Information/Analysis about of few new info stealer malware’s - BlackGuard, META
/ Analysis of BlackGuard - A New Info Stealer Malware
https://www.zscaler.com/blogs/security-research/analysis-blackguard-new-info-stealer-malware-being-sold-russian-hacking
/ New Meta information stealer distributed in malspam campaign
https://www.bleepingcomputer.com/news/security/new-meta-information-stealer-distributed-in-malspam-campaign/
/ Analysis of BlackGuard - A New Info Stealer Malware
https://www.zscaler.com/blogs/security-research/analysis-blackguard-new-info-stealer-malware-being-sold-russian-hacking
/ New Meta information stealer distributed in malspam campaign
https://www.bleepingcomputer.com/news/security/new-meta-information-stealer-distributed-in-malspam-campaign/
Zscaler
Analysis of BlackGuard - Info Stealer Malware | Zscaler Blog
In this blog, ThreatLabz analyzes BlackGuard, an emerging an info stealer malware being sold as a service on a Russian hacking forum.
Forwarded from Sys-Admin InfoSec
/ Performing / Modernization Bleeding Bear techniques
The articles analysis of Bleeding Bear tactics, techniques and procedures left me with a couple of thoughts. The first was, “hey, I can probably perform some of these techniques!” and the second was, “how can I improve on them?
It is a interesting practice article:
https://labs.nettitude.com/blog/repurposing-real-ttps-for-use-on-red-team-engagements/
The articles analysis of Bleeding Bear tactics, techniques and procedures left me with a couple of thoughts. The first was, “hey, I can probably perform some of these techniques!” and the second was, “how can I improve on them?
It is a interesting practice article:
https://labs.nettitude.com/blog/repurposing-real-ttps-for-use-on-red-team-engagements/
LRQA
Repurposing Real TTPs for use on Red Team Engagements
I recently read an interesting article by Elastic. It provides new analysis of a sophisticated, targeted campaign against several organizations. This has been labelled ‘Bleeding Bear’. The articles analysis of Bleeding Bear tactics, techniques and procedures…
Boopkit - Linux backdoor, rootkit, and eBPF bypass tools
Remote command execution over raw TCP:
- Tested on Linux kernel 5.16
- Tested on Linux kernel 5.17
- Remote code execution over TCP (SSH, Nginx, Kubernetes, etc)
- Network gateway bypass (bad checksums, TCP reset)
- Self obfuscation at runtime (eBPF process hiding)
https://github.com/kris-nova/boopkit
Remote command execution over raw TCP:
- Tested on Linux kernel 5.16
- Tested on Linux kernel 5.17
- Remote code execution over TCP (SSH, Nginx, Kubernetes, etc)
- Network gateway bypass (bad checksums, TCP reset)
- Self obfuscation at runtime (eBPF process hiding)
https://github.com/kris-nova/boopkit
GitHub
GitHub - krisnova/boopkit: Linux eBPF backdoor over TCP. Spawn reverse shells, RCE, on prior privileged access. Less Honkin, More…
Linux eBPF backdoor over TCP. Spawn reverse shells, RCE, on prior privileged access. Less Honkin, More Tonkin. - krisnova/boopkit
Where to Find the Best Online Ethical Hacking Courses, Classes, and Training
https://careerkarma.com/blog/online-ethical-hacking-courses/
https://careerkarma.com/blog/online-ethical-hacking-courses/
Career Karma
The Best Online Ethical Hacking Courses, Classes, and Training
With the growing rate of #CyberAttacks, the need to improve our knowledge on how to protect digital information has become essential. Learn #EthicalHacking with some of the best courses, classes, and training for aspiring #CyberSecurity professionals.
Tarrask malware uses scheduled tasks for defense evasion
Windows Task Scheduler is a service that allows users to perform automated tasks (scheduled tasks) on a chosen computer for legitimate administrative purposes (e.g., scheduled updates for browsers and other applications)... threat actors commonly make use of this service to maintain persistence within a Windows environment.
Tarrask malware generates several artifacts upon the creation of a scheduled task, whether using the Task Scheduler GUI or the schtasks command line utility. Profiling the use of either of these tools can aid investigators in tracking this persistence mechanism:
https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/
Windows Task Scheduler is a service that allows users to perform automated tasks (scheduled tasks) on a chosen computer for legitimate administrative purposes (e.g., scheduled updates for browsers and other applications)... threat actors commonly make use of this service to maintain persistence within a Windows environment.
Tarrask malware generates several artifacts upon the creation of a scheduled task, whether using the Task Scheduler GUI or the schtasks command line utility. Profiling the use of either of these tools can aid investigators in tracking this persistence mechanism:
https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/
Microsoft News
Tarrask malware uses scheduled tasks for defense evasion
Microsoft Detection and Response Team (DART) researchers have uncovered malware that creates “hidden” scheduled tasks as a defense evasion technique. In this post, we will demonstrate how threat actors create scheduled tasks, how they cover their tracks,…
AWS VPN Client application is affected by an arbitrary file write as SYSTEM
https://rhinosecuritylabs.com/aws/cve-2022-25165-aws-vpn-client/
https://rhinosecuritylabs.com/aws/cve-2022-25165-aws-vpn-client/
Rhino Security Labs
CVE-2022-25165: Privilege Escalation to SYSTEM in AWS VPN Client
The AWS VPN Client application is affected by an arbitrary file write as SYSTEM, which can lead to privilege escalation.
Git commits improvement with Husky
Modern native git hooks made easy:
https://typicode.github.io/husky
Modern native git hooks made easy:
https://typicode.github.io/husky
typicode.github.io
Husky
Git hooks made easy
Vault 1.10 Release Highlights
Introducing both new and updated tutorials for Vault 1.10 release & usage tutorials:
https://learn.hashicorp.com/collections/vault/new-release
Introducing both new and updated tutorials for Vault 1.10 release & usage tutorials:
https://learn.hashicorp.com/collections/vault/new-release
HashiCorp Learn
Vault 1.10 Release Highlights | Vault - HashiCorp Learn
Introducing both new and updated tutorials for Vault 1.10 release.
5 million active installations Wordpress plugin has RCE
https://patchstack.com/articles/critical-vulnerability-fixed-in-elementor-plugin/
https://patchstack.com/articles/critical-vulnerability-fixed-in-elementor-plugin/
Patchstack
Critical Vulnerability Fixed In Elementor Plugin Version 3.6.3 - Patchstack
Vulnerability in Elementor - A critical vulnerability was fixed in the WordPress plugin Elementor version 3.6.3.
Bore - CLI tool for making tunnel in localhost written in Rust
https://news.1rj.ru/str/sysadm_in_channel/3936
https://news.1rj.ru/str/sysadm_in_channel/3936
Telegram
Sys-Admin & InfoSec Channel
/ Bore - is a simple CLI tool for making tunnels to localhost
https://github.com/ekzhang/bore
https://github.com/ekzhang/bore
Detecting Spring4Shell (CVE-2022-22965) with Wazuh
https://wazuh.com/blog/detecting-spring4shell-cve-2022-22965-with-wazuh/
https://wazuh.com/blog/detecting-spring4shell-cve-2022-22965-with-wazuh/
Wazuh
Detecting Spring4Shell (CVE-2022-22965) with Wazuh | Wazuh | The Open Source Security Platform
A remote code execution (RCE) vulnerability that affects the Spring Java framework has been discovered. The vulnerability is dubbed Spring4Shell or In this blog post, you will learn to detect Spring4Shell exploitation attempts with Wazuh
A blueprint for evading industry leading endpoint protection in 2022
In this post, I’d like to lay out a collection of techniques that together can be used to bypassed industry leading enterprise endpoint protection solutions. This is purely for educational purposes for (ethical) red teamers and alike, so I’ve decided not to publicly release the source code. The aim for this post is to be accessible to a wide audience in the security industry, but not to drill down to the nitty gritty details of every technique. Instead, I will refer to writeups of others that deep dive better than I can:
https://vanmieghem.io/blueprint-for-evading-edr-in-2022/
In this post, I’d like to lay out a collection of techniques that together can be used to bypassed industry leading enterprise endpoint protection solutions. This is purely for educational purposes for (ethical) red teamers and alike, so I’ve decided not to publicly release the source code. The aim for this post is to be accessible to a wide audience in the security industry, but not to drill down to the nitty gritty details of every technique. Instead, I will refer to writeups of others that deep dive better than I can:
https://vanmieghem.io/blueprint-for-evading-edr-in-2022/
Vincent Van Mieghem
A blueprint for evading industry leading endpoint protection in 2022
Bypassing CrowdStrike and Microsoft Defender for Endpoint
Implementing Global Injection and Hooking in Windows
https://m417z.com/Implementing-Global-Injection-and-Hooking-in-Windows/
https://m417z.com/Implementing-Global-Injection-and-Hooking-in-Windows/
M417Z
Implementing Global Injection and Hooking in Windows
A couple of weeks ago, Windhawk, the customization marketplace for Windows programs, was released. You can read the announcement for more details and for the motivation behind creating it. In this post, I’ll focus on my journey in implementing the technical…
Make phishing great again. VSTO office files are the new macro nightmare?
Visual Studio Tools for Office (VSTO) has the capability to export an Add-In which is embedded inside an Office document file (such as a Word DOCX). If this document is delivered in the right way (to avoid some inbuilt mitigations) it provides rich capabilities for attackers to phish users and gain code execution on a remote machine through the installation of a word Add-In:
https://medium.com/@airlockdigital/make-phishing-great-again-vsto-office-files-are-the-new-macro-nightmare-e09fcadef010
Visual Studio Tools for Office (VSTO) has the capability to export an Add-In which is embedded inside an Office document file (such as a Word DOCX). If this document is delivered in the right way (to avoid some inbuilt mitigations) it provides rich capabilities for attackers to phish users and gain code execution on a remote machine through the installation of a word Add-In:
https://medium.com/@airlockdigital/make-phishing-great-again-vsto-office-files-are-the-new-macro-nightmare-e09fcadef010
Medium
Make phishing great again. VSTO office files are the new macro nightmare?
Intro to the Office VSTO format, a capability that provides rich capabilities for attackers to phish users and gain code execution
Limited Linux user creation noscript
Few time ago I needed create few limited users in my Linux distos, with limits - user can run only several commands - curl, ping…
Ok, I created simple noscript for this task… in short - sharing for you:
https://github.com/m0zgen/create-limited-user
P.S. All commands you can add in to
Few time ago I needed create few limited users in my Linux distos, with limits - user can run only several commands - curl, ping…
Ok, I created simple noscript for this task… in short - sharing for you:
https://github.com/m0zgen/create-limited-user
P.S. All commands you can add in to
commands.txt, all functionality described in the README.md, enjoy)GitHub
GitHub - m0zgen/create-limited-user: Create or modify existing user permissions to limited executable commands in Linux
Create or modify existing user permissions to limited executable commands in Linux - GitHub - m0zgen/create-limited-user: Create or modify existing user permissions to limited executable commands i...