#postexploitation — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #postexploitation, aggregated by home.social.
-
 Introducing KeyChecker – a CLI to fingerprint SSH private keys & map them to Git hosting accounts.
We have been talking about this in our classes for a long while, finally automation is present now.
 Blog: https://cyfinoid.com/automating-a-known-weakness-introducing-keychecker/
 PyPI: https://pypi.org/project/keychecker/
-
Sliver too mainstream? Cobalt Strike too patched? Say hello to Havoc.
@FortiGuardLabs just broke down a malicious Havoc C2 sample — and it’s bringing that open-source, post-exploitation energy with extra attitude.
Built for red teamers but abused by threat actors, this sample goes full dark mode:
- Shellcode loader in C++
- AES-encrypted payload
- XOR junk code to slow reverse engineering
- Dynamic API resolving
- LOLBin delivery via regsvr32
It’s like someone asked: “What if malware devs went full GitHub?” (never go full GitHub)
🔗 Full breakdown:
https://www.fortinet.com/blog/threat-research/dissecting-a-malicious-havoc-sample
TL;DR for blue teamers:
- Havoc ≠ harmless just because it’s open source
- Monitor regsvr32, rundll32, mshta — Havoc loves its LOLBins
- Watch for process injection + thread creation anomalies
- Memory analysis > file-based detection here
- Don’t assume your EDR is catching every beacon on port 443
Is it threat emulation or a real attack?
— Blue teamer having a full-blown identity crisis at 2am
Shoutout to @xpzhang and team for their amazing work!
#ThreatIntel #MalwareAnalysis #HavocC2 #RedTeamTools #PostExploitation #Infosec #BlueTeam #ReverseEngineering #CyberSecurity
-
They don’t need malware. They weaponize what’s already trusted - PowerShell, WMI, CertUtil. This is Living Off the Land. Defend or be devoured.
#LOLBins #infosec #cybersecurity #redteam #ethicalhacking #windowssecurity #postexploitation #DeadSwitch
http://tomsitcafe.com/2025/05/06/living-off-the-land-how-hackers-use-your-tools-against-you/
-
⚠️ New zero-day vulnerability targeting Ivanti Connect Secure VPNs (CVE-2025-0282)
#Mandiant has published the first signs of exploitation (with an initial attribution to UNC5337):
🔍 Common steps identified during exploitation:
1️⃣ Disables SELinux
2️⃣ Blocks forwarding of syslog logs
3️⃣ Remounts the disk read-write
4️⃣ Writes a malicious script
5️⃣ Executes that script
6️⃣ Deploys one or more web shells
7️⃣ Modifies logs to hide the activity
8️⃣ Re-enables SELinux
9️⃣ Remounts the disk
🛑 Post-exploitation concealment techniques:
- Removal of kernel messages with dmesg and modification of debug logs.
- Deletion of state dumps and crash core dumps.
- Removal of entries related to syslog failures, internal ICT errors, crash traces and certificate errors.
- Modification of the SELinux audit log to hide executed commands.
💡 Additional observations:
CVE-2025-0282 affects several patch levels of ICS release 22.7R2.
Successful exploitation depends on the specific version.
Repeated requests to the VPN are observed before exploitation, probably to identify the version.
🗂️ Targeted files:
/dana-cached/hc/hc_launcher.22.7.2.2615.jar
/dana-cached/hc/hc_launcher.22.7.2.3191.jar
/dana-cached/hc/hc_launcher.22.7.2.3221.jar
/dana-cached/hc/hc_launcher.22.7.2.3431.jar
⚠️ Mandiant reports having observed signs of active in-the-wild exploitation since mid-December 2024.
"Ivanti Connect Secure VPN Targeted in New Zero-Day Exploitation"
👇
https://cloud.google.com/blog/topics/threat-intelligence/ivanti-connect-secure-vpn-zero-day/?hl=en
#CyberVeille #Ivanti #IoC #postexploitation
#attribution
#CVE_2025_0282 #CVE_2025_0283
-
Now that you’ve seen #WhatTheVuln Episode 2 featuring Lindsay Von Tish and Allan Cecil, check out the corresponding technical write-up where you can take a deep dive into how to use #LoLBins to bypass #EDR protection and install a #C2 agent for advanced #postexploitation control.
And don’t fret if you missed the initial livestream – you can watch the recording on demand! https://bfx.social/3K4T1mS
P.S. Episode 3 is on the way!
-
Check out this list of #postexploitation tools we enjoy using in our #pentesting work, such as:
- Mimikatz
- PowerHub
- Bashark
- And Metasploit of course!
See the full list: https://bishopfox.com/blog/post-exploitation-tools-for-pen-test