Investigating a SharePoint Compromise: IR Tales from the Field
Executive summary: Rapid7’s Incident Response team recently investigated a Microsoft Exchange service account with domain administrator privileges. Our investigation uncovered an attacker who accessed a server without authorization and moved laterally across the network, compromising the entire...
Analysis of the Crypt Ghouls group: continuing the investigation into a series of attacks on Russia
Last December, we discovered a new group targeting Russian businesses and government agencies with ransomware. Further investigation into this group's activity suggests a connection to other groups currently targeting Russia. We have seen overlaps not only in indicators of compromise and tools, b...
Exploit for Use of Password Hash With Insufficient Computational Effort in Redhat Enterprise_Linux
CVE-2024-3183-POC POC for CVE-2024-3183 FreeIPA Rosting Imp...
OPENSUSE-SU-2024:14142-1 python310-impacket-0.11.0-3.3 on GA media
These are all security issues fixed in the python310-impacket-0.11.0-3.3 package on the GA media of openSUSE Tumbleweed...
OPENSUSE-SU-2024:13200-1 python310-impacket-0.11.0-2.1 on GA media
These are all security issues fixed in the python310-impacket-0.11.0-2.1 package on the GA media of openSUSE Tumbleweed...
Go-Secdump - Tool To Remotely Dump Secrets From The Windows Registry
Package go-secdump is a tool built to remotely extract hashes from the SAM registry hive as well as LSA secrets and cached hashes from the SECURITY hive without any remote agent and without touching disk. The tool is built on top of the library go-smb and uses it to communicate with the Windows...
NTLM Relay Gat - Powerful Tool Designed To Automate The Exploitation Of NTLM Relays
NTLM Relay Gat is a powerful tool designed to automate the exploitation of NTLM relays using ntlmrelayx.py from the Impacket tool suite. By leveraging the capabilities of ntlmrelayx.py, NTLM Relay Gat streamlines the process of exploiting NTLM relay vulnerabilities, offering a range of...
ToddyCat is making holes in your infrastructure
We continue covering the activities of the APT group ToddyCat. In our previous article, we described LoFiSe and PcExter, tools for collecting and exfiltrating files. This time, we have investigated how attackers obtain constant access to compromised infrastructure, what information on the hosts th...
Microsoft Windows 10.0.17763.5458 Privilege Escalation
Exploit Title : EXPLOIT Microsoft Windows Kernel Exposed IOCTL with Insufficient Access Control Vulnerability CVE-2024-21338 This module requires Metasploit: https://metasploit.com/download Author : E1.Coders Contact : E1.Coders at Mail dot RU Security Risk : High require 'msf/core' class...
MultiDump - Post-Exploitation Tool For Dumping And Extracting LSASS Memory Discreetly
MultiDump is a post-exploitation tool written in C for dumping and extracting LSASS memory discreetly, without triggering Defender alerts, with a handler written in Python. Blog post: https://xre0us.io/posts/multidump MultiDump supports LSASS dump via ProcDump.exe or comsvc.dll, it offers two...
RedCurl Cybercrime Group Abuses Windows PCA Tool for Corporate Espionage
The Russian-speaking cybercrime group called RedCurl is leveraging a legitimate Microsoft Windows component called the Program Compatibility Assistant (PCA) to execute malicious commands. "The Program Compatibility Assistant Service (pcalua.exe) is a Windows service designed to identify and address...
Living off the land with native SSH and split tunnelling
TL;DR: Attackers can use Microsoft native SSH client to forward out internal network traffic. Windows native SSH is common. The attack only needs minimal set-up and commands. Quicker and more cost effective for an attacker than using C2 infrastructure. Reduces likelihood of Blue team detection...
Exploit for CVE-2021-42278
This is a Python script for exploiting CVE-2021-42278 and CVE-2021-42287 to impersonate a Domain Administrator (DA) from a standard domain user. The script uses the Impacket library to interact with the Active Directory. The script has several components: 1. samtheadmin.py: This is the main script...
Exploit for Improper Input Validation in Microsoft
CVE-2024-21413 | Microsoft Outlook Remote Code Execution Vulne...
WebCatalog 48.4 Arbitrary Protocol Execution / Code Execution
Exploit Title: WebCatalog 48.4 - Arbitrary Protocol Execution Date: 9/27/2023 Exploit Author: ItsSixtyN3in Vendor Homepage: https://webcatalog.io/en/ Software Link: https://cdn-2.webcatalog.io/webcatalog/WebCatalog%20Setup%2052.3.0.exe Version: 48.4.0 Tested on: Windows CVE : CVE-2023-42222...
CERT-UA Uncovers New Malware Wave Distributing OCEANMAP, MASEPIE, STEELHOOK
The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of a new phishing campaign orchestrated by the Russia-linked APT28 group to deploy previously undocumented malware such as OCEANMAP, MASEPIE, and STEELHOOK to harvest sensitive information. The activity, which was detected by the...
Exploit for Time-of-check Time-of-use (TOCTOU) Race Condition in Microsoft
PoC for the ThemeBleed CVE-2023-38146 exploit Windows 11 Them...
New Report Uncovers 3 Distinct Clusters of China-Nexus Attacks on Southeast Asian Government
An unnamed Southeast Asian government has been targeted by multiple China-nexus threat actors as part of espionage campaigns targeting the region over extended periods of time. "While this activity occurred around the same time and in some instances even simultaneously on the same victims'...
Spacecolon Toolset Fuels Global Surge in Scarab Ransomware Attacks
A malicious toolset dubbed Spacecolon is being deployed as part of an ongoing campaign to spread variants of the Scarab ransomware across victim organizations globally. "It probably finds its way into victim organizations by its operators compromising vulnerable web servers or via brute forcing R...
MSSqlPwner - An Advanced And Versatile Pentesting Tool Designed To Seamlessly Interact With MSSQL Servers And Based On Impacket
MSSqlPwner is an advanced and versatile pentesting tool designed to seamlessly interact with MSSQL servers and based on Impacket. The MSSqlPwner tool empowers ethical hackers and security professionals to conduct comprehensive security assessments on MSSQL environments. With MSSqlPwner, users can...