3098 matches found
Learning PowerShell: The basics
I bet I went about learning PowerShell the wrong way, so I may need your help, readers of this blog. If only to organize my knowledge and use it for the fight against malware and not just to figure out how it was used in malware. The first serious look I had at PowerShell was when I was trying to...
Windows PowerShell Remote Code Execution Vulnerability
A remote code execution vulnerability exists in PowerShell when PSObject wraps a CIM Instance. An attacker who successfully exploited this vulnerability could execute malicious code on a vulnerable system. In an attack scenario, an attacker could execute malicious code in a PowerShell remote...
Security update for the Windows PowerShell remote code execution vulnerability in Windows Server 2008: July 11, 2017
Security update for the Windows PowerShell remote code execution vulnerability in Windows Server 2008: July 11, 2017 Summary A remote code execution vulnerability exists in PowerShell when PSObject wraps a CIM Instance. An attacker who successfully exploited this vulnerability could execute...
WinPayloads: Generate Undetectable Windows Payloads!
PenTestIT RSS Feed An older post of mine - MicroSploit dealt with generating backdoored documents for the Office platform. This post is about another open source framework, called WinPayloads which helps you create custom malicious payloads for the Microsoft Windows operating system. What is...
WMI Event Subscription Persistence Exploit
This Metasploit module will create a permanent WMI event subscription to achieve file-less persistence using one of five methods. This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core/exploit/powershell'...
WMI Event Subscription Persistence
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core/exploit/powershell' require 'msf/core/post/windows/powershell' require 'msf/core/post/file' class MetasploitModule 'WMI Event Subscription Persistence',...
Microsoft Windows PowerShell CVE-2017-8565 Remote Code Execution Vulnerability
Description Microsoft Windows PowerShell is prone to a remote code-execution vulnerability. Successfully exploiting this issue may result in the execution of arbitrary code in the context of the affected system. Failed exploit attempts will likely result in denial-of-service conditions...
Windows 2008 July 2017 Multiple Security Updates
The remote Windows host is missing multiple security updates. It is, therefore, affected by multiple vulnerabilities : - An information disclosure vulnerability exists in the Windows Performance Monitor Console due to improper parsing of XML input that contains a reference to an external entity. ...
Windows 7 and Windows Server 2008 R2 July 2017 Security Updates
The remote Windows host is missing security update 4025337 or cumulative update 4025341. It is, therefore, affected by multiple vulnerabilities : - An information disclosure vulnerability exists in the Windows Performance Monitor Console due to improper parsing of XML input that contains a...
Windows Server 2012 July 2017 Security Updates
The remote Windows host is missing security update 4025343 or cumulative update 4025331. It is, therefore, affected by multiple vulnerabilities : - An information disclosure vulnerability exists in the Windows Performance Monitor Console due to improper parsing of XML input that contains a...
KB4025342: Windows 10 Version 1703 July 2017 Cumulative Update
The remote Windows 10 version 1703 host is missing security update KB4025342. It is, therefore, affected by multiple vulnerabilities : - An information disclosure vulnerability exists in the Windows Performance Monitor Console due to improper parsing of XML input that contains a reference to an...
KB4025344: Windows 10 Version 1511 July 2017 Cumulative Update
The remote Windows 10 version 1511 host is missing security update KB4025344. It is, therefore, affected by multiple vulnerabilities : - An information disclosure vulnerability exists in the Windows Performance Monitor Console due to improper parsing of XML input that contains a reference to an...
Microsoft .NET Privilege Escalation Vulnerability
Exploit for windows platform in category local exploits Hi @ll, all versions of .NET Framework support to load a COM object as code profiler, enabled via two or three environment variables. From | A profiler DLL is an unmanaged DLL that runs as part of the | common language runtime execution...
Dr0p1t Framework 1.3 - A Framework That Creates An Advanced FUD Dropper With Some Tricks
Have you ever heard about trojan droppers ? In short dropper is type of trojans that downloads other malwares and Dr0p1t gives you the chance to create a stealthy dropper that bypass most AVs and have a lot of tricks! Features Generated executable properties: The executable size is smaller compar...
Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques
Throughout 2017 we have observed a marked increase in the use of command line evasion and obfuscation by a range of targeted attackers. Cyber espionage groups and financial threat actors continue to adopt the latest cutting-edge application whitelisting bypass techniques and introduce innovative...
Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques
Throughout 2017 we have observed a marked increase in the use of command line evasion and obfuscation by a range of targeted attackers. Cyber espionage groups and financial threat actors continue to adopt the latest cutting-edge application whitelisting bypass techniques and introduce innovative...
morphHTA - Morphing Cobalt Strike PowerShell Evil HTA Generator
morphHTA is a Morphing Cobalt Strike PowerShell Evil HTA Generator Usage : usage: morph-hta.py -h --in --out --maxstrlen --maxvarlen --maxnumsplit optional arguments: -h, --help show this help message and exit --in File to input Cobalt Strike PowerShell HTA --out File to output the morphed HTA to...
Adware the series, part 6
In this series of posts, we will be using the flowchart below to follow the process of determining which adware we are dealing with. Our objective is to give you an idea of how many different types of adware are around for Windows systems. Though most are classified as PUPs, you will also see the...
Windows NSA Information Assurance: Locklevel
Windows NSA Information Assurance LOCKLEVEL was a rapidly built prototype that demonstrates a method for scoring how well Windows systems have implemented some of the NSA Information Assurance top 10 mitigation strategies . This prototype is being shared to encourage industry adoption of these...
Automatically Exercise BloodHound Attack Plan: GoFetch
GoFetch is a tool to automatically exercise an attack plan generated by the BloodHound application. GoFetch first loads a path of local admin users and computers generated by BloodHound and converts it to its own attack plan format. Once the attack plan is ready, GoFetch advances towards the...