Source Byte – Telegram
"Sober is he who keeps clear of love; this nature of mine will not mix with reason."
Saadi Shirazi
Exploring Android Exploitation: A Journey into Stack Overflow Vulnerability
Credit: @INVOXES
https://kousha1999.github.io/posts/2024/Android-Stack-Overflow-Exploitation-with-Frida
themida-unmutate
A Python 3 tool to statically deobfuscate functions protected by Themida, WinLicense and Code Virtualizer 3.x's mutation-based obfuscation.
The tool has been tested on Themida up to version 3.1.9. It's expected to work on WinLicense and Code Virtualizer as well.
https://github.com/ergrelet/themida-unmutate

A Binary Ninja plugin for the same tool is also available.

#unpacking #packer
Forwarded from 1N73LL1G3NC3
SCCMSecrets.py

A Python utility that builds upon existing SCCM research. It goes beyond NAA credential extraction and aims to provide a comprehensive approach to SCCM policy exploitation. The tool can be executed from various privilege levels and will attempt to uncover potential misconfigurations related to policy distribution. It will dump the content of all secret policies encountered, as well as collection variables and the package scripts hosted on the distribution points. Finally, it can be used throughout the intrusion process by configuring it to impersonate legitimate SCCM clients, in order to pivot across device collections.

For more details regarding the tool and its usage, see the associated article at: https://www.synacktiv.com/publications/sccmsecretspy-exploiting-sccm-policies-distribution-for-credentials-harvesting-initial

P.S. Another tool allowing to dump SCCM distribution point resources via HTTP: https://github.com/badsectorlabs/sccm-http-looter
Cobalt Strike
CDN & Reverse Proxy Setup.

Reverse proxy

#redteam #infra
Antimalware Scan Interface (AMSI) — A Red Team Analysis on Evasion
In this post, we will analyze how AMSI works and recap existing known bypasses.

https://iwantmore.pizza/posts/amsi.html

+ Omer Yair’s talk
+ DerbyCon talk
+ Daniel Bohannon’s Hacktivity talk.

#amsi #windows #vb #winsec
SHELLSILO is a cutting-edge tool that translates C syntax into syscall assembly and its corresponding shellcode.

https://github.com/nixpal/shellsilo
Abuse SVCHost Methods
Credit: Reza Rashidi
https://redteamrecipe.com/abuse-svchost-methodsrtc0017
Cryptojacking via CVE-2023-22527: Dissecting a Full-Scale Cryptomining Ecosystem

A technical analysis on how CVE-2023-22527 can be exploited by malicious actors for cryptojacking attacks that can spread across the victim’s system.

https://www.trendmicro.com/en_us/research/24/h/cve-2023-22527-cryptomining.html
apt-report.pdf (1.3 MB)
2024 Check Point report on MuddyWater (MOIS)
Attribution of Advanced Persistent Threats
How to Identify the Actors Behind Cyber-Espionage
Automating Malware Deobfuscation with Binary Ninja
Writing a Static Unpacker

This workshop teaches participants how to automate the unpacking and decryption of malware samples, using a Qakbot sample as the running example. The sample is packed (wrapped by an external packer whose stub reconstructs the payload at runtime), so the hands-on exercises automate the extraction of Qakbot from its packed form with Binary Ninja, PEFile and Binary Refinery.
+ The first exercise uses Binary Ninja to identify the encryption algorithm used by the first stage of the packer and to extract the key material needed to decrypt the second stage.
+ The second exercise uses PEFile to extract an embedded resource from the packed binary; the resource is then decrypted with the key material recovered in the first exercise.
+ The third exercise uses Binary Refinery to carve binary files from the decrypted resource.
Code

Slides

Workshop Manual
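The final exercise carves binaries out of the decrypted resource with Binary Refinery. The following is an added example, not part of the workshop materials or Binary Refinery, that shows the same carving logic in plain Python so each step is visible: treat the resource as an opaque buffer, decrypt it, then walk every "MZ" candidate, validate the header chain (e_lfanew, PE signature, COFF header, section table) and take each image's on-disk extent from the section table. The encrypted resource, the key and the use of RC4 are constructed stand-ins for the demo; the real algorithm and key are what the first exercise recovers with Binary Ninja, and the real resource is what the second exercise extracts with PEFile.

```python
"""Decrypt a packed resource and carve the PE files embedded in it.

Added example for the Qakbot workshop steps, not the workshop's own code.
The resource, key and RC4 cipher are constructed stand-ins (assumptions).
"""
import struct
from typing import List, Optional, Tuple

MZ = b"MZ"
PE_SIG = b"PE\0\0"
E_LFANEW_OFF = 0x3C        # DOS header field pointing at the PE signature
COFF_HDR_LEN = 20
SECTION_HDR_LEN = 40


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (symmetric). Stand-in for whatever cipher the packer really uses."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def pe_extent(buf: bytes, off: int) -> Optional[int]:
    """On-disk size of the PE image at buf[off], or None if the header chain
    MZ -> e_lfanew -> PE\\0\\0 -> COFF -> section table is not plausible."""
    if buf[off:off + 2] != MZ or off + E_LFANEW_OFF + 4 > len(buf):
        return None
    e_lfanew = struct.unpack_from("<I", buf, off + E_LFANEW_OFF)[0]
    if not 0x40 <= e_lfanew <= 0x400 or buf[off + e_lfanew:off + e_lfanew + 4] != PE_SIG:
        return None
    coff = off + e_lfanew + 4
    if coff + COFF_HDR_LEN > len(buf):
        return None
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    nsec, opt_len = struct.unpack_from("<2xH12xH2x", buf, coff)
    if not 1 <= nsec <= 96:
        return None
    sec_table = e_lfanew + 4 + COFF_HDR_LEN + opt_len   # relative to image start
    end = sec_table + nsec * SECTION_HDR_LEN            # headers are the minimum extent
    for i in range(nsec):
        h = off + sec_table + i * SECTION_HDR_LEN
        if h + SECTION_HDR_LEN > len(buf):
            return None
        raw_size, raw_ptr = struct.unpack_from("<II", buf, h + 16)  # SizeOfRawData, PointerToRawData
        end = max(end, raw_ptr + raw_size)
    return min(end, len(buf) - off)   # a cut-off trailing image is kept, truncated


def carve_pe(buf: bytes) -> List[Tuple[int, bytes]]:
    """Return (offset, image_bytes) for every header-valid PE in buf. Advances one
    byte at a time so an image nested inside another is reported too; decoy "MZ"
    hits fail pe_extent and are skipped."""
    found, pos = [], buf.find(MZ)
    while pos >= 0:
        size = pe_extent(buf, pos)
        if size:
            found.append((pos, buf[pos:pos + size]))
        pos = buf.find(MZ, pos + 1)
    return found


def make_pe(payloads: List[bytes], e_lfanew: int = 0x40) -> bytes:
    """Constructed header-valid PE32 with one section per payload (test input only)."""
    nsec, opt_len = len(payloads), 0xE0
    ptr = e_lfanew + 4 + COFF_HDR_LEN + opt_len + nsec * SECTION_HDR_LEN
    dos = bytearray(e_lfanew)
    dos[:2] = MZ
    struct.pack_into("<I", dos, E_LFANEW_OFF, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, opt_len, 0x102)
    opt = bytearray(opt_len)
    opt[:2] = b"\x0b\x01"                                  # PE32 magic
    sections, data = bytearray(), bytearray()
    for i, p in enumerate(payloads):
        sections += struct.pack("<8sIIIIIIHHI", b".s%d" % i, len(p), 0x1000 * (i + 1),
                                len(p), ptr, 0, 0, 0, 0, 0x60000020)
        data += p
        ptr += len(p)
    return bytes(dos) + PE_SIG + coff + bytes(opt) + bytes(sections) + bytes(data)


# Constructed sample: two images, leading/trailing garbage and a decoy "MZ" between them.
IMAGE_A = make_pe([b"A" * 64, b"B" * 32])
IMAGE_B = make_pe([b"C" * 16])
KEY = b"constructed-key"
RESOURCE = rc4(KEY, b"\x00" * 7 + IMAGE_A + b"junk-MZ-junk" + IMAGE_B + b"\xff" * 3)


def recover(resource: bytes = RESOURCE, key: bytes = KEY) -> List[Tuple[int, bytes]]:
    """Exercises 2 and 3 in one step: decrypt the resource, then carve it."""
    return carve_pe(rc4(key, resource))


if __name__ == "__main__":
    for off, img in recover():
        print(f"PE at offset {off:#x}, {len(img)} bytes")
```

Run it as a script to list what was carved. Two design points worth noting: the extent comes from the section table rather than from the next "MZ", so data appended after an image is not swallowed into it; and a trailing image that has been cut short is returned as far as the buffer goes rather than discarded, which is the behaviour you want when a resource was truncated during extraction.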
Analysis of two arbitrary code execution vulnerabilities affecting WPS Office
(exploited by APT-C-60)


#apt #analysis #cve
The SOS Intelligence CVE Chatter Weekly Top Ten
This weekly post is produced from our intelligence collection pipelines, which monitor the open web and the dark web.

https://sosintel.co.uk/category/cve-top-10/

———

CISA (America's Cyber Defense Agency)
Bulletins provide weekly summaries of new vulnerabilities.

https://www.cisa.gov/news-events/bulletins

———
Silly EDR Bypasses and Where To Find Them
Credit: Marcus Hutchins
A proof of concept for abusing exception handlers to hook and bypass user mode EDR hooks.

https://github.com/MalwareTech/EDRception.git

#edr #redteam