/ Deep Dive Analysis – Borat RAT
Remote Access Trojan Capable Of Conducting Ransomware & DDOS Activities
https://blog.cyble.com/2022/03/31/deep-dive-analysis-borat-rat/
Cyble
Deep Dive Analysis – Borat RAT | Cyble
Cyble Research Labs analyzes Borat, a sophisticated RAT variant that boasts a combination of Remote Access Trojan, Spyware, Ransomware and DDoS capabilities.
/ Malware Specifically Targeting AWS Lambda
https://www.cadosecurity.com/cado-discovers-denonia-the-first-malware-specifically-targeting-lambda/
P.S. Malware domains already blocked in BLD DNS https://lab.sys-adm.in
Darktrace
Solve Cloud Forensics at Scale
Darktrace has acquired Cado security, a cyber investigation and response solution provider and leader in cloud data capture and forensics.
Tampering With ForcePoint One DLP EndPoint
ForcePoint One DLP EndPoint lacks tamper protection allowing attackers to disable the product, raise privileges and establish persistence on the machine…
Step-by-step guide:
https://mrd0x.com/tampering-with-forcepoint-dlp/
Mrd0X
Security Research | mr.d0x
Providing security research and red team techniques
Unmanaged Code Execution With .NET Dynamic PInvoke
In this post, .NET loosely refers to modern versions of the .NET Framework (4+). Other versions of .NET runtimes (e.g. Core) may be relevant.
DInvoke is an API for dynamically calling the Windows API, using syscalls, and evading endpoint security controls through powerful primitives and other advanced features such as module overloading and manual mapping.
https://bohops.com/2022/04/02/unmanaged-code-execution-with-net-dynamic-pinvoke/
bohops
Unmanaged Code Execution with .NET Dynamic PInvoke
Yes, you read that correctly – “Dynamic Pinvoke” as in “Dynamic Platform Invoke”. Background: Recently, I was browsing through Microsoft documentation and other blogs to…
/ How to write an Ansible plugin to create inventory files
Nmap scanner plugin:
https://www.redhat.com/sysadmin/ansible-plugin-inventory-files
Redhat
How to write an Ansible plugin to create inventory files
In my previous articles in this series, I wrote about dynamic Ansible inventories and how to write a very flexible Python script that uses Nmap results to cr...
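As an added example (my own code, not the Red Hat article's plugin), here is the core of such a dynamic inventory: it parses Nmap's `-oX` XML, keeps only hosts that are up, and groups them by the open services Nmap identified. The Nmap XML embedded below is constructed for the example; the group names (`svc_ssh` and so on) and the `open_ports` hostvar are my own conventions, not anything Ansible or Nmap defines.

```python
"""Build an Ansible dynamic-inventory document from Nmap XML output."""
import json
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -sV -oX -` output (not real scan data).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX - 10.0.0.0/29">
  <host>
    <status state="up"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <hostnames><hostname name="web01.lab.local" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
    </ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="10.0.0.6" addrtype="ipv4"/>
    <hostnames/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="3306"><state state="closed"/><service name="mysql"/></port>
    </ports>
  </host>
  <host>
    <status state="down"/>
    <address addr="10.0.0.7" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_nmap_hosts(xml_text):
    """Return [{'ip', 'name', 'open_ports': {port: service}}] for hosts Nmap saw as up."""
    hosts = []
    root = ET.fromstring(xml_text)
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # a host that is down cannot be managed
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ip = addr.get("addr")
        hn = host.find("hostnames/hostname")
        name = hn.get("name") if hn is not None else ip  # fall back to the IP as inventory name
        open_ports = {}
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports say nothing about what runs there
            svc = port.find("service")
            open_ports[int(port.get("portid"))] = svc.get("name") if svc is not None else "unknown"
        hosts.append({"ip": ip, "name": name, "open_ports": open_ports})
    return hosts


def build_inventory(hosts):
    """Emit the JSON structure Ansible expects from a dynamic inventory script's --list."""
    inventory = {"_meta": {"hostvars": {}}, "all": {"hosts": []}}
    for h in hosts:
        inventory["all"]["hosts"].append(h["name"])
        inventory["_meta"]["hostvars"][h["name"]] = {
            "ansible_host": h["ip"],
            "open_ports": sorted(h["open_ports"]),
        }
        # One group per detected service, e.g. svc_ssh holds every host Ansible can reach.
        for service in h["open_ports"].values():
            inventory.setdefault(f"svc_{service}", {"hosts": []})["hosts"].append(h["name"])
    return inventory


if __name__ == "__main__":
    print(json.dumps(build_inventory(parse_nmap_hosts(SAMPLE_NMAP_XML)), indent=2))
```

A real inventory script has to honour `--list` (print this document) and `--host <name>` (print that host's vars, or `{}` when `_meta` is supplied) and would read the XML from a file written by `nmap -oX`; the hosts in `svc_ssh` are the ones a playbook can actually reach, so that is the group to target rather than `all`.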
The Curious Case of Coulus Coelib
The technique we invented to uncover the active exploitation of side and covert channels continues to work on Android:
https://blog.appcensus.io/2022/04/06/the-curious-case-of-coulus-coelib/
Information and analysis on a few new info-stealer malware families: BlackGuard and META
/ Analysis of BlackGuard - A New Info Stealer Malware
https://www.zscaler.com/blogs/security-research/analysis-blackguard-new-info-stealer-malware-being-sold-russian-hacking
/ New Meta information stealer distributed in malspam campaign
https://www.bleepingcomputer.com/news/security/new-meta-information-stealer-distributed-in-malspam-campaign/
Zscaler
Analysis of BlackGuard - Info Stealer Malware | Zscaler Blog
In this blog, ThreatLabz analyzes BlackGuard, an emerging info stealer malware being sold as a service on a Russian hacking forum.
Forwarded from Sys-Admin InfoSec
/ Performing and modernizing Bleeding Bear techniques
The article’s analysis of Bleeding Bear tactics, techniques and procedures left me with a couple of thoughts. The first was, “hey, I can probably perform some of these techniques!” and the second was, “how can I improve on them?”
An interesting, practical article:
https://labs.nettitude.com/blog/repurposing-real-ttps-for-use-on-red-team-engagements/
LRQA
Repurposing Real TTPs for use on Red Team Engagements
I recently read an interesting article by Elastic. It provides new analysis of a sophisticated, targeted campaign against several organizations. This has been labelled ‘Bleeding Bear’. The article’s analysis of Bleeding Bear tactics, techniques and procedures…
Boopkit - Linux backdoor, rootkit, and eBPF bypass tools
Remote command execution over raw TCP:
- Tested on Linux kernel 5.16
- Tested on Linux kernel 5.17
- Remote code execution over TCP (SSH, Nginx, Kubernetes, etc)
- Network gateway bypass (bad checksums, TCP reset)
- Self obfuscation at runtime (eBPF process hiding)
https://github.com/kris-nova/boopkit
GitHub
GitHub - krisnova/boopkit: Linux eBPF backdoor over TCP. Spawn reverse shells, RCE, on prior privileged access. Less Honkin, More…
Linux eBPF backdoor over TCP. Spawn reverse shells, RCE, on prior privileged access. Less Honkin, More Tonkin. - krisnova/boopkit
Where to Find the Best Online Ethical Hacking Courses, Classes, and Training
https://careerkarma.com/blog/online-ethical-hacking-courses/
Career Karma
The Best Online Ethical Hacking Courses, Classes, and Training
With the growing rate of #CyberAttacks, the need to improve our knowledge on how to protect digital information has become essential. Learn #EthicalHacking with some of the best courses, classes, and training for aspiring #CyberSecurity professionals.
Tarrask malware uses scheduled tasks for defense evasion
Windows Task Scheduler is a service that allows users to perform automated tasks (scheduled tasks) on a chosen computer for legitimate administrative purposes (e.g., scheduled updates for browsers and other applications)... threat actors commonly make use of this service to maintain persistence within a Windows environment.
Tarrask malware generates several artifacts upon the creation of a scheduled task, whether using the Task Scheduler GUI or the schtasks command line utility. Profiling the use of either of these tools can aid investigators in tracking this persistence mechanism:
https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/
Microsoft News
Tarrask malware uses scheduled tasks for defense evasion
Microsoft Detection and Response Team (DART) researchers have uncovered malware that creates “hidden” scheduled tasks as a defense evasion technique. In this post, we will demonstrate how threat actors create scheduled tasks, how they cover their tracks,…
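The registry artifacts are the ones worth profiling. Every task the Schedule service knows about has a key under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\<folder\task> holding an Id (GUID) and an SD (security descriptor) value, plus a matching TaskCache\Tasks\{GUID} key with the task definition; the hiding trick the post describes is deleting the SD value, which makes the task disappear from schtasks /query and the Task Scheduler UI while the service keeps running it. As an added example (my own code, not Microsoft's and not part of the post), the script below audits those two branches for a missing SD and for Tree/Tasks entries that no longer match each other. The snapshot data is constructed; on Windows the script can read the live registry instead, and the assumption that leaf keys under Tree are tasks while keys with subkeys are folders is mine.

```python
"""Audit the Task Scheduler registry cache (TaskCache) for tasks hidden by SD removal."""
import sys

TASKCACHE = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache"

# Constructed snapshot of the two TaskCache branches (not taken from a real host).
# Tree\<folder\task> keys carry an Id (GUID) and an SD (security descriptor);
# Tasks\{GUID} keys hold the definition the service actually runs.
SNAPSHOT_TREE = {
    r"Microsoft\Windows\Defrag\ScheduledDefrag": {"Id": "{AAAA-1}", "SD": b"\x01\x00\x04\x80"},
    r"Microsoft\Windows\Wininet\CacheTask": {"Id": "{AAAA-2}", "SD": b"\x01\x00\x04\x80"},
    r"WinUpdateSvc": {"Id": "{AAAA-3}"},                                # SD deleted: hidden task
    r"OfficeTelemetry": {"Id": "{AAAA-9}", "SD": b"\x01\x00\x04\x80"},  # Id points at nothing
}
SNAPSHOT_TASKS = {
    "{AAAA-1}": {"Path": r"\Microsoft\Windows\Defrag\ScheduledDefrag"},
    "{AAAA-2}": {"Path": r"\Microsoft\Windows\Wininet\CacheTask"},
    "{AAAA-3}": {"Path": r"\WinUpdateSvc"},
    "{AAAA-4}": {"Path": r"\Ghost"},                                    # no Tree entry at all
}


def audit_taskcache(tree, tasks):
    """Return (task, finding) pairs for every TaskCache inconsistency worth a look."""
    findings = []
    seen_ids = set()
    for path, values in tree.items():
        if "SD" not in values:
            findings.append((path, "no SD value: task is invisible to schtasks /query and the Task Scheduler UI"))
        task_id = values.get("Id")
        if task_id is None:
            findings.append((path, "no Id value: malformed Tree entry"))
            continue
        seen_ids.add(task_id)
        if task_id not in tasks:
            findings.append((path, f"Id {task_id} has no Tasks entry"))
    for task_id, values in tasks.items():
        if task_id not in seen_ids:
            findings.append((values.get("Path", task_id), f"Tasks entry {task_id} has no Tree entry"))
    return findings


def collect_from_registry():
    """Read the live TaskCache on Windows via winreg; returns (tree, tasks) in snapshot form."""
    import winreg  # Windows only

    def read_values(key):
        return {winreg.EnumValue(key, i)[0]: winreg.EnumValue(key, i)[1]
                for i in range(winreg.QueryInfoKey(key)[1])}

    def walk_tree(rel, acc):
        # Assumption: leaf keys under Tree are tasks, keys with subkeys are folders.
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, TASKCACHE + r"\Tree" + rel) as key:
            n_sub = winreg.QueryInfoKey(key)[0]
            if n_sub == 0:
                acc[rel.lstrip("\\")] = read_values(key)
            for i in range(n_sub):
                walk_tree(rel + "\\" + winreg.EnumKey(key, i), acc)
        return acc

    tree = walk_tree("", {})
    tasks = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, TASKCACHE + r"\Tasks") as key:
        for i in range(winreg.QueryInfoKey(key)[0]):
            guid = winreg.EnumKey(key, i)
            with winreg.OpenKey(key, guid) as sub:
                tasks[guid] = read_values(sub)
    return tree, tasks


if __name__ == "__main__":
    if sys.platform == "win32" and "--live" in sys.argv:
        tree, tasks = collect_from_registry()
    else:
        tree, tasks = SNAPSHOT_TREE, SNAPSHOT_TASKS
    for task, finding in audit_taskcache(tree, tasks):
        print(f"[!] {task}: {finding}")
```

Run it with `--live` from an elevated prompt on the host under investigation (TaskCache is not readable by ordinary users). A task with no SD is the finding regardless of which tool created it; compare the Tasks\{GUID} entry's Actions against the on-disk XML under C:\Windows\System32\Tasks, since an actor who removes the SD often removes that file as well.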
The AWS VPN Client application is affected by an arbitrary file write as SYSTEM
https://rhinosecuritylabs.com/aws/cve-2022-25165-aws-vpn-client/
Rhino Security Labs
CVE-2022-25165: Privilege Escalation to SYSTEM in AWS VPN Client
The AWS VPN Client application is affected by an arbitrary file write as SYSTEM, which can lead to privilege escalation.
Improving git commits with Husky
Modern native git hooks made easy:
https://typicode.github.io/husky
typicode.github.io
Husky
Git hooks made easy
Vault 1.10 Release Highlights
New and updated tutorials for the Vault 1.10 release:
https://learn.hashicorp.com/collections/vault/new-release
HashiCorp Learn
Vault 1.10 Release Highlights | Vault - HashiCorp Learn
Introducing both new and updated tutorials for Vault 1.10 release.
WordPress plugin with 5 million active installations has an RCE vulnerability
https://patchstack.com/articles/critical-vulnerability-fixed-in-elementor-plugin/
Patchstack
Critical Vulnerability Fixed In Elementor Plugin Version 3.6.3 - Patchstack
Vulnerability in Elementor - A critical vulnerability was fixed in the WordPress plugin Elementor version 3.6.3.
Bore - a CLI tool written in Rust for making tunnels to localhost
https://news.1rj.ru/str/sysadm_in_channel/3936
Telegram
Sys-Admin & InfoSec Channel
/ Bore - a simple CLI tool for making tunnels to localhost
https://github.com/ekzhang/bore
Detecting Spring4Shell (CVE-2022-22965) with Wazuh
https://wazuh.com/blog/detecting-spring4shell-cve-2022-22965-with-wazuh/
Wazuh
Detecting Spring4Shell (CVE-2022-22965) with Wazuh | Wazuh | The Open Source Security Platform
A remote code execution (RCE) vulnerability that affects the Spring Java framework has been discovered. The vulnerability is dubbed Spring4Shell. In this blog post, you will learn to detect Spring4Shell exploitation attempts with Wazuh.
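The detection idea is simple enough to show directly. The public exploit for CVE-2022-22965 abuses Spring's request-parameter data binding to reach properties through the class.module.classLoader.* path (JDK 9+ on Tomcat), reconfigures the AccessLogValve so it writes a .jsp into the webroot, and then requests that file. As an added example (my own code, not Wazuh's rules or decoders), the script below scans web access-log lines for that parameter prefix and for a follow-up .jsp request from the same source. The log lines are constructed for the example; the regexes, the alert shape and the follow-up heuristic are mine and would need adapting to whatever log format the Wazuh agent collects.

```python
"""Scan web access logs for CVE-2022-22965 (Spring4Shell) exploitation attempts."""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed access-log lines in combined format (not captured traffic).
SAMPLE_LOG = """\
10.1.2.3 - - [05/Apr/2022:10:00:01 +0000] "GET /app/greet?name=alice HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.1.2.4 - - [05/Apr/2022:10:00:02 +0000] "GET /app/greet?class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22j%22.equals(request.getParameter(%22pwd%22)))%7B HTTP/1.1" 200 512 "-" "python-requests/2.27"
10.1.2.4 - - [05/Apr/2022:10:00:03 +0000] "POST /app/greet?class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp HTTP/1.1" 200 512 "-" "python-requests/2.27"
10.1.2.5 - - [05/Apr/2022:10:00:04 +0000] "GET /app/search?q=class+schedule HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.1.2.4 - - [05/Apr/2022:10:00:05 +0000] "GET /tomcatwar.jsp?pwd=j&cmd=id HTTP/1.1" 200 64 "-" "curl/7.81"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# The exploit walks Spring's bean-property binding into the class loader
# (class.module.classLoader... on JDK 9+) to reconfigure Tomcat's AccessLogValve.
# No legitimate form submits a parameter whose name starts with these prefixes.
BINDING_RE = re.compile(r"^class\.(module|classLoader|protectionDomain)\b", re.IGNORECASE)


def parse_line(line):
    """Split one combined-format line into source, method, path, query params and status."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    return {
        "src": m.group("src"),
        "method": m.group("method"),
        "path": url.path,
        "params": parse_qsl(url.query, keep_blank_values=True),
        "status": int(m.group("status")),
    }


def suspicious_params(params):
    """Return the parameter names that target the class-loader binding path."""
    # parse_qsl already decoded once; decode again so a double-encoded name still matches.
    return [name for name, _ in params if BINDING_RE.match(unquote_plus(name))]


def scan(log_text):
    """Alert on binding payloads and on .jsp requests from a source that sent one."""
    alerts, attackers = [], set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = suspicious_params(rec["params"])
        if hits:
            attackers.add(rec["src"])
            alerts.append({**rec, "params": hits, "reason": "Spring4Shell property-binding parameter"})
        elif rec["path"].endswith(".jsp") and rec["src"] in attackers:
            alerts.append({**rec, "params": [n for n, _ in rec["params"]],
                           "reason": "jsp request from a source that sent a binding payload"})
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a['src']} {a['method']} {a['path']} {a['status']}: {a['reason']} {a['params']}")
```

The binding also works on POST form bodies, which access logs do not contain, so this catches only the query-string form of the attack; pair it with a file-integrity check for new .jsp files under the webapp's document root, which is what turns an attempt into a confirmed compromise.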