Web Security
Discovering domains via a time-correlation attack on Certificate Transparency
https://swarm.ptsecurity.com/discovering-domains-via-a-time-correlation-attack/
jscythe: abuses the node.js inspector mechanism to force any node.js/electron/v8-based process to execute arbitrary JS code
https://github.com/evilsocket/jscythe
A new Tomcat in-memory webshell: the Upgrade type
https://tttang.com/archive/1709/
Internal Network Penetration
Sending MDM commands without an MDM service using PowerShell
https://oofhours.com/2022/08/26/send-mdm-commands-without-an-mdm-service-using-powershell/
Suborner: creates invisible Windows accounts without using net user, and hijacks the RID of an existing user to impersonate it
https://github.com/r4wd3r/Suborner
MSSQL-Analysis-Coerce: coerces SQL Server into authenticating to an arbitrary host
https://github.com/p0dalirius/MSSQL-Analysis-Coerce
Lsass-Shtinkering: a new method for dumping LSASS by abusing the Windows Error Reporting service
https://github.com/deepinstinct/Lsass-Shtinkering
Endpoint Evasion
Elevator: UAC bypass and privilege escalation by abusing RPC and debug objects
https://github.com/Kudaes/Elevator
Bypassing AppLocker by abusing HashInfo
https://shells.systems/post-bypassing-applocker-by-abusing-hashinfo/
RPC-Backdoor: a basic implementation of an "RPC backdoor", intended to emulate TTPs used by certain groups
https://github.com/eladshamir/RPC-Backdoor
Abusing exception handling to evade EDR detection: argument spoofing and syscall number retrieval
https://github.com/rad9800/talks/blob/main/MALWARE_MADNESS.pdf
Using Microsoft Warbird in ClipSp.sys to automatically unpack and execute encrypted shellcode without triggering PatchGuard
https://github.com/KiFilterFiberContext/warbird-hook
Disabling CFG so that attackers can use sleep-obfuscation techniques to evade detection
https://icebreaker.team/blogs/sleeping-with-control-flow-guard/
DeathSleep: PoC of an evasion technique that terminates the current thread and restores it before resuming execution, changing page protections while the thread is not executing
https://github.com/janoglezcampos/DeathSleep
ExportDumper: dumps the export table of a PE file for DLL proxying
https://github.com/iilegacyyii/ExportDumper
Online lookup database of DLL hijacking candidates
https://hijacklibs.net/
Vulnerabilities
Bypassing Intel CET with counterfeit objects
https://www.offensive-security.com/offsec/bypassing-intel-cet-with-counterfeit-objects/?utm_source=twitter&utm_medium=&utm_campaign=d6813b98-789f-4854-80b2-d6d68d2fc4f0
GitHub Pages build pipeline command injection vulnerability
https://blog.nietaanraken.nl/posts/github-pages-command-injection/
Integer truncation in the Xalan Java XSLT library
https://bugs.chromium.org/p/project-zero/issues/detail?id=2290
After finding 5 different vulnerabilities and building 8 exploits: pre-authentication remote code execution as root on any WatchGuard Firebox/XTM device
https://www.ambionics.io/blog/hacking-watchguard-firewalls
CVE-2022-21849: analysis of the Windows IKE Extension vulnerability
https://blog.78researchlab.com/53e53729-d728-4635-a58d-08ad8a1f68e4
Analysis of the Windows NFS protocol vulnerability (CVE-2022-34715)
https://mp.weixin.qq.com/s/_-RBo8yrW1dWUgoWTUgI8g
CVE-2022-30216: Windows Server Service authentication coercion vulnerability, which can be combined with NTLM relay for RCE on a DC
https://www.akamai.com/blog/security/authentication-coercion-windows-server-service
CVE-2022-2586: exploit for the Linux kernel nft_object UAF vulnerability
https://www.openwall.com/lists/oss-security/2022/08/29/5
HITBSecConf 2022 Singapore: Settlers of Netlink: Exploiting a limited kernel UAF on Ubuntu 22.04 (CVE-2022-32250)
https://conference.hitb.org/hitbsecconf2022sin/materials/D1T1%20-%20Settlers%20of%20Netlink%20-%20Exploiting%20a%20Limited%20UAF%20on%20Ubuntu%2022.04%20to%20Achieve%20LPE%20-%20Aaron%20Adams.pdf
https://research.nccgroup.com/2022/09/01/settlers-of-netlink-exploiting-a-limited-uaf-in-nf_tables-cve-2022-32250/
CVE-2022-2294: analysis of an in-the-wild exploited heap overflow in WebRTC
https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2022/CVE-2022-2294.html
CVE-2022-28799: a vulnerability in the TikTok Android app could lead to one-click account hijacking
https://www.microsoft.com/security/blog/2022/08/31/vulnerability-in-tiktok-android-app-could-lead-to-one-click-account-hijacking/
Cloud Security
Okta: unexpected impersonation occurs when an administrator assigns a username belonging to another existing user
https://permiso.io/blog/s/down-with-idp-impersonate-me
SMTP matching abuse in Azure AD
https://www.semperis.com/blog/smtp-matching-abuse-in-azure-ad
CVE-2022-29149: analysis of the Azure OMI privilege escalation vulnerability
https://www.wiz.io/blog/omi-returns-lpe-technical-analysis
Other
GarbageMan: a set of tools for analyzing .NET binaries through heap analysis
https://labs.withsecure.com/tools/garbageman/
Pitraix: a modern, self-modifying, cross-platform peer-to-peer botnet based on TOR; version 1.2 improves stealth and adds real-time monitoring and other features
https://github.com/ThrillQuks/Pitraix/releases/tag/pitraixV1.2
Microsoft-eventlog-mindmap: a set of mind maps detailing the audit capabilities of Windows, Exchange, Azure and more
https://github.com/mdecrevoisier/Microsoft-eventlog-mindmap
New UEFI CA memory mitigation requirements for signing
https://techcommunity.microsoft.com/t5/hardware-dev-center/new-uefi-ca-memory-mitigation-requirements-for-signing/ba-p/3608714
Originally published on the WeChat official account (M01N Team): Weekly Blue Team Technology Digest (2022.8.27-9.2)