RedTeam feed
RedTeam blogposts and articles collection
👻 Souls without bodies, phantom types shenanigans 👻
#synacktiv

via Synacktiv Blog (author: Simon Marechal)
Shellcode: Data Masking 2
#odzhan

Introduction This is a quick follow up post to Data Masking that discussed how one might use the Fisher-Yates shuffle and a DRBG to mask shellcode. There’s a lot of ways to mask data that don’t involve using an XOR …

via modexp Blog (author: odzhan)
OST Release Blog: EDR Tradecraft, Presets, PowerShell Tradecraft, and More
#outflank

Malicious actors continuously deploy new or improved techniques. Red teams must maintain an equally rapid pace of development of their tooling arsenal to remain effective at testing evolving defensive measures and preparing organizations for advanced threats. With the dedicated research and development efforts from the Outflank team, OST is constantly evolving, with additions of new, leading-edge tools unique to the market as well as regular enhancements to our existing tools.

In this quarterly release blog, we’ll summarize some of the latest updates we’ve made over the past few months.

via Outflank Blog (author: Marc Smeets)
Full Disclosure: A Look at a Recently Patched Microsoft Graph Logging Bypass - GraphNinja
#trustedsec

From June 2023 to March 2024, Microsoft Graph was vulnerable to a logging bypass that allowed attackers to perform password-spray attacks undetected. During this period, any organization in Azure could have been…

via TrustedSec Blog (author: nyx geek)
iOS: a journey in the USB networking stack
#synacktiv

via Synacktiv Blog (author: Webmaster)
Mistaken Identity: Extracting Managed Identity Credentials from Azure Function Apps
#netspi

NetSPI explores extracting managed identity credentials from Azure Function Apps to expose sensitive data.

via NetSPI Technical Blog (author: Karl Fosaaen)
Automating Managed Identity Token Extraction in Azure Container Registries
#netspi

Learn the processes used to create a malicious Azure Container Registry task that can be used to export tokens for Managed Identities attached to an ACR.

via NetSPI Technical Blog (author: Karl Fosaaen)
Why TOTP Won’t Cut It (And What to Consider Instead)
#netspi

Time-Based One-Time Password (TOTP) is a common method for two factor authentication (2FA) but its lack of rate limiting can create security gaps.

via NetSPI Technical Blog (author: Cory Cline)
The Silk Wasm: Obfuscating HTML Smuggling with Web Assembly
#netspi

A new technique for HTML smuggling using Web Assembly helped us bypass potential malware detection.

via NetSPI Technical Blog (author: Phil Wilson-Smith-Kopp)
Extracting Sensitive Information from the Azure Batch Service
#netspi

The added power and scalability of Batch Service helps users run workloads significantly faster, but misconfigurations can unintentionally expose sensitive data.

via NetSPI Technical Blog (author: Karl Fosaaen)
The Midnight Alert: Navigating the Dark Web Data Dilemma
#trustedsec

In the dead of night, an ominous message hits your inbox: "Your company's sensitive data is for sale on the dark web." As the Chief Information Security Officer (CISO), this scenario is your ultimate test, a moment…

via TrustedSec Blog (author: Carlos Perez)
Understanding and evading Microsoft Defender for Identity PKINIT detection
#synacktiv

via Synacktiv Blog (author: Webmaster)
Lateral movement and on-prem NT hash dumping with Microsoft Entra Temporary Access Passes
#dirkjanm

Temporary Access Passes are a method for Microsoft Entra ID (formerly Azure AD) administrators to configure a temporary password for user accounts, which will also satisfy Multi Factor Authentication controls. They can be a useful tool in setting up passwordless authentication methods such as FIDO keys and Windows Hello. In this blog, we take a closer look at the options attackers have to abuse Temporary Access Passes for lateral movement, showing how they can be used for passwordless persistence and even to recover on-premises Active Directory passwords in certain hybrid configurations.

via Dirk-jan Blog (author: Dirk-jan Mollema)
Survivorship Bias and How Red Teams Can Handle It
#bcsecurity

If you have spent any time on our Discord, you have almost certainly seen some discussions about the prevalence of PowerShell and how it’s still used in most modern attacks. After all, we are still big fans of it in threat emulation and still publish research on it. Inevitably though, [...]

via BC Security Blog (author: Hubbl3)
Custom Beacon Artifacts
#rastamouse

If you’re an experienced Cobalt Strike user, you will already know what role the artifact kit plays in customising its binary (executable and DLL) payload artifacts (artefacts for the British). If not, here’s a tl;dr: Beacon is a reflective DLL that needs to be loaded into memory to run.

via Rasta Mouse Blog
XZ Utils Made Me Paranoid
#trustedsec

On March 28, 2024, the news about the XZ Utils backdoor came out. Since then, I’ve been thinking about how we could identify these backdoors before packages are released or, at the very least, how to identify them after…

via TrustedSec Blog (author: Kevin Haubris)
One month of Burp Suite in the Cloud - how are AppSec teams using it?
#portswigger

It’s now been a month since we launched the new Cloud-based Burp Suite Enterprise Edition, and we’re taking a look at the benefits our users have seen so far.

via PortSwigger Blog
Hacking Apple - SQL Injection to Remote Code Execution
#projectdiscovery

Introduction

In our last blog post, we delved into the inner workings of Lucee and took a look at the source code of Masa/Mura CMS, and the vastness of the potential attack surface struck us. It became evident that investing time in understanding the code could pay off. After

via ProjectDiscovery Research Blog (author: Harsh Jaiswal)