Web安全
protoburp:Burp Suite扩展实现自定义Protobuf消息的编解码以及模糊测试
https://github.com/doyensec/protoburp
Session-Hijacking-Visual-Exploitation:通过注入恶意JavaScript代码劫持用户会话的工具
https://github.com/doyensec/Session-Hijacking-Visual-Exploitation/
Web条件竞争攻击的深入研究
https://portswigger.net/research/smashing-the-state-machine
内网渗透
目前Windows内置SMB服务器SMB协议版本选择
https://techcommunity.microsoft.com/t5/storage-at-microsoft/smb-dialect-management-now-supported-in-windows-insider/ba-p/3916368
目前Windows内置阻止SMB进行NTLM认证的策略
https://techcommunity.microsoft.com/t5/storage-at-microsoft/smb-ntlm-blocking-now-supported-in-windows-insider/ba-p/3916206
从普通域用户到Azure AD全局管理员
https://www.shaunography.com/from-domain-user-to-domain-admin-da-from-da-to-global-admin-ga.html
GPODDITY:通过NTLM中继手段等利用GPO
https://github.com/synacktiv/GPOddity
https://www.synacktiv.com/publications/gpoddity-exploiting-active-directory-gpos-through-ntlm-relaying-and-more
从NTAuthCertificates到白银证书
https://decoder.cloud/2023/09/05/from-ntauthcertificates-to-silver-certificate/
终端对抗
使用SSPI Datagram上下文绕过UAC
https://splintercod3.blogspot.com/p/bypassing-uac-with-sspi-datagram.html?m=1
apppoolcreddecrypt:不使用appcmd.exe解密IIS App Pool凭据
https://github.com/xpn/RandomTSScripts/tree/master/apppoolcreddecrypt
POSTDump:ReactOS minidump函数(如 nanodump)的 C#实现,避免调用MiniDumpWriteDump API规避检测
https://github.com/YOLOP0wn/POSTDump
SharpShellPipe:通过命名管道与SMB协议与远程Shell交互的轻量级C# demo
https://github.com/DarkCoderSc/SharpShellPipe
ETWListicle:从进程中Dump ETW提供程序
https://github.com/whokilleddb/ETWListicle
滥用echo_driver.sys驱动实现内核任意地址读写
https://github.com/YOLOP0wn/EchoDrv
调试Windows隔离用户模式(IUM)进程
https://blog.quarkslab.com/debugging-windows-isolated-user-mode-ium-processes.html
漏洞相关
CVE-2023-35359:Windows文件历史服务本地提权漏洞分析与PoC
https://ssd-disclosure.com/ssd-advisory-file-history-service-fhsvc-dll-elevation-of-privilege/
CVE-2023-38146:Windows主题远程代码执行漏洞PoC
https://github.com/gabe-k/themebleed
Windows系统驱动器在模拟期间被链接替换可导致权限提升漏洞
https://bugs.chromium.org/p/project-zero/issues/detail?id=2451
CVE-2023-35001:Ubuntu内核提权漏洞分析
https://www.synacktiv.com/en/publications/old-bug-shallow-bug-exploiting-ubuntu-at-pwn2own-vancouver-2023
云安全
容器逃逸的7种方式
https://www.panoptica.app/research/7-ways-to-escape-a-container
Microsoft云存储安全威胁矩阵
https://www.microsoft.com/en-us/security/blog/2023/09/07/cloud-storage-security-whats-new-in-the-threat-matrix/
其他
规避基于网页签名的钓鱼检测
https://www.r-tec.net/r-tec-blog-evade-signature-based-phishing-detections.html
mellon:针对工控协议OSDP的攻击工具
https://github.com/BishopFox/mellon
M01N Team公众号
聚焦高级攻防对抗热点技术
绿盟科技蓝军技术研究战队
官方攻防交流群
网络安全一手资讯
攻防技术答疑解惑
扫码加好友即可拉群
往期推荐
每周蓝军技术推送(2023.9.2-9.8)
每周蓝军技术推送(2023.8.26-9.1)
每周蓝军技术推送(2023.8.19-8.25)
原文始发于微信公众号(M01N Team):每周蓝军技术推送(2023.9.9-9.15)
