July 11, 2017—KB4025333 (Security-only update)

July 11, 2017—KB4025333 Security-only update Improvements and fixes This security update includes quality improvements. No new operating system features are being introduced in this update. Key changes include: Security updates to Windows kernel, ASP.NET, Internet Explorer 11, Windows Search,...

DKMC - Malicious Payload Evasion Tool

Don't kill my cat is a tool that generates obfuscated shellcode that is stored inside of polyglot images. The image is 100% valid and also 100% valid shellcode. The idea is to avoid sandbox analysis since it's a simple "legit" image. For now the tool rely on PowerShell the execute the final...

Apache Struts 2 REST Plugin XStream Remote Code Execution

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Apache Struts 2 REST Plugin XStream RCE', 'Description' = %q Apache Struts versions 2.5 through 2.5.12 using the REST plugin are vulnerable to a...

Luckystrike - A PowerShell based utility for the creation of malicious Office macro documents

A PowerShell based utility for the creation of malicious Office macro documents. To be used for pentesting or educational purposes only. Luckystrike is a menu-drive SET style PowerShell-based generator of malicious .xls and .doc documents. All your payloads are saved into a database for easy...

Monitoring Windows Console Activity (Part 1)

Introduction While performing incident response, Mandiant encounters attackers actively using systems on a compromised network. This activity often includes using interactive console programs via RDP such as the command prompt, PowerShell, and sometimes custom command and control C2 console tools...

Monitoring Windows Console Activity (Part 1)

Introduction While performing incident response, Mandiant encounters attackers actively using systems on a compromised network. This activity often includes using interactive console programs via RDP such as the command prompt, PowerShell, and sometimes custom command and control C2 console tools...

US Government Site Was Hosting Ransomware

As recently as Wednesday afternoon, a U.S. government website was hosting a malicious JavaScript downloader that led victims to installations of Cerber ransomware. Researcher Ankit Anubhav of NewSky Security tweeted the discovery Wednesday, and within hours, the malware link was taken down. It’s...

Powershell-based Windows Security Auditing Toolbox: WINspect

WINspect is part of a larger project for auditing different areas of Windows environments. It focuses on enumerating different parts of a Windows machine aiming to identify security weaknesses and point to components that need further hardening. The main targets for the current version are...

WINspect - Powershell-based Windows Security Auditing Toolbox

WINspect is part of a larger project for auditing different areas of Windows environments. It focuses on enumerating different parts of a Windows machine aiming to identify security weaknesses and point to components that need further hardening. The main targets for the current version are...

Proxy Aware PowerShell C2 Framework: PoshC2

PoshC2 is a proxy aware C2 framework written completely in PowerShell to aid penetration testers with red teaming, post-exploitation and lateral movement. The tools and modules were developed off the back of our successful PowerShell sessions and payload types for the Metasploit Framework...

PDF-XChange Viewer 2.5 (Build 314.0) Code Execution

Exploit Title: PDF-XChange Viewer 2.5 Build 314.0 Javascript API Remote Code Execution Exploit Powershell PDF Exploit Creation Date: 21-08-2017 Software Link 32bit: http://pdf-xchange-viewer.it.uptodown.com/windows Exploit Author: Daniele Votta Contact: [email protected] Website:...

Posh-SSH - PowerShell Module for automating tasks on remote systems using SSH

Windows Powershell module that leverages a custom version of the SSH.NET Library http://sshnet.codeplex.com/ to provide basic SSH functionality in Powershell. The main purpose of the module is to facilitate automating actions against one or multiple SSH enabled servers. This module is for Windows...

Hack with Metasploit: Announcing the UNITED 2017 CTF

Got mad skillz? Want mad skillz? This year at Rapid7s annual UNITED Summit, were hosting a first-of-its-kind Capture the Flag CTF competition. Whether youre a noob to hacking or a grizzled pro, youll emerge from our 25-hour CTF with more knowledge and serious bragging rights. Show off your 1337...

PDF-XChange Viewer 2.5 Build 314.0 - Code Execution

Exploit Title: PDF-XChange Viewer 2.5 Build 314.0 Javascript API Remote Code Execution Exploit Powershell PDF Exploit Creation Date: 21-08-2017 Software Link 32bit: http://pdf-xchange-viewer.it.uptodown.com/windows Exploit Author: Daniele Votta Contact: [email protected] Website:...

Microsoft Word vulnerability: hackers can use the automatic update link to install the malicious software-vulnerability warning-the black bar safety net

According to foreign media news, the SANS Internet Center a freelance security consultant and Handler in Microsoft Word, found a very interesting vulnerability that allows an attacker to abuse the Word program to automatically update the link function. This is one of the default start function,...

Threat Round-up for Aug 11 - Aug 18

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between August 11 and August 18. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior...

PowerSAP: A PowerShell SAP Security Assessment Tool!

PenTestIT RSS Feed This post is about PowerSAP, a tool that was included in this years BlackHat Arsenal. What I like about this tool is that it does not try to re-invent the wheel and yet keeps it's source code open for all of us to see and understand. The author @Sn0rkY is upfront about this and...

Invoke-CradleCrafter - PowerShell Remote Download Cradle Generator and Obfuscator

Invoke-CradleCrafter is a PowerShell v2.0+ compatible PowerShell remote download cradle generator and obfuscator. Purpose Invoke-CradleCrafter exists to aid Blue Teams and Red Teams in easily exploring, generating and obfuscating PowerShell remote download cradles. In addition, it helps Blue Team...

Advanced Discovery of Privileged Accounts: ACLight

ACLight is a tool for discovering privileged accounts through advanced ACLs Access Lists analysis. It includes the discovery of Shadow Admins in the scanned network. The tool queries the Active Directory AD for its objects’ ACLs and then filters and analyzes the sensitive permissions of each one...

Windows Exploitation Tricks: Arbitrary Directory Creation to Arbitrary File Read

Posted by James Forshaw, Project Zero For the past couple of months I’ve been presenting my “Introduction to Windows Logical Privilege Escalation Workshop” at a few conferences. The restriction of a 2 hour slot fails to do the topic justice and some interesting tips and tricks I would like to...