home.social

#postexploitation — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #postexploitation, aggregated by home.social.

  1.  Introducing KeyChecker – a CLI to fingerprint SSH private keys & map them to Git hosting accounts.

    We have been talking about this in our classes for a long while; finally, automation is here now.

     Blog: https://cyfinoid.com/automating-a-known-weakness-introducing-keychecker/
     PyPI: https://pypi.org/project/keychecker/

    #bugbountytips #ssh #git #github #infosec #postexploitation

  6. Sliver too mainstream? Cobalt Strike too patched? Say hello to Havoc.

    @FortiGuardLabs just broke down a malicious Havoc C2 sample — and it’s bringing that open-source, post-exploitation energy with extra attitude.

    Built for red teamers but abused by threat actors, this sample goes full dark mode:

    • Shellcode loader in C++
    • AES-encrypted payload
    • XOR junk code to slow reverse engineering
    • Dynamic API resolving
    • LOLBin delivery via regsvr32

    It’s like someone asked: “What if malware devs went full GitHub?” (never go full GitHub)

    🔗 Full breakdown:
    fortinet.com/blog/threat-resea

    TL;DR for blue teamers:

    • Havoc ≠ harmless just because it’s open source
    • Monitor regsvr32, rundll32, mshta — Havoc loves its LOLBins
    • Watch for process injection + thread creation anomalies
    • Memory analysis > file-based detection here
    • Don’t assume your EDR is catching every beacon on port 443

    Is it threat emulation or a real attack?

    — Blue teamer having a full-blown identity crisis at 2am

    Shoutout to @xpzhang and team for their amazing work!

    #ThreatIntel #MalwareAnalysis #HavocC2 #RedTeamTools #PostExploitation #Infosec #BlueTeam #ReverseEngineering #CyberSecurity

  11. ⚠️ New zero-day vulnerability targeting Ivanti Connect Secure VPNs (CVE-2025-0282)

    #Mandiant has published the first signs of exploitation (with a preliminary attribution to UNC5337):

    🔍 Common steps identified during exploitation:
    1️⃣ Disables SELinux
    2️⃣ Blocks forwarding of syslog logs
    3️⃣ Remounts the disk read-write
    4️⃣ Writes a malicious script
    5️⃣ Executes that script
    6️⃣ Deploys one or more web shells
    7️⃣ Modifies logs to hide the activity
    8️⃣ Re-enables SELinux
    9️⃣ Remounts the disk

    🛑 Post-exploitation concealment techniques:

    • Removal of kernel messages with dmesg and modification of debug logs.
    • Clearing of state dumps and crash core dumps.
    • Removal of entries related to syslog failures, internal ICT errors, crash traces and certificate errors.
    • Modification of the SELinux audit log to hide executed commands.

    💡 Additional observations:

    CVE-2025-0282 affects several patch levels of ICS release 22.7R2.

    Successful exploitation depends on the specific version.

    Repeated requests to the VPN are observed before exploitation, probably to identify the version.

    🗂️ Targeted files:
    /dana-cached/hc/hc_launcher.22.7.2.2615.jar
    /dana-cached/hc/hc_launcher.22.7.2.3191.jar
    /dana-cached/hc/hc_launcher.22.7.2.3221.jar
    /dana-cached/hc/hc_launcher.22.7.2.3431.jar

    ⚠️ Mandiant reports having observed signs of active exploitation in the wild since mid-December 2024.

    "Ivanti Connect Secure VPN Targeted in New Zero-Day Exploitation"
    👇
    cloud.google.com/blog/topics/t

    #CyberVeille #Ivanti #IoC #postexploitation
    #attribution
    #CVE_2025_0282 #CVE_2025_0283

  12. Now that you’ve seen #WhatTheVuln Episode 2 featuring Lindsay Von Tish and Allan Cecil, check out the corresponding technical write-up where you can take a deep dive into how to use #LoLBins to bypass #EDR protection and install a #C2 agent for advanced #postexploitation control.

    And don’t fret if you missed the initial livestream – you can watch the recording on demand! bfx.social/3K4T1mS

    P.S. Episode 3 is on the way!

  13. Check out this list of #postexploitation tools we enjoy using in our #pentesting work, such as:

    - Mimikatz
    - PowerHub
    - Bashark
    - And Metasploit of course!

    See the full list: bishopfox.com/blog/post-exploi