Уязвимости и атаки на CMS Bitrix

1. Особенности
2. Уязвимости
3. Методы атак

Приятного чтения!

🔐 Credential Guard Bypass

The well-known WDigest module, which is loaded by LSASS, has two interesting global variables: g_IsCredGuardEnabled and g_fParameter_UseLogonCredential. Their name is rather self explanatory, the first one holds the state of Credential Guard within the module, the second one determines whether clear-text passwords should be stored in memory. By flipping these two values, you can trick the WDigest module into acting as if Credential Guard was not enabled.

Research:
https://itm4n.github.io/credential-guard-bypass/

PoC:
https://github.com/itm4n/Pentest-Windows/blob/main/CredGuardBypassOffsets/poc.cpp

#lsass #wdigest #credential #guard #research

⚙️ WTFBins

WTFBin(n): a binary that behaves exactly like malware, except, somehow, it's not?
Site detailing noisy, false positive binaries created that's super helpful in getting filter ideas together for monitoring and hunting rules.

https://wtfbins.wtf/

#wtfbins #blueteam

😴 DeepSleep

A variant of Gargoyle for x64 to hide memory artifacts using ROP only and PIC

https://github.com/thefLink/DeepSleep

#memory #evasion #maldev

🎁 Application Security Pipelines
(Now with guides)

Scan your code, infrastructure configs and domains with many open source scanners.

Currently supported: trufflehog, gitleaks, bandit, gosec, spotbugs, terrascan, hadolint, retirejs, eslint, phpcs, sonarqube integration, semgrep, arachni, zap, subfinder, nuclei..

All reports will be passed to defectdojo

Guides:
https://github.com/Whitespots-OU/DevSecOps-Pipelines

Integration examples:
https://gitlab.com/whitespots-public/vulnerable-apps

#appsec #devsecops #pipelines

🔐 Combination of 2 PoCs for bypassing Credential Guard with in-memory invocation

PoC 1 (patch wdigest.dll):
https://gist.github.com/N4kedTurtle/8238f64d18932c7184faa2d0af2f1240

PoC 2 (find variable offsets in runtime):
https://github.com/itm4n/Pentest-Windows/blob/main/CredGuardBypassOffsets/poc.cpp

Merged:
https://gist.github.com/snovvcrash/43e976779efdd20df1596c6492198c99

#lsass #wdigest #credguard

🔍 Find Uncommon Shares

This Python tool equivalent of PowerView Invoke-ShareFinder.ps1 allows to quickly find uncommon shares in vast Windows Active Directory Domains.

https://github.com/p0dalirius/FindUncommonShares

#ad #enum #shares #tools

🩸Max (BloodHound)

Maximizing BloodHound with a simple suite of tools

https://github.com/knavesec/Max

#bloodhound #neo4j #cypher

🔥 MS-MSDT Office RCE

MS Office docx files may contain external OLE Object references as HTML files. There is an HTML sceme "ms-msdt:" which invokes the msdt diagnostic tool, what is capable of executing arbitrary code (specified in parameters). The result is a terrifying attack vector for getting RCE through opening malicious docx files (without using macros).

Research:
https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e

PoC:
https://github.com/JohnHammond/msdt-follina
https://github.com/chvancooten/follina.py
https://gist.github.com/tothi/66290a42896a97920055e50128c9f040

Demo Follina with Cobalt Strike:
https://www.youtube.com/watch?v=oM4GHtVvv1c

For BlueTeam:
https://gist.github.com/kevthehermit/5c8d52af388989cfa0ea38feace977f2

Everything new is well-forgotten old:
Research from August 2020. And a few other payloads.

#office #rce #msmsdt #nomacro

📒Simulating attacks with Sysmon

SysmonSimulator is an Open source Windows event simulation utility created in C language, that can be used to simulate most of the attacks using WINAPIs. This can be used by Blue teams for testing the EDR detections and correlation rules. I have created it to generate attack data for the relevant Sysmon Event IDs.

Attack coverage:

— Process Events
— File Events
— Named Pipes Events
— Registry Actions
— Image Loading
— Network Connections
— Create Remote Thread
— Raw Access Read
— DNS Query
— WMI Events
— Clipboard Capture
— Process Image Tampering

Research:
https://rootdse.org/posts/understanding-sysmon-events/

Tool:
https://github.com/ScarredMonk/SysmonSimulator

#sysmon #simulator #blueteam #lab

🕵️ OSINT Collection

Collection of 4000+ OSINT resources

https://metaosint.github.io/table

#osint #recon #collection

⚙️ Active Directory Delegation Management Tool

Is an Active Directory delegation management tool. It allows you to make a detailed inventory of delegations set up so far in a forest, along with their potential issues:

— Objects owned by users
— Objects with ACEs for users
— Non canonical ACL
— Disabled ACL inheritance
— Default ACL modified in schema
— Deleted delegation trustees

It also allows you to document your delegation model in JSON files, to obtain a more readable view:

https://github.com/mtth-bfft/adeleg

#ad #delegations #ace #acl #tools

🔥 Фильм о команде Codeby на The Standoff 2022

Друзья, уже в скором времени мы будем готовы представить вам документальный фильм об участии команды Codeby на мероприятии The Standoff 2022!

Вспомним, какие эмоции испытывали все мы каждый день соревнований, а также узнаем, что происходило в эти дни от лица игроков. А пока предлагаем вам насладиться просмотром небольшого трейлера!

🔑 Extracting Credentials from Chrome Memory

An excellent study on how Chrome's memory works and how to extract credentials, cookies, etc. in а low privileges plain text format.

https://www.cyberark.com/resources/threat-research-blog/extracting-clear-text-credentials-directly-from-chromium-s-memory

#chrome #memory #dump #creds