Forwarded from Peneter Media
Bypass EDR (CrowdStrike and Microsoft Defender) 2022
— Abuse situations where the sensor is not configured and not updated
— The researcher has used the following 12 techniques:
1. Shellcode encryption
2. Reducing entropy
3. Escaping the (local) AV sandbox
4. Import table obfuscation
5. Disabling Event Tracing for Windows (ETW)
6. Evading common malicious API call patterns
7. Direct system calls and evading “mark of the syscall”
8. Removing hooks in ntdll.dll
9. Spoofing the thread call stack
10. In-memory encryption of beacon
11. A custom reflective loader
12. OpSec configurations in your Malleable profile
https://vanmieghem.io/blueprint-for-evading-edr-in-2022/
#EDR #crowdstrike #endpoint
Vincent Van Mieghem
A blueprint for evading industry leading endpoint protection in 2022
Bypassing CrowdStrike and Microsoft Defender for Endpoint
Forwarded from Peneter Tools
Inspired by 7-Zip CVE-2022-29072: this vulnerability also exists in XVI32.
by: Will Dormann
https://twitter.com/wdormann/status/1516217431437500419?s=21&t=f9YqLUEf65ykpDUdF5MCYw
7zip: https://t.iss.one/Peneter_Tools/305
Forwarded from Peneter Tools
Security researcher Maddie Stone from Google’s Project Zero has published a blog post reviewing the in-the-wild 0-day exploits discovered in 2021.
I added PoCs or available exploits for easier access.
Blog:
https://googleprojectzero.blogspot.com/2022/04/the-more-you-know-more-you-know-you.html
Exploits:
RCE in #Apache HTTP CVE-2021-41773
https://github.com/thehackersbrain/CVE-2021-41773
14 in Google #Chrome
6 JavaScript Engine - v8 (CVE-2021-21148, CVE-2021-30551, CVE-2021-30563, CVE-2021-30632, CVE-2021-37975, CVE-2021-38003)
https://github.com/xmzyshypnc/CVE-2021-30551
https://github.com/Phuong39/PoC-CVE-2021-30632
https://github.com/github/securitylab/tree/main/SecurityExploits/Chrome/v8/CVE-2021-37975
2 DOM Engine - Blink (CVE-2021-21193 & CVE-2021-21206)
1 WebGL (CVE-2021-30554)
1 IndexedDB (CVE-2021-30633)
1 webaudio (CVE-2021-21166)
1 Portals (CVE-2021-37973)
1 Android Intents (CVE-2021-38000)
1 Core (CVE-2021-37976)
7 in WebKit #safari
4 JavaScript Engine - JavaScriptCore (CVE-2021-1870, CVE-2021-1871, CVE-2021-30663, CVE-2021-30665)
1 IndexedDB (CVE-2021-30858)
1 Storage (CVE-2021-30661)
1 Plugins (CVE-2021-1879)
4 in #IE
MSHTML browser engine (CVE-2021-26411, CVE-2021-33742, CVE-2021-40444)
JavaScript Engine - JScript9 (CVE-2021-34448)
10 in #Windows
2 Enhanced crypto provider (CVE-2021-31199, CVE-2021-31201)
2 NTOS kernel (CVE-2021-33771, CVE-2021-31979)
2 Win32k (CVE-2021-1732, CVE-2021-40449)
https://github.com/Al1ex/WindowsElevation/tree/master/CVE-2021-1732
https://github.com/Kristal-g/CVE-2021-40449_poc
1 Windows update medic (CVE-2021-36948)
1 SuperFetch (CVE-2021-31955)
https://github.com/freeide/CVE-2021-31955-POC
1 dwmcore.dll (CVE-2021-28310)
https://github.com/Rafael-Svechinskaya/IOC_for_CVE-2021-28310/blob/main/Malicious%20Payloads
1 ntfs.sys (CVE-2021-31956)
https://github.com/aazhuliang/CVE-2021-31956-EXP
5 in #iOS and #macOS
IOMobileFrameBuffer (CVE-2021-30807, CVE-2021-30883)
https://github.com/jsherman212/iomfb-exploit
XNU Kernel (CVE-2021-1782 & CVE-2021-30869)
https://github.com/synacktiv/CVE-2021-1782
CoreGraphics (CVE-2021-30860)
https://github.com/jeffssh/CVE-2021-30860
CommCenter (FORCEDENTRY sandbox escape - CVE requested, not yet assigned)
7 in #Android
Qualcomm Adreno GPU driver (CVE-2020-11261, CVE-2021-1905, CVE-2021-1906)
ARM Mali GPU driver (CVE-2021-28663, CVE-2021-28664)
Upstream Linux kernel (CVE-2021-1048, CVE-2021-0920)
5 in Microsoft #Exchange Server
(CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065)
https://github.com/0xAbdullah/CVE-2021-26855
https://github.com/sirpedrotavares/Proxylogon-exploit
https://github.com/hictf/CVE-2021-26855-CVE-2021-27065
(CVE-2021-42321)
https://github.com/DarkSprings/CVE-2021-42321
The More You Know, The More You Know You Don’t Know
A Year in Review of 0-days Used In-the-Wild in 2021 Posted by Maddie Stone, Google Project Zero This is our third annual year in rev...
Forwarded from Peneter Tools
PoC for an NTLM relay attack dubbed DFSCoerce.
The method leverages the Distributed File System: Namespace Management Protocol (MS-DFSNM) to seize control of a Windows domain.
https://github.com/Wh04m1001/DFSCoerce
Forwarded from Peneter Tools
It's a Docker environment for pentesting that has all the required tools for VAPT.
https://github.com/RAJANAGORI/Nightingale
Tools List:
https://owasp.org/www-project-nightingale/
Nightingale Docker for Pentesters is a comprehensive Dockerized environment tailored for penetration testing and vulnerability assessment. It comes preconfigured with all essential tools and utilit...
Forwarded from Peneter Media
Penetration Testing Sample Report
A bunch of pentest reports can be found on https://pentestreports.com/reports/
Node.js security releases announced - high severity vulnerabilities in all active versions
https://groups.google.com/g/nodejs-sec/c/TXKhlMr55UA/m/Sqak2IJnBAAJ
Forwarded from Peneter Tools
Amsi-Bypass-Powershell
This repo contains some Antimalware Scan Interface (AMSI) bypass / avoidance methods I found on different blog posts.
Most of the scripts are detected by AMSI itself. So you have to find the trigger (https://github.com/RythmStick/AMSITrigger) and change the signature at that part via variable/function renaming, string replacement, or encoding and decoding at runtime. Alternatively, obfuscate them via ISESteroids and/or Invoke-Obfuscation to get them working. You can also take a look at the blog post (https://s3cur3th1ssh1t.github.io/Bypass_AMSI_by_manual_modification/) about manually changing the signature to get a valid bypass again.
https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell
Source:
https://i.blackhat.com/Asia-22/Friday-Materials/AS-22-Korkos-AMSI-and-Bypass.pdf
For more and Reference :
https://twitter.com/ShitSecure
CVE-2022-32250 (CVE-2022-1966) - A 6-year-old bug in the Linux kernel exploited by NCC Group
https://www.openwall.com/lists/oss-security/2022/05/31/1
Get those patches:
https://access.redhat.com/security/cve/CVE-2022-1966
https://ubuntu.com/security/CVE-2022-1966
https://www.debian.org/security/2022/dsa-5161
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-32250
Forwarded from Peneter Tools
Security firm SpecterOps has open-sourced a new tool called Koh that can be used to capture Windows account authentication tokens for new logon sessions and reuse them for future attacks.
https://github.com/GhostPack/Koh
https://posts.specterops.io/koh-the-token-stealer-41ca07a40ed6
CVE-2022-32212: Node.js arbitrary code execution vulnerability
Recently, Node.js released an advisory to fix seven vulnerabilities including three separate HTTP Request Smuggling, one code execution (CVE-2022-32212), and other flaws.
https://securityonline.info/cve-2022-32212-node-js-arbitrary-code-execution-vulnerability/
Aqua Team Nautilus recently discovered that all Node.js versions earlier than 16.16.0 (LTS) and 14.20.0 on Windows are vulnerable to dynamic link library (DLL) hijacking if OpenSSL is installed on the host. Attackers can exploit this vulnerability (CVE-2022-32223) to escalate their privileges and establish persistence in a target environment. The vulnerability can also provide another way to embed malicious code into packages.
https://blog.aquasec.com/cve-2022-32223-dll-hijacking
Open-source analytics and interactive visualization solution Grafana recently received a critical update to fix two high-severity security vulnerabilities that enabled account takeover (CVE-2022-31107).
https://securityonline.info/cve-2022-31107-grafana-oauth-account-takeover-vulnerability/
Tracked as CVE-2022-31107, the flaw is an OAuth account takeover vulnerability with a CVSS severity score of 7.1.
UnRAR before 6.12 on Linux and UNIX allows directory traversal to write to files during an extract (aka unpack) operation, as demonstrated by creating a ~/.ssh/authorized_keys file. NOTE: WinRAR and Android RAR are unaffected.
https://attackerkb.com/topics/RCa4EIZdbZ/cve-2022-30333/rapid7-analysis
#unrar #zimbra
Multiple Vulnerabilities in Atlassian Products (CVE-2022-26136, CVE-2022-26137, CVE-2022-26138)
Nuclei added a template for the hardcoded-credentials vulnerability:
https://github.com/projectdiscovery/nuclei-templates/pull/4889
Atlassian advisory:
https://confluence.atlassian.com/doc/confluence-security-advisory-2022-07-20-1142446709.html
Blog:
https://bugalert.org/content/notices/2022-07-20-atlassian.html?src=r
#Atlassian #hardcoded
Added CVE-2022-26138 (Questions For Confluence - Default Login) by ehsandeep · Pull Request #4889 · projectdiscovery/nuclei-templates
References:
https://twitter.com/fluepke/status/1549892089181257729
https://confluence.atlassian.com/doc...
Apple released multiple security updates for iPadOS and iOS
WebKit:
CVE-2022-32787, CVE-2022-32816
Kernel:
CVE-2022-32813, CVE-2022-32817, CVE-2022-32815: Xinru Chi of Pangu Lab
https://support.apple.com/ko-kr/HT213346
#apple #update
About the security content of iOS 15.6 and iPadOS 15.6
Clément Labro published a blog post with a deep dive into the recent changes in Windows 10 & 11 security hardening brought by the July Patch Tuesday. It turned out that Microsoft quietly fixed a bypass issue that existed in the Protected Process Light (PPL) technology, which made it impossible to use the well-known PPLdump tool anymore. This tool is designed to run under an admin account and dump the memory of a specific PPL-protected process. It became known a few days ago, when an issue was opened for PPLdump on GitHub stating that it no longer worked on Windows 10 21H2 Build 19044.1826. The details:
https://itm4n.github.io/the-end-of-ppldump/
#redteam #hardening
The End of PPLdump
A few days ago, an issue was opened for PPLdump on GitHub, stating that it no longer worked on Windows 10 21H2 Build 19044.1826. I was skeptical at first so I fired up a new VM and started investigating. Here is what I found…
Kaspersky’s GReAT discovered a new version of the sophisticated UEFI firmware rootkit CosmicStrand, which allows its owners to achieve very robust and stealthy persistence in the system, with only a few security products able to detect it. The rootkit is located in the firmware images of Gigabyte or ASUS motherboards. Victims of CosmicStrand were found in China, Vietnam, Iran and Russia.
https://securelist.com/cosmicstrand-uefi-firmware-rootkit/106973/
CosmicStrand: the discovery of a sophisticated UEFI firmware rootkit
In this report, we present a UEFI firmware rootkit that we called CosmicStrand and attribute to an unknown Chinese-speaking threat actor.
👍1
One of the most common methods of maintaining access to a Windows web server is a web shell, but this can also be done by installing a malicious extension on IIS as a backdoor to run commands and dump passwords. Learn how to identify and defend against these threats in our new blog post:
https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/
Attackers are increasingly leveraging managed IIS extensions as covert backdoors into servers, providing a durable persistence mechanism for attacks.
Microsoft discovered and patched a 0-day exploit (CVE-2022-22047) that KNOTWEED, an Austria-based private-sector offensive actor, used to deploy Subzero malware. Analysis of campaigns, tactics, & payloads in this MSTIC blog:
https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/
Running Exploit As Protected Process Light (PPL) From Userland
Protected Process Light (PPL) is a security mechanism introduced by Microsoft in Windows 8.1. It ensures that the operating system only loads trusted services and processes by requiring them to have a valid internal or external signature that meets the Windows requirements. It also restricts access to processes and is used as a self-defence mechanism by anti-malware and Windows native processes.
This blog reviews the recently patched (Windows 10 21H2 10.0.19044.1826, 24 July 2022 update)
https://tastypepperoni.medium.com/running-exploit-as-protected-process-ligh-from-userland-f4c7dfe63387
https://github.com/tastypepperoni/RunAsWinTcb