In Part 3 we are looking at Function Apps.  ( 6 min )

In this excerpt of a Trend Micro Vulnerability Research Service vulnerability report, Guy Lederfein and Jason McFadyen of the Trend Micro Research Team detail a recently patched code execution vulnerability in the Microsoft Windows operating system. The bug was originally discovered and reported to Microsoft by Yuki Chen. A stack buffer overflow vulnerability exists in Windows Network File System. A remote attacker can exploit this vulnerability by sending specially crafted RPC packets to a server, resulting in code execution in the context of SYSTEM. The following is a portion of their write-up covering CVE-2022-26937, with a few minimal modifications. A stack buffer overflow vulnerability exists in Windows Network File System. The vulnerability is due to improper handling of crafted RPC …

With Arculix, SecureAuth’s next-gen platform, we’ve totally reimagined how identity and access management should be implemented. The SecureAuth you needed in 2005 isn’t the SecureAuth you need today. Arculix is architected and designed to make it simpler for administrators to apply modern authentication journeys, where users must access on-premise and cloud resources from anywhere and […] The post The New SecureAuth Begins Now with Arculix appeared first on SecureAuth.  ( 3 min )

Search highlights display a colorful icon in the Windows 10 search bar. If you hover the mouse over the icon, a news overview of a selected topic opens. In Windows 11 22H2, this is integrated directly into the search field. However, the feature can be deactivated using a GPO. Deactivating search highlights in Windows 10/11 using Group Policy first appeared on 4sysops.  ( 5 min )

SANS Instructor Doc Blackburn - "We cannot solve today’s complex cyber issues with only people with extensive technical backgrounds. We need business professionals, law enforcement, project managers, and legal professionals just to name a few."  ( 8 min )

Ug_0Security asked, and I am answering 🙂 Not all of them are just from win11, but it’s just a quick diff between what I saw back in 2018 and one […]  ( 2 min )

Intro and Prior Work  ( 6 min )

Introduction When you use the Cortex XSOAR API in your automations, playbooks or custom scripts, the first place you will start is the API documentation to see which API endpoints are available. But what if you cannot find an API Endpoint for the task you want to automate in the documentation? In this blog post … Continue reading Cortex XSOAR Tips & Tricks – Discovering undocumented API endpoints →  ( 4 min )

In a previous post, you learned how to troubleshoot 401 – Unauthorized: Access is denied due to invalid credentials. In this post, we will cover how to troubleshoot HTTP Error 403.14 – Forbidden in Internet Information Services (IIS). Troubleshoot HTTP Error 403.14 – Forbidden in IIS first appeared on 4sysops.  ( 8 min )

Here is an overview of content I published in May: Blog posts: Update: oledump.py Version 0.0.66 Update: cs-parse-traffic.py Version 0.0.5 Update: zipdump.py Version 0.0.22 Update: oledump.py Version 0.0.67 Update: base64dump.py Version 0.0.21 Update: pecheck.py Version 0.7.15 Update: re-search.py Version 0.0.20 Update: pdf-parser.py Version 0.7.6 Update: 1768.py Version 0.0.14 Update: Python Templates Version 0.0.7 PoC: Cobalt […]  ( 3 min )

Background The vulnerability allows unauthenticated remote code execution (RCE). Exploitation occurs by sending an HTTP request with an attack payl  ( 4 min )

In this three part blog series we will explore attack paths that emerge out of Managed Identity assignments in three Azure services.  ( 8 min )

This blog post documents some of the TTPs employed by a threat actor group who were observed deploying Black Basta ransomware during a recent incident response engagement, as well as a breakdown of the executable file which performs the encryption.  ( 7 min )

Remote Desktop is the preferred method for accessing Windows computers remotely in an interactive session. The feature is disabled by default and can be enabled in various ways. These include the settings app, group policies, Windows Admin Center, and WMI using PowerShell. Activate Remote Desktop in Windows 11 and Windows Server 2022 (GUI, WAC, WMI, and GPO) first appeared on 4sysops.  ( 7 min )

With file handlers being yet again a topic du jour it was only natural to try answering a question — how many file protocols are really out there? I tried […]  ( 2 min )

By Nicolas Bidron, and Nicolas Guigo. U-boot is a popular boot loader for embedded systems with implementations for a large number of architectures and prominent in most Linux based embedded systems such as ChromeOS and Android Devices. Two vulnerabilities were uncovered in the IP Defragmentation algorithm implemented in U-Boot, with the associated technical advisories below: … Continue reading Technical Advisory – Multiple Vulnerabilities in U-Boot (CVE-2022-30790, CVE-2022-30552) →  ( 5 min )

Accessing a major critical infrastructure network is very appealing to cybercriminals, as they can maximize societal impact and demand large ransom sums to fix tampered systems. With recent high-profile attacks, including that against the Colonial Pipeline in March 2021, it has become clear that the organizations handling critical infrastructure networks are now in the firing line. Critical infrastructure is vulnerable to both threat groups that are evolving their tactics and public scrutiny if they do not remain transparent when an attack occurs.  ( 6 min )

After a year of running a private Vulnerability Disclosure Program (VDP), Beiersdorf is announcing the launch of its public VDP. HackerOne met with Kai Widua, Chief Information Security Officer (CISO) at Beiersdorf, to learn about the challenges they face in retail security.  ( 5 min )

A lot of blog posts I have read go over interesting vulnerabilities and exploits but do not typically share the process behind discovery. I want to show how sometimes just manually poking around can quickly uncover vulnerabilities you might miss with other approaches to vulnerability discovery. In my previous blog, I highlighted a tool named IO Ninja and shared why it is helpful when working with Inter-Process Communications (IPC). In this blog, I would like to show you how this tool helped me find two vulnerabilities: CVE-2021-4198 and CVE-2021-4199 in Bitdefender’s antivirus software on Windows. The exploit I wrote targets a named pipe used by the Vulnerability.scan.exe process. The first vulnerability results in a denial-of-service on almost any process within the AV. The second result…

Congratulations to NCC Group researcher Jeremy Boone, who was recently recognized for both the Highest Quality Report, as well as the Most Eligible Reports, as an invited researcher to the Intel Circuit Breaker program! From Intel: “This exclusive event invited a select group of security researchers to hunt vulnerabilities in the 11th Gen Intel® Core™ … Continue reading NCC Group’s Jeremy Boone recognized for Highest Quality and Most Eligible Reports through the Intel Circuit Breaker program →  ( 1 min )

The AWS Serverless Application Model, also referred to as AWS SAM, is an open-source framework that allows you to build your serverless applications quickly and easily. Throughout this guide, we will look at the benefits of AWS SAM and how it works, including a fully working example to demonstrate. We have lots to cover, so let's get started! Getting started with the AWS Serverless Application Model (AWS SAM) first appeared on 4sysops.  ( 9 min )

SANS Cybersecurity Blog pertaining to a summary of the SANS ICS Security Summit  ( 5 min )

This blog seta out to review tools that can index SMB shares and search file names as well as common patterns of data that would indicate sensitive information disclosure.  ( 13 min )

SANS Senior Instructor Jake Williams answers questions about the newly discovered zero-day vulnerability Follina.  ( 6 min )

One of the routine tasks operators regularly encounter on most engagements is data mining. While exactly what operators are after varies…  ( 9 min )

A captive portal is one of the more interesting topics in the Wifi hacking arena. If you’re not familiar with what a captive portal is or…  ( 6 min )

New Platform Incorporates Advanced Risk Intelligence and Comprehensive Behavioral Modeling for Frictionless User Experience and Strong Security IRVINE, Calif. – June 1, 2022 – SecureAuth, a leader in access management and authentication, unveiled the launch of Arculix™ – a game-changing platform that for the first time combines orchestration, leading-edge passwordless technology, and continuous authentication. The […] The post SecureAuth Launches Arculix for Next-Generation Passwordless Authentication and Identity Orchestration appeared first on SecureAuth.  ( 4 min )

One of the problems with enterprise security is that it has typically been challenging to configure. However, Microsoft Defender for Business offers a simplified configuration process that helps SMBs ease the burdens of implementing best practice policies to protect corporate devices. Setting up Microsoft Defender for Business with a simplified configuration first appeared on 4sysops.  ( 6 min )

Introduction When using the Cortex XSOAR API in your automations, playbooks or custom scripts, knowing which API endpoints are available and how to use them is key. In a previous blog post in this series, we showed you where you could find the API documentation in Cortex XSOAR. The documentation was available on the server … Continue reading Cortex XSOAR Tips & Tricks – Exploring the API using Swagger Editor →  ( 4 min )

Disclaimer: I know this isn’t a unique post on the subject, and that many other outlets are covering it, but this zero-day is so serious that it needs as much […] Follina 0day exploit. Malicious code execution in Office docs first appeared on Pen Test Partners.  ( 3 min )

SANS Instructor Nick Mitropoulos - "Always be prepared, never underestimate attackers, and keep on training and learning new ways and techniques to constantly become better."  ( 7 min )

This month, members of NCC Group will be presenting their technical work & training courses at the following conferences: NCC Group, “Training: Mastering Container Security,” to be presented at 44CON (June 13-15 2022) NCC Group, “Training: Google Cloud Platform (GCP) Security Review,” to be presented at 44CON (June 13-16 2022) Jennifer Fernick (NCC Group), Christopher … Continue reading Conference Talks – June 2022 →  ( 3 min )

In this blog post, NCC Group considers some of these features and the corresponding product design decisions for the current generation of Espressif’s ESP32 microcontrollers. The ESP32 is a platform commonly used in the broad span of IoT products that NCC Group assesses regularly and one that has continued to develop its hardware and SDK security features over multiple product generations.  ( 12 min )

From September 28th through October 23rd, 2020, Lantern – in partnership with the Open Technology Fund – engaged NCC Group to conduct a security assessment of the Lantern client. Lantern provides a proxy in order to circumvent internet censorship. This assessment was open ended and time-boxed, providing a best-effort security analysis in a fixed amount … Continue reading Public Report – Lantern and Replica Security Assessment →  ( 2 min )

Congratulations to NCC Group researcher Juan Garrido, who was recently named amongst Microsoft’s most valuable security researchers on the MSRC 2022 Q1 Security Researcher Leaderboard! This honour, recognized quarterly by the Microsoft Researcher Recognition Program, is offered to security researchers who have discovered and shared security vulnerabilities in Microsoft products under coordinated vulnerability disclosure. Juan … Continue reading NCC Group’s Juan Garrido named to Microsoft’s MSRC Office Security Researcher Leaderboard →  ( 1 min )

In a previous post, you learned how to troubleshoot HTTP Error 500 – Internal server error. In this post, we will look into how to fix HTTP Error 503 – The service is unavailable. How to fix HTTP Error 503 – The service is unavailable first appeared on 4sysops.  ( 8 min )

Intro In this blogpost we discuss a zero-day topic for finding privilege escalation vulnerabilities discovered by Ahmad Mahfouz. It abuses applications like Software Center, which are typically used in large-scale environments for automated software deployment performed on demand by regular (i.e. unprivileged) users. Since the topic resulted in a possible attack surface across many different … Continue reading CVE Farming through Software Center – A group effort to flush out zero-day privilege escalations →  ( 3 min )

A true story on taking over a client’s Azure tenant via a successful phish.  TL;DR A tempting phish got lots of users to disclose their passwords, and a lack of […] Your cloud? My cloud now first appeared on Pen Test Partners.  ( 7 min )

SANS Instructor Matt Edmondson - "Imposter syndrome is real, so don’t let that discourage you. We ALL have those feelings. A lot."  ( 6 min )

Keeper Connection Manager provides a privileged access management solution that enables organizations to share connections for RDP, SSH, VNC, Kubernetes, and MySQL endpoints securely. The solution supports remote workers and bolsters compliance initiatives. Privileged access management with Keeper Connection Manager first appeared on 4sysops.

Introduction Earlier this year, we observed a rise in malware that inhibits system recovery. This tactic is mostly used by ransomware and wiper malware. One notable example of such malware is “Hermetic wiper”. To inhibit recovery an attacker has many possibilities, one of which is changing the Boot Configuration Database (BCD). This post will dive … Continue reading Detecting BCD Changes To Inhibit System Recovery →

As the saying goes, a picture is worth a thousand words. In order to improve your documentation and uplevel red team and pentest reporting, it’s useful to add date and time information to screenshots and script logs. This helps the Blue Team (and yourself) reviewing past activity, reports and when deconflicting activity is required. Depending on the shell that is used there are different ways to go about it. Let’s cover three common ones.  ( 1 min )

Lessons Learned Slides Lesson 1 Lesson 2 Lesson 3 Lesson 4 Lesson 5 Lesson 6 Lesson 7 Lesson 8 Lesson 9 Lesson 10 Lesson 11 Lesson 3 - Detection Reality People and Honey tokens are THE BEST detective tool you have. Go buy a Thinkst Canary, they detect me more than any multi-million dollar EDR. Period. Let me clarify something quickly before I get roasted. I am not saying that EDR (Endpoint Detection and Response) agents don’t have a place, it’s just that they have taken over for Anti-Virus for being mostly preventative and response oriented. Do EDRs detect things? Sure, but in my pentesting and red teaming experience they rarely catch any of the actions I do outside of touching LSASS. Which to be fair, is what a lot of malware and APT actors do. But it won’t stay that way, and Sysmon is f…  ( 2 min )

Security.txt is a security mechanism that allows your organization to provide its vulnerability disclosure policy and contact information in a standar  ( 6 min )

Many IT professionals and others run VMware lab environments for learning, certification prep, evaluation, and other use cases. They often use commodity hardware not found on the VMware hardware compatibility list. This leads to driver issues, especially with network adapters. Community Networking Driver for ESXi provides drivers for otherwise unsupported NICs. Install ESXi network drivers for Intel e1000 and Intel I220 / I221 / I225/ I226 chipsets first appeared on 4sysops.  ( 6 min )

Recently I’ve been hearing about malware mounting ISOs as a method of bypassing AV and EDR. For example this article from Bleeping Computer - “Uptick Seen in ISO Email Attachments Delivering Malware” posted December 23rd, 2019, or DARK Reading - “ChromeLoader Malware Hijacks Browsers with ISO Files” posted May 27th, 2022. The problem I found with these articles and many like it didn’t really offer any sort of method to protect yourself or you company from ISO mounted malware, so I went to try to find a solution myself (couldn’t be that hard right?). Turns out that if you google for “Stop Windows from Mounting ISOs” or something similar you get a bunch of MSDN articles for people trying to solve the same issue for one reason or another. After a lot of googling I found this article on Winaer…  ( 2 min )

I did this about 6 months ago, but this blog post didn’t get posted back then. I’m posting it now. I made a small Proof-of-Concept: cs-mitm.py is a mitmproxy script that intercepts Cobalt Strike traffic, decrypts it and injects its own commands. In this video, a malicious beacon is terminated by sending it a sleep […]  ( 3 min )

In April and May 2022, NCC Group Cryptography Services engaged in a security and cryptography assessment reviewing Microsoft’s contributions to the go-cose library, a Go library implementing signing and verification for CBOR Object Signing and Encryption (COSE), as specified in RFC 8152. This library focuses on a minimal feature set to enable the signing and verification of … Continue reading Public Report – go-cose Security Assessment →  ( 1 min )

Some small updates to my Python templates. python-templates_V0_0_7.zip (http)MD5: 46EE756206A0A941F7B29C3551FF48FFSHA256: 5158046371E8E925AB7A158827496BA971F24F5FE0A232AC0FDF0B10427DB98B  ( 3 min )

Here is a small update of my tool to analyze Cobalt Strike beacons. 1768_v0_0_14.zip (http)MD5: 6E8494125F4DDB044556182C8A196DD1SHA256: D8CFCC735666D90BB160E30C7AD7100B0520FAC2929277E7B1DAD1CFFD0B3EC8  ( 3 min )

This new version of pdf-parser fixes a couple of bug and has a work around for non compliant PDFs. pdf-parser_V0_7_6.zip (http)MD5: 3B6F837AF147422B1256596BCA69D737SHA256: 34379A9987B2286706AF4C43AC72C93611AE3E9C0C571DD729EBB09C7A707A0D  ( 3 min )

This new version of re-search.py brings input & output encoding to option –encoding (this was input encoding only in prior versions). re-search_V0_0_20.zip (http)MD5: AA8091E9F9D7C639CDB3D71C842DE6C3SHA256: 78290F2D06D29514C2BAF95BFE9EF95AF4DDE9798EA0EE27EB800DCF4D99786A  ( 3 min )

This new version of pecheck.py, my tool to analyze PE files, brings some extra information on overlays: pecheck-v0_7_15.zip (http)MD5: 8D85E40E4770D9F29C08CBE3D7BE57F0SHA256: 596848BC8BD03936604212E4CBE9545A03EE629BE6125D08A4E28068F1952961  ( 3 min )

If your Internet Information Services (IIS) produces a 500 – Internal server error, your website is in serious trouble. Debugging an IIS 500 – Internal server error can take some time, so you'd better be prepared for the worst-case scenario. You don't want to research how to deal with this error under time pressure. Debugging an IIS 500 – Internal server error first appeared on 4sysops.  ( 7 min )

No content preview  ( 7 min )

SANS Institute's FOR509 Enterprise Cloud Forensics and Incident Response transitioned from a 4-day course to a 6-day course in May 2022. With this release comes new content, updates to existing content, and a multi-cloud capstone challenge that will test your knowledge at the end of the week.  ( 5 min )

Intro  ( 4 min )

2+ years ago from the date of this blog post I wrote my initial blog post where I started becoming familiar with Apple’s Endpoint Security…  ( 5 min )

A new typosquatting attack against the PyPI repository targets enterprise Macs with a distinctive obfuscation method.  ( 6 min )

The PowerShell module psansible.Inventory allows you to simplify the dynamic creation of your Ansible inventory with the help of an Ansible inventory script. You can retrieve data from your preferred sources, structure the data, and create a standardized Ansible inventory. Create an Ansible inventory file with psansible.inventory and an Ansible inventory script in PowerShell first appeared on 4sysops.  ( 8 min )

As is probably clear from our blog and public talks  aviation cyber security is an area of huge interest to us. Some of us are also light aircraft pilots, so […] 747 Hackathon first appeared on Pen Test Partners.  ( 7 min )

Current Vendor: SerComm Vendor URL: https://www.sercomm.com Systems Affected: SerComm h500s Versions affected: lowi-h500s-v3.4.22 Authors: Diego Gómez Marañón & @rsrdesarrollo CVE Identifier: CVE-2021-44080 Risk: 6.6(Medium)- AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H Summary The h500s is a router device manufactured by SerComm and packaged by a few telecoms providers in Spain (and possibly other regions) to provide CPE DSL network connectivity and … Continue reading Technical Advisory – SerComm h500s – Authenticated Remote Command Execution (CVE-2021-44080) →  ( 2 min )

Important reviewer traits for providing a great code review include prior knowledge and experience, expertise, background context, attention to detail, and written communication skills. As a reviewer on PullRequest, I need to quickly gain context when I’m reviewing a project for the first time. But as is the case for any engineer new to a team, some context is gained over time.  ( 5 min )

Microsoft does not provide a WinPE bootable disk as an ISO, so you have to create it yourself. During this process, you can also add language packages or tools. Create a WinPE bootable disk with Windows 11 first appeared on 4sysops.  ( 7 min )

The post CVE-2022-25237: Bonitasoft Authorization Bypass and RCE appeared first on Rhino Security Labs.  ( 4 min )

Fuchsia is a general-purpose open-source operating system created by Google. It is based on the Zircon microkernel written in C++ and is currently under active development. The developers say that Fuchsia is designed with a focus on security, updatability, and performance. As a Linux kernel hacker, I decided to take a look at Fuchsia OS and assess it from the attacker's point of view. This article describes my experiments.  ( 23 min )

Introduction In this blog post, I will take you through the steps that I performed to get code execution on a Windows kiosk host using ONLY Microsoft Edge. Now, I know that there are many resources out there for breaking out of kiosks and that in general it can be quite easy, but this technique … Continue reading Breaking out of Windows Kiosks using only Microsoft Edge →  ( 6 min )

In this blog post, we take the reader on a journey through a bypass of a new eBPF-based observability and mitigation tool named Tetragon, developed in the two hours after the tool was first set up, as a hopefully instructive lesson on the importance of security fundamentals.  ( 15 min )

In this blog post, we take the reader on a journey through a bypass of a new eBPF-based observability and mitigation tool named Tetragon, developed in the two hours after the tool was first set up, as a hopefully instructive lesson on the importance of security fundamentals.  ( 15 min )

Get to know Nico Dekens, SANS Certified Instructor for the Cyber Defense curriculum.  ( 6 min )

Every environment is unique and needs custom detections tailored to the environment and its threats. In this article, we go into the items discussed in our third webcast, Threat-Informed Detection Engineering.  ( 8 min )

If you’re a forward-looking CEO, CFO, COO, CTO, CISO, director, or department head who’s wondering what unwanted presents tomorrow might bring for you, contact us. We’re ready to help you map your next generation of systemic risk scenarios today.

In part 2, we turn to the “is” of identity and review how it ties into labeling. We conclude by showing how linguistic structures such as these can help us unpack propagandistic language.

Traditionally, IT may delegate permissions in Active Directory Users and Computers (ADUC) to managers or other users who need to create new accounts. However, with Power Automate for Desktop, IT admins have another tool that may prove helpful in delegating Active Directory tasks, such as creating Active Directory users. Create Active Directory users with Power Automate for Desktop first appeared on 4sysops.  ( 6 min )

In current times, security measures have become increasingly important for the continuity of our businesses, to guarantee the safety for our clients and to confirm our company’s reputation. While thinking of security, our minds will often jump to the ISO/IEC 27001:2013 and ISO/IEC 27002:2013 standards. Especially in Europe & Asia, these have been the leading … Continue reading What ISO27002 has in store for 2022 →  ( 4 min )

Why do we need strong passwords? Passwords are stored by using a one-way hashing algorithm to generate a representation of the original password on a securely designed system. Authentication mechanisms […] Password policy guidance first appeared on Pen Test Partners.  ( 7 min )

Introduction We’ve written about the appalling security of smart sex toys over the years. Finally, an invite came to give a talk on the subject to a TEDx audience. I […] We need to talk about sex toys and cyber security first appeared on Pen Test Partners.  ( 8 min )

In the last post I described how we can pull some interesting metadata from decompiled installers. Today I want to discuss one practical example of how this data can enrich […]  ( 3 min )

Looking at installers of goodware is quite boring. They do the right thing, at least most of the time, and there is not much to see there. However, if you […]  ( 4 min )

In my previous post, you learned how to troubleshoot HTTP Error 503. Today, we will look into how to troubleshoot 401 – Unauthorized: Access is denied due to invalid credentials in Internet Information Services (IIS). Troubleshoot 401 – Unauthorized: Access is denied due to invalid credentials in IIS first appeared on 4sysops.  ( 7 min )

Long before endpoint event logging became a norm it was incredibly difficult to collect information about popular processes, services, paths, CLSIDs, etc.. Antivirus companies, and later sandbox companies had tones […]  ( 4 min )

This improved experience reduces time to launch, which is vital when your organization is up against an urgent timeline to complete a pentest due to a  ( 4 min )

MetaStealer is a new information stealer variant designed to fill the void following Racoon stealer suspending operations in March of this year.  ( 5 min )

(The version of Ghidra used in this article is 10.1.2. For the Go string recovery tool release, skip ahead to Ghostrings Release.) Introduction A well-known issue with reverse engineering Go programs is that the lack of null terminators in Go strings makes recovering string definitions from compiled binaries difficult. Within a compiled Go program, many … Continue reading earlyremoval, in the Conservatory, with the Wrench: Exploring Ghidra’s decompiler internals to make automatic P-Code analysis scripts →  ( 22 min )

Introduction Ghostrings is a collection of Ghidra scripts for recovering string definitions in Go binaries with P-Code analysis. A well-known issue with reverse engineering Go programs is that the lack of null terminators in Go strings makes recovering string definitions from compiled binaries difficult. Within a compiled Go program, many of the constant string values … Continue reading Tool Release – Ghostrings →  ( 5 min )

In my last article, we created a new VM for Kali Linux, mounted the ISO file to its virtual DVD drive, and changed the boot order so that the VM could boot from the virtual DVD drive. Here, I will show how to start and stop a Hyper-V with PowerShell. You'll also learn how to disable secure boot with PowerShell. Start and stop a Hyper-V VM with PowerShell first appeared on 4sysops.  ( 3 min )

TL;DR Galleon Systems’ GPS NTP time server had a command injection vulnerability in the firmware of their NTS GPS device which could allow total control of the device through the […] Galleon NTS-6002-GPS Command Injection vulnerability (CVE-2022-27224) first appeared on Pen Test Partners.  ( 5 min )

Software developers using GitLab CI are being targeted with malware through a typosquatting attack, putting downstream users at risk.  ( 6 min )

In this guide, I'll take a closer look at the process of restoring a BitLocker-encrypted drive from an image backup. Along the way, you'll learn about a solution for BitLocker backups that allows you to avoid re-encryption of the system drive after the restore. Restore BitLocker-encrypted drives from image backup first appeared on 4sysops.  ( 5 min )

Pwn2Own Vancouver for 2022 is underway, and the 15th anniversary of the contest has already seen some amazing research demonstrated. Stay tuned to this blog for updated results, picture, and videos from the event. We’ll be posting it all here - including the most recent Master of Pwn leaderboard. Jump to Day One results; Jump to Day Two results; Jump to Day Three results Here are the current standings for the Master of Pwn: Current as of May 18, 17:00 Pacific Day One - May 18, 2022 SUCCESS - Hector “p3rr0” Peralta was able to demonstrate an improper configuration against Microsoft Teams. He earns $150,000 and 15 Master of Pwn points. Hector “p3rr0” Peralta demonstrates a improper configuration bug on Microsoft Teams by launching calc. SUCCESS - Billy Jheng Bing-Jhong (@st424204), Muh…

How Are Bug Bounty Programs and Vulnerability Disclosure Programs Different? Let’s start with the similarities. Both bug bounties and VDPs aim to  ( 6 min )

In this blog post we will cover why rogue subscriptions are problematic and revisit a solution published a couple of years ago on Microsoft's Tech Community. Finally, we will conclude with some hardening recommendations to restrict the creation and importation of Azure subscriptions.  ( 7 min )

EntropyCapture extracts the DPAPI optional entropy using API hooking.  ( 3 min )

If, at logon, you receive an error message that the trust relationship between a workstation and the primary domain failed, and you cannot logon, there are several ways to deal with the issue. These solutions also work on Windows 11 systems, where you may still log on, but the network connections tray icon in the system claims that the computer is part of an unidentified network. When the trust relationship between a workstation and the primary AD domain fails first appeared on 4sysops.

Cybersecurity is no longer just about technology, it's about people.  ( 6 min )

Welcome to Pwn2Own Vancouver 2022! This year marks the 15th anniversary of the contest, and we plan on celebrating by putting some amazing research on display. For this year’s event, we have 17 contestants attempting to exploit 21 targets across multiple categories. As always, we began our contest with a random drawing to determine the order of attempts. If you missed it, you can watch the replay here. The complete schedule for the contest is below (all times Pacific [GMT -7:00]). Note: All times subject to change - You can see the results and live updates here once they become available. Entries marked with a 📷 icon will be live-streamed on YouTube, Twitch, and Twitter. Wednesday, May 18, 2022 0930: Hector “p3rr0” Peralta targeting Microsoft Teams in the Enterprise Communications categ…

Exchange administrators should know the maximum possible mailbox size in the environment they are managing, whether on-prem or in the cloud. In an on-prem installation, admins can use this information to prevent excessive database growth. In the cloud, excessive mailbox sizes might require an upgrade of the M365 plan. The configuration of the mailbox quota is possible both in the Exchange admin center (EAC) and via Exchange PowerShell. Configure mailbox size and quota in Exchange 2016/2019 and Exchange Online first appeared on 4sysops.  ( 6 min )

By Francesco Bertolaccini Rellic is a framework for analyzing and decompiling LLVM modules into C code, implementing the concepts described in the original paper presenting the Dream decompiler and its successor, Dream++. It recently made an appearance on this blog when I presented rellic-headergen, a tool for extracting debug metadata from LLVM modules and turning […]  ( 6 min )

A guide to relaying credentials everywhere in 2022 NTLM relay is a well-known technique that has been with us for many years and never seems to go away. Almost every article about NTLM relay could start with that phrase. It could be a cliché but it’s almost true. The first implementation of this attack date […] The post We Love Relaying Credentials: A Technical Guide to Relaying Credentials Everywhere appeared first on SecureAuth.  ( 17 min )

"Word". We heard that a lot of you have been having problems finding a truly dope vulnerable web application to wave your scanner at. As makers of the web's OG vulnerability scanner, we couldn't be le  ( 3 min )

In this new post of my Hyper-V management series, I will explain how create a Hyper-VM with PowerShell. How to create a Hyper-V VM with PowerShell first appeared on 4sysops.  ( 4 min )

Industrial control systems security is slowly improving, partly a result of attention from regulators and lawmakers. However, we often see security controls implemented that don’t take account of the unique […] Got the security controls wrong in OT and maritime? Watch as engineers work around them first appeared on Pen Test Partners.  ( 5 min )

Summary of SANS Cybersecurity Leadership Curriculum which is developing cyber security managers and leaders worldwide.  ( 9 min )

Summary The Kwikset/Weiser Kevo line of smart locks support Bluetooth Low Energy (BLE) passive entry through their Touch-to-Open functionality. When a user touches the exterior portion of the lock, the lock checks that an authorized BLE device is exterior to and within a short distance of the smart lock, and then performs a cryptographic handshake … Continue reading Technical Advisory – Kwikset/Weiser BLE Proximity Authentication in Kevo Smart Locks Vulnerable to Relay Attacks →  ( 4 min )

Summary The Tesla Model 3 and Model Y employ a Bluetooth Low Energy (BLE) based passive entry system. This system allows users with an authorized mobile device or key fob within a short range of the vehicle to unlock and operate the vehicle, with no user interaction required on the mobile device or key fob. … Continue reading Technical Advisory – Tesla BLE Phone-as-a-Key Passive Entry Vulnerable to Relay Attacks →  ( 4 min )

Summary Many products implement Bluetooth Low Energy (BLE) based proximity authentication, where the product unlocks or remains unlocked when a trusted BLE device is determined to be nearby. Common examples of such products include automotive Phone-as-a-Key systems, residential smart locks, BLE-based commercial building access control systems, and smartphones and laptops with trusted BLE device functionality. … Continue reading Technical Advisory – BLE Proximity Authentication Vulnerable to Relay Attacks →  ( 4 min )

This new version of base64dump adds decoding of netbios name encoding with lowercase letters. base64dump_V0_0_21.zip (http)MD5: 5701B6D9691E366ED5E2EE6D06689012SHA256: BE939E0225C83319A31A096DA29C1CA9D3C575DCCE9C1795814B335BD0871E92  ( 3 min )

With the leaking of code signing certificates and exploits for vulnerable drivers becoming common occurrences, adversaries are adopting the kernel as their new playground. And with Microsoft making technologies like Virtualization Based Security (VBS) and Hypervisor Code Integrity (HVCI) available, I wanted to take some time to understand just how vulnerable endpoints are when faced with an attacker set on escaping to Ring-0.  ( 8 min )

For better or worse, however, not everyone processes conflict and competition the same way. This is where things get interesting (and potentially dangerous).

ldapsearch is a extremely powerful tool, especially for Windows Active Directory enumeration. It’s one of my primary tools when performing pentesting or red teaming against an environment with Active Directory, but also comes in quiet handy to know as many times it can come default installed or part of a base image, so its a bit Living-Off-The-Land-esq. Another point towards ldapsearch is that it’s easy to forget that Active Directory isn’t the only LDAP server in most environments and the ability to utilize a tool like this can come in extremely handy. If you want to find Active Directory LDAP servers, use the following command: $ dig -t SRV _ldap._tcp.dc._msdcs.sittingduck.info Basic Usage -x Basic Authentication, you usually use this if you are going to include a username and password…  ( 8 min )

This new version of oledump.py brings support for user defined properties and an update to plugin plugin_msg_summary.py Office documents with VSTO applications have user defined properties. These properties can be extracted with my plugin plugin_medata.py, but not with the current version of olefile.However, the development version of olefile can be used to extract these properties. […]  ( 3 min )

* Caveats apply. Resource Based Constrained Delegate (RBCD) privilege escalation, described by Elad Shamir in the "Wagging the Dog" blog post is a devious way of exploiting Kerberos to elevate privileged on a local  Windows machine. All it requires is write access to local computer's domain account to modify the msDS-AllowedToActOnBehalfOfOtherIdentity LDAP attribute to add another account's SID. You can then use that account with the Services For User (S4U) protocols to get a Kerberos service ticket for the local machine as any user on the domain including local administrators. From there you can create a new service or whatever else you need to do. The key is how you write to the LDAP server under the local computer's domain account. There's been various approaches usually abusing authen…  ( 5 min )

Failed Request Tracing is the most important IIS feature for diagnosing and troubleshooting any problem. It helps you determine what is exactly going on with your requests and why, provided you could reproduce the problem after enabling the failed request tracing feature. IIS Failed Request Tracing first appeared on 4sysops.  ( 9 min )

Do you ever wonder about the vulnerabilities you've missed? Why didn't they show themselves - and will they be discovered by somebody else later? Certain vulnerabilities have a knack for evading audit  ( 3 min )

NVISO is proud to announce that it has successfully qualified as an APT Response service provider and is now recommended on the website of the German Federal Office for Information Security (BSI).   Advanced Persistent Threats (APT) are typically described as attack campaigns in which highly skilled, often state-sponsored, intruders orchestrate targeted, long-term attacks. Due to their … Continue reading NVISO approved as APT Response Service Provider →  ( 3 min )

This is just a bugfix version. zipdump_v0_0_22.zip (http)MD5: 68F9F3809E4E1F9ADE4A4C3835CDF475SHA256: 92ED372579001C826D5AF31615B8334CC798FF2DA4AF8B7C46267BF7D995C757  ( 3 min )

A comment on the previous post about deploying Chrome extensions posed the question of whether PowerShell could be used to remove Chrome extensions. Remove or block Chrome extensions with PowerShell first appeared on 4sysops.  ( 6 min )

Earlier this week, Apple, Google, and Microsoft announced plans to expand support for a common passwordless sign-in standard created by the FIDO Alliance and the World Wide Web Consortium. We are excited about this announcement and applaud the players involved. It will accelerate momentum towards eliminating passwords entirely in the future. And to be a […] The post SecureAuth Welcomes Apple, Google, and Microsoft’s Commitment to Passwordless by FIDO Alliance   appeared first on SecureAuth.  ( 4 min )

SANS Cybersecurity Blog pertaining to a summary of the SANS Neurodiversity in Cybersecurity Summit  ( 5 min )

EIP-3b20d7b3 A command injection vulnerability exists within the web management interface of the D-Link DIR-1260 Wi-Fi router that allows for unauthenticated attackers to execute arbitrary commands on the device with root privileges. The flaw specifically exists within the SetDest/Dest/Target arguments to the GetDeviceSettings form. The management interface is accessible over HTTP and HTTPS on the local ... Read more D-Link DIR-1260 GetDeviceSettings Pre-Auth Command Injection Vulnerability The post D-Link DIR-1260 GetDeviceSettings Pre-Auth Command Injection Vulnerability appeared first on Exodus Intelligence.  ( 1 min )

Visualizing data is integral to threat research. See how we used this timeline analysis tool to track activity in the Ukrainian cyber conflict.  ( 7 min )

Certificate-based authentication is an extremely robust and secure mechanism for validating a user's identity. However, until recently, you had to deploy Active Directory Federation Services (AD FS) to make it available for Azure AD. Microsoft has recently introduced an Azure AD certificate-based authentication service (Azure CBA), which significantly simplifies implementing certificate-based authentication. Azure AD certificate-based user authentication first appeared on 4sysops.  ( 6 min )

Below are the writeups for two vulnerabilities I discovered in Solana rBPF, a self-described “Rust virtual machine and JIT compiler for eBPF programs”. These vulnerabilities were responsibly disclosed according to Solana’s Security Policy and I have permission from the engineers and from the Solana Head of Business Development to publish these vulnerabilities as shown below.  ( 14 min )

By applying well-known fuzzing techniques to a popular target, I found several bugs that in total yielded over $200K in bounties. In this article I will demonstrate how powerful fuzzing can be when applied to software which has not yet faced sufficient testing.  ( 33 min )

A misunderstood but deeply important feature to lock down when deploying workloads in cloud. Learn about Cloud Instance Metadata Services (IMDS) in this blog post.  ( 9 min )

ol{margin:0;padding:0}table td,table th{padding:0}.RmvCPDuePa-c3{padding-top:0pt;padding-bottom:0pt;line-height:1.5;orphans:2;widows:2;text-align:left;height:11pt}.RmvCPDuePa-c0{color:#000000;font-weight:400;text-decoration:none;vertical-align:baseline;font-size:11pt;font-family:"Arial";font-style:normal}.RmvCPDuePa-c7{padding-top:0pt;padding-bottom:0pt;line-height:1.5;orphans:2;widows:2;text-align:left}.RmvCPDuePa-c2{padding-top:0pt;padding-bottom:0pt;line-height:1.0;text-align:left}.RmvCPDuePa-c6{text-decoration-skip-ink:none;-webkit-text-decoration-skip:none;color:#1155cc;text-decoration:underline}.RmvCPDuePa-c4{background-color:#ffffff;max-width:468pt;padding:72pt 72pt 72pt 72pt}.RmvCPDuePa-c1{color:inherit;text-decoration:inherit}.RmvCPDuePa-c5{border:1px solid black;margin:5px}.title…  ( 2 min )

It’s the fifth second Tuesday of 2022, which also means it’s the also the fifth Patch Tuesday of the year, and it brings with it the latest security updates from Adobe and Microsoft. This is also the last release before Pwn2Own Vancouver, which means multiple participants will be holding their breath to see if their exploits still work or were patched out. Take a break from your regularly scheduled activities and join us as we review the details of their latest security offerings. Adobe Patches for May 2022 For May, Adobe released five bulletins addressing 18 CVEs in Adobe CloudFusion, InCopy, Framemaker, InDesign, and Adobe Character Animator. A total of 17 of these CVEs were reported by ZDI vulnerability researcher Mat Powell. The largest of these patches is the fix for Framemaker with 1…

A Security Survey on How to Close Your Organization's Attack Resistance Gap  ( 6 min )