Charming Kitten Sharpens Its Claws with PowerShell Backdoor
The Iranian advanced persistent threat (APT) Charming Kitten is sharpening its claws with a new set of tools, including a novel PowerShell backdoor and related stealth tactics, that show the group evolving yet again. The new tools may signal that it’s getting ready to pounce on new victims,...
SolarMarker Malware Uses Novel Techniques to Persist on Hacked Systems
In a sign that threat actors continuously shift tactics and update their defensive measures, the operators of the SolarMarker information stealer and backdoor have been found leveraging stealthy Windows Registry tricks to establish long-term persistence on compromised systems. Cybersecurity firm...
Iranian Hackers Using New PowerShell Backdoor in Cyber Espionage Attacks
An advanced persistent threat group with links to Iran has updated its malware toolset to include a novel PowerShell-based implant called PowerLess Backdoor, according to new research published by Cybereason. The Boston-headquartered cybersecurity company attributed the malware to a hacking group...
Researchers Uncover New Iranian Hacking Campaign Targeting Turkish Users
Details have emerged about a previously undocumented malware campaign undertaken by the Iranian MuddyWater advanced persistent threat (APT) group targeting Turkish private organizations and governmental institutions. "This campaign utilizes malicious PDFs, XLS files and Windows executables to deplo...
CRT - CrowdStrike Reporting Tool for Azure
This tool queries the following configurations in the Azure AD/O365 tenant which can shed light on hard-to-find permissions and configuration settings in order to assist organizations in securing these environments. Exchange Online O365: Federation Configuration Federation Trust Client Access...
Mandiant-Azure-AD-Investigator - PowerShell module for detecting artifacts that may be indicators of UNC2452 and other threat actor activity
This repository contains a PowerShell module for detecting artifacts that may be indicators of UNC2452 and other threat actor activity. Some indicators are "high-fidelity" indicators of compromise, while other artifacts are so-called "dual-use" artifacts. Dual-use artifacts may be related to thre...
The vulnerability of the “Copy as curl” function in the Thunderbird email client’s DevTools, as well as in browsers like Firefox and Firefox ESR, allows a hacker to execute arbitrary commands within the system.
The vulnerability of the “Copy as curl” function in the Thunderbird email client’s DevTools, as well as in Firefox and Firefox ESR browsers, is related to the execution of arbitrary commands on the target system due to improper input validation. Exploiting this vulnerability allows a remote...
Active Exploitation of VMware Horizon Servers
This post is co-authored by Charlie Stafford, Lead Security Researcher. We will update this blog with further information as it becomes available. CVE | Vendor Advisory | AttackerKB | IVM Content | Patching Urgency | Blog's Last Update ---|---|---|---|---|--- CVE-2021-44228 | VMware Advisory |...
Command Injection
firefox-esr is vulnerable to command injection. The curl command constructed by the "Copy as curl" feature in DevTools is not correctly escaped for PowerShell, allowing an attacker to inject and execute malicious commands...
Microsoft PowerShell Spoofing Vulnerability (Dec 2021) - Windows
This host is missing an important security update for PowerShell Core according to Microsoft security advisory CVE-2021-43896. SPDX-FileCopyrightText: 2022 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders...
Exploit for CVE-2022-21907
CVE-2022-21907 Description 1. This repository detects a...
Iranian Hackers Exploit Log4j Vulnerability to Deploy PowerShell Backdoor
An Iranian state-sponsored actor has been observed scanning and attempting to abuse the Log4Shell flaw in publicly-exposed Java applications to deploy a hitherto undocumented PowerShell-based modular backdoor dubbed "CharmPower" for follow-on post-exploitation. "The actor's attack setup was...
CVE-2022-22744
The constructed curl command from the "Copy as curl" feature in DevTools was not properly escaped for PowerShell. This could have led to command injection if pasted into a PowerShell prompt. This bug only affects Thunderbird for Windows. Other operating systems are unaffected. This vulnerabilit...
Description of the security update for SharePoint Server Subscription Edition: January 11, 2022 (KB5002111)
Description of the security update for SharePoint Server Subscription Edition: January 11, 2022 KB5002111 Summary This security update resolves a Microsoft SharePoint Server remote code execution vulnerability and Microsoft Office remote code execution vulnerability. To learn more about the...
Mozilla Thunderbird < 91.5
The version of Thunderbird installed on the remote macOS or Mac OS X host is prior to 91.5. It is, therefore, affected by multiple vulnerabilities as referenced in the mfsa2022-03 advisory. - Mozilla developers Calixte Denizet, Kershaw Chang, Christian Holler, Jason Kratzer, Gabriele Svelto, Tyso...
Mozilla Firefox Command Injection Vulnerability
Mozilla Firefox is an open source web browser from the Mozilla Foundation in the United States. A security vulnerability exists in Mozilla Firefox, which stems from a curl command constructed by the "Copy as curl" function in DevTools that is not properly escaped for PowerShell. If pasted into a...
CVE-2021-43896 affecting package powershell 7.0.2-1
CVE-2021-43896 affecting package powershell 7.0.2-1. An upgraded version of the package is available that resolves this issue...
Shellcode-Encryptor - A Simple Shell Code Encryptor/Decryptor/Executor To Bypass Anti Virus
A simple shellcode encryptor/decryptor/executor to bypass antivirus. Note: I have completely redone the workflow for creating the bypass; I have found injecting the binary into memory using PowerShell to be the most effective method. Purpose: To generate a .Net binary containing base64 encoded, AE...
Automox Agent 32 - Local Privilege Escalation Exploit
Exploit Title: Automox Agent 32 - Local Privilege Escalation Date: 13/12/2021 Exploit Author: Greg Foss Writeup: https://www.lacework.com/blog/cve-2021-43326/ Vendor Homepage: https://www.automox.com/ Software Link: https://support.automox.com/help/agents Version: 31, 32, 33 Tested on: Windows 10...
Exploit for Uncontrolled Resource Consumption in Siemens 6Bk1602-0Aa12-0Tp0_Firmware
CVE-2021-44228 scanner modified - Deprecated Original Scrip...