FIN7 Evolution and the Phishing LNK

FIN7 is a financially-motivated threat group that has been associated with malicious operations dating back to late 2015. FIN7 is referred to by many vendors as “Carbanak Group”, although we do not equate all usage of the CARBANAK backdoor with FIN7. FireEye recently observed a FIN7 spear phishin...

FIN7 Evolution and the Phishing LNK

FIN7 is a financially-motivated threat group that has been associated with malicious operations dating back to late 2015. FIN7 is referred to by many vendors as “Carbanak Group”, although we do not equate all usage of the CARBANAK backdoor with FIN7. FireEye recently observed a FIN7 spear phishin...

Nvidia GeForce Experience Node.js security vulnerability

Application Whitelisting Application whitelisting is an important security concept which can be found in many environments during penetration testing. The basic idea is to create a whitelist of allowed applications and after that only allow the execution of applications which can be found in that...

Powershell Empire Detection

Binary data powershellempiredetect.nbin...

Microsoft Windows - ManagementObject Arbitrary .NET Serialization Remote Code Execution Exploit

Exploit for windows platform in category remote exploits Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1081 Windows: ManagementObject Arbitrary .NET Serialization RCE Platform: .NET 4.6, Powershell 4. Tested between Server 2016 and Windows 10 Anniversary Edition Class: Remote...

Microsoft Windows - ManagementObject Arbitrary .NET Serialization Remote Code Execution

Microsoft Windows - ManagementObject Arbitrary .NET Serialization Remote Code Execution Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1081 Windows: ManagementObject Arbitrary .NET Serialization RCE Platform: .NET 4.6, Powershell 4. Tested between Server 2016 and Windows 10...

Microsoft Windows - ManagementObject Arbitrary .NET Serialization Remote Code Execution

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1081 Windows: ManagementObject Arbitrary .NET Serialization RCE Platform: .NET 4.6, Powershell 4. Tested between Server 2016 and Windows 10 Anniversary Edition Class: Remote Code Execution Summary: Accessing a compromised WMI serve...

Windows: ManagementObject Arbitrary .NET Serialization RCE（CVE-2017-0160）

Windows: ManagementObject Arbitrary .NET Serialization RCE Platform: .NET 4.6, Powershell 4. Tested between Server 2016 and Windows 10 Anniversary Edition Class: Remote Code Execution Summary: Accessing a compromised WMI server over DCOM using System.Management classes or the Powershell...

CVE-2017-0199: Microsoft Office RTF vulnerability using the PoC-vulnerability warning-the black bar safety net

0x01 description From FireFye detect and publish CVE-2017-0199 since, I have been researching this vulnerability in Microsoft officially released the patch, I decided to release this PoC. I use way possible with other researchers using different methods, the use of the method may be little bit...

Spread banking Trojan the Office 0day Vulnerability(CVE-2017-0199)technical analysis-vulnerability warning-the black bar safety net

Vulnerability overview Microsoft in 4 months of routine patch of 4 on 12, the A Office remote command execution vulnerability, CVE-2017-0199 for the repair, but in fact in the patch before the release there has been more use of this vulnerability in the wild is found, which contains the...

The Word Vulnerability, CVE-2017-0199 dissect that Microsoft patch that you installed? - Vulnerability warning-the black bar safety net

! Foreword Recently, FireEye detects a use of the vulnerability, CVE-2017-0199 malicious OfficeRTF document--earlier this week FreeBuf also reported the vulnerability, without the need to enable Word macros, open a malicious RFT document can be infected with a malicious program. When the user ope...

CVE-2017-0199: analysis Microsoft Office RTF vulnerability-vulnerability warning-the black bar safety net

FireEye recently detected using CVE-2017-0199 security vulnerabilities malicious Microsoft Office RTF document, be aware of CVE-2017-0199, but had not been disclosed vulnerability. When the user opens that contains the exploit Code of the document, the malicious code will download and execute the...

CVE-2017-0199 Used as Zero Day to Distribute FINSPY Espionage Malware and LATENTBOT Cyber Crime Malware

FireEye recently identified a vulnerability – CVE-2017-0199 – that allows a malicious actor to download and execute a Visual Basic script containing PowerShell commands when a user opens a Microsoft Office RTF document containing an embedded exploit. We worked with Microsoft and published the...

Office Zero Day Delivering FINSPY Spyware to Victims in Russia

Since at least January, unidentified state-sponsored attackers have been targeting victims in Russia with FINSPY spyware delivered in exploits for an Office and WordPad zero-day vulnerability patched on Tuesday by Microsoft. Separately, the same zero-day has been leveraged in financially motivate...

CVE-2017-0199 Used as Zero Day to Distribute FINSPY Espionage Malware and LATENTBOT Cyber Crime Malware

FireEye recently identified a vulnerability – CVE-2017-0199 – that allows a malicious actor to download and execute a Visual Basic script containing PowerShell commands when a user opens a Microsoft Office RTF document containing an embedded exploit. We worked with Microsoft and published the...

CVE-2017-0199 Used as Zero Day to Distribute FINSPY Espionage Malware and LATENTBOT Cyber Crime Malware

FireEye recently identified a vulnerability – CVE-2017-0199 – that allows a malicious actor to download and execute a Visual Basic script containing PowerShell commands when a user opens a Microsoft Office RTF document containing an embedded exploit. We worked with Microsoft and published the...

PoshC2 - Powershell C2 Server and Implants

PoshC2 is a proxy aware C2 framework written completely in PowerShell to aid penetration testers with red teaming, post-exploitation and lateral movement. The tools and modules were developed off the back of our successful PowerShell sessions and payload types for the Metasploit Framework...

CVE-2017-0199: In the Wild Attacks Leveraging HTA Handler

FireEye recently detected malicious Microsoft Office RTF documents that leverage CVE-2017-0199, a previously undisclosed vulnerability. This vulnerability allows a malicious actor to download and execute a Visual Basic script containing PowerShell commands when a user opens a document containing ...

Security and Quality Rollup for the .NET Framework 2.0 Service Pack 2, 4.5.2, and 4.6 updates for Windows Vista Service Pack 2 and Windows Server 2008 Service Pack 2: April 11, 2017

Security and Quality Rollup for the .NET Framework 2.0 Service Pack 2, 4.5.2, and 4.6 updates for Windows Vista Service Pack 2 and Windows Server 2008 Service Pack 2: April 11, 2017 Note Known issues in this security update After you apply this security update, the PowerShell v3.0+ stop-computer...

Against DeviceGuard: in-depth analysis of the CVE-2017-0007-vulnerability warning-the black bar safety net

Over the past few months, I'm happy and Matt Graeber and Casey Smith together with the study Device Guard user-mode integrity UMCI around it. If you are not familiar with Device Guard, you can read: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/device-guard-deployment-guide the. I...