
3059 matches found

FireEye
added 2017/07/27 8:00 p.m., 26 views

Revoke-Obfuscation: PowerShell Obfuscation Detection Using Science

Many attackers continue to leverage PowerShell as a part of their malware ecosystem, mostly delivered and executed by malicious binaries and documents. Of malware that uses PowerShell, the most prevalent use is the garden-variety stager: an executable or document macro that launches PowerShell to...

1.2 AI score
Exploits: 0

Veeam
added 2017/07/27 12:00 a.m., 108 views

Powershell: Cannot connect to backup server because some of its components are out of date

Challenge Connect-VBRServer PowerShell cmdlet fails with the error: Connect-VBRServer : Cannot connect to backup server because some of its components are out of date. Cause This issue occurs when the Veeam Backup & Replication Console files on the remote machine where the command was run do not...

7.2 AI score
Exploits: 0, Affected Software: 1

rapid7community
added 2017/07/26 12:49 p.m., 72 views

How Do You Identify Zero-Days and Fileless Malware? Download (the) RAM.

Banner Source: The ever-handy http://www.downloadmoreram.com. When a tactic becomes less and less effective, it's important to shift strategies and adapt. With malware, attackers are doing exactly that. As preventative measures such as antivirus and endpoint detection and response continue to...

7.6 AI score
Exploits: 0

pentestit
added 2017/07/26 4:58 a.m., 93 views

nps_payload: Basic Intrusion Detection Avoidance Payload Generator!

This is a short post about nps_payload, an open source Python script that helps you create basic payloads that help you avoid or bypass intrusion detection systems. This is a mix of @ben0xa's Not PowerShell nps frameworks and some features of @HackingDave’s unicorn tool. As you...

7.2 AI score
Exploits: 0

Kitploit
added 2017/07/24 11:31 p.m., 36 views

HoneypotBuster - Microsoft PowerShell Module to Find HoneyPots and HoneyTokens in the Network

Microsoft PowerShell module designed for red teams that can be used to find honeypots and honeytokens in the network or at the host. CodeExecution Execute code on a target machine using Import-Module. Invoke-HoneypotBuster HoneypotBuster is a tool designed to spot Honey Tokens, Honey Bread Crumbs...

7.4 AI score
Exploits: 0, References: 1

pentestit
added 2017/07/24 8:24 p.m., 72 views

UPDATE: Luckystrike 2.0!

My first post regarding this malicious Microsoft Office document generator was about an older version. However, a few hours ago, an update was released - Luckystrike 2.0! Major highlights for this awesome release include full support for Microsoft Word in addition to a new COM...

7 AI score
Exploits: 0

Talos Blog
added 2017/07/19 7:49 a.m., 120 views

Unravelling .NET with the Help of WinDBG

This blog was authored by Paul Rascagneres and Warren Mercer. Introduction: .NET is an increasingly important component of the Microsoft ecosystem providing a shared framework for interoperability between different languages and hardware platforms. Many Microsoft tools, such as PowerShell, and other...

7.4 AI score
Exploits: 0

Malwarebytes
added 2017/07/17 7:43 p.m., 45 views

A week in security (July 10 – July 16)

Last week, we took a look at some of your malware infection stories, took a stroll through the basics of PowerShell, explored a piece of .NET malware, and shone the spotlight on the Petya ransomware family. Elsewhere, the following stories were taking place: Latest updates for Consumers...

6.4 AI score
Exploits: 0

pentestit
added 2017/07/16 4:28 p.m., 27 views

NetworkRecon: PowerShell to Identify Network Vulnerabilities!

As PowerShell becomes more prevalent in the Windows environment, so will its use for vulnerability assessment and penetration tests. I have covered a few of them earlier such as PowerSploit, PSAttack. However, none of the ones I mentioned help you detect network vulnerabilities...

7.5 AI score
Exploits: 0

Metasploit
added 2017/07/14 7:46 a.m., 43 views

WinRM Command Runner

This module runs arbitrary Windows commands using the WinRM Service This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'net/winrm/connection' class MetasploitModule 'WinRM Command Runner', 'Description' = %q This...

7.3 AI score
Exploits: 0

Citrix
added 2017/07/14 12:00 a.m., 8 views

Virtual Apps and Desktops: Logon Duration in MonitorData.Session Table shows "Null"

Logon Duration in MonitorData.Session Table in Monitoring Database shows "Null" value for all sessions and hence Director does not report Average logon Duration for Sessions. Restarting the Monitoring Service on Delivery Controllers does not fix the issue. We used the below scripts to ensure thatO...

6.8 AI score
Exploits: 0

0day.today
added 2017/07/13 12:00 a.m., 40 views

Skype for Business 2016 - Cross-Site Scripting Vulnerability

Exploit for windows platform in category remote exploits Exploit Title: Skype for Business 2016 XSS Injection - CVE-2017-8550 Exploit Author: @nyxgeek - TrustedSec Date: 2017-04-10 Vendor Homepage: www.microsoft.com Versions: 16.0.7830.1018 32-bit & 16.0.7927.1020 64-bit or lower Requirements:...

8.5 CVSS, 6.3 AI score, 0.09552 EPSS
Exploits: 4

exploitpack
added 2017/07/12 12:00 a.m., 29 views

Skype for Business 2016 - Cross-Site Scripting

Skype for Business 2016 - Cross-Site Scripting Exploit Title: Skype for Business 2016 XSS Injection - CVE-2017-8550 Exploit Author: @nyxgeek - TrustedSec Date: 2017-04-10 Vendor Homepage: www.microsoft.com Versions: 16.0.7830.1018 32-bit & 16.0.7927.1020 64-bit or lower Requirements: Originating...

4.3 CVSS, 0.3 AI score, 0.09552 EPSS
Exploits: 4

OpenVAS
added 2017/07/12 12:00 a.m., 141 views

Windows PowerShell Remote Code Execution Vulnerability (KB4025872)

This host is missing an important security update according to Microsoft KB4025872. SPDX-FileCopyrightText: 2017 Greenbone AG Some text descriptions might be excerpted from (a) referenced source(s), and are Copyright (C) by the respective right holder(s). SPDX-License-Identifier: GPL-2.0-only ifdescripti...

9.3 CVSS, 8.3 AI score, 0.31394 EPSS
Exploits: 0, References: 2

CNVD
added 2017/07/12 12:00 a.m., 2 views

Microsoft Windows PowerShell Remote Code Execution Vulnerability

Microsoft Windows, etc. are a series of operating systems released by Microsoft, U.S.A. PowerShell is one of the command line programs. A remote code execution vulnerability exists in PowerShell in Microsoft Windows. An attacker can exploit this vulnerability to execute code in a PowerShell remot...

9.3 CVSS, 8.3 AI score, 0.31394 EPSS
Exploits: 0, References: 1

OpenVAS
added 2017/07/12 12:00 a.m., 364 views

Microsoft Windows Multiple Vulnerabilities (KB4025337)

This host is missing a critical security update according to Microsoft KB4025337 SPDX-FileCopyrightText: 2017 Greenbone AG Some text descriptions might be excerpted from (a) referenced source(s), and are Copyright (C) by the respective right holder(s). SPDX-License-Identifier: GPL-2.0-only ifdescription...

10 CVSS, 6.5 AI score, 0.3391 EPSS
Exploits: 5, References: 21

Exploit DB
added 2017/07/12 12:00 a.m., 93 views

Skype for Business 2016 - Cross-Site Scripting

Exploit Title: Skype for Business 2016 XSS Injection - CVE-2017-8550 Exploit Author: @nyxgeek - TrustedSec Date: 2017-04-10 Vendor Homepage: www.microsoft.com Versions: 16.0.7830.1018 32-bit & 16.0.7927.1020 64-bit or lower Requirements: Originating machine needs Lync 2013 SDK installed as well a...

5.4 CVSS, 5.2 AI score, 0.09552 EPSS
Exploits: 4

OSV
added 2017/07/11 9:29 p.m., 1 views

CVE-2017-8565

Windows PowerShell in Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allows a remote code execution vulnerability when PSObject wraps a CIM Instance, aka "Windows PowerShel...

8.1 CVSS, 6.4 AI score, 0.31394 EPSS
Exploits: 0, References: 3

NVD
added 2017/07/11 9:29 p.m., 11 views

CVE-2017-8565

Windows PowerShell in Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allows a remote code execution vulnerability when PSObject wraps a CIM Instance, aka "Windows PowerShel...

9.3 CVSS, 8 AI score, 0.31394 EPSS
Exploits: 0, References: 3

Prion
added 2017/07/11 9:29 p.m., 15 views

Remote code execution

Windows PowerShell in Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allows a remote code execution vulnerability when PSObject wraps a CIM Instance, aka "Windows PowerShel...

9.3 CVSS, 8.3 AI score, 0.31394 EPSS
Exploits: 0, References: 3, Affected Software: 3