👻 The Phantom Credentials of SCCM
If an Active Directory account has ever been configured as an NAA, the credentials may persist on former clients. Not only can we query the credential blobs from WMI, we can also retrieve previously used account blobs from the CIM repository, even if the computer is no longer a client.
https://posts.specterops.io/the-phantom-credentials-of-sccm-why-the-naa-wont-die-332ac7aa1ab9
#ad #credentials #sccm #naa #wmi
🎭 BOFMask
BOFMask is a tool designed to conceal Cobalt Strike's Beacon payload while executing a Beacon Object File (BOF). By applying an XOR mask and modifying memory protection settings, BOFMask enables users to execute BOFs without exposing Beacon, thereby avoiding detection by EDR products that scan system memory.
Research:
https://securityintelligence.com/posts/how-to-hide-beacon-during-bof-execution/
Source:
https://github.com/xforcered/bofmask
#cobaltstrike #bof #sleepmask #redteam
Forwarded from Cybred
An interesting quirk of cookie parsing. Some servers, such as Jetty or Undertow, implement the RFC2965 specification, which has an unusual approach to parsing.
If Jetty receives as input
Cookie: search_history="lolkek; JSESSIONID=1337; asdf=end";
then the header will be parsed as a single cookie search_history with the value
lolkek; JSESSIONID=1337; asdf=end
instead of three separate ones. If Jetty sees a value that begins with a double quote, it keeps reading the string until it finds the closing quote, even if it encounters a semicolon along the way.
This is dangerous because, if search_history is rendered somewhere on the page, it can be used to exfiltrate any cookie (for example, JSESSIONID) that carries the HttpOnly flag. To do so, you would need to find an XSS and exploit it by writing a double quote into search_history so that the rest of the header is displayed on the page.
Jetty, Undertow, Tomcat, Python Zope and any other servers and frameworks that follow RFC2616 when parsing strings are susceptible to this. Python's http.cookies library, namely the BaseCookie and SimpleCookie classes, also implements this spec. It is used by aiohttp, cherrypy, web.py, bottle, webob (Pyramid, TurboGears).
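Added example (Python; not code from the Cybred post or from any of the servers it names): it contrasts the quote-aware parse that Python's own http.cookies.SimpleCookie performs with a plain split-on-semicolon parse of the same Cookie header, flags the cookie names that the quoted value swallows, and shows a normalisation a reverse proxy or middleware could apply before a request reaches a quote-aware parser. The sample header value and the function names are constructed for this example.

```python
from http.cookies import SimpleCookie

# Constructed sample Cookie header value (everything after "Cookie: ").
SAMPLE_HEADER = 'search_history="lolkek; JSESSIONID=1337; asdf=end"'


def parse_quote_aware(header_value):
    """Parse with Python's http.cookies, the RFC 2965-style parser the post
    mentions: a value that starts with a double quote is read up to the
    closing quote, so semicolons inside the quotes do not end the cookie."""
    jar = SimpleCookie()
    jar.load(header_value)
    return {name: morsel.value for name, morsel in jar.items()}


def parse_split_only(header_value):
    """Parse the way RFC 6265 describes the Cookie request header: split on
    ';', then split each pair on the first '='. There is no quoted-string
    handling, so a double quote is just another character in the value."""
    cookies = {}
    for pair in header_value.split(";"):
        pair = pair.strip()
        if "=" not in pair:
            continue
        name, value = pair.split("=", 1)
        cookies[name.strip()] = value.strip()
    return cookies


def swallowed_cookie_names(header_value):
    """Cookie names that the split-only parser sees but the quote-aware
    parser folds into another cookie's value. A non-empty result means the
    two interpretations of one header disagree, which is the condition the
    post describes (an HttpOnly cookie ending up inside a reflected value)."""
    split_only = set(parse_split_only(header_value))
    quote_aware = set(parse_quote_aware(header_value))
    return sorted(split_only - quote_aware)


def normalize_header(header_value):
    """Edge normalisation: rebuild the header from the split-only parse with
    the surrounding double quotes removed from each value, so a quote-aware
    parser downstream sees exactly the cookies a split-only parser would."""
    parts = []
    for name, value in parse_split_only(header_value).items():
        clean = value.strip('"')
        parts.append(f"{name}={clean}")
    return "; ".join(parts)


if __name__ == "__main__":
    print("quote-aware :", parse_quote_aware(SAMPLE_HEADER))
    print("split-only  :", parse_split_only(SAMPLE_HEADER))
    print("swallowed   :", swallowed_cookie_names(SAMPLE_HEADER))
    print("normalised  :", normalize_header(SAMPLE_HEADER))
```

Running swallowed_cookie_names() over the Cookie headers in proxy or access logs is a cheap detection for the condition the post describes: any request where it returns a non-empty list carries a quoted value that hides other cookie names. Applying normalize_header() at the edge removes the disagreement before a quote-aware application parser sees the request.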
Forwarded from 1N73LL1G3NC3
RecycledInjector
Native Syscalls Shellcode Injector
(Currently) Fully Undetected same-process native/.NET assembly shellcode injector based on RecycledGate by thefLink, which is also based on HellsGate + HalosGate + TartarusGate to ensure undetectable native syscalls even if one technique fails.
To remain stealthy and keep entropy on the final executable low, do ensure that shellcode is always loaded externally since most AV/EDRs won't check for signatures on non-executable or DLL files anyway.
🎯 Meterpreter vs Modern EDR
This blog post explains how making minor adjustments to the Meterpreter shellcode dropper can effectively evade modern EDRs. Three modifications are employed on the Meterpreter reference dropper. These modifications involve encrypting the Meterpreter shellcode using the XOR algorithm, incorporating valid metadata via a manifest file, and relocating the Meterpreter shellcode from the .text section to the .data section.
https://redops.at/en/blog/meterpreter-vs-modern-edrs-in-2023
#av #edr #meterpreter #xor #cpp
Forwarded from 1N73LL1G3NC3
100 Methods for Container Attacks(RTC0010)
Container escape, tampering, insecure orchestration, etc.
🔥 Shodan is giving away a $5 Membership subscription
The sale lasts until July 17 23:59 UTC
https://twitter.com/shodanhq/status/1680723526494609409
Time to build our own Shodan ^_^
⛓ Divide and Rule — AMSI Bypass
By splitting well-known PowerShell scripts, e.g. an AMSI bypass, we can directly bypass Windows Defender or at least find the line where the detection occurs. Outcome: several AMSI bypasses and two scripts:
- One to split PowerShell snippets into multiple lines
- A second script to run all the files in a one-liner, XOR obfuscated
https://badoption.eu/blog/2023/07/15/divideconqer.html
#amsi #av #bypass #powershell
Forwarded from cobaltstrike
Run BOFs written for Cobalt Strike in Brute Ratel C4
https://blog.nviso.eu/2023/07/17/introducing-cs2br-pt-ii-one-tool-to-port-them-all/
https://github.com/NVISOsecurity/cs2br-bof
Forwarded from Ralf Hacker Channel (Ralf Hacker)
If you have the SeTcbPrivilege privilege (and a local admin can enable it), you can request a TGS ticket for any user logged on to the system without specifying their password. An interesting scenario...
https://github.com/foxlox/GIUDA
#ad #pentest #redteam #soft #git
Forwarded from 1N73LL1G3NC3
TGSThief
I think a lot of people have seen the GIUDA project. It is an interesting way to get the TGS of a user whose logon session is just present on the computer. The problem is that its code is written in Pascal, so I had to rewrite the project in C++.
How to use:
Just run the tool and select the desired logon session! The tool will automatically escalate privileges and request a TGS.
Advantages:
- We do not need to run the code on behalf of the system. Run the program as a local administrator, the privilege escalation will happen automatically.
- I also added SPN validation through regex, so there is less chance of making a mistake and not getting TGS.
- The TGS ticket is optionally injected into the logon session where the tool is running. The TGS ticket is simply output in base64 for convenience, and only embedded if required.
- It is not necessary to run the tool ten times to see the LUID. You can now select the LUID you want from the drop down list.
Thanks to: @Michaelzhm
🔨KRBUACBypass
By adding a KERB-AD-RESTRICTION-ENTRY to the service ticket, but filling in a fake MachineID, we can easily bypass UAC and gain SYSTEM privileges.
Research:
https://www.tiraniddo.dev/2022/03/bypassing-uac-in-most-complex-way.html
Source:
https://github.com/wh0amitz/KRBUACBypass
#ad #kerberos #uac #bypass
Ⓜ️ Metabase Pre-auth RCE
Earlier this week, it was reported that Metabase open source before 0.46.6.1 and Metabase Enterprise before 1.46.6.1 has a vulnerability that allows attackers to execute arbitrary commands on the server, at the server's privilege level. Authentication is not required for exploitation. This vulnerability was designated as CVE-2023-38646.
Research:
https://blog.calif.io/p/reproducing-cve-2023-38646-metabase
PoC:
https://gist.github.com/testanull/a7beb2777bbf550f3cf533d2794477fe
#metabase #cve #poc #rce
🍅 S4UTomato — Escalate Service Account To LocalSystem via Kerberos
Learn how to leverage Kerberos for privilege escalation in a Windows domain environment using virtual accounts with the help of Resource-based Constrained Delegation, Shadow Credentials, and Tgtdeleg techniques.
https://github.com/wh0amitz/S4UTomato
#ad #privesc #kerberos #windows
Forwarded from 1N73LL1G3NC3
D1rkInject
Another approach to Threadless injection that loads a module into the target process, stomps it, and then reverts the memory protections and the original memory state
Forwarded from 𝖝𝖓𝖝 𝖘𝖔𝖋𝖙𝖜𝖆𝖗𝖊 𝖋𝖔𝖚𝖓𝖉𝖆𝖙𝖎𝖔𝖓
OWASP has just released the Security Top 10 for APIs. The changes are not that big; I drew a little picture for clarity 😈
Details in the docs https://owasp.org/API-Security/editions/2023/en/0x00-notice/
🥰 peace, everyone 🥰
🐕 BloodHound CE: A New Era!
Discover the latest update of BloodHound - now called BloodHound Community Edition (CE). Here's what you need to know:
🚀 Key Features:
— Enhanced GUI for a user-friendly experience
— New containerized architecture for streamlined deployment
— Cached query results for boosted performance
— User management, multi-factor authentication, and SAML authentication
More about it
https://posts.specterops.io/bloodhound-community-edition-a-new-era-d64689806e90
#ad #bloodhound
🔐 Exploiting SCCM’s AdminService API for Site Takeover 🔐
Extensive research into SCCM services has revealed a security flaw within the AdminService API, exploiting the authentication process and leading to unauthorized access. The AdminService API, backed by Microsoft Negotiate authentication, could be leveraged by malicious actors for privilege escalation, granting unauthorized Full Administrator privileges on the targeted site.
🌐 Details:
https://posts.specterops.io/site-takeover-via-sccms-adminservice-api-d932e22b2bf
#ad #sccm #site #takeover
🛠 From C to Shellcode: Crafting Position-Independent Code
Ever wondered how malware developers create shellcode? Dive into the world of Position-Independent Code (PIC) and learn about a shellcode development method using MinGW. This approach combines assembly and C to create efficient and stealthy payloads.
🌐 Details:
https://steve-s.gitbook.io/0xtriboulet/just-malicious/from-c-with-inline-assembly-to-shellcode
#maldev #clang #shellcode #assembly
Forwarded from Cybred
Black Hat USA 2023
Schedule
Presentations
DEF CON 31
Schedule
Presentations
Schedule (with talk descriptions) and presentations from Black Hat USA 2023 & DEF CON 31