CrackCodes 🇮🇳
Official Websites: https://crackcodes.in | For Bug Hunters: https://system32.ink

Admin: @MynK0x00
About Admin: prapattimynk.crackcodes.in


Be Secure~
Victory to Lord Ram
Blindside.zip
22.9 KB
🔥🔥🔥Blindside is a technique for evading the monitoring of EDR and XDR platforms using hardware breakpoints to inject commands and perform unexpected, unwanted, or malicious operations. It involves creating a breakpoint handler, and setting a hardware breakpoint that will force the debugged process to load only ntdll to memory. This will result in a clean and unhooked ntdll which then could be copied to our process and unhook the original ntdll.

🔖Technical blog post:
Blindside: A New Technique for EDR Evasion with Hardware Breakpoints
🛡Fix memory leak in set_mempolicy_home_node system call

When encountering any vma in the range with policy other than MPOL_BIND or MPOL_PREFERRED_MANY, an error is returned without issuing a mpol_put on the policy just allocated with mpol_dup().

⚠️This allows arbitrary users to leak kernel memory (DoS).
CVE-2022-42046.zip
32.3 KB
🔥🔥🔥PoC of wfshbr64.sys LPE (Windows Kernel Mode Anti-Cheat Driver, CVE-2022-42046)

wfshbr64.sys and wfshbr32.sys specially crafted payload allows arbitrary user to perform bitwise operation with arbitrary EPROCESS offset and flags value to purposely elevate the game process to CodeGen Full protection by manipulating EPROCESS.Protection and EPROCESS.SignatureLevel flags (security hole as a feature).

⚠️The driver is signed by Microsoft hardware compatibility publisher that is submitted via Microsoft Hardware Program.
#tools
#Offensive_security
1. Rps_Http ClientInfo IOC search PowerShell script for recent Exchange issue to check for signs of exploitation
https://github.com/CrowdStrike/OWASSRF/blob/main/Rps_Http-IOC.ps1
2. Vultriever - Vulnerability scoring with Nmap with the built-in Vulners snap-in
https://github.com/MalwareHunters/vultriever
#Blue_Team_Techniques
1. Linux kernel module generator for Hidden firewall that follows the rules in the external YAML file
https://github.com/CoolerVoid/HiddenWall
2. Guide to Use Sigma EVTX Checker
https://gist.github.com/Neo23x0/9eb505a00f7ba591645a6246fa6c5246
// Fast Go-based scanner for Linux, Windows, macOS that applies Sigma rules and outputs the matches as JSON
Privacy_Practice.pdf
5.8 MB
#Tech_book
"Privacy in Practice: Establish and Operationalize a Holistic Data Privacy Program", 2023.
#tools
#OSINT
CVE and PoC SearchBot v.0.5.0:

Added:
- New sources of information about CVE vendor/products: nvd.nist.gov and cve.org;
- Feedback answer option.
Changed:
- App's architecture;
- APIv2 from nvd.nist.gov is now used;
- Changed message-broker software;
- Default level now is set to ALL;
- PoC search based on CVE description and vendor/product;
- The manual query for PoCs now uses the logical AND.
Fixed:
- Vendor/products duplication issue;
- Settings menu errors;
- A number of minor bugs.
Happy Tulsi Pujan ❤️
Hello everyone, on this auspicious day we are going to launch our forum powered by @H4ckerinthehouse, where you can connect, share and communicate with each other.

Here are some features of this forum:
You can ask questions, create polls, and answer any question. You can refer anyone using your referral code. You can make a public discussion group as well as a private discussion group! You can also send a private message to an individual and ask anything.

A lot of new features and surprises are coming in the upcoming days.

So what are you guys looking for? Go and register on the Hackerinthehouse Forum.

Here is the link to register on the forum: https://forum.hackerinthehouse.in