Maximilian Barz’s Post

Hackers Use Windows XSS Flaw To Execute Arbitrary Command In MMC Console Attackers are leveraging a new infection technique called GrimResource that exploits MSC files. By crafting malicious MSC files, they can achieve full code execution within the context of mmc.exe (Microsoft Management Console) upon a user click. #cyberattack #malicioussoftware #microsoft #crosssitescripting #vulnerability #cybersecurity #cve

Hackers Use Windows XSS Flaw To Execute Arbitrary Command In MMC Console: Attackers are leveraging a new infection technique called GrimResource that exploits MSC files. By crafting malicious MSC files, they can achieve full code execution within the context of mmc.exe (Microsoft Management Console) upon a user click.  It offers several advantages for attackers by bypassing the need for macros (disabled by default) and providing low-security warnings, […] The post Hackers Use Windows XSS Flaw To Execute Arbitrary Command In MMC Console appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.

#ThreatLocker, Allowlisting using a Zero Trust approach will block unknown executables from running. "This file redirects to an HTML file and utilizes the 'search-ms' protocol to access an LNK file on a remote server," a company blog post explained. "Upon clicking the LNK file, a PowerShell script executes Freeze[.]rs and SYK Crypter for further offensive actions." The PowerShell script as mentioned above not have been allowed to execute breaking the cyber kill chain.

Have just completed "Introduction to Antivirus" on TryHackMe [+] Contents Summary: - Antivirus history - Features: + Scanner: Real-time scanning for malicious files, emails, memory, Windows registry, API/System calls generally, ... + Detection: > Signature-based detection is the traditional AV technique that looks for predefined malicious patterns and signatures within files (hash/bytecode, strings, rules (such as Yara), ...) (Static Analysis) > Heuristic detection is a more advanced technique that includes various behavioral methods to analyze suspicious files.  Such as: changes in file system, Windows Registry, Processes interactions, Starting/Stopping services, ... > Dynamic detection is a technique that includes monitoring the system calls and APIs, analyzes in an isolated/virtualized environment where the system is fully monitored to detect changes, ... and finally create signatures. - Fingerprinting AV: After initial access, It's a must to check/identify Host/Network-based security solutions before any attempt to applying persistence, privilege escalation techniques, or lateral movement (pivoting to other hosts/networks). - Online AV scanners: It allows users to upload files to be scanned with over 70 antivirus detection engines, returning the result with a report in deep details interesting to Malware Analysts. #tryhackme #cybersecuritytraining #cyberawareness #cyberdefense #ethicalhacking #computersecurity #enumeration #exploit #exploitdevelopment #shell #shellcode #offensivesecurity #cyberattacks #cyberprotection #python #malware #malwareattacks #malwareattack #apt #redteam #redteaming #script #scripting #scriptwriting #virus #persistence #exploit #exploitation #windowssecurity #backdoor #windowsadmin #windowssystemadministration #windowsinternals #kernel #windowskernel #malwaredevelopment #injection #redteam #redteaming #redteamer #antivirus #virustotal #detection

Living Off The Land techniques. Use cases, why attackers are leveraging them to stay under the radar and bypassing EDR and staying persistent. #cybersecurity #pentesting #lotl #redteaming Read this story from Shawn Voong on Medium:

Exploiting GitHub: A Sophisticated Malware Distribution Tactic Exposed! Imagine a scenario where GitHub, a hub for millions of developers, becomes a conduit for malware. This isn't hypothetical—it's happening. Recent findings highlight a critical misuse of GitHub's file upload feature, transforming a standard tool into a malware dissemination channel, cleverly disguised under the guise of legitimacy. Why This Matters to You The misuse of GitHub to distribute malware via what appear to be trusted sources like Microsoft's repositories is not just a breach of trust; it's a major security loophole. This exploitation affects all of us—developers, businesses, and casual users alike. Detailed Breakdown of the Malware Mechanism 1. Abusing GitHub's File Upload in Comments: Threat actors attach malicious files to comments on GitHub commits or issues. These files, linked to reputable repositories, can deceive users into believing they are legitimate, which dramatically increases the likelihood of malware downloads. 2. The Illusion of Credibility: Files linked to names like Microsoft give the malware an appearance of authenticity. Unsuspecting users downloading these files might believe they are genuine updates or necessary patches. 3. Persistence and Accessibility: Once a file is uploaded, its URL remains active indefinitely, even if the comment it was attached to is deleted. This means malicious files can be accessed and downloaded long after their initial posting, making it difficult to contain the spread. In-Depth Analysis from the McAfee Report The McAfee report sheds light on a particularly pernicious malware called Redline Stealer. It's disguised as benign software updates but carries a dangerous payload. The malware leverages Lua bytecode to execute malicious activities discreetly, making detection challenging even for seasoned cybersecurity tools. The ingenuity doesn't stop there: • The malware is embedded in an MSI installer that seems innocuous. • Upon execution, the installer uses complex methods like scheduled tasks and custom scripts to ensure persistence on the victim's system. These techniques highlight the malware's sophisticated evasion capabilities and its potential for widespread damage. What Can Be Done? Understanding the nature of this threat is crucial. The McAfee report provides a comprehensive look at the techniques employed by this malware, offering valuable insights into its operation and suggestions for countermeasures. For a deeper understanding, I recommend reviewing the full McAfee report (https://lnkd.in/gEupmNCG). It's an essential resource for anyone involved in cybersecurity. By studying detailed reports like McAfee's and staying updated on the latest threats, we can better defend our systems and data against sophisticated cyber attacks. #GitHubSecurity #MalwareThreat #RedlineStealer #McAfeeReport #CyberAttackPrevention #GitHubMalware

A new elaborate attack campaign has been observed employing PowerShell and VBScript malware to infect Windows systems and harvest sensitive information. More on this news here: https://lnkd.in/dsDe7Gt4 #CyberResilience #CloudSecurity #SecurityCompliance

#Malware_analysis Analyzing & Patching a DLL Reverse Shell https://lnkd.in/eASwkjEh

Couple of days ago, we posted bout "fake software packages" and today we are bringing to your attention about a "malicious package" that was identified. CVE-2024-29415: Popular Node.js Package ‘node-ip’ Exposes Millions to Potential SSRF Attacks A critical Server-Side Request Forgery (SSRF) vulnerability, CVE-2024-29415, has been discovered in the widely-used Node.js package ‘ip,’ which retrieves IPv4 addresses. With over 19 million downloads weekly, this package's isPublic() function incorrectly classifies certain private IP addresses as public, exposing systems to SSRF attacks. Versions up to 2.0.1 are affected. This issue stems from an incomplete fix for CVE-2023-42282 and improper IP parsing.   For more details, check out the comments section 👇   Developers use such packages on a day to day basis and it's getting highly critical and also difficult to ensure the security of these. Either you are building new features now or already built, continuous security of your software libraries and dependencies is critical using proper tools. This should be part of your "holistic application security approach". No wonder applications have vulnerabilities as the core components or building blocks are insecure themselves and the developers are just building using those, just common sense, isn't it? So it's very important for CISOs and security teams to provide proper tools to the developers to identify such issues right from early stages of application development and also continuously. Days were gone where CISOs and Security teams used to focus more on infrastructure and basic application security! With FLYINGDUCK, within 'just a few seconds' we can identify where such malicious packages are being used 'across your code base', show the 'associated CVEs' and a 'secure remediation path'. Help your devs save a bunch of time with quick identification and remediation so they can focus on building their features. #codetocloudsecurity #softwaresupplychainsecurity #aspm #appsec #continuoussecurity #engineeringleaders #ciso

🎉 Completed TryHackMe room "DLL HIJACKING" Link to the room: https://lnkd.in/dkUs_akQ DLL hijacking, also known as DLL preloading or binary planting, is a technique used by attackers to exploit the way Windows searches for and loads Dynamic Link Libraries (DLLs) in an application. This technique takes advantage of a vulnerability where an application improperly loads a DLL, allowing the attacker to execute malicious code. 1. SEARCH ORDER: Application's directory System directory (C:\Windows\System32\) 16-bit system directory (C:\Windows\System\) Windows Directory (C:\Windows\) Current Directory Directories listed in %PATH% environment variable 2.Find vulnerable application Use process hacker,find applications that does not specify the full path to the DLL,allowing windows to search for the DLL in various directories. 3.Exploitation: Place a malicious DLL with the same name as the legitimate DLL in a directory that the application will search before it finds the legitimate one. How to generate that malicious DLL? Using tools like metasploit(msfvenom) or self-generated malicious DLLs can be crafted using programming languages like C/C++, C#, or even PowerShell..etc..(nowadays RUST is famous). These DLLs can include various payloads, such as backdoors, keyloggers, or custom exploit code. 4. Final Result: When the user launches the vulnerable application, the application attempts to load the required DLL.Since the attacker's malicious DLL is located in a directory that is searched before the legitimate DLL's directory, Windows loads the attacker's DLL instead of the intended one. Happy Hacking :) #dllhijacking #dllhacking #AVevasion #EDRevasion #evasiontechniques #bypassAV #redteaming #malware #malwaredevelopment #malwaredeveloper #ethicalhacking #cybersecurity #skilldevelopment