Web Security
fastjson 1.2.80 vulnerability analysis
https://y4er.com/posts/fastjson-1.2.80/
BCS2022: Exploring JNDI attacks
https://github.com/iSafeBlue/presentation-slides/blob/main/BCS2022-%E6%8E%A2%E7%B4%A2JNDI%E6%94%BB%E5%87%BB.pdf
Exploiting Web3's hidden attack surface: universal XSS in Netlify's Next.js library
https://samcurry.net/universal-xss-on-netlifys-next-js-library/
Internal Network Penetration
BloodHound focuses on Active Directory but overlooks real-world scenarios (BloodHound blind spots)
https://blog.syss.com/posts/bloodhound-blindspots/
Stealing access tokens from Office desktop applications
https://mrd0x.com/stealing-tokens-from-office-applications/
Cracking WPA/WPA2 pre-shared keys from a live network
https://tbhaxor.com/cracking-wpa-psk-using-aircrack/
GetMail: reading Exchange mail using an NTLM hash
https://github.com/b0bac/GetMail
ldapnomnom: anonymously brute-forcing domain usernames from a DC by abusing LDAP Ping requests (cLDAP)
https://github.com/lkarlslund/ldapnomnom
Endpoint Evasion
Evading WinDefender ATP credential theft detection: kernel version
https://b4rtik.github.io/posts/evading-windefender-atp-credential-theft-kernel-version/
Building an AV-evading loader with GraalVM
https://xie.infoq.cn/article/ee227650630be0e362b161333
MasqueradingPEB: masquerading as a legitimate Windows binary by modifying certain fields of the PEB structure
https://github.com/D1rkMtr/MasqueradingPEB
ExecRemoteAssembly: remote execution of .NET assemblies with argument passing, patching AMSI and ETW to bypass detection
https://github.com/D1rkMtr/ExecRemoteAssembly
Monikers, COM's extensibility surface, which parse a display name and return the real object the client is trying to locate
https://scorpiosoftware.net/2022/09/18/introduction-to-monikers/
https://github.com/zodiacon/MonikerFun
Codecepticon: a .NET program that obfuscates C#, VBA/VB6 (macro) and PowerShell code
https://github.com/Accenture/Codecepticon
macOS security mechanisms and attack and exploitation techniques
https://www.securing.pl/en/presentation/0-day-up-your-sleeve-attacking-macos-environments/
DylibHijackTest: discovering DYLD_INSERT_LIBRARIES hijacking on macOS
https://github.com/slyd0g/DylibHijackTest
Vulnerabilities
From leaking TheHole to Chrome renderer RCE
https://medium.com/numen-cyber-labs/from-leaking-thehole-to-chrome-renderer-rce-183dcb6f3078
CVE-2022-36804: Bitbucket Server command injection vulnerability analysis
https://www.anquanke.com/post/id/280193
https://blog.assetnote.io/2022/09/14/rce-in-bitbucket-server/
Kernel code execution via handle duplication in the Process Explorer driver
https://www.elastic.co/cn/security-labs/stopping-vulnerable-driver-attacks
CVE-2022-37706: Ubuntu 22.04 privilege escalation exploit
https://github.com/MaherAzzouzi/CVE-2022-37706-LPE-exploit
CVE-2022-40286: creating a SYSTEM shell via a Seagate service
https://www.x86matthew.com/view_post?id=windows_seagate_lpe
ANGRYORCHARD: arbitrary kernel read/write on Windows 7-11 by using NtUserHardErrorControl to elevate a thread to KernelMode
https://github.com/SecIdiot/ANGRYORCHARD
Cloud Security
Azure Cloud Shell command injection to steal users' access tokens
https://blog.lightspin.io/azure-cloud-shell-command-injection-stealing-users-access-tokens
AttachMe: an OCI vulnerability allowing unauthorized access to customers' cloud storage volumes
https://www.wiz.io/blog/attachme-oracle-cloud-vulnerability-allows-unauthorized-cross-tenant-volume-access
CloudFox: situational awareness for cloud environments, helping find exploitable attack paths in cloud infrastructure
https://github.com/BishopFox/cloudfox
Teamsniper: scraping sensitive information from Microsoft Teams
https://github.com/xRET2pwn/Teamsniper
Other
Analysis and reproduction of a macOS watering-hole attack chain
https://tttang.com/archive/1745/
Report on the use of automated OSINT by the Dutch General Intelligence and Security Service (AIVD) and the Military Intelligence and Security Service (MIVD)
https://english.ctivd.nl/documents/review-reports/2022/09/19/index
M01N Team WeChat public account
Focusing on hot topics in advanced offensive and defensive technology
NSFOCUS Blue Team technical research squad