#exploit
1. Unpacking CVE-2021-40444: A Deep Technical Analysis of an Office RCE Exploit
https://billdemirkapi.me/unpacking-cve-2021-40444-microsoft-office-rce
2. CVE-2021-38000: Chrome Intents Logic Flaw
https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-38000.html
@BlueRedTeam
#Red_Team
A cheat sheet that contains advanced queries for SQL Injection of all types
https://github.com/kleiton0x00/Advanced-SQL-Injection-Cheatsheet
@BlueRedTeam
#Blue_Team
1. Strategically Aged Domain Detection: Capture APT Attacks With DNS Traffic Trends
https://unit42.paloaltonetworks.com/strategically-aged-domain-detection
2. Windows Process Listing using NTQuerySystemInformation
https://tbhaxor.com/windows-process-listing-using-ntquerysysteminformation
@BlueRedTeam
#Blue_Team
An "Attack Path" Mapping Approach to CVEs 2021-42287 and 2021-42278
https://www.trustedsec.com/blog/an-attack-path-mapping-approach-to-cves-2021-42287-and-2021-42278
@BlueRedTeam
#Red_Team
1. Domain Escalation - sAMAccountName Spoofing
https://pentestlab.blog/2022/01/10/domain-escalation-samaccountname-spoofing
2. Loading dbk64.sys and grabbing a handle to it
https://github.com/ioncodes/ceload
3. O365 - Bypass Malicious Link Analysis
<a href="phishing link">click</a> ==> junk
<a href="" href="phishing link">click</a> ==> inbox
// If you compose an email containing a link via the "Reply" function in O365, intercept the request and add an extra, empty href attribute in front of the real one; O365 then no longer scans the link
@BlueRedTeam
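The duplicated href above is a parser-differential trick: an HTML parser that keeps the first occurrence of an attribute (the rule browsers follow) sees an empty link, while one that keeps the last (anything that builds a dict from the attribute list) sees the real URL, so a scanner and a mail client can disagree about what they are looking at. The following is an added example, not code from the original post and not a description of how O365's scanner actually works; it uses Python's html.parser, which hands back every attribute occurrence, to show both readings side by side and to flag any anchor that carries the same attribute twice. The URL is constructed.

```python
# Added example (not from the original post): shows why a duplicated
# attribute is a parser-differential problem. Which value the O365
# link scanner and the mail client actually pick is not known here;
# the two strategies below are just the two obvious choices.
from html.parser import HTMLParser


class AnchorCollector(HTMLParser):
    """Collect the raw attribute list of every <a> tag, duplicates included.

    html.parser does not de-duplicate attributes, which is exactly what
    lets us observe the ambiguity instead of silently resolving it."""

    def __init__(self):
        super().__init__()
        self.anchors = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.anchors.append(attrs)


def analyse_anchors(html):
    """For each <a>, report the href a first-wins parser sees (HTML5 rule:
    later duplicates are dropped), the href a last-wins parser sees (e.g. a
    scanner doing dict(attrs)), and whether the two readings disagree."""
    p = AnchorCollector()
    p.feed(html)
    results = []
    for attrs in p.anchors:
        hrefs = [v for k, v in attrs if k == "href"]
        first = hrefs[0] if hrefs else None
        last = dict(attrs).get("href")  # dict() keeps the last occurrence
        results.append({
            "hrefs": hrefs,
            "first_wins": first,
            "last_wins": last,
            "ambiguous": len(hrefs) > 1 and first != last,
        })
    return results


def find_duplicate_attr_anchors(html):
    """Defensive check: flag any anchor carrying the same attribute twice.
    Rejecting or rewriting such markup closes the differential regardless
    of which value the downstream renderer would have picked."""
    return [r for r in analyse_anchors(html) if len(r["hrefs"]) > 1]


# Constructed samples mirroring the two variants in the post.
CLEAN = '<a href="https://evil.example/login">click</a>'
DOUBLED = '<a href="" href="https://evil.example/login">click</a>'

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("doubled", DOUBLED)):
        print(label, analyse_anchors(sample))
```

A link scanner that normalises the attribute list before extracting URLs (or simply treats any duplicated attribute as suspicious, as `find_duplicate_attr_anchors` does) is not fooled by this, whichever value the mail client ends up rendering.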
#tools
#Blue_Team
1. SysmonSimulator: Sysmon event simulation utility which can be used to simulate the attacks to generate the Sysmon Event logs for testing the EDR detections and correlation rules
https://github.com/ScarredMonk/SysmonSimulator
2. DefenderDetectionhistoryParser: A parser of Windows Defender's DetectionHistory forensic artifact, containing substantial info about quarantined files and executables
https://github.com/jklepsercyber/defender-detectionhistory-parser
@BlueRedTeam
#Red_Team
A collection of Python scripts for Red Teaming or otherwise
https://github.com/Brunocs1991/Udemy_React_Redux
@BlueRedTeam
#Red_Team
1. Domain Escalation - ShadowCoerce [MS-FSRVP]
https://pentestlaboratories.com/2022/01/11/shadowcoerce
]-> MS-FSRVP coercion abuse PoC:
https://github.com/ShutdownRepo/ShadowCoerce
2. Bash script to check whether a domain, or a list of domains, can be spoofed based on its DMARC record
https://github.com/v4d1/SpoofThatMail
@BlueRedTeam
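The DMARC check the second item describes comes down to reading the `_dmarc.<domain>` TXT record and asking whether the receiving side will actually enforce anything. Below is an added example, not SpoofThatMail's own code, that parses a DMARC record and returns a spoofability verdict: no record, no `v=DMARC1`, `p=none`, a `pct` below 100, or a weaker `sp=` for subdomains all mean spoofed mail is likely to be delivered. The records and domain names are constructed so the block runs offline; a real check would obtain the TXT string from DNS first.

```python
# Added example (not SpoofThatMail's code): parse a DMARC TXT record and
# decide whether spoofing the domain is likely to reach the inbox.
# Records below are constructed; real ones come from _dmarc.<domain> TXT.


def parse_dmarc(txt):
    """Split 'v=DMARC1; p=reject; ...' into a dict of tag -> value."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        k, v = part.split("=", 1)
        tags[k.strip().lower()] = v.strip()
    return tags


def spoofability(txt, subdomain=False):
    """Return (spoofable, reason).

    Treated as spoofable when there is no usable DMARC record, the
    applicable policy is 'none', or pct < 100 so part of the mail escapes
    enforcement. 'sp' governs subdomains and falls back to 'p'."""
    if not txt:
        return True, "no DMARC record"
    tags = parse_dmarc(txt)
    if tags.get("v", "").upper() != "DMARC1":
        return True, "record missing v=DMARC1 tag (ignored by receivers)"
    policy = tags.get("p")
    if policy is None:
        return True, "no p= tag (record invalid)"
    if subdomain and "sp" in tags:
        policy = tags["sp"]
    policy = policy.lower()
    if policy == "none":
        return True, "policy none: monitored only"
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if pct < 100:
        return True, f"policy {policy} applied to only {pct}% of mail"
    return False, f"policy {policy} enforced"


def check_all(records, subdomain=False):
    """Map each domain to its (spoofable, reason) verdict."""
    return {d: spoofability(t, subdomain) for d, t in records.items()}


# Constructed records for hypothetical domains (not real DNS data).
RECORDS = {
    "reject.example": "v=DMARC1; p=reject; rua=mailto:dmarc@reject.example",
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25",
    "weaksub.example": "v=DMARC1; p=reject; sp=none",
    "nodmarc.example": "",
}

if __name__ == "__main__":
    for domain, verdict in check_all(RECORDS).items():
        print(domain, verdict)
    print("sub.weaksub.example", spoofability(RECORDS["weaksub.example"], subdomain=True))
```

Note that DMARC only tells you whether a receiver is asked to enforce; whether it does (and whether SPF/DKIM alignment would fail for your sending setup) still has to be verified against the actual target.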
#Red_Team
C2X-HTTP - C2/Post-Exploitation Tool For Red Teaming and Ethical Hacking [on HTTP(S)]
https://github.com/silveryseaChens/nxenon7
@BlueRedTeam
#APT #Log4j
APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit (CharmPower)
https://research.checkpoint.com/2022/apt35-exploits-log4j-vulnerability-to-distribute-new-modular-powershell-toolkit
@BlueRedTeam
#Blue_Team
1. Abusing MS Office Using Malicious Web Archive Files
https://www.netskope.com/blog/abusing-microsoft-office-using-malicious-web-archive-files
2. A Quick CVE-2022-21907 FAQ
https://isc.sans.edu/forums/diary/A+Quick+CVE202221907+FAQ+work+in+progress/28234
@BlueRedTeam
#CVE-2021
CVE-2021-46075 - A Privilege Escalation vulnerability exists in Sourcecodester Vehicle Service Management System 1.0. Staff account users can access the admin resources and perform CRUD Operations.
https://github.com/plsanu/CVE-2021-46075
@BlueRedTeam
#CVE-2021
CVE-2021-46076 - Sourcecodester Vehicle Service Management System 1.0 is vulnerable to unrestricted file upload. An attacker can upload a malicious PHP file through multiple endpoints, leading to code execution.
https://github.com/plsanu/CVE-2021-46076
@BlueRedTeam
#Red_Team
Nim variant of MDSec's Parallel Syscalls EDR hook bypass
https://github.com/frkngksl/ParallelNimcalls
@BlueRedTeam
#Blue_Team
1. Identifying beaconing malware using Elastic
https://www.elastic.co/blog/identifying-beaconing-malware-using-elastic#
2. Suspicious named pipe events - 0xFF1B
https://medium.com/falconforce/falconfriday-suspicious-named-pipe-events-0xff1b-fe475d7ebd8
@BlueRedTeam
#Red_Team
Alias identity manager for Red Teams, OSINT collectors, journalists, and privacy-conscious people
https://github.com/mattreduce/sockdrawer
@BlueRedTeam