Forwarded from Exploiting Crew (Pr1vAt3)
🦑Disabling EDRs by File Rename Junctions (Crowdstrike)
PendingFileRenameOperations allows applications to create file rename operations by creating a registry entry under the HKLM\SYSTEM\CurrentControlSet\Control\Session Manager. Initially I attempted to create this entry, pointing it towards the EDR binary as such in PowerShell, based on the StackOverflow thread.
➡️ Powershell start :
new-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager" -Name "PendingFileRenameOperations" -Value $($((Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager" -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations) + "\??\C:\Program Files\<EDR_PATH>.exe`0`0") -type MultiString -Force | Out-Null
➡️ Powershell end.
⚠️ This works for AVs/EDRs without anti-tampering. Security products with anti-tampering can use [CmRegisterCallbackEx](https://lnkd.in/dmCGSwnX) to monitor and block registry operations from the kernel. A kernel driver could block registry keys from being created if they referenced their core services.
Using a reparse point (junction) - kudos again to sixtyvividtails - we can create a junction from: C:\program-files -> C:\Program Files\
And yet again we can create our PendingFileRenameOperations, pointing the key at the EDR binary pathed through our junction, something that most EDRs do not check. All of this of course requires Admin privileges. On the next reboot, any core EDR binaries will be renamed to "", in turn being deleted.
Ref: Simon Ngoy
@UndercodeCommunity
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁
PendingFileRenameOperations allows applications to create file rename operations by creating a registry entry under the HKLM\SYSTEM\CurrentControlSet\Control\Session Manager. Initially I attempted to create this entry, pointing it towards the EDR binary as such in PowerShell, based on the StackOverflow thread.
➡️ Powershell start :
new-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager" -Name "PendingFileRenameOperations" -Value $($((Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager" -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations) + "\??\C:\Program Files\<EDR_PATH>.exe`0`0") -type MultiString -Force | Out-Null
➡️ Powershell end.
⚠️ This works for AVs/EDRs without anti-tampering. Security products with anti-tampering can use [CmRegisterCallbackEx](https://lnkd.in/dmCGSwnX) to monitor and block registry operations from the kernel. A kernel driver could block registry keys from being created if they referenced their core services.
Using a reparse point (junction) - kudos again to sixtyvividtails - we can create a junction from: C:\program-files -> C:\Program Files\
And yet again we can create our PendingFileRenameOperations, pointing the key at the EDR binary pathed through our junction, something that most EDRs do not check. All of this of course requires Admin privileges. On the next reboot, any core EDR binaries will be renamed to "", in turn being deleted.
Ref: Simon Ngoy
@UndercodeCommunity
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁
lnkd.in
LinkedIn
This link will take you to a page that’s not on LinkedIn
This media is not supported in your browser
VIEW IN TELEGRAM
🦑HACK-RF BLUETOOTH SPAM?
Most people don’t know that before Flipper zero came, Hackrf was and is still doing Bluetooth spamming and crushing iOS devices. I’m doing this POC on my iPhone 13 with 18.2.1 update and as you can see is working even with Bluetooth is off. The HackRF is bigger than the Flipper Zero in the context of Bluetooth spoofing because it provides greater flexibility, power, and signal control for professional-grade research and exploitation. You can do on both iOS, windows and Android 🤝
Ref: Daniel Anyemedu
@UndercodeCommunity
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁
Most people don’t know that before Flipper zero came, Hackrf was and is still doing Bluetooth spamming and crushing iOS devices. I’m doing this POC on my iPhone 13 with 18.2.1 update and as you can see is working even with Bluetooth is off. The HackRF is bigger than the Flipper Zero in the context of Bluetooth spoofing because it provides greater flexibility, power, and signal control for professional-grade research and exploitation. You can do on both iOS, windows and Android 🤝
Ref: Daniel Anyemedu
@UndercodeCommunity
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁
UNDERCODE TESTING
Video
🦑XSS Attack Simulation Using DVWA and Metasploit
In this simulation, I demonstrated how Cross-Site Scripting (XSS) attacks work using Kali Linux, Metasploit, and the Damn Vulnerable Web Application (DVWA).
Here’s a breakdown of what I did:
1. Set up the target environment: DVWA was configured to demonstrate how vulnerable web apps can be.
2. Launched the attack: Using Metasploit, I injected a malicious script into a vulnerable input field on the DVWA platform.
3. Observed the impact: The script executed successfully, proving how attackers can use XSS to steal sensitive information or manipulate web content.
Attackers use XSS to hijack user sessions, steal cookies, or manipulate data, all without the user knowing. It’s one of the most common vulnerabilities in web applications.
Hence, it's important to
1. Validate and sanitize all user inputs.
2. Implement strong Content Security Policies (CSP).
3. Regularly test your web applications for vulnerabilities using tools like DVWA.
4. Educate developers and organizations on secure coding practices.
This is a reminder of why secure coding and constant vulnerability testing are critical for protecting web applications.
Ref: Kate Amarachukwu Igwilo
@UndercodeCommunity
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁
In this simulation, I demonstrated how Cross-Site Scripting (XSS) attacks work using Kali Linux, Metasploit, and the Damn Vulnerable Web Application (DVWA).
Here’s a breakdown of what I did:
1. Set up the target environment: DVWA was configured to demonstrate how vulnerable web apps can be.
2. Launched the attack: Using Metasploit, I injected a malicious script into a vulnerable input field on the DVWA platform.
3. Observed the impact: The script executed successfully, proving how attackers can use XSS to steal sensitive information or manipulate web content.
Attackers use XSS to hijack user sessions, steal cookies, or manipulate data, all without the user knowing. It’s one of the most common vulnerabilities in web applications.
Hence, it's important to
1. Validate and sanitize all user inputs.
2. Implement strong Content Security Policies (CSP).
3. Regularly test your web applications for vulnerabilities using tools like DVWA.
4. Educate developers and organizations on secure coding practices.
This is a reminder of why secure coding and constant vulnerability testing are critical for protecting web applications.
Ref: Kate Amarachukwu Igwilo
@UndercodeCommunity
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁
🦑How to Check If Someone Is Spying On Your Computer! 🧑💻🥷 (Level: Basic- Mac)
1️⃣ Go to System Preferences: Open the Apple menu and click on "System Preferences."
2️⃣ Check Users & Groups: Click on "Users & Groups" to see the list of accounts on your Mac.
3️⃣ Look for Suspicious Users: Review the list and ensure all accounts are familiar. If there’s an account you don’t recognize, it could be a sign of unauthorized access.
4️⃣ Check for Sharing Settings: Go back to "System Preferences" and click on "Sharing." Ensure only the services you intentionally turned on (like file sharing) are enabled, and verify the users who have access.
5️⃣ Audit Your Applications: Open "Activity Monitor" and check the running processes. Look out for any apps or processes you don’t recognize. Google their names if you’re unsure.
Ref: Caitlin Sarian
@UndercodeCommunity
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁
1️⃣ Go to System Preferences: Open the Apple menu and click on "System Preferences."
2️⃣ Check Users & Groups: Click on "Users & Groups" to see the list of accounts on your Mac.
3️⃣ Look for Suspicious Users: Review the list and ensure all accounts are familiar. If there’s an account you don’t recognize, it could be a sign of unauthorized access.
4️⃣ Check for Sharing Settings: Go back to "System Preferences" and click on "Sharing." Ensure only the services you intentionally turned on (like file sharing) are enabled, and verify the users who have access.
5️⃣ Audit Your Applications: Open "Activity Monitor" and check the running processes. Look out for any apps or processes you don’t recognize. Google their names if you’re unsure.
Ref: Caitlin Sarian
@UndercodeCommunity
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁
🦑 After revolutionizing the cyber and tech news landscape with UndercodeNews.com and building a rapidly growing vulnerability database at DailyCVE.com, now attracting hundreds of human visitors daily, we proudly present our latest venture: UndercodeTesting.com
An AI-powered cybersecurity platform designed to monitor hacker feeds, serve as a hacker-centric search engine, and provide cutting-edge tools.
Updated and upgraded daily/weekly, it’s your go-to destination for the future of cybersecurity intelligence!
An AI-powered cybersecurity platform designed to monitor hacker feeds, serve as a hacker-centric search engine, and provide cutting-edge tools.
Updated and upgraded daily/weekly, it’s your go-to destination for the future of cybersecurity intelligence!
☁️ #Windows Internals: The Implementation of the #Windows Operating Environment
https://undercodetesting.com/windows-internals-the-implementation-of-the-windows-operating-environment/
@Undercode_testing
https://undercodetesting.com/windows-internals-the-implementation-of-the-windows-operating-environment/
@Undercode_testing
Undercode Testing
Windows Internals: The Implementation of the Windows Operating Environment - Undercode Testing
2025-01-29 This book is truly top-notch when it comes to Windows services, one of a kind! It not only covers […]
🔐 Advanced Attack Scenario With Full Analysis From Both The Attacker’s Perspective And Defensive Actions
https://undercodetesting.com/advanced-attack-scenario-with-full-analysis-from-both-the-attackers-perspective-and-defensive-actions/
@Undercode_testing
https://undercodetesting.com/advanced-attack-scenario-with-full-analysis-from-both-the-attackers-perspective-and-defensive-actions/
@Undercode_testing
Undercode Testing
Advanced Attack Scenario With Full Analysis From Both The Attacker’s Perspective And Defensive Actions - Undercode Testing
2025-01-29 This document provides a detailed breakdown of how attackers progress through multiple stages of an attack while defenders work […]
The Enduring Relevance of SQL Injection: A Historical Perspective
https://undercodetesting.com/the-enduring-relevance-of-sql-injection-a-historical-perspective/
@Undercode_testing
https://undercodetesting.com/the-enduring-relevance-of-sql-injection-a-historical-perspective/
@Undercode_testing
Undercode Testing
The Enduring Relevance of SQL Injection: A Historical Perspective - Undercode Testing
2025-01-29 This book was groundbreaking in its time, emerging during an era when a single misplaced quote could crash 90% […]
🛡️ Understanding SQL Injection Vulnerabilities: A Timeless Cyber Security Resource
https://undercodetesting.com/understanding-sql-injection-vulnerabilities-a-timeless-cyber-security-resource/
@Undercode_testing
https://undercodetesting.com/understanding-sql-injection-vulnerabilities-a-timeless-cyber-security-resource/
@Undercode_testing
Undercode Testing
Understanding SQL Injection Vulnerabilities: A Timeless Cyber Security Resource - Undercode Testing
2025-01-29 SQL injection vulnerabilities have long been a critical concern in the realm of cybersecurity. This book, emerging during a […]
🛡️ Understanding the #Linux Kernel's TCP/#IP Stack for Cybersecurity
https://undercodetesting.com/understanding-the-linux-kernels-tcp-ip-stack-for-cybersecurity/
@Undercode_testing
https://undercodetesting.com/understanding-the-linux-kernels-tcp-ip-stack-for-cybersecurity/
@Undercode_testing
Undercode Testing
Understanding the Linux Kernel's TCP/IP Stack for Cybersecurity - Undercode Testing
2025-01-29 Whether you’re diving into OS development or security research to uncover the next network remote code execution (RCE) vulnerability, […]
🌐 Understanding the #Linux Kernel's Network Stack: A Deep Dive into TCP/#IP and Sockets
https://undercodetesting.com/understanding-the-linux-kernels-network-stack-a-deep-dive-into-tcp-ip-and-sockets/
@Undercode_testing
https://undercodetesting.com/understanding-the-linux-kernels-network-stack-a-deep-dive-into-tcp-ip-and-sockets/
@Undercode_testing
Undercode Testing
Understanding The Linux Kernel's Network Stack: A Deep Dive Into TCP/IP And Sockets - Undercode Testing
Understanding the Linux Kernel's Network Stack: A Deep Dive into TCP/IP and Sockets - "Undercode Testing": Monitor hackers like a pro. Get real-time updates,
🛡️ Mastering #Linux Kernel Debugging: A Guide for Developers and Security Researchers
https://undercodetesting.com/mastering-linux-kernel-debugging-a-guide-for-developers-and-security-researchers/
@Undercode_testing
https://undercodetesting.com/mastering-linux-kernel-debugging-a-guide-for-developers-and-security-researchers/
@Undercode_testing
Undercode Testing
Mastering Linux Kernel Debugging: A Guide for Developers and Security Researchers - Undercode Testing
2025-01-29 Linux kernel debugging is a critical skill for developers and security researchers, yet it remains an underexplored topic in […]
Understanding the #Linux Kernel: A Deep Dive into #OS Internals
https://undercodetesting.com/understanding-the-linux-kernel-a-deep-dive-into-os-internals/
@Undercode_testing
https://undercodetesting.com/understanding-the-linux-kernel-a-deep-dive-into-os-internals/
@Undercode_testing
Undercode Testing
Understanding the Linux Kernel: A Deep Dive into OS Internals - Undercode Testing
2025-01-29 The Understanding the Linux Kernel book by Daniel P. Bovet and Marco Cesati is widely regarded as one of […]
SQL Injection: Understanding SELECT Queries
https://undercodetesting.com/sql-injection-understanding-select-queries/
@Undercode_testing
https://undercodetesting.com/sql-injection-understanding-select-queries/
@Undercode_testing
Undercode Testing
SQL Injection: Understanding SELECT Queries - Undercode Testing
2025-01-29 SQL (Structured Query Language) is a powerful language used for managing and manipulating databases. One of the most fundamental […]
SQLi SELECT Queries: A Beginner’s Guide
https://undercodetesting.com/sqli-select-queries-a-beginners-guide/
@Undercode_testing
https://undercodetesting.com/sqli-select-queries-a-beginners-guide/
@Undercode_testing
Undercode Testing
SQLi SELECT Queries: A Beginner’s Guide - Undercode Testing
2025-01-29 SQL (Structured Query Language) is a powerful language used for querying databases. SQL queries, often referred to as statements, […]
🚨 #SQLMap Cheat Sheet: Automating SQL Injection Detection and Exploitation
https://undercodetesting.com/sqlmap-cheat-sheet-automating-sql-injection-detection-and-exploitation/
@Undercode_testing
https://undercodetesting.com/sqlmap-cheat-sheet-automating-sql-injection-detection-and-exploitation/
@Undercode_testing
Undercode Testing
SQLMap Cheat Sheet: Automating SQL Injection Detection and Exploitation - Undercode Testing
2025-01-29 👉🏻 What is SQLMap? SQLMap is an open-source penetration testing tool designed to automate the process of detecting and […]
📱 Web Application Hacking with SQLi!
https://undercodetesting.com/web-application-hacking-with-sqli/
@Undercode_testing
https://undercodetesting.com/web-application-hacking-with-sqli/
@Undercode_testing
Undercode Testing
Web Application Hacking with SQLi! - Undercode Testing
2025-01-29 👉🏻 What is SQL Injection? SQL injection is a code injection technique used to attack data-driven applications, in which […]
📱 Web Application Hacking with SQL Injection (SQLi)
https://undercodetesting.com/web-application-hacking-with-sql-injection-sqli/
@Undercode_testing
https://undercodetesting.com/web-application-hacking-with-sql-injection-sqli/
@Undercode_testing
Undercode Testing
Web Application Hacking with SQL Injection (SQLi) - Undercode Testing
2025-01-29 SQL injection (SQLi) is a code injection technique used to attack data-driven applications. It involves inserting malicious SQL statements […]