Adventures in Shellcode Obfuscation! Part 6: Two Array Method
#redsiege
by Mike Saunders, Principal Security Consultant This blog is the sixth in a series of blogs on obfuscation techniques for hiding shellcode. You can find the rest of […]
via RedSiege Blog (author: Red Siege)
Injecting Java in-memory payloads for post-exploitation
#synacktiv
via Synacktiv Blog (author: Clement Amic)
Vulnerabilities in AI Agents
#nettitude
LLMs are becoming increasingly accessible to everyone. It is very easy to create your own LLM system, however like with any new technology, they are challenging to secure. Many AI systems are vulnerable to various attacks - the following are three examples of such attacks on LLM agents that we have identified recently. The examples [...]
via Nettitude Labs Blog (author: Jakub Partyka)
Lapse of Control: Applauding PCI SSC for FAQ 1572
#trustedsec
I want to applaud the PCI Security Standards Council (PCI SSC) for FAQ 1572 published in March of 2024 for simply and effectively answering a question asked by countless assessors for several years. The question is: Can…
via TrustedSec Blog (author: Steve Maxwell)
Out of Chaos: Applying Structure to Web Application Penetration Testing
#redsiege
By Stuart Rorer, Security Consultant As a kid, I remember watching shopping contest shows where people wildly darted through a store trying to obtain specific objects, or gather as much […]
via RedSiege Blog (author: Red Siege)
Specula - Turning Outlook Into a C2 With One Registry Change
#trustedsec
There exist a few singular Registry changes that any non-privileged user can make that transform the Outlook email client into a beaconing C2 agent. Given that outlook.exe is a trusted process, this allows an attacker…
via TrustedSec Blog (author: Christopher Paschen)
Unlock enhanced API scanning with Burp Suite
#portswigger
More comprehensive scans. More vulnerabilities identified. More time saved. Enhance your API scanning with Burp Suite. As web portfolios have diversified, APIs have become an increasingly critical fun
via PortSwigger Blog
Persisting on Entra ID applications and User Managed Identities with Federated Credentials
#dirkjanm
Using applications and service principals for persistence and privilege escalation is a well-known topic in Entra ID (Azure AD). I’ve written about these kind of attacks many years ago, and talked about how we can use certificates and application passwords to authenticate as applications and abuse the permissions they have. In this blog, we cover a third way of authenticating as an application: using federated credentials. Federated credentials have been around for a few years, but haven’t been covered much yet from the offensive side. For Entra ID applications, there is no large difference between configuring federated credentials or regular client secrets/certificates. The more interesting part on this topic is that we can also configure federated credentials on User Managed Identities in Azure. This is unusual, because normally Managed Identities have their authentication controlled by Microsoft, and their authentication is tied to a certain resource such as a Virtual Machine. With federated credentials, we can bypass that limitation, given that we have sufficient privileges, and authenticate as this managed identity without requiring access to another resource in Azure. With this blog I’m also introducing a new utility to the ROADtools family: roadoidc, which can set up a minimal Identity Provider (IdP), allowing us to authenticate using federated credentials as apps and user managed identities with roadtx.
via Dirk-jan Blog (author: Dirk-jan Mollema)
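The post describes an attacker who, given sufficient privileges, adds a federated credential to an application or a user-assigned managed identity so that tokens from an identity provider they control are accepted. The defensive counterpart is to audit every federated identity credential in the tenant against the issuers you actually expect. The following Python is an added example, not code from the post or from ROADtools: it assumes the caller has already fetched the credentials (for applications via Microsoft Graph `GET /applications/{id}/federatedIdentityCredentials`, for user-assigned managed identities via the ARM `federatedIdentityCredentials` child resource) and normalised them to dicts using the Graph property names `name`, `issuer`, `subject` and `audiences`. The `ALLOWED_ISSUERS` set, the owner record shape and all sample records are constructed for illustration.

```python
"""Audit Entra ID federated identity credentials against an issuer allowlist.

Added example. Input records are assumed to have been fetched from Graph/ARM
and normalised to the shape documented in audit_federated_credentials().
"""
from dataclasses import dataclass

# Hypothetical allowlist: issuers this tenant expects on its workload
# identities (here only GitHub Actions). Anything else is worth a look.
ALLOWED_ISSUERS = {
    "https://token.actions.githubusercontent.com",
}

# Default audience Entra ID uses for workload identity federation.
EXPECTED_AUDIENCE = "api://AzureADTokenExchange"


@dataclass(frozen=True)
class Finding:
    owner: str        # displayName of the app or managed identity
    kind: str         # "application" or "userAssignedIdentity"
    credential: str   # federated credential name
    issuer: str
    subject: str
    reason: str       # "; "-joined list of triggered checks


def audit_federated_credentials(owners, allowed_issuers=ALLOWED_ISSUERS):
    """Return one Finding per federated credential that looks anomalous.

    `owners` is a list of dicts:
      {"displayName": str,
       "kind": "application" | "userAssignedIdentity",
       "federatedIdentityCredentials": [
           {"name": str, "issuer": str, "subject": str, "audiences": [str]}, ...]}
    Checks: issuer not in the allowlist, issuer not https, audience other
    than the Entra token-exchange audience. Managed identities are audited
    with the same rules: a federated credential on one is legitimate for
    workload identity federation only when its issuer is a known one.
    """
    findings = []
    for owner in owners:
        for fic in owner.get("federatedIdentityCredentials", []):
            issuer = fic.get("issuer", "")
            subject = fic.get("subject", "")
            audiences = fic.get("audiences", [])
            reasons = []
            if issuer not in allowed_issuers:
                reasons.append("issuer not in allowlist")
            if not issuer.startswith("https://"):
                reasons.append("non-https issuer")
            if EXPECTED_AUDIENCE not in audiences:
                reasons.append("unexpected audience")
            if reasons:
                findings.append(Finding(
                    owner=owner.get("displayName", "?"),
                    kind=owner.get("kind", "?"),
                    credential=fic.get("name", "?"),
                    issuer=issuer,
                    subject=subject,
                    reason="; ".join(reasons),
                ))
    return findings


# Constructed sample data: one clean CI app, one managed identity trusting an
# issuer nobody provisioned, and one app with a badly configured credential.
SAMPLE_OWNERS = [
    {"displayName": "ci-deployer", "kind": "application",
     "federatedIdentityCredentials": [
         {"name": "gh-main", "issuer": "https://token.actions.githubusercontent.com",
          "subject": "repo:contoso/infra:ref:refs/heads/main",
          "audiences": ["api://AzureADTokenExchange"]}]},
    {"displayName": "aks-workload-id", "kind": "userAssignedIdentity",
     "federatedIdentityCredentials": [
         {"name": "backup-cred", "issuer": "https://idp.attacker.example/oidc",
          "subject": "sub-0001",
          "audiences": ["api://AzureADTokenExchange"]}]},
    {"displayName": "legacy-app", "kind": "application",
     "federatedIdentityCredentials": [
         {"name": "internal", "issuer": "http://idp.internal/oidc",
          "subject": "svc-legacy",
          "audiences": ["urn:legacy"]}]},
]

if __name__ == "__main__":
    for f in audit_federated_credentials(SAMPLE_OWNERS):
        print(f"[{f.kind}] {f.owner}/{f.credential}: issuer={f.issuer} "
              f"subject={f.subject} -> {f.reason}")
```

Run against a real export, the allowlist is the important part: it must list every OIDC issuer you deliberately federate with (CI providers, Kubernetes cluster issuers for workload identity), so that a freshly added credential pointing at an issuer nobody provisioned stands out, which is exactly the persistence the post describes.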
Government Contractor’s Ultimate Guide to CUI
#trustedsec
Every government contractor when they hear about CUI Contractors and subcontractors working for the US Federal Government (as well as some other unrelated organizations) may encounter contract clauses that…
via TrustedSec Blog (author: Chris Camejo)
Relay Your Heart Away: An OPSEC-Conscious Approach to 445 Takeover
#specterops
Even within organizations that have achieved a mature security posture, targeted NTLM relay attacks are still incredibly effective after…
via SpecterOps Team Medium (author: Nick Powers)
Adventures in Shellcode Obfuscation! Part 7: Flipping the Script
#redsiege
by Mike Saunders, Principal Security Consultant This blog is the seventh in a series of blogs on obfuscation techniques for hiding shellcode. You can find the rest of the series […]
via RedSiege Blog (author: Red Siege)
Hybrid Attack Paths, New Views and your favorite dog learns an old trick
#specterops
Introducing Hybrid Attack Paths
via SpecterOps Team Medium (author: Justin Kohler)
Execution Guardrails: No One Likes Unintentional Exposure
#trustedsec
A hopefully rare scenario that gives red teamers a mini heart attack is a sudden check-in from a new agent: admin on ALICE-PC. If a blue teamer has managed to get hold of a payload used on an engagement…
via TrustedSec Blog (author: Brandon McGrath)
Adventures in Shellcode Obfuscation Part 8: Shellcode as UUIDs
#redsiege
by Mike Saunders, Principal Security Consultant This blog is the eighth in a series of blogs on obfuscation techniques for hiding shellcode. You can find the rest of […]
via RedSiege Blog (author: Red Siege)
BloodHound Operator — Dog Whispering Reloaded
#specterops
It’s summer 2024 and we are back! Actually, we are SO back, so I decided that this return required a little blog post.
via SpecterOps Team Medium (author: SadProcessor)
Version Tracking in Ghidra
#nettitude
When a binary is reverse engineered using Ghidra, various annotations are applied to aid in understanding the binary's behaviour. These annotations come in the form of comments, renamed functions, variables, arguments and more. Collectively these annotations are known as "markup" and are specific to a single binary in the Ghidra project. For long running reverse [...]
via Nettitude Labs Blog (author: Connor Ford)
Listen to the whispers: web timing attacks that actually work
#portswigger
Websites are riddled with timing oracles eager to divulge their innermost secrets. It's time we started listening to them. In this paper, I'll unleash novel attack concepts to coax out server secrets
via PortSwigger Research