Hybrid Attack Paths, New Views and your favorite dog learns an old trick
#specterops
via SpecterOps Team Medium (author: Justin Kohler)
#specterops
via SpecterOps Team Medium (author: Justin Kohler)
Medium
Hybrid Attack Paths, New Views and your favorite dog learns an old trick
Introducing Hybrid Attack Paths
Execution Guardrails: No One Likes Unintentional Exposure
#trustedsec
1.1 IntroductionA hopefully rare scenario that gives red teamers a mini heart-attack is a sudden check-in from a new agent: admin on ALICE-PC.If a blue teamer has managed to get hold of a payload used on an engagement…
via TrustedSec Blog (author: Brandon McGrath)
#trustedsec
1.1 IntroductionA hopefully rare scenario that gives red teamers a mini heart-attack is a sudden check-in from a new agent: admin on ALICE-PC.If a blue teamer has managed to get hold of a payload used on an engagement…
via TrustedSec Blog (author: Brandon McGrath)
Adventures in Shellcode Obfuscation Part 8: Shellcode as UUIDs
#redsiege
by Mike Saunders, Principal Security Consultant This blog is the eighth in a series of blogs on obfuscation techniques for hiding shellcode. You can find the rest of […]
via RedSiege Blog (author: Red Siege)
#redsiege
by Mike Saunders, Principal Security Consultant This blog is the eighth in a series of blogs on obfuscation techniques for hiding shellcode. You can find the rest of […]
via RedSiege Blog (author: Red Siege)
BloodHound Operator — Dog Whispering Reloaded
#specterops
via SpecterOps Team Medium (author: SadProcessor)
#specterops
via SpecterOps Team Medium (author: SadProcessor)
Medium
BloodHound Operator — Dog Whispering Reloaded
It’s summer 2024 and we are back! Actually, we are SO back, so I decided that this return required a little blog post.
Version Tracking in Ghidra
#nettitude
When a binary is reverse engineered using Ghidra, various annotations are applied to aid in understanding the binary's behaviour. These annotations come in the form of comments, renamed functions, variables, arguments and more. Collectively these annotations are known as "markup" and are specific to a single binary in the Ghidra project. For long running reverse [...]
via Nettitude Labs Blog (author: Connor Ford)
#nettitude
When a binary is reverse engineered using Ghidra, various annotations are applied to aid in understanding the binary's behaviour. These annotations come in the form of comments, renamed functions, variables, arguments and more. Collectively these annotations are known as "markup" and are specific to a single binary in the Ghidra project. For long running reverse [...]
via Nettitude Labs Blog (author: Connor Ford)
LRQA Nettitude Labs
Version Tracking in Ghidra
When a binary is reverse engineered using Ghidra, various annotations are applied to aid in understanding the binary's behaviour. These annotations come in the form of comments, renamed functions, variables, arguments and more. Collectively these annotations…
Listen to the whispers: web timing attacks that actually work
#portswigger
Websites are riddled with timing oracles eager to divulge their innermost secrets. It's time we started listening to them. In this paper, I'll unleash novel attack concepts to coax out server secrets
via PortSwigger Research
#portswigger
Websites are riddled with timing oracles eager to divulge their innermost secrets. It's time we started listening to them. In this paper, I'll unleash novel attack concepts to coax out server secrets
via PortSwigger Research
Introducing Outflank C2 with Implant Support for Windows, macOS, and Linux
#outflank
We are rebranding our commercial C2 framework from Stage1 to Outflank C2 to reflect its continued growth and functionality, including native implant support for Windows, macOS, and Linux.
The Evolution of Stage1
Since the origin of our red team tooling offering, Outflank Security Tooling (OST), Stage1 C2 has been a core component. Stage1 began as a minimal framework, with its sole focus being an initial access implant with some nifty OPSEC and C2 characteristics. It was ideal for initial reconnaissance, modifying C2 channels if needed, and OPSEC safe techniques for loading another C2 framework once you required stage-2 capabilities.
As more red teams adopted OST, Stage1 quickly proved to be an unexpectedly popular framework, with users providing consistently positive feedback and requests for more features. Subsequently, we began to slowly add cool new functionality,
via Outflank Blog (author: Marc Smeets)
#outflank
We are rebranding our commercial C2 framework from Stage1 to Outflank C2 to reflect its continued growth and functionality, including native implant support for Windows, macOS, and Linux.
The Evolution of Stage1
Since the origin of our red team tooling offering, Outflank Security Tooling (OST), Stage1 C2 has been a core component. Stage1 began as a minimal framework, with its sole focus being an initial access implant with some nifty OPSEC and C2 characteristics. It was ideal for initial reconnaissance, modifying C2 channels if needed, and OPSEC safe techniques for loading another C2 framework once you required stage-2 capabilities.
As more red teams adopted OST, Stage1 quickly proved to be an unexpectedly popular framework, with users providing consistently positive feedback and requests for more features. Subsequently, we began to slowly add cool new functionality,
via Outflank Blog (author: Marc Smeets)
Splitting the email atom: exploiting parsers to bypass access controls
#portswigger
Some websites parse email addresses to extract the domain and infer which organisation the owner belongs to. This pattern makes email-address parser discrepancies critical. Predicting which domain an
via PortSwigger Research
#portswigger
Some websites parse email addresses to extract the domain and infer which organisation the owner belongs to. This pattern makes email-address parser discrepancies critical. Predicting which domain an
via PortSwigger Research
#labs #tool
Fully migrated GOAD for Cloud.ru provider, awaiting merging 🙂
If you are also using Cloud.ru, you already may use my fork.
https://github.com/Orange-Cyberdefense/GOAD/pull/261
Fully migrated GOAD for Cloud.ru provider, awaiting merging 🙂
If you are also using Cloud.ru, you already may use my fork.
https://github.com/Orange-Cyberdefense/GOAD/pull/261
🔥4
Defense in Depth of a Single HTTP Parameter
#redsiege
by Douglas Berdeaux, Senior Security Consultant As cybersecurity professionals, we adhere to standard practices that ensure that we are absolutely as thorough as possible in our hunt for security vulnerabilities […]
via RedSiege Blog (author: Red Siege)
#redsiege
by Douglas Berdeaux, Senior Security Consultant As cybersecurity professionals, we adhere to standard practices that ensure that we are absolutely as thorough as possible in our hunt for security vulnerabilities […]
via RedSiege Blog (author: Red Siege)
Gotta cache 'em all: bending the rules of web cache exploitation
#portswigger
Through the years, we have seen many attacks exploiting web caches to hijack sensitive information or store malicious payloads. However, as CDNs became more popular, new discrepancies between propriet
via PortSwigger Research
#portswigger
Through the years, we have seen many attacks exploiting web caches to hijack sensitive information or store malicious payloads. However, as CDNs became more popular, new discrepancies between propriet
via PortSwigger Research
Ghost in the PPL Part 1: BYOVDLL
#itm4n
In this series of blog posts, I will explore yet another avenue for bypassing LSA Protection in Userland. I will also detail the biggest challenges I faced while developing a proof-of-concept, and discuss some novel techniques and tricks to load an arbitrary DLL in LSASS, or even dump its memory. Bring Your Own Vulnerable DLL (BYOVDLL) In July 2022, Microsoft brought some changes to their Pro...
via Itm4n Blog (author: itm4n)
#itm4n
In this series of blog posts, I will explore yet another avenue for bypassing LSA Protection in Userland. I will also detail the biggest challenges I faced while developing a proof-of-concept, and discuss some novel techniques and tricks to load an arbitrary DLL in LSASS, or even dump its memory. Bring Your Own Vulnerable DLL (BYOVDLL) In July 2022, Microsoft brought some changes to their Pro...
via Itm4n Blog (author: itm4n)
🔥3
Must I TRA?: PCI Targeted Risk Analysis
#trustedsec
Use of Targeted Risk Analysis (TRA) is a PCI best practice until March 31, 2025, at which time it becomes required for several controls across many assessment types. Unlike many other new controls, this applies as much…
via TrustedSec Blog (author: Steve Maxwell)
#trustedsec
Use of Targeted Risk Analysis (TRA) is a PCI best practice until March 31, 2025, at which time it becomes required for several controls across many assessment types. Unlike many other new controls, this applies as much…
via TrustedSec Blog (author: Steve Maxwell)
Will the real #GrimResource please stand up? – Abusing the MSC file format
#outflank
In this blog post we describe how the MSC file format can be leveraged to execute arbitrary code via MMC (Microsoft Management Console) for initial access or lateral movement purposes. A sample payload that implements this technique was publicly shared recently. This sample was generated using our Outflank Security Tooling (OST) offering and hence we decided to publish additional details on this method and its discovery.
Context of this blog post
Recently, Elastic released details on a new initial access vector technique leveraging MSC files, which they dubbed “GrimResource”. These files can be used to execute code within MMC (Microsoft Management Console). This technique was researched and developed by Outflank as part of the Outflank Security Tooling (OST) toolkit. The analyzed sample was a payload generated using our In-Phase Builder
via Outflank Blog (author: Cedric Van Bockhaven)
#outflank
In this blog post we describe how the MSC file format can be leveraged to execute arbitrary code via MMC (Microsoft Management Console) for initial access or lateral movement purposes. A sample payload that implements this technique was publicly shared recently. This sample was generated using our Outflank Security Tooling (OST) offering and hence we decided to publish additional details on this method and its discovery.
Context of this blog post
Recently, Elastic released details on a new initial access vector technique leveraging MSC files, which they dubbed “GrimResource”. These files can be used to execute code within MMC (Microsoft Management Console). This technique was researched and developed by Outflank as part of the Outflank Security Tooling (OST) toolkit. The analyzed sample was a payload generated using our In-Phase Builder
via Outflank Blog (author: Cedric Van Bockhaven)
SCCMSecrets.py: exploiting SCCM policies distribution for credentials harvesting, initial access and lateral movement
#synacktiv
via Synacktiv Blog (author: Quentin Roland)
#synacktiv
via Synacktiv Blog (author: Quentin Roland)
Oops I UDL'd it Again
#trustedsec
IntroductionPhishing. We all love phishing. This post is about a new phishing technique based on some legacy knowledge I had that can be used to get past email filters and such. I would expect that after publication,…
via TrustedSec Blog (author: Oddvar Moe)
#trustedsec
IntroductionPhishing. We all love phishing. This post is about a new phishing technique based on some legacy knowledge I had that can be used to get past email filters and such. I would expect that after publication,…
via TrustedSec Blog (author: Oddvar Moe)
Adventures in Shellcode Obfuscation! Part 9: Shellcode as IP Addresses
#redsiege
by Mike Saunders, Principal Security Consultant This blog is the ninth in a series of blogs on obfuscation techniques for hiding shellcode. You can find the rest of […]
via RedSiege Blog (author: Red Siege)
#redsiege
by Mike Saunders, Principal Security Consultant This blog is the ninth in a series of blogs on obfuscation techniques for hiding shellcode. You can find the rest of […]
via RedSiege Blog (author: Red Siege)
👏1
Ghost in the PPL Part 2: From BYOVDLL to Arbitrary Code Execution in LSASS
#itm4n
In the previous part, I showed how a technique called “Bring Your Own Vulnerable DLL” (BYOVDLL) could be used to reintroduce known vulnerabilities in LSASS, even when it’s protected. In this second part, I’m going to discuss the strategies I considered and explored to improve my proof-of-concept, and hopefully achieve arbitrary code execution. The User-After-Free (UAF) Bug Before going down t...
via Itm4n Blog (author: itm4n)
#itm4n
In the previous part, I showed how a technique called “Bring Your Own Vulnerable DLL” (BYOVDLL) could be used to reintroduce known vulnerabilities in LSASS, even when it’s protected. In this second part, I’m going to discuss the strategies I considered and explored to improve my proof-of-concept, and hopefully achieve arbitrary code execution. The User-After-Free (UAF) Bug Before going down t...
via Itm4n Blog (author: itm4n)
👏1
Navigating the Uncharted: A Framework for Attack Path Discovery
#specterops
via SpecterOps Team Medium (author: Elad Shamir)
#specterops
via SpecterOps Team Medium (author: Elad Shamir)
Medium
Navigating the Uncharted: A Framework for Attack Path Discovery
This is the second post in a series on Identity-Driven Offensive Tradecraft, which is also the focus of the new course we will launch in…