Understanding the Ins and Outs of Living off the Land Binaries

Living off-the-land binaries, or “LOLBins,” are not dangerous in nature, but when exploited by cyber criminals, they can wreak havoc on your systems. LOLBins are local tools installed as part of your operating system. We all have them, and we all use them. It […]

Log4Shell Vulnerability

CVE-2021-44228 / Log4Shell Vulnerability Industry: N/A | Level: Tactical | Sources: LunaSec & GitHub-Log4Shell-List. A zero-day exploit has been identified for the Java logging library “log4j” that could result in remote code execution. Affected versions include Log4j 2.0-beta9 up to 2.14.1 with service impacts […]

The simplicity of advanced correlation using Anvilogic’s Scenario Creation

For far too long Security Operations Centers have struggled to find that perfect balance of efficacy in alerting while trying to maintain an acceptable threshold of alerts firing into their SIEM. Today, we’re going to be looking into a research article for a FIN6 […]

Abuse EQNEDT32.EXE CVE-2017-11882

Overview of CVE-2017-11882 CVE-2017-11882 affects several versions of Microsoft Office and, when exploited, allows a remote user to run arbitrary code in the context of the current user as a result of improperly handling objects in memory. The vulnerability exists in the old Equation […]

Rubeus createnetonly (Kerberos)

Overview of Rubeus createnetonly The createnetonly action will use the CreateProcessWithLogonW() API to create a new hidden (unless /show is specified) process with a SECURITY_LOGON_TYPE of 9 (NewCredentials), the equivalent of runas /netonly. The process ID and LUID (logon session ID) are returned. This […]

Abuse SilentCleanup Task

Overview of Abuse SilentCleanup Task There’s a task in Windows Task Scheduler called “SilentCleanup” which, while it’s executed as Users, automatically runs with elevated privileges. When it runs, it executes the file “%windir%\system32\cleanmgr.exe”. Since it runs as Users, and it’s possible to control the user’s […]

Server-Side Includes (SSI) Injection

Overview of Server-Side Includes (SSI) Injection Web servers usually give developers the ability to add small pieces of dynamic code inside static HTML pages, without having to deal with full-fledged server-side or client-side languages. This feature is provided by Server-Side Includes (SSI), which are directives that […]

PowerSploit PsExec for PowerShell

Overview of PowerSploit PsExec The PowerSploit PowerShell script (Invoke-PsExec.ps1) from Empire is a function (cmdlet) that lets you execute PowerShell and batch/cmd.exe code asynchronously on target Windows computers, using PsExec.exe. References: https://github.com/EmpireProject/Empire/blob/master/data/module_source/lateral_movement/Invoke-PsExec.ps1

Publicly exposed Docker API

Description Docker is a technology that allows you to perform operating system-level virtualization. An incredible number of companies and production hosts are running Docker to develop, deploy, and run applications inside containers. You can interact with Docker via the terminal and also via remote […]

Unauthenticated Path Traversal – CVE-2020-3452

Description A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software (CVE-2020-3452) could allow an unauthenticated, remote attacker to conduct directory traversal attacks and read sensitive files on a targeted system. The vulnerability is […]