Forwarded from white2hack 📚
System32 Important Files.pdf
33.4 MB
System32 Important Files by Hadess, 2024
Cloud-Based Identity to Exfiltration Attack Part1
As I've divided this blog into two parts, this part focuses on Part 1, examining cloud-based identity attacks that lead to successful logins and Outlook activity.
https://github.com/LearningKijo/SecurityResearcher-Note/blob/main/SecurityResearcher-Note-Folder/Day16-CloudId-Exfiltration-AttackReport-Part1.md
Cloud-Based Identity to Exfiltration Attack Part2
Today, I would like to showcase some detection insights regarding attacks, starting from cloud-based identity attacks and extending to a compromised Office 365 environment.
https://github.com/LearningKijo/SecurityResearcher-Note/blob/main/SecurityResearcher-Note-Folder/Day16-CloudId-Exfiltration-AttackReport-Part2.md
Forwarded from SecureByte group (SecureByte)
Persian Generic Unpacking.rar
7.2 MB
#Tutorial #Unpacking #Persian
An unpacking tutorial collection in Persian by our good old friend Amir Gouran (256 pages).
Unpacking requires solid knowledge of file formats, reverse engineering, static and dynamic analysis, and programming.
The material here is a general introduction; you need to keep practising to go further, and without the prerequisite knowledge you will not make progress in this field.
You can download the Unpack Me files from the Tuts4you site and practise on them.
Password : @securebyte
https://news.1rj.ru/str/joinchat/8IAKs9HaoGU2NmE0
REA Unpacking eBook.rar
106.2 MB
#Tutorial #Unpacking #English
REA Unpacking eBook
Pages : 2342
Password : @securebyte
https://news.1rj.ru/str/joinchat/8IAKs9HaoGU2NmE0
Forwarded from Source Chat (Friend)
Forwarded from $ᴘ3ᴅʏʟ1👾
Golang Virus Example
• ExfilDocs: searches the drive for specific file extensions and uploads the files to the C2 via SSH
• Outlook Exfil: asks for Outlook credentials, authenticates via IMAP, searches attachments and uploads the files to the C2 via SSH (TO DO: fix Windows compilation)
• Screen Shotter: uploads a screenshot to the C2 via SSH every 20 seconds
• Dropper: hosts 3 files, downloads them from itself, then executes them
[ GitHub ]
Process Injection Techniques with Golang
[ GitHub ]
Proof of concept SMB C2 using named pipes in Golang
[ GitHub ]
DLL creation and injection with Golang
[ Medium ]
ColdFire II(Golang malware development library)
[ GitHub ]
A POC Windows crypto-ransomware (Academic). Now Ransom:Win32/MauriCrypt.MK!MTB
[ GitHub ]
Windows Botnet written in Golang
[ GitHub ]
@source_byte
#malware_dev #go
Forwarded from 1N73LL1G3NC3
TrollUAC
• .NET library that serves as a UAC bypass for x64
• Any* process with the uiAccess flag enabled can "Send Keystrokes" to high integrity processes even from medium integrity
• We steal the token of On Screen Keyboard (uiAccess enabled) to spawn a new process that does GUI automation
• The GUI automation simply sends keystrokes to taskmgr (auto elevate) to spawn our new desired process in high integrity
• *Refer to tiraniddo's article for requirements, although they can easily be conjured up
Zero EAT touch way to retrieve function addresses (GetProcAddress on steroids)
[ GitHub ]
#malware_dev
#windows
Unorthodox and stealthy way to inject a DLL into the explorer using icons
[ GitHub ]
@source_byte
#malware_dev
#windows
Malware for education
Indirect Dynamic Syscall, SSN + Syscall address sorting via Modified TartarusGate approach + Remote Process Injection via APC Early Bird + Spawns a sacrificial Process as target process + (ACG+BlockDll) mitigation policy on spawned process + PPID spoofing + Api resolving from TIB + API hashing
https://github.com/reveng007/DarkWidow.git
Honourable Mentions:
BlackHat Asia, 2024 - Call For Tools
BlackHat USA, 2024 - Call For Tools
@source_byte
#malware_dev
#windows
🦀 | RustRedOps is a repository dedicated to gathering and sharing advanced techniques and offensive malware for Red Team, with a specific focus on the Rust programming language.
https://github.com/joaoviictorti/RustRedOps.git
@source_byte
#malware_dev #rust
Writing an Independent Malware
There's no greater feeling than when the malware (or any project/tool) you're developing works as expected. Until suddenly you realize it only works on your dev machine and not on any other machine.
https://captmeelo.com//redteam/maldev/2022/10/17/independent-malware.html
@source_byte
#malware_dev #compile
Forwarded from vx-underground
We have many people asking us how to begin their journey into malware development. Here is a step by step guide to get started!
1. Stop asking how to get started
2. Learn to code (NOT PYTHON)
3. Do something
4. Expect failure
Have a nice day.
Forwarded from Yashar Mahmoudnia
• Gathering System Information Using IOPlatformExpertDevice;
• Targeting Browser and Diagnostic Logs;
• Manipulating the TCC Database Using PackageKit;
• Leveraging Application Bundles and User-Specific Data;
• Taking Over Electron App TCC Permissions with electroniz3r;
• Exploiting Keychain Access;
• Signing Your Payload;
• Exploiting Installer Packages;
• Exploiting DMG Files for Distribution;
• Leveraging HealthInspector Utility;
• Generating Shared Secrets and Accessing Computer$ Password;
• Over-Pass-The-Hash;
• Kerberoasting;
• User Level Persistence with Launch Agents;
• User Level Persistence with Login Items;
• Folder Action Scripts;
• Dylib Insertion/Hijack;
• Evasion Techniques with XPC on macOS;
• Process Injection on macOS;
• In-Memory Loading on macOS.
VOID MANTICORE DESTRUCTIVE ACTIVITIES IN ISRAEL
Void Manticore (aka Storm-842) is an Iranian threat actor affiliated with the Ministry of Intelligence and Security (MOIS). They carry out destructive wiping attacks combined with influence operations.
(Checkpoint Report)
Research: explains the Liontail framework
@source_byte
#APT #Ti