Reference Library
Specialized book reference

Book archive channel link:
@BOOKzMA
Lazarus_Byovd.pdf
3.2 MB
#Whitepaper
"Lazarus & BYOVD: Evil to the Windows Core", 2022.

In October 2021, we recorded an attack on an endpoint of a corporate network in the Netherlands [1]. Various types of
malicious tools were deployed onto the victim’s computer, many of which can confidently be attributed to the infamous
Lazarus threat actor [2]. Besides usual malware like HTTP(S) backdoors, downloaders and uploaders, one sample attracted
our curiosity – an 88,064-byte user-mode dynamically linked library with internal name FudModule. Its functionality is the
main subject of this paper.
windows_privileges.pdf
123.5 KB
Windows has user privileges such as SeDebugPrivilege, SeImpersonatePrivilege, SeBackupPrivilege and others; they can even be used to elevate privileges on the system. Most people have at some point wanted to test such an escalation in a lab, and at that moment the same question comes up: "how do I give the user these privileges?". It is actually not that simple: you need to edit the GPO and reboot the host. But a respected researcher has released the Privileger tool, which lets you quickly and easily grant the right privilege to any user in two elegant ways:
1. Through the LSA, by calling the LsaAddAccountRights() function
2. By creating a process with the necessary privileges added to its access token.
It also helps, for debugging or during a pentest, to find the necessary privilege for users on hosts in the network.
#windows #privilege
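The first of the two methods above, granting a user right through the LSA with LsaAddAccountRights(), as an added PowerShell example. This is not Privileger's own code and is not part of the post; it calls the documented advapi32 functions (LsaOpenPolicy, LsaAddAccountRights, LsaClose, LsaNtStatusToWinError) via P/Invoke. The account name `labuser`, the chosen privilege and the export path under $env:TEMP are assumed placeholders for a lab host; run it from an elevated PowerShell.

```powershell
# Added example (not Privileger's code): grant a user right via the LSA with LsaAddAccountRights().
# Assumptions: run as administrator on the target host; "labuser" is a placeholder lab account.
param(
    [string]$Account   = "$env:COMPUTERNAME\labuser",   # assumed lab account
    [string]$Privilege = "SeDebugPrivilege"             # any privilege/user-right name
)

Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;

public static class LsaNative
{
    [StructLayout(LayoutKind.Sequential)]
    public struct LSA_UNICODE_STRING
    {
        public ushort Length;         // in bytes, not characters
        public ushort MaximumLength;  // in bytes, including the terminator
        public IntPtr Buffer;
    }

    [StructLayout(LayoutKind.Sequential)]
    public struct LSA_OBJECT_ATTRIBUTES
    {
        public int    Length;
        public IntPtr RootDirectory;
        public IntPtr ObjectName;
        public uint   Attributes;
        public IntPtr SecurityDescriptor;
        public IntPtr SecurityQualityOfService;
    }

    // Access rights LsaAddAccountRights needs on the policy handle.
    public const uint POLICY_CREATE_ACCOUNT = 0x00000010;
    public const uint POLICY_LOOKUP_NAMES   = 0x00000800;

    [DllImport("advapi32.dll")]
    public static extern uint LsaOpenPolicy(IntPtr SystemName, ref LSA_OBJECT_ATTRIBUTES ObjectAttributes,
                                            uint DesiredAccess, out IntPtr PolicyHandle);
    [DllImport("advapi32.dll")]
    public static extern uint LsaAddAccountRights(IntPtr PolicyHandle, byte[] AccountSid,
                                                  LSA_UNICODE_STRING[] UserRights, uint CountOfRights);
    [DllImport("advapi32.dll")]
    public static extern uint LsaNtStatusToWinError(uint Status);
    [DllImport("advapi32.dll")]
    public static extern uint LsaClose(IntPtr ObjectHandle);
}
'@

# Resolve the account name to a binary SID (LsaAddAccountRights takes a SID, not a name).
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier])
$sidBytes = New-Object byte[] $sid.BinaryLength
$sid.GetBinaryForm($sidBytes, 0)

# Open the local LSA policy (SystemName = NULL means this host).
$attrs = New-Object LsaNative+LSA_OBJECT_ATTRIBUTES
$attrs.Length = [System.Runtime.InteropServices.Marshal]::SizeOf($attrs)
$policy = [IntPtr]::Zero
$access = [LsaNative]::POLICY_CREATE_ACCOUNT -bor [LsaNative]::POLICY_LOOKUP_NAMES
$status = [LsaNative]::LsaOpenPolicy([IntPtr]::Zero, [ref]$attrs, $access, [ref]$policy)
if ($status -ne 0) { throw "LsaOpenPolicy failed, Win32 error $([LsaNative]::LsaNtStatusToWinError($status))" }

$buf = [IntPtr]::Zero
try {
    # Build the LSA_UNICODE_STRING for the privilege name; both lengths are byte counts.
    $buf = [System.Runtime.InteropServices.Marshal]::StringToHGlobalUni($Privilege)
    $right = New-Object LsaNative+LSA_UNICODE_STRING
    $right.Buffer        = $buf
    $right.Length        = [uint16]($Privilege.Length * 2)
    $right.MaximumLength = [uint16](($Privilege.Length + 1) * 2)

    $status = [LsaNative]::LsaAddAccountRights($policy, $sidBytes, [LsaNative+LSA_UNICODE_STRING[]]@($right), 1)
    if ($status -ne 0) { throw "LsaAddAccountRights failed, Win32 error $([LsaNative]::LsaNtStatusToWinError($status))" }
    Write-Output "Granted $Privilege to $Account (present in the user's token from the next logon)."
}
finally {
    [System.Runtime.InteropServices.Marshal]::FreeHGlobal($buf)
    [void][LsaNative]::LsaClose($policy)
}

# Check: export the local user-rights policy and show the line for this privilege, which
# lists the SIDs that hold it, e.g. "SeDebugPrivilege = *S-1-5-32-544,*S-1-5-21-...".
$inf = Join-Path $env:TEMP "secpol_check.inf"   # assumed scratch path
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
Get-Content $inf | Select-String "^$Privilege\s*="
```

Note that the right is stored in the LSA policy database, so it shows up in the secedit export immediately, but it is only placed in the account's access token at logon: have the target user log off and on again (no reboot needed) and confirm with `whoami /priv` in that session before testing an escalation that depends on it.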
Hidden_in_Plain_Sight.pdf
862.4 KB
"Hidden in Plain Sight: Exploring Encrypted Channels in Android apps", 2022.
ThreatPro.pdf
1.5 MB
"ThreatPro: Multi-Layer Threat Analysis in the Cloud", 2022.
#Cloud_Security
#Threat_Research
WindTape.pdf
18.1 MB
"Unmasking WindTape: an in-depth analysis of OSX.WindTape", 2022.
#Malware_analysis
DaNuoYi.pdf
1.7 MB
"DaNuoYi: Evolutionary Multi-Task Injection Testing on Web Application Firewalls", 2022.

]-> Multitask Injection Generation Tool:
https://github.com/yangheng95/DaNuoYi
Matrix.pdf
199.4 KB
"Practically-exploitable Cryptographic Vulnerabilities in Matrix Communication Protocol", 2022.

#cryptography
CacheQL.pdf
2.1 MB
"CacheQL: Quantifying and Localizing Cache Side-Channel Vulnerabilities in Production Software", 2022.
HTB Cheat Sheet.pdf
173.1 KB
HTB CheatSheet Labs

#HTB
📚
OWASP.pdf
10.2 MB
OWASP guide in Russian.
#OWASP
📚
redteam_with_onenote (1).pdf
576.3 KB
#Red_Team

RedTeam With OneNote Sections

1. Not affected by Protected View / MOTW
2. Allows embedding malicious Excel/Word/PPT files that open without Protected View
3. Allows embedding HTA, LNK and EXE files and spoofing their extensions
4. The document can be formatted so that users are tricked into opening a malicious file or link
decap.pdf
676.3 KB
#Research
"Decap: Deprivileging Programs by Reducing Their Capabilities", 2022.

]-> Tools for BPF-based Linux IO analysis, networking, monitoring, and more:
https://github.com/iovisor/bcc