RefleXXion
RefleXXion is a utility designed to aid in bypassing user-mode hooks utilised by AV/EPP/EDR etc. In order to bypass the user-mode hooks, it first collects the syscall numbers of the NtOpenFile, NtCreateSection, NtOpenSection and NtMapViewOfSection found in the LdrpThunkSignature array.
https://github.com/hlldz/RefleXXion
#edr #evasion #cpp #redteam
SonicWall SMA-100 Unauth RCE
Bad Blood is an exploit for CVE-2021-20038, a stack-based buffer overflow in the httpd binary of SMA-100 series systems using firmware versions 10.2.1.x. The exploit, as written, will open up a telnet bind shell on port 1270. An attacker that connects to the shell will achieve execution as nobody.
Research:
https://attackerkb.com/topics/QyXRC1wbvC/cve-2021-20038/rapid7-analysis
Exploit:
https://github.com/jbaines-r7/badblood
#sonicwall #exploit #rce #cve
Linux Root PrivEsc and Escaping Containers (CVE-2022-0185)
Research:
https://www.willsroot.io/2022/01/cve-2022-0185.html
Exploit:
https://github.com/Crusaders-of-Rust/CVE-2022-0185
#linux #kernel #lpe #escape #container #0day
PwnKit: Local Privilege Escalation Vulnerability in Polkit’s Pkexec (CVE-2021-4034)
The Qualys Research Team has discovered a memory corruption vulnerability in polkit’s pkexec, a SUID-root program that is installed by default on every major Linux distribution. This easily exploited vulnerability allows any unprivileged user to gain full root privileges on a vulnerable host by exploiting this vulnerability in its default configuration.
Research:
https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034
PoC:
https://github.com/arthepsy/CVE-2021-4034
Exploit:
https://github.com/berdav/CVE-2021-4034
#linux #lpe #polkit #cve
Cobalt Strike, a Defender’s Guide
This research exposes adversarial Tactics, Techniques and Procedures (TTPs) as well as the tools used to execute mission objectives. In most cases, the threat actors utilize Cobalt Strike. Therefore, defenders should know how to detect Cobalt Strike in the various stages of its execution. The primary purpose of these articles is to expose the most common techniques from the intrusions tracked and provide detections. Having said that, not all of Cobalt Strike’s features will be discussed.
https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
https://thedfirreport.com/2022/01/24/cobalt-strike-a-defenders-guide-part-2/
#cobaltstrike #research #blueteam
List of Vulnerable Functions for Different Languages
This list contains signatures for potentially vulnerable functions for numerous languages in a format suitable for use.
https://rules.sonarsource.com/
https://github.com/wireghoul/graudit
#appsec #vulnerable #function #source
FunctionStomping
This is a brand-new technique for shellcode injection to evade AVs and EDRs. This technique is inspired by Module Stomping and has some similarities. The big advantage of this technique is that it isn't overwriting an entire module or PE, just one function, and the target process can still use any other function from the target module.
https://github.com/Idov31/FunctionStomping
#edr #evasion #stomping #maldev #cpp
Windows Win32k — Local Privilege Escalation (CVE-2022-21882)
https://github.com/KaLendsi/CVE-2022-21882
#windows #lpe #cve
Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign
StellarParticle, an adversary campaign associated with COZY BEAR, was active throughout 2021, leveraging novel tactics and techniques in supply chain attacks observed by CrowdStrike incident responders.
https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/
#threatintel #dfir #blueteam #malware
Converting C# Tools to PowerShell
In this post, we will be looking at how we can make our own PowerSharpPack by learning how to convert ANY C# tool into a PowerShell script ourselves. This is useful in cases where we want to modify a specific tool’s default behavior, use a tool that hasn’t already been converted for us, or use a custom tool that we develop ourselves.
https://icyguider.github.io/2022/01/03/Convert-CSharp-Tools-To-PowerShell.html
SysWhispers is dead, long live SysWhispers!
This post takes a journey around the fantastic tool SysWhispers and covers some of the strategies that can be adopted to detect it, both statically and dynamically.
https://klezvirus.github.io/RedTeaming/AV_Evasion/NoSysWhisper/
#edr #evasion #syscall #redteam #blueteam
LFIDump
A simple python script to dump remote files through a local file read or local file inclusion web vulnerability.
https://github.com/p0dalirius/LFIDump
#lfi #dump #tools #bugbounty
NTLM Relaying — A comprehensive guide
This guide covers a range of techniques from most common to the lesser-known.
https://www.trustedsec.com/blog/a-comprehensive-guide-on-relaying-anno-2022/
#ad #ntlm #relay #guide
EmbedExeLnk
Embedding an EXE inside a LNK with automatic execution
https://www.x86matthew.com/view_post?id=embed_exe_lnk
#embed #lnk #exe #cpp