UNDERCODE TESTING
🦑 World's first platform that collects & analyzes every new hacking method.

+ Free AI Practice.

(New Bug Bounty Methods, Tools Updates, AI & Courses).

✨ Services: Undercode.help/services

✨ youtube.com/undercode

@Undercode_Testing
Forwarded from Exploiting Crew (Pr1vAt3)
🦑P11-Malware Development for Red Teamers.

Structure of a Portable Executable (PE) file
-----
MS-DOS Header

Located at the very beginning of the PE file, this header ensures backward compatibility with MS-DOS systems. It starts with the signature "MZ" (hexadecimal 4D5A) to indicate that the file is an executable. The header also includes metadata and, most importantly, a pointer (at the e_lfanew field) to the location of the PE signature, which marks the start of the Windows-specific portion of the file.
-
MS-DOS Stub

Following the MS-DOS Header is a small program, known as the DOS Stub, that displays a message if the file is run in an MS-DOS environment. Typically, this message is: "This program cannot be run in DOS mode." While it serves no purpose on modern Windows systems, it remains in the file for compatibility reasons.
-
PE Signature

This marks the beginning of the Portable Executable (PE) format. The signature is always PE\0\0 (hexadecimal 50 45 00 00), signaling that the file conforms to the PE standard. This signature separates the DOS-specific data from the Windows-specific data.
-
File Header

Following the PE Signature, the File Header contains critical information about the executable. This includes details like the target machine type (e.g., x86 or x64), the number of sections, the timestamp of file creation, and flags indicating the file's characteristics. It acts as a roadmap for understanding the executable's overall structure.
-
Optional Header

Despite its name, this header is mandatory for executable files. It provides essential details such as the entry point (the starting address for execution), the image base (preferred memory location), and sizes of various segments. This header bridges the gap between the high-level structure of the file and its low-level memory layout.
-
Section Headers (PE Sections)

These headers define the various sections of the executable, such as .text (code), .data (initialized data), and .rdata (read-only data). Each section header specifies attributes like the section's size, location in memory, and access permissions. These sections contain the actual content of the program, including its instructions, data, and resources.

Ref: Mohit Soni
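
The header order described in this post, as an added Python example that is not part of the forwarded post: `parse_pe` follows `e_lfanew` to the PE signature, reads the File and Optional Headers, and lists each section's permissions. The function names, the `wx_sections` triage field and the header-only sample built by `build_sample` are constructed for illustration.

```python
import struct

MACHINES = {0x014C: "x86", 0x8664: "x64"}
SCN_EXEC, SCN_READ, SCN_WRITE = 0x20000000, 0x40000000, 0x80000000

def parse_pe(data: bytes) -> dict:
    """Walk the headers in file order; raise ValueError on malformed input."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing or truncated MS-DOS header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # e_lfanew comes from the untrusted file: bounds-check before following it.
    if e_lfanew + 24 > len(data):
        raise ValueError("e_lfanew points outside the file")
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # File Header: 20 bytes immediately after the signature.
    machine, nsect, stamp, _, _, opt_size, _ = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    if opt_size < 32 or opt + opt_size + 40 * nsect > len(data):
        raise ValueError("optional or section headers are truncated")
    # Optional Header: the magic selects PE32 (0x10B) or PE32+ (0x20B).
    (magic,) = struct.unpack_from("<H", data, opt)
    (entry,) = struct.unpack_from("<I", data, opt + 16)
    if magic == 0x20B:
        (image_base,) = struct.unpack_from("<Q", data, opt + 24)
    elif magic == 0x10B:
        (image_base,) = struct.unpack_from("<I", data, opt + 28)
    else:
        raise ValueError("unknown Optional Header magic")
    sections = []
    for i in range(nsect):  # 40-byte Section Headers follow the Optional Header
        name, vsize, vaddr, _, _, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        perms = "".join(c for c, bit in
                        (("r", SCN_READ), ("w", SCN_WRITE), ("x", SCN_EXEC))
                        if flags & bit)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"),
                         "vaddr": vaddr, "vsize": vsize, "perms": perms})
    return {"machine": MACHINES.get(machine, hex(machine)), "timestamp": stamp,
            "entry_point": entry, "image_base": image_base, "sections": sections,
            # Writable and executable at once is worth a closer look in triage.
            "wx_sections": [s["name"] for s in sections
                            if "w" in s["perms"] and "x" in s["perms"]]}

def build_sample(text_flags: int = SCN_READ | SCN_EXEC) -> bytes:
    """Constructed header-only PE32+ image for the demo; not a runnable program."""
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x80)      # e_lfanew = 0x80
    stub = bytes(0x80 - len(dos))                          # DOS stub area
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 2, 0x65000000, 0, 0, 240, 0x22)
    opt_hdr = bytearray(240)
    struct.pack_into("<H", opt_hdr, 0, 0x20B)              # PE32+ magic
    struct.pack_into("<I", opt_hdr, 16, 0x1000)            # AddressOfEntryPoint
    struct.pack_into("<Q", opt_hdr, 24, 0x140000000)       # ImageBase
    def sect(name, vaddr, flags):
        return struct.pack("<8sIIIIIIHHI", name, 0x200, vaddr, 0x200,
                           0, 0, 0, 0, 0, flags)
    return (dos + stub + b"PE\0\0" + file_hdr + bytes(opt_hdr)
            + sect(b".text", 0x1000, text_flags)
            + sect(b".data", 0x2000, SCN_READ | SCN_WRITE))

if __name__ == "__main__":
    print(parse_pe(build_sample()))
```
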
@UndercodeCommunity
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁
Forwarded from Exploiting Crew (Pr1vAt3)
🦑DNS Record Types You Should Know!

Here are the 8 most commonly used DNS Record Types.

1 - A (Address) Record
Maps a domain name to an IPv4 address. It is one of the most essential records for translating human-readable domain names into IP addresses.

2 - CNAME (Canonical Name) Record
Used to alias one domain name to another. Often used for subdomains, pointing them to the main domain while keeping the actual domain name hidden.

3 - AAAA Record
Similar to an A record but maps a domain name to an IPv6 address. They are used for websites and services that support the IPv6 protocol.

4 - PTR Record
Provides reverse DNS lookup, mapping an IP address back to a domain name. It is commonly used in verifying the authenticity of a server.

5 - MX Record
Directs email traffic to the correct mail server.

6 - NS (Name Server) Record
Specifies the authoritative DNS servers for the domain. These records help direct queries to the correct DNS servers for further lookups.

7 - SRV (Service) Record
SRV record specifies a host and port for specific services such as VoIP. They are used in conjunction with A records.

8 - TXT (Text) Record
Allows the administrator to add human-readable text to the DNS records. It is used to include verification records, like SPF, for email security.

Over to you: Which other DNS Record Type have you seen?

Ref: Alex Xu
Forwarded from Exploiting Crew (Pr1vAt3)
🦑What is Honeypot: Simplified

Follow Santosh Nandakumar for daily simplified infosec learnings.

A honeypot is a security mechanism designed to detect, deflect, or study hacking attempts by acting as a decoy system. It looks like a legitimate target but is isolated from the actual network to gather intelligence on attackers.

Example

Imagine you’re protecting a house (your network) from burglars. You set up a fake house nearby, filled with dummy valuables. Burglars are attracted to this fake house, thinking it’s the real one. You monitor their actions to learn their techniques and better secure your actual house.

Technical Example

You deploy a honeypot server within your corporate network that mimics a database server. It contains no real data but appears authentic to attackers. When an attacker tries to access it, their activities (such as IP, methods, and tools) are logged for analysis.

Types of Honeypots

1. Production Honeypot
Used to improve overall security by distracting attackers from real systems.
Example: A fake customer login page for a banking website.

2. Research Honeypot
Used for studying attack methods and gathering intelligence.
Example: A honeypot server that simulates IoT devices to study botnet attacks.

Usage

- Intrusion Detection: Identify unauthorized access attempts.

- Threat Intelligence: Understand attackers' tools, techniques, and goals.

- Deception Strategy: Divert attackers away from real resources.

- Vulnerability Testing: Study how attackers exploit weaknesses.

Benefits

1. Early Threat Detection: Identifies threats before they reach critical systems.

2. Data Collection: Offers valuable insights into attack patterns and behaviors.

3. Improved Defense: Helps in identifying security gaps and improving defenses.

4. Resource Efficiency: Reduces the workload on actual systems by diverting attacks.

5. Training Ground: Useful for security teams to practice handling real-world threats.

Limitations

1. Limited Scope: Cannot detect attacks on systems outside the honeypot.

2. Risk of Exploitation: If not properly isolated, attackers could use the honeypot to attack real systems.

3. Resource Intensive: Requires setup, monitoring, and maintenance.

Ref: Santosh Nandakumar
Forwarded from Exploiting Crew (Pr1vAt3)
🦑AI-SOC. Radiant Security AI.

I have had many conversations (and still have) about Security for AI, especially about how AI-SOC can affect and help the SOC team and processes. At the same time, we have been (xTriage) running Radiant Security AI as AI-SOC (and more) for over a year, and the results arrived on time with HUGE successes!

During the AI-SOC journey with Radiant Security AI, we found many advantages about it. Below are some of them (in a nutshell):

1️⃣ Proactive Threat Hunting: AI-SOC leverages real-time data analysis and threat intelligence to proactively detect emerging threats, even before they appear in known threat databases.

2️⃣ Precision in Incident Detection: AI models analyze massive datasets and correlate events across multiple layers (network, endpoints, cloud, identities), reducing detection blind spots.

3️⃣ Scalability: AI-SOC can handle the massive influx of security alerts and scale effortlessly with an organization's growth without requiring linear increases in human resources.

4️⃣ Behavioral Anomaly Detection: AI identifies subtle deviations from normal behavior patterns that traditional systems often overlook, ensuring early detection of insider threats and zero-day exploits.

5️⃣ Hyperautomation: Combining AI with SOAR platforms enables faster and smarter incident response. Automated workflows triage and contain incidents without waiting for human intervention.

6️⃣ Continuous Learning and Adaptation: AI algorithms evolve with each new threat encountered, continuously improving their accuracy and relevance in detecting sophisticated attacks.

7️⃣ Enhanced Collaboration: AI-SOC tools facilitate collaboration across security tiers (T1-T3), presenting data and insights in clear, actionable formats tailored to the expertise level of the analyst.

8️⃣ Integrated Multi-Vendor Ecosystem: With support for seamless integration into existing ecosystems (e.g., XDR tools, SIEMs, SOAR), AI-SOC ensures minimal workflow disruption.

9️⃣ Reduction in False Positives: By understanding context and correlating events, AI dramatically reduces false positives, allowing analysts to focus on genuine threats.

🔟 Cost Efficiency: By automating repetitive tasks and reducing the need for manual intervention, AI-SOC optimizes resource utilization and lowers the overall cost of operations.

In the end, T1/T2 is not chasing after massive FPs or useless alerts - They are now doing advanced tasks.

Ref: Elli Shlomo
Forwarded from Exploiting Crew (Pr1vAt3)
🦑Another Red Team Pack:

Red Team Tools 🔥

🔴 RECONNAISSANCE:
- RustScan ==> https://lnkd.in/ebvRfBNy
- NmapAutomator ==> https://lnkd.in/gu5wxzf6
- AutoRecon ==> https://lnkd.in/g3DeG6YT
- Amass ==> https://lnkd.in/e7V569N5
- CloudEnum ==> https://lnkd.in/ePHDeGZv
- Recon-NG ==> https://lnkd.in/edwaXFjS
- AttackSurfaceMapper ==> https://lnkd.in/ebbcj6Rm
- DNSDumpster ==> https://dnsdumpster.com/

🔴 INITIAL ACCESS:
- SprayingToolKit ==> https://lnkd.in/eBSAPz5z
- o365Recon ==> https://lnkd.in/eJwCx-Ga
- Psudohash ==> https://lnkd.in/gcaxV6fR
- CredMaster ==> https://lnkd.in/gtMEDVuS
- DomainPasswordSpray ==> https://lnkd.in/guWj4TYv
- TheSprayer ==> https://lnkd.in/gZVuQYiv
- TREVORspray ==> https://lnkd.in/gHgcbjgV

🔴 DELIVERY:
- o365AttackToolKit ==> https://lnkd.in/etCCYi8y
- EvilGinx2 ==> https://lnkd.in/eRDPvwUg
- GoPhish ==> https://lnkd.in/ea26dfNg
- PwnAuth ==> https://lnkd.in/eqecM7de
- Modlishka ==> https://lnkd.in/eds-dR5C

🔴 COMMAND AND CONTROL:
- PoshC2 ==> https://lnkd.in/eqSJUDji
- Sliver ==> https://lnkd.in/ewN9Nday
- SILENTTRINITY ==> https://lnkd.in/eeZGbYMs
- Empire ==> https://lnkd.in/egAPa8gY
- AzureC2Relay ==> https://lnkd.in/efmh2t3g
- Havoc C2 ==> https://lnkd.in/gEFp2iym
- Mythic C2 ==> https://lnkd.in/gnCGwfWk

🔴 CREDENTIAL DUMPING:
- MimiKatz ==> https://lnkd.in/etEGfvJK
- HekaTomb ==> https://lnkd.in/eJx5Ugu5
- SharpLAPS ==> https://lnkd.in/eA28n9FT
- Net-GPPPassword ==> https://lnkd.in/e3CTez5A
- PyPyKatz ==> https://lnkd.in/eeb5b6Tz

🔴 PRIVILEGE ESCALATION:
- SharpUp ==> https://lnkd.in/etR2Pe_n
- MultiPotato ==> https://lnkd.in/eq53PXcJ
- PEASS ==> https://lnkd.in/eWA66akh
- Watson ==> https://lnkd.in/eZfYMSMX
- Bat-Potato ==> https://lnkd.in/gjziyG8q

🔴 DEFENSE EVASION:
- Villain ==> https://lnkd.in/gquyGFm5
- EDRSandBlast ==> https://lnkd.in/e8g8zYFT
- SPAWN - Cobalt Strike BOF ==> https://lnkd.in/e223PbqZ
- NetLoader ==> https://lnkd.in/ef5wCD4y
- KillDefenderBOF ==> https://lnkd.in/eVd54HUp
- ThreatCheck ==> https://lnkd.in/eHvSPakR
- Freeze ==> https://lnkd.in/eNUh3zCi
- GadgetToJScript ==> https://lnkd.in/egPQBBXJ

🔴 PERSISTENCE:
- SharPyShell ==> https://lnkd.in/eXm8h8Bj
- SharpStay ==> https://lnkd.in/erRbeFMj
- SharpEventPersist ==> https://lnkd.in/e_kJFNiB

🔴 LATERAL MOVEMENT:
- SCShell ==> https://lnkd.in/e256fC8B
- MoveKit ==> https://lnkd.in/eR-NUu_U
- ImPacket ==> https://lnkd.in/euG4hTTs

🔴 EXFILTRATION:
- SharpExfiltrate ==> https://lnkd.in/eGC4BKRN
- DNSExfiltrator ==> https://lnkd.in/epJ-s6gp
- Egress-Assess ==> https://lnkd.in/eXGFPQRJ

Ref: Adnan Alam
Forwarded from Exploiting Crew (Pr1vAt3)
🦑Understanding the Network Protocol Stack Simplified 🛠️

Networking is the backbone of modern communication, but the variety of protocols can feel overwhelming. Here's a clean breakdown of the Network Protocol Stack, from physical data transmission to application-level interactions:

🟪 Application Layer (L5-L7)
Where user-facing magic happens! Think web browsing, secure communication, and directory services (e.g., HTTP, TLS, DNS).

🟦 Transport Layer (L4)
Handles data delivery, reliable (TCP) or quick (UDP). New protocols like QUIC ensure modern needs are met.

🟥 Network Layer (L3)
Focuses on routing and addressing, whether through IPv4 or IPv6, with security layers like IPsec keeping it safe.

🟩 Data Link Layer (L2)
Close to hardware, responsible for switching, VLANs, and WiFi connectivity.

Ref: Fadi Kazdar
Forwarded from Exploiting Crew (Pr1vAt3)
🦑Elevate Your Tech Journey: Essential Resources for Growth and Certification Success
Whether you’re looking to break into tech, grow your expertise, or prepare for certifications, use these resources to help you level up:

🎯 Microsoft Learn: https://lnkd.in/ge973G3j
Explore interactive, self-paced modules on Azure, Microsoft 365, Power Platform, and more.

🎯 Microsoft Virtual Training Days: https://lnkd.in/g2B_2Yq3
Free, instructor-led events with opportunities to earn free certification exam vouchers!

🎯 GitHub Learning Lab: https://lab.github.com/
Dive into Git basics, open-source contributions, and DevOps workflows.

🎯 Microsoft Educator Center: https://lnkd.in/gFcX5xdm
Focused on education technology, this resource is excellent for educators learning Teams and Office 365 tools.

🎯 Azure DevOps Labs: https://lnkd.in/gi4uekjB
Get practical experience with CI/CD pipelines, infrastructure as code, and governance, all for free!

🎯 AI for Good & Responsible AI Training: https://lnkd.in/gtXfexiY
Learn about cutting-edge AI applications and ethical AI practices.

Ref: Mohamad Hamadi
Forwarded from Exploiting Crew (Pr1vAt3)
🦑How Attackers Hack CI/CD Pipelines 👇

I recently watched one of this year's DEFCON talks, "Your CI CD Pipeline Is Vulnerable, But It's Not Your Fault" by Elad Pticha, Oreen Livni, and was really impressed by the attack vector (link in comments)

Let's see how it works

GitHub workflows are part of the CI/CD (Continuous Integration/Continuous Deployment) ecosystem that lets developers automate their workflow

For example: once a commit is made to the repo -> the code is scanned with a tool -> if the tests pass -> code is pushed to test/production

Now the interesting part is that (if the repo maintainer uses input that you control) inside the workflow, this can lead to command injection in the pipeline

Which means you may be able to take over the repo

In the example below, the pipeline uses the title of an issue as part of a bash echo command

That means anyone can create an issue named $(whoami) and execute commands in the CI/CD

If you can do that -> you can abuse the command injection to steal the repo's GitHub token, read secrets or push malicious code

Ref: Andrei Agape
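
The injection described in this post, as an added example that is not from the post or the talk: a small Python check that flags attacker-controllable `${{ }}` expressions inside `run:` scripts, run over a constructed vulnerable workflow and a hardened one that passes the title through `env:` instead. The workflow text, job names and the list of contexts treated as untrusted are assumptions made for the example.

```python
import re

# Context values an outside contributor can set (assumed subset; extend as needed).
UNTRUSTED = re.compile(
    r"github\.(?:head_ref|event\.(?:issue|pull_request|comment|review)"
    r"\.(?:title|body)|event\.pull_request\.head\.ref)")
EXPR = re.compile(r"\$\{\{(.*?)\}\}")
RUN_KEY = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")

def find_injections(workflow: str) -> list:
    """Return (line number, expression) for untrusted ${{ }} inside run: scripts."""
    findings, block_col = [], None
    for no, line in enumerate(workflow.splitlines(), 1):
        script = None
        m = RUN_KEY.match(line)
        if m:
            block_col = None
            if m.group(2)[:1] in ("|", ">"):       # block scalar follows
                block_col = len(m.group(1))        # column of the run: key
            else:
                script = m.group(2)                # one-line script
        elif block_col is not None:
            indent = len(line) - len(line.lstrip())
            if line.strip() and indent <= block_col:
                block_col = None                   # block scalar ended
            else:
                script = line
        if script:
            for expr in EXPR.findall(script):
                if UNTRUSTED.search(expr):
                    findings.append((no, expr.strip()))
    return findings

# Constructed workflow: the title is pasted into the script text before bash runs.
VULNERABLE = """\
on: issues
jobs:
  greet:
    runs-on: ubuntu-latest
    steps:
      - name: Echo the title
        run: |
          echo "New issue: ${{ github.event.issue.title }}"
"""

# Constructed fix: the title travels as an environment variable, i.e. as data.
HARDENED = """\
on: issues
jobs:
  greet:
    runs-on: ubuntu-latest
    steps:
      - name: Echo the title
        env:
          TITLE: ${{ github.event.issue.title }}
        run: |
          echo "New issue: $TITLE"
"""

if __name__ == "__main__":
    print(find_injections(VULNERABLE), find_injections(HARDENED))
```

In the hardened form the title reaches bash as the value of `$TITLE` rather than as script text, so the shell never parses it as a command.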
Forwarded from Exploiting Crew (Pr1vAt3)
1734579716223.pdf
491.1 KB
🦑🔐Cracking the Secrets of JWT Hacking 🔐

Are you ready to uncover the vulnerabilities in JSON Web Tokens (JWTs) and learn how to secure them effectively? Here’s a detailed guide on JWT hacking and best practices to safeguard them:

💡 Common JWT Vulnerabilities:

1️⃣ Weak Signing Algorithm (e.g., none): Exploiting algorithms like HS256 or RS256 with insecure configurations.
2️⃣ Key Disclosure: Using predictable or publicly exposed keys for token signing.
3️⃣ JWT Manipulation: Modifying the header or payload to escalate privileges or bypass authentication.
4️⃣ Lack of Expiration: Tokens without expiry enable unauthorized access for extended periods.
5️⃣ Insufficient Signature Validation: Failure to properly validate JWT signatures.

🛠️ JWT Hacking Techniques:
• Header Tampering: Altering the algorithm to “none” to bypass signature verification.
• Key Cracking: Brute-forcing weak or mismanaged secrets.
• Replay Attacks: Reusing captured tokens to impersonate users.
• Payload Tampering: Modifying claims (e.g., admin: true) to escalate privileges.
• Algorithm Downgrade Attacks: Switching from a strong algorithm (RS256) to a weaker one (HS256) if the server mishandles keys.
• Client-Side Storage Exploitation: Stealing tokens stored in localStorage or sessionStorage via XSS.

✅ How to Secure JWTs:

🔒 Use Strong Algorithms: Always use strong algorithms like RS256 with secure key management.
⏳ Set Expiry Times: Define short-lived tokens with the exp claim to reduce exposure.
📜 Enforce Algorithm Validation: Ensure the server validates the specified algorithm and rejects “none.”
🔑 Implement Secure Key Storage: Store signing keys securely (e.g., in environment variables or vaults).
🔍 Monitor Token Usage: Log and monitor API requests for anomalies or unusual token behavior.
🔄 Rotate Secrets Regularly: Frequently update your keys to limit exposure in case of leaks.
🧱 Protect Client-Side Storage: Use HTTP-only, Secure cookies instead of localStorage or sessionStorage.

💻 Top Tools for JWT Testing:

🛠️ jwt.io – Decode, debug, and test tokens.
🛠️ Burp Suite – Intercept API requests and test JWT-based flows.
🛠️ Postman – Manual testing for API endpoints using JWT.
🛠️ HackTools – A browser extension with JWT cracking utilities.
🛠️ John the Ripper – Brute-force JWT secrets.
🛠️ JARM Tool – Analyze JWT for misconfigurations and vulnerabilities.

🔗 Additional Tips:

🔵 Avoid storing sensitive data directly in the JWT payload, even if encrypted.
🔵 Validate tokens at every API endpoint.
🔵 Beware of Cross-Site Scripting (XSS) attacks that could expose JWTs.

🔐 JSON Web Tokens (JWTs) are powerful tools for modern applications, but they come with risks. Whether you’re a developer or penetration tester, mastering JWT security is critical for keeping your systems safe. 🚀

Ref: in pdf
Forwarded from Exploiting Crew (Pr1vAt3)
Azure Firewall.pdf
1 MB
🦑🟥🟥Azure Firewall 🟥🟥

🚀 Azure Firewall is a stateful, cloud-native network security service designed to secure your Azure workloads and ensure compliance in today’s threat-laden digital landscape.

🔑 Key Features You Need to Know:
1️⃣ Application and Network Rule Filtering
• Define rules based on FQDNs, ports, and protocols to control inbound and outbound traffic.
• Layer 7 filtering for advanced application-level protection.

2️⃣ Threat Intelligence-Based Filtering
• Leverage Microsoft Threat Intelligence to block malicious IPs and domains automatically.
• Get real-time threat updates for proactive defense.

3️⃣ Built-in High Availability
• No need for load balancers - Azure Firewall is built for redundancy and 99.95% SLA.

4️⃣ Dynamic Scalability
• Scales automatically to handle high traffic volumes, ensuring uninterrupted security.

5️⃣ Centralized Policy Management
• Manage security policies across multiple Azure Firewalls using Azure Firewall Manager.

6️⃣ Logging and Analytics
• Monitor traffic patterns with deep logging and analytics in Azure Monitor and Sentinel.

7️⃣ Hybrid and Multi-Cloud Support
• Secure traffic between on-premises, Azure, and other cloud providers using ExpressRoute and VPN Gateway.

💡 Advanced Scenarios with Azure Firewall:
✔ Network Address Translation (NAT): Protect public-facing services with DNAT/SNAT rules.
✔ Integration with Private Link: Secure connections to Azure PaaS services.
✔ Zero Trust Network Security: Enforce strict segmentation and access controls.

📈 Why Choose Azure Firewall?
🔒 Enterprise-grade security with TLS inspection and IDPS (Intrusion Detection & Prevention System).
🌐 Globally distributed for large-scale enterprise needs.
⚡ Effortless integration with Azure Security Center, Azure Virtual WAN, and Third-party SIEM tools.

Ref: Mahesh Girhe