1579 matches found

Microsoft KB
added 2018/09/27 12:00 a.m., 2 views

October 27, 2016 — KB3197954 (OS Build 14393.351)

October 27, 2016 — KB3197954 OS Build 14393.351 This update includes quality improvements. No new operating system features are being introduced in this update. Key changes include: Improved reliability of Internet Explorer 11, Start, File Explorer, action center, graphics, and the Windows kernel...

AI score 6.8
Exploits 0
Malwarebytes
added 2018/09/26 5:13 p.m., 1395 views

Buggy implementation of CVE-2018-8373 vulnerability used to deliver Quasar RAT

A variant of a remote code execution vulnerability with Internet Explorer's scripting engine known as CVE-2018-8373 patched last August has been found in the wild. Looking at the IOCs posted by our colleagues at TrendMicro, we recognized the infrastructure serving this exploit. The same static...

CVSS 7.6, AI score 0.4, EPSS 0.94283
Exploits 16
Kitploit
added 2018/09/25 9:02 p.m., 272 views

SharpSploit - A .NET Post-Exploitation Library Written In C#

SharpSploit is a .NET post-exploitation library written in C# that aims to highlight the attack surface of .NET and make the use of offensive .NET easier for red teamers. SharpSploit is named, in part, as a homage to the PowerSploit project, a personal favorite of mine! While SharpSploit does port...

AI score 7.7
Exploits 0, References 10
Talos Blog
added 2018/09/22 7:23 a.m., 29 views

Threat Roundup for September 14 to September 21

Today, as we do every week, Talos is giving you a glimpse into the most prevalent threats we’ve observed this week — covering the dates between Sept. 14 and 21. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, we will summarize the threats we’ve observed by...

AI score 0.4
Exploits 0
Talos Blog
added 2018/09/14 10:32 a.m., 27 views

Threat Roundup for September 7 to September 14

Today, as we do every week, Talos is giving you a glimpse into the most prevalent threats we’ve observed this week — covering the dates between Sept. 7 and 14. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, we will summarize the threats we’ve observed by...

AI score 0.1
Exploits 0
ThreatPost
added 2018/09/13 9:19 p.m., 15 views

OilRig APT Continues Its Ongoing Malware Evolution

OilRig, an APT group believed to have ties to Iran, has been spotted in yet another campaign in the Middle East – this time targeting victims within an undisclosed government using an evolved variant of the BondUpdater trojan. The group, which is also called Cobalt Gypsy, Crambus, Helix Kitten or...

AI score 7.5
Exploits 0, References 3
ThreatPost
added 2018/09/12 8:07 p.m., 14 views

PowerShell Obfuscation Ups the Ante on Antivirus

A new malware sample using a rare obfuscation technique has been spotted that uses the features of PowerShell, a tool that comes built into Microsoft Windows. Analysis from Cylance shows that the tactic succeeds in bypassing most antivirus products. Cylance researchers stumbled across a malware...

AI score 0.5
Exploits 0, References 1
Carbon Black Blog
added 2018/09/12 7:28 p.m., 62 views

Carbon Black Report: Tools of Choice

Quarterly Incident Response Threat Report: PowerShell and WMI Remain Tools of Choice for Cyberattacks. We’ve long known that PowerShell has been abused, but it is still significant that 100% of respondents say they believe the tool most often helps facilitate lateral movement, followed by WMI at...

AI score 1.8
Exploits 0
n0where
added 2018/09/12 7:12 p.m., 56 views

PowerShell Front-End for Windows Debugger Engine: DbgShell

The main impetus for DbgShell is that it’s just waaaay too hard to automate anything in the debugger. There are facilities today to assist in automating the debugger, of course. But in my opinion they are not meeting people’s needs. Using the built-in scripting language is arcane, limited,...

AI score 6.9
Exploits 0, References 1
Exploit DB
added 2018/09/10 12:00 a.m., 46 views

Ghostscript - Failed Restore Command Execution (Metasploit)

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule /dev/tty' include Msf::Exploit::FILEFORMAT include Msf::Exploit::CmdStager include Msf::Exploit::Powershell def initializeinfo =...

CVSS 9.3, AI score 7.4, EPSS 0.91758
Exploits 4
pentestit
added 2018/09/06 6:51 a.m., 67 views

iBombShell: A Dynamic Post-Exploitation Remote Shell

PenTestIT RSS Feed. Consider you have a shell on a system and other post-exploitation tools do not work for you as they are being caught by a security solution on the system. Worry not, as we now have iBombShell, a dynamic remote shell that can be run on any system that supports PowerShell. The reason th...

AI score 0.8
Exploits 0
Carbon Black Blog
added 2018/08/30 3:08 p.m., 52 views

Carbon Black Report: 46% of Incident Response Professionals Experience Counter Incident Response

Quarterly Incident Response Threat Report, Executive Summary/Highlights: Proactive Incident Response. Even as a steady drumbeat of headlines keeps the world’s attention focused on cybercrimes such as ransomware and cryptojacking, in the dark corners of the internet, attackers are busy refining their...

AI score 0.4
Exploits 0
Exploit DB
added 2018/08/28 12:00 a.m., 48 views

Microsoft Windows - Advanced Local Procedure Call (ALPC) Local Privilege Escalation

Note: the PoC will now hijack the print spooler service, spoolsv.exe, as it required less code than hijacking printfilterpipelinesvc.exe, which was shown in the original video demo. Description of the vulnerability: the task scheduler service has an ALPC endpoint, supporting the method...

AI score 7.4
Exploits 0
Carbon Black Blog
added 2018/08/27 4:42 p.m., 93 views

Threat Analysis: Recent Attack Technique Leveraging cmd.exe and PowerShell Demonstrates How Attackers Are Using Trusted Microsoft Applications for Malicious Behavior

An attack leveraging cmd.exe and PowerShell was recently investigated by Cb ThreatSight analysts. Our initial investigation discovered that a batch file was executed on the targeted system. This batch file then invoked PowerShell with a base64 encoded command. Decoding the command revealed a seri...

Exploits 0
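The decoding step the Carbon Black entry describes, as an added example written for this listing rather than code from the post: it builds a base64 `-EncodedCommand` the way a dropper's batch file would from a constructed, benign script, recovers the plaintext from a full command line (accepting the abbreviated switch forms powershell.exe allows), and flags the switches and strings an analyst would look for next. The sample command line and the indicator list are assumptions chosen for illustration, not indicators from the investigation.

```powershell
# Added example (not code from the Carbon Black post): reproduce the encoding
# step a dropper's batch file performs, then decode and triage an arbitrary
# command line the way an analyst would. All sample strings are constructed.

function ConvertTo-EncodedCommand {
    param([Parameter(Mandatory)][string]$Script)
    # -EncodedCommand takes base64 of the UTF-16LE ("Unicode") bytes, not UTF-8;
    # decoding with the wrong encoding yields interleaved NUL bytes or garbage.
    [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($Script))
}

function ConvertFrom-EncodedCommandLine {
    param([Parameter(Mandatory)][string]$CommandLine)
    # powershell.exe accepts -e, -ec and any prefix of -EncodedCommand, with '-' or '/'
    # as the switch character, so match all of them rather than the spelled-out name.
    $word     = 'encodedcommand'
    $prefixes = @('ec') + (1..$word.Length | ForEach-Object { $word.Substring(0, $_) })
    $pattern  = '(?i)[-/](?:' + ($prefixes -join '|') + ')\s+["'']?([A-Za-z0-9+/=]{8,})'
    $m = [regex]::Match($CommandLine, $pattern)
    if (-not $m.Success) { return $null }
    try   { $bytes = [Convert]::FromBase64String($m.Groups[1].Value) }
    catch { return $null }            # token looked like base64 but was not
    [Text.Encoding]::Unicode.GetString($bytes)
}

function Get-CommandLineIndicators {
    param([Parameter(Mandatory)][string]$CommandLine, [string]$Decoded = '')
    # Check the raw command line and the decoded script together; the switches live
    # in the former, the download cradle or IEX usually only in the latter.
    $text   = "$CommandLine`n$Decoded"
    $checks = [ordered]@{              # illustrative list, deliberately loose
        'hidden window'        = '(?i)[-/]w[a-z]*\s+hidden'
        'no profile'           = '(?i)[-/]nop[a-z]*'
        'non-interactive'      = '(?i)[-/]noni[a-z]*'
        'execution policy off' = '(?i)[-/]e[xp][a-z]*\s+bypass'
        'download cradle'      = '(?i)DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest|\biwr\b'
        'in-memory evaluation' = '(?i)\bIEX\b|Invoke-Expression'
        'nested encoding'      = '(?i)FromBase64String'
    }
    foreach ($entry in $checks.GetEnumerator()) {
        if ($text -match $entry.Value) { $entry.Key }
    }
}

# Constructed, benign sample standing in for what the batch file launched.
$sample  = 'Write-Output "constructed sample"; Get-Date'
$cmdline = 'cmd.exe /c powershell.exe -nop -w hidden -enc ' + (ConvertTo-EncodedCommand $sample)

$decoded = ConvertFrom-EncodedCommandLine $cmdline
"Decoded : $decoded"
"Flags   : " + ((Get-CommandLineIndicators -CommandLine $cmdline -Decoded $decoded) -join ', ')
```

On the constructed sample the decoder returns the original script and the triage function reports "hidden window" and "no profile"; against a real process-creation event (Sysmon event 1 or Windows 4688), feed the CommandLine field in and treat a successful decode that also trips the cradle or IEX checks as the point at which to pull the next stage.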
n0where
added 2018/08/23 4:56 a.m., 242 views

Active Directory Privilege Relationships: BloodHound

BloodHound is a single page JavaScript web application, built on top of Linkurious, compiled with Electron, with a Neo4j database fed by a PowerShell ingestor. BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory environment. Attacks c...

AI score 7.7
Exploits 0, References 6
NVD
added 2018/08/15 5:29 p.m., 14 views

CVE-2018-8200

A security feature bypass vulnerability exists in Device Guard that could allow an attacker to inject malicious code into a Windows PowerShell session, aka "Device Guard Code Integrity Policy Security Feature Bypass Vulnerability." This affects Windows Server 2016, Windows 10, Windows 10 Servers...

CVSS 5.3, AI score 5.8, EPSS 0.01258
Exploits 0, References 3
CVE
added 2018/08/15 5:00 p.m., 107 views

CVE-2018-8200

CVE-2018-8200 is a local security bypass in Windows Device Guard, enabling an attacker to inject malicious code into a PowerShell session by bypassing the Code Integrity Policy. Affected: Windows Server 2016, Windows 10 (and variants). Root cause: Device Guard Code Integrity Policy bypass vulnera...

CVSS 5.3, AI score 6.7, EPSS 0.01258
Exploits 0, References 3, Affected Software 2
0day.today
added 2018/08/11 12:00 a.m., 105 views

Oracle Weblogic Server Deserialization Remote Code Execution Exploit

Exploit for multiple platforms in category remote exploits. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core/exploit/powershell' class MetasploitModule 'Oracle Weblogic Server Deserialization RCE',...

CVSS 7.5, AI score 0.4, EPSS 0.94422
Exploits 68
Kitploit
added 2018/08/06 10:39 p.m., 28 views

Remote Desktop Caching - Tool To Recover Old RDP (mstsc) Session Information In The Form Of Broken PNG Files

This tool allows one to recover old RDP (mstsc) session information in the form of broken PNG files. These PNG files allow a Red Team member to extract juicy information such as LAPS passwords or any sensitive information on the screen. A Blue Team member can reconstruct the PNG files to see what an...

AI score 6.9
Exploits 0, References 2
Kitploit
added 2018/08/05 10:30 p.m., 16 views

Win-PortFwd - Powershell Script To Setup Windows Port Forwarding Using Native Netsh Client

PowerShell script to set up Windows port forwarding using the native netsh client. Install: git clone https://github.com/deepzec/Win-PortFwd.git Usage: .\win-portfwd.ps1 or powershell.exe -noprofile -executionpolicy bypass -file .\win-portfwd.ps1 Note: This script requires admin privileges to run, this...

AI score 7.2
Exploits 0, References 1
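The netsh portproxy mechanism the Win-PortFwd entry wraps, as an added example that is not the project's code: functions to add and remove a forward, covering the elevation check, the IP Helper service the proxy depends on, and the host firewall rule that the netsh command alone does not create, plus an audit function that reads the registry key where netsh persists v4tov4 rules, which is where a defender hunts for forwards left behind after an intrusion. It assumes an elevated shell on a Windows host with the NetSecurity module available; the addresses and ports in the commented usage are made up.

```powershell
# Added example (not the Win-PortFwd script): netsh portproxy wrapped as
# functions, plus the registry view a defender can audit. Assumes an elevated
# shell on Windows 8 / Server 2012 or later (for the NetSecurity cmdlets).

function Test-IsAdministrator {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Add-PortForward {
    param(
        [Parameter(Mandatory)][int]$ListenPort,
        [Parameter(Mandatory)][string]$ConnectAddress,
        [Parameter(Mandatory)][int]$ConnectPort,
        [string]$ListenAddress = '0.0.0.0'
    )
    if (-not (Test-IsAdministrator)) { throw 'portproxy changes require an elevated shell' }
    # portproxy is implemented by the IP Helper service (iphlpsvc); a rule added
    # while it is stopped is stored but not active.
    if ((Get-Service iphlpsvc).Status -ne 'Running') { Start-Service iphlpsvc }
    netsh interface portproxy add v4tov4 "listenaddress=$ListenAddress" "listenport=$ListenPort" `
        "connectaddress=$ConnectAddress" "connectport=$ConnectPort" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh failed with exit code $LASTEXITCODE" }
    # The listener exists now, but the host firewall still drops inbound traffic to it.
    New-NetFirewallRule -DisplayName "portproxy-$ListenPort" -Direction Inbound -Protocol TCP `
        -LocalPort $ListenPort -Action Allow | Out-Null
}

function Remove-PortForward {
    param([Parameter(Mandatory)][int]$ListenPort, [string]$ListenAddress = '0.0.0.0')
    if (-not (Test-IsAdministrator)) { throw 'portproxy changes require an elevated shell' }
    netsh interface portproxy delete v4tov4 "listenaddress=$ListenAddress" "listenport=$ListenPort" | Out-Null
    Remove-NetFirewallRule -DisplayName "portproxy-$ListenPort" -ErrorAction SilentlyContinue
}

function Get-PortForward {
    # netsh persists v4tov4 rules under this key as values named "listenaddr/port"
    # holding "connectaddr/port". Reading it needs no elevation and works even
    # where netsh.exe itself is blocked, so it is the better hunting source than
    # 'netsh interface portproxy show all'.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp'
    if (-not (Test-Path $key)) { return }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }       # provider metadata, not a rule
        $listenAddr,  $listenPort  = $p.Name  -split '/'
        $connectAddr, $connectPort = $p.Value -split '/'
        [pscustomobject]@{
            ListenAddress  = $listenAddr
            ListenPort     = [int]$listenPort
            ConnectAddress = $connectAddr
            ConnectPort    = [int]$connectPort
        }
    }
}

# The read-only audit runs as-is; the mutating calls are left as comments
# because they change host state. Addresses and ports below are made up.
# Add-PortForward -ListenPort 4444 -ConnectAddress 10.0.0.5 -ConnectPort 3389
# Remove-PortForward -ListenPort 4444
Get-PortForward | Format-Table -AutoSize
```

A forward that survives a reboot is exactly the kind of artefact a red team leaves behind and an incident responder misses if they only look at listening sockets, so `Get-PortForward` is the piece worth scheduling on its own: any row it returns on a workstation or a server that has no business relaying traffic deserves a ticket.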