.NET GAC and NIC hijacking for lateral movement - ...

Hacking
io_uring Rootkit Bypasses Linux Security Tools - ARMO
ARMO reveals how io_uring enables rootkits to bypass major Linux security tools like Falco, and Defender. Learn about the Curing rootkit and detection strategies.
lwthiker/curl-impersonate: curl-impersonate: A special build of curl that can impersonate Chrome & Firefox
curl-impersonate: A special build of curl that can impersonate Chrome & Firefox - lwthiker/curl-impersonate
FunnyWolf/Viper: A Unified Platform for Adversary Emulation and Red Team Operations
A Unified Platform for Adversary Emulation and Red Team Operations - FunnyWolf/Viper
DosX-dev/Astral-PE: Astral-PE is a low-level mutator (headers obfuscator) for native Windows PE files (x32/x64)
Astral-PE is a low-level mutator (headers obfuscator) for native Windows PE files (x32/x64) - DosX-dev/Astral-PE
wietze/ArgFuscator.net: ArgFuscator.net is an open-source, stand-alone web application that helps generate obfuscated command lines for common system-native executables.
ArgFuscator.net is an open-source, stand-alone web application that helps generate obfuscated command lines for common system-native executables. - wietze/ArgFuscator.net
WorstFit: Unveiling Hidden Transformers in Windows ANSI!
📌 This is a cross-post from DEVCORE. The research was first published at Black Hat Europe 2024. Personally, I would like to thank splitline, the co-author of this research & article, whose help
hardenedlinux/userland-exec: Userland exec PoC to be used as attack vector technique
Userland exec PoC to be used as attack vector technique - hardenedlinux/userland-exec
devttys0/delink
xaitax/TotalRecall: This tool extracts and displays data from the Recall feature in Windows 11, providing an easy way to access information about your PC's activity snapshots.
This tool extracts and displays data from the Recall feature in Windows 11, providing an easy way to access information about your PC's activity snapshots. - xaitax/TotalRecall
two06/CerealKiller: .NET deserialization hunter
.NET deserialization hunter.
Kudaes/Shelter: ROP-based sleep obfuscation to evade memory scanners
ROP-based sleep obfuscation to evade memory scanners - Kudaes/Shelter
Scheduled Task Tampering
Microsoft recently published an article that documented how the HAFNIUM threat actor leveraged a flaw in how scheduled tasks are stored in the registry to hide their presence.
Listen to the whispers: web timing attacks that actually work
Websites are riddled with timing oracles eager to divulge their innermost secrets. It's time we started listening to them. In this paper, I'll unleash novel attack concepts to coax out server secrets
Malicious Registry Timestamp Manipulation Technique: Detecting Registry Timestomping
The Definitive Guide to Linux Process Injection | Akamai
In this blog post, we document Linux process injection techniques, and explain how to detect and mitigate them.
SELinux bypasses | Klecko Blog
This post aims at giving an overview of what SELinux is, how it is implemented, and how to bypass it, from the point of view of Android kernel exploitation.
Octoberfest7/Secure_Stager: An x64 position-independent shellcode stager that verifies the stage it retrieves prior to execution
An x64 position-independent shellcode stager that verifies the stage it retrieves prior to execution - Octoberfest7/Secure_Stager
aapooksman/certmitm: A tool for testing for certificate validation vulnerabilities of TLS connections made by a client device or an application.
A tool for testing for certificate validation vulnerabilities of TLS connections made by a client device or an application. - aapooksman/certmitm
Critical Vulnerabilities Discovered in Automated Tank Gauge Systems | Bitsight
Recent investigation by Bitsight TRACE has discovered multiple critical 0-day vulnerabilities across six ATG systems from five different vendors.
Kudaes/DInvoke_rs: Dynamically invoke arbitrary unmanaged code
Dynamically invoke arbitrary unmanaged code.
The (Anti-)EDR Compendium
Red Teaming in the age of EDR: Evasion of Endpoint Detection Through Malware Virtualisation
Authors: Boudewijn Meijer && Rick Veldhoven Introduction As defensive security products improve, attackers must refine their craft. Gone are the days of executing malicious binaries from di…
Windows DWM Core Library Elevation of Privilege Vulnerability (CVE-2024-30051)
In this blog post, I will explain a vulnerability in the Microsoft Windows Desktop Windows Manager (DWM) Core library that I analyzed when the exploit for Core Impact was being developed. This vulnerability allows an unprivileged attacker to execute code as a DWM user with Integrity System privileges (CVE-2024-30051).
Shellcodes database for study cases
Mainframes: structure and features of penetration testing | Securelist
We explain how mainframes work, potential attack vectors, and what to focus on when pentesting such systems.
foorilla/allinfosecnews_sources: A list of online news & info sources in the InfoSec/Cybersecurity space
A list of online news & info sources in the InfoSec/Cybersecurity space - foorilla/allinfosecnews_sources
deepinstinct/ShimMe
Malware development part 1 - basics – 0xPat blog – Red/purple teamer
Introduction This is the first post of a series which regards development of malicious software. In this series we will explore and try to implement multiple techniques used by malicious applications to execute code, hide from defenses and persist. Let’s create a C++ application that will run malicious shellcode while trying to not be caught by AV software. Why C++ and not C# or PowerShell script? Because it’s much more difficult to analyze compiled binary when compared to managed code or script. For the purpose of this and following articles we will use MS Visual Studio 2017 or 2019 on Windows 10.
Hiding in plain sight (part 2) - Abusing the dynamic linker
A stealthy process stomping method compatible with UNIX-like systems with anti-forensic enhancements for Linux.