201 matches found
PowerShell-Suite
This is a PowerShell script called Bypass-UAC, which is designed to bypass User Account Control (UAC) on Windows systems. The script uses a technique called "auto-elevating IFileOperation COM object method calls" to achieve this. The script supports several methods for bypassing UAC, including:...
Citrix Director displays multiple Hypervisor health alerts
Background: Citrix Director displays alerts on the dashboard and other high-level views to monitor infrastructure. Alerts from various hypervisors, including XenServer and vSphere, help monitor the hypervisor parameters and states. Starting with CVAD 2411, Citrix Director introduces bulk dismissal ...
CHAPS - Configuration Hardening Assessment PowerShell Script
CHAPS is a PowerShell script for checking system security settings where additional software and assessment tools, such as Microsoft Policy Analyzer, cannot be installed. The purpose of this script is to run it on a server or workstation to collect configuration information about that system. The...
Drake Lyrics Used as Calling Card in Malware Attack
A hacker with the handle “Master X” leverages a PowerShell script that contains a reference to singer-songwriter Drake’s lyric “Kiki Do You Love Me” and ultimately delivers a malicious payload to its victims. The campaign is email-based, with missives containing a malicious PowerPoint attachment...
CB TAU Threat Intelligence Notification: Formbook Harvests Data By Intercepting Clients
Formbook is an information stealer which has been around for the past few years. Formbook acts as a form grabber which harvests credentials, passwords, banking details, keystrokes and network requests, by intercepting web browser and other clients such as email and IM. The particular sample...
Kaseya VSA agent 9.5 - Privilege Escalation
Exploit Title: Kaseya VSA agent CVE-2017-12410 found by Filip Palian. A fix was put in place for the original CVE, however it was specific to binaries and not scripts. The root cause for both issues is allowing a low privileged group excessive permissions to a folder used by an elevated process...
Kaseya VSA Agent 9.5 Privilege Escalation
Exploit Title: Kaseya VSA agent CVE-2017-12410 found by Filip Palian. A fix was put in place for the original CVE, however it was specific to binaries and not scripts. The root cause for both issues is allowing a low privileged group excessive permissions to a folder used by an elevated process...
Microsoft Windows PowerShell Command Execution Exploit
Microsoft Windows PowerShell Command Execution Exploit. Credits: John Page (aka hyp3rlinx). Vendor: www.microsoft.com. Product: Windows PowerShell. Windows PowerShell is a Windows command-line shell designed especially for system administrators. PowerShell includes an interactive prompt and a scripting...
Brand-New SystemBC Proxy Malware Spotted Using SOCKS5 for Stealth
A previously undocumented proxy malware, dubbed “SystemBC,” is upping the stealth game by using SOCKS5 to evade detection. It’s being distributed by the Fallout and RIG exploit kits (EKs), according to researchers. Proofpoint researchers said on Thursday that in the most recently tracked example, t...
Microsoft Windows: Turn on PowerShell Script Block Logging
This policy setting enables logging of all PowerShell script input to the Microsoft-Windows-PowerShell/Operational event log. If you enable this policy setting, Windows PowerShell will log the processing of commands, script blocks, functions, and scripts - whether invoked interactively, or throug...
Hackers Infect 50,000 MS-SQL and PHPMyAdmin Servers with Rootkit Malware
Cyber Security researchers at Guardicore Labs today published a detailed report on a widespread cryptojacking campaign attacking Windows MS-SQL and PHPMyAdmin servers worldwide. Dubbed Nansh0u, the malicious campaign is reportedly being carried out by an APT-style Chinese hacking group who has...
Exploit for Use After Free in Microsoft
CVE-2019-0708-Vulnerability-Scanner Powershell script to run a...
Microsoft Guidance to mitigate Microarchitectural Data Sampling vulnerabilities
Executive Summary: On May 14, 2019, Intel published information about a new subclass of speculative execution side channel vulnerabilities known as Microarchitectural Data Sampling. An attacker who successfully exploited these vulnerabilities may be able to read privileged data across trust...
Spear Phishing Campaign Targets Ukraine Government and Military; Infrastructure Reveals Potential Link to So-Called Luhansk People's Republic
In early 2019, FireEye Threat Intelligence identified a spear phishing email targeting government entities in Ukraine. The spear phishing email included a malicious LNK file with a PowerShell script to download the second-stage payload from the command and control (C&C) server. The email was received...
Cloud replica failover fails after upgrade to Veeam Backup & Replication 9.5 Update 4
Challenge: After upgrade to Veeam Backup & Replication 9.5 Update 4, starting failover for a Cloud Connect replica in the VMware environment fails with the appliance related error message: "Timed out waiting to obtain helper appliance VM IP address". Cause: Due to a newly introduced issue, the applian...
Powershell Script for Enumerating Vulnerable DCOM Applications: DCOMrade
DCOMrade is a PowerShell script that is able to enumerate the possible vulnerable DCOM applications that might allow for lateral movement, code execution, data exfiltration, etc. The script is built to work with PowerShell 2.0 but will work with all versions above as well. The script currently...
Exploit for Improper Authentication in Phpmyadmin
CVE-2018-12613 Local file inclusion bug due to filter bypass u...
Metamorfo Banking Trojan Keeps Its Sights on Brazil
This blog post was authored by Edmund Brumaghin, Warren Mercer, Paul Rascagneres, and Vitor Ventura. Executive Summary: Financially motivated cybercriminals have used banking trojans for years to steal sensitive financial information from victims. They are often created to gather credit card...
Threat Actors Eyeing IQY Files To Peddle Malspam
More threat actors are pushing weaponized Excel web query (IQY) files to deliver malicious code – as seen in recent campaigns by several major malspam distributors. Researchers at IBM X-Force this week disclosed that both the Necurs Botnet, as well as DarkHydrus and the threat actor behind the Mara...
Microsoft Windows - Advanced Local Procedure Call (ALPC) Local Privilege Escalation
Microsoft Windows - Advanced Local Procedure Call (ALPC) Local Privilege Escalation. Note: PoC will now hijack the print spooler service - spoolsv.exe - as it required less code than hijacking printfilterpipelinesvc.exe, which was shown in the original video demo. Description of the vulnerability: The...