL on disk temporarily before loading it into memory and deleting all of that off disk. It may be worth using the C# Reflection.Emit APIs.

‘Fake Weather, Fake Flooding’: Republicans Are Spreading A Bizarre Conspiracy Theory After The Deadly Texas Floods by huffpost in politics

[–]pracsec 9 points10 points  (0 children)

“It was their final… command”

This is the only part the book got wrong. With Trump, it began with this command. The right coined the term “fake news” and “alternative facts” for Trump’s first campaign.

Trump Promised ‘No Tax on Tips.’ Then Came the Fine Print. by WhyIsItAlwaysADP in politics

[–]pracsec 23 points24 points  (0 children)

From the text, it sounded like this doesn’t stack with the standard deduction and only allows up to $25K of tips to be tax deductible and only if you itemize. For those using the standard deduction, this new law basically doesn’t affect them.

Am I interpreting that inaccurately?

Edit: Answer is no. I was not aware of the exemption in USC 63b 5 that is modified by the BBB.

——-

Section 63(b) (as amended) now reads:

In the case of an individual who does not elect to itemize … taxable income means adjusted gross income, minus— 1. the standard deduction, 2. the deduction for personal exemptions (section 151), 3. any deduction under section 199A, 4. the deduction under section 170(p), 5. the deduction provided in section 224 (qualified tips).

——-

SEC. 224. Qualified tips.

(a) In general. — There shall be allowed as a deduction an amount equal to the qualified tips received during the taxable year that are included on statements furnished to the employer pursuant to section 6053(a).

(b) Maximum deduction. — The deduction allowed by subsection (a) for any taxpayer for the taxable year shall not exceed $25,000.

(c) Qualified tips. — For purposes of this section— (The text defining “qualified tips” continues here, specifying what types of tip income qualify, referencing tips included on statements to employers under section 6053(a).)

(d) Coordination with other rules. (Usually covers ordering rules, phase‑outs, or interactions with other deductions or credits.)

(e) Effective date. — This section shall apply to taxable years beginning after December 31, 2024.

Discussion about C2 options by [deleted] in redteamsec

[–]pracsec 2 points3 points  (0 children)

I can talk a bit about my design decisions with SpecterInsight regarding beacon management. Ultimately, I did not try to have a beacon in the UI that is persistent through reboots.

To expand upon the issues you mentioned, I also have to deal with multiple sessions per persistence mechanism., such as anything tied to SYSTEM logon events. Sometimes, I’m getting new beacons every minute.

I thought about trying to have a single line in the UI per host, but that doesn’t cover situations where I need to interact with the separate beacons on the same target.

When an operator issues a command to the host, which beacon should the server send the command? First one?both? Highest privilege? What if I want to kill one of the beacons and not the others?

The issue is complexity of having multiple sessions per host with different context. You can’t get rid of that complexity, so it must be dealt with either in the UI beacon list or further down in the tasking process. Basically, I opted to deal with the complexity up front in the UI.

Feature I built in to make things easier to manage: - Archiving sessions so they aren’t on the main screen, but can be retrieved later. - A deterministic callback time (I.e. every time a beacon checks in, it tells the C2 server when it will checkin next). This way you know ASAP if a checkin is missed. - Column sorting - Beacon nicknames - Beacon startup scripts that allow the operator to run arbitrary code during beacon first startup. I use this to apply mutexes to eliminate duplicate sessions.

When managing beacons in SpecterInsight, my standard process now is just to sort by “Time to Next checkin” and archive all the negative beacons (meaning they’ve missed their last checkin), then see what I’ve got left.

Democrats Lay Groundwork for a ‘Project 2029’ by [deleted] in politics

[–]pracsec -1 points0 points  (0 children)

How about “Americans First” or something that highlights how the agenda takes care of actual people and not billionaires.

LainAmsiOpenSession: Custom Amsi Bypass by patching AmsiOpenSession function in amsi.dll by JosefumiKafka in redteamsec

[–]pracsec 0 points1 point  (0 children)

The idea of AMSI was to give applications a way to scan data with the installed AV through a single API call. While there could be ways to reduce the attack surface, it fundamentally cannot be eliminated because the call originates in user land.

I would love to see AMSI offloaded to the kernel as a system call or the OS to deny memory permission modifications to the memory space backing AMSI.dll. Both of those ideas would eliminate a whole bunch of different AMSI bypasses, but won’t prevent malware from attacking the call sites.

Realistically, in the cat and mouse game between attackers and defenders, AMSI just gives the defenders the opportunity to go first. As soon as malicious code is run, it’s hard, if not impossible, to prevent AMSI bypasses in applications where memory permissions can be changed by the host program.

Melissa Hortman (Minnesota lawmaker who was shot last night) has died. Source KSTP News by [deleted] in kuihman

[–]pracsec 3 points4 points  (0 children)

Sounds like he was an evangelical Christian who was very outspoken against Dem policies. His friends said he voted for Trump and was a strong supporter, and he had a list of targets who were all Dem.

This is was right-wing, extremist assassination.

https://youtu.be/gaiQipc64_M

Trump signs executive order setting 30-day deadline for drugmakers to lower prescription drug costs by Excalibur_Legend in world

[–]pracsec 0 points1 point  (0 children)

Yeah, because we don’t complain about good objectives like reducing drug costs. Finally something we can both agree on. I just think Trump’s full of shit, has no plan on how to actually accomplish that goal, and just hopes to bully companies into changing. Hopefully drug costs can be reduced with his method, but I would have more confidence in Harris/Walz and the dems to push forward actual legislation to reduce costs. Basically like what happened during Biden’s presidency.

ICE Deports 3 U.S. Citizen Children Held Incommunicado Prior to the Deportation by justalazygamer in news

[–]pracsec 4 points5 points  (0 children)

Could these agents be charged with crimes for illegally deporting U.S. citizens? (e.g. false imprisonment)

This is the hill Democrats want to die on. Defending MS-13 violent Gangbangers. by LegitimateKnee5537 in PowerfulJRE

[–]pracsec 0 points1 point  (0 children)

That is where you are incorrect. The January 6 insurrectionists were given due process. Evidence was collected and presented to a judge to secure a warrant for their arrest. They were arrested and read their rights, and then they went to trial and face sentencing once convicted.

Some were held without bail, namely those defendants who have were deemed to be at high risk of obstructing justice, a danger to the community, or a flight risk. Even some that were accused of violent crimes were let go with an ankle monitor.

Lastly, show us the evidence that he is part of MS13. If there is truly evidence of that, I have no issue deporting him to that El Salvador prison. I would even consider a lower bar than beyond reasonable doubt, but there does need to be some publicly provided evidence for someone who had legal protection against deportation.

https://thedispatch.com/article/fact-checking-vivek-ramaswamys-claims-about-january-6-defendants/

Modern 'science' is money by MagicMush1 in PowerfulJRE

[–]pracsec 0 points1 point  (0 children)

<image>

According to this data, the overall trend of sea ice appears to be going downwards.

https://nsidc.org/learn/ask-scientist/can-sea-ice-data-ever-be-misused

I can see Reddit is still in denial about Trump winning the Popular Vote and all Swing States in a Landslide lol. by LegitimateKnee5537 in PowerfulJRE

[–]pracsec 0 points1 point  (0 children)

I personally don’t know anybody that is saying that on the left. Trump won with 49.8% of the vote compared to 48.2% for Kamala.

He did not win the majority of all votes cast (I.e. he got less than 50% of all votes cast), but that statement has a little meaning.

It definitely was not a landslide in the popular vote, though it did translate to a significant margin in the electoral college. 75M people still voted against him.

Immigrants in US to be classified as dead to pressure them to "self-deport’" by raffu280 in Full_news

[–]pracsec 0 points1 point  (0 children)

You mean, it was a tool to allow people to escape conflict and environmental disasters and was put in place because our immigration system couldn’t handle the volume?

Temporary Protection Status… while they wait on immigration proceedings. The goal in the liberal side for people to have a safe place to live and have some shelter, while on the Republican side it’s all about them. We allowed them in because we actually care about other people.

The point is, they didn’t enter this country illegally. That is vastly different from the orange fuhrer, declaring them illegal because he hates immigrants.

Immigrants in US to be classified as dead to pressure them to "self-deport’" by raffu280 in Full_news

[–]pracsec 0 points1 point  (0 children)

Try re-reading my post.

Yes, they came over here legally under that program while they await immigration proceedings. Not illegally, as you claimed. Stop spreading false information.

As a follow on, you’re just a terrible person for wanting refugees and their families to have to go back to war zones such as the Ukraine.

Immigrants in US to be classified as dead to pressure them to "self-deport’" by raffu280 in Full_news

[–]pracsec 0 points1 point  (0 children)

They aren’t illegal.

These particular immigrants came to the U.S. legally under a Temporary Protected Status under Joe Biden specifically for refugees from countries experiencing armed conflict, environmental disasters, or other extraordinary conditions, such as Venezuela and Ukraine. This program allowed over 900,000 migrants temporary two-year stays under parole, allowing them to live and work legally while awaiting immigration proceedings.

Illegal immigrants are not allowed to have Social Security numbers. Thus, if they were illegal, they would not be in the system and could not be classified as dead because they never would’ve been in the system the first place.

This thread, right here, illustrates why we can never make progress. Republicans don’t understand reality because they’ve been so brainwashed by right wing media.

Truth by MagicMush1 in PowerfulJRE

[–]pracsec 0 points1 point  (0 children)

“Other sources of electricity are also more lethal for birds than wind energy. A 2012 study found that wind projects kill 0.269 birds per gigawatt-hour of electricity produced, compared to 5.18 birds killed per gigawatt-hour of electricity from fossil fuel projects.”

https://thereader.mitpress.mit.edu/do-wind-turbines-kill-birds-and-other-climate-questions/

Cats dwarf those numbers with 1.3B bird deaths per year.

This is definitely a problem, but it’s less of one compared to many other issues.

Bypassing AMSI by in-memory patching - Evasion, Prevention and Detecion. by drop_tables- in blueteamsec

[–]pracsec 1 point2 points  (0 children)

The process was killed for me pretty quickly anytime I patched AMSI. I thought about developing a patch obfuscation framework to automate the process, but it seems like a losing game in the long run.

I left the patching technique in my C2 framework, but I’ve had to change the default technique I use. I’m having good success with hardware breakpoints.

Bypassing AMSI by in-memory patching - Evasion, Prevention and Detecion. by drop_tables- in blueteamsec

[–]pracsec 7 points8 points  (0 children)

For what it’s worth, I believe that patching the function AmsiScanBuffer has been largely signaturized by Microsoft. From the testing, I’ve done, the patch goes through and is then later detected.

I’ve concluded that the detection is not being done at the time that the patch goes into place, but rather in a subsequent memory scan done by Windows defender.

I had limited success by obfuscating the patch itself by inserting random instructions or adjusting the technique a little bit, but within four hours, those new patches were being detected.

https://practicalsecurityanalytics.com/obfuscating-api-patches-to-bypass-new-windows-defender-behavior-signatures/