Windows Kernel Introspection (WKI) https://amonsec.net/posts/2022/09/0000000d/
amonsec.net
Windows Kernel Introspection (WKI)
Table of contents: Introduction; User-Mode Application; Kernel-Mode Driver; Example: Listing Kernel Memory Pool Tag; Final Thoughts. Over the last few years that I spent learning more and more about Microsoft Windows, it has been…
Reviewing macOS Unified Logs https://www.mandiant.com/resources/blog/reviewing-macos-unified-logs
Mandiant
macOS Unified Logs | Challenges Related to the Unified Logs
Reviewing macOS Unified Logs. We cover an overview of macOS Unified Logs and the challenges presented in using them during an investigation.
Crimeware Trends | Ransomware Developers Turn to Intermittent Encryption to Evade Detection https://www.sentinelone.com/labs/crimeware-trends-ransomware-developers-turn-to-intermittent-encryption-to-evade-detection/
SentinelOne
Crimeware Trends | Ransomware Developers Turn to Intermittent Encryption to Evade Detection
Partially encrypting victims' files improves ransomware speed and aids evasion. First seen in LockFile, the technique is now being widely adopted.
Profiling DEV-0270: PHOSPHORUS’ ransomware operations https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/
Microsoft News
Profiling DEV-0270: PHOSPHORUS’ ransomware operations
Microsoft threat intelligence teams have been tracking multiple ransomware campaigns tied to DEV-0270, also known as Nemesis Kitten, a sub-group of Iranian actor PHOSPHORUS.
Fun with Windows Containers - Popping Calc https://raesene.github.io/blog/2022/09/03/Fun-With-Windows-Containers-Popping-Calc/
raesene.github.io
Fun with Windows Containers - Popping Calc
Exploiting Intel Graphics Kernel Extensions on macOS https://blog.ret2.io/2022/06/29/pwn2own-2021-safari-sandbox-intel-graphics-exploit/
RET2 Systems Blog
Exploiting Intel Graphics Kernel Extensions on macOS
To escape the Safari sandbox for our Pwn2Own 2021 submission, we exploited a vulnerability in the Intel graphics acceleration kernel extensions (drivers) on ...
SSD Advisory – Linux CONFIG_WATCH_QUEUE LPE https://ssd-disclosure.com/ssd-advisory-linux-config_watch_queue-lpe/?hello-lanjelot
SSD Secure Disclosure
SSD Advisory – Linux CONFIG_WATCH_QUEUE LPE - SSD Secure Disclosure
A vulnerability in the way Linux handles the CONFIG_WATCH_QUEUE allows local attackers to reach a race condition and use this to elevate their privileges to root.
Nice notes on this topic » SAT/SMT by Example (by Dennis Yurichev) https://sat-smt.codes/SAT_SMT_by_example.pdf
Fork Bomb for Flutter https://swarm.ptsecurity.com/fork-bomb-for-flutter/
PT SWARM
Fork Bomb for Flutter
Flutter applications can be found in security analysis projects or bugbounty programs. Most often, such assets are simply overlooked due to the lack of methodologies and ways to reverse engineer them. I decided not to skip this anymore and developed the reFlutter…
Fuzzing beyond memory corruption: Finding broader classes of vulnerabilities automatically https://security.googleblog.com/2022/09/fuzzing-beyond-memory-corruption.html
Google Online Security Blog
Fuzzing beyond memory corruption: Finding broader classes of vulnerabilities automatically
Posted by Jonathan Metzman, Dongge Liu and Oliver Chang, Google Open Source Security Team Recently, OSS-Fuzz —our community fuzzing servi...
Thoughts on the use of noVNC for phishing campaigns https://adepts.of0x.cc/novnc-phishing/
Thoughts on the use of noVNC for phishing campaigns | AdeptsOf0xCC
Detecting NoVNC for phishing campaigns
Browser Exploitation: Firefox OOB to RCE https://vulndev.io/2022/09/09/browser-exploitation-firefox-oob-to-rce/
Uninitialized Memory Disclosures in Web Applications https://blog.silentsignal.eu/2020/04/20/uninitialized-memory-disclosures-in-web-applications/
The seventh way to call a JavaScript function without parentheses https://portswigger.net/research/the-seventh-way-to-call-a-javascript-function-without-parentheses
PortSwigger Research
The seventh way to call a JavaScript function without parentheses
I thought I knew all the ways to call functions without parentheses: alert`1337` throw onerror=alert,1337 Function`x${'alert\x281337\x29'}x``` 'alert\x281337\x29'instanceof{[Symbol['hasInstance']]:eva
WriteProcessMemoryAPC - Write memory to a remote process using APC calls https://www.x86matthew.com/view_post?id=writeprocessmemory_apc
The Anatomy of a Malicious Package https://blog.phylum.io/malicious-javascript-code-in-npm-malware
Dead or Alive? An Emotet Story https://thedfirreport.com/2022/09/12/dead-or-alive-an-emotet-story/
The DFIR Report
Dead or Alive? An Emotet Story - The DFIR Report
In this intrusion from May 2022, we observed a domain-wide compromise that started from a malware-ridden Excel document containing the never-dying malware, Emotet. The post-exploitation started very soon after the initial compromise. The threat actors began…
memOptix: A Jupyter notebook to assist with the analysis of the output generated from Volatility memory extraction framework https://github.com/blueteam0ps/memOptix/
GitHub
GitHub - blueteam0ps/memOptix: A Jupyter notebook to assist with the analysis of the output generated from Volatility memory extraction…
A Jupyter notebook to assist with the analysis of the output generated from Volatility memory extraction framework. - blueteam0ps/memOptix
Attacking the Android kernel using the Qualcomm TrustZone https://tamirzb.com/attacking-android-kernel-using-qualcomm-trustzone
Tamir Zahavi-Brunner’s Blog
Attacking the Android kernel using the Qualcomm TrustZone
In this post I describe a somewhat unique Android kernel exploit, which utilizes the TrustZone in order to compromise the kernel.