CrackCodes 🇮🇳
Official Websites: https://crackcodes.in |
For Bug Hunters: https://system32.ink

Admin: @MynK0x00
About Admin: prapattimynk.crackcodes.in


Be Secure~
Jai Shri Ram
MurkyStrings.zip
10 KB
🔥String Obfuscation The Malware Way - blog post

While this technique is not as secure as encryption, it can still be useful for malware authors who want to avoid detection by simple string analysis and other static analysis techniques. Not encrypting or encoding the strings will also help avoid entropy-based detections.

💥MurkyStrings is a string obfuscator for .NET applications, built to evade static string analysis. It does not rely on encryption or encoding, which lets it evade entropy-based detections. Instead, it transforms strings into a murky mess by inserting special characters and random words, then removes them again at runtime.

Usage:
MurkyStrings.exe <file path> [--mode=<mode>]
Available modes:
💾replace[glyph] - Insert a variety of homoglyph characters that look identical to alphabetical characters
💾replace[simple] - Insert random amounts of a special character in between all actual characters
💾combine[glyph] - Combines remove and replace[glyph]
💾combine[simple] - Combines remove and replace[simple]
This tool was presented at Source Zero Con 2022. In short: you feed it a compiled binary, and the tool strips known IoC strings from the binary, signs it with a certificate taken from another binary, and also helps bypass EDR (by increasing the file size).

https://github.com/optiv/Mangle

#redteam #pentest #bypass
Backdoors in FreePBX
A PHP backdoor that adds its own user (mgknight), deletes legitimate users, is encoded in base64 and rewrites .htaccess - meet it on your telephony servers)))
Read the Friday investigation

#freepbx #backdoor
🛡Akamai’s Perspective on December’s Patch Tuesday 2022

In this report, we’ll assess how critical the vulnerabilities really are and how commonplace the affected applications and services are, and we’ll provide a realistic perspective on the bugs that were fixed.

🛡December 2022 Patch Tuesday: 10 Critical CVEs, One Zero-Day, One Under Active Attack (crowdstrike)

🛡Microsoft Patch Tuesday for December 2022 — Snort rules and prominent vulnerabilities (talos intelligence)

🛡The December 2022 Security Update Review (ZDI)

🛡Microsoft’s December 2022 Patch Tuesday Addresses 48 CVEs (tenable)

🛡Microsoft Patch Tuesday, December 2022 Edition (KrebsonSecurity)

🛡Patch Tuesday - December 2022 (rapid7)
🔥🔥🔥 EntryBleed: Breaking KASLR under KPTI with Prefetch (CVE-2022-4543)

Recently, BitsByWill discovered that Linux KPTI has implementation issues that can allow any unprivileged local attacker to bypass KASLR on Intel-based systems. While technically only an info-leak, it still provides a primitive that has serious implications for bugs previously considered too hard to exploit, and it was assigned CVE-2022-4543. For reasons explained in the writeup, he has decided to term this attack “EntryBleed.”
💥Precious Gemstones: The New Generation of Kerberos Attacks

In this blog, after a brief primer on relevant Kerberos terms and the attacks themselves, we discussed the privileges required to perform such attacks and the importance of monitoring different forged ticket attacks. Additionally, we examined possible detection ideas that might help cover Golden Ticket attacks as well as new attack methods. Forged ticket attacks might be hard to detect with a cursory glance, since they can initially appear to be legitimate. However, if enough information is collected about suspicious network activity, malicious tool usage, or Windows events, we might be able to detect some of the most effective Kerberos attacks.
🔥Win32k User-Mode Printer Drivers StartDoc UAF
(PoC included)

A vulnerability (CVE-2022-41050) in the way BoundClipRGNToSurface merges surfaces allows attackers to trigger a UAF, because a function frees data that is still in use and then accesses it. If the freed memory is properly prepared, the attacker can control the crash and cause it to execute arbitrary code.
🦠Home Grown Red Team: Let’s Make Some Malware In C

That was a fun project, but let’s take it a step further and create a script that will replicate the process and obfuscate the functions within our malware template so we get a new, unsignatured EXE every time.

💾Part1
💾Part2

🔖Completed scripts for this project here
PingPlant.zip
15.4 KB
🔥PingPlant is a Linux implant PoC that starts a custom listener for ICMP data, and parses the ethernet frame to check for a special payload.

If this payload is found, it will then initiate a callback to a defined IP. Even though I have this connect back with a reverse shell, you could edit this to have it execute anything on the infected system when the special payload is received.

Features:
💾Runtime process renaming
💾No listening ports
💾Written in Go, so almost all AVs will never pick this up
#exploit
1. CVE-2022-28672:
Foxit PDF Reader - UaF RCE Exploit
https://hacksys.io/blogs/foxit-reader-uaf-rce-jit-spraying-cve-2022-28672
]-> https://github.com/hacksysteam/CVE-2022-28672

2. CVE-2022-45451:
Acronis Cyber Protect/Home Cyber Protect - Arbitrary File Read
https://github.com/alfarom256/CVE-2022-45451
#Offensive_security
1. How to Detect Malicious OAuth Device Code Phishing in M365
https://www.inversecos.com/2022/12/how-to-detect-malicious-oauth-device.html
2. It's all about Bypassing Android SSL Pinning and Intercepting Proxy Unaware applications
https://kishorbalan.medium.com/its-all-about-android-ssl-pinning-bypass-and-intercepting-proxy-unaware-applications-91689c0763d8
Traffers.pdf
5.3 MB
#Malware_analysis
"Traffers: a deep dive into the information stealer ecosystem", 2022.
#Threat_Research
1. Unusual Cache Poisoning between Akamai and S3 buckets
https://spyclub.tech/2022/12/14/unusual-cache-poisoning-akamai-s3
2. HTTP Request Smuggling Due to Incorrect Parsing of Multi-line Transfer-Encoding
https://hackerone.com/reports/1665156
AISY.pdf
727.7 KB
#Research
BlackHat Asia 2022:
"AISY - Deep Learning-based Framework for Side-channel Analysis".

]-> Repo: https://github.com/AISyLab/AISY_Framework
#Blue_Team_Techniques
Compromised Cloud Compute Credentials: Case Studies From the Wild
https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials
Spamworld.php
24.1 KB
New mini shell :)
⚠️ Bypass All waf
📌 Non Encoded :::)))