ExcreamOnSecurity
root@ExcreamOnSecurity: % cat ~/etc/topics.allow

- Offensive Security (Red Teaming / PenTesting)
- BlueTeam (OperationSec, ThreatHunting, DFIR)
- Reverse Engineering / Malware Analysis
- Web Security
Exploiting DLL Hijacking by DLL Proxying Super Easily

This is a tutorial about exploiting DLL Hijack vulnerability without crashing the application. The method used is called DLL Proxying.

https://github.com/tothi/dll-hijack-by-proxying
#windows #dll #exploitation #tools
SQL Injection using Unicode Characters

I found this vulnerability while performing penetration testing for an e-learning application that uses Moodle as LMS in the background. Moodle LMS uses Unicode by default, for content transformation which also helps for data sanitization. These filters could be bypassed to achieve a successful SQL Injection exploit.

https://medium.com/bugbountywriteup/sql-injection-using-unicode-characters-8d360ead379c
#web #sql #appsec
Bypassing JailBreak Detection - DVIAv2 Part 2

When you subvert security controls on an iOS device to gain access as the root user, it is called Jailbreaking. This gives you a ‘jailbroken’ device. When this happens, the security is significantly weaker and essentially breaks the sandboxing between applications, allowing malicious apps to gain any data they want. This is useful for research; however, it is risky for end users.

https://philkeeble.com/ios/reverse-engineering/iOS-Bypass-Jailbreak/
#mobile #ios #appsec
Attacking MS Exchange Web Interfaces

In this article, I’ll cover all the available techniques for attacking MS Exchange web interfaces and introduce a new technique and a new tool to connect to MS Exchange from the Internet and extract arbitrary Active Directory records, which are also known as LDAP records.

https://swarm.ptsecurity.com/attacking-ms-exchange-web-interfaces/
#ad #windows #pentesting #redteaming #owa
Fun with PowerShell Payload Execution and Evasion

In this article, we’re going to learn how to use COM objects and PowerShell in Windows to execute shell commands with a couple of techniques for evading some endpoint security.

https://medium.com/swlh/fun-with-powershell-payload-execution-and-evasion-f5051fd149b2
#windows #powershell #evasion #obfuscation
How to start Threat Hunting (even if your team is small!)

Okay, I get it, there are hundreds of blogs about Threat Hunting already, but many are focused at large SOC teams with lots of resources. Even if you are a one-person team, this blog will address the problems you may face, a very simple process to structure your hunts, and a small library of hunts to get you started!

https://medium.com/@7a616368/how-to-start-threat-hunting-even-if-your-team-is-small-a31e656b8ba1
#blueteaming #soc
Offensive Security Exam Report Template in Markdown

I created an Offensive Security Exam Report Template in Markdown so LaTeX, Microsoft Office Word, LibreOffice Writer are no longer needed during your Offensive Security OSCP, OSWE, OSCE, OSEE, OSWP exam!

https://github.com/noraj/OSCP-Exam-Report-Template-Markdown
#oscp #certification #osce
Weaponizing Mapping Injection with Instrumentation Callback for stealthier process injection

I'm going to release and detail a stealthy process injection technique that uses a combination of two functions to achieve an allocation primitive (that I have already described some time ago), CreateFileMapping() and MapViewOfFile2() (well, I have made some updates to use a stealthier version called MapViewOfFile3()), and chain a very powerful execution primitive through the call NtSetInformationProcess().

https://splintercod3.blogspot.com/p/weaponizing-mapping-injection-with.html
#windows #injection #bypass #evasion #redteaming
Masking Malicious Memory Artifacts Part II: Insights from Moneta

This is the second in a series of posts on malware forensics and bypassing defensive scanners, part one of which can be found here. It was written with the assumption that the reader understands the basics of Windows internals, memory scanners and malware design.

https://www.forrest-orr.net/post/masking-malicious-memory-artifacts-part-ii-insights-from-moneta
#forensics #blueteaming #dfir #malware
Hunting for Skeleton Key Implants

During a recent presentation I examined various ways of persisting within Active Directory (AD) and how every technique can be detected, using both intrinsic IoC of the specific technique or tooling default behaviour. One of the analysed attacks was the skeleton key implant.

https://riccardoancarani.github.io/2020-08-08-hunting-for-skeleton-keys/
#windows #ad #blueteaming #redteaming
Semgrep: A Practical Introduction

In this blogpost, Rohit Salecha will discuss an open source, multi-language tool called Semgrep. Semgrep is a fork of the Sgrep tool, which was originally created at Facebook for performing SAST scans.

https://www.notsosecure.com/semgrep-a-practical-introduction/
#web #owasp #sdlc #appsec
Abusing MacOS Entitlements for code execution

Recently I disclosed some vulnerabilities to Dropbox and PortSwigger via H1 and Microsoft via MSRC pertaining to Application entitlements on MacOS. We’ll be exploring what entitlements are, what exactly you can do with them, and how they can be used to bypass security products.

https://secret.club/2020/08/14/macos-entitlements.html
#bypass #macos #gatekeeper
Securing gMSA Passwords

If you’re not familiar with Group Managed Service Accounts (gMSA), you can review my last post which gave a high-level overview of how they work. In case you need a quick recap, a gMSA is a special Active Directory object used for securely running automated tasks, services and applications. The most important thing to note about these accounts, which plays into their increased security, is the automatically generated and rotating password that no human has to know to make use of the account.

https://blog.stealthbits.com/securing-gmsa-passwords/
https://gist.github.com/kdejoyce/f0b8f521c426d04740148d72f5ea3f6f

#windows #ad #pentesting
Windows Debugger API — The End of Versioned Structures

Some time ago I was introduced to the Windows debugger API and found it incredibly useful for projects that focus on forensics or analysis of data on a machine. This API allows us to open a dump file taken on any Windows machine and read information from it using the symbols that match the specific modules contained in the dump.

https://medium.com/swlh/windows-debugger-api-the-end-of-versioned-structures-ac4acaa351bd
#windows #internals #debug
TLS Poison

A tool that allows for generic SSRF via TLS, as well as CSRF via image tags in most browsers. The goals are similar to SNI injection, but this new method uses inherent behaviors of TLS, instead of depending upon bugs in a particular implementation.

https://github.com/jmdx/TLS-poison/
#tools #appsec #web #bugbounty
Debugging into .NET

.NET for post-exploitation is here to stay. It has been bundled with most C2 frameworks, common tools have been ported, AMSI has been added (then bypassed) and new and clever ways have been found to launch unmanaged code. The process of loading a .NET assembly however appears to be pretty consistent.

https://blog.xpnsec.com/debugging-into-net/
#windows #dotnet #redteaming #internals
Hiding PE Imports

You’ve spent the last hour cheffing up a spicy, homemade, Windows executable just right for your target. Go to compile it and, sweet, there are no errors. Fire up the isolated VM and give it a few test runs and it’s working great. That ASCII art is looking mighty clean I must say. Time to send it downrange. Upload completes and you can see it on the file system.

https://roblehesa.com/posts/hiding-pe-imports/
#windows #internals #redteaming #malware #evasion
Lateral Movement in Azure App Services

We test a lot of web applications at NetSPI, and as everyone continues to move their operations into the cloud, we’re running into more instances of applications being run on Azure App Services. Whenever we run into an App Services application with a serious vulnerability, I’ll frequently get a ping asking about next steps to take in an Azure environment. This blog will hopefully answer some of those questions.

https://blog.netspi.com/lateral-movement-azure-app-services/
#windows #ad #redteaming #pentesting #azure