﷽| cocomelonc
A tool that automates the delivery of malware from external attackers to target employees’ Microsoft Teams inbox has been released.| Help Net Security
Discover how penetration testers use cURL to bypass web security defenses, manipulate HTTP requests, and uncover vulnerabilities. Learn advanced techniques, real-world examples, and ethical best practices.| Lipson Thomas
During a Red Team engagement, we compromised an AWS account containing a Confluence instance hosted on an EC2 virtual machine. Although we fully compromised the machine hosting the Confluence instance, we did not have valid credentials to log in but were able to interact with the underlying database. This led us to study the structure of the Confluence database and the mechanism for generating API tokens.| Quarkslab's blog
Failing to meet CMMC requirements can result in immediate and long-term business risks, particularly for organizations in the Department of Defense (DoD) DIB supply chain.| fortreum.com
During an assumed breach ops via a virtual desktop interface, we discovered a wildcard allow firewall rule for the Azure Blob Storage service. We proved that even with restrictions in place, it was still possible to reach the Internet. Afterwards, we thought of abusing this firewall misconfiguration (recommended by Microsoft) in a much more useful way. To demonstrate that I built a SOCKS5 proxy that uses blobs to tunnel traffic to the target's internal network.| Quarkslab's blog
A technical exploration of modern phishing tactics, from basic HTML pages to advanced MFA-bypassing techniques, with analysis of infrastructure setup and delivery methods used by phishers in 2025.| Quarkslab's blog
Over the last decade, I’ve seen the industry embrace red teaming, with more and more organizations employing red teams to help augment their security function. While I don’t love that so much of the industry still appears to be hung up on red teaming basically being “a more advanced penetration test”, I am happy to see more and more organizations taking this proactive step to evaluate and improve their security.| dade
I can’t sit here and pretend to have the experience necessary to give prescriptive advice on how to build and run a successful Red Team function at your organization. While I’ve been an early hire for two red team functions at two different organizations, it has not yet been my responsibility to ensure the success of the function. However, being involved early, I was able to see first hand multiple things that threatened the function. Additionally, I’ve been involved in the broader red ...| dade
A quick post about making a more cost effective cover implant using a common wired mouse.| Aura Research Division
In my previous blog post I demonstrated a method for persisting a Linux LKM rootkit across reboots by leveraging systemd-modules-load. For this method to work, we needed to add the evil module into the /usr/lib/modules/$(uname -r) directory and then run depmod. As I pointed out in the article, while the LKM could hide the module… Continue reading A Little More on LKM Persistence→| Righteous IT
Last time we quickly ran through the method for cracking the cookies issued by an instance of PHP issuing outputs from mt_rand(). However, the method used was flawed. We can do better just by attacking the problem some more. First, a basic optimisation to solve two problems at once. When running early attack code, I […]| Sharp Security
Our latest post focuses on the command and control (C2) software frameworks used by professional offensive security red teams and criminal organizations alike. We dived into the source code of multiple high-profile, open-source C2s and discovered vulnerabilities in most of them. In this post, we provide a brief overview of C2 concepts, review the details of the frameworks' identified vulnerabilities (with nifty reproduction gifs included!), and conclude with some final thoughts about the curr...| Include Security Research Blog
Introducing the fix-stomped-imports Binary Ninja plugin, allowing you to reconstruct a stomped Import Address Table when reverse engineering.| LRQA Nettitude Labs
The actual largest date that can be represented in an EXT4 file system is 2446-05-10 22:38:55. Curious about why? Read on for a breakdown of how EXT4 timestamps are encoded, or skip ahead to “…| Righteous IT
Blogs related to information security.| 3xpl01tc0d3r.blogspot.com
Using CSS and social engineering to identify juicy targets when performing watering hole attacks| Mixing watering hole attacks with history leak via CSS |
Finding a way to reuse R/W/X memory with VBA and how to avoid crashes| VBA: overwriting R/W/X memory in a reliable way |
As per a survey, 68% of companies believe that Red Teaming outperforms Blue Teaming. What if your organization's defenses were stress-tested not through routine audits| WeSecureApp :: Securing Offensively
SharpConflux, a .NET application built to facilitate Confluence exploitation during Red Team and Penetration Testing engagements.| LRQA Nettitude Labs
In the context of a Red Team assessment, in this post I’ll look at some options for using SOCKS to gain external access to an internal network. I’ll cover the obvious methods and why I’m overlooking them, a crude method using standard tools (this post) and a more refined approach using modified tools (in part 2). […] The post Reverse port forwarding SOCKS proxy via HTTP proxy (part 1) appeared first on Portcullis Labs.| Portcullis Labs
By way of an introduction to our talk at Black Hat Europe, Security Advisory EMEAR would like to share the background on our recent research into some common Active Directory integration solutions. Just as with Windows, these solutions can be utilized to join UNIX infrastructure to enterprises’ Active Directory forests. Background to Active Directory integration […] The post An offensive introduction to Active Directory on UNIX appeared first on Portcullis Labs.| Portcullis Labs
Presentation on Active Directory integration solutions for UNIX (as given at Black Hat Europe 2018). Over the past fifteen years there’s been an uptick in “interesting” UNIX infrastructures being integrated into customers’ existing AD forests. Whilst the threat models enabled by this should be quite familiar to anyone securing a heterogeneous Windows network, they may […] The post Where 2 worlds collide: Bringing Mimikatz et al to UNIX appeared first on Portcullis Labs.| Portcullis Labs
Presentation on logging and auditing strategies (as given at Secure South West 11). Building on my blog post on Cisco’s security blog entitled The Importance of Logs, I put together a presentation that picks apart some of the practical aspects of building a successful logging capability focusing on the need to document “good” and curate […] The post The importance of logs: You won’t see what you don’t log appeared first on Portcullis Labs.| Portcullis Labs
Yet another security platform being pwned by trivial vulnerabilities (CVE-2024-22107 & CVE-2024-22108)| A christmas tale: pwning GTB Central Console (CVE-2024-22107 & CVE-2024-22108) |
Data stolen, systems crippled, reputation tarnished. A cyberattack's impact goes far beyond the initial breach. "Beyond Breach" explores the real-world aftermath| WeSecureApp :: Securing Offensively
Article describing an alternative method to trigger shellcode execution| VBA: having fun with macros, overwritten pointers & R/W/X memory |
Umpteenth time that you will see a lateral movement based on DCOM. This time it's Visual Studio.| Developers are juicy targets: DCOM & Visual Studio |
Combination of small snippets of code to simulate getprocaddress avoiding dangerous functions| VBA: resolving exports in runtime without NtQueryInformationProcess or GetPro...
Article describing how to decode/decrypt source code protected with Nu-Coder| Beating an old PHP source code protector |
Load shared object (PHP extension) from memory| Spice up your persistence: loading PHP extensions from memory |
Detecting NoVNC for phishing campaigns| Thoughts on the use of noVNC for phishing campaigns |
Advanced persistent threats are highly sophisticated and targeted cyber attacks that can have far-reaching consequences for organizations and individuals| WeSecureApp :: Securing Offensively