PT-2019-1817 · Microsoft · Windows
Name of the Vulnerable Software and Affected Versions: Windows (affected versions not specified). Description: The issue is related to a component of the Windows operating system, specifically the Win32k component, which has insufficient access restrictions. This can be exploited by an attacker to...
PowerShellArsenal - A PowerShell Module Dedicated To Reverse Engineering
PowerShellArsenal is a PowerShell module used to aid a reverse engineer. The module can be used to disassemble managed and unmanaged code, perform .NET malware analysis, analyze/scrape memory, parse file formats and memory structures, obtain internal system information, etc. PowerShellArsenal is...
Commando VM — Turn Your Windows Computer Into A Hacking Machine
FireEye today released Commando VM, which according to the company, is a "first of its kind Windows-based security distribution for penetration testing and red teaming." When it comes to the best operating systems for hackers, Kali Linux is always the first choice for penetration testers and...
WinPwn - Automation For Internal Windows Penetrationtest
In many past internal penetration tests I often had problems with the existing Powershell Recon / Exploitation scripts due to missing proxy support. For this reason I wrote my own script with automatic proxy recognition and integration. The script is mostly based on well-known large other offensi...
Lazarus Group Widens Tactics in Cryptocurrency Attacks
North Korea-linked APT Lazarus Group has been spotted targeting the cryptocurrency business again, adding Apple users to the mix by using PowerShell scripts to control macOS malware, and honing its Windows strategy. The campaign has been active since at least November 2018, according to an analys...
Thomson Reuters Concourse & Firm Central 2.13.0097 Directory Traversal / Local File Inclusion
Exploit for Windows platform in category web applications. Exploit Title: Thomson Reuters Concourse & Firm Central 2.13.0097 - Directory Traversal & Local File Inclusion. Exploit Author: 0v3rride. Vendor Homepage: https://www.thomsonreuters.com/en.html. Software Link: Firm Central...
Thomson Reuters Concourse Firm Central 2.13.0097 - Directory Traversal Local File Inclusion
Exploit Title: Thomson Reuters Concourse & Firm Central 2.13.0097 - Directory Traversal & Local File Inclusion. Date: 02/13/2019. Exploit Author: 0v3rride. Vendor Homepage:...
Real World Examples Demonstrating the Need for Mature Threat Hunting
A recent article discussed the keys to becoming a level 4 maturity threat hunting program. This article will bring these concepts into the real world by discussing examples of attacks that required that high level of threat hunting maturity to find them and defend against them. The case studies...
Cryptocurrency businesses still being targeted by Lazarus
It's hardly news to anyone who follows cyberthreat intelligence that the Lazarus APT group targets financial entities, especially cryptocurrency exchanges. Financial gain remains one of the main goals for Lazarus, with its tactics, techniques, and procedures constantly evolving to avoid detection...
PostgreSQL COPY FROM PROGRAM Command Execution
Installations running Postgres 9.3 and above have functionality which allows the superuser and users with the 'pg_execute_server_program' role to pipe to and from an external program using COPY. This allows arbitrary command execution as though you have console access. This module attempts to create a ne...
BMC Patrol Agent - Privilege Escalation Cmd Execution Exploit
This Metasploit module leverages the remote command execution feature provided by the BMC Patrol Agent software. It can also be used to escalate privileges on Windows hosts as the software runs as SYSTEM but only verifies that the password of the provided user is correct. This also means if the...
BMC Patrol Agent Privilege Escalation / Command Execution Exploit
This Metasploit module leverages the remote command execution feature provided by the BMC Patrol Agent software. It can also be used to escalate privileges on Windows hosts as the software runs as SYSTEM but only verifies that the password of the provided user is correct. This also means if the...
Dissecting a NETWIRE Phishing Campaign's Usage of Process Hollowing
Introduction: Malware authors attempt to evade detection by executing their payload without having to write the executable file on the disk. One of the most commonly seen techniques of this "fileless" execution is code injection. Rather than executing the malware directly, attackers inject the...
BMC Patrol Agent Privilege Escalation / Command Execution
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'zlib' class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::Tcp include Msf::Exploit::Powershell @deflater = nil...
August 30, 2018—KB4343889 (OS Build 15063.1292)
August 30, 2018 - KB4343889 (OS Build 15063.1292). Improvements and fixes: This update includes quality improvements. No new operating system features are being introduced in this update. Key changes include: Addresses an issue that causes win32kfull.sys to stop working (Stop 3B) when cancelling journal...
KB4467702: Windows 10 Version 1803 and Windows Server Version 1803 November 2018 Security Update
The remote Windows host is missing security update 4467702. It is, therefore, affected by multiple vulnerabilities: - A security feature bypass vulnerability exists in Microsoft JScript that could allow an attacker to bypass Device Guard. CVE-2018-8417 - An elevation of privilege vulnerability...
KB4467696: Windows 10 Version 1703 November 2018 Security Update
The remote Windows host is missing security update 4467696. It is, therefore, affected by multiple vulnerabilities: - A security feature bypass vulnerability exists in Microsoft JScript that could allow an attacker to bypass Device Guard. CVE-2018-8417 - A remote code execution vulnerability...
The vulnerability in Microsoft Visual Studio, the PowerShell command interpreter, Microsoft .NET Framework and Microsoft .NET Core lies in errors in how information is represented in the user interface, which allows attackers to perform spear-phishing attacks.
The vulnerability of Microsoft Visual Studio, the PowerShell command interpreter, Microsoft .NET Framework, and Microsoft .NET Core software products is related to information representation errors in the user interface. Exploiting this vulnerability can allow attackers to perform spear-phishing...
KB4467708: Windows 10 Version 1809 and Windows Server 2019 November 2018 Security Update
The remote Windows host is missing security update 4467708. It is, therefore, affected by multiple vulnerabilities: - A security feature bypass vulnerability exists in Microsoft JScript that could allow an attacker to bypass Device Guard. CVE-2018-8417 - A remote code execution vulnerability...
AutoRDPwn v4.8 - The Shadow Attack Framework
AutoRDPwn is a script created in PowerShell and designed to automate the Shadow attack on Microsoft Windows computers. This vulnerability allows a remote attacker to view the victim's desktop without their consent, and even control it on request. For its correct operation, it is necessary to comply...