APT

This channel discusses: — Offensive Security — RedTeam — Malware Research — OSINT — etc Disclaimer: t.me/APT_Notes/6 Chat Link: t.me/APT_Notes_PublicChat


📈 Analytics overview of the Telegram channel APT

The channel APT (@apt_notes) is an active participant in the English-language segment. The community currently gathers 14 682 subscribers; it ranks 8 834 in the Technology & Applications category and 45 554 in the Russia region.

📊 Audience metrics and growth dynamics

Since its creation (date unknown), the project has kept up rapid growth and attracted 14 682 subscribers.

According to the latest data from 13 June 2026, the channel is running steadily. The subscriber count changed by 414 over the past 30 days and by 17 over the past 24 hours; overall reach remains substantial.

  • Verification status: not verified
  • Engagement rate (ER): the average audience engagement rate is 50.76%. Within 24 hours of publication, a post typically receives reactions from N/A% of subscribers.
  • Post reach: each post receives an average of 7 449 views, typically accumulating 0 views on the first day.
  • Engagement and feedback: the audience participates actively, with an average of 20 reactions per post.

📝 Description and content strategy

The author positions the channel as a platform for expressing subjective views:
This channel discusses: — Offensive Security — RedTeam — Malware Research — OSINT — etc Disclaimer: t.me/APT_Notes/6 Chat Link: t.me/APT_Notes_PublicChat

With frequent updates (latest data collected on 14 June 2026), the channel consistently stays fresh and maintains high reach. Analysis shows active audience engagement, making it a key point of influence in the Technology & Applications category.

14 682 subscribers
+17 in 24 hours
+102 in 7 days
+414 in 30 days

Post archive
APT
14 675
EDR Parallel-asis through Analysis New method for enumerating Syscalls numbers using the Parallel loader Research: https://www.mdsec.co.uk/2022/01/edr-parallel-asis-through-analysis/ C++ Code Snipped: https://github.com/mdsecactivebreach/ParallelSyscalls C# Code Snipped: https://github.com/cube0x0/ParallelSyscalls #edr #evasion #parallel #csharp

APT
14 675
Optimizing Windows Function Resolving: A Case Study Into GetProcAddress https://phasetw0.com/windows-internals/optimizing_function_resolving/ #edr #evasion #winapi #getprocaddress

APT
14 675
RemoteNET This library lets you examine, create and interact with remote objects in other .NET processes. It's like System.Runtime.Remoting except the other app doesn't need to be compiled (or consent) to support it. Basically this library lets you mess with objects of any other .NET app without asking for permissions https://github.com/theXappy/RemoteNET #csharp #injection #pentest

APT
14 675
Process Injection via KernelCallBackTable Process injection via the KernelCallBackTable involves replacing original callback function by custom payload so that whenever the function is invoked, payload will be triggered. In this case the fnCOPYDATA callback function has been used. C# Code Snippet: https://gist.github.com/sbasu7241/5dd8c278762c6305b4b2009d44d60c13 #edr #evasion #dll #injection #kernelcallbacktable

APT
14 675
Domain Persistence – AdminSDHolder https://pentestlab.blog/2022/01/04/domain-persistence-adminsdholder/ #ad #adminsdholder #redteam

APT
14 675
An ‘Attack Path’ Mapping Approach to CVEs 2021-42287 and 2021-42278 This post provides Splunk SPL queries for detecting the attacks described in Charlie’s blog, using only Windows Security Log events from a domain controller. Furthermore, this post only examines a subset of the Windows Event logging data source https://www.trustedsec.com/blog/an-attack-path-mapping-approach-to-cves-2021-42287-and-2021-42278 #ad #pac #s4u2self #research #escalation

APT
14 675
Bypass Defender AV static detection: If you name a malicious file *.log Defender doesn't scan it. UPD: DumpStack (by any file number) can bypass MDE easily with no detection as mimikatz or eicar mode. The malicious file can be shown in the console but not identified as malicious. #defender #evasion #tricks

APT
14 675
Phishing With Spoofed Cloud Attachments This article looks at how you can abuse the cloud attachment feature on O365 to make executables (or any other file types) appear as harmless attachments. https://mrd0x.com/phishing-o365-spoofed-cloud-attachments/ #phishing #O365 #abuse

APT
14 675
Undetected Azure AD Bruteforce Attack In late June 2021, Secureworks Counter Threat Unit researchers discovered a flaw in the protocol used by the Azure Active Directory Seamless Single Sign-On feature. This flaw allows threat actors to perform single-factor brute-force attacks against Azure Active Directory (Azure AD) without generating sign-in events in the targeted organization’s tenant. PoC: https://github.com/treebuilder/aad-sso-enum-brute-spray Research: https://www.secureworks.com/research/undetected-azure-active-directory-brute-force-attacks #sso #azure #ad #bruteforce #research

APT
14 675
AD Security Assessment Active Directory Security Assessment script pulls important security facts from Active Directory and generates nicely viewable reports in HTML format by highlighting the spots that require attention. The script manipulates user data using facts collected with benchmark values. https://github.com/gkm-automation/AD-Security-Assessment #ad #security #assessment #ps1

APT
14 675
WMEye A small project I wrote that uses WMI foo to remotely upload shellcode into a WMI Class and execute it by invoking MSBuild. It uses LogFileEventConsumer Class to write the MSBuild Payload. https://github.com/pwn1sher/WMEye #wmi #redteam #tools

APT
14 675
PowerRemoteDesktop Have you ever dreamed about having a Remote Desktop Application entirely coded in PowerShell (even the GUI)? Well, it is now possible with this very first beta release https://github.com/DarkCoderSc/PowerRemoteDesktop #rdp #powershell #tools

APT
14 675
Bypass Rate Limits in Web Applications and APIs

— What is Rate Limit
Rate limiting is a process of limiting the number of requests a user can make to a web server in a span of time. This can be achieved by implementing IP-based or session-based rate limits on the web server.

— Where to Look for Rate Limit Bugs
Places like:
— Login/Signup pages
— Register pages
— 2FA codes
— Confirmation codes
...and any other request which, if brute-forced, would allow an attacker to achieve anything malicious should be checked for a "No Rate Limit" issue.

[Bypass 1] - Using Null Chars
%00, %0d%0a, %09, %0C, %20, %0
Example:
— Bruteforce with snapsec@gmail.com
— After some time you will be blocked
— Now bruteforce with snapsec@gmail.com%00 and check if you are able to continue bruteforcing

[Bypass 2] - Adding Spaces
A web server may strip off extra spaces added to the email/username at the backend, which may allow you to bruteforce the same email by appending an extra space every time you are blocked.

[Bypass 3] - Host Header Injection
Try modifying the Host header of the request after being blocked by the server:
Change Host: www,newsite,com
Change Host: localhost
Change Host: 127.0.0.1

[Bypass 4] - Changing Cookies
Try changing the session cookie after being blocked by the server. This can be achieved by figuring out which request is responsible for setting session cookies for the user and then using that request to update the session cookie every time you are blocked.

[Bypass 5] - X-Forwarded-For
— dig target,com
— Change the X-Forwarded-For: IP address
This may confuse the WAF/server/load balancer, as if requests are being forwarded to another host, but they will be forwarded to the same target host, hence allowing you to bypass the rate limit.

[Bypass 6] - Confuse server with correct attempts
If the server is blocking you after 20 attempts, try bruteforcing with 19 attempts, use your credentials to log in to your account on the 20th attempt, and then repeat the process.

[Bypass 7] - Updating target Paths
Appending a random param=value may sometimes bypass the rate limit on the endpoint. Eg:
— Bruteforce /api/v1/users/<id>
— Got blocked after 200 attempts
— Now bruteforce /api/v1/users/<id>?xyz=123
— Change the param=value after each 200 attempts

[Bypass 8] - IP based Rate limits
IP-based rate limits can be easily bypassed by changing the IP address of your machine. The alternative would be using the IP Rotate Burp extension.

#web #api #rate #limit #bypass

APT
14 675
Bypassing HttpOnly 1. Why phpinfo 2. Stealing ci_session with info.php file 3. PoC Research: https://aleksikistauri.medium.com/bypassing-httponly-with-phpinfo-file-4e5a8b17129b #web #httponly #phpinfo #xss

APT
14 675
API Guesser A simple website to guess API Key / OAuth Token When you do pentest / Github recon and find API key / OAuth token but you don't know what API key it is, you can use my website that I built from javascript https://api-guesser.netlify.app Source: https://github.com/daffainfo/apiguesser-web #api #token #osint #bugbounty

APT
14 675
Redash Exploiting (CVE-2021-41192) Redash is a package for data visualization and sharing. If an admin sets up Redash versions 10.0.0 and prior without explicitly specifying the REDASH_COOKIE_SECRET or REDASH_SECRET_KEY environment variables, a default value is used for both that is the same across all installations. In such cases, the instance is vulnerable to attackers being able to forge sessions using the known default value. https://ian.sh/redash #redash #cve #research

APT
14 675
Our team wishes you and yours a Merry Christmas and a Happy New Year! ❤️

APT
14 675
New article "Fuzzing for XSS via nested parsers condition" by our researcher @Psych0tr1a. This technique allowed us to find a bunch of vulnerabilities in popular web products that no one had noticed before! https://swarm.ptsecurity.com/fuzzing-for-xss-via-nested-parsers-condition/

APT
14 675
Apache APISIX Dashboard — Unauthorized RCE (CVE-2021-45232) Attackers can access certain interfaces without logging in to Apache APISIX Dashboard, thus making unauthorized changes or obtaining relevant configuration information such as Apache APISIX Route, Upstream, Service, etc., and cause problems such as SSRF, malicious traffic proxies built by attackers, and arbitrary code execution. Shodan Dorks:
title:"Apache APISIX Dashboard"

PoC:
curl http://IP:9000/apisix/admin/migrate/export

https://apisix.apache.org/blog/2021/12/28/dashboard-cve-2021-45232/ #apache #apisix #cve #poc

APT
14 675
VPN Overall Reconnaissance, Testing, Enumeration and Exploitation Toolkit (Vortex) A very simple Python framework, inspired by SprayingToolkit, that tries to automate most of the process required to detect, enumerate and attack common O365 and VPN endpoints (like Cisco, Citrix, Fortinet, Pulse, etc...). Features: — User Search and Collection — Password Leaks — Main Domain Identification — Subdomain Search — VPN Endpoint Detection — Password Spraying/Guessing attacks — Search profiles on Social Networks https://github.com/klezVirus/vortex #osint #vpn #enumeration #spraying #tools