Web security
Cross-Site WebSocket Hijacking (CSWSH) explained: the browser applies no same-origin restriction to the WebSocket handshake and attaches the victim's cookies, so a cross-site page can open an authenticated socket unless the server validates Origin
https://www.blackhillsinfosec.com/cant-stop-wont-stop-hijacking-websockets
Leaking ObjRefs to exploit HTTP .NET Remoting for remote code execution
https://github.com/codewhitesec/HttpRemotingObjRefLeak
https://code-white.com/blog/leaking-objrefs-to-exploit-http-dotnet-remoting/
Discovering deserialization gadget chains in Ruby
https://blog.includesecurity.com/2024/03/discovering-deserialization-gadget-chains-in-rubyland/
Gungnir: continuous monitoring of Certificate Transparency logs for newly issued SSL/TLS certificates
https://github.com/g0ldencybersec/gungnir
Internal network penetration
Attack surface of insecure Exchange permissions in Active Directory
https://posts.specterops.io/pwned-by-the-mail-carrier-0750edfad43b
Abusing AdminSDHolder for domain persistence
https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/how-to-abuse-and-backdoor-adminsdholder-to-obtain-domain-admin-persistence
DNS-Tunnel-Keylogger: a keylogger that exfiltrates keystrokes over a DNS tunnel
https://github.com/Geeoon/DNS-Tunnel-Keylogger
Tor's new WebTunnel bridges mimic HTTPS traffic to evade censorship
https://www.bleepingcomputer.com/news/security/tors-new-webtunnel-bridges-mimic-https-traffic-to-evade-censorship
Endpoint evasion
Weaponizing Windows thread pool APIs to proxy DLL loads
https://fin3ss3g0d.net/index.php/2024/03/18/weaponizing-windows-thread-pool-apis-proxying-dll-loads/
ADPT: DLL hijacking proxy tool
https://github.com/Kudaes/ADPT
RustRedOps: a code base of offensive tooling written in Rust
https://github.com/joaoviictorti/RustRedOps
grimreaper: memory obfuscation technique combining regular and special APC calls
https://github.com/realoriginal/grimreaper
NoArgs: dynamically manipulating and hiding process command-line arguments via API hooking
https://github.com/oh-az/NoArgs
SymProcAddress: resolving function addresses without touching the EAT
https://github.com/MzHmO/SymProcAddress
GamingServiceEoP: PoC for privilege escalation via an arbitrary folder move in the Xbox Gaming Services component
https://github.com/Wh04m1001/GamingServiceEoP
Windows vs. Linux loader architecture: a comparative analysis of the two operating systems' process loaders
https://github.com/ElliotKillick/windows-vs-linux-loader-architecture
revng-c: rev.ng's open-source binary analysis framework and decompiler
https://github.com/revng/revng-c
Vulnerabilities
CVE-2024-20696: patch-diffing the Windows libarchive RCE
https://clearbluejar.github.io/posts/patch-tuesday-diffing-cve-2024-20696-windows-libarchive-rce/
CVE-2023-36424: PoC exploit for the Windows kernel pool (clfs.sys) corruption privilege escalation
https://github.com/Nassim-Asrir/CVE-2023-36424
Chaining n-days to compromise all, part 1: CVE-2023-3079 Chrome renderer RCE
https://blog.theori.io/chaining-n-days-to-compromise-all-part-1-chrome-renderer-rce-1afccf56721b
Collection of browser vulnerability analyses and exploits
https://twitter.com/binitamshah/status/1770875914240328084
Fortinet FortiWLM: recent patches and analysis of the unauthenticated RCE
https://www.horizon3.ai/attack-research/attack-blogs/fortiwlm-the-almost-story-for-the-forti-forty/
GhostRace: exploiting and mitigating speculative race conditions
https://download.vusec.net/papers/ghostrace_sec24.pdf
Cloud security
ActionsCacheBlasting: PoC code for GitHub Actions cache poisoning
https://github.com/AdnaneKhan/ActionsCacheBlasting
NamespaceHound: assessing cross-tenant violation risks in multi-tenant Kubernetes clusters
https://www.wiz.io/blog/introducing-namespacehound-for-cross-tenant-violation-assessments
https://github.com/wiz-sec-public/namespacehound/
Privilege escalation by abusing user-assigned managed identities through Azure deployment scripts
https://www.netspi.com/blog/technical/cloud-penetration-testing/azure-user-assigned-managed-identities-via-deployment-scripts/
Miaow: PoC for privilege escalation in Azure via ARM template deployments
https://github.com/SecureHats/miaow/
FindMeAccess: finding gaps in Azure/M365 MFA requirements across resources, client IDs and user agents
https://github.com/absolomb/FindMeAccess
azurenum: a new tool for auditing the security configuration of Azure environments
https://blog.syss.com/posts/introducing-azurenum/
https://github.com/SySS-Research/azurenum
Pivoting from malicious AWS activity to uncover a phishing campaign
https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-aws-activity-to-phishing/#pivoting-on-ip-addresses-discovering-a-phishing-campaign
Social engineering and phishing
SVG files abused in emerging phishing campaigns
https://cofense.com/blog/svg-files-abused-in-emerging-campaigns/
AI and security
Hacking Anything LLM by reversing existing CVEs and their duplicates
https://basu-banakar.medium.com/hacking-anything-llm-via-reversing-cves-duplicates-4fbfde67463f
Scaling behavior of LLM-based machine translation under prompt injection attacks
https://aclanthology.org/2024.scalellm-1.2/
Security flaws in the ChatGPT plugin ecosystem allowed access to accounts and sensitive data on third-party websites
https://salt.security/blog/security-flaws-within-chatgpt-extensions-allowed-access-to-accounts-on-third-party-websites-and-sensitive-data
Other
Sentinel2ATTACKv2: extracting ATT&CK mappings from Microsoft Sentinel SIEM alerts
https://github.com/chihebchebbi/Sentinel2ATTACKv2
Ponemon Institute's "State of AI in Cybersecurity 2024" report
https://mixmode.ai/state-of-ai-in-cybersecurity-2024/
SO-CON 2024 conference slides
https://github.com/SpecterOps/presentations/tree/master/SO-CON%202024
M01N Team WeChat official account
Focused on hot topics in advanced offensive and defensive techniques
NSFOCUS Blue Army (red team) technical research unit