RedTeam feed
RedTeam blogposts and articles collection
Ghost in the PPL Part 1: BYOVDLL
#itm4n

In this series of blog posts, I will explore yet another avenue for bypassing LSA Protection in Userland. I will also detail the biggest challenges I faced while developing a proof-of-concept, and discuss some novel techniques and tricks to load an arbitrary DLL in LSASS, or even dump its memory. Bring Your Own Vulnerable DLL (BYOVDLL): In July 2022, Microsoft brought some changes to their Pro...

via Itm4n Blog (author: itm4n)
Must I TRA?: PCI Targeted Risk Analysis
#trustedsec

Use of Targeted Risk Analysis (TRA) is a PCI best practice until March 31, 2025, at which time it becomes required for several controls across many assessment types. Unlike many other new controls, this applies as much…

via TrustedSec Blog (author: Steve Maxwell)
Will the real #GrimResource please stand up? – Abusing the MSC file format
#outflank

In this blog post we describe how the MSC file format can be leveraged to execute arbitrary code via MMC (Microsoft Management Console) for initial access or lateral movement purposes. A sample payload that implements this technique was publicly shared recently. This sample was generated using our Outflank Security Tooling (OST) offering and hence we decided to publish additional details on this method and its discovery.

Context of this blog post

Recently, Elastic released details on a new initial access vector technique leveraging MSC files, which they dubbed “GrimResource”. These files can be used to execute code within MMC (Microsoft Management Console). This technique was researched and developed by Outflank as part of the Outflank Security Tooling (OST) toolkit. The analyzed sample was a payload generated using our In-Phase Builder

via Outflank Blog (author: Cedric Van Bockhaven)
SCCMSecrets.py: exploiting SCCM policies distribution for credentials harvesting, initial access and lateral movement
#synacktiv

via Synacktiv Blog (author: Quentin Roland)
Oops I UDL'd it Again
#trustedsec

Introduction: Phishing. We all love phishing. This post is about a new phishing technique based on some legacy knowledge I had that can be used to get past email filters and such. I would expect that after publication,…

via TrustedSec Blog (author: Oddvar Moe)
Adventures in Shellcode Obfuscation! Part 9: Shellcode as IP Addresses
#redsiege

by Mike Saunders, Principal Security Consultant. This blog is the ninth in a series of blogs on obfuscation techniques for hiding shellcode. You can find the rest of […]

via RedSiege Blog (author: Red Siege)
Ghost in the PPL Part 2: From BYOVDLL to Arbitrary Code Execution in LSASS
#itm4n

In the previous part, I showed how a technique called “Bring Your Own Vulnerable DLL” (BYOVDLL) could be used to reintroduce known vulnerabilities in LSASS, even when it’s protected. In this second part, I’m going to discuss the strategies I considered and explored to improve my proof-of-concept, and hopefully achieve arbitrary code execution. The Use-After-Free (UAF) Bug: Before going down t...

via Itm4n Blog (author: itm4n)
The Hidden Treasures of Crash Reports
#objectivesee

Analyzing crash reports reveals malware, (0-day) bugs, and much more!

via Objective-See Blog
Life at SpecterOps: The Red Team Dream
#specterops

via SpecterOps Team Medium (author: Duane Michael)
Adventures in Shellcode Obfuscation! Part 10: Shellcode as MAC Addresses
#redsiege

by Mike Saunders, Principal Security Consultant. This blog is the tenth in a series of blogs on obfuscation techniques for hiding shellcode. You can find the rest of […]

via RedSiege Blog (author: Red Siege)
The Hunter’s Workshop: Mastering the Essentials of Threat Hunting
#trustedsec

As an incident unfolds, skilled threat hunters with a special talent for uncovering hidden threats stand at the ready. These hunters smoke jump into the chaos and meticulously sift through network logs and endpoint…

via TrustedSec Blog (author: Justin Vaicaro)
Try it for yourself: the latest PortSwigger Research from Black Hat USA
#portswigger

The modern web is constantly developing, with new potential vulnerabilities emerging all the time. Ensuring your web applications are secure in the face of this evolving threat is a constant challenge

via PortSwigger Blog
LAPSUS$ is dead, long live HexaLocker?
#synacktiv

via Synacktiv Blog (author: Webmaster)
Ring Around The Regex: Lessons learned from fuzzing regex libraries (Part 2)
#secretclub

I’m a little late (one whole month passed in a blink of an eye!). Let’s catch up.

via Secret Club (author: addison)
Quantum readiness: Hash-based signatures
#synacktiv

via Synacktiv Blog (author: Antoine Gicquel)
This Badge is My Badge
#nettitude

When it comes to covert entry assessments, successfully capturing RFID badge values can mean the difference between failure and successful entry to a target site. In a previous Labs post, “I Don’t Need a Badge – Lessons Learned from Physical Social Engineering”, we introduced the ESPKey as a method of capture. Although the ESPKey is [...]

via Nettitude Labs Blog (author: Dalton Wright)