Tarrask malware uses scheduled tasks for defense evasion
As Microsoft continues to track the high-priority state-sponsored threat actor HAFNIUM, new activity has been uncovered that leverages unpatched zero-day vulnerabilities as initial vectors. The Microsoft Detection and Response Team (DART), in collaboration with the Microsoft Threat Intelligence Cent...
ICMP-TransferTools - Transfer Files To And From A Windows Host Via ICMP In Restricted Network Environments
ICMP-TransferTools is a set of scripts designed to move files to and from Windows hosts in restricted network environments. This is accomplished using a total of 4 different files, consisting of a Python server and PowerShell client for each transfer direction (Download & Upload). The only dependen...
Chinese APT group targets financial institutions in the campaign “Operation Cache Panda”
THREAT LEVEL: Red. For a detailed advisory, download the pdf file here Chinese threat actor APT10 conducted a series of large-scale supply chain attacks that exclusively targeted the financial software systems of Taiwanese financial institutions from the end of November 2021 until the middle of...
Exploit for CVE-2021-1675
CVE-2021-1675 / CVE-2021-34527 Impacket implementation of the...
LDAP-Password-Hunter - Password Hunter In The LDAP Infamous Database
It happens that, due to legacy service requirements or just bad security practices, passwords are world-readable in the LDAP database by any user who is able to authenticate. LDAP Password Hunter is a tool which wraps features of getTGT.py (Impacket) and ldapsearch in order to look up for password...
wmiexec-RegOut - Modified Version Of Impacket Wmiexec.Py, Get Output (Data, Response) From Registry, Doesn't Need SMB Connection, Also Bypasses Antivirus Software In Lateral Movement Like WMIHACKER
Modified version of Impacket wmiexec.py and wmipersist.py. Gets output data (the response) from the registry, so no SMB connection is needed, but I'm in the bad code : Special thanks to: @rootclay, wechat: xiangshan Overview In the original wmiexec.py, it gets the response from the SMB connection on ports 445/139. Unfortunately, some...
Kerbrute - A Script To Perform Kerberos Bruteforcing By Using Impacket
A script to perform Kerberos bruteforcing by using the Impacket library. When executed, it receives as input a user or list of users and a password or list of passwords. Then it performs a brute-force attack to enumerate: Valid username/password pairs Valid usernames Usernames without...
Update on WhisperGate, Destructive Malware Targeting Ukraine – Threat Intelligence & Protections Update
Update on WhisperGate, Destructive Malware Targeting Ukraine – Threat Intelligence & Protections Update By Taylor Mullins, Mo Cashman and Raj Samani · January 20, 2022 Recent news reports of a “ransomware” campaign targeting Ukraine has resulted in significant press coverage regarding not only...
Destructive malware targeting Ukrainian organizations
Microsoft Threat Intelligence Center (MSTIC) has identified evidence of a destructive malware operation targeting multiple organizations in Ukraine. This malware first appeared on victim systems in Ukraine on January 13, 2022. Microsoft is aware of the ongoing geopolitical events in Ukraine and...
Metasploit Wrap-Up
Dump Windows secrets from Active Directory This week, our very own Christophe De La Fuente added an important update to the existing Windows Secret Dump module. It is now able to dump secrets from Active Directory, which will be very useful for Metasploit users. This new feature uses the Director...
Lsarelayx - NTLM Relaying For Windows Made Easy
lsarelayx is a system-wide NTLM relay tool designed to relay incoming NTLM-based authentication to the host it is running on. lsarelayx will relay any incoming authentication request, which includes SMB. Since lsarelayx hooks into existing application authentication flows, the tool will also attempt...
Exploit for CVE-2021-42278
Pachine Python implementation for CVE-2021-42278 Active Dire...
Exploit for CVE-2021-1675
Impacket implementation of CVE-2021-1675...
DonPAPI - Dumping DPAPI Credz Remotely
Dumping relevant information on compromised targets without AV detection DPAPI dumping Lots of credentials are protected by DPAPI. We aim at locating those "secured" credentials, and retrieving them using : User password Domain DPAPI BackupKey Local machine DPAPI Key protecting TaskScheduled blob...
PKINITtools - Tools For Kerberos PKINIT And Relaying To AD CS
This repository contains some utilities for playing with PKINIT and certificates. The tools are built on minikerberos and impacket. Accompanying blogpost with more context: https://dirkjanm.io/ntlm-relaying-to-ad-certificate-services/ Installation These tools are only compatible with Python 3.5+...
Exploit for CVE-2021-1675
C and Impacket implementation of PrintNightmare CVE-2021-1675/CVE-2021-34527...
Exploit for CVE-2021-1675
PrintNightmare Python implementation for PrintNightmare CVE-...
The vulnerability of the smbserver.py component in the Python3 Impacket networking module, related to name mangling for path restrictions, allows a hacker to gain access to sensitive data, compromise its integrity, and cause service failures.
The vulnerability of the smbserver.py component in the Python3 Impacket networking module is related to incorrect processing of the "../" path. Exploiting this vulnerability can allow an attacker to gain access to confidential data, compromise its integrity, and cause service failures...