Dissect: the incident response framework built from various parsers and implementations of file formats, developed by Fox-IT (now open source!) https://github.com/fox-it/dissect
GitHub
GitHub - fox-it/dissect: Dissect is a digital forensics & incident response framework and toolset that allows you to quickly access…
Dissect is a digital forensics & incident response framework and toolset that allows you to quickly access and analyse forensic artefacts from various disk and file formats, developed by Fo...
Windows 11 Time Rules https://www.khyrenz.com/blog/windows-11-time-rules/
Khyrenz
Windows 11 Time Rules
Time rules for certain user file interactions are documented in the SANS red poster, tested on a Windows 10 1903 system. This blog post looks at these same user interactions with files on a Windows 11 22H2 system, with some further testing conducted on a…
WIP19 Espionage | New Chinese APT Targets IT Service Providers and Telcos With Signed Malware https://www.sentinelone.com/labs/wip19-espionage-new-chinese-apt-targets-it-service-providers-and-telcos-with-signed-malware/
SentinelOne
WIP19 Espionage | New Chinese APT Targets IT Service Providers and Telcos With Signed Malware
Precision targeting of critical infrastructure industries indicates espionage-related activity by an unattributed Chinese-speaking threat group.
A journey of fuzzing Nvidia graphic driver leading to LPE exploitation https://github.com/quarkslab/conf-presentations/blob/master/Hexacon-2022/fuzzing_NVIDIA_drivers-tdore.pdf
3242933 – [CVE-2022-39802] File path traversal vulnerability in SAP Manufacturing Execution https://redrays.io/3242933-cve-2022-39802-file-path-traversal-vulnerability-in-sap-manufacturing-execution/
RedRays
3242933 - [CVE-2022-39802] File path traversal vulnerability in SAP Manufacturing Execution
With a CVSS rating of 9.9, the vulnerability fixed in SAP Security Note #3242933 affects SAP Manufacturing Execution and is considered significant.
Bringing passkeys to Android & Chrome https://android-developers.googleblog.com/2022/10/bringing-passkeys-to-android-and-chrome.html
Android Developers Blog
Bringing passkeys to Android & Chrome
developers can enroll in the Google Play Services beta and use Chrome Canary. Both features will be generally available on stable channels
Good cheatsheet on crypto » https://twitter.com/hackinarticles/status/1577196641886474240
Adobe Reader - XFA - ANSI-Unicode Confusion Information Leak https://hacksys.io/blogs/adobe-reader-xfa-ansi-unicode-confusion-information-leak
F5 BIG-IP Vulnerability (CVE-2022-1388) Exploited by BlackTech – JPCERT/CC Eyes https://blueteam.news/f5-big-ip-vulnerability-cve-2022-1388-exploited-by-blacktech-jpcert-cc-eyes
Analysis of Malloc Protections on Singly Linked Lists https://maxwelldulin.com/BlogPost/Analysis-Malloc-Protections-on-Singly-Linked-Lists
Strikeout Security Blog
Analysis of Malloc Protections on Singly Linked Lists
glibc malloc singly linked list uses pointer mangling to prevent easy overwrites. The article explains how this works and how to defeat it.
Blinding EDR On Windows https://synzack.github.io/Blinding-EDR-On-Windows/
Red Team Blog
Blinding EDR On Windows
Acknowledgements My understanding of EDRs would not be possible without the help of many great security researchers. Below are some write-ups and talks that really helped me gain the understanding needed and hit the ground running on the research that will…
Technical Analysis of Windows CLFS Zero-Day Vulnerability CVE-2022-37969 - Part 1: Root Cause Analysis https://www.zscaler.com/blogs/security-research/technical-analysis-windows-clfs-zero-day-vulnerability-cve-2022-37969-part
Zscaler
Windows CLFS Zero-Day Vulnerability CVE-2022-37969 | Zscaler
Demystifying the Windows Common Log File System Driver Privilege Escalation Zero-Day Vulnerability (CVE-2022-37969)
Great cheatsheets on AI, ML and DL topics https://stanford.edu/~shervine/teaching/
stanford.edu
Teaching - Shervine Amidi
Teaching page of Shervine Amidi, Adjunct Lecturer at Stanford University.
New “Prestige” ransomware impacts organizations in Ukraine and Poland https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/
Microsoft Security Blog
New “Prestige” ransomware impacts organizations in Ukraine and Poland | Microsoft Security Blog
The Microsoft Threat Intelligence Center (MSTIC) has identified evidence of a novel ransomware campaign attributed to IRIDIUM targeting organizations in the logistics and transportation industry in Ukraine and Poland utilizing a previously unidentified ransomware…
Lazarus Group Uses the DLL Side-Loading Technique (mi.dll) https://asec.ahnlab.com/en/39828/
ASEC
Lazarus Group Uses the DLL Side-Loading Technique (mi.dll) - ASEC
While tracking the Lazarus attack group, the ASEC analysis team discovered that the attackers were using the DLL Side-Loading attack technique (T1574.002) by abusing legitimate applications in the initial compromise stage to achieve the next stage of their…
House of Muney - Leakless Heap Exploitation Technique https://maxwelldulin.com/BlogPost/House-of-Muney-Heap-Exploitation
Strikeout Security Blog
House of Muney - Leakless Heap Exploitation Technique
Leakless glibc heap exploitation technique for code execution. Overwriting the symbol resolution process.
Toner Deaf – Printing your next persistence (Hexacon 2022) https://research.nccgroup.com/2022/10/17/toner-deaf-printing-your-next-persistence-hexacon-2022/
NCC Group Research Blog
Toner Deaf – Printing your next persistence (Hexacon 2022)
On Friday 14th of October 2022 Alex Plaskett (@alexjplaskett) and Cedric Halbronn (@saidelike) presented Toner Deaf – Printing your next persistence at Hexacon 2022. This talk demonstrated re…
RedEye: a visual analytic tool supporting Red & Blue Team operations https://github.com/cisagov/RedEye
GitHub
GitHub - cisagov/RedEye: RedEye is a visual analytic tool supporting Red & Blue Team operations
RedEye is a visual analytic tool supporting Red & Blue Team operations - cisagov/RedEye
Good tips about RE with Ghidra https://twitter.com/embee_research/status/1582274165280690176