44 matches found

The Hacker News, added 2023/04/24 1:44 p.m.

Ransomware Hackers Using AuKill Tool to Disable EDR Software Using BYOVD Attack

Threat actors are employing a previously undocumented "defense evasion tool" dubbed AuKill that's designed to disable endpoint detection and response (EDR) software by means of a Bring Your Own Vulnerable Driver (BYOVD) attack. "The AuKill tool abuses an outdated version of the driver used by version...

The Hacker News, added 2023/03/20 1:39 p.m.

New DotRunpeX Malware Delivers Multiple Malware Families via Malicious Ads

A new piece of malware dubbed dotRunpeX is being used to distribute numerous known malware families such as Agent Tesla, Ave Maria, BitRAT, FormBook, LokiBot, NetWire, Raccoon Stealer, RedLine Stealer, Remcos, Rhadamanthys, and Vidar (https://thehackernews.com/2023/01/t...)

The Hacker News, added 2023/02/06 8:11 a.m.

FormBook Malware Spreads via Malvertising Using MalVirt Loader to Evade Detection

An ongoing malvertising campaign is being used to distribute virtualized .NET loaders that are designed to deploy the FormBook information-stealing malware. "The loaders, dubbed MalVirt, use obfuscated virtualization for anti-analysis and evasion along with the Windows Process Explorer driver for...

hivepro, added 2023/02/03 1:33 p.m.

MalVirt: .NET Malware Loaders Spread through Malvertising Attacks

Threat Level: Attack Report. Summary: MalVirt is a cluster of virtualized .NET malware loaders that are distributed through malvertising attacks; the loaders use obfuscated virtualization and the Windows Process Explorer driver to evade anti-analysis and...

Kitploit, added 2021/07/05 12:30 p.m.

Backstab - A Tool To Kill Antimalware Protected Processes

Have these local admin credentials but the EDR is standing in the way? Unhooking or direct syscalls are not working against the EDR? Well, why not just kill it? Backstab is a tool capable of killing antimalware protected processes by leveraging Sysinternals' Process Explorer (ProcExp) driver, which...

Kitploit, added 2020/08/25 9:30 p.m.

VolExp - Volatility Explorer

This program allows the user to access a Memory Dump. It can also function as a plugin to the Volatility Framework (https://github.com/volatilityfoundation/volatility). This program functions similarly to Process Explorer/Hacker, but additionally it allows the user access to a Memory Dump or access...

Packet Storm, added 2019/02/02 12:00 a.m.

Remote Process Explorer 1.0.0.16 Denial Of Service

Exploit Title: Remote Process Explorer v1.0.0.16 - Denial of Service PoC and SEH overwritten Crash PoC. Discovery by: Rafael Pedrero. Discovery Date: 2019-01-30. Vendor Homepage: http://lizardsystems.com/action.php?action=home&product=rpexplorer&version=1.0.0.16. Software Link:...

exploitpack, added 2019/02/01 12:00 a.m.

Remote Process Explorer 1.0.0.16 - Buffer Overflow (PoC) (SEH Overwrite)

Remote Process Explorer 1.0.0.16 - Buffer Overflow PoC (SEH Overwrite). Exploit Title: Remote Process Explorer v1.0.0.16 - Denial of Service PoC and SEH overwritten Crash PoC. Discovery by: Rafael Pedrero. Discovery Date: 2019-01-30. Vendor Homepage:...

0day.today, added 2019/02/01 12:00 a.m.

Remote Process Explorer 1.0.0.16 - Denial of Service SEH Overwrite Exploit

Exploit Title: Remote Process Explorer v1.0.0.16 - Denial of Service PoC and SEH overwritten Crash PoC. Discovery by: Rafael Pedrero. Vendor Homepage: http://lizardsystems.com/action.php?action=home&product=rpexplorer&version=1.0.0.16. Software Link:...

Exploit DB, added 2019/02/01 12:00 a.m.

Remote Process Explorer 1.0.0.16 - Buffer Overflow (PoC) (SEH Overwrite)

Exploit Title: Remote Process Explorer v1.0.0.16 - Denial of Service PoC and SEH overwritten Crash PoC. Discovery by: Rafael Pedrero. Discovery Date: 2019-01-30. Vendor Homepage: http://lizardsystems.com/action.php?action=home&product=rpexplorer&version=1.0.0.16. Software Link:...

exploitpack, added 2018/08/28 12:00 a.m.

Microsoft Windows - Advanced Local Procedure Call (ALPC) Local Privilege Escalation

Microsoft Windows - Advanced Local Procedure Call (ALPC) Local Privilege Escalation. Note: the PoC will now hijack the print spooler service (spoolsv.exe), as it required less code than hijacking printfilterpipelinesvc.exe, which was shown in the original video demo. Description of the vulnerability: The...

seebug.org, added 2017/10/11 12:00 a.m.

ArcGIS Server 10.3.1: RMIClassLoader RCE

Using an Esri-provided image on Azure's Marketplace, ArcGIS Server 10.3.1 started Java's rmid on port 1098 and explicitly set the property java.rmi.server.useCodebaseOnly equal to false. Screenshot: https://www.dropbox.com/s/xz9ugal3ixnfh1c/10.3.1rmiduseCodebaseOnly%3Dfalse.png?dl=0 As discussed ...

Malwarebytes, added 2017/07/19 3:00 p.m.

Adware the series, the final: Tools section

So far in this series, we have handed you some methods to recognize and remediate adware. We used this diagram as a guideline. During this journey, we have touched upon several free tools that we used to get some insight on what type of infection we were dealing with and where the adware could be...

Veeam, added 2014/11/19 12:00 a.m.

The process cannot access the file because it is being used by another process

Antivirus Interference: Antivirus software can cause access issues similar to those documented in this article. Such interference often occurs when security software detects a Veeam process attempting to access a file and simultaneously locks the file for inspection, coinciding with the Veeam...

The Hacker News, added 2014/01/31 8:37 p.m.

Microsoft's Process Explorer added VirusTotal Multi-Antivirus Scanner support

Process Explorer, a part of Microsoft's Sysinternals suite of applications, is an alternate task manager for Windows which offers far more features than the 'on-board' one. Microsoft's Windows Sysinternals Suite has released the latest version of Process Explorer, v16.0, that has an awesome feature whic...

Packet Storm, added 2010/09/21 12:00 a.m.

Sysinternals Process Explorer DLL Hijack

Exploit Title: Sysinternals Process Explorer DLL Hijacking on x86 Windows systems (wow64cpu.dll). Date: 27 Aug 2010. Author: miom. Software Link: http://technet.microsoft.com/sysinternals/bb896653.aspx. Version: Process Explorer v12.04. Tested on: Windows XP SP3 x86. This exploit targets x86 Windows...

seebug.org, added 2009/06/02 12:00 a.m.

ICQ 6.5 URL Search Hook (Windows Explorer) Remote BOF PoC

No description provided by source. ICQ 6.5 URL Search Hook / ICQToolBar.dll .URL file processing Windows Explorer remote buffer overflow PoC by Nine:Situations:Group::pyrokinesis. Site: http://retrogod.altervista.org/ If the resulting file is placed on the desktop, against ex. XP SP3 process...

Cvelist, added 2005/08/23 4:00 a.m.

CVE-2005-2679

Buffer overflow in Sysinternals Process Explorer 9.23, and other versions before 9.25, allows local users to execute arbitrary code via a long CompanyName field in the VersionInfo information in a running process...

EPSS: 0.03462