
3059 matches found

Kitploit
added 2018/03/11 8:26 p.m., 9 views

CredsLeaker - Tool to Display A Powershell Credentials Box

This script will display a powershell credentials box that will ask the user for his credentials. The box cannot be closed (only by killing the process) and will keep checking the credentials against the DC. When validated, it will close and leak it to a web server outside. How To: 1. Start a web...

7.2 AI score
Exploits: 0, References: 1
Securelist
added 2018/03/09 5:00 p.m., 52 views

Masha and these Bears

Sofacy, also known as APT28, Fancy Bear, and Tsar Team, is a prolific, well resourced, and persistent adversary. They are sometimes portrayed as wild and reckless, but as seen under our visibility, the group can be pragmatic, measured, and agile. Our previous post on their 2017 activity stepped...

7.9 AI score
Exploits: 0
ThreatPost
added 2018/03/09 12:11 p.m., 11 views

Sofacy APT Adopts New Tactics and Far East Targets

CANCUN, Mexico – A new analysis of the Russian-speaking Sofacy APT gang shows a continual march toward Far East targets and overlapping of activities with other groups such as Lamberts, Turla and Danti. Researchers at Kaspersky Lab this morning at its Security Analyst Summit, released their updat...

0.9 AI score
Exploits: 0
Prion
added 2018/03/08 10:29 p.m., 9 views

Command injection

A remote code execution issue was discovered in Zoho ManageEngine Applications Manager before 13.6 build 13640. The publicly accessible testCredential.do endpoint takes multiple user inputs and validates supplied credentials by accessing a specified system. This endpoint calls several internal...

10 CVSS, 9.7 AI score, 0.86279 EPSS
Exploits: 8, References: 6, Affected Software: 1
OSV
added 2018/03/08 10:29 p.m., 0 views

CVE-2018-7890

A remote code execution issue was discovered in Zoho ManageEngine Applications Manager before 13.6 build 13640. The publicly accessible testCredential.do endpoint takes multiple user inputs and validates supplied credentials by accessing a specified system. This endpoint calls several internal...

9.8 CVSS, 6.3 AI score, 0.86279 EPSS
Exploits: 8, References: 6
Cvelist
added 2018/03/08 10:00 p.m., 12 views

CVE-2018-7890

A remote code execution issue was discovered in Zoho ManageEngine Applications Manager before 13.6 build 13640. The publicly accessible testCredential.do endpoint takes multiple user inputs and validates supplied credentials by accessing a specified system. This endpoint calls several internal...

9.9 AI score, 0.86279 EPSS
Exploits: 8, References: 6
Metasploit
added 2018/03/07 8:54 p.m., 22 views

ManageEngine Applications Manager Remote Code Execution

This module exploits a command injection vulnerability in the ManageEngine Application Manager product. An unauthenticated user can execute an operating system command under the context of a privileged user. Publicly accessible testCredential.do endpoint takes multiple user inputs and validates suppli...

9.8 CVSS, 8 AI score, 0.86279 EPSS
Exploits: 8
0day.today
added 2018/03/07 12:00 a.m., 27 views

Eclipse Equinoxe OSGi Console Command Execution Exploit

This Metasploit module exploits the Eclipse Equinoxe OSGi Open Service Gateway initiative console fork command to execute arbitrary commands on the remote system. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework requi...

7.9 AI score
Exploits: 0
Metasploit
added 2018/03/05 7:25 p.m., 27 views

GitStack Unsanitized Argument RCE

This module exploits a remote code execution vulnerability that exists in GitStack through v2.3.10, caused by an unsanitized argument being passed to an exec function call. This module has been tested on GitStack v2.3.10. This module requires Metasploit: https://metasploit.com/download Current...

9.8 CVSS, 0.8 AI score, 0.86574 EPSS
Exploits: 9
Kitploit
added 2018/02/23 8:29 p.m., 34 views

Revoke-Obfuscation - PowerShell Obfuscation Detection Framework

Revoke-Obfuscation is a PowerShell v3.0+ compatible PowerShell obfuscation detection framework. Authors Daniel Bohannon @danielhbohannon Lee Holmes @LeeHomes Research Blog Post: https://www.fireeye.com/blog/threat-research/2017/07/revoke-obfuscation-powershell.html White Paper:...

7.3 AI score
Exploits: 0, References: 3
Kitploit
added 2018/02/23 1:00 p.m., 25 views

Invoke-Obfuscation - PowerShell Obfuscator

Invoke-Obfuscation is a PowerShell v2.0+ compatible PowerShell command and script obfuscator. Purpose Attackers and commodity malware have started using extremely basic obfuscation techniques to hide the majority of the command from the command line arguments of powershell.exe. I developed this...

7.9 AI score
Exploits: 0, References: 1
Talos Blog
added 2018/02/23 9:40 a.m., 64 views

Threat Round Up for Feb 16 - 23

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between February 16 and February 23. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior...

6.5 AI score
Exploits: 0
Check Point Advisories
added 2018/02/21 12:00 a.m., 0 views

Invoke-Mimikatz Memory Injection Credential Harvesting

Mimikatz is a post-exploitation tool used to perform credential harvesting on a Windows machine. An attacker can use Powershell in order to inject and run Mimikatz into the system's memory...

4.3 AI score
Exploits: 0
Imperva Blog
added 2018/02/20 4:40 p.m., 49 views

New Research: Crypto-mining Drives Almost 90% of All Remote Code Execution Attacks

It’s early in 2018 and we have already witnessed one of the top contenders in this year’s web application attacks. Continuing the trend from the last months of 2017, crypto-mining malware is quickly becoming attackers’ favorite modus operandi. In December 2017, 88 percent of all remote code...

8.1 AI score
Exploits: 0
FireEye
added 2018/02/15 4:30 p.m., 168 views

CVE-2017-10271 Used to Deliver CryptoMiners: An Overview of Techniques Used Post-Exploitation and Pre-Mining

Introduction FireEye researchers recently observed threat actors abusing CVE-2017-10271 to deliver various cryptocurrency miners. CVE-2017-10271 is a known input validation vulnerability that exists in the WebLogic Server Security Service WLS Security in Oracle WebLogic Server versions 12.2.1.2.0...

9.3 CVSS, 8.6 AI score, 0.94439 EPSS
Exploits: 95, References: 4
ThreatPost
added 2018/02/15 12:31 p.m., 98 views

Word-based Malware Attack Doesn’t Use Macros

Typically, inbox-based attacks that include malicious Microsoft Office attachments require adversaries to trick users into enabling macros. But researchers say they have identified a new malicious email campaign that uses booby-trapped Office attachments that are macro-free. The attacks do not...

9.3 CVSS, 0.94354 EPSS
Exploits: 33, References: 4
FireEye
added 2018/02/15 11:30 a.m., 1669 views

CVE-2017-10271 Used to Deliver CryptoMiners: An Overview of Techniques Used Post-Exploitation and Pre-Mining

Introduction FireEye researchers recently observed threat actors abusing CVE-2017-10271 to deliver various cryptocurrency miners. CVE-2017-10271 is a known input validation vulnerability that exists in the WebLogic Server Security Service WLS Security in Oracle WebLogic Server versions 12.2.1.2.0...

9.3 CVSS, 8.6 AI score, 0.94439 EPSS
Exploits: 95
Metasploit
added 2018/02/13 10:38 p.m., 23 views

Eclipse Equinox OSGi Console Command Execution

Exploit Eclipse Equinox OSGi Open Service Gateway initiative console 'fork' command to execute arbitrary commands on the remote system. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'base64' class...

1 AI score
Exploits: 0
Kitploit
added 2018/02/07 1:00 p.m., 25 views

Grouper - A PowerShell script for helping to find vulnerable settings in AD Group Policy

Grouper is a slightly wobbly PowerShell module designed for pentesters and redteamers although probably also useful for sysadmins which sifts through the usually very noisy XML output from the Get-GPOReport cmdlet part of Microsoft's Group Policy module and identifies all the settings defined in...

6.6 AI score
Exploits: 0, References: 1
Talos Blog
added 2018/02/06 9:48 p.m., 32 views

Targeted Attacks In The Middle East

This blog post is authored by Paul Rascagneres with assistance of Martin Lee. Executive Summary Talos has identified targeted attacks affecting the Middle East. This campaign contains the following elements, which are described in detail in this article. The use of allegedly confidential decoy...

6.8 AI score
Exploits: 0