17 matches found

Rapid7 Blog
added 2024/01/26 9:12 p.m., 68 views

Metasploit Weekly Wrap-Up 01/26/24

Direct Syscalls Support for Windows Meterpreter Direct system calls are a well-known technique that is often used to bypass EDR/AV detection. This technique is particularly useful when dynamic analysis is performed, where the security software monitors every process on the system to detect any...

CVSS 7.5 | AI score 10 | EPSS 0.94412 | Exploits 102
The Hacker News
added 2023/07/25 12:10 p.m., 46 views

Casbaneiro Banking Malware Goes Under the Radar with UAC Bypass Technique

The financially motivated threat actors behind the Casbaneiro banking malware family have been observed making use of a User Account Control (UAC) bypass technique to gain full administrative privileges on a machine, a sign that the threat actor is evolving their tactics to avoid detection and...

AI score 7.5 | Exploits 0
Kitploit
added 2021/10/28 11:30 a.m., 33 views

DonPAPI - Dumping DPAPI Credz Remotely

Dumping relevant information on compromised targets without AV detection. DPAPI dumping: lots of credentials are protected by DPAPI. We aim at locating those "secured" credentials and retrieving them using: User password, Domain DPAPI BackupKey, Local machine DPAPI Key protecting TaskScheduled blob...

AI score 7.1 | Exploits 0 | References 7
Microsoft Secure
added 2021/02/22 5:00 p.m., 24 views

What we like about Microsoft Defender for Endpoint

This blog post is part of the Microsoft Intelligent Security Association guest blog series. Learn more about MISA. It’s no secret that the security industry generally likes Microsoft Defender for Endpoint. After a few months of using and integrating it with our platform here at Expel, we feel the...

AI score 0.2 | Exploits 0
Kitploit
added 2020/04/08 10:00 p.m., 47 views

Chromepass - Hacking Chrome Saved Passwords

Chromepass is a python-based console application that generates a windows executable with the following features: Decrypt Chrome saved passwords; Send a file with the login/password combinations remotely (email or reverse-http); Custom icon; Completely undetectable by AntiVirus Engines. AV Detection! Du...

AI score 7.3 | Exploits 0 | References 1
Kitploit
added 2020/03/26 8:30 p.m., 199 views

Ninja - Open Source C2 Server Created For Stealth Red Team Operations

Ninja C2 is an open source C2 server created by Purple Team to do stealthy computer and Active Directory enumeration without being detected by SIEMs and AVs. Ninja is still in beta, and when the stable version is released it will contain many more stealthy techniques and anti-forensic features to create...

AI score 7.5 | Exploits 0 | References 12
Kitploit
added 2020/01/24 9:00 p.m., 56 views

Hershell - Multiplatform Reverse Shell Generator

Simple TCP reverse shell written in Go. It uses TLS to secure the communications and provides a certificate public key fingerprint pinning feature, preventing traffic interception. Supported OS are: Windows, Linux, Mac OS, FreeBSD and derivatives. Why? Although meterpreter payloads are great,...

AI score 7.6 | Exploits 0 | References 2
Talos Blog
added 2018/09/24 7:45 a.m., 13 views

Adwind Dodges AV via DDE

This blog post is authored by Paul Rascagneres and Vitor Ventura, with contributions from Tomislav Pericin and Robert Perica of ReversingLabs. Introduction: Cisco Talos, along with fellow cybersecurity firm ReversingLabs, recently discovered a new spam campaign that is spreading the Adwind 3.0...

AI score 1.3 | Exploits 0
ThreatPost
added 2018/04/30 6:20 p.m., 12 views

Updated GravityRAT Malware Adds Advanced AV Detection

Researchers tracking the evolution of the remote access trojan GravityRAT warn that developers behind the malware have made key changes to the RAT’s code in an attempt to decrease antivirus detection. “We’ve seen file exfiltration, remote command execution capability and anti-vm techniques added...

AI score 1.3 | Exploits 0 | References 5
ThreatPost
added 2017/11/10 12:00 p.m., 12 views

AutoIt Scripting Used By Overlay Malware to Bypass AV Detection

IBM’s X-Force Research team reports hackers attacking Brazilian banks are using the Windows scripting tool called AutoIt to install a remote access Trojan (RAT) capable of hijacking browser-based banking sessions. The use of AutoIt, researchers said, reduces the likelihood of antivirus detection...

AI score 0.2 | Exploits 0 | References 3
The Hacker News
added 2017/11/05 10:09 p.m., 10 views

The Rise of Super-Stealthy Digitally Signed Malware—Thanks to the Dark Web

Guess what's more expensive than counterfeit United States passports, stolen credit cards and even guns on the dark web? It's digital code signing certificates. A recent study conducted by the Cyber Security Research Institute (CSRI) this week revealed that stolen digital code-signing certificates...

AI score 7 | Exploits 0
Packet Storm
added 2016/11/17 12:00 a.m., 43 views

Authenticated WMI Exec Via Powershell

This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' require 'msf/core/post/windows/powershell' require 'msf/core/post/windows/priv' require 'msf/core/exploit/powershell/dotnet' class MetasploitModule...

AI score 0.6 | Exploits 0
Kitploit
added 2016/09/13 4:37 p.m., 27 views

Cloakify - Data Exfiltration In Plain Sight; Evade DLP/MLS Devices; Social Engineering of Analysts; Evade AV Detection

Cloakify Toolset - Data Exfiltration In Plain Sight; Evade DLP/MLS Devices; Social Engineering of Analysts; Defeat Data Whitelisting Controls; Evade AV Detection. Text-based steganography using lists. Convert any file type (e.g. executables, Office, Zip, images) into a list of everyday strings. Ve...

AI score 7 | Exploits 0 | References 1
Metasploit
added 2016/03/05 12:31 a.m., 20 views

Authenticated WMI Exec via Powershell

This module uses WMI execution to launch a payload instance on a remote machine. In order to avoid AV detection, all execution is performed in memory via a psh-net encoded payload. The persistence option can be set to keep the payload looping while a handler is present to receive it. By default the...

AI score 0.3 | Exploits 0
0day.today
added 2015/11/14 12:00 a.m., 581 views

b374k 3.2.3 2.8 CSRF / Command Injection Vulnerabilities

b374k web shell versions 2.8 and 3.2.3 suffer from a cross-site request forgery vulnerability that allows for remote command injection. Vendor: github.com/b374k/b374k code.google.com/p/b374k-shell/downloads/list code.google.com/archive/p/b374k-shell/...

AI score 7.6 | Exploits 0
ThreatPost
added 2014/09/08 11:14 a.m., 10 views

Israeli Think-Tank Site Serves Sweet Orange Exploit

Attackers have compromised the website of a prominent Israel-based, Middle East foreign policy-focused think tank, the Jerusalem Center for Public Affairs (JCPA). On Friday, researchers from Cyphort reported that the site was serving the Sweet Orange exploit kit via drive-by download. At the time o...

AI score 1.1 | Exploits 0 | References 2
Kitploit
added 2014/01/15 1:12 a.m., 39 views

[Weevely v1.1] Stealth tiny PHP web shell

Weevely is a stealth PHP web shell that provides a telnet-like console. It is an essential tool for web application post-exploitation, and can be used as a stealth backdoor or as a web shell to manage legitimate web accounts, even free hosted ones. Weevely is currently included in Backtrack and Backbox...

AI score 8.4 | Exploits 0 | References 4