Are you a veteran hacker, someone who loves code review, or looking to get your first CVE? Then, I have something to share with you. Let's talk abou  ( 5 min )

Docker is a platform for creating and deploying applications in self-sufficient containers. The installation of Docker is pretty easy in Linux, but this is usually not the case with Windows. In this post, I will show you how to install Docker in Windows 10 or Windows 11 in multiple ways. You'll learn there is indeed a way that makes the Docker Desktop installation in Windows as simple as in Linux. Install Docker on Windows 10 and Windows 11 first appeared on 4sysops.  ( 36 min )

Introduction When a Threat Intelligence Management (TIM) license is present in your Cortex XSOAR environment, the feature to create relationships between indicators is available. This allows you to describe how indicators relate to each other and use this relationship in your automated analysis of a security incident. In the previous blog post in this series, … Continue reading Cortex XSOAR Tips & Tricks – Creating indicator relationships in integrations →  ( 7 min )

The Void Balaur cyber mercenary group has thrived throughout 2022, attacking targets on a global scale with new phishing campaigns.  ( 11 min )

An elusive adversary is attacking high-value targets with impunity using novel malware frameworks and custom-built backdoors.  ( 11 min )

tl;dr You can now have Scout Suite scan not only your cloud environments, but your Kubernetes clusters. Just have your kubeconfig ready and run the following commands: $ pip3 install --user https://github.com/nccgroup/ScoutSuite/archive/develop.zip $ scout kubernetes Background NCC Group’s Container Orchestration Security Service (COSS) practice regularly conducts Kubernetes cluster configuration reviews spanning platform-managed Kubernetes clusters across … Continue reading Tool Release – Project Kubescout: Adding Kubernetes Support to Scout Suite →  ( 8 min )

Juplink’s RX4-1800 WiFi router was found to have multiple vulnerabilities exposing its owners to potential intrusion in their local WiFi network and complete overtake of the device. An attacker can remotely take over a device after using a targeted or phishing attack to change the router’s administrative password, effectively locking the owner out of their … Continue reading Technical Advisory – Multiple Vulnerabilities in Juplink RX4-1800 WiFi Router (CVE-2022-37413, CVE-2022-37414) →  ( 7 min )

PfSense is a free open-source network firewall and router based on FreeBSD. PfSense is known for its reliability and comes with many features that only commercial firewalls offer. PfSense is included in many third-party free software packages. You can install PfSense on both physical and virtual machines. Appliances are also available. How to install the PfSense firewall on a virtual machine first appeared on 4sysops.  ( 34 min )

I know a lot of buzzwords get thrown at you every day with products that want to help you implement Zero Trust, passwordless, adaptive and continuous authentication. But have you matured your identity and access management (IAM) implementation to check any of these initiatives off your list? We recently announced the release of Arculix, the […] The post Implement Arculix for Zero Trust Security and Continuous Authentication appeared first on SecureAuth.  ( 30 min )

Learn how your organization can improve application security by applying secure design patterns, avoiding anti-patterns, and adding security architecture analysis.  ( 11 min )

HTTP header injection is often under-estimated and misclassified as a moderate severity flaw equivalent to XSS or worse, Open Redirection. In this post, I'll share a simple technique I used to take a  ( 4 min )

How cleartext session tokens are stored in an unsecured directory that can be stolen and used to impersonate a Teams user. TL;DR Microsoft Teams stores unencrypted session tokens and cached […] You can’t stop me. MS Teams session hijacking and bypass first appeared on Pen Test Partners.  ( 7 min )

This short blog post explains what each tool does and overviews the use/reason for the release. Release of AutoPoC and SandboxSpy.  ( 3 min )

TLDR: reducing the sound volume level of our TV has no (significant) impact on its electric energy consumption, but reducing the back-lighting does. Here in Belgium, mainstream media is full of news with tips to reduce energy consumption. Some good tips, some bad tips … That’s mainstream media for you 🙂 Recently, there was an […]  ( 10 min )

Blog outlining the new SANS Institute Cloud Security Curriculum

Previous RSA Conference keynote presentations on the most dangerous new attack techniques in use today and how to prepare for the future.  ( 11 min )

Summary of SANS Cybersecurity Leadership Curriculum which is developing cyber security managers and leaders worldwide.  ( 16 min )

Linux powers a vast range of business-critical systems across the globe. From webservers to database platforms, to network hardware to security appliances, Linux can often be found “under the hood” making sure the system just keeps working. FOR577: Linux Incident Response & Analysis course gives incident responders and forensic investigators the knowledge they need to understand how the systems work, how attackers compromise environments and how to respond and investigate in an effective manner.  ( 8 min )

I never thought I will write the part 1a of my old post, but here it is. As usual, I have not explored the below topic in-depth, but have certainly […]  ( 19 min )

Disclosure of uninitialized memory is one of the common problems faced when copying data across trust boundaries. This can happen between the hypervisor and guest OS, kernel and user space, or across the network. The most common bug pattern noticed among these cases is where a structure or union is allocated in memory, and some of the fields or padding bytes are not initialized before copying it across trust boundaries. The question is, is it possible to perform variant analysis of such bugs? The idea here is to perform a control flow insensitive analysis to track all memory store operations statically. Any memory region never written to is identified as uninitialized when the data from it is copied across trust boundaries. Generalizing the code pattern for analysis Consider the case of CV…

Sentry is an app monitoring tool for DevOps environments that is based on a stack of products such as Snuba, Kafka, and Nginx. It features proactive application monitoring to ensure that issues are addressed before they disrupt production environment. Sentry: App monitoring for DevOps environments first appeared on 4sysops.  ( 33 min )

Learn how ManageEngine ADManager Plus allows easy management for on-premises Active Directory and cloud applications, such as Microsoft 365 and Google Workspace, as well as easy Active Directory automation and permission delegation. Automation for Active Directory, Microsoft 365, and Google Workspace with ManageEngine ADManager Plus first appeared on 4sysops.  ( 38 min )

A few years ago, I read the “Uroburos: The Snake Rootkit” [1] paper written by Artem Baranov and Deresz and was captivated by the hidden kernel-mode Virtual File System (VFS) functionality implemented within Uroburos. Later, I decided to learn Windows device driver programming and thought replicating this functionality within my own rootkit would be an […] The post Developing a Hidden Virtual File System Capability That Emulates the Uroburos Rootkit appeared first on Praetorian.  ( 16 min )

This update adds the option –trim to template process-text-files.py. python-templates_V0_0_8.zip (http)MD5: 6C845823BB8AC4DB42993B994E93AF66SHA256: 20EC1E6540DF31939686CA4B54C5312DF3724EB756B16BA724722C3196BDF93F  ( 9 min )

In the past, Microsoft set up a separate product in WSUS for each version of Windows Server; this meant that admins could easily subscribe to the respective updates. This no longer applies to Windows Server 2022, which shares updates with Azure Stack HCI. The Azure editions of Server 2022 are not covered by them. Get updates for Windows Server 2022 in WSUS first appeared on 4sysops.  ( 33 min )

Modern organizations evolved and took the next step when they became digital. Organizations are using cloud and automation to build a dynamic infrastructure to support more frequent product release and faster innovation. This puts pressure on the IT department to do more and deliver faster. Automated cloud infrastructure also requires a new mindset, a change … Continue reading A Guide to Improving Security Through Infrastructure-as-Code →  ( 16 min )

This version of my strings.py program adds option -N to select strings that end with a NUL character (C-strings). strings_V0_0_8.zip (http)MD5: 29015239E6385FFA63C2E33755C34CD9SHA256: 449AC9AA39A464D7C5883DED3FE9CB21A2E8E700F7763AD4199C25D37DCBD296  ( 9 min )

On a network and need credentials? Try password spraying the domain controller directly. A few years ago, I wrote this password spray tool called gospray that was used succesfully in a couple of engagements since. It does an LDAP bind directly against the domain controller to validate credentials. This doesn’t require an SMB server (or other servers) as target. So, it’s pretty quiet and number of concurrent Go routines is configurable.  ( 1 min )

split-overlap.py is a tool to split a binary file in parts of a given size. For example: split-overlap.py 1000 test.data When test.data is a binary file with size 2500 bytes, the above command will create 2 files of 1000 bytes and one file of 500 bytes. It’s also possible to split a file with some […]  ( 10 min )

Dumping tokens from Microsoft Office desktop applications' memory  ( 2 min )

Did you know there are more than 200 configuration locations for Windows startup programs? These are often used to launch malicious software without user interaction. In this post, you will learn how to discover and change Windows startup programs with Sysinternals autoruns. Change Windows startup programs with Sysinternals Autoruns first appeared on 4sysops.  ( 36 min )

This post will start with the basics of defining scope and how ethical hackers and testers use it in their testing workflow. If you’re already famil  ( 7 min )

Obtaining effective protection by virus scanners requires that they always use the latest definitions. Therefore, Microsoft Defender is not limited to getting its signature updates from the standard source for OS updates. Rather, you may specify several at once. Microsoft Defender: Control updates for malware signatures using Group Policy or PowerShell first appeared on 4sysops.  ( 35 min )

A new option was added to limit the amount of requests: -l (–limitrequests). virustotal-search_V0_1_7.zip (http)MD5: BB6E9D480F7BCF0FD3F0CB8EED1B49FESHA256: AEFEB5761A5BBEE998FA20A68213316522C7554796F47EB8C7EB2A5DF1D4E73D  ( 9 min )

By Fredrik Dahlgren, Staff Security Engineer In October 2019, a security researcher found a devastating vulnerability in Tornado.cash, a decentralized, non-custodial mixer on the Ethereum network. Tornado.cash uses zero-knowledge proofs (ZKPs) to allow its users to privately deposit and withdraw funds. The proofs are supposed to guarantee that each withdrawal can be matched against a […]  ( 11 min )

In my previous post, I explained how to enable BitLocker with PowerShell and how to unlock, suspend, resume, and disable BitLocker with PowerShell. You might face various errors while using BitLocker drive encryption. Since most errors are fixed using Group Policy settings, it is worth mentioning that all the BitLocker-related settings are available under the following Group Policy path: Common BitLocker errors first appeared on 4sysops.  ( 36 min )

I tested a small powerbank that I have, and it’s very inefficient. It takes 10.07 Wh to charge: And it delivers 5.95 Wh when I discharge it (5V at 0.250 mA). So I only got 59% back of the energy I put in. This powerbank is quite old, it might have become so inefficient over […]  ( 9 min )

Windows 11 22H2 is the first feature update for this operating system since its release last year. Accordingly, the focus is on removing some rough edges and improving the overall user experience. Nevertheless, the 22H2 release offers some innovations that are welcome for professional use. New features in Windows 11 22H2 for professional users first appeared on 4sysops.  ( 36 min )

We are excited to announce the release of a new version of our open-source, multi-cloud auditing tool ScoutSuite (on Github)! This version includes multiple bug fixes, dependency updates and feature enhancements for AWS, Azure and GCP. It also adds and updates several rules for these three cloud providers, alongside improved finding templates and descriptions. The … Continue reading Tool Release – ScoutSuite 5.12.0 →  ( 6 min )

Another Patch Tuesday is upon, and Adobe and Microsoft have released a bevy of new security updates. Take a break from your regularly scheduled activities and join us as we review the details of their latest security offerings. Adobe Patches for September 2022  For September, Adobe released seven patches addressing 63 in Adobe Experience Manager, Bridge, InDesign, Photoshop, InCopy, Animate, and Illustrator. A total of 42 of these bugs were reported by ZDI Sr Vulnerability Researcher Mat Powell. The update for InDesign is the largest patch this month, with eight Critical-rated and 10 Important-rated vulnerabilities receiving fixes. The most severe of these could lead to code execution if a specially crafted file is opened on an affected system. The patch for Photoshop fixes 10 CVEs, nine o…

A need for public trust in information systems has driven continuous technological advances and new regulatory requirements, which have in turn made the global cyber threat landscape more complex and connected (see figure 1). As Boards of Directors, regulators, and the public become more aware of this interplay, organizations will need to evolve to address […] The post Framework Selection: How to Architect a Systematic Security Program – Part 1 appeared first on Praetorian.  ( 6 min )

I made a mistake and destroyed my old multimeter. It’s a 30+ year old multimeter, and it had become very dirty because of all the dust it collected while I used it in a home renovation project, years ago. It was still functional, so I used it for years like that. But recently, after discovering […]  ( 9 min )

Introducing CloudFox, a command line tool created to help offensive security professionals find exploitable attack paths in cloud infrastructure.  ( 8 min )

The cyber security solutions are the draw, but there’s so much more to the event of which you’ll want to take advantage.  ( 10 min )

During the summer of 2022, Penumbra Labs, Inc. engaged NCC Group to conduct a cryptographic security assessment of two items: (i) the specification and two implementations of the decaf377 group, and (ii) a methodology and implementation of parameter generation for the Poseidon hash function. Decaf377 is a prime-order group obtained by applying the Decaf construction … Continue reading Public Report – Penumbra Labs Decaf377 Implementation and Poseidon Parameter Selection Review →  ( 5 min )

This post explains how you can enable BitLocker for Windows 10 and Windows 11 with Intune on multiple computers and devices. Enable BitLocker for Windows 10 and Windows 11 with Intune on multiple computers first appeared on 4sysops.  ( 32 min )

Beyond COM  ( 11 min )

I thought I knew all the ways to call functions without parentheses: alert`1337` throw onerror=alert,1337 Function`x${'alert\x281337\x29'}x``` 'alert\x281337\x29'instanceof{[Symbol['hasInstance']]:eva  ( 5 min )

When I record maldoc analysis videos, I have already analyzed the maldoc prior to recording, and I rehearse the recording. This time, I also recorded the unrehearsed analysis: when I take the first look at a maldoc I’ve not seen before. All in this video:  ( 9 min )

This week I learned about a design flaw with pip download, which allows an adversary to run arbitrary code. I assumed that running pip install means anything could happen, but pip download seems a bit surprising. Both seem useful for red teaming though. Background This post from Yehuda Gelb named Automatic Execution of Code Upon Package Download on Python Package Manager which the Security Now! podcast pointed me towards. The post highlights that just running pip download can compromise your computer.  ( 2 min )

In my last post, I outlined how you can enable BitLocker with PowerShell and manage key protectors. Today, I will cover BitLocker management with PowerShell. In particular, I will describe how you can unlock, suspend, resume, and disable BitLocker with PowerShell. Unlock, suspend, resume, and disable BitLocker with PowerShell first appeared on 4sysops.  ( 35 min )

While on holiday in Feilluns (France, Pyrénées-Orientales) in September 2021, I did search several dolmens. While the dolmen Caouno del Moro is easy to find (it is right next to a road, just follow the signs starting in the village), the nearby dolmen du roc de l’Arca is not so easy to find, as there […]  ( 9 min )

Technical support personnel, engineering teams, and security teams often need access to a remote computer involving both servers and workstations, using a variety of techniques. Three of the most common tools in a Windows environment are Microsoft Remote Desktop (RDP), VMware Console access, and Microsoft Management Console (MMC), but we can also use SMB shares, PowerShell remoting, and PsExec. This article will you give an overview of the most popular ways gaining remote computer access, along with some tips of what you can do if the remote connection fails. Different ways of gaining remote computer access first appeared on 4sysops.  ( 39 min )

In my first blog post covering bugs in Ivanti Avalanche, I covered how I reversed the Avalanche custom InfoRail protocol, which allowed me to communicate with multiple services deployed within this product. This allowed me to find multiple vulnerabilities in the popular mobile device management (MDM) tool. If you aren’t familiar with it, Ivanti Avalanche allows enterprises to manage mobile device and supply chain mobility solutions. That’s why the bugs discussed here could be used by threat actors to disrupt centrally managed Android, iOS and Windows devices. To refresh your memory, the following vulnerabilities were presented in the previous post:  ·       Five XStream insecure deserialization issues, where deserialization was performed on the level of message handling. ·       A race con…

We asked you to take our Unredacter Challenge, in which we asked you to get creative and devise a way to solve our blurred secret message! Watch as Shawn A., one of our Unredacter Challenge winners, showcases his solution.  ( 9 min )

Part 6: What is a Procedure?  ( 24 min )

Partially encrypting victims' files improves ransomware speed and aids evasion. First seen in LockFile, the technique is now being widely adopted.  ( 10 min )

At DEF CON 30 this year we demonstrated some vulnerabilities in electronic flight bags and the potential impact on flight safety. There’s plenty more detail of EFB security issues here. […] DEF CON 30. Hacking EFBs. Engine Performance first appeared on Pen Test Partners.  ( 6 min )

As biodegradable waste contains a lot of water, I was wondering how much mass reduction I can achieve by exposing it to the sun (by evaporating some of the contained water). On a sunny day in March (Belgium), I weighed these fruit peels (I had just consumed the fruit): 66 grams Exposing it to sun […]  ( 9 min )

Jason D. Christopher shares lessons learned through continually helping ICS security teams and their leaders better understand their security posture through measurement.  ( 18 min )

by Juan Garrido Editor’s note: This tool was originally released at Black Hat USA 2022 (Arsenal) in August 2022, and was created by Juan Garrido (@silverhack). Monkey 365 is an Open Source security tool that can be used to easily conduct not only Microsoft 365, but also Azure subscriptions and Azure Active Directory security configuration reviews … Continue reading Tool Release – Monkey365 →  ( 6 min )

Backing up domain controllers is a crucial part of any disaster recovery plan for organizations leveraging Active Directory on-premises. There are two types of restores: authoritative and nonauthoritative. Which one do you use where? We can perform both using Windows Server Backup. Let's look at this process with the nonauthoritative restore. Recover Active Directory domain controllers with nonauthoritative restore first appeared on 4sysops.  ( 35 min )

tl;dr: Steps to setup a wicked fast SOCKS proxy with a tool called gTunnel written by hotnops  ( 21 min )

This is a small update: when non-hexadecimal characters are found, they are listed before an exception is raised. hex-to-bin_V0_0_6.zip (http)MD5: 9939263DCF538BBF5FC98DB2EC83F247SHA256: 94B2B23BCA5C000CA85EEE8AE1A16AEEDB77E72057111C8207A683BD4DDF4581  ( 9 min )

Have you considered a career as a cybersecurity professional, but weren’t really sure if you had the skillset needed for success? Many of the best security professionals bring non-technical backgrounds. In many cases having a non-technical background can actually be an advantage in the industry.  ( 17 min )

The increased targeting of control systems through impactful cyber-attacks has resulted in an attack surface more widely available and vulnerable to cyber-attacks. These attacks are created and deployed by adversaries-for-hire and rogue nation-states which have the means and motivation to disrupt operations and cause safety impacts. The good news - ICS/OT cyber security defense is totally doable - with an effective team and approach to risk management!  ( 15 min )

BitLocker is a volume encryption technology that was first introduced in Windows Vista and Windows Server 2008. Like other Microsoft products, it also suffers from certain glitches, but many people around the globe rely on BitLocker Drive Encryption (BDE) to protect their data at rest. Enable BitLocker with PowerShell first appeared on 4sysops.  ( 37 min )

Authored by Alberto Segura (main author) and Mike Stokkel (co-author) Editor’s note: This post was originally published on the Fox-IT blog. Introduction  After we discovered in February 2022 the SharkBotDropper in Google Play posing as a fake Android antivirus and cleaner, now we have detected a new version of this dropper active in the Google … Continue reading Sharkbot is back in Google Play  →  ( 12 min )

In this excerpt of a Trend Micro Vulnerability Research Service vulnerability report, Quintin Crist and Dusan Stevanovic of the Trend Micro Research Team detail a recently patched remote code execution vulnerability in the Microsoft Windows operating system, originally discovered and reported by the researcher known as Arimura. The bug is the result of a dynamically allocated buffer created by an NFS function and is present only on Windows Server 2022. An unauthenticated attacker could exploit this bug to execute arbitrary code in the context of SYSTEM. This is the third such NFS vulnerability in as many months. The following is a portion of their write-up covering CVE-2022-34715, with a few minimal modifications. A remote code execution vulnerability exists in Windows Network File System.…

Consider an application written in a higher-level language like Python, NodeJS, or C#. This application must handle sensitive data such as banking credentials, credit card data, health information, or network passwords. The application developers have already hardened the application against malicious users and are confident that it is not vulnerable to database injections, account takeovers, […] The post Safeguarding Memory in Higher-Level Programming Languages appeared first on Praetorian.  ( 16 min )

Have you ever seen a promising hacking technique, only to try it out and struggle to find any vulnerable systems or non-duplicate findings? In this post, I'll take a concise look at the most effective  ( 4 min )

This is an update for my tool to perform XOR known plaintext attacks: xor-kpa.py. The tool has been updated for Python 3, and 3 new plaintext have been added, all for Cobalt Strike configurations. cs-key is the header of the configuration entry for the public key. cs-key-dot is the header of the configuration entry for […]  ( 9 min )

Windows Server 2022 has many robust enterprise features that allow IT admins to create resilient and highly available infrastructure services. With transparent failover, admins can take advantage of features found in SMB 3.0 and higher to provide continuous access to file shares. Setting up highly available file shares in Windows Server 2022 first appeared on 4sysops.  ( 35 min )

A small update for my translate.py program. Python function Xor takes now 2 extra, optional arguments: hexadecimal: a boolean, by default False. When True, the key is provided as an hexadecimal string. rotation: an integer, by default 0 This is the number of bytes to rotate the key to the left. For example, when the […]  ( 9 min )

Introduction NCC Group Cryptography Services team assessed security aspects of several implementations of the QUIC protocol. During the course of their reviews, the team found a number of recurrent cryptography side channel findings of arguably negligible privacy risk to users, across these implementations. However, repetition in itself makes these findings somehow worth having a deeper … Continue reading Constant-Time Data Processing At a Secret Offset, Privacy and QUIC →  ( 20 min )

When you get the chance to take a look at the IT systems of financial institutions, telcos, and other big companies, where availability has been a key business concern for decades, you’ll find, that some critical operations run through some obscure systems, in many cases accessed via nostalgic green-on-black terminals, the intricacies of which only … Continued  ( 7 min )

This is an update to plugin plugin_vba_dco.py, improving generalization and adding option -p. You can watch this maldoc analysis video to learn how to use the generalization feature of this plugin: oledump_V0_0_70.zip (http)MD5: D6EC4FD6B7BE60E01A98922BC06A1E8FSHA256: E9EE79501A08E896A601F1AFDDB6D3C05D9A2A1FD5899D44AC422DD79E4EF678  ( 9 min )

I wrote about older Adobe scripting before. I recently discovered that Adobe products support scripting using so-called ExtendScript language with code being stored either in a source-level JSX file, or […]  ( 18 min )

This update to jpegdump.py, my tool to analyze JPEG images, brings 2 small changes: Data between segments can be selected with suffix d. Like this: -s 10d This means: select the data between segments 9 and 10. And when option -E is used to add hash values, repeating hashes are marked with parentheses. jpegdump_V0_0_10.zip (http)MD5: […]  ( 9 min )

I have 2 Bosch 18V “power for all” chargers. A normal charger (AL 1830 CV) and a fast charger (AL 1880 CV). Measuring the power consumption of these 2 chargers in standby mode (plugged into a 230V outlet, but no battery connected) with a GPM-8310 powermeter, I obtained the following results: AL 1830 CV: 476,33 […]  ( 9 min )

UNISOC (formerly Spreadtrum) is a rapidly growing semiconductor company that is nowadays focused on the Android entry-level smartphone market. While still a rare sight in the west, the company has nevertheless achieved impressive growth claiming 11% of the global smartphone application processor market, according to Counterpoint Research. Recently, it’s been making its way into some … Continue reading There’s Another Hole In Your SoC: Unisoc ROM Vulnerabilities →  ( 18 min )

One challenge with Remote Desktop printing is the issue of drivers. If users want to output documents on locally attached printers, for example, in work-from-home environments, organizations might have to deal with various printer models. Remote Desktop Easy Print offers a solution with a single driver. Setting up Remote Desktop Easy Print first appeared on 4sysops.  ( 34 min )

My experience of vulnerability disclosure is that it is rarely as easy or simple as it could be. I had hoped that bug bounty programmes and vulnerability disclosure programmes (VDPs) […] When disclosure goes wrong. People first appeared on Pen Test Partners.  ( 8 min )

Have you ever received the following error message when you tried to sign in on a domain controller? We can't sign you in with this credential because your domain isn't available. Scary, huh? With the help of Active Directory's Directory Services Restore Mode (DSRM), you can recover Active Directory by booting up in safe mode to restore a working configuration of your Active Directory. I hope you still know your DSRM password. If not, I show you how to reset the DSRSM password in this article. Directory Services Restore Mode: DSRM password reset, recover Active Directory first appeared on 4sysops.  ( 38 min )

A new threat actor is spreading infostealer malware through targeted attacks on developers and fraudulent cryptotrading applications.  ( 10 min )

Here is an overview of content I published in August: Blog posts: Update: 1768.py Version 0.0.15 Update: 1768.py Version 0.0.16 YouTube videos: 1768.py’s Sanity Check Videoblog posts: 1768.py?s Sanity Check SANS ISC Diary entries: VBA Maldoc & UTF7 (APT-C-35) YARA 4.2.3 Released Sysinternals Updates: Sysmon v14.0 and ZoomIt v6.01 Dealing With False Positives when Scanning […]  ( 9 min )

Throughout September and October, members of NCC Group will be presenting their work at SANS CyberThreat, ResponderCon, BSides St John’s, ICMC, DevOps World, RootCon, and Hexacon. Ollie Whitehouse & Eric Shamper, “Enterprise IR:Live Free, live large” to be presented at Sans CyberThreat (September 12-13 2022) Balazs Bucsay, “Alternative way to detect mikatz” to be presented … Continue reading Conference Talks – September/October 2022 →  ( 7 min )

Introduction netlink and nf_tables Overview Sets Expressions Set Expressions Stateful Expressions Expressions of Interest nft_lookup nft_dynset nft_connlimit Vulnerability Discovery CVE-2022-32250 Analysis Set Creation Set Deactivation Initial Limited UAF Write Exploitation Building an Initial Plan Offsets We Can Write at Into the UAF Chunk Hunting for Replacement Objects What Pointer Do We Want to Arbitrary Free? … Continue reading SETTLERS OF NETLINK: Exploiting a limited UAF in nf_tables (CVE-2022-32250) →  ( 51 min )

When deciding on what type of security assessment to get, an organization should consider how much information they are willing to share. Several types of assessments exist, and the key differentiator is how much access an organization grants the testers from the beginning. The terms blackbox, greybox, and whitebox refer to whether a client chooses […] The post Whitebox Security Assessments: Doing More with More appeared first on Praetorian.  ( 5 min )

I've been hacking browsers for over 15 years and one of the challenges I set myself was to find a SOP bypass or info leak in every major browser. Chrome was the last browser standing…until now. This p  ( 4 min )

In Part 1 of this series, we looked at how to port functionality from the Azure GUI to PowerShell. Specifically, we looked at how to…  ( 14 min )

At present all major operating system kernels are written in C/C++, languages which provide no or minimal assistance in avoiding common security problems. Modern languages such as Rust provide better security guarantees by default and prevent many of the common classes of memory safety security bugs. In this post we will take a brief look … Continue reading Writing FreeBSD Kernel Modules in Rust →  ( 14 min )

Admins can prompt users to change their password at their next login. While it is easy to see the status of the corresponding attribute in AD Users and Computers, the procedure with PowerShell is a bit tricky. On the other hand, enforcing a password change with PowerShell is quite simple. Find AD accounts with ChangePasswordAtLogon, set and enforce password change with PowerShell first appeared on 4sysops.  ( 33 min )

We are increasing prices for Burp Suite Professional and Burp Suite Enterprise Edition, due to a significant increase in costs caused by global inflation. The price of an annual Burp Suite Professiona  ( 3 min )

Running a simple network speed test is often a good start when troubleshooting or verifying network performance. Such a test may measure speeds between two computers or the Internet download speed from an ISP. Many free network performance test tools are readily available for testing network performance. Free network speed test tools first appeared on 4sysops.  ( 33 min )

Overview During the summer, my colleague Derya Yavuz and I published an article on some of the different methods we’ve leveraged to elevate privileges within Active Directory environments. We discussed authentication coercion techniques such as PrinterBug, PetitPotam, and DFSCoerce. One of the techniques we mentioned in that article was performing an NTLM downgrade attack to […] The post NTLMv1 vs NTLMv2: Digging into an NTLM Downgrade Attack appeared first on Praetorian.  ( 13 min )

The post CVE-2022-26113: FortiClient Arbitrary File Write As SYSTEM appeared first on Rhino Security Labs.  ( 4 min )

Cedric Halbronn, Aaron Adams, Alex Plaskett and Catalin Visinescu presented two talks at NCC Con Europe 2022. NCC Con is NCC Group’s annual private internal conference for employees. We have decided to publish these 2 internal presentations as it is expected that the wider security community could benefit from understanding both the approach and methodology … Continue reading NCC Con Europe 2022 – Pwn2Own Austin Presentations →  ( 7 min )

Introduction & Motivation Windows Sandbox is a feature that Microsoft added to Windows back in May 2019. As Microsoft puts it: Windows Sandbox provides a lightweight desktop environment to safely run applications in isolation. Software installed inside the Windows Sandbox environment remains “sandboxed” and runs separately from the host machine. The startup is usually very fast and the user experience is great. You can configure it with a .wsb file and then double click that file to start a clean VM. The sandbox can be useful for malware analysis and as we will show in this article, it can also be used for kernel research and driver development. We will take things a step further though and share how we can intercept the boot process and patch the kernel during startup with a bootkit. TLDR: Visit the SandboxBootkit repository to try out the bootkit for yourself. Windows Sandbox for driver development A few years back Jonas L tweeted about the undocumented command CmDiag. It turns out that it is almost trivial to enable test signing and kernel debugging in the sandbox (this part was copied straight from my StackOverflow answer). First you need to enable development mode (everything needs to be run from an Administrator command prompt): CmDiag DevelopmentMode -On Then enable network debugging (you can see additional options with CmDiag Debug): CmDiag Debug -On -Net This should give you the connection string: Debugging successfully enabled. Connection string: -k net:port=50100,key=cl.ea.rt.ext,target=<ContainerHostIp> -v Now start WinDbg and connect to 127.0.0.1: windbg.exe -k net:port=50100,key=cl.ea.rt.ext,target=127.0.0.1 -v Then you start Windows Sandbox and it should connect: Microsoft (R) Windows Debugger Version 10.0.22621.1 AMD64 Copyright (c) Microsoft Corporation. All rights reserved. Using NET for debugging Opened WinSock 2.0 Using IPv4 only. Waiting to reconnect... Connected to target 127.0.0.1 on port 50100 on local IP <xxx.xxx.xxx.xxx>. You can get the target MAC address by running .kdtargetmac command. Connected to Windows 10 19041 x64 target at (Sun Aug 7 10:32:11.311 2022 (UTC + 2:00)), ptr64 TRUE Kernel Debugger connection established. Now in order to load your driver you have to copy it into the sandbox and you can use sc create and sc start to run it. Obviously most device drivers will not work/freeze the VM but this can certainly be helpful for research. The downside of course is that you need to do quite a bit of manual work and this is not exactly a smooth development experience. Likely you can improve it with the <MappedFolder> and <LogonCommand> options in your .wsb file. PatchGuard & DSE Running Windows Sandbox with a debugger attached will disable PatchGuard and with test signing enabled you can run your own kernel code. Attaching a debugger every time is not ideal though. Startup times are increased by a lot and software might detect kernel debugging and refuse to run. Additionally it seems that the network connection is not necessarily stable across host reboots and you need to restart WinDbg every time to attach the debugger to the sandbox. Tooling similar to EfiGuard would be ideal for our purposes and in the rest of the post we will look at implementing our own bootkit with equivalent functionality. Windows Sandbox internals recap Back in March 2021 a great article called Playing in the (Windows) Sandbox came out. This article has a lot of information about the internals and a lot of the information below comes from there. Another good resource is Microsoft’s official Windows Sandbox architecture page. Windows Sandbox uses VHDx layering and NTFS magic to allow the VM to be extremely lightweight. Most of the system files are actually NTFS reparse points that point to the host file system. For our purposes the relevant file is BaseLayer.vhdx (more details in the references above). What the article did not mention is that there is a folder called BaseLayer pointing directly inside the mounted BaseLayer.vhdx at the following path on the host: C:\ProgramData\Microsoft\Windows\Containers\BaseImages\<GUID>\BaseLayer This is handy because it allows us to read/write to the Windows Sandbox file system without having to stop/restart CmService every time we want to try something. The only catch is that you need to run as TrustedInstaller and you need to enable development mode to modify files there. When you enable development mode there will also be an additional folder called DebugLayer in the same location. This folder exists on the host file system and allows us to overwrite certain files (BCD, registry hives) without having to modify the BaseLayer. The configuration for the DebugLayer appears to be in BaseLayer\Bindings\Debug, but no further time was spent investigating. The downside of enabling development mode is that snapshots are disabled and as a result startup times are significantly increased. After modifying something in the BaseLayer and disabling development mode you also need to delete the Snapshots folder and restart CmService to apply the changes. Getting code execution at boot time To understand how to get code execution at boot time you need some background on UEFI. We released Introduction to UEFI a few years back and there is also a very informative series called Geeking out with the UEFI boot manager that is useful for our purposes. In our case it is enough to know that the firmware will try to load EFI\Boot\bootx64.efi from the default boot device first. You can override this behavior by setting the BootOrder UEFI variable. To find out how Windows Sandbox boots you can run the following PowerShell commands: > Set-ExecutionPolicy -ExecutionPolicy Unrestricted > Install-Module UEFI > Get-UEFIVariable -VariableName BootOrder -AsByteArray 0 0 > Get-UEFIVariable -VariableName Boot0000 �VMBus File System�VMBus�\EFI\Microsoft\Boot\bootmgfw.efi� From this we can derive that Windows Sandbox first loads: \EFI\Microsoft\Boot\bootmgfw.efi As described in the previous section we can access this file on the host (as TrustedInstaller) via the following path: C:\ProgramData\Microsoft\Windows\Containers\BaseImages\<GUID>\BaseLayer\Files\EFI\Microsoft\Boot\bootmgfw.efi To verify our assumption we can rename the file and try to start Windows Sandbox. If you check in Process Monitor you will see vmwp.exe fails to open bootmgfw.efi and nothing happens after that. Perhaps it is possible to modify UEFI variables and change Boot0000 (Hyper-V Manager can do this for regular VMs so probably there is a way), but for now it will be easier to modify bootmgfw.efi directly. Bootkit overview To gain code execution we embed a copy of our payload inside bootmgfw and then we modify the entry point to our payload. Our EfiEntry does the following: Get the image base/size of the currently running module Relocate the image when necessary Hook the BootServices->OpenProtocol function Get the original AddressOfEntryPoint from the .bootkit section Execute the original entry point To simplify the injection of SandboxBootkit.efi into the .bootkit section we use the linker flags /FILEALIGN:0x1000 /ALIGN:0x1000. This sets the FileAlignment and SectionAlignment to PAGE_SIZE, which means the file on disk and in-memory are mapped one-to-one. Bootkit hooks Note: Many of the ideas presented here come from the DmaBackdoorHv project by Dmytro Oleksiuk, go check it out! The first issue you run into when modifying bootmgfw.efi on disk is that the self integrity checks will fail. The function responsible for this is called BmFwVerifySelfIntegrity and it directly reads the file from the device (e.g. it does not use the UEFI BootServices API). To bypass this there are two options: Hook BmFwVerifySelfIntegrity to return STATUS_SUCCESS Use bcdedit /set {bootmgr} nointegritychecks on to skip the integrity checks. Likely it is possible to inject this option dynamically by modifying the LoadOptions, but this was not explored further Initially we opted to use bcdedit, but this can be detected from within the sandbox so instead we patch BmFwVerifySelfIntegrity. We are able to hook into winload.efi by replacing the boot services OpenProtocol function pointer. This function gets called by EfiOpenProtocol, which gets executed as part of winload!BlInitializeLibrary. In the hook we walk from the return address to the ImageBase and check if the image exports BlImgLoadPEImageEx. The OpenProtocol hook is then restored and the BlImgLoadPEImageEx function is detoured. This function is nice because it allows us to modify ntoskrnl.exe right after it is loaded (and before the entry point is called). If we detect the loaded image is ntoskrnl.exe we call HookNtoskrnl where we disable PatchGuard and DSE. EfiGuard patches very similar locations so we will not go into much detail here, but here is a quick overview: Driver Signature Enforcement is disabled by patching the parameter to CiInitialize in the function SepInitializeCodeIntegrity PatchGuard is disabled by modifying the KeInitAmd64SpecificState initialization routine Bonus: Logging from Windows Sandbox To debug the bootkit on a regular Hyper-V VM there is a great guide by tansadat. Unfortunately there is no known way to enable serial port output for Windows Sandbox (please reach out if you know of one) and we have to find a different way of getting logs out. Luckily for us Process Monitor allows us to see sandbox file system accesses (filter for vmwp.exe), which allows for a neat trick: accessing a file called \EFI\my log string. As long as we keep the path length under 256 characters and exclude certain characters this works great! A more primitive way of debugging is to just kill the VM at certain points to test if code is executing as expected: void Die() { // At least one of these should kill the VM __fastfail(1); __int2c(); __ud2(); *(UINT8*)0xFFFFFFFFFFFFFFFFull = 1; } Bonus: Getting started with UEFI The SandboxBootkit project only uses the headers of the EDK2 project. This might not be convenient when starting out (we had to implement our own EfiQueryDevicePath for instance) and it might be easier to get started with the VisualUefi project. Final words That is all for now. You should now be able to load a driver like TitanHide without having to worry about enabling test signing or disabling PatchGuard! With a bit of registry modifications you should also be able to load DTrace (or the more hackable implementation STrace) to monitor syscalls happening inside the sandbox.  ( 14 min )

Level up your knowledge of university, military and STEM pathways into the cybersecurity industry to start planning your career journey.  ( 10 min )

It was a breath of fresh air, so to speak, to be able to sponsor a live event after the long covid era. And it was even more exciting to show off of our next- generation Arculix platform to many of the 1,500 attendees at the 2022 Gartner IAM event in Las Vegas We got great […] The post Risk-Based Continuous Authentication a Huge Hit at Gartner IAM 2022 appeared first on SecureAuth.  ( 30 min )

Under the term exploit protection, Microsoft brings together several technologies intended to protect against malware attacks. Among them are well-known features such as DEP, which has been around for a long time. While most mechanisms are active by default at the system level, you should still tune the settings for individual apps. Configure Defender exploit protection using PowerShell and Group Policy first appeared on 4sysops.  ( 33 min )

If you just want to read the rules, you can find them here. Our Fall Pwn2Own event has become a bit of a nomad, having gone from Amsterdam to Tokyo to Austin. This year, we’re heading to Toronto to celebrate the 10th anniversary of the contest formerly known as Mobile Pwn2Own. Since 2012, we’ve expanded the contest to include devices beyond phones. This year is no different, with devices typically found on homes and home offices. Pwn2Own Toronto will be held at our Toronto office on December 6-8, 2022. While this year’s contest isn’t being held in conjunction with a conference, we still want contestants to attend in person. In fact, we want them there so much that we’re going to put our money where our mouth is by reimbursing $3,000 for travel expenses for teams that participate in Toront…

Recently I read this excellent post by Evan Sultanik about exploiting pickle files on Trail of Bits. There was also a DefCon30 talk about backdooring pickle files by ColdwaterQ. This got me curious to try out backdooring a pickle file myself. Pickle files - the surprises Surprisingly Python pickle files are compiled programs running in a VM called the Pickle Machine (PM). Opcodes control the flow, and when there are opcodes there is often fun to be had.  ( 2 min )

This is a bug fix version and also adds updated statistics. 1768_v0_0_16.zip (http)MD5: E72E66BE5A66DC2C6E1806DE82DF9B39SHA256: 008E15C617EE94D849A3325643497D216E559609602E97CF2EE41968CCA5D096  ( 9 min )

When you install Windows Server Core in your environment, there is no GUI or desktop experience to manage it. Admins who switch to Server Core from the desktop experience often face a slight learning curve. In this article, I will show you how to join a Server Core machine to an Active Directory (AD) domain with SConfig, PowerShell, or the command prompt. Join Server Core to an Active Directory (AD) domain first appeared on 4sysops.  ( 35 min )

A friend of the site recently suggested that we create a current-issue case study using our updated risk discovery approach. “It’s a great idea,” we replied and immediately started kicking around ideas.

Nicholas Baker’s book Human Smoke brilliantly illustrates a unique approach to historical narrative. It also underscores the need to remember that every artist paints with intent.

In this new age of giant monsters, advanced awareness of classical surprise—that one big tipping moment—no longer suffices.

Accommodate but don’t fight the limitations you can’t control, recognize those you can influence and leverage, and don't imagine you have more free cells than you actually do.

British officer Vladimir Peniakoff’s approach to planning might sound a bit unorthodox at first, but it aligns nicely with Patton’s view of intelligence and speaks to an enduring need to understand front-line conditions.

We need a more flexible game board where players can explore hypergame strategies—in other words, a game board where the strategist can play the hero for a change. We’ve built it.

Not every surprise is a cunning thunderbolt. Some surprises creep up slowly, rusting away former resilience until a simple nudge reveals the rot.