Learning PowerShell: basic programs
In the previous posts we have looked at some elementary PowerShell concepts and we have constructed some basic commands to export and compare data. We did this by using an example of certificates being dumped in the “Untrusted” category by some malware. This time we will try to write a program th...
The vulnerability of the PowerShell command interpreter for Windows operating systems allows a hacker to execute arbitrary code.
The vulnerability of the PowerShell command interpreter for Windows operating systems is related to deficiencies in access control during the packaging of CIM instances as PSObjects. Exploiting this vulnerability allows a malicious actor to execute arbitrary code remotely...
The vulnerability of the PowerShell command interpreter for Windows operating systems allows a hacker to execute arbitrary code.
The vulnerability of PowerShell command interpreters on Windows operating systems is related to improper handling of executable files during the renaming process. Exploiting this vulnerability allows a remote attacker to execute arbitrary code...
Koadic: An Advanced Windows JScript/VBScript RAT!
All of us know that post-exploitation we need some mechanism to maintain access on the target. One of the most common methods is by installing a trojan. I have tried to maintain a list of similar tools on the malware sources page on this blog. Now, there is a new entrant which...
Learning PowerShell: some basic commands
My first PowerShell script The first PowerShell script I wrote (see below) was a quick fix to remove certificates from the “Untrusted” registry key after a Vonteera infection. After some initial commands, this script basically loops back for every certificate that doesn’t belong under a certain key...
Revoke-Obfuscation: PowerShell Obfuscation Detection Using Science
Many attackers continue to leverage PowerShell as a part of their malware ecosystem, mostly delivered and executed by malicious binaries and documents. Of malware that uses PowerShell, the most prevalent use is the garden-variety stager: an executable or document macro that launches PowerShell to...
Powershell: Cannot connect to backup server because some of its components are out of date
Challenge Connect-VBRServer PowerShell cmdlet fails with the error: Connect-VBRServer : Cannot connect to backup server because some of its components are out of date. Cause This issue occurs when the Veeam Backup & Replication Console files on the remote machine where the command was run do not...
How Do You Identify Zero-Days and Fileless Malware? Download (the) RAM.
Banner Source: The ever-handy http://www.downloadmoreram.com. When a tactic becomes less and less effective, it's important to shift strategies and adapt. With malware, attackers are doing exactly that. As preventative measures such as antivirus and endpoint detection and response continue to...
nps_payload: Basic Intrusion Detection Avoidance Payload Generator!
This is a short post about npspayload, an open-source Python script that helps you create basic payloads that help you avoid or bypass intrusion detection systems. This is a mix of @ben0xa's Not PowerShell (nps) framework and some features of @HackingDave’s unicorn tool. As you...
HoneypotBuster - Microsoft PowerShell Module to Find HoneyPots and HoneyTokens in the Network
Microsoft PowerShell module designed for red teams that can be used to find honeypots and honeytokens in the network or at the host. CodeExecution: execute code on a target machine using Import-Module. Invoke-HoneypotBuster: HoneypotBuster is a tool designed to spot Honey Tokens, Honey Bread Crumbs...
UPDATE: Luckystrike 2.0!
My first post regarding this malicious Microsoft Office document generator was about an older version. However, a few hours ago, an update was released - Luckystrike 2.0! Major highlights for this awesome release include full support for Microsoft Word in addition to a new COM...
Unravelling .NET with the Help of WinDBG
This blog was authored by Paul Rascagneres and Warren Mercer. Introduction. .NET is an increasingly important component of the Microsoft ecosystem, providing a shared framework for interoperability between different languages and hardware platforms. Many Microsoft tools, such as PowerShell, and other...
A week in security (July 10 – July 16)
Last week, we took a look at some of your malware infection stories, took a stroll through the basics of PowerShell, explored a piece of .NET malware, and shone the spotlight on the Petya ransomware family. Elsewhere, the following stories were taking place: Latest updates for Consumers...
NetworkRecon: PowerShell to Identify Network Vulnerabilities!
As PowerShell becomes more prevalent in the Windows environment, so will its use for vulnerability assessment and penetration tests. I have covered a few of them earlier, such as PowerSploit and PSAttack. However, none of the ones I mentioned help you detect network vulnerabilities...
WinRM Command Runner
This module runs arbitrary Windows commands using the WinRM Service. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'net/winrm/connection' class MetasploitModule 'WinRM Command Runner', 'Description' = %q This...
Virtual Apps and Desktops: Logon Duration in MonitorData.Session Table shows "Null"
Logon Duration in the MonitorData.Session table in the Monitoring Database shows a "Null" value for all sessions, and hence Director does not report Average Logon Duration for sessions. Restarting the Monitoring Service on Delivery Controllers does not fix the issue. We used the below scripts to ensure thatO...
Skype for Business 2016 - Cross-Site Scripting Vulnerability
Exploit for windows platform in category remote exploits Exploit Title: Skype for Business 2016 XSS Injection - CVE-2017-8550 Exploit Author: @nyxgeek - TrustedSec Date: 2017-04-10 Vendor Homepage: www.microsoft.com Versions: 16.0.7830.1018 32-bit & 16.0.7927.1020 64-bit or lower Requirements:...
Skype for Business 2016 - Cross-Site Scripting
Skype for Business 2016 - Cross-Site Scripting Exploit Title: Skype for Business 2016 XSS Injection - CVE-2017-8550 Exploit Author: @nyxgeek - TrustedSec Date: 2017-04-10 Vendor Homepage: www.microsoft.com Versions: 16.0.7830.1018 32-bit & 16.0.7927.1020 64-bit or lower Requirements: Originating...
Windows PowerShell Remote Code Execution Vulnerability (KB4025872)
This host is missing an important security update according to Microsoft KB4025872. SPDX-FileCopyrightText: 2017 Greenbone AG Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescripti...