😈 dirDevil: Hiding Code and Content Within Folder Structures

This article describes a method for hiding data within directory structures by using GUIDs in folder names to encode information. This approach bypasses AV and DLP systems since the data is stored in folder names rather than files, making it difficult to detect and analyze.

🔗 Research:
https://trustedsec.com/blog/dirdevil-hiding-code-and-content-within-folder-structures

🔗 Source:
https://github.com/nyxgeek/dirdevil

#hide #code #folder #evasion

⚙️ Remote Session Enumeration

The blog post explores how to enumerate remote user sessions on Windows using undocumented Windows APIs, specifically focusing on the implementation and usage of the WinStation API.

🔗 Research:
https://0xv1n.github.io/posts/sessionenumeration/

🔗 Source:
https://github.com/0xv1n/RemoteSessionEnum/blob/main/main.cpp

#windows #qwinsta #session #winapi #cpp

Кросс-сессионная активация или захватываем сессию пользователя без RemotePotato0, TGSThief, mimikatz и Process Injection!

Давным-давно я писал о способе злоупотребления интерфейсом IHxHelpPaneServer. Однако вы когда в последний раз использовали моникеры? И я давным-давно... Поэтому нужно было найти альтернативный способ исполнения кода в сессии другого пользователя, забыв про все техники внедрения.

Если посмотреть на код RemotePotato0 или RemoteKrbRelay , то можно заметить использование недокументированных интерфейсов ISpecialSystemProperties и IStandartActivator. Причем не сказать, что их использование довольно редкое. Их можно встретить в любой программе, которая позволяет стащить учётные данные (имеет переключатель -session). Сами по себе, они позволяют контролировать сессию, в которой создавать COM-объект. Ранее мы ловили от них только аутентификацию, но что мешает соединить использование этих интерфейсов с описанным в SeMishaPrivilege COM-классом IHxHelpPaneServer? Конечно же ничего!

И я написал небольшой POC, который выложил на GitHub . Если вам интересно подробно окунуться в принцип работы инструмента, то советую обратить внимание на нашу статью на medium :)

How to fix the Crowdstrike thing:

1. Boot Windows into safe mode
2. Go to C:\Windows\System32\drivers\CrowdStrike
3. Delete C-00000291*.sys
4. Repeat for every host in your enterprise network including remote workers
5. If you're using BitLocker jump off a bridge

🛠 Adventures in Shellcode Obfuscation

This series of articles explores various methods for hiding shellcode, emphasizing techniques to avoid detection. The focus is on demonstrating diverse approaches to conceal shellcode.

🔗 Part 1: Overview
🔗 Part 2: Hail Caesar
🔗 Part 3: Encryption
🔗 Part 4: RC4 with a Twist
🔗 Part 5: Base64
🔗 Part 6: Two Array Method
🔗 Part 7: Flipping the Script
🔗 Part 8: Shellcode as IP Addresses
🔗 Part 9: Shellcode as UUIDs
🔗 Part 10: Shellcode as MAC Addresses
🔗 Part 11: Jargon
🔗 Part 12: Jigsaw
🔗 Part 13: Calculating Offsets
🔗 Part 14: Further Research

#shellcode #obfuscation #clang #maldev

😈 [ Print3M @Print3M_ ]

I wrote my first calc.exe "shellcode" in NASM. I find it a little strange that a lot of people write about malware development but almost no one talks about writing your own shellcode. I decided to write something on my own. (good comments, easy readable)

🔗 https://github.com/Print3M/shellcodes/blob/main/calc-exe.asm

🐥 [ tweet ]

#для_самых_маленьких

🥔 DeadPotato

This is a windows privilege escalation utility from the Potato family of exploits, leveraging the SeImpersonate right to obtain SYSTEM privileges. This script has been customized from the original GodPotato source code by BeichenDream.

🔗 Source:
https://github.com/lypd0/DeadPotato

#windows #lpe #potato #seimpersonate

😈 [ Cube0x0 @cube0x0 ]

Over a year ago, I left my position at WithSecure to start a new journey, create something new, and do my own thing. Today, I'm excited to publicly announce what I've been working on all this time.

Introducing 0xC2, a cross-platform C2 framework targeting Windows, Linux, and MacOS environments:

🔗 https://0xc2.io

The first release was back in late 2023, initially only offered to a small circle of red teamers and soon, the registration will be open for new clients who provide threat simulation services.

All agents are written as PIC in C to provide better opsec and to allow operators to be more flexible when designing payloads. To make the agents modular and fully customizable, operators can create a user-defined virtual table that can be hooked by the agent. This can be used to change the default behavior of an agent or extend capabilities, from adding internal commands to implementing P2P protocols.

More details will be available soon.

🐥 [ tweet ]

👻 Ghost in the PPL: BYOVDLL

This blog post explores bypassing LSA Protection in Userland through the "Bring Your Own Vulnerable DLL" (BYOVDLL) technique. It also delves into the successful exploitation of vulnerabilities in the CNG Key Isolation service and the methods employed to load vulnerable DLLs within protected processes.

🔗 Source:
https://itm4n.github.io/ghost-in-the-ppl-part-1/

#lsa #lsass #ppl #dll #maldev

DriverJack: Turning NTFS and Emulated Read-only Filesystems in an Infection and Persistence Vector

By: Alessandro Magnosi (@klezVirus)

DriverJack

Hijacking valid driver services to load arbitrary (signed) drivers abusing native symbolic links and NT paths

Key Attack Phases:

   1) ISO Mounting and Driver Selection
      1.1) The attack begins with mounting the ISO as a filesystem.
      1.2) The attacker selects a service driver that can be manipulated, focusing on those that can be started or restarted without immediate detection.
   2) Hijacking the Driver Path
      2.1) The core of the attack involves hijacking the driver path. The methods used include:
      2.2) Direct Reparse Point Abuse
      2.3) DosDevice Global Symlink Abuse
      2.4) Drive Mountpoint Swap