@ZeroNLabs profile picture
Zero Labs @ZeroNLabs
Joined June 2023
  • Tweets 125
  • Following 25
  • Followers 242
29 Photos and videos
Zero Labs@ZeroNLabs
25 Jun 2025
#NauthNRPC is a tool that can help you enumerate computer / user accounts anonymously in #ActiveDirectory via DsrGetDcNameEx2 RPC calls. This is not often in most environments, so used could be blocked via #RPCFirewall. Nice job by @haider_kabibo šŸ†šŸ† hubs.li/Q03tvVVY0
8
28
3,866
Zero Labs retweeted
Sagie Dulce@SagieDulce
18 Jun 2025
My thoughts about CVE-2025-33073, and on how to prevent #NTLM / #Kerberos relay attacks in general using #RPCFirewall & #LDAPFirewall zeronetworks.com/blog/examinā€¦

Examining Relay Attacks Through the Lens of CVE-2025-33073

CVE-2025-33073 reminds us relay attacks aren't going anywhere; learn strategies for protecting against relay and reflection attacks with layered security.

zeronetworks.com
6
10
960
Zero Labs@ZeroNLabs
12 Jun 2025
Learn about how to find hidden resources in #Azure using our new #opensource tool #MapAz
Sagie Dulce@SagieDulce
12 Jun 2025
Are you sure you can enumerate all of your #Azure resources? You may be missing some out. #MapAz is a new #PowerShell Module that (among other things) can help you enumerate hidden resources. Read more in my latest post: zeronetworks.com/blog/discovā€¦
1
2
206
Zero Labs@ZeroNLabs
11 Jun 2025
Excellent writeup by @cybergentix on #WMI #LateralMovement Didn't mention mitigation via #RPCFirewall, which could be achieved by blocking remote #DCOM operations blog.fndsec.net/2024/09/11/wā€¦

WMI Research and LateralĀ Movement

In this article, we will go over the WMI technology, the potential attack vectors it opens, some detection pitfalls (from an attackerā€™s perspective), and how we can enumerate the technology for useā€¦

blog.fndsec.net
1
34
128
6,505
Zero Labs retweeted
Florian Roth āš”ļø
@cyb3rops
8 Jun 2025
ADCS ā€¦ often exploited, rarely mentioned
DirectoryRanger@DirectoryRanger
8 Jun 2025
ADCS Cheat Sheet, by @pentest_swissky swisskyrepo.github.io/Internā€¦
2
12
82
11,965
Zero Labs@ZeroNLabs
3 Jun 2025
Read @dekel_paz excellent writeup on #badsuccessor #LDAP vulnerability, and how to mitigate with the #LDAPFirwall
Dekel Paz@dekel_paz
3 Jun 2025
BadSuccessor is a slick AD privilege escalation that uses LDAP to take over user accounts ā€¦and the LDAP Firewall can already block it ā€” no updates needed. How the attack works how to block it: šŸ‘‰ zeronetworks.com/blog/stoppiā€¦
3
160
Zero Labs@ZeroNLabs
28 May 2025
Yes, LDAP enumeration is still a thing in 2025. 2ns.fi/en/ldap-enumeration-iā€¦

1
18
86
4,872
Zero Labs@ZeroNLabs
26 May 2025
A new open source tool to visualize #LDAP data ovre #Neo4j graph database: #Neo4LDAP by @_kripteria ! And, you can inject data directly from #BloodHound šŸ• Check it out here: github.com/Krypteria/Neo4LDAā€¦
1
18
88
7,946
Zero Labs@ZeroNLabs
15 May 2025
CVE-2025-29969 is an RPC #RemoteCodeExecution vulnerability, base score 7.5. Exploits a time-of-check time-of-use & affects Windows vers 2025, 2022, 2019, 2016, 2012 R2, 2012, 2008 R2 SP1, 2008 SP2; Win 11 22H2/23H2/24H2, Win 10 1607/1809/21H2/22H2. msrc.microsoft.com/update-guā€¦
488
Zero Labs retweeted
Tal Be'ery
@TalBeerySec
30 Apr 2025
Shields up! time to limit access to Telnet (TCP port 23) on internal network. CC: @ZeroNetworks
Florian Roth āš”ļø
@cyb3rops
30 Apr 2025
A critical vuln in Microsoftā€™s Telnet Server - complete 0-click NTLM auth bypass Most people laughed: ā€œWho the hell still runs Telnet?ā€ But a quick Shodan search shows over 2,000 exposed instances, most of them on Windows XP. Hopefully, many are honeypots - hopefullyā€¦ Internally though, itā€™s a different story. Ask your IT team or run a proper asset discovery - you might find Telnet quietly running on: - Embedded devices - Factory lines - Legacy control systems - Display systems in airports or hospitals Iā€™ve seen it before - and itā€™s probably still out there. (Shameless plug: our THOR scanners can still assess systems as old as Windows XP for signs of compromise.) securityonline.info/0-click-ā€¦
1
4
8
1,138
Zero Labs@ZeroNLabs
28 Apr 2025
A handy list of LDAP search filters used by common enumeration tools, compiled by @Unit42_Intel (@PaloAltoNtwks). The best part? You can block all of them with our open-source #LDAPFW! šŸ“· Full article: unit42.paloaltonetworks.com/ā€¦ Get started: github.com/zeronetworks/ldapā€¦
2
48
150
9,030
Zero Labs@ZeroNLabs
8 Apr 2025
Did you know that you can block DCOM via the #RPCFirewall? Make sure you're protected against #RemoteMonologue #NTLM #Coersion ! github.com/zeronetworks/rpcfā€¦

GitHub - zeronetworks/rpcfirewall

Contribute to zeronetworks/rpcfirewall development by creating an account on GitHub.

github.com
Andrew Oliveau
@AndrewOliveau
8 Apr 2025
RemoteMonologue - A Windows credential harvesting attack that leverages the Interactive User RunAs key and coerces NTLM authentications via DCOM. Remotely compromise users without moving laterally or touching LSASS. Hope you enjoy the blog & tool drop šŸ¤Ÿ ibm.com/think/x-force/remoteā€¦
6
13
983
Zero Labs@ZeroNLabs
1 Apr 2025
This one checks a lot of #LateralMovement TTPs. Could have been nicely blocked by #LDAPFirewall & #RPCFirewall some #NetworkSegmentation How #blackSuit #ransomware spread from first fake #zoom installer -> d3f@ckloader #IDAT #SectopRAT thedfirreport.com/2025/03/31ā€¦
The DFIR Report
@TheDFIRReport
31 Mar 2025
šŸŒŸNew report out today!šŸŒŸ Fake Zoom Ends in BlackSuit Ransomware Analysis and reporting completed by @pigerlin, UC1 and @Miixxedup Audio: Available on Spotify, Apple, YouTube and more! thedfirreport.com/2025/03/31ā€¦
2
7
668
Zero Labs retweeted
Sagie Dulce@SagieDulce
5 Feb 2025
Nice work by @YaronZi & @CrowdStrike promoting LDAP Security to detect suspicious LDAP activities. crowdstrike.com/en-us/blog/iā€¦ Maybe someone wants to slap an AI agent on their #LDAPFirewall for similar results? :) github.com/zeronetworks/ldapā€¦

Inside CrowdStrike's New ML-Powered LDAP Reconnaissance Detections

Read this blog on a new feature available to all CrowdStrike FalconĀ® Identity Protection customers to detect early signs of reconnaissance queries using AI.

crowdstrike.com
3
65
218
15,267
Zero Labs@ZeroNLabs
29 Jan 2025
How to stop #LDAPNightmare / #LDAPBleed CVE-2024-49112 & CVE-2024-49113 zeronetworks.com/blog/preempā€¦

Preemptively Block LDAPNightmare with Zero Networks

Discover how Zero Networks prevents LDAPNightmare vulnerabilities (CVE-2024-49112 & CVE-2024-49113) through advanced network segmentation, RPC firewall protection, and zero trust security strategies...

zeronetworks.com
3
7
679
Zero Labs@ZeroNLabs
14 Jan 2025
When we first published "What the Filter" we never thought we would have more than a 100 downloads, let alone a thousand. We're happy to see the community getting value with the latest version bypassing the 1000 mark ! šŸ† powershellgallery.com/packagā€¦
2
5
212
Zero Labs retweeted
Zero Networks
@ZeroNetworks
31 Dec 2024
šŸŽ‰2024 brought remarkable growth, new faces to #ZeroNation, and plenty of fun moments together šŸ’ŖšŸ¼šŸš€. To our customers, partners, investors, and teamā€”thank you for an incredible year; hereā€™s to a successful and inspiring 2025! šŸ„‚ #ZeroNetworks #NewYear2025 #Cybersecurity #Gratitude
2:20
2
1
4
2,134
Zero Labs@ZeroNLabs
16 Dec 2024
Hi all! We released a native version for WTF-WFP, supporting a limited number of operations. Especially good for those instances when you can't use #PowerShell module #NtObjectManager. /bypass command will skip the entire layer of filters github.com/zeronetworks/WTF-ā€¦
2
3
215
Zero Labs retweeted
Tal Be'ery
@TalBeerySec
12 Dec 2024
Unauthenticated Remote Code Execution (RCE) on Domain Controllers (DC). It does not get worse than that. Probably will be included in #ransomware campaigns. Any technical analysis of CVE-2024-49112 published? CC: @gentilkiwi @harmj0y @_wald0
16
177
638
146,942
Zero Labs@ZeroNLabs
10 Dec 2024
#ShadowHound by @yudasm_ evades EDRs by operating as a PS module & using a stealthy LDAP search query. šŸšØBlock it with our free #LDAPFirewall tool! github.com/Friends-Security/ā€¦
6
5
372
Load more