Load "$",8; Red Team

Joined January 2009
Snowscan retweeted
Relayed NTLM creds are powerful, if you can use them. @senderend shows why browsers fail through ntlmrelayx SOCKS and introduces ghostsurf to make NTLM-authenticated web apps accessible. Read more ⤵️ ghst.ly/4tnJOtx
Snowscan retweeted
My new blog for Check Point Research - check it out! 💙 // #ProcessInjection : #WaitingThreadHijacking
Thread Execution Hijacking is one of the well-known methods that can be used to run implanted code. In this blog we introduce a new injection method that is based on this classic technique but is much stealthier: Waiting Thread Hijacking. Read more: research.checkpoint.com/2025…
Snowscan retweeted
27 Feb 2025
#pypykatz new version 0.6.11 is out on github and pip. Big thanks to all awesome contributors!! Besides the fixes, the two important things in this version: - Kerberos aes keys extraction is now supported - !!!!Windows 24H2 support is here!!!!! github.com/skelsec/pypykatz/…
Snowscan retweeted
14 Nov 2024
Introducing PowerHuntShares 2.0 Release! NetSPI VP of Research @_nullbind introduces new insights, charts, graphs, & LLM capabilities that can be used to map the relationships & risks being exposed through the network shares: ow.ly/6Rjo50U7tNr
12 Jul 2024
Just got some nice swag from @vulnlab_eu 😄
Snowscan retweeted
CcmPwn is equipped with various modules. The “exec” module runs an AppDomainManager Injection payload for every logged-in user. The “coerce” module coerces SMB/HTTP authentications, which can then be used for password cracking or relay attacks. 👇 github.com/mandiant/CcmPwn
Snowscan retweeted
16 Mar 2024
Found a flaw in NetBSD's utmp_update allowing injection of ASCII escape sequences into utmpx logs, leading to unexpected terminal emulator behavior and utmpx database integrity concerns. ftp.netbsd.org/pub/NetBSD/se… #NetBSD #Security
Snowscan retweeted
Struggling to get those precious certificates with #certipy and AD CS instances that do not support web enrollment and do not expose CertSvc via RPC? @qtc_de has you covered and added functionality to use DCOM instead of good old RPC. #redteaming github.com/ly4k/Certipy/pull…
Snowscan retweeted
1 Dec 2023
It's been quiet for a while around bloodhound Python, however I'm happy to share that I am now maintaining the project at my personal GitHub. The latest version fixes many bugs/issues, also thanks to the many PRs that were submitted (thanks all!). github.com/dirkjanm/bloodhou…
Snowscan retweeted
Do you want to start the RemoteRegistry service without Admin privileges? Just write into the "winreg" named pipe 👇
14 Sep 2023
Did Bethesda hire the Microsoft UX team to work on Starfield? This is so shit. Really disappointed with the game so far.
18 Aug 2023
Thanks to the generous folks @bcsecurity @hackthebox_eu @SANSOffensive @sektor7net and @nostarch for sponsoring prizes at the DEF CON Red Team Village CTF!
26 Jul 2023
You can use the Windows Search Protocol to coerce authentication from hosts running the Windows Search Service (Win10/11 only by default) as a regular domain user. Haven't been able to do WebDAV with it though so usefulness is limited. PoC: github.com/slemire/WSPCoerce
Snowscan retweeted
🔥 Excited to share my latest @Mandiant Red Team blog on "Escalating Privileges via Third-Party Windows Installers" mandiant.com/resources/blog/… Learn how attackers exploit this privilege escalation vector and ways to defend against it. Includes BOF release and a couple CVEs!
Snowscan retweeted
Outlook for Windows can be tricked into displaying a fake domain but opening another one. Add a <base> tag with a fake domain and a left-to-right mark (U+200E). Links in <a> tags will show the fake domain, but open the real domain. No need to buy .zip! :) Convincing #phishing #redteam
Snowscan retweeted
Been playing with the .zip TLD for phishing. Apparently Outlook on Windows doesn't let you click links containing credentials, mitigating the "attack". Haven't seen anyone talk about this, weirdly. After looking into this a bit, I found a way to bypass this behaviour!
Snowscan retweeted
Introducing ETWHash! ETWHash is a new method and tool by @lefterispan for consuming SMB events from Event Tracing for Windows (ETW) and extracting NetNTLMv2 hashes for cracking offline. labs.nettitude.com/blog/etwh…
25 Apr 2023
More quality video content by @xct_de. Those labs are really great.
25 Apr 2023
I'm starting a new video series on pentesting the new lab (Wutai). In the first one, we'll start from the perspective of an unauthenticated, external attacker and will mainly focus on enumeration and getting initial access. youtu.be/QpQ66IaR06U