Antonio Cocomazzi
splintercode.bsky.social
offensive security - windows internals - reverse engineering | X: https://x.com/splinter_code | Mastodon: https://infosec.exchange/@splinter_code | GitHub: https://github.com/antonioCoco | Blog: https://splintercod3.blogspot.com/
Reposted by Antonio Cocomazzi
🚨 Alert: New macOS Malware Variants, FlexibleFerret, Undetected by Apple’s XProtect 🚨

@sentinellabs.bsky.social researchers @philofishal.bsky.social and @hegel.bsky.social have uncovered new variants, which slip past Apple's XProtect, of the DPRK-linked macOS malware, Ferret.
macOS FlexibleFerret | Further Variants of DPRK Malware Family Unearthed
DPRK 'Contagious Interview' campaign continues to target Mac users with new variants of FERRET malware and GitHub devs with repo spam.
s1.ai
February 3, 2025 at 9:01 PM
Reposted by Antonio Cocomazzi
New blog post on the abuse of the IDispatch COM interface to get unexpected objects loaded into a process. Demoed by using this to get arbitrary code execution in a PPL process. googleprojectzero.blogspot.com/2025/01/wind...
Windows Bug Class: Accessing Trapped COM Objects with IDispatch
Posted by James Forshaw, Google Project Zero Object orientated remoting technologies such as DCOM and .NET Remoting make it very easy ...
googleprojectzero.blogspot.com
January 30, 2025 at 6:37 PM
Very interesting post by Microsoft about the internals of the new Admin Protection feature
It seems they have patched my SSPI UAC bypass based on NTLM as well as the Kerberos UAC bypass, both of which were also able to bypass AP.

More details here 👇
techcommunity.microsoft.com/blog/microso...
Evolving the Windows User Model – Introducing Administrator Protection | Microsoft Community Hub
Previously, in part one, we outlined the history of the multi-user model in Windows, how Microsoft introduced features to secure it, and in what ways we got...
techcommunity.microsoft.com
January 29, 2025 at 11:38 AM
Reposted by Antonio Cocomazzi
Had some fun reviving an old vulnerable driver, read all about it here: decoder.cloud/2025/01/09/t... 🤠
The (Almost) Forgotten Vulnerable Driver
Vulnerable Windows drivers remain one of the most exploited methods attackers use to gain access to the Windows kernel. The list of known vulnerable drivers seems almost endless, with some not even…
decoder.cloud
January 9, 2025 at 11:37 AM
Reposted by Antonio Cocomazzi
Thanks to a recent post from @ericlawrence.com on Defender and Dev Drive, I was reminded of this amazing research series by @n4r1B

n4r1b.com/posts/2020/0...

I only comprehend ~30% if I'm lucky, but that's a good 10% more than last time I read it 🤣

Still, it's definitely worth reading ;)
Dissecting the Windows Defender Driver - WdFilter (Part 1)
In this series of posts I'll be explaining how the Windows Defender main driver works. In this first post we will look into the initialization and the process creation notifications, among other things.
n4r1b.com
December 19, 2024 at 2:06 AM
Reposted by Antonio Cocomazzi
Working in it .... 😇

www.youtube.com/watch?v=fUqC...
December 13, 2024 at 7:49 PM
@decoder-it.bsky.social and I noticed that it's no longer possible to call NtLoadDriver pointing to an unprivileged regkey such as \REGISTRY\USER
Even if you have the SeLoadPrivilege you would still require the Admin group to write the required regkey.
Some more technical details below 👇
December 13, 2024 at 4:11 PM
Reposted by Antonio Cocomazzi
🔮 What does the future hold? Surprises 🎲, certainly, but some of the forces that will shape #2025 can already be discerned in the shadows of 2024. The @sentinellabs.bsky.social team takes a look at what might be coming over the horizon for #cybersecurity this coming year.
🔮 Cybersecurity 2025 Forecast: The landscape is set to become even more volatile, with threat actors exploiting blind spots in cloud-hosted services, AI, and under-monitored technologies. Despite these changes, collective defense stagnantly incentivizes reactive rather than proactive measures.
Cybersecurity 2025 | Preparing for Tomorrow's Threats, Challenges and Strategic Shifts
Explore SentinelLabs' take on what 2025 may bring for cybersecurity, including emerging trends and actionable insights.
s1.ai
December 12, 2024 at 6:04 PM
Reposted by Antonio Cocomazzi
[BLOG]
Today's post is all about Cobalt Strike's Postex Kit.
rastamouse.me/cobalt-strik...
Cobalt Strike Postex Kit
The CS 4.10 update saw the introduction of the Postex Kit. This was a bit overshadowed by BeaconGate, which was also added in 4.10 (I wrote about this in my last post). The intention of this post is t...
rastamouse.me
December 8, 2024 at 5:11 PM
Reposted by Antonio Cocomazzi
[BLOG]
This post summarises how to tie Cobalt Strike's UDRL, SleepMask, and BeaconGate together for your syscall and call stack spoofing needs.

rastamouse.me/udrl-sleepma...
UDRL, SleepMask, and BeaconGate
I've been looking into Cobalt Strike's UDRL, SleepMask, and BeaconGate features over the last couple of days. It took me some time to understand the relationship between these capabilities, so the aim...
rastamouse.me
November 30, 2024 at 2:05 AM
Reposted by Antonio Cocomazzi
Relaying DCOM has always intrigued me, so I decided to dive in. Started with a MiTM attack using a fake DNS entry, targeting certificate requests to an ADCS server and relaying to SMB.
November 29, 2024 at 9:42 PM
Reposted by Antonio Cocomazzi
💡Dr. Cristina Cifuentes, the Mother of Decompilation, reflects in her #LABScon2024 keynote on three decades of innovation in reverse engineering.

📺 Watch the full video: s1.ai/LC24-CC
November 26, 2024 at 5:57 PM
Reposted by Antonio Cocomazzi
I'm glad to release the tool I have been working hard on the last month: #KrbRelayEx
A Kerberos relay & forwarder for MiTM attacks!
>Relays Kerberos AP-REQ tickets
>Manages multiple SMB consoles
>Works on Win & Linux with .NET 8.0
>...
GitHub: github.com/decoder-it/K...
November 25, 2024 at 5:31 PM
Reposted by Antonio Cocomazzi
A new malicious campaign is using a legitimate but old and vulnerable Avast Anti-Rootkit driver to evade detection and take control of the target system by disabling security components.

www.bleepingcomputer.com/news/securit...
Hackers abuse Avast anti-rootkit driver to disable defenses
www.bleepingcomputer.com
November 23, 2024 at 9:05 PM
Reposted by Antonio Cocomazzi
🚨 New Research Drop:

🇰🇵 DPRK IT Workers | A Network of Active Front Companies and Their Links to China

Summary:
⚪ Newly Disrupted Front Companies by USG
⚪ Impersonating US based software and tech orgs
⚪ Links to still-active front orgs, CN association

Report:
www.sentinelone.com/labs/dprk-it...
DPRK IT Workers | A Network of Active Front Companies and Their Links to China
SentinelLabs has identified multiple deceptive websites linked to businesses in China fronting for North Korea's fake IT workers scheme.
www.sentinelone.com
November 21, 2024 at 3:00 PM
Reposted by Antonio Cocomazzi
Following my previous tweet, my Kerberos MITM relay/forwarder is almost finished! It targets, for example, insecure DNS updates in AD, allowing DNS name forgery. It intercepts, relays, and forwards traffic, with the client unaware. Currently supporting smb->smb and smb->http (adcs)
November 20, 2024 at 11:21 AM
Reposted by Antonio Cocomazzi
Awesome new addition to krbrelayx by Hugow from Synacktiv: www.synacktiv.com/publications...
Relaying Kerberos over SMB using krbrelayx
www.synacktiv.com
November 20, 2024 at 4:02 PM
Reposted by Antonio Cocomazzi
TrustedSec Tech Brief

00:30 - NTLM Hash Disclosure Zero-Day
01:45 - Task Scheduler Vulnerability
02:30 - Exchange Server Issues
03:15 - AD Certificate Services Flaw
04:00 - Vulnerability Breakdown
04:45 - Palo Alto Zero-Day
05:30 - FortiGate VPN Update

www.youtube.com/watch?v=3mSD...
TrustedSec Tech Brief - November 2024
YouTube video by TrustedSec
www.youtube.com
November 19, 2024 at 4:32 PM
Reposted by Antonio Cocomazzi
What we saw with Hidden Risk (s1.ai/BNThief), we’ll see plenty more of in 2025: threat actors exploring all the old methods of #macOS persistence because the lazy LaunchAgents way is now too noisy thanks to changes Apple made in Ventura. (1/2)
November 18, 2024 at 7:39 PM
Reposted by Antonio Cocomazzi
Working on my "new" Kerberos Relay & PortForwarder tool, designed to also manage MITM attacks 😇
November 17, 2024 at 3:39 PM
Reposted by Antonio Cocomazzi
Almost embarrassed to post this, but I've always used Fiddler or Burp for capturing things like this...

I didn't have admin rights and was trying to capture network traffic from a pop-up, so Dev Tools wasn't working

Apparently this is built into Chrome/Edge! So cool :)

edge://net-export/
November 17, 2024 at 6:49 AM
Reposted by Antonio Cocomazzi
CTO at NCSC Summary: week ending November 17th
Zero-days everywhere...
ctoatncsc.substack.com
November 16, 2024 at 11:57 AM
Reposted by Antonio Cocomazzi
AdobeFips - Adobe Reader Lolbin

www.hexacorn.com/blog/2024/11...
November 16, 2024 at 6:12 PM