Web Security
A subdomain discovery tool built on an RNN neural network
https://phoenix-sec.io/2022/07/12/RNN-Subdomain-Discovery.html
hijagger: searches the NPM and PyPI registries for hijackable packages via domain takeover
https://github.com/firefart/hijagger
The Log4j vulnerability is still being actively exploited
https://www.horizon3.ai/the-long-tail-of-log4shell-exploitation/
CISA's review report on the December 2021 Log4j incident
https://www.cisa.gov/sites/default/files/publications/CSRB-Report-on-Log4-July-11-2022_508.pdf
Internal Network Penetration
pretender: a tool for relay attacks via DHCPv6 DNS takeover and mDNS, LLMNR and NetBIOS-NS spoofing
https://github.com/RedTeamPentesting/pretender
Weaponized Diamond Ticket PoC
https://www.semperis.com/blog/a-diamond-ticket-in-the-ruff/
Exploring SCCM by decrypting the Network Access Account
https://blog.xpnsec.com/unobfuscating-network-access-accounts/
SCCM password decryption PoC
https://gist.github.com/xpn/5f497d2725a041922c427c3aaa3b37d1
windows-coerced-authentication-methods: a list of methods for coercing Windows machines to authenticate over RPC using various protocols
https://github.com/p0dalirius/windows-coerced-authentication-methods
Endpoint Defense Evasion
UAC bypass using the DiagCpl {12C21EA7-2EB8-4B55-9249-AC243DA8C666} auto-elevated COM object
https://github.com/Wh04m1001/IDiagnosticProfileUAC
Building Word macros that bypass Windows Defender
https://medium.com/@lsecqt/showcasing-red-teaming-ttps-weaponizing-custom-made-c2-channel-via-ms-word-macro-fb86a49b89f8
https://medium.com/@lsecqt/showcasing-red-teaming-ttps-weaponizing-custom-made-c2-channel-via-ms-word-macro-part-2-50c05031457b
Bypassing AV/EDR with forged Microsoft signatures
https://github.com/mgeeky/Penetration-Testing-Tools/tree/master/red-teaming/Self-Signed Threat
LOLBAS: local credential extraction with keymgr.dll
Unable to extract credentials via DPAPI or Mimikatz? Don't worry. Microsoft got your back. Just use 'rundll32 keymgr.dll, KRShowKeyMgr' to extract all the stored passwords on the host, be it a target server, FTP or Chrome's HTTP creds, Microsoft has you covered. #redteam pic.twitter.com/OynOurXgtX
— Chetan Nayak (Brute Ratel C4) (@NinjaParanoid) April 19, 2022
RDPHijack-BOF: a Cobalt Strike Beacon Object File (BOF) for local/remote RDP session hijacking using the WinStationConnect API
https://github.com/netero1010/RDPHijack-BOF
Chisel-Strike: a .NET, XOR-encrypted Cobalt Strike aggressor script providing fast and advanced SOCKS5 functionality
https://github.com/m3rcer/Chisel-Strike
Vulnerabilities
CVE-2022-26377: when proxy_ajp is used to reverse-proxy Tomcat AJP, crafted AJP packets can be used to attack backend services
http://noahblog.360.cn/apache-httpd-ajp-request-smuggling/
CVE-2022-29885: denial-of-service vulnerability in the Apache Tomcat cluster service Listener
https://voidzone.me/cve-2022-29885-apache-tomcat-cluster-service-dos/
CVE-2022-30136: analysis of the Windows Network File System NFSv4 remote code execution vulnerability
https://www.zerodayinitiative.com/blog/2022/7/13/cve-2022-30136-microsoft-windows-network-file-system-v4-remote-code-execution-vulnerability
CVE-2022-33675: Microsoft Azure Site Recovery DLL hijacking vulnerability
https://medium.com/tenable-techblog/microsoft-azure-site-recovery-dll-hijacking-cd8cc34ef80c
CVE-2022-26706: a deep dive into a macOS app sandbox escape vulnerability
https://www.microsoft.com/security/blog/2022/07/13/uncovering-a-macos-app-sandbox-escape-vulnerability-a-deep-dive-into-cve-2022-26706/
1001 ways to PWN prod: the story of 60 RCEs in 60 minutes
https://thinkloveshare.com/hacking/1001_ways_to_pwn_prod/
Cloud Security
Exploiting authentication in Kubernetes' AWS IAM Authenticator
https://blog.lightspin.io/exploiting-eks-authentication-vulnerability-in-aws-iam-authenticator
Other
Securing The Law Firm 2022: vulnerability management in the real world
https://github.com/northvein/Talks/blob/main/Securing%20The%20Law%20Firm%202022/STLF%20-%20Vulnerability%20Management%20in%20the%20Real%20World%202022%20FINAL2.pptx
A script for extracting the historical process tree from Sysmon
Is #SysInternals Sysmon good for discovering the full historical process tree? Of course! Bored with the manual process, I have created a simple (but fully working) PowerShell script, displaying the tree in a nicely walkable form. Enjoy: https://t.co/eZFIDBT2lN pic.twitter.com/afsi9A4UzI
— Grzegorz Tworek (@0gtweet) July 1, 2022
https://github.com/gtworek/PSBits/blob/master/DFIR/GetSysmonTree.ps1
CIS Software Supply Chain Security Guide
https://github.com/aquasecurity/chain-bench/blob/main/docs/CIS-Software-Supply-Chain-Security-Guide-v1.0.pdf
M01N Team WeChat public account
Focused on hot topics in advanced offensive and defensive techniques
NSFOCUS Blue Team technical research squad
Originally published on the WeChat public account (M01N Team): Weekly Blue Team Technical Digest (2022.7.9-7.15)