Case Study: A Cryptomining Attack — With an Assist From Advanced Malware Techniques

In Carbon Black's Quarterly Incident Response Threat Report QIRTR, some of the world’s leading incident response IR professionals reported seeing an uptick in lateral movement, counter incident response, and island-hopping attacks from motivated nation-states. In the case study below, Kroll notes...

How to enable the Firewall rules required by Veeam ONE on the Windows Server Core OS

Challenge Veeam ONE cannot collect any data due to closed Firewall rules on the Windows Server Core OS side. Cause Due to the Windows Server Core OS limitations, it is impossible to enable the necessary Firewall rules required by Veeam ONE using Windows Firewall UI. Solution Enable the rules CMD...

Massive Malspam Campaign Finds a New Vector for FlawedAmmyy RAT

A widespread spam campaign from the well-known financial criminal group TA505 is spreading the FlawedAmmyy RAT using a brand-new vector: Weaponized PDFs containing malicious SettingContent-ms files. The SettingContent-ms file format was introduced in Windows 10; it allows a user to create...

Microsoft PowerShell Core Security Feature Bypass Vulnerability (Jul 2018) - Linux

This host is missing an important security update for PowerShell Core according to Microsoft security advisory CVE-2018-8356. SPDX-FileCopyrightText: 2018 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders...

Microsoft PowerShell Core Security Feature Bypass Vulnerability (Jul 2018) - Mac OS X

This host is missing an important security update for PowerShell Core according to Microsoft security advisory CVE-2018-8356. SPDX-FileCopyrightText: 2018 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders...

Microsoft PowerShell Core Security Feature Bypass Vulnerability (Jul 2018) - Windows

This host is missing an important security update for PowerShell Core according to Microsoft security advisory CVE-2018-8356. SPDX-FileCopyrightText: 2018 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders...

Carbon Black Report: China, Russia & North Korea Launching Sophisticated, Espionage-Focused Cyberattacks

Even as a steady drumbeat of headlines keeps the world’s attention focused on cybercrimes, such as ransomware and cryptojacking, in the dark corners of the internet, attackers are busy refining their craft. According to the world’s top incident response IR professionals, cyberattackers are honing...

PoshRat Command Control Attempt

PoshRat is an open source tool that uses evasions techniques for reverse interactive PowerShell. A remote attacker can send malicious file that triggers the vulnerability...

Microsoft Releases Patch Updates for 53 Vulnerabilities In Its Software

It's time to gear up your systems and software for the latest July 2018 Microsoft security patch updates. Microsoft today released security patch updates for 53 vulnerabilities, affecting Windows, Internet Explorer IE, Edge, ChakraCore, .NET Framework, ASP.NET, PowerShell, Visual Studio, and...

July 10, 2018—KB4338819 (OS Build 17134.165)

July 10, 2018—KB4338819 OS Build 17134.165 Note This release also contains updates for Microsoft HoloLens OS Build 17134.165 released July 10, 2018. Improvements and fixes This update includes quality improvements. No new operating system features are being introduced in this update. Key changes...

Device Guard Code Integrity Policy Security Feature Bypass Vulnerability

A security feature bypass vulnerability exists in Device Guard that could allow an attacker to inject malicious code into a Windows PowerShell session. An attacker who successfully exploited this vulnerability could inject code into a trusted PowerShell process to bypass the Device Guard Code...

Microsoft Windows PowerShell CVE-2018-8327 Remote Code Execution Vulnerability

Description Microsoft Windows PowerShell is prone to a remote code-execution vulnerability. Successfully exploiting this issue may result in the execution of arbitrary code in the context of the affected process. Failed exploit attempts will likely result in denial-of-service conditions...

THRecon - Threat Hunting Reconnaissance Toolkit

Collect endpoint information for use in incident response triage / threat hunting / live forensics using this toolkit. When a security alert raises concern over a managed system, this toolkit aims to empower the analyst with as much relevant information as possible to help determine if a compromi...

Active Directory Reconnaissance: ADRecon

ADRecon is a tool which extracts various artifacts as highlighted below out of an AD environment in a specially formatted Microsoft Excel report that includes summary views with metrics to facilitate analysis. The report can provide a holistic picture of the current state of the target AD...

Ikeext-Privesc - Windows IKEEXT DLL Hijacking Exploit Tool

This tool is intended for automatically detecting and exploiting the IKE and AuthIP IPsec Keyring Modules Service IKEEXT Missing DLL vulnerability. Description A major weakness is present in Windows Vista, 7, 8, Server 2008, Server 2008 R2 and Server 2012, which allows any authenticated user to...

Executing Meterpreter on Windows 10 and Bypassing Antivirus

One of my Labs colleagues recently published an article on the Coalfire Blog about executing an obfuscated PowerShell payload using Invoke-CradleCrafter. This was very useful, as Windows Defender has upped its game lately and is now blocking Metasploits Web Delivery module. I wanted to demonstrat...

MalwLess - Test Blue Team Detections Without Running Any Attack

MalwLess is an open source tool that allows you to simulate system compromise or attack behaviours without running processes or PoCs. The tool is designed to test Blue Team detections and SIEM correlation rules. It provides a framework based on rules that anyone can write, so when a new technique...

LNK-Kisser - PowerShell Link Payload Generator

Making FUD Shortcut .lnk payloads with LNK-KISSER to remote execute malicious code. Shortcut-Payload-Generator Exploiting Powershell to make ShortCut Payloads fud. There is too much of awsome tricks there , u can make it better ^^. For Ex : Killing tcpview , taskmanager ..etc while downloading. S...

Bring Your Own Land (BYOL) – A Novel Red Teaming Technique

Introduction One of most significant recent developments in sophisticated offensive operations is the use of “Living off the Land” LotL techniques by attackers. These techniques leverage legitimate tools present on the system, such as the PowerShell scripting language, in order to execute attacks...

CVE-2018-8201

CVE-2018-8201 describes a security feature bypass in Microsoft Device Guard that could allow a local attacker to inject malicious code into a Windows PowerShell session. Affected products include Windows Server 2016 and Windows 10 (including Windows 10 servers). The vulnerability stems from bypas...