A CI/CD artifact repository shows a build job that fetched a third-party dependency from an attacker-controlled location. You need to determine scope and impact. Which immediate steps yield both containment and forensic value?
Final Results
86%: Revoke credentials, snapshot logs and artifacts, preserve the environment variables for analysis.
0%: Delete the repo and inform developers to re-push.
11%: Change all developer SSH keys.
3%: Reconfigure the runner to use a different VM image.
One Token to rule them all - obtaining Global Admin in every Entra ID tenant via Actor tokens
https://dirkjanm.io/obtaining-global-admin-in-every-entra-id-tenant-with-actor-tokens/
@malwr
dirkjanm.io
While preparing for my Black Hat and DEF CON talks in July of this year, I found the most impactful Entra ID vulnerability that I will probably ever find. One that could have allowed me to compromise every Entra ID tenant in the world (except probably those…
Under the Hood of AFD.sys Part 1: Investigating Undocumented Interfaces
https://leftarcode.com/posts/afd-reverse-engineering-part1/
@malwr
Mateusz Lewczak
A quick look at how I used WinDbg and NtCreateFile to craft a raw TCP socket via AFD.sys on Windows 11, completely skipping Winsock.
Modus Operandi of Subtle Snail
https://catalyst.prodaft.com/public/report/modus-operandi-of-subtle-snail/overview#heading-1000
@malwr
Open source SOC2 compliance scanner - Alternative to $20k/year tools
https://github.com/guardian-nexus/auditkit
@malwr
A PNG file is suspected of containing a malware config. You cannot run the sample.
How do you check for hidden content?
Final Results
20%: Rename the PNG to .zip and try to unzip it.
28%: Upload the PNG to VirusTotal and wait for results.
48%: Parse the PNG chunks and extract non-standard fields.
4%: Open the image in a photo editor and zoom in.
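As an added example (not part of the @malwr post or of any tool it links), the following Python does the chunk walk the poll's leading answer describes without ever decoding the image: it verifies each chunk's CRC, flags chunk types outside the set the PNG spec registers (decoders skip unknown ancillary chunks, so a stashed config does not break rendering), reports bytes appended after IEND, and tries to inflate a suspect chunk. The 1x1 image, the private `cfGx` chunk name, the config string and the trailing blob are all constructed here for the demonstration and are assumptions, not behaviour of any particular malware family.

```python
import math
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

# Chunk types registered by the PNG spec plus the common APNG/eXIf extensions.
# Anything else is where a loader would hide data: decoders silently skip
# unknown ancillary chunks, so the image still renders normally.
STANDARD_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND",
    b"cHRM", b"gAMA", b"iCCP", b"sBIT", b"sRGB", b"bKGD", b"hIST", b"tRNS",
    b"pHYs", b"sPLT", b"tIME", b"iTXt", b"tEXt", b"zTXt",
    b"acTL", b"fcTL", b"fdAT", b"eXIf",
}


def _entropy(buf):
    """Shannon entropy in bits/byte; values near 8.0 suggest compressed or encrypted data."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def analyze_png(data):
    """Parse every chunk without rendering; return chunks, findings and any trailing bytes."""
    if not data.startswith(PNG_SIG):
        raise ValueError("missing PNG signature")
    chunks, findings = [], []
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):  # length(4) + type(4) + crc(4) is the minimum chunk
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        ctype = data[pos + 4:pos + 8]
        body = data[pos + 8:pos + 8 + length]
        crc_raw = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc_raw) != 4:
            findings.append(f"truncated chunk {ctype!r} at offset {pos}")
            break
        (stored_crc,) = struct.unpack(">I", crc_raw)
        crc_ok = stored_crc == zlib.crc32(ctype + body)
        name = ctype.decode("latin-1")
        info = {"type": name, "offset": pos, "length": length,
                "crc_ok": crc_ok, "entropy": round(_entropy(body), 2), "data": body}
        chunks.append(info)
        if not crc_ok:
            findings.append(f"CRC mismatch on {name} at offset {pos} (hand-crafted chunk?)")
        if ctype not in STANDARD_CHUNKS:
            # Bit 5 of the second type byte (lowercase letter) marks a private chunk.
            scope = "private" if ctype[1] & 0x20 else "public"
            findings.append(f"non-standard {scope} chunk {name}: {length} bytes, entropy {info['entropy']}")
        if ctype == b"tEXt":
            key, _, value = body.partition(b"\x00")
            info["text"] = (key.decode("latin-1"), value)
        pos += 12 + length
        if ctype == b"IEND":
            break
    trailing = data[pos:]
    if trailing:
        findings.append(f"{len(trailing)} bytes appended after IEND")
    return {"chunks": chunks, "findings": findings, "trailing": trailing}


def try_inflate(body):
    """Loaders often zlib-compress an embedded config; returns None if the body is not a zlib stream."""
    try:
        return zlib.decompress(body)
    except zlib.error:
        return None


def _chunk(ctype, body):
    return (struct.pack(">I", len(body)) + ctype + body
            + struct.pack(">I", zlib.crc32(ctype + body)))


def build_sample():
    """Constructed 1x1 RGB PNG with a private cfGx chunk and a blob after IEND (test input, not a real sample)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit RGB
    idat = zlib.compress(b"\x00\xff\x00\x00")             # filter byte + one red pixel
    config = zlib.compress(b"c2=https://example.invalid/gate;key=0xdeadbeef")  # hypothetical config
    return (PNG_SIG
            + _chunk(b"IHDR", ihdr)
            + _chunk(b"cfGx", config)
            + _chunk(b"IDAT", idat)
            + _chunk(b"tEXt", b"Comment\x00constructed sample")
            + _chunk(b"IEND", b"")
            + b"TRAILING-BLOB")


if __name__ == "__main__":
    report = analyze_png(build_sample())
    for finding in report["findings"]:
        print(finding)
    for c in report["chunks"]:
        if c["type"].encode("latin-1") not in STANDARD_CHUNKS:
            print(c["type"], "inflates to:", try_inflate(c["data"]))
```

Run it against a real file with `analyze_png(open(path, "rb").read())`; a failed CRC on an otherwise standard chunk is itself a signal, since image editors recompute CRCs and hand-built stagers often do not. Standard chunks with unusual sizes (a multi-kilobyte `tEXt` or `iCCP`) deserve the same inflate attempt as the non-standard ones.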
A Very Cool Process Injector That supports both Shellcode injection and dll injection
https://github.com/B4shCr00k/R4venInject0r
@malwr
GitHub
GitHub - pseud0c1de/R4venInject0r: A Very Cool Process Injector That supports both Shellcode injection and dll injection
A Very Cool Process Injector That supports both Shellcode injection and dll injection - pseud0c1de/R4venInject0r
sigmaker is an IDA Pro 9.0+ cross-platform signature maker plugin that works on MacOS/Linux/Windows. It allows configurable wildcard operand patterns and signature generation just by right clicking.
https://github.com/mahmoudimus/ida-sigmaker
@malwr
GitHub
sigmaker is a zero-dependency IDA Pro 9.0+ cross-platform signature maker plugin with optional SIMD (e.g. AVX2/NEON/SSE2) speedups that works on MacOS/Linux/Windows. It allows configurable wildcard...
Multi-architecture emulation for the modern era.
https://github.com/styx-emulator/styx-emulator
@malwr
GitHub
GitHub - styx-emulator/styx-emulator: Multi-architecture emulation for the modern era.
Electron Research in Desktop apps [Part 1]
https://blog.securelayer7.net/electron-app-security-risks/
@malwr
SecureLayer7 - Offensive Security, API Scanner & Attack Surface Management
What's electron?, the design of electron desktop app, the story bug of the bug, the static code of the bug and how to find it, how to develop it and explain the code, explain how to discover it,...
CISA Shares Lessons Learned from an Incident Response Engagement
https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-266a
@malwr
During analysis of an Android banking trojan, you notice it requests the Accessibility Service. What is the most likely purpose?
Final Results
80%: To capture screen taps and keystrokes
8%: To disable Play Store protections
7%: To bypass network encryption
5%: To spoof device geolocation
While analyzing a malicious MSI installer, you see custom actions triggered during installation. What should you examine first?
Final Results
68%: Embedded scripts in the MSI tables
4%: MSI icon resources
12%: Installer digital signature
17%: Default installation path
You find a malicious Word doc that spawns eqnedt32.exe. What is this behavior linked to?
Final Results
30%: Hiding payload inside OLE package
52%: Exploiting legacy Office equation editor
10%: Blocking macro detection in Word
8%: Using ActiveX to download scripts
A phishing attachment executes an HTA script that loads PowerShell via COM. How do you capture the executed commands?
Final Results
11%: Only capture network traffic
21%: Disassemble the HTA file statically
8%: Search browser history for executed URLs
61%: Enable PowerShell script block logging before executing the sample
Forwarded from CVE Notify
CVE-2025-55182
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
@cveNotify
react.dev
Critical Security Vulnerability in React Server Components – React
The library for web and native user interfaces