Linux Persistence Mechanisms and How to Find Them
Linux persistence mechanisms are used by an attacker to maintain access to a compromised system, even after reboots or system updates. They let attackers regain control of a system without re-exploiting the initial vulnerability. Persistence methods vary in sophistication, from simple cron jobs to more advanced kernel-level hooks. Some ...
Hunting Specula C2 Framework and XLL Execution
Specula is a framework that allows for interactive operation of an implant that runs purely in the context of Outlook. It works by setting a custom Outlook folder homepage via registry keys; the homepage calls out to an interactive Python web server, which serves custom patched VBScript files that will ...
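A quick hunt for the persistence point the post describes, as an added example (this is not code from the post or from the Specula project): enumerate the Outlook folder-homepage URL values in every loaded user hive. It assumes the Office 16.0 and 15.0 version keys and Outlook's default folder names under the WebView key; the path layout itself (Software\Microsoft\Office\<version>\Outlook\WebView\<Folder>, value URL) is the documented location of Outlook folder homepages.

```powershell
# Added example (not from the Specula post or project): list Outlook folder
# homepage URLs for every loaded user hive. A populated URL value under
# ...\Outlook\WebView\<Folder> is the homepage Outlook renders for that folder.
# Assumptions: Office version keys 16.0 and 15.0; Outlook's default folder names.
$versions = '16.0', '15.0'
$folders  = 'Inbox', 'Calendar', 'Contacts', 'Deleted Items', 'Drafts', 'Journal',
            'Junk E-mail', 'Notes', 'Outbox', 'Sent Items', 'Tasks'

# Per-user hives only (account SIDs), skipping *_Classes hives and well-known SIDs.
$userHives = Get-ChildItem 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' }

$findings = foreach ($hive in $userHives) {
    foreach ($ver in $versions) {
        foreach ($folder in $folders) {
            $key   = "Registry::$($hive.Name)\Software\Microsoft\Office\$ver\Outlook\WebView\$folder"
            $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            if ($props -and $props.URL) {
                # Any http(s) homepage is worth a look; a legitimate deployment
                # would normally be an intranet URL pushed by policy, not set per user.
                $remote = [bool]($props.URL -match '^https?://')
                [pscustomobject]@{
                    SID     = $hive.PSChildName
                    Version = $ver
                    Folder  = $folder
                    URL     = $props.URL
                    Remote  = $remote
                }
            }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else           { 'No Outlook folder homepages set in any loaded user hive.' }
```

Run it elevated so other users' hives are readable; only hives currently loaded under HKEY_USERS are visible, so logged-off users need their NTUSER.DAT loaded (or an offline parse) to be covered.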
Linux Detection Opportunities for CVE-2024-29510
Overview: A remote code execution (RCE) vulnerability in the Ghostscript PostScript and PDF interpreter, identified as CVE-2024-29510, is currently being exploited in the wild. Ghostscript, which comes pre-installed on many Linux distributions, is used by popular software such as ImageMagick, LibreOffice, GIMP, Inkscape, Scribus, and the CUPS printing system. This format ...
Demystifying Okta Attacks with Dorothy and Splunk
https://github.com/elastic/dorothy
Overview: Okta is a leading identity and access management (IAM) platform designed to help organizations securely manage and streamline user authentication and authorization. It provides a comprehensive suite of services, including single sign-on (SSO), multi-factor authentication (MFA), lifecycle management, and API access management. Okta enables organizations to ensure secure access to ...
A Detection Engineer’s Guide to SCCM Misconfiguration Abuse
Overview: System Center Configuration Manager (SCCM), now known as Microsoft Endpoint Configuration Manager, is a comprehensive management solution for deploying, managing, and maintaining Windows-based devices and systems within an organization. It allows IT administrators to efficiently handle tasks such as software distribution, operating system deployment, patch management, endpoint protection, and compliance ...
Hunting Operation FlightNight TTPs
Overview: Operation FlightNight is one of the latest large-scale attacks using ISO files to trick users into executing malware. This form of phishing has become common over the last few years and shows no signs of going away. It has been used by actors such as APT29, UNC2633, UNC3922, and more ...
Hunting Impacket — Part 3
Overview (Enumeration/System Tools): Welcome back. This is part three of our blog series covering the Impacket example tools. Impacket is a collection of Python classes focused on providing tools to understand and manipulate low-level network protocols. This capability enables you to craft or decode packets of a wide variety of protocols ...
Hunting Impacket — Part 2
Overview: Welcome back. This is part two of our blog series covering the Impacket example tools. Impacket is a collection of Python classes focused on providing tools to understand and manipulate low-level network protocols. This capability enables you to craft or decode packets of a wide variety of protocols such ...
Hunting Impacket — Part 1
Overview: Impacket is a collection of Python classes focused on providing tools to understand and manipulate low-level network protocols. This capability enables you to craft or decode packets of a wide variety of protocols such as IP, TCP, UDP, ICMP, and even higher-level protocols like SMB, MSRPC, NetBIOS, and others. One of ...
Hunting CVE-2024-30051 Desktop Window Manager Privilege Escalation
Overview: CVE-2024-30051 is an out-of-bounds write in the Desktop Window Manager that can be exploited to escalate privileges to SYSTEM. The bug is a heap overflow in CCommandBuffer::Initialize of dwmcore.dll. This is similar to the Windows DWM Core Library ...