Internal network penetration
Two techniques for taking over a domain Certificate Services (CA) server by abusing the ManageCA permission
https://www.blackarrow.net/ad-cs-from-manageca-to-rce/
SPN-jacking: research on abusing the WriteSPN permission
https://shenaniganslabs.io/2022/02/10/SPN-jacking.html
KrbRelay: a Kerberos relaying attack framework
https://github.com/cube0x0/KrbRelay
Using CVE-2021-43893 to write files to a domain controller
https://www.rapid7.com/blog/post/2022/02/14/dropping-files-on-a-domain-controller-using-cve-2021-43893/
BackupOperatorToDA: a tool for remotely dumping the SAM of a domain controller as a member of the Backup Operators group
https://github.com/mpgn/BackupOperatorToDA
master_librarian: scans libraries on Unix/*BSD/Linux systems for publicly known vulnerabilities
https://github.com/CoolerVoid/master_librarian
Endpoint security evasion
TymSpecial: a shellcode loader
https://github.com/ChadMotivation/TymSpecial
WindowsNoExec: abusing existing command-execution code so that no executable memory needs to be allocated
https://www.x86matthew.com/view_post?id=windows_no_exec&s=09
A new method of executing shellcode at runtime: abusing already existing memory space
https://billdemirkapi.me/exception-oriented-programming-abusing-exceptions-for-code-execution-part-1/
Using the Object Overloading technique to inject code into Windows built-in processes and evade EDR detection
https://blog.xpnsec.com/object-overloading/
Process Overwriting: a new PE injection technique
https://github.com/hasherezade/process_overwriting
Research on impersonating the tokens of PPL processes
https://jsecurity101.medium.com/exploring-token-members-part-2-2a09d13cbb3
Hunting for leaked high-privilege handles in unprivileged processes to capture privilege-escalation and UAC-bypass operations
https://aptw.tf/2022/02/10/leaked-handle-hunting.html
LOLBAS: command execution via wlrmdr.exe, the Windows logon reminder program
https://twitter.com/0gtweet/status/1493963591745220608
Persistence via Notepad++ plugins
https://pentestlab.blog/2022/02/14/persistence-notepad-plugins/
A roundup of libraries useful for weaponization (malware development)
https://captmeelo.com/redteam/maldev/2022/02/16/libraries-for-maldev.html
Vulnerabilities
Bug-hunting approaches for VMware View Planner and vRealize
https://swarm.ptsecurity.com/hunting-for-bugs-in-vmware-view-planner-and-vrealize-business-for-cloud/
CVE-2022-21907: analysis of the HTTP protocol stack remote code execution vulnerability
https://www.fortinet.com/blog/threat-research/analysis-of-microsoft-cve-2022-21907
CVE-2022-0435: analysis of a remote stack overflow in the Linux kernel TIPC module
https://blog.immunityinc.com/p/a-remote-stack-overflow-in-the-linux-kernel/
Analysis of a Parallels Desktop virtual machine escape vulnerability
https://dawnslab.jd.com/pd-exploit-blog1/
Cloud security
Stealing the identities of Azure AD-joined hosts; creating fake identities
https://o365blog.com/post/deviceidentity/?s=09
Attack techniques against Azure Function Apps
https://medium.com/xm-cyber/10-ways-of-gaining-control-over-azure-function-apps-7e7b84367ce6
Scanning Kubernetes for vulnerabilities with the open-source tools Kubesploit & KubiScan
https://www.conjur.org/blog/tutorial-kubernetes-vulnerability-scanning-testing-with-open-source/
Other
Supply-chain security: gaining maintainer control of an npm package by registering the expired email domain of its publisher
https://thehackerblog.com/zero-days-without-incident-compromising-angular-via-expired-npm-publisher-email-domains-7kZplW4x/#the-tldr-summary–high-level-points
Ghostbuster: checks DNS records pointing at cloud host IPs under your AWS accounts to determine whether a subdomain takeover is possible
https://blog.assetnote.io/2022/02/13/dangling-eips/
PDFRip: a PDF password brute-forcing tool
https://github.com/mufeedvh/pdfrip
Slides from Black Hat Europe 2021 are now public
https://www.blackhat.com/eu-21/briefings/schedule/
M01N Team
Focused on hot topics in advanced offense-defense confrontation
NSFOCUS red team (蓝军) technical research squad
Originally published on the WeChat public account M01N Team: Weekly red team technology digest (2022.2.12-2.18)