• Open

    Seven Essential Components Of A Top-Tier Attack Surface Management Program
    No content preview  ( 10 min )
  • Open

    This LOLBIN doesn’t exist…
    I have written about Nullsoft installer a few times before. I am a bit fascinated by it, because there is not that much research about it, in general, and even […]  ( 18 min )
  • Open

    MOVEit! An Overview of CVE-2023-34362
    On May 31st, 2023, Progress disclosed a serious vulnerability in its MOVEit Transfer software. The vulnerability is remotely exploitable, does not require authentication, and impacts versions of the software that are 2023.0.1 (15.0.1) or earlier. We are aware of multiple reports of active exploitation of this vulnerability in the wild, and attackers are already mobilizing […] The post MOVEit! An Overview of CVE-2023-34362 appeared first on Praetorian.  ( 7 min )
  • Open

    Less SmartScreen More Caffeine: (Ab)Using ClickOnce for Trusted Code Execution
    The contents of this blogpost was written by Nick Powers (@zyn3rgy) and Steven Flores (@0xthirteen), and is a written version of the…  ( 25 min )
  • Open

    Connect to Exchange Online with PowerShell
    Learn how to connect to Exchange Online PowerShell using multifactor authentication. Connect to Exchange Online with PowerShell first appeared on 4sysops.  ( 13 min )

  • Open

    Using the QCOW2 disk format in Proxmox
    QCOW2 is a virtual disk image format used by Proxmox Virtual Environment (Proxmox VE), an open-source virtualization management platform. In Proxmox VE, QCOW2 is the default virtual disk image format for virtual machines (VMs). Using the QCOW2 disk format in Proxmox first appeared on 4sysops.  ( 15 min )
    Delegate permissions for domain join
    Enabling standard users to connect their PCs to an Active Directory (AD) domain can introduce security risks. Similarly, using a domain admin account for this task is not advisable. An alternative approach is to create a separate account with limited permissions, specifically for domain join operations. Delegate permissions for domain join first appeared on 4sysops.  ( 13 min )
  • Open

    Geek Out: Technology Museums to Visit This Summer
    Check out our recommendations for technology museums to visit this summer.  ( 11 min )
  • Open

    Kimsuky Strikes Again | New Social Engineering Campaign Aims to Steal Credentials and Gather Strategic Intelligence
    Threat actor targets experts in North Korean affairs with spoofed URLs and weaponized Office documents to steal Google and other credentials.  ( 13 min )

  • Open

    Abusing undocumented features to spoof PE section headers
    Introduction Some time ago, I accidentally came across some interesting behaviour in PE files while debugging an unrelated project. I noticed that setting the SectionAlignment value in the NT header to a value lower than the page size (4096) resulted in significant differences in the way that the image is mapped into memory. Rather than following the usual procedure of parsing the section table to construct the image in memory, the loader appeared to map the entire file, including the headers, into memory with read-write-execute (RWX) permissions - the individual section headers were completely ignored. As a result of this behaviour, it is possible to create a PE executable without any sections, yet still capable of executing its own code. The code can even be self-modifying if necessary due to the write permissions that are present by default. One way in which this mode could potentially be abused would be to create a fake section table - on first inspection, this would appear to be a normal PE module containing read-write/read-only data sections, but when launched, the seemingly NX data becomes executable. While I am sure that this technique will have already been discovered (and potentially abused) in the past, I have been unable to find any documentation online describing it. MSDN does briefly mention that the SectionAlignment value can be less than the page size, but it doesn’t elaborate any further on the implications of this. Inside the Windows kernel A quick look in the kernel reveals what is happening. Within MiCreateImageFileMap, we can see the parsing of PE headers - notably, if the SectionAlignment value is less than 0x1000, an undocumented flag (0x200000) is set prior to mapping the image into memory: if(v29->SectionAlignment < 0x1000) { if((SectionFlags & 0x80000) != 0) { v17 = 0xC000007B; MiLogCreateImageFileMapFailure(v36, v39, *(unsigned int *)(v29 + 64), DWORD1(v99)); ImageFailureReason = 55; goto LABEL_81; } if(!MiLegacyImageArchitecture((unsigned __int16)v99)) { v17 = 0xC000007B; ImageFailureReason = 56; goto LABEL_81; } SectionFlags |= 0x200000; } v40 = MiBuildImageControlArea(a3, v38, v29, (unsigned int)&v99, SectionFlags, (__int64)&FileSize, (__int64)&v93); If the aforementioned flag is set, MiBuildImageControlArea treats the entire file as one single section: if((SectionFlags & 0x200000) != 0) { SectionCount = 1; } else { SectionCount = a4->NumberOfSections + 1; } v12 = MiAllocatePool(64, 8 * (7 * SectionCount + (((unsigned __int64)(unsigned int)MiFlags >> 13) & 1)) + 184, (SectionFlags & 0x200000) != 0 ? 0x61436D4D : 0x69436D4D); As a result, the raw image is mapped into memory with all PTEs assigned MM_EXECUTE_READWRITE protection. As mentioned previously, the IMAGE_SECTION_HEADER list is ignored, meaning a PE module using this mode can have a NumberOfSections value of 0. There are no obvious size restrictions on PE modules using this mode either - the loader will allocate memory based on the SizeOfImage field and copy the file contents accordingly. Any excess memory beyond the size of the file will remain blank. Demonstration #1 - Executable PE with no sections The simplest demonstration of this technique would be to create a generic “loader” for position-independent code. I have created the following sample headers by hand for testing: // (64-bit EXE headers) BYTE bHeaders64[328] = { 0x4D, 0x5A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x50, 0x45, 0x00, 0x00, 0x64, 0x86, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xF0, 0x00, 0x22, 0x00, 0x0B, 0x02, 0x0E, 0x1D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x01, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x48, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x60, 0x81, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // (code goes here) }; BYTE bHeaders32[304] = { 0x4D, 0x5A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x50, 0x45, 0x00, 0x00, 0x4C, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE0, 0x00, 0x02, 0x01, 0x0B, 0x01, 0x0E, 0x1D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x30, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x30, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x40, 0x81, 0x00, 0x00, 0x10, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // (code goes here) }; These headers contain a SectionAlignment value of 0x200 (rather than the usual 0x1000), a SizeOfImage value of 0x100000 (1MB), a blank section table, and an entry-point positioned immediately after the headers. Aside from these values, there is nothing special about the remaining fields: (DOS Header) e_magic : 0x5A4D ... e_lfanew : 0x40 (NT Header) Signature : 0x4550 Machine : 0x8664 NumberOfSections : 0x0 TimeDateStamp : 0x0 PointerToSymbolTable : 0x0 NumberOfSymbols : 0x0 SizeOfOptionalHeader : 0xF0 Characteristics : 0x22 Magic : 0x20B MajorLinkerVersion : 0xE MinorLinkerVersion : 0x1D SizeOfCode : 0x0 SizeOfInitializedData : 0x0 SizeOfUninitializedData : 0x0 AddressOfEntryPoint : 0x148 BaseOfCode : 0x0 ImageBase : 0x140000000 SectionAlignment : 0x200 FileAlignment : 0x200 MajorOperatingSystemVersion : 0x6 MinorOperatingSystemVersion : 0x0 MajorImageVersion : 0x0 MinorImageVersion : 0x0 MajorSubsystemVersion : 0x6 MinorSubsystemVersion : 0x0 Win32VersionValue : 0x0 SizeOfImage : 0x100000 SizeOfHeaders : 0x148 CheckSum : 0x0 Subsystem : 0x2 DllCharacteristics : 0x8160 SizeOfStackReserve : 0x100000 SizeOfStackCommit : 0x1000 SizeOfHeapReserve : 0x100000 SizeOfHeapCommit : 0x1000 LoaderFlags : 0x0 NumberOfRvaAndSizes : 0x10 DataDirectory[0] : 0x0, 0x0 ... DataDirectory[15] : 0x0, 0x0 (Start of code) For demonstration purposes, we will be using some position-independent code that calls MessageBoxA. As the base headers lack an import table, this code must locate and load all dependencies manually - user32.dll in this case. This same payload can be used in both 32-bit and 64-bit environments: BYTE bMessageBox[939] = { 0x8B, 0xC4, 0x6A, 0x00, 0x2B, 0xC4, 0x59, 0x83, 0xF8, 0x08, 0x0F, 0x84, 0xA0, 0x01, 0x00, 0x00, 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x3C, 0x64, 0xA1, 0x30, 0x00, 0x00, 0x00, 0x33, 0xD2, 0x53, 0x56, 0x57, 0x8B, 0x40, 0x0C, 0x33, 0xDB, 0x21, 0x5D, 0xF0, 0x21, 0x5D, 0xEC, 0x8B, 0x40, 0x1C, 0x8B, 0x00, 0x8B, 0x78, 0x08, 0x8B, 0x47, 0x3C, 0x8B, 0x44, 0x38, 0x78, 0x03, 0xC7, 0x8B, 0x48, 0x24, 0x03, 0xCF, 0x89, 0x4D, 0xE8, 0x8B, 0x48, 0x20, 0x03, 0xCF, 0x89, 0x4D, 0xE4, 0x8B, 0x48, 0x1C, 0x03, 0xCF, 0x89, 0x4D, 0xF4, 0x8B, 0x48, 0x14, 0x89, 0x4D, 0xFC, 0x85, 0xC9, 0x74, 0x5F, 0x8B, 0x70, 0x18, 0x8B, 0xC1, 0x89, 0x75, 0xF8, 0x33, 0xC9, 0x85, 0xF6, 0x74, 0x4C, 0x8B, 0x45, 0xE8, 0x0F, 0xB7, 0x04, 0x48, 0x3B, 0xC2, 0x74, 0x07, 0x41, 0x3B, 0xCE, 0x72, 0xF0, 0xEB, 0x37, 0x8B, 0x45, 0xE4, 0x8B, 0x0C, 0x88, 0x03, 0xCF, 0x74, 0x2D, 0x8A, 0x01, 0xBE, 0x05, 0x15, 0x00, 0x00, 0x84, 0xC0, 0x74, 0x1F, 0x6B, 0xF6, 0x21, 0x0F, 0xBE, 0xC0, 0x03, 0xF0, 0x41, 0x8A, 0x01, 0x84, 0xC0, 0x75, 0xF1, 0x81, 0xFE, 0xFB, 0xF0, 0xBF, 0x5F, 0x75, 0x74, 0x8B, 0x45, 0xF4, 0x8B, 0x1C, 0x90, 0x03, 0xDF, 0x8B, 0x75, 0xF8, 0x8B, 0x45, 0xFC, 0x42, 0x3B, 0xD0, 0x72, 0xA9, 0x8D, 0x45, 0xC4, 0xC7, 0x45, 0xC4, 0x75, 0x73, 0x65, 0x72, 0x50, 0x66, 0xC7, 0x45, 0xC8, 0x33, 0x32, 0xC6, 0x45, 0xCA, 0x00, 0xFF, 0xD3, 0x8B, 0xF8, 0x33, 0xD2, 0x8B, 0x4F, 0x3C, 0x8B, 0x4C, 0x39, 0x78, 0x03, 0xCF, 0x8B, 0x41, 0x20, 0x8B, 0x71, 0x24, 0x03, 0xC7, 0x8B, 0x59, 0x14, 0x03, 0xF7, 0x89, 0x45, 0xE4, 0x8B, 0x41, 0x1C, 0x03, 0xC7, 0x89, 0x75, 0xF8, 0x89, 0x45, 0xE8, 0x89, 0x5D, 0xFC, 0x85, 0xDB, 0x74, 0x7D, 0x8B, 0x59, 0x18, 0x8B, 0x45, 0xFC, 0x33, 0xC9, 0x85, 0xDB, 0x74, 0x6C, 0x0F, 0xB7, 0x04, 0x4E, 0x3B, 0xC2, 0x74, 0x22, 0x41, 0x3B, 0xCB, 0x72, 0xF3, 0xEB, 0x5A, 0x81, 0xFE, 0x6D, 0x07, 0xAF, 0x60, 0x8B, 0x75, 0xF8, 0x75, 0x8C, 0x8B, 0x45, 0xF4, 0x8B, 0x04, 0x90, 0x03, 0xC7, 0x89, 0x45, 0xEC, 0xE9, 0x7C, 0xFF, 0xFF, 0xFF, 0x8B, 0x45, 0xE4, 0x8B, 0x0C, 0x88, 0x03, 0xCF, 0x74, 0x35, 0x8A, 0x01, 0xBE, 0x05, 0x15, 0x00, 0x00, 0x84, 0xC0, 0x74, 0x27, 0x6B, 0xF6, 0x21, 0x0F, 0xBE, 0xC0, 0x03, 0xF0, 0x41, 0x8A, 0x01, 0x84, 0xC0, 0x75, 0xF1, 0x81, 0xFE, 0xB4, 0x14, 0x4F, 0x38, 0x8B, 0x75, 0xF8, 0x75, 0x10, 0x8B, 0x45, 0xE8, 0x8B, 0x04, 0x90, 0x03, 0xC7, 0x89, 0x45, 0xF0, 0xEB, 0x03, 0x8B, 0x75, 0xF8, 0x8B, 0x45, 0xFC, 0x42, 0x3B, 0xD0, 0x72, 0x89, 0x33, 0xC9, 0xC7, 0x45, 0xC4, 0x54, 0x65, 0x73, 0x74, 0x51, 0x8D, 0x45, 0xC4, 0x88, 0x4D, 0xC8, 0x50, 0x50, 0x51, 0xFF, 0x55, 0xF0, 0x6A, 0x7B, 0x6A, 0xFF, 0xFF, 0x55, 0xEC, 0x5F, 0x5E, 0x5B, 0xC9, 0xC3, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x48, 0x89, 0x5C, 0x24, 0x08, 0x48, 0x89, 0x6C, 0x24, 0x10, 0x48, 0x89, 0x74, 0x24, 0x18, 0x48, 0x89, 0x7C, 0x24, 0x20, 0x41, 0x54, 0x41, 0x56, 0x41, 0x57, 0x48, 0x83, 0xEC, 0x40, 0x65, 0x48, 0x8B, 0x04, 0x25, 0x60, 0x00, 0x00, 0x00, 0x33, 0xFF, 0x45, 0x33, 0xFF, 0x45, 0x33, 0xE4, 0x45, 0x33, 0xC9, 0x48, 0x8B, 0x48, 0x18, 0x48, 0x8B, 0x41, 0x30, 0x48, 0x8B, 0x08, 0x48, 0x8B, 0x59, 0x10, 0x48, 0x63, 0x43, 0x3C, 0x8B, 0x8C, 0x18, 0x88, 0x00, 0x00, 0x00, 0x48, 0x03, 0xCB, 0x8B, 0x69, 0x24, 0x44, 0x8B, 0x71, 0x20, 0x48, 0x03, 0xEB, 0x44, 0x8B, 0x59, 0x1C, 0x4C, 0x03, 0xF3, 0x8B, 0x71, 0x14, 0x4C, 0x03, 0xDB, 0x85, 0xF6, 0x0F, 0x84, 0x80, 0x00, 0x00, 0x00, 0x44, 0x8B, 0x51, 0x18, 0x33, 0xC9, 0x45, 0x85, 0xD2, 0x74, 0x69, 0x48, 0x8B, 0xD5, 0x0F, 0x1F, 0x40, 0x00, 0x0F, 0xB7, 0x02, 0x41, 0x3B, 0xC1, 0x74, 0x0D, 0xFF, 0xC1, 0x48, 0x83, 0xC2, 0x02, 0x41, 0x3B, 0xCA, 0x72, 0xED, 0xEB, 0x4D, 0x45, 0x8B, 0x04, 0x8E, 0x4C, 0x03, 0xC3, 0x74, 0x44, 0x41, 0x0F, 0xB6, 0x00, 0x33, 0xD2, 0xB9, 0x05, 0x15, 0x00, 0x00, 0x84, 0xC0, 0x74, 0x35, 0x0F, 0x1F, 0x00, 0x6B, 0xC9, 0x21, 0x8D, 0x52, 0x01, 0x0F, 0xBE, 0xC0, 0x03, 0xC8, 0x42, 0x0F, 0xB6, 0x04, 0x02, 0x84, 0xC0, 0x75, 0xEC, 0x81, 0xF9, 0xFB, 0xF0, 0xBF, 0x5F, 0x75, 0x08, 0x41, 0x8B, 0x3B, 0x48, 0x03, 0xFB, 0xEB, 0x0E, 0x81, 0xF9, 0x6D, 0x07, 0xAF, 0x60, 0x75, 0x06, 0x45, 0x8B, 0x23, 0x4C, 0x03, 0xE3, 0x41, 0xFF, 0xC1, 0x49, 0x83, 0xC3, 0x04, 0x44, 0x3B, 0xCE, 0x72, 0x84, 0x48, 0x8D, 0x4C, 0x24, 0x20, 0xC7, 0x44, 0x24, 0x20, 0x75, 0x73, 0x65, 0x72, 0x66, 0xC7, 0x44, 0x24, 0x24, 0x33, 0x32, 0x44, 0x88, 0x7C, 0x24, 0x26, 0xFF, 0xD7, 0x45, 0x33, 0xC9, 0x48, 0x8B, 0xD8, 0x48, 0x63, 0x48, 0x3C, 0x8B, 0x94, 0x01, 0x88, 0x00, 0x00, 0x00, 0x48, 0x03, 0xD0, 0x8B, 0x7A, 0x24, 0x8B, 0x6A, 0x20, 0x48, 0x03, 0xF8, 0x44, 0x8B, 0x5A, 0x1C, 0x48, 0x03, 0xE8, 0x8B, 0x72, 0x14, 0x4C, 0x03, 0xD8, 0x85, 0xF6, 0x74, 0x77, 0x44, 0x8B, 0x52, 0x18, 0x0F, 0x1F, 0x44, 0x00, 0x00, 0x33, 0xC0, 0x45, 0x85, 0xD2, 0x74, 0x5B, 0x48, 0x8B, 0xD7, 0x66, 0x0F, 0x1F, 0x44, 0x00, 0x00, 0x0F, 0xB7, 0x0A, 0x41, 0x3B, 0xC9, 0x74, 0x0D, 0xFF, 0xC0, 0x48, 0x83, 0xC2, 0x02, 0x41, 0x3B, 0xC2, 0x72, 0xED, 0xEB, 0x3D, 0x44, 0x8B, 0x44, 0x85, 0x00, 0x4C, 0x03, 0xC3, 0x74, 0x33, 0x41, 0x0F, 0xB6, 0x00, 0x33, 0xD2, 0xB9, 0x05, 0x15, 0x00, 0x00, 0x84, 0xC0, 0x74, 0x24, 0x66, 0x90, 0x6B, 0xC9, 0x21, 0x8D, 0x52, 0x01, 0x0F, 0xBE, 0xC0, 0x03, 0xC8, 0x42, 0x0F, 0xB6, 0x04, 0x02, 0x84, 0xC0, 0x75, 0xEC, 0x81, 0xF9, 0xB4, 0x14, 0x4F, 0x38, 0x75, 0x06, 0x45, 0x8B, 0x3B, 0x4C, 0x03, 0xFB, 0x41, 0xFF, 0xC1, 0x49, 0x83, 0xC3, 0x04, 0x44, 0x3B, 0xCE, 0x72, 0x92, 0x45, 0x33, 0xC9, 0xC7, 0x44, 0x24, 0x20, 0x54, 0x65, 0x73, 0x74, 0x4C, 0x8D, 0x44, 0x24, 0x20, 0xC6, 0x44, 0x24, 0x24, 0x00, 0x48, 0x8D, 0x54, 0x24, 0x20, 0x33, 0xC9, 0x41, 0xFF, 0xD7, 0xBA, 0x7B, 0x00, 0x00, 0x00, 0x48, 0xC7, 0xC1, 0xFF, 0xFF, 0xFF, 0xFF, 0x41, 0xFF, 0xD4, 0x48, 0x8B, 0x5C, 0x24, 0x60, 0x48, 0x8B, 0x6C, 0x24, 0x68, 0x48, 0x8B, 0x74, 0x24, 0x70, 0x48, 0x8B, 0x7C, 0x24, 0x78, 0x48, 0x83, 0xC4, 0x40, 0x41, 0x5F, 0x41, 0x5E, 0x41, 0x5C, 0xC3 }; As a side note, several readers have asked how I created this sample code (previously used in another project) which works correctly in both 32-bit and 64-bit modes. The answer is very simple: it begins by storing the original stack pointer value, pushes a value onto the stack, and compares the new stack pointer to the original value. If the difference is 8, the 64-bit code is executed - otherwise, the 32-bit code is executed. While there are certainly more efficient approaches to achieve this outcome, this method is sufficient for demonstration purposes: mov eax, esp ; store stack ptr push 0 ; push a value onto the stack sub eax, esp ; calculate difference pop ecx ; restore stack cmp eax, 8 ; check if the difference is 8 je 64bit_code 32bit_code: xxxx 64bit_code: xxxx By appending this payload to the original headers above, we can generate a valid and functional EXE file. The provided PE headers contain a hardcoded SizeOfImage value of 0x100000 which allows for a maximum payload size of almost 1MB, but this can be increased if necessary. Running this program will display our message box, despite the fact that the PE headers lack any executable sections, or any sections at all in this case: Demonstration #2 - Executable PE with spoofed sections Perhaps more interestingly, it is also possible to create a fake section table using this mode as mentioned earlier. I have created another EXE which follows a similar format to the previous samples, but also includes a single read-only section: The main payload has been stored within this read-only section and the entry-point has been updated to 0x1000. Under normal circumstances, you would expect the program to crash immediately with an access-violation exception due to attempting to execute read-only memory. However, this doesn’t occur here - the target memory region contains RWX permissions and the payload is executed successfully: Notes The sample EXE files can be downloaded here. The proof-of-concepts described above involve appending the payload to the end of the NT headers, but it is also possible to embed executable code within the headers themselves using this technique. The module will fail to load if the AddressOfEntryPoint value is less than the SizeOfHeaders value, but this can easily be bypassed since the SizeOfHeaders value is not strictly enforced. It can even be set to 0, allowing the entry-point to be positioned anywhere within the file. It is possible that this feature was initially designed to allow for very small images, enabling the headers, code, and data to fit within a single memory page. As memory protection is applied per-page, it makes sense to apply RWX to all PTEs when the virtual section size is lower than the page size - it would otherwise be impossible to manage protections correctly if multiple sections resided within a single page. I have tested these EXE files on various different versions of Windows from Vista to 10 with success in all cases. Unfortunately it has very little practical use in the real world as it won’t deceive any modern disassemblers - nonetheless, it remains an interesting concept.  ( 22 min )
  • Open

    Logistics for a Remote Company
    Logistics and shipping devices across the world can be a challenging task, especially when dealing with customs regulations. For the past few years, I have had the opportunity to learn about these complex processes and how to manage them efficiently. As a Practice Manager at Doyensec, I was responsible for building processes from scratch and ensuring that our logistics operations ran smoothly. Since 2018, I have had to navigate the intricate world of logistics and shipping, dealing with everything from international regulations to customs clearance. Along the way, I have learned valuable lessons and picked up essential skills that have helped me manage complex logistics operations with ease. In this post, I will share my experiences and insights on managing shipping devices across the wo…  ( 4 min )
  • Open

    Bypassing CSP via DOM clobbering
    You might have found HTML injection, but unfortunately identified that the site is protected with CSP. All is not lost, it might be possible to bypass CSP using DOM clobbering, which you can now detec  ( 4 min )

  • Open

    Analyzing nested, obfuscated PHP files…
    Many PHP webshells are encrypted, encoded, obfuscated in many different ways, but most use a rudimentary approach relying on engaging the same sequence of code ‘hiding’ routines repetitively, sequences that […]  ( 19 min )

  • Open

    How to Spot and Prevent an Eclipse Attack
    Studies of blockchain architectures often start with the consensus algorithms and implicitly assume that information flows perfectly through the underlying peer-to-peer network, and peer discovery is sound and fully decentralized. In practice this is not always the case. A few years ago, a team of researchers looked at the Bitcoin1 and Ethereum2 networks in two […]  ( 68 min )
  • Open

    Install and configure Windows Server Backup in Windows Server 2022
    If you are running Windows Server 2022, or an older version of Windows Server, you can leverage a native backup feature called Windows Server Backup. It comes at no additional cost to the Windows Server license, which you already have. Install and configure Windows Server Backup in Windows Server 2022 first appeared on 4sysops.  ( 14 min )
  • Open

    Cybersecurity Jobs: Cloud Security Analyst (Japanese)
    クラウドセキュリティアナリストの主な業務や、スキルアップのためのSANSのおすすめのコースを紹介します!  ( 8 min )

  • Open

    Analysing PS2EXE executables…
    In my older posts I have shown how to deal with ‘encrypted’ or otherwise ‘protected’ script-to-exe executable files that aim to hide, obfuscate, or otherwise make scripts used to generate […]  ( 18 min )
  • Open

    Audit the Security Posture of DevOps with HackerOne Source Code Assessments
    No content preview  ( 10 min )
  • Open

    Eurocrypt 2023: Death of a KEM
    Last month I was lucky enough to attend Eurocrypt 2023, which took place in Lyon, France. It was my first chance to attend an academic cryptography conference and the experience sat somewhere in between the familiar cryptography of the Real World Crypto conference and the abstract world of black holes and supergravity conferences which I […]  ( 69 min )
  • Open

    On Detection: From Tactical to Functional
    No content preview
  • Open

    CVE-2023-24941: Microsoft Network File System Remote Code Execution
    In this excerpt of a Trend Micro Vulnerability Research Service vulnerability report, Quinton Crist, Guy Lederfein, and Lucas Miller of the Trend Micro Research Team detail a recently patched remote code execution vulnerability in the Microsoft Network File Service (NFS). This bug was originally discovered by Wei in Kunlun Lab with Cyber KunLun. The vulnerability is triggered when handling incoming NFSv4.1 calls containing utf8strings when the server is low on memory. A remote, unauthenticated attacker could exploit this vulnerability by sending a crafted call to an affected server. The following is a portion of their write-up covering CVE-2023-24941, with a few minimal modifications. A remote code execution vulnerability has been reported in Microsoft Network File System (NFS). The vulner…
  • Open

    Join Windows 11 to an Active Directory domain
    There are several ways for Windows PCs to join an Active Directory domain. These include the interactive method via the System Properties applet, netdom.exe, and PowerShell. Other options include a provisioning package, an answer file, or an offline domain join by importing an ODJ file. Join Windows 11 to an Active Directory domain first appeared on 4sysops.  ( 14 min )
  • Open

    Women in Cybersecurity (WiCyS) Joins Forces with SANS Security Awareness
    Guest editors from WiCyS will be producing the monthly OUCH! Newsletter.  ( 9 min )

  • Open

    Reversing Pickles with r2pickledec
    R2pickledec is the first pickle decompiler to support all instructions up to protocol 5 (the current). In this post we will go over what Python pickles are, how they work and how to reverse them with Radare2 and r2pickledec. An upcoming blog post will go even deeper into pickles and share some advanced obfuscation techniques. What are pickles? Pickles are the built-in serialization algorithm in Python. They can turn any Python object into a byte stream so it may be stored on disk or sent over a network. Pickles are notoriously dangerous. You should never unpickle data from an untrusted source. Doing so will likely result in remote code execution. Please refer to the documentation for more details. Pickle Basics Pickles are implemented as a very simple assembly language. There are only 68 i…  ( 8 min )
  • Open

    SCP from remote to local
    The Secure Copy Protocol (SCP) command is a widely used command line utility that enables users to securely copy files and directories between two systems over a secure shell (SSH) connection. Let's look at copying files and entire directories with SCP from remote to local systems. SCP from remote to local first appeared on 4sysops.  ( 14 min )
  • Open

    Radare2 Power Ups | Delivering Faster macOS Malware Analysis With r2 Customization
    Learn how to customize radare2 with user-defined aliases, macros and functions for faster and easier binary diffing and analysis.  ( 16 min )
  • Open

    Reverse Engineering Coin Hunt World’s Binary Protocol
    Introduction We are going to walk through the process we took to reverse engineer parts of the Android game Coin Hunt World. Our goal was to identify methods and develop tooling to cheat at the game. Most of the post covers reverse engineering the game’s binary protocol and using that knowledge to create tooling for […]  ( 85 min )

  • Open

    A Year In HackerOne’s Bug Bounty Program
    No content preview  ( 12 min )
  • Open

    Dacpac and Bacpac in SQL Server
    When it comes to migrating a SQL Server database from one environment to another, admins tend to rely heavily on native SQL backup (BAK) files. It works, but also has a lot of problems. For instance, a BAK file created by a new version of SQL Server cannot be imported directly to a previous SQL Server version. Furthermore, the native backup (BAK) file contains the complete database (including all user data), so it poses a data privacy risk when you want to replicate a production database in a development environment. The Dacpac and Bacpac packages are an answer to the above problems. Dacpac and Bacpac in SQL Server first appeared on 4sysops.  ( 17 min )
  • Open

    Transforming search sentences to query Elastic SIEM with OpenAI API
    In this blog post, we will explore how a powerful language model by OpenAI can automate the last step and bridge the gap between human language questions and SIEM query language.  ( 11 min )
  • Open

    Technical Advisory – Multiple Vulnerabilities in Faronics Insight (CVE-2023-28344, CVE-2023-28345, CVE-2023-28346, CVE-2023-28347, CVE-2023-28348, CVE-2023-28349, CVE-2023-28350, CVE-2023-28351, CVE-2023-28352, CVE-2023-28353)
    Introduction Faronics Insight is a feature rich software platform which is deployed on premises in schools. The application enables teachers to administer, control and interact with student devices. The application contains numerous features, including allowing teachers to transfer files to/from students and remotely viewing the contents of student screens. Generally speaking, the architecture of the […]  ( 80 min )

  • Open

    Understanding Kubernetes Persistent Volumes
    Persistent volumes allow administrators to configure persistent data locations for stateful applications. They allow containerized applications to store data beyond the lifecycle of individual containers or pods. This makes it possible to retain data even after a pod restart or update. With Kubernetes, persistent volumes are storage locations provisioned by an administrator or dynamically created using StorageClasses. Understanding Kubernetes Persistent Volumes first appeared on 4sysops.  ( 13 min )
  • Open

    XSS in WordPress via open embed auto discovery
    Introduction Users often assume that known software is free of security flaws because it has been checked by a sufficient number of tools and security testers. However, this is not an assumption that a pentester or bug hunter can afford to make. Vulnerabilities may lurk in various places, and finding an interesting bug often requires ... The post XSS in WordPress via open embed auto discovery appeared first on research.securitum.com.  ( 6 min )

  • Open

    ChatGPT Plugin Exploit Explained: From Prompt Injection to Accessing Private Data
    If you are building ChatGPT plugins, LLM agents, tools or integrations this is a must read. This post explains how the first exploitable Cross Plugin Request Forgery was found in the wild and the fix which was applied. Indirect Prompt Injections Are Now A Reality With plugins Indirect Prompt Injections are now a reality in the ChatGPT ecosystem. The real-world examples and demos provided by others and myself to raise awarness about this increasing problem have been mostly amusing and harmless, like making Bing Chat speak like a pirate, make ChatGPT add jokes at the end or having it do a Rickroll when reading YouTube transcripts.  ( 5 min )

  • Open

    BalenaEtcher (alias Etcher): Burn OS image to a USB drive
    Etcher, also known as BalenaEtcher, is a tool for copying operating systems and burning the OS image onto removable external media, such as USB drives or SD cards. Etcher is an open-source, free tool. Etcher supports Windows (version 7 and above), macOS (Yosemite and above), and all major Linux distributions. BalenaEtcher (alias Etcher): Burn OS image to a USB drive first appeared on 4sysops.  ( 12 min )
  • Open

    Tool Release: Code Query (cq)
    Code Query is a new, open source universal code security scanning tool. CQ scans code for security vulnerabilities and other items of interest to security-focussed code reviewers. It outputs text files containing references to issues found, into an output directory. These output files can then be reviewed, filtered by unix command line tools such as […]  ( 62 min )
  • Open

    A Visual Summary of SANS AI Cybersecurity Summit 2023
    SANS Cybersecurity Blog pertaining to a summary of the SANS AI Cybersecurity Summit 2023  ( 10 min )
    Cybersecurity Jobs: Technical Director (Japanese)
    テクニカルディレクターの主な業務や、スキルアップのためのSANSのおすすめのコースを紹介します!  ( 7 min )

  • Open

    Cockpit: GUI administration for Linux
    Cockpit is a Linux tool that allows you to perform system administration tasks via a graphical user interface (GUI), namely, a web browser. Traditionally, Linux administration was done using the command line, and a good sysadmin was characterized by the number of commands he knew well. Cockpit as a GUI tool aims to lower the barrier of entry for new sysadmins on Linux while making it easier for everyone with a friendly, clickable interface. In this article, I'll take a look at Cockpit, its features, advantages, limitations, and disadvantages. Cockpit: GUI administration for Linux first appeared on 4sysops.  ( 17 min )
  • Open

    Ethereum Virtual Machine Internals – Part 2
    Part 2 of the EVM Internals series, exploring how data structures are persisted between contract calls. The post Ethereum Virtual Machine Internals – Part 2  appeared first on NetSPI.  ( 28 min )
  • Open

    CowCloud
    A common challenge technical teams (e.g. penetration testers) face is centralized deployment and pipelining execution of security tools. It is possible that at some point you have thought about customising several tools, buying their commercial licenses, and allowing a number of people to run the tools from AWS. The problem is that this means you […]  ( 64 min )
  • Open

    Exploiting the Sonos One Speaker Three Different Ways: A Pwn2Own Toronto Highlight
    During Pwn2Own Toronto 2022, three different teams successfully exploited the Sonos One Speaker. In total, $105,000 was awarded to the three teams, with the team of Toan Pham and Tri Dang from Qrious Secure winning $60,000 since their entry was first on the schedule. Part of Pwn2Own competitions involves a random drawing for order. Not only does the team selected first get the full award if they are successful, but the subsequent entries are also more likely to have bug collisions. That means if three teams show up with the same exploit, only the first one randomly selected will get full credit. That’s not exactly what happened during the event, but some bug collisions did occur. In fact, there were four unique bugs used by the three different teams. Let’s take a look at the vulnerabilitie…
  • Open

    Power Up Your Pen Tests: Creating Burp Suite Extensions with the New Montoya API
    Learn how to power up your pen tests by using the new Montoya API to create Burp Suite extensions from scratch.  ( 16 min )
  • Open

    Operation Magalenha | Long-Running Campaign Pursues Portuguese Credentials and PII
    A Brazilian threat actor is targeting users of over 30 Portuguese financial institutions with custom backdoors.  ( 16 min )
  • Open

    A Visual Summary of SANS Cybersecurity Leadership Summit 2023
    SANS Cybersecurity Blog pertaining to a summary of the SANS Cybersecurity Leadership Summit 2023  ( 9 min )

  • Open

    GUEST BLOG: Governments Across The World Are Mandating Vulnerability Disclosure So Why Are Companies Sitting On Their Hands?
    No content preview  ( 10 min )
  • Open

    Change Windows network profiles between public and private
    Windows has three types of network profiles: domain, private, and public. The former is automatically assigned to all computers that are members of an AD domain, and this cannot be changed. On the other hand, you can switch between private and public to activate the associated security settings. Change Windows network profiles between public and private first appeared on 4sysops.  ( 13 min )
  • Open

    Beyond Procedures: Digging into the Function Call Stack
    No content preview
  • Open

    Enforce Zero Trust in Microsoft 365 – Part 3: Introduction to Conditional Access
    This blog post is the third blog post of a series dedicated to Zero Trust security in Microsoft 365. In the first two blog posts, we set the basics by going over the free features of Azure AD that can be implemented in an organization that starts its Zero Trust journey in Microsoft 365. We … Continue reading Enforce Zero Trust in Microsoft 365 – Part 3: Introduction to Conditional Access →  ( 12 min )
  • Open

    EFB vulnerability in Lufthansa’s Lido eRouteManual
    Almost all commercial airlines now use electronic flight bags (EFBs) to drive efficiency and safety in their operations. We’ve been testing the security of EFBs and their apps, here’s our […] EFB vulnerability in Lufthansa’s Lido eRouteManual first appeared on Pen Test Partners.  ( 10 min )

  • Open

    DeXRAY, DFIR, and the art of ambulance chasing…
    Pretty much all of my DeXRAY posts ever published been focusing on new versions of this tool being released. Today I will talk about the ‘making of the sausages’ part […]  ( 20 min )
  • Open

    FOSS BloodHound 4.3.1 release
    No content preview
  • Open

    Poll: How reliable are chatGPT and Bing Chat?
    There is no denying that Google has been the most crucial resource for IT professionals for the past two decades. Most IT professionals are adept problem solvers, and there are only a handful of IT issues that cannot be resolved by the vast resources of the internet. As AI-powered search engines continue to emerge, a question arises: will Google be replaced by GPT-4-based chatbots and search engines like chatGPT and Bing Chat? Poll: How reliable are chatGPT and Bing Chat? first appeared on 4sysops.  ( 10 min )
  • Open

    Content Discovery: Understanding Your Web Attack Surface
    Attack Surface Management (ASM) tools find quite a lot of vulnerabilities on the Web. This really isn’t surprising, given that HTTP/S is by far the most common and broadest of all the services comprising the Internet. In fact, Web-based issues represent the majority of the findings about which our Managed Service Providers (MSPs) inform our […] The post Content Discovery: Understanding Your Web Attack Surface appeared first on Praetorian.  ( 10 min )
  • Open

    OffensiveCon 2023 – Exploit Engineering – Attacking the Linux Kernel
    Cedric Halbronn and Alex Plaskett presented at OffensiveCon on the 19th of May 2023 on Exploit Engineering – Attacking the Linux kernel. Slides The slides for the talk can be downloaded below: libslub libslub can be downloaded from here. Abstract The abstract for the talk was as follows: Over the last year the Exploit Development […]  ( 63 min )
    Tool Release: Code Credential Scanner (ccs)
    Code Credential Scanner is a new open source tool designed to detect hardcoded credentials, or credentials present in configuration files within a repository. These represent a serious security issue, and can be extremely hard to detect and manage. The tool is intended to be used directly by dev teams in a CI/CD pipeline, to manage […]  ( 63 min )
  • Open

    Kimsuky | Ongoing Campaign Using Tailored Reconnaissance Toolkit
    North Korean APT group focuses on file reconnaissance and information exfiltration with latest variant of RandomQuery malware.  ( 11 min )
  • Open

    Trusted publishing: a new benchmark for packaging security
    Read the official announcement on the PyPI blog as well! For the past year, we’ve worked with the Python Package Index to add a new, more secure authentication method called “trusted publishing.” Trusted publishing eliminates the need for long-lived API tokens and passwords, reducing the risk of supply chain attacks and credential leaks while also […]  ( 15 min )
  • Open

    Top 5 Reasons to Attend SANS Blue Team Summit 2023
    SANS Blue Team Summit 2023 is virtual, completely free, and is full of actionable talks from world-class blue team experts.  ( 10 min )

  • Open

    Exploring Overfitting Risks in Large Language Models
    In the following blog post, we explore how overfitting can affect Large Language Models (LLMs) in particular, since this technology is used in the most promising AI technologies we see today (chatGPT, LLaMa, Bard, etc). Furthermore, by exploring the likelihood of inferring data from the dataset, we will determine how much we can trust these […]  ( 69 min )
  • Open

    In Brief: Chariot Alignment with FDA Section 524B.1
    Chariot is more than a product; it’s a partnership that combines automated monitoring and human analysis to identify externally-accessible security risks. In light of the FDA’s latest requirements for in-market device security (summarized in Section 524B), Praetorian’s customers are having success leveraging the Chariot Managed Service as a cost-effective and scalable approach to satisfying Section […] The post In Brief: Chariot Alignment with FDA Section 524B.1 appeared first on Praetorian.  ( 5 min )
  • Open

    Finding Evil WMI Event Consumers with Disk Forensics
    WMI event consumers will continue to be abused in the wild as long as organizations fail to discover and remediate them. While live collection and analysis is preferable to scale efforts across a network, this post covered disk-based artifacts and tools available for use during deeper forensic investigations. A KAPE target exists to collect the required files for offline analysis, making it an easy check to perform during incident response forensic investigations.  ( 19 min )
    what-is-CVSS
    CVSS stands for the Common Vulnerability Scoring System and is explained in this blog.  ( 14 min )

  • Open

    GUEST BLOG: Vulnerability Disclosure Adoption In The Consumer IoT space Is Lagging, But What About Elsewhere?
    No content preview  ( 8 min )
  • Open

    Proxmox Backup Server: Install and configure
    Previously, I discussed built-in snapshots and backup features in Proxmox VE. Today, I will have a look at Proxmox Backup Server. Proxmox Backup Server is an enterprise-ready backup and recovery solution for VMs, containers, and physical servers. It supports deduplicated and incremental backups to reduce network load and increase storage efficiency. Proxmox Backup Server: Install and configure first appeared on 4sysops.  ( 16 min )
    What is Windows 10 S mode? How does Windows 11 S mode differ?
    Windows 11 S mode builds on its predecessor, Windows 10 S mode. It is a streamlined version of Windows 11, designed to provide a secure, fast, and easy-to-use computing experience. In this article, we will explore the key features and benefits of Windows 11 S mode and compare them to Windows 10 S mode. In addition, you will learn how to disable Windows 11 S mode. What is Windows 10 S mode? How does Windows 11 S mode differ? first appeared on 4sysops.  ( 14 min )
  • Open

    The Paillier Cryptosystem with Applications to Threshold ECDSA
    You may have heard of RSA (b. 1977), but have you heard of its cousin, Paillier (b. 1999)? In this post, we provide a close look at the Paillier homomorphic encryption scheme [Paillier1999], what it offers, how it’s used in complex protocols, and how to implement it securely. Contents RSA Encryption Refresher and Notation We’ll […]  ( 87 min )
  • Open

    Security Distilled: Building a First-Principles Approach to Understanding Security
    No content preview
  • Open

    All your building are belong to us
    TL;DR Building Management Systems (BMS) bring new risks to businesses that haven’t had previous experience of  securing Operational Technology (OT) While there might not be direct financial gain from hacking […] All your building are belong to us first appeared on Pen Test Partners.  ( 11 min )
  • Open

    Cybersecurity Jobs: OSINT investigator/Analyst (Japanese)
    OSINT調査員/アナリストの主な業務や、スキルアップのためのSANSのおすすめのコースを紹介します!  ( 7 min )

  • Open

    CVE-2023-20869/20870: Exploiting VMware Workstation at Pwn2Own Vancouver
    This post covers an exploit chain demonstrated by Nguyễn Hoàng Thạch (@hi_im_d4rkn3ss) of STAR Labs SG Pte. Ltd. during the Pwn2Own Vancouver event in 2023. During the contest, he used an uninitialized variable bug and a stack-based buffer overflow in VMware to escalate from a guest OS to execute code on the underlying hypervisor. His successful demonstration earned him $80,000 and 8 points towards Master of Pwn. All Pwn2Own entries are accompanied by a full whitepaper describing the vulnerabilities being used and how they were exploited. The following blog is an excerpt from that whitepaper detailing CVE-2023-20869 and CVE-2023-20870 with minimal modifications. Prior to being patched by VMware, a pair of vulnerabilities existed within the implementation of the virtual Bluetooth USB device…
  • Open

    Pulseway 9.2: Remote monitoring with workflow automation
    Discover the Pulseway 9.2 update, offering enhanced IT management features, such as policy redesign, workflow automation improvements, remote control enhancements, and more. Pulseway 9.2: Remote monitoring with workflow automation first appeared on 4sysops.  ( 13 min )
  • Open

    LABScon Replay | Does This Look Infected 2 (APT41)
    Mandiant researchers Van Ta and Rufus Brown take us on a journey of discovery into the compromise of multiple U.S. Government networks by APT41.  ( 18 min )
  • Open

    Rigging the Vote: Uniqueness in Verifiable Random Functions
    This blog post presents a whirlwind overview of Verifiable Random Functions (VRFs) as used by several leading-edge blockchains, and shows how a very interesting and recently found implementation oversight causes the VRF’s assurance of uniqueness to fall apart. As VRFs are commonly used for selecting blockchain consensus voting committees, this can result in a rigged […]  ( 67 min )

  • Open

    Blue teaming – it’s DATa complicated…
    A decade ago blue teaming was … easy (this is a really bad joke, I know!). In fairness, we had less targets, less programming languages to deal with, less platforms, […]  ( 18 min )
  • Open

    Medical Devices: A Hardware Security Perspective
    Medical device security is gaining more attention for several reasons. The conversation often gets connected to device safety, that is, the degree to which the risk of patient harm is limited by preventing or controlling for device malfunction. Device security expands the scope of safety by supposing a malicious attacker is causing or exploiting the […]  ( 70 min )
  • Open

    Bug bounties are broken – the story of “i915” bug, ChromeOS + Intel bounty programs, and beyond
    At first, I didn’t plan to write an article about the problems with bug bounty programs. This was supposed to be a standard technical blogpost describing an interesting bug in the Linux Kernel i915 driver allowing for a linear Out-Of-Bound read and write access (CVE-2023-28410). Moreover, I’m not even into bug bounty programs, mostly because […]  ( 21 min )
  • Open

    A More Complete Exploit for Fortinet CVE-2022-42475
    Learn about our unique research focused on CVE-2022-42475 and how an exploit can be built to target a single specific FortiGate appliance running a single specific version of FortiOSbug.  ( 24 min )
  • Open

    How to map a network drive with PowerShell
    If you want to assign a drive letter to file shares via the command line, you can use PowerShell instead of net.exe. The SmbShare module's cmdlets can display, connect, and disconnect shared drives. PowerShell also supports newer SMB features, such as QUIC and Compression. How to map a network drive with PowerShell first appeared on 4sysops.  ( 12 min )

  • Open

    Google Chrome V8 ArrayShift Race Condition Remote Code Execution
    By Javier Jimenez Overview This post describes a method of exploiting a race condition in the V8 JavaScript engine, version 9.1.269.33. The vulnerability affects the following versions of Chrome and Edge: Google Chrome versions between 90.0.4430.0 and 91.0.4472.100. Microsoft Edge versions between 90.0.818.39 and 91.0.864.41. The vulnerability occurs when one of the TurboFan jobs generates a ... Read more Google Chrome V8 ArrayShift Race Condition Remote Code Execution The post Google Chrome V8 ArrayShift Race Condition Remote Code Execution appeared first on Exodus Intelligence.  ( 18 min )
    Why Choose Exodus Intelligence for Enhanced Vulnerability Management?
    In the contemporary digital landscape, vulnerability management teams and analysts are overwhelmed by countless alerts, data streams, and patch recommendations. The sheer volume of information is daunting and frequently misleading. Ideally, the systems generating these alerts should streamline and prioritize the information. While AI systems and products are not yet mature enough to effectively filter ... Read more Why Choose Exodus Intelligence for Enhanced Vulnerability Management?  The post Why Choose Exodus Intelligence for Enhanced Vulnerability Management?  appeared first on Exodus Intelligence.  ( 5 min )
  • Open

    From DA to EA with ESC5
    There’s a new, practical way to escalate from Domain Admin to Enterprise Admin.  ( 15 min )
  • Open

    Decoding the HackerOne Code of Conduct
    As the industry continues to rapidly evolve, it is on HackerOne to try to ensure that we align with the industry norms of Code of Conduct management.  ( 7 min )
  • Open

    ENow Active Directory Monitoring & Reporting
    ENow Active Directory Monitoring & Reporting provides quick, granular visibility into your Active Directory environment so IT pros can proactively mitigate issues before they escalate into major problems for your organization. ENow Active Directory Monitoring & Reporting first appeared on 4sysops.  ( 14 min )
  • Open

    ChatGPT Plugins: Data Exfiltration via Images & Cross Plugin Request Forgery
    This post shows how a malicious website can take control of a ChatGPT chat session and exfiltrate the history of the conversation. Plugins, Tools and Integrations With plugins, data exfiltration can happen by sending too much data into the plugin in the first place. More security controls and insights on what is being sent to the plugin are required to empower users. However, this post is not about sending too much data to a plugin, but about a malicious actor who controls the data a plugin retrieves.  ( 3 min )
  • Open

    Real World Crypto 2023 Recap
    Last month, hundreds of cryptographers descended upon Tokyo for the first Real World Crypto Conference in Asia. As in previous years, we dispatched a handful of our researchers and engineers to present and attend the conference. What sets RWC apart from other conferences is that it strongly emphasizes research, collaborations, and advancements in cryptography that […]  ( 13 min )
  • Open

    LABScon Replay | Malshare: 10 Years of Running a Public Malware Repository
    Silas Cutler, founder of MalShare, explores some of the challenges and rewards of developing and maintaining a free malware repository for researchers.  ( 20 min )
  • Open

    It’s always DNS, here’s why…
    Introduction There’s an old adage in network and Internet support: When something breaks in any network “it was DNS”. Sadly it’s usually true. …or at least it is when you […] It’s always DNS, here’s why… first appeared on Pen Test Partners.  ( 11 min )

  • Open

    Using Docker with NAS and NFS
    To access remote storage from Docker containers, you must understand how Docker works with network-attached storage (NAS) and the Network File System (NFS) protocol. In this guide, I will explore the benefits of using Docker with NAS and NFS, and then I will explain how to set up an NFS share to access it from a Docker container. For demonstration, I will use TrueNAS with NFSv4. Using Docker with NAS and NFS first appeared on 4sysops.  ( 13 min )
  • Open

    Introducing Windows Notification Facility’s (WNF) Code Integrity
    By Yarden Shafir, Senior Security Engineer WNF (Windows Notification Facility) is an undocumented notification mechanism that allows communication inside processes, between processes, or between user mode processes and kernel drivers. Similar to other notification mechanisms like ETW (Event Tracing for Windows) and ALPC (Advanced Local Procedure Call), WNF communication happens over different “channels,” each representing […]  ( 13 min )
  • Open

    NETGEAR Routers: A Playground for Hackers?
    A detailed analysis on multiple vulnerabilities which were identified on the NETGEAR Nighthawk WiFi 6 Router (RAX AX2400) and may exist on other NETGEAR router models.  ( 82 min )
  • Open

    Introducing CS2BR pt. I – How we enabled Brute Ratel Badgers to run Cobalt Strike BOFs
    If you know all about CS, BRC4 and BOFs you might want to skip this introduction and get right into the problem statement. You can also jump right to the solution. Introduction When we conduct Red Team assessments at NVISO, we employ a wide variety of proprietary and open source tools. One central component in … Continue reading Introducing CS2BR pt. I – How we enabled Brute Ratel Badgers to run Cobalt Strike BOFs →  ( 13 min )
    We’re celebrating our 10th anniversary!
    From 5 people to almost 220 people. From working from our founders’ apartment to five offices in four countries. From an unknown challenger to being a reference in multiple fields in cyber security. As a company, NVISO has come a long way since 2013 and we want to take a moment to celebrate what we have accomplished together so far.  ( 7 min )

  • Open

    Indirect Prompt Injection via YouTube Transcripts
    As discussed previously the problem of Indirect Prompt Injections is increasing. They start showing up in many places. A new unique one that I ran across is YouTube transcripts. ChatGPT (via Plugins) can access YouTube transcripts. Which is pretty neat. However, as expected (and predicted by many researches) all these quickly built tools and integrations introduce Indirect Prompt Injection vulnerabilities. Proof of Concept Here is how it looks with ChatGPT end to end with a demo example.  ( 1 min )

  • Open

    Da Li’L World of DLL Exports and Entry Points, Part 6
    I love looking at clusters of files, because it’s the easiest way to find patterns. In the last part of this series I focused on Nullsoft installers (DLLs!) only, and […]  ( 19 min )
    Matlab persistent lolbin – 2 years too late, but always…
    I just realized I have never published a post about lolbinish/persistencish Matlab feature that I referred to in this twit. The Tl;dr; is that Matlab can load a DLL of […]  ( 18 min )
  • Open

    FDA's New Cybersecurity Requirements: Are You Prepared as a Medical Device Manufacturer?
    No content preview  ( 10 min )
  • Open

    Fork off: Three ways to deal with forking processes
    Have you ever tested a Linux application that forks into multiple processes? Isn’t it a pain? Whether you’re debugging, trying to see a process crash, or trying to write an exploit, it can be super duper annoying! In a few days, I’m giving a talk at NorthSec in Montreal. I asked some co-workers to review my slides, and they commented that I have some neat techniques to deal with forking, so I thought I’d share a couple! Spoiler alert: The last one is the best, so you can just skip to that. :)  ( 11 min )
  • Open

    Using AWS Lambda functions with Docker containers
    Back in 2020 at the AWS annual learning conference, re:Invent, one of the big announcements concerned AWS Lambda container image support for Docker and the Open Container Initiative (OCI). AWS Lambda, as a service, has always been popular, with its simple process of uploading code and not having to worry about provisioning servers. However, you might be a company that is invested in container technology, and it is not so easy to utilize Lambda. With the support for Lambda functions with container images, you can now enjoy this functionality. Using AWS Lambda functions with Docker containers first appeared on 4sysops.  ( 19 min )
  • Open

    Enforce Zero Trust in Microsoft 365 – Part 2: Protect against external users and applications
    In the first blog post of this series, we have seen how strong authentication, i.e., Multi-Factor Authentication (MFA), could be enforced for users using a free Azure Active Directory subscription within the Microsoft 365 environment. In this blog post, we will continue to harden the configuration of our Azure AD tenant to enforce Zero Trust … Continue reading Enforce Zero Trust in Microsoft 365 – Part 2: Protect against external users and applications →  ( 10 min )
  • Open

    Netflix MH370: The plane that wasn’t hacked
    I’m a sucker for a good documentary, but the recent Netflix MH370: The Plane That Disappeared had me shouting at the screen. The first episode talks about the most widely […] Netflix MH370: The plane that wasn’t hacked first appeared on Pen Test Partners.  ( 9 min )
  • Open

    Adversarial Prompting: Tutorial and Lab
    To learn more about Prompt Engineering and Prompt Injections I put together this tutorial + lab for myself. It is as a Jupyter Notebook to experiement and play around with this novel attack technique, learn and experiment. The examples reach from simple prompt engineering scenarios, such as changing the output message to a specific text, to more complex adversarial prompt challenges such as JSON object injection, HTML injection/XSS, overwriting mail recipients or orders of an OrderBot and also data exfiltration.  ( 1 min )
  • Open

    Blog - The 2023 SANS Spring Cyber Solutions Fest Is Right Around the Corner
    Spring into the season with SANS and our expert speakers at our Cyber Solutions Fest!  ( 11 min )
    Cybersecurity Jobs: Cybersecurity Analyst/Engineer (Japanese)
    サイバーセキュリティアナリスト/エンジニアの主な業務や、スキルアップのためのSANSのおすすめのコースを紹介します!  ( 8 min )

  • Open

    PE Section names – re-visited, again, in 2023
    In my previous posts I have listed many PE sections present in different types of binaries. Today I am looking at win11 PE sections and am happy to report that […]  ( 18 min )
    An Elf walks into the bar…
    Windows 11’s advapi32.dll includes interesting export functions: ElfBackupEventLogFileA ElfBackupEventLogFileW ElfChangeNotify ElfClearEventLogFileA ElfClearEventLogFileW ElfCloseEventLog ElfDeregisterEventSource ElfFlushEventLog ElfNumberOfRecords ElfOldestRecord ElfOpenBackupEventLogA ElfOpenBackupEventLogW ElfOpenEventLogA ElfOpenEventLogW ElfReadEventLogA ElfReadEventLogW ElfRegisterEventSourceA ElfRegisterEventSourceW ElfReportEventA ElfReportEventAndSourceW ElfReportEventW And I […]  ( 18 min )
  • Open

    Auditing and restricting NTLM authentication using Group Policy
    NTLM is an insecure authentication protocol that is still found in many environments. Using Group Policy and effective logging, admins can audit the environment and restrict the use of NTLM across the domain. Auditing and restricting NTLM authentication using Group Policy first appeared on 4sysops.  ( 13 min )
  • Open

    Hypervisor Ransomware | Multiple Threat Actor Groups Hop on Leaked Babuk Code to Build ESXi Lockers
    Availability of leaked Babuk source code is fuelling a proliferation of file lockers targeting VMware ESXi.  ( 13 min )
  • Open

    A Visual Summary of SANS Small Business Cyber Summit 2023
    SANS Cybersecurity Blog pertaining to a summary of the SANS Small Business Cyber Summit 2023  ( 9 min )

  • Open

    Real World Cryptography Conference 2023 – Part I
    The annual Real World Cryptography Conference organized by the IACR recently took place in Tokyo, Japan. On top of 3 days of excellent talks, RWC was preceded by the 2nd annual FHE.org Conference and the Real World Post-Quantum Cryptography Workshop and followed by the High Assurance Crypto Software Workshop. Nearly all of NCC Group’s Cryptography […]  ( 71 min )
  • Open

    First Time Valid Bugs Smashed in April 2023!
    No content preview  ( 8 min )
  • Open

    ScriptRunner Portal Edition R5—New Query configuration and Action configuration
    ScriptRunner provides a centralized management interface for PowerShell scripts, allowing users, even with little or no scripting experience, to automate IT tasks. The most recent release, ScriptRunner Portal Edition R5, introduces many new refinements to the platform, including the introduction of Query and Action configuration into the portal. ScriptRunner Portal Edition R5—New Query configuration and Action configuration first appeared on 4sysops.  ( 14 min )
  • Open

    C2 and the Docker Dance: Mythic 3.0’s Marvelous Microservice Moves
    Introducing Mythic 3.0 — Title by ChatGPT  ( 21 min )
  • Open

    Video: Prompt Injections - An Introduction
    There are many prompt engineering classes and currently pretty much all examples are vulnerable to Prompt Injections. Especially Indirect Prompt Injections are dangerous as we discussed before. Indirect Prompt Injections allow untrusted data to take control of the LLM (large language model) and give an AI a new instructions, mission and objective. Bypassing Input Validation Attack payloads are natural language. This means there are lots of creative ways an adversary can inject malicious data that bypass input filters and web application firewalls.  ( 1 min )
  • Open

    FOR589: Cybercrime Intelligence
    FOR589: Dark Web Threat Hunting & Blockchain Forensics course teaches students how to hunt for threat intelligence within the cybercriminal underground using Human Intelligence (HUMINT) elicitation techniques and blockchain analytics tools to trace criminal cryptocurrency transactions. Following the completion of the course, each student will be prepared to social engineer cybercriminals, produce dark web intelligence, provide unique intelligence support to incident response cases, extract cryptocurrency artifacts from mobile and computer devices, negotiate with ransomware operators on behalf of a client, support Law Enforcement partners with attribution efforts, and investigate Anti-Money Laundering (AML) cases involving cryptocurrency transactions on and off the Blockchain.  ( 16 min )
    Blog - Stronger Together: Recapping RSA Conference 2023
    SANS Institute cements its position as a thought leader in cybersecurity at one of the biggest infosec gatherings of the year.  ( 11 min )

  • Open

    Prove Your Worth: How to Measure Cybersecurity ROI and Impress Your Board
    No content preview  ( 8 min )
  • Open

    Move a VM from XenServer to Hyper-V with StarWind V2V Converter
    This guide drives you through the procedure of moving a VM from XenServer to a Hyper-V running on Windows Server 2022 with the free tool StarWind V2V Converter. For a guest OS, we use Windows Server 2019. Move a VM from XenServer to Hyper-V with StarWind V2V Converter first appeared on 4sysops.  ( 13 min )
  • Open

    The May 2023 Security Update Review
    It’s patch Tuesday once again, and Adobe and Microsoft have released their monthly batch of security updates. Take a break from your regularly scheduled activities and join us as we review the details of the latest offerings from Microsoft and Adobe. If you’d rather watch the video recap, you can check out the Patch Report webcast on our YouTube channel. Adobe Patches for May 2023 For May, Adobe released a single bulletin for Substance 3D Painter addressing 11 Critical-rated and 3 Important-rated vulnerabilities. All of these bugs were found and reported by ZDI vulnerability researcher Mat Powell. The most severe of these issues would allow an attacker to execute arbitrary code on an affected system if they can convince a user to open a specially-crafted file. None of the bugs fixed by Ado…

  • Open

    Protecting Critical Infrastructure: A Tale of Two National Cybersecurity Strategies
    The term “special relationship,” coined by Winston Churchill, describes the close, longstanding alliance between the United States and the United Kingdom. It has been applied to cooperation during war, to trade and commerce, and even to intelligence sharing. That special relationship has clearly influenced the two nations’ recent policy papers on national cybersecurity. The U.K. […] The post Protecting Critical Infrastructure: A Tale of Two National Cybersecurity Strategies appeared first on Synack.  ( 7 min )

  • Open

    Scoping Adventures: How to Get the Most Out of Your Synack Pentesting
    Scoping Adventures is a series of blogs about some of the more interesting penetration tests that the Synack Customer Success teams have worked on over the last few months. Each blog outlines how we engage with the client to achieve the best results from a pentest. Pentesters love colors—red, blue, purple, black, white and grey […] The post Scoping Adventures: How to Get the Most Out of Your Synack Pentesting appeared first on Synack.  ( 11 min )

  • Open

    Applying Strategic Thinking in Your Pentesting Program
    The Synack Platform & Five Pillars of Strategic Pentesting Why You Need to Think Strategically It’s no great revelation that tactics, techniques, and procedures utilized by nefarious hackers hacking activities are evolving on a daily basis. In 2022, 18,828 common vulnerabilities and exposures (CVEs) were published. At the same time, organization attack surfaces are expanding. […] The post Applying Strategic Thinking in Your Pentesting Program appeared first on Synack.  ( 7 min )

  • Open

    The U.S. has a new cybersecurity strategy. What’s next for CISOs?
    One week ago, the Biden administration unveiled its long-awaited U.S. National Cybersecurity Strategy, with an eye toward centralizing government cyber resources and holding IT vendors more accountable for their digital defenses. Now that the ink is dry on the 35-page document, top officials like Acting National Cyber Director Kemba Walden are busy putting it into […] The post The U.S. has a new cybersecurity strategy. What’s next for CISOs? appeared first on Synack.  ( 7 min )

  • Open

    Sorry, No Case Studies—But . . .
    A friend of the site recently suggested that we create a current-issue case study using our updated risk discovery approach. “It’s a great idea,” we replied and immediately started kicking around ideas.

  • Open

    The Pointillism of Daily Events
    Nicholas Baker’s book Human Smoke brilliantly illustrates a unique approach to historical narrative. It also underscores the need to remember that every artist paints with intent.

  • Open

    Getting Ready for What’s Next
    In this new age of giant monsters, advanced awareness of classical surprise—that one big tipping moment—no longer suffices.

  • Open

    Manage Your ‘Free Cells’ Mindfully
    Accommodate but don’t fight the limitations you can’t control, recognize those you can influence and leverage, and don't imagine you have more free cells than you actually do.

  • Open

    Popski’s Planning
    British officer Vladimir Peniakoff’s approach to planning might sound a bit unorthodox at first, but it aligns nicely with Patton’s view of intelligence and speaks to an enduring need to understand front-line conditions.

  • Open

    Time for a New Game Board
    We need a more flexible game board where players can explore hypergame strategies—in other words, a game board where the strategist can play the hero for a change. We’ve built it.

  • Open

    The Survivors Exceeded the Minimum
    Not every surprise is a cunning thunderbolt. Some surprises creep up slowly, rusting away former resilience until a simple nudge reveals the rot.
2023-06-08T00:43:55.049Z osmosfeed 1.15.1