A Thousand Sails, One Harbor - C2 Infra on Azure
#darkvortex
via Dark Vortex Blog (author: Paranoid Ninja)
Okta for Red Teamers
#xpn
In this blog post, I'll discuss some of the post-exploitation techniques that I've found to be useful against Okta. Specifically, this post will look at how to use delegated authentication to our advantage, Silver Ticket, Okta AD agent spoofing, and finally how to deploy a fake SAML provider.
via XPN InfoSec Blog
How to build custom scanners for web security research automation
#portswigger
In this post, I'll share my approach to developing custom automation to aid research into under-appreciated attack classes and (hopefully) push the boundaries of web security. As a worked example, I'l
via PortSwigger Research
Cobalt Strike Aggressor Callbacks
#rastamouse
The Cobalt Strike 4.9 release introduced support for registering Aggressor callbacks for several functions including bexecute_assembly, bpowerpick, and binline_execute. Prior to this feature, there was no practical way of tasking Beacon and then performing further actions based on the output (other than reading it on the console and then manually issuing more commands). To demonstrate
via Rasta Mouse Blog
Solving The “Unhooking” Problem
#outflank
For avoiding EDR userland hooks, there are many ways to cook an egg:
Direct system calls (syscalls), Indirect syscalls, unhooking, hardware breakpoints, and bringing and loading your own version of a library. These methods each have advantages and disadvantages. When developing a C2 implant it’s nice to work with a combination of multiple combinations of these. For instance, you could use a strong indirect syscall library for kernel functionality, then use unhooking or hardware breakpoints for user mode-only (i.e. Rtl) functions.
Regarding system calls, excellent research has already been done. A small selection of relevant blog posts is Klezvirus’ post on syswhispers, MDSec’s post on direct invocation of system calls and our own blog post on combining direct system calls srdi.
So, in this blog we’ll zoom in on protecting calls to user mode functions.
via Outflank Blog (author: Dima)
MacOS "DirtyNIB" Vulnerability
#xpn
While looking for avenues of injecting code into platform binaries back in macOS Monterey, I was able to identify a vulnerability which allowed the hijacking of Apple application entitlements. Recently I decided to revisit this vulnerability after a long time of trying to have it patched, and was surprised to see that it still works. There are some caveats introduced with later versions of macOS which we will explore, but in this post we’ll look at a vulnerability in macOS Sonoma which has been around for a long time, and remains an 0day, urm, to this day.
via XPN InfoSec Blog
Out of Band Update: Cobalt Strike 4.9.1
#cobaltstrike
Cobalt Strike 4.9.1 is now available. This is an out of band update to fix an issue that was discovered in the 4.9 release that we felt would negatively impact customers as they start to roll out the release and for which there is no straightforward workaround. We also took the opportunity to address a [...]
via Cobalt Strike Blog (author: Greg Darwin)
Phishing for Primary Refresh Tokens and Windows Hello keys
#dirkjanm
In Microsoft Entra ID (formerly Azure AD, in this blog referred to as “Azure AD”), there are different types of OAuth tokens. The most powerful token is a Primary Refresh Token, which is linked to a user’s device and can be used to sign in to any Entra ID connected application and web site. In phishing scenarios, especially those that abuse legit OAuth flows such as device code phishing, the resulting tokens are often less powerful tokens that are limited in scope or usage methods. In this blog, I will describe new techniques to phish directly for Primary Refresh Tokens, and in some scenarios also deploy passwordless credentials that comply with even the strictest MFA policies.
via Dirk-jan Blog (author: Dirk-jan Mollema)
Finding a POP chain on a common Symfony bundle: part 2
#synacktiv
via Synacktiv Blog (author: Rémi Matasse)
A Deep Dive into TPM-based BitLocker Drive Encryption
#itm4n
When I investigated CVE-2022-41099, a BitLocker Drive Encryption bypass through the Windows Recovery Environment (WinRE), the fact that the latter was able to transparently access an encrypted drive without requiring the recovery password struck me. My initial thought was that there had to be a way to reproduce this behavior and obtain the master key from the Recovery Environment (WinRE). The o...
via Itm4n Blog (author: itm4n)
The single-packet attack: making remote race-conditions 'local'
#portswigger
The single-packet attack is a new technique for triggering web race conditions. It works by completing multiple HTTP/2 requests with a single TCP packet, which effectively eliminates network jitter an
via PortSwigger Research
Uncovering RPC Servers through Windows API Analysis
#specterops
via SpecterOps Team Medium (author: Kai Huang)
Listing remote named pipes
#outflank
On Windows, named pipes are a form of interprocess communication (IPC) that allows processes to communicate with one another, both locally and across the network. Named pipes serve as a mechanism to transfer data between Windows components as well as third-party applications and services, both locally and on a domain. From an offensive perspective, named pipes may leak some information that could be useful for reconnaissance purposes. Since named pipes can also be used (depending on configuration) to access services remotely, they could allow remote exploits (MS08-067).
In this post we will explore how named pipes can be listed remotely in offensive operations, for example via an implant running on a compromised Windows system.
via Outflank Blog (author: Cedric Van Bockhaven)
Bloodhound Enterprise: securing Active Directory using graph theory
#specterops
Prior to my employment at SpecterOps, I hadn’t worked in the information security industry; as a result, many security related terms and…
via SpecterOps Team Medium (author: Irshad Ajmal Ahmed)
CVE-2023–4632: Local Privilege Escalation in Lenovo System Updater
#specterops
Version: Lenovo Updater Version <= 5.08.01.0009
Operating System Tested On: Windows 10 22H2 (x64)
Vulnerability: Lenovo System Updater…
via SpecterOps Team Medium (author: Matt Nelson)
Lateral Movement: Abuse the Power of DCOM Excel Application
#specterops
Learn about an interesting lateral movement technique using the ActivateMicrosoftApp() method within the distributed component object model (DCOM) Excel application.
via SpecterOps Team Medium (author: Raj Patel)