سلام دوستان وقتتون بخیر،
انشالله امروز یه لایو ساعت 18 در خدمتتون هستم، روی APT 28 🇷🇺تا جایی که شد تاکتیک میریم جلو
https://youtube.com/live/-j3OZfu7zfI?feature=share

سلام وقت بخیر، امروز مجدد ساعت 18 لایو #ردتیم دارم APT Simulation تا جایی که بشه تاکتیک تکنیک‌های مربوط به APT28 🇷🇺 کاور میکنم.
https://youtube.com/live/RYcku1kRYWE?feature=share

سلام وقت بخیر، امروز ساعت 18 (قسمت آخر) لایو #ردتیم در خدمتتون هستم با APT 28 Simulation🇷🇺 و تاکتیک‌های باقی مانده کاور میکنم.
ریپو براش ساختم بعد از اتمام لایو هر چی کامند، پیلود هست آپلود میکنم براتون که بعدا بتونید استفاده کنید
https://youtube.com/live/5E8vsvT4Rvc?feature=share
https://github.com/soheilsec/APT-28-Simulation

The PrintNightmare is not Over Yet:
https://itm4n.github.io/printnightmare-not-over/

metasploit 15%
active + attacks 41%
mitre 15%
owasp top 10 29%
طبق تجمیع دو نظر سنجی آموزش اکتیو‌دایرکتوری + حملات به صورت عملی میریم جلو تقریبی 20 تا قسمتی باید بشه که تمام حملات کاور بشه و سعی میکنم بیس شبکه بیشتر توضیح بدم چون میدونم این بیس شبکه بین کسانی که شروع میکنن خیلی کمرنگ هست
جهت حمایت از بنده کانال ساب کنید حتما نظرتتان کامنت بزارید که آموزش کاربردی جلو بره
https://youtube.com/@soheilsec

CVE-2024-43582: RCE in RDP Servers, 8.1 rating❗️

A use after free vulnerability in some RDP servers could allow an attacker to carry out remote code execution.
https://app.netlas.io/responses/?q=protocol%3Ardp%20geo.country%3AIR&page=1&indices=

IntelBroker, in collaboration with EnergyWeaponUser and zjj, claims to be selling data from a recent Cisco breach.

The compromised data reportedly includes GitHub and GitLab projects, SonarQube projects, source code, hardcoded credentials, certificates, customer SRCs, confidential Cisco documents, Jira tickets, API tokens, AWS private buckets, Cisco technology SRCs, Docker builds, Azure storage buckets, private and public keys, SSL certificates, and Cisco premium products.

Several high-profile companies, including Verizon, AT&T, Bank of America, Barclays, British Telecom, Microsoft, Vodafone, and Chevron, are allegedly impacted.

Samples have been provided.
https://x.com/H4ckManac/status/1845884053574025416?t=xWMDW5t78xM9OUg5Olx7fA&s=19

DEF CON 32 talk Windows Downdate: Downgrade Attacks Using Windows Updates
https://youtu.be/HHmxuxQ7bE8?si=zYrdh420K0nHVmtB

❓Think your EDR solution is bullet proof?
🔥 Intuitive threat actors now leverage Windows Filtering Platform rules to block EDRs from alerting the SOC Team. ⬇️

⚙️ Specifically, EDRSilencer is a very neat opensource tool that detects running EDR processes and uses custom Windows Filtering Platform (WFP) rules to block outbound communications between the EDR agent on a workstation or sever to the EDR management server. This means that alerts don’t make it to the SOC team or IT department and are not aware of the system being compromised.

⬇️ EDRSilencer on Github:
https://github.com/netero1010/EDRSilencer

📰 Kudos to TrendMicro on their article covering this topic in detail:
https://www.trendmicro.com/en_us/research/24/j/edrsilencer-disrupting-endpoint-security-solutions.html

🛡How to block this attack?
While TrendMicro notes that blocking EDRSilencer is one prevention method; there is nothing stopping threat actors from just crafting another app that calls WFP to block EDR agent communications. A better detection method for a SOC team would be to log WFP events and specifically alert on 5155 & 5157 event IDs (WFP blocked apps and connections) which are filtered in your SIEM platform by the Application Name which equals the path of your EDR agent.

📕WFP Event Auditing:
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-filtering-platform-connection

Ref:https://www.linkedin.com/posts/christiancscott_think-your-edr-solution-is-bullet-proof-activity-7252879878260170753-XrF4/?utm_source=share&utm_medium=member_android

I gathered samples related to Attack Against Iran’s State Broadcaster if you have access to those three missing files plz share it in group

file pass : infected

credits :
vx-underground
MalwareBazaar
checkpoint

⚠️ New details available on the FortiManager zero-day exploitation campaign:
— It now has a CVE: CVE-2024-47575.
— It was exploited early as June by UNC5820
— They exfiltrated the config data of FortiGate devices
👇
https://www.fortiguard.com/psirt/FG-IR-24-423

https://cloud.google.com/blog/topics/threat-intelligence/fortimanager-zero-day-exploitation-cve-2024-47575

An attacker exploiting the security issue could relay NTLM authentication to Active Directory Certificate Services (ADCS) to obtain a user certificate for further domain authentication.
همین یه تیکش مشخص تو شبکه داخلی ایران ج نمیده 🤔
The flaw affects all Windows server versions 2008 through 2022 as well as Windows 10 and Windows 11.

https://www.bleepingcomputer.com/news/security/exploit-released-for-new-windows-server-winreg-ntlm-relay-attack/

https://github.com/akamai/akamai-security-research/tree/main/PoCs/cve-2024-43532

Inside a Firewall Vendor's 5-Year War With the Chinese Hackers Hijacking Its Devices

Sophos detailed to me its
5-year cat-and-mouse game with Chinese hackers repeatedly exploiting its firewalls. The company resorted to installing spy "implants" on devices the hackers were testing on—tracing them to a university and contractor in Chengdu.
Sophos' experience gives a glimpse of how determinedly and on what a huge scale China's state hackers are hijacking "perimeter" security appliance like firewalls and VPNs to breach targets—and how a network of Chinese academic and private-sector researchers is enabling them.
https://www.wired.com/story/sophos-chengdu-china-five-year-hacker-war/

قسمت اول از مجموعه اکتیو مفاهیم ابتدایی برگرفته از مایکروسافت
https://youtu.be/EtKFrogBiTA
به مرور که حملات مختلف بخوام بگم نحوه پیاده سازی لب و موارد غیره براتون میزارم روی
https://github.com/soheilsec/Active-Directory-For-Hackers
این مجموعه آموزش صرفا روی Misconfiguration بحث میکنم بدون هیچ اکسپلویتی چی کارها میتونم بکنم مثل آزمون OSCP که باید Admin DC بشی در انتهاش و این روند کاری که تو تمام پروژه تست نفوذ و ردتیم انجام میشه