
📒 New Article Drop: Weaponizing Windows Toast Notifications for Social Engineering
🧠 Windows Toast Notifications are everywhere: policy updates, VPN reminders, password expiry alerts. Because these are legitimate applications that users trust, they can become a high‑impact social‑engineering surface.
🦄 I just published a deep‑dive playbook on how Toast Notifications can be abused for credential harvesting, lateral movement, user manipulation, etc., and how defenders can perform detection.
📖 1x Playbook
💑 Detection Opportunities
🎯 1x MDE Query
🚨 1x SIGMA Rule

πƒπžπ­πžπœπ­π’π¨π§ - π„π―πžπ§π­ πˆπƒ'𝐬
βœ… 7 & 13 (Sysmon)
βœ… DLL Monitoring: wpnapps.dll & msxml6.dll from unexpected processes
βœ’οΈ https://ipurple.team/2026/03/25/toast-notifications/
#purpleteam #detectionengineering #blueteam #threathunting

Toast Notifications (Purple Team): The Application User Model ID (AUMID) is a unique identifier that Windows assigns to modern applications. It enables Windows to identify which applications should receive notifications, how start m…
Offensive Cases about Credential Guard & Detection Strategies https://ipurple.team/2026/03/17/credential-guard/ #purpleteam
Credential Guard (Purple Team): Microsoft introduced Credential Guard in Windows 10 (2015) and Windows Server 2016 to prevent credential harvesting from the LSASS process that was abused for years by threat actors. Microsoft used…
Proof of Concept (PoC) implant for creating custom Cobalt Strike Beacons https://github.com/EricEsquivel/CobaltStrike-Linux-Beacon #redteam

📒 New article about GAC Hijacking to perform Code Execution and Persistence
📖 1x Playbook - A structured breakdown of the full approach
💑 3x Detection Opportunities
🏹 2x Threat Hunting Queries - Defender & Splunk

https://ipurple.team/2026/02/10/gac-hijacking/ #purpleteam

GAC Hijacking (Purple Team): The Global Assembly Cache is a system-wide repository in the .NET framework that stores strong named (name + version + culture + public key token identity) assemblies so multiple applications can u…
CustomDpapi: Calling the undocumented DPAPI RPC interface directly, no more calling public CryptUnprotectData! https://github.com/EvilBytecode/CustomDpapi #redteam
An open-source port/reimplementation of the Cobalt Strike BOF Loader https://github.com/CodeXTF2/Cobaltstrike_BOFLoader #redteam
AppLocker Rules Abuse (Purple Team): AppLocker was introduced by Microsoft in Windows 7 to enable organizations to define which executables, scripts or installers are allowed to run in their environments. AppLocker can reduce the atta…
Wait, Why is my WebClient Started?: SCCM Hierarchy Takeover via NTLM Relay to LDAP https://specterops.io/blog/2026/01/14/wait-why-is-my-webclient-started-sccm-hierarchy-takeover-via-ntlm-relay-to-ldap/ #redteam
SpecterOps: During automatic client push installation, an SCCM site server automatically attempts to map WebDav shares on clients, starting WebClient when installed.

📒 EDR Silencing
📖 1x Playbook - A structured breakdown of the full approach
💑 6x Procedures - Practical, reproducible techniques mapped to real-world operator workflows
🚨 1x Sigma Rule - To help defenders spot this activity
🎯 A compact, practical resource for detection engineers and purple team operators.
💭 Would love your thoughts.

https://ipurple.team/2026/01/12/edr-silencing/

EDR Silencing (Purple Team): Modern Endpoint Detection and Response systems depend on persistent, bidirectional communication with their cloud management console, enabling them to continuously report suspicious activity and re…
DbgNexum - a Proof-of-Concept for injecting shellcode using the Windows Debugging API and Shared Memory (File Mapping) https://github.com/dis0rder0x00/DbgNexum