Hiding payloads in Java source code strings
#portswigger
In this post we'll show you how Java handles unicode escapes in source code strings in a way you might find surprising - and how you can abuse them to conceal payloads. We recently released a powerful
via PortSwigger Research
#portswigger
In this post we'll show you how Java handles unicode escapes in source code strings in a way you might find surprising - and how you can abuse them to conceal payloads. We recently released a powerful
via PortSwigger Research
Guys go C:/
#tool
Found funny C2 transport realisation through CS1.6 server via RCON
https://github.com/eversinc33/1.6_C2
#tool
Found funny C2 transport realisation through CS1.6 server via RCON
https://github.com/eversinc33/1.6_C2
🔥1
Why Join The Navy If You Can Be A Pirate?
#objectivesee
From a security point of view, pirating software is not recommended! Let's analyze a pirated application that contains a (malicious) surprise.
via Objective-See Blog
#objectivesee
From a security point of view, pirating software is not recommended! Let's analyze a pirated application that contains a (malicious) surprise.
via Objective-See Blog
ADCS Attack Paths in BloodHound — Part 1
#specterops
via SpecterOps Team Medium (author: Jonas Bülow Knudsen)
#specterops
via SpecterOps Team Medium (author: Jonas Bülow Knudsen)
Medium
ADCS Attack Paths in BloodHound — Part 1
Since Will Schroeder and Lee Christensen published the Certified Pre-Owned whitepaper, the BloodHound Enterprise team at SpecterOps has…
From Zero to Purple
#trustedsec
For any Purple Team, or team using offensive techniques for defensive purposes, we need to make sure we are developing new techniques based on real-world scenarios by threat actors and groups. You’ll receive…
via TrustedSec Blog (author: Zach Bevilacqua)
#trustedsec
For any Purple Team, or team using offensive techniques for defensive purposes, we need to make sure we are developing new techniques based on real-world scenarios by threat actors and groups. You’ll receive…
via TrustedSec Blog (author: Zach Bevilacqua)
Introducing the Mutator Kit: Creating Object File Monstrosities with Sleep Mask and LLVM
#cobaltstrike
In our ‘Cobalt Strike and YARA: Can I Have Your Signature?’ blog post, we highlighted that the sleep mask is a common target for in-memory YARA signatures. In that post we recommended using the evasive sleep mask option to scramble the sleep mask at run time and break any static signatures. However, this solves the [...]
via Cobalt Strike Blog (author: William Burgess)
#cobaltstrike
In our ‘Cobalt Strike and YARA: Can I Have Your Signature?’ blog post, we highlighted that the sleep mask is a common target for in-memory YARA signatures. In that post we recommended using the evasive sleep mask option to scramble the sleep mask at run time and break any static signatures. However, this solves the [...]
via Cobalt Strike Blog (author: William Burgess)
Forwarded from Offensive Xwitter
😈 [ 5pider @C5pider ]
Modern implant design: position independent malware development.
A small blog post on how to design "modern" malware with features like global variables, raw strings, and compile-time hashing.
🔗 https://5pider.net/blog/2024/01/27/modern-shellcode-implant-design
🔗 https://github.com/Cracked5pider/Stardust
🐥 [ tweet ]
Modern implant design: position independent malware development.
A small blog post on how to design "modern" malware with features like global variables, raw strings, and compile-time hashing.
🔗 https://5pider.net/blog/2024/01/27/modern-shellcode-implant-design
🔗 https://github.com/Cracked5pider/Stardust
🐥 [ tweet ]
A Practical Guide to PrintNightmare in 2024
#itm4n
Although PrintNightmare and its variants were theoretically all addressed by Microsoft, it is still affecting organizations to this date, mainly because of quite confusing group policies and settings. In this blog post, I want to shed a light on those configuration issues, and hopefully provide clear guidance on how to remediate them. “PrintNightmare” and “Point and Print” Unless you’ve been ...
via Itm4n Blog (author: itm4n)
#itm4n
Although PrintNightmare and its variants were theoretically all addressed by Microsoft, it is still affecting organizations to this date, mainly because of quite confusing group policies and settings. In this blog post, I want to shed a light on those configuration issues, and hopefully provide clear guidance on how to remediate them. “PrintNightmare” and “Point and Print” Unless you’ve been ...
via Itm4n Blog (author: itm4n)
KrustyLoader - Rust malware linked to Ivanti ConnectSecure compromises
#synacktiv
via Synacktiv Blog (author: Webmaster)
#synacktiv
via Synacktiv Blog (author: Webmaster)
ANYSIZE_ARRAY in C#
#rastamouse
There are multiple structures in Windows that contain fixed sized arrays. The instance I came across recently was the KERB_QUERY_TKT_CACHE_RESPONSE struct, which looks like this: ANYSIZE_ARRAY is defined as 1 in winnt.h, but the reality is that the array will be of size CountOfTickets. This value obviously cannot be known at compile time. Translating these
via Rasta Mouse Blog
#rastamouse
There are multiple structures in Windows that contain fixed sized arrays. The instance I came across recently was the KERB_QUERY_TKT_CACHE_RESPONSE struct, which looks like this: ANYSIZE_ARRAY is defined as 1 in winnt.h, but the reality is that the array will be of size CountOfTickets. This value obviously cannot be known at compile time. Translating these
via Rasta Mouse Blog
#labs
In this blogpost I tried to collect all InfoSec practical resources in one place, which I or my friends used to train. I will update this list periodically. If you found something missed, let me know 🙂
🌐 Web:
🔗 PortSwigger WebSecurity Academy - from zero to hero resource for web sec learning. Lots of articles and labs for each kind of web vulns. The only one resource you need to learn and practice web security.
💻 Infra:
🔗 TryHackMe - "hackthebox for beginners". (need subnoscription).
🔗 HackTheBox - a lot of hackable machines with different difficulty, OSes and vulnerabilities. Idea is to get the initial access and then escalate privileges. Also contains nice CTF challenges to practice in different fields.
🔗 CI/CD GOAT - self-hosted vulnerable CI/CD environment for practice CI/CD hacking with step-by-step writeups.
🪟Active Directory:
🔗 HackTheBox ProLabs - different Active Directory labs to practice exploitation, lateral movement, privilege escalation and more in complex game format. (need subnoscription).
🔗 GOAD - self-hosted AD lab with lots of vulnerabilities. Easy to deploy home lab for tools testing and exploitation practice (with step by step writeup).
🟦 Kubernetes:
🔗 EKS Cluster Games - AWS EKS (managed Kubernetes from AWS) exploration and exploitation challenge.
🔗 Kubernetes GOAT - self-hosted vulnerable kubernetes cluster with step-by-step guide to learn and practice Kubernetes security.
1️⃣0️⃣1️⃣ Binary exploitation:
🔗 LiveOverflow Binary Exploitation - youtube playlist with binary exploitation basics with tasks solutions. Better to start with it.
🔗 ropemporium - return-oriented programming practice challenges.
🔗 how2heap - lots of linux heap exploitation primitives mapped to glibc versions.
🔗 HEVD - HackSys Extreme Vulnerable Driver is vulnerable drivers for both Windows and Linux systems. You can exploit them by yourself or learn how to with provided exploits.
3️⃣ Web3:
🔗 ethernaut - Web3/Solidity based wargame with lots of vulnerable contracts you need to hack. WriteUps are easy to google.
🔑 Cryptography:
🔗 Cryptohack - lots of theory and practice tasks for math and modern crypto primitives and algorithms.
☁️ Cloud:
🔗 CloudGoat - Vulnerable by design AWS cloud-hosted infrastructure. Contains breath small walkthrough for each scenario.
🔗 AzureGoat - Vulnerable cloud-hosted Azure infrastructure contains web-vulns and cloud misconfigurations. Contains both attack and defense writeups.
🔗 flaws and flaws2 - Online AWS ctf-like security challenges without writeups. The second one also contains defensive part.
In this blogpost I tried to collect all InfoSec practical resources in one place, which I or my friends used to train. I will update this list periodically. If you found something missed, let me know 🙂
🌐 Web:
🔗 PortSwigger WebSecurity Academy - from zero to hero resource for web sec learning. Lots of articles and labs for each kind of web vulns. The only one resource you need to learn and practice web security.
💻 Infra:
🔗 TryHackMe - "hackthebox for beginners". (need subnoscription).
🔗 HackTheBox - a lot of hackable machines with different difficulty, OSes and vulnerabilities. Idea is to get the initial access and then escalate privileges. Also contains nice CTF challenges to practice in different fields.
🔗 CI/CD GOAT - self-hosted vulnerable CI/CD environment for practice CI/CD hacking with step-by-step writeups.
🪟Active Directory:
🔗 HackTheBox ProLabs - different Active Directory labs to practice exploitation, lateral movement, privilege escalation and more in complex game format. (need subnoscription).
🔗 GOAD - self-hosted AD lab with lots of vulnerabilities. Easy to deploy home lab for tools testing and exploitation practice (with step by step writeup).
🟦 Kubernetes:
🔗 EKS Cluster Games - AWS EKS (managed Kubernetes from AWS) exploration and exploitation challenge.
🔗 Kubernetes GOAT - self-hosted vulnerable kubernetes cluster with step-by-step guide to learn and practice Kubernetes security.
1️⃣0️⃣1️⃣ Binary exploitation:
🔗 LiveOverflow Binary Exploitation - youtube playlist with binary exploitation basics with tasks solutions. Better to start with it.
🔗 ropemporium - return-oriented programming practice challenges.
🔗 how2heap - lots of linux heap exploitation primitives mapped to glibc versions.
🔗 HEVD - HackSys Extreme Vulnerable Driver is vulnerable drivers for both Windows and Linux systems. You can exploit them by yourself or learn how to with provided exploits.
3️⃣ Web3:
🔗 ethernaut - Web3/Solidity based wargame with lots of vulnerable contracts you need to hack. WriteUps are easy to google.
🔑 Cryptography:
🔗 Cryptohack - lots of theory and practice tasks for math and modern crypto primitives and algorithms.
☁️ Cloud:
🔗 CloudGoat - Vulnerable by design AWS cloud-hosted infrastructure. Contains breath small walkthrough for each scenario.
🔗 AzureGoat - Vulnerable cloud-hosted Azure infrastructure contains web-vulns and cloud misconfigurations. Contains both attack and defense writeups.
🔗 flaws and flaws2 - Online AWS ctf-like security challenges without writeups. The second one also contains defensive part.
👍4
Burrowing a Hollow in a DLL to Hide
#trustedsec
Burrowing a Hollow in a DLL to Hide In this post about common malware techniques, we are still talking about hollowing—but this time, instead of hollowing a newly created process, we will make a process load a new…
via TrustedSec Blog (author: Scott Nusbaum)
#trustedsec
Burrowing a Hollow in a DLL to Hide In this post about common malware techniques, we are still talking about hollowing—but this time, instead of hollowing a newly created process, we will make a process load a new…
via TrustedSec Blog (author: Scott Nusbaum)
The Rising Threat: A Surge in Zero-Day Exploits
#trustedsec
IntroductionThe cat-and-mouse game between defenders and attackers continues to escalate in the ever-evolving cybersecurity landscape. Advanced Persistent Threats (APTs) and cybercriminals are constantly on the lookout…
via TrustedSec Blog (author: Carlos Perez)
#trustedsec
IntroductionThe cat-and-mouse game between defenders and attackers continues to escalate in the ever-evolving cybersecurity landscape. Advanced Persistent Threats (APTs) and cybercriminals are constantly on the lookout…
via TrustedSec Blog (author: Carlos Perez)
Unmanaged .NET Patching
#outflank
To execute .NET post-exploitation tools safely, operators may want to modify certain managed functions. For example, some C# tools use the .NET standard library to terminate their process after execution. This may not be an issue for fork&run implementations that spawn a sacrificial process, but executing in-process will terminate an implant. One could write a small .NET program that resolves and patches these functions, but we were interested in an unmanaged approach (i.e. a unmanaged implant executing managed code in-process). While our example targets
In January 2022, I uploaded a functional example of this approach to my personal GitHub. However, the implementation was a part of a larger project, and I’ve received a few questions about the technique, so I created this standalone example and writeup.
via Outflank Blog (author: Kyle Avery)
#outflank
To execute .NET post-exploitation tools safely, operators may want to modify certain managed functions. For example, some C# tools use the .NET standard library to terminate their process after execution. This may not be an issue for fork&run implementations that spawn a sacrificial process, but executing in-process will terminate an implant. One could write a small .NET program that resolves and patches these functions, but we were interested in an unmanaged approach (i.e. a unmanaged implant executing managed code in-process). While our example targets
System.Environment.Exit, a similar technique should work for any managed function.In January 2022, I uploaded a functional example of this approach to my personal GitHub. However, the implementation was a part of a larger project, and I’ve received a few questions about the technique, so I created this standalone example and writeup.
via Outflank Blog (author: Kyle Avery)
Introducing custom scan checks to Burp Suite Enterprise Edition
#portswigger
BChecks, in a nutshell, are easy to use custom-created scan checks that enable you to extend the capabilities of Burp Scanner in a quick and simple way. We recently released BChecks to Burp Suite Prof
via PortSwigger Blog
#portswigger
BChecks, in a nutshell, are easy to use custom-created scan checks that enable you to extend the capabilities of Burp Scanner in a quick and simple way. We recently released BChecks to Burp Suite Prof
via PortSwigger Blog
Microsoft Breach — What Happened? What Should Azure Admins Do?
#specterops
via SpecterOps Team Medium (author: Andy Robbins)
#specterops
via SpecterOps Team Medium (author: Andy Robbins)
Medium
Microsoft Breach — What Happened? What Should Azure Admins Do?
On January 25, 2024, Microsoft published a blog post that detailed their recent breach at the hands of “Midnight Blizzard”. In this blog…
Microsoft Breach — How Can I See This In BloodHound?
#specterops
via SpecterOps Team Medium (author: Stephen Hinck)
#specterops
via SpecterOps Team Medium (author: Stephen Hinck)
Medium
Microsoft Breach — How Can I See This In BloodHound?
Mapping Attack Paths from Foreign Principals in BloodHound
PPID Spoofing & BlockDLLs with NtCreateUserProcess
#rastamouse
This week, Capt. Meelo released a great blog post on how to call the NtCreateUserProcess API as a substitue for the typical Win32 CreateProcess API. This post will build upon Meelo’s, so I highly encourage you to read it first. TL;DR, this code (not counting ntdll.h) is the bare minimum to spawn mmc.exe: #include <Windows.h> #include "ntdll.h" #pragma comment(lib, "ntdll") int main() { UNICODE_STRING NtImagePath; RtlInitUnicodeString(&NtImagePath, (PWSTR)L"\\??\\C:\\Windows\\System32\\mmc.exe"); PRTL_USER_PROCESS_PARAMETERS ProcessParameters = NULL; RtlCreateProcessParametersEx(&ProcessParameters, &NtImagePath, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, RTL_USER_PROCESS_PARAMETERS_NORMALIZED); PS_CREATE_INFO CreateInfo = { 0 }; CreateInfo.
via Offensive Defence Blog
#rastamouse
This week, Capt. Meelo released a great blog post on how to call the NtCreateUserProcess API as a substitue for the typical Win32 CreateProcess API. This post will build upon Meelo’s, so I highly encourage you to read it first. TL;DR, this code (not counting ntdll.h) is the bare minimum to spawn mmc.exe: #include <Windows.h> #include "ntdll.h" #pragma comment(lib, "ntdll") int main() { UNICODE_STRING NtImagePath; RtlInitUnicodeString(&NtImagePath, (PWSTR)L"\\??\\C:\\Windows\\System32\\mmc.exe"); PRTL_USER_PROCESS_PARAMETERS ProcessParameters = NULL; RtlCreateProcessParametersEx(&ProcessParameters, &NtImagePath, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, RTL_USER_PROCESS_PARAMETERS_NORMALIZED); PS_CREATE_INFO CreateInfo = { 0 }; CreateInfo.
via Offensive Defence Blog
Nt Token Theft
#rastamouse
Intro Grzegorz Tworek recently published some C code demonstrating how to steal and impersonate Windows tokens from a process. The standard way to do this is with the OpenProcess, OpenProcessToken, DuplicateTokenEx, and ImpersonateLoggedOnUser APIs. Grzegorz shows how to achieve the same using Nt* APIs, specifically NtOpenProcess, NtOpenProcessToken, NtDuplicateToken, and NtSetInformationThread. Because I’m a C# junky, I ported part of his code. This post will serve as a short walkthough on how to “getsystem” by stealing and impersonating the token of a SYSTEM process.
via Offensive Defence Blog
#rastamouse
Intro Grzegorz Tworek recently published some C code demonstrating how to steal and impersonate Windows tokens from a process. The standard way to do this is with the OpenProcess, OpenProcessToken, DuplicateTokenEx, and ImpersonateLoggedOnUser APIs. Grzegorz shows how to achieve the same using Nt* APIs, specifically NtOpenProcess, NtOpenProcessToken, NtDuplicateToken, and NtSetInformationThread. Because I’m a C# junky, I ported part of his code. This post will serve as a short walkthough on how to “getsystem” by stealing and impersonating the token of a SYSTEM process.
via Offensive Defence Blog
Spinning Webs — Unveiling Arachne for Web Shell C2
#specterops
via SpecterOps Team Medium (author: Cody Thomas)
#specterops
via SpecterOps Team Medium (author: Cody Thomas)
Medium
Spinning Webs — Unveiling Arachne for Web Shell C2
Web Shell Agent for Mythic C2