#research

ALPACA Attack: Application Layer Protocol Confusion - Analyzing and mitigating Cracks in tls Authentication.

# https://alpaca-attack.com/
# https://thehackernews.com/2021/06/new-tls-attack-lets-attackers-launch.html

# https://github.com/RUB-NDS/alpaca-code/

Beginners Guide to 0day/CVE AppSec Research

Walks through finding open-source web apps, environment setup, debugging for vulns, creating a Blind SQL time-based exploit, and publishing to @ExploitDB/MITRE CVE

https://0xboku.com/2021/09/14/0dayappsecBeginnerGuide.html

#appsec #0day #research

Executing Code Using Microsoft Teams Updater

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/executing-code-using-microsoft-teams-updater/

#teams #redteam #research

Redash Exploiting (CVE-2021-41192)

Redash is a package for data visualization and sharing.
If an admin sets up Redash versions 10.0.0 and prior without explicitly specifying the REDASH_COOKIE_SECRET or REDASH_SECRET_KEY environment variables, a default value is used for both that is the same across all installations. In such cases, the instance is vulnerable to attackers being able to forge sessions using the known default value.

https://ian.sh/redash

#redash #cve #research

Undetected Azure AD Bruteforce Attack

In late June 2021, Secureworks Counter Threat Unit researchers discovered a flaw in the protocol used by the Azure Active Directory Seamless Single Sign-On feature. This flaw allows threat actors to perform single-factor brute-force attacks against Azure Active Directory (Azure AD) without generating sign-in events in the targeted organization’s tenant.

PoC:
https://github.com/treebuilder/aad-sso-enum-brute-spray

Research:
https://www.secureworks.com/research/undetected-azure-active-directory-brute-force-attacks

#sso #azure #ad #bruteforce #research

An ‘Attack Path’ Mapping Approach to CVEs 2021-42287 and 2021-42278

This post provides Splunk SPL queries for detecting the attacks described in Charlie’s blog, using only Windows Security Log events from a domain controller. Furthermore, this post only examines a subset of the Windows Event logging data source

https://www.trustedsec.com/blog/an-attack-path-mapping-approach-to-cves-2021-42287-and-2021-42278

#ad #pac #s4u2self #research #escalation

Cobalt Strike, a Defender’s Guide

In this research, exposes adversarial Tactics, Techniques and Procedures (TTPs) as well as the tools use to execute mission objectives. In most of cases, the threat actors utilizing Cobalt Strike. Therefore, defenders should know how to detect Cobalt Strike in various stages of its execution. The primary purpose of this articles is to expose the most common techniques from the intrusions track and provide detections. Having said that, not all of Cobalt Strike’s features will be discussed.

# https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
# https://thedfirreport.com/2022/01/24/cobalt-strike-a-defenders-guide-part-2/

#cobaltstrike #research #blueteam

Exploring Windows UAC Bypasses

https://elastic.github.io/security-research/whitepapers/2022/02/03.exploring-windows-uac-bypass-techniques-detection-strategies/article/

#windows #uac #bypass #research

Zabbix SAML Authentication Bypass (CVE-2022-23131)

Research:
https://blog.sonarsource.com/zabbix-case-study-of-unsafe-session-storage

PoC:
https://github.com/jweny/zabbix-saml-bypass-exp

#zabbix #research #auth #bypass #cve

Critical Remote Code Execution Vulnerabilities in Windows RPC Runtime (CVE-2022-26809)

https://www.akamai.com/blog/security/critical-remote-code-execution-vulnerabilities-windows-rpc-runtime

#windows #rpc #rce #research

SID filter as security boundary between domains?

Microsoft states that "the forest (not the domain) is the security boundary in an Active Directory implementation", meaning that Domain Admins of a child domain is essentially as privileged as Enterprise Admins in a root domain and will have administrative rights in all domains of the forest. Why? We guessed that the default trust between domains inside a forest enables any child domain to trick the root domain to treat child domain users as Enterprise Admins by abusing the SID history (ExtraSids) functionality – this attack/technique is known as "Access Token Manipulation: SID-History Injection" and is explained in a later part of this series.

Kerberos authentication explained (Part 1)
Known AD attacks - from child to parent (Part 2)
SID filtering explained (Part 3)
Bypass SID filtering research (Part 4)
Golden GMSA trust attack - from child to parent (Part 5)
Schema change trust attack - from child to parent (Part 6)
Trust account attack - from trusting to trusted (Part 7)

#ad #trust #kerberus #research

Microsoft Sharepoint RCE (CVE-2022-22005)

https://hnd3884.github.io/posts/cve-2022-22005-microsoft-sharepoint-RCE/

#sharepoint #rce #cve #research

A blueprint for evading industry leading endpoint protection in 2022

In this post, I’d like to lay out a collection of techniques that together can be used to bypassed industry leading enterprise endpoint protection solutions. This is purely for educational purposes for (ethical) red teamers and alike, so I’ve decided not to publicly release the source code. The aim for this post is to be accessible to a wide audience in the security industry, but not to drill down to the nitty gritty details of every technique. Instead, I will refer to writeups of others that deep dive better than I can:

https://vanmieghem.io/blueprint-for-evading-edr-in-2022/

#av #edr #evasion #research

💉 From Process Injection to Function Hijacking

This post about FunctionHijacking, a "new" process injection technique built upon Module/Function Stomping, along with experiments to break behavioral based detection of other common process injection techniques.

https://klezvirus.github.io/RedTeaming/AV_Evasion/FromInjectionToHijacking/

#av #evasion #maldev #redteam #research

🔐 Credential Guard Bypass

The well-known WDigest module, which is loaded by LSASS, has two interesting global variables: g_IsCredGuardEnabled and g_fParameter_UseLogonCredential. Their name is rather self explanatory, the first one holds the state of Credential Guard within the module, the second one determines whether clear-text passwords should be stored in memory. By flipping these two values, you can trick the WDigest module into acting as if Credential Guard was not enabled.

Research:
https://itm4n.github.io/credential-guard-bypass/

PoC:
https://github.com/itm4n/Pentest-Windows/blob/main/CredGuardBypassOffsets/poc.cpp

#lsass #wdigest #credential #guard #research

😈 Fortinet RCE (CVE-2022-40684)

Fortinet recently patched a critical authentication bypass vulnerability in their FortiOS, FortiProxy, and FortiSwitchManager projects (CVE-2022-40684). This vulnerability gives an attacker the ability to login as an administrator on the affected system.

Shodan Dork:
product:"Fortinet FortiGate"

Research:
https://www.horizon3.ai/fortios-fortiproxy-and-fortiswitchmanager-authentication-bypass-technical-deep-dive-cve-2022-40684/

PoC:
https://github.com/horizon3ai/CVE-2022-40684

Detection for SOC:
https://www.horizon3.ai/fortinet-iocs-cve-2022-40684/

#fortinet #rce #research #poc #exploit

Довольно интересный анализ на примере Аваста

Hooking System Calls in Windows 11 22H2 like Avast Antivirus. Research, analysis and bypass

https://the-deniss.github.io/posts/2022/12/08/hooking-system-calls-in-windows-11-22h2-like-avast-antivirus.html

#research #redteam

☁️ Obtaining Domain Admin from Azure AD by abusing Cloud Kerberos Trust

In this blog we will look at how this trust can be abused by an attacker that obtains Global Admin in Azure AD, to elevate their privileges to Domain Admin in environments that have the Cloud Kerberos Trust set up. Since this technique is a consequence of the design of this trust type, the blog will also highlight detection and prevention measures admins can implement.

https://dirkjanm.io/obtaining-domain-admin-from-azure-ad-via-cloud-kerberos-trust

#ad #azure #kerberos #research