pentest   3820

Windows C++ app hosts CLR 4 and invokes .NET assembly (CppHostCLR) sample in C#, C++ for Visual Studio 2010
The code sample uses the CLR 4 hosting APIs to host CLR in a native C++ project, load and invoke .NET assemblies.
postexploitation  malware  pentest 
yesterday by whip_lash
AppLocker CLM Bypass via COM – MDSec
I won’t cover the internals of this code here (I recommend you read through Microsoft’s post here if you are interested), but the end-result is that the DLL will load the .NET CLR, followed by a .NET assembly, and pass execution to the specified method.

With this completed, we now have access to .NET, and more importantly, .NET’s reflective capability. Next we need to figure out just where Constrained Language Mode’s on/off switch is.
applocker  postexploitation  windows  pentest 
yesterday by whip_lash
Concealing Network Traffic via Google Translate | Running the Gauntlet
This translate proxying method is often used by the malware if their domain or IP is blocked. The malware uses either Google Translate, Bing Translator, or Yahoo! Babel Fish for this purpose. The malware sends HTTP GET requests using the following strings, where *URL* is the URL they wish to access.
malware  pentest  proxy  google 
2 days ago by whip_lash
SySS-Research/Seth: Perform a MitM attack and extract clear text credentials from RDP connections
Perform a MitM attack and extract clear text credentials from RDP connections - SySS-Research/Seth
RDP  mitm  attack  pentest 
2 days ago by plaxx
HTTP Proxy Authentication for Malware | Strategic Cyber LLC
The proxy username and password, when stored in the credential store, are available to any application that runs as the current user. If my target uses Internet Explorer and uses the Remember my credentials option to save retyping, then Meterpreter and Beacon get a free pass to authenticate and communicate through the configured proxy server—no code changes required. Better, these remembered credentials survive a reboot too.
proxy  pentest 
2 days ago by whip_lash
Research on CMSTP.exe – MSitPros Blog
Whenever I have a chance I use my time diving into Windows internal binaries to uncover hidden functionality. This blogpost is dedicated to things I have discovered with the CMSTP.exe binary file.
I found a UAC Bypass using sendkeys and a way to load DLL files from a Webdav server.
pentest  postexploitation  evasion  uac 
3 days ago by whip_lash
Anti-forensic and File-less Malware - Malware - 0x00sec - The Home of the Hacker
One of the most advantageous attributes for a malware to have is survival as a means to maintain persistence and to evade detection by security solutions. Since developing a full-blown piece of malware requires expensive resources, this trait becomes increasingly desirable to continuously remain unknown and undetected.
malware  pentest  tutorial 
3 days ago by whip_lash
GitHub - pwndizzle/c-sharp-memory-injection: A set of scripts that demonstrate how to perform memory injection in C#
A set of scripts that demonstrate how to perform memory injection.

I've tried to make these techniques as simple and opsec safe as possible, avoiding unnecessary memory modifications, process or file creation. I'm no C# expert or memory injection guru so use these examples at your own risk :)
c#  pentest  postexploitation 
3 days ago by whip_lash
In the example below I demonstrate the ability to load an arbitrary exe into csi.exe. This can be loaded from a basic text file. This is done on a PC running Windows Device Guard.
c#  windows  pentest  deviceguard 
3 days ago by whip_lash
From blind XXE to root-level file read access | Honoki
Below, I will outline the thought process that helped me make sense of what I encountered, and that in the end allowed me to elevate what seemed to be a medium-criticality vulnerability into a critical finding.

I will put deliberate emphasis on the various error messages that I encountered in the hope that it can point others in the right direction in the future.
java  security  xxe  pentest 
4 days ago by whip_lash
Detecting reflective DLL loading with Windows Defender ATP - Microsoft Secure
A crucial aspect of reflectively loading a DLL is to have executable memory available for the DLL code. This can be accomplished by taking existing memory and changing its protection flags or by allocating new executable memory. Memory procured for DLL code is the primary signal we use to identify reflective DLL loading.

In Windows 10 Creators Update, we instrumented function calls related to procuring executable memory, namely VirtualAlloc and VirtualProtect, which generate signals for Windows Defender Advanced Threat Protection (Windows Defender ATP). Based on this instrumentation, we’ve built a model that detects reflective DLL loading in a broad range of high-risk processes, for example, browsers and productivity software.
malware  pentest 
4 days ago by whip_lash
Reflective DLL Injection with PowerShell | clymb3r
The script currently allows you to load a DLL from a local file (and execute it remotely) or retrieve the DLL from a URL. It is also possible and easy to modify the script with a hardcoded DLL byte array; I recommend doing this for any DLL you plan on using often.
powershell  malware  pentest 
4 days ago by whip_lash