BeyondTrust Privilege Management for Windows Security Vulnerability
BeyondTrust Privilege Management for Windows is software for restricting user privileges, made by BeyondTrust (USA). A security vulnerability exists in BeyondTrust Privilege Management for Windows prior to version 25.4.270.0, which originates in wmic.exe and could lead to an anti-tamper protection bypass...
CISA issues warning to US businesses: Beware of China's state-sponsored cyber actor
The US Cybersecurity and Infrastructure Security Agency (CISA) has an urgent message for US businesses: watch out for Volt Typhoon, a threat actor sponsored by the People's Republic of China (PRC). The agency's joint Cybersecurity Advisory (CSA) published last week highlights a cluster of tactics,...
Windows Installed AntiVirus Enumeration
This module will enumerate the AV products detected by WMIC. Module Options: msf use post/windows/gather/enumav; msf postenumav show actions ...actions...; msf postenumav set ACTION; msf postenumav show options ...show and set options...; msf postenumav run. This module requires Metasploit:...
ezEmu - Simple Execution Of Commands For Defensive Tuning/Research
ezEmu enables users to test adversary behaviors via various execution techniques. Sort of like an "offensive framework for blue teamers", ezEmu does not have any networking/C2 capabilities and instead focuses on creating local test telemetry. Windows: see /Linux for ELF. ezEmu is compiled as...
Watch Out! Microsoft Spotted Spike in Astaroth Fileless Malware Attacks
Security researchers at Microsoft have released details of a new widespread campaign distributing an infamous piece of fileless malware that was primarily being found targeting European and Brazilian users earlier this year. Dubbed Astaroth, the malware trojan has been making the rounds since at...
Dismantling a fileless campaign: Microsoft Defender ATP’s Antivirus exposes Astaroth attack
The prevailing perception about fileless threats, among the security industry’s biggest areas of concern today, is that security solutions are helpless against these supposedly invincible threats. Because fileless attacks run the payload directly in memory or leverage legitimate system tools to r...
Threat Analysis: Recent Attack Technique Leveraging cmd.exe and PowerShell Demonstrates How Attackers Are Using Trusted Microsoft Applications for Malicious Behavior
An attack leveraging cmd.exe and PowerShell was recently investigated by Cb ThreatSight analysts. Our initial investigation discovered that a batch file was executed on the targeted system. This batch file then invoked PowerShell with a base64 encoded command. Decoding the command revealed a seri...
Microsoft WMIC Malicious XSL Downloader
A vulnerability exists in the Microsoft WMIC interface. Successful exploitation of this vulnerability could allow a remote attacker to run malicious code and infect the target system...
Petya Is Not Ransomware, It's a 'Wiper'
The outbreak of the ExPetr malware isn’t a ransomware attack, but more precisely, it’s a wiper attack that sabotaged PCs globally, overwriting their Master Boot Record forever. That’s the analysis of security experts from Kaspersky Lab and Comae Technologies who shared their latest research on th...
Dealing with Petya
Akamai is aware of and is tracking the malware threat known as "Petya". Petya is ransomware spread using several methods, including PsExec, the Windows Management Instrumentation Command-line (WMIC), and the EternalBlue exploit used by the WannaCry family of ransomware. The malware spreads via port 139...
FTP Voyager Scheduler 16.2.0 - Cross-Site Request Forgery
FTP Voyager Scheduler 16.2.0 - Cross-Site Request Forgery. Credits: John Page AKA hyp3rlinx. Website: hyp3rlinx.altervista.org. Source: http://hyp3rlinx.altervista.org/advisories/FTP-VOYAGER-SCHEDULER-CSRF-REMOTE-CMD-EXECUTION.txt. ISR: ApparitionSec. Vendor: solarwinds.com...
Ghostscript 9.20 - Filename Command Execution
Ghostscript 9.20 - Filename Command Execution. Credits: John Page AKA hyp3rlinx. Website: hyp3rlinx.altervista.org. Source: http://hyp3rlinx.altervista.org/advisories/GHOSTSCRIPT-FILENAME-COMMAND-EXECUTION.txt. ISR: ApparitionSec. Vendor: ghostscript.com. Product:...
Windows Management Instrumentation (WMI) Remote Command Execution
This Metasploit module executes PowerShell on the remote host using the current user's credentials or those supplied. Instead of using PsExec over TCP port 445, it uses the WMIC command to start a Remote Procedure Call on TCP port 135 and an ephemeral port. Set ReverseListenerComm to tunnel traffic...
Windows Gather Run WMIC Commands
This module executes WMIC commands on the specified host. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Windows Gather Run WMIC Commands', 'Description' = %q This module executes WMIC command...
Windows Execute net user /ADD CMD
Create a new user and add them to the local administrators group. Note: the specified password is checked for common complexity requirements to prevent the target machine from rejecting the user for failing to meet policy requirements. Complexity check: 8-14 chars, 1 UPPER, 1 lower, 1 digit/special. This...
Windows Execute net user /ADD
Create a new user and add them to the local administrators group. Note: the specified password is checked for common complexity requirements to prevent the target machine from rejecting the user for failing to meet policy requirements. Complexity check: 8-14 chars, 1 UPPER, 1 lower, 1 digit/special. This...