Cyber Criminals Target Kodi Media Player For Malware Distribution

https://packetstormsecurity.com/news/view/29344/Cyber-Criminals-Target-Kodi-Media-Player-For-Malware-Distribution.html

Russian VPNfilter Malware Was A Swiss Army Hacking Knife

https://packetstormsecurity.com/news/view/29349/Russian-VPNfilter-Malware-Was-A-Swiss-Army-Hacking-Knife.html

Facebook Breach Put Data Of 50 Million Users At Risk

https://packetstormsecurity.com/news/view/29359/Facebook-Breach-Put-Data-Of-50-Million-Users-At-Risk.html

Chegg Forces Password Reset On 40 Million Users

https://packetstormsecurity.com/news/view/29362/Chegg-Forces-Password-Reset-On-40-Million-Users.html

Known DLLs

Windows Confidential The Known DLLs Balancing Act

Threat Hunting Weekly Links

Threat Hunting with Bro by Sqrrl


Splunk Notes

The bucket command will slice the Splunk timeline of events into discrete buckets of time determined by the user. The search syntax below will bucket a Splunk timeline into discrete five minute chunks, regardless of the length of the timeline:

bucket _time span=5min

The second method is provided by the Splunk search command "stats." The stats command does many things, but one of the things it does best is sorting data by other data. The following search syntax will show all DNS queries of every host in the Splunk timeline, regardless of the length of the timeline:

stats values(dns_query) by source_host
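As an added illustration (not part of the original notes), here is a small Python model of what `bucket _time span=5min` and `stats values(dns_query) by source_host` each do, run over a few constructed DNS events so the two can also be chained to list each host's queries per five-minute bucket. The field names source_host and dns_query are the ones from the notes above; the log line format is invented for the example.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events (not real telemetry): "<timestamp> <source_host> <dns_query>"
SAMPLE_LOG = """\
2018-07-10T12:01:05Z ws-01 login.example.net
2018-07-10T12:03:40Z ws-01 login.example.net
2018-07-10T12:04:59Z ws-02 cdn.example.org
2018-07-10T12:05:00Z ws-01 updates.example.com
2018-07-10T12:09:30Z ws-02 cdn.example.org
2018-07-10T12:12:15Z ws-02 metrics.example.org
"""

SPAN_SECONDS = 5 * 60  # the "span=5min" argument


def parse_events(text):
    """Turn raw lines into event dicts with _time (epoch seconds), source_host, dns_query."""
    events = []
    for line in text.splitlines():
        ts, host, query = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"_time": int(when.timestamp()), "source_host": host, "dns_query": query})
    return events


def bucket_time(events, span=SPAN_SECONDS):
    """Model of `bucket _time span=...`: floor each _time to the start of its span.

    Buckets are aligned to the epoch, so 12:04:59 and 12:05:00 land in different buckets."""
    return [dict(e, _time=e["_time"] - e["_time"] % span) for e in events]


def stats_values_by(events, field, *by):
    """Model of `stats values(field) by ...`: distinct, sorted values of field per group key."""
    groups = defaultdict(set)
    for e in events:
        groups[tuple(e[k] for k in by)].add(e[field])
    return {key: sorted(vals) for key, vals in groups.items()}


# Second method from the notes: every host's queries over the whole timeline
QUERIES_BY_HOST = stats_values_by(parse_events(SAMPLE_LOG), "dns_query", "source_host")

# Both commands chained, as in `bucket _time span=5min | stats values(dns_query) by source_host, _time`
QUERIES_BY_HOST_AND_BUCKET = stats_values_by(
    bucket_time(parse_events(SAMPLE_LOG)), "dns_query", "source_host", "_time")
```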

Koadic

Choose your stager.
    regsvr and mshta seem to work well.

After you have a zombie, run other toys:
    implant/elevate/bypassuac_
        set payload to 0 on this

    Once you have an admin session you can dump the hashes:
        implant/gather/hashdump_sam

    You can scan the internal network:
        implant/scan/tcp

Mimikatz works well for me, as long as you have an admin session. You can tell that by running zombies by itself. Under the ID column, if it has an asterisk (*) that means admin session.

Binary files are stored here: /pentest/post-exploitation/koadic/data/bin
Note: I installed my version through the PTF tool by Dave K.

Nice collection of things

An interesting collection of things to use or do during your tests. This post is more of a placeholder for me to find it later.

Timehop has a turn now

Timehop Hacked — Hackers Stole Personal Data Of All 21 Million Users. This probably includes the login details for all of these social media apps. Considering that those are now used to log in to other sites, this breach is going to be bigger than first reported.

https://thehackernews.com/2018/07/timehop-data-breach.html

NHS breach

NHS Data Breach Affects 150,000 Patients In England https://packetstormsecurity.com/news/view/29103/NHS-Data-Breach-Affects-150-000-Patients-In-England.html

My Heritage breach

92 Million User Accounts Compromised in MyHeritage Security Breach https://securityzap.com/myheritage-security-breach/

Bigger than previously thought

http://m.dw.com/en/germany-man-charged-with-producing-biological-weapon-at-home-in-cologne/a-44214079

Linux/x86 Egghunter + access() Shellcode

https://packetstormsecurity.com/files/147990/egghunter.nasm.txt

Linux/ARM Egghunter + /bin/sh Shellcode

https://packetstormsecurity.com/files/147992/linuxarmegg-shellcode.txt

Linux/x86 TCP/4444 Bindshell Shellcode

https://packetstormsecurity.com/files/147991/tcp_bind_shellcode_light.nasm.txt

Windows UAC Protection Bypass

Via Slui File Handler Hijack

https://packetstormsecurity.com/files/148004/bypassuac_sluihijack.rb.txt

Some Assembly tidbits

I've recently been having to learn some assembly-related things for work, certifications, and the like. This post is mostly for me to keep track of these links, and potentially share items I found on the web that might help others. Enjoy!

http://www.cs.virginia.edu/~evans/cs216/guides/x86.html
-- Nice little guide for 32-bit assembly. This is not comprehensive, but meant to be a quick resource for some instructions and concepts.

Metasploit Fun

A series of blog posts from BHIS.

https://www.blackhillsinfosec.com/three-simple-disguises-for-evading-antivirus/
https://www.blackhillsinfosec.com/how-to-bypass-application-whitelisting-av/
https://www.blackhillsinfosec.com/click-to-enable-content/
https://www.blackhillsinfosec.com/modifying-metasploit-x64-template-for-av-evasion/

Windows WMI Receive Notification

https://packetstormsecurity.com/files/147498/ms16_014_wmi_recv_notif.rb.txt

Windows Kernel Exploitation Tutorial

Part 8: Use After Free https://packetstormsecurity.com/files/147491/winpart8-uaf.pdf

Russian influence operations

With Influence Activities Exposed, the Kremlin Acts Even More Boldly
https://www.thecipherbrief.com/column_article/influence-activities-exposed-kremlin-acts-even-boldly

Linux execve shellcode

Linux/x86 execve(/bin/sh) Shellcode https://packetstormsecurity.com/files/147512/27linuxexec-shellcode.txt

Linux bindshell shellcode

Linux/x86 TCP/9443 Bindshell Shellcode https://packetstormsecurity.com/files/147565/lin869443-shellcode.txt

/etc/passwd shellcode

Read /etc/passwd Shellcode https://packetstormsecurity.com/files/147585/linuxx86read-shellcode.txt

Reverse TCP shell

https://packetstormsecurity.com/files/147610/linx864444shell-shellcode.txt

Linux Shellcode Generator

Linux/x64 Assembly Shellcode Generator https://packetstormsecurity.com/files/147143/shellcode-generator.txt

The IoT strikes

http://www.businessinsider.de/hackers-stole-a-casinos-database-through-a-thermometer-in-the-lobby-fish-tank-2018-4?r=UK&IR=T

Bad patch, bad patch

Microsoft Fixes Bad Patch That Left Windows 7, Server 2008 Open to Attack https://threatpost.com/microsoft-fixes-bad-patch-that-left-windows-7-server-2008-open-to-attack/130871/

Under Armour Reports Massive Breach

150 Million MyFitnessPal Accounts

https://threatpost.com/under-armour-reports-massive-breach-of-150-million-myfitnesspal-accounts/130863/

https://www.wired.com/story/under-armour-myfitnesspal-hack-password-hashing

Orbitz turn now

Orbitz Warns 880,000 Payment Cards Suspected Stolen

Sad that my first thought was: "meh, under a million".

https://threatpost.com/orbitz-warns-880000-payment-cards-suspected-stolen/130601/

Lexpress for the win

Check out @bohops’s Tweet: https://twitter.com/bohops/status/969388848416460800?ref_src=twcamp%5Eshare%7Ctwsrc%5Eandroid%7Ctwgr%5Edefault%7Ctwcon%5E7090%7Ctwterm%5E3

Quickjack

Advanced Clickjacking & Frame Slicing Attack Tool

https://www.darknet.org.uk/2018/02/quickjack-advanced-clickjacking-frame-slicing-attack-tool/

More credit cards exposed

OnePlus confirms up to 40,000 customers affected by Credit Card Breach http://thehackernews.com/2018/01/oneplus-credicard-hacking.html

Ouch, says the population

Nearly Half of the Norway Population Exposed in HealthCare Data Breach http://thehackernews.com/2018/01/healthcare-data-breach.html

Small Linux shellcode

Linux/x86-64 /bin/sh Shellcode https://packetstormsecurity.com/files/145879/linux24-shellcode.txt

Linux hosts shellcode

Linux/x86-64 Add Mapping In /etc/hosts Shellcode https://packetstormsecurity.com/files/145880/linuxaddmap-shellcode.txt

Linux shellcode

Linux/x86-64 IPTables Flush Shellcode https://packetstormsecurity.com/files/145881/linux86iptablesflush-shellcode.txt