Web Security
NetNTLM leak attacks remain dangerous in 2024
https://badoption.eu/blog/2024/04/25/netntlm.html
Internal Network Penetration
ADCS attack paths in BloodHound
https://medium.com/specter-ops-posts/adcs-attack-paths-in-bloodhound-part-1-799f3d3b03cf
https://posts.specterops.io/adcs-attack-paths-in-bloodhound-part-2-ac7f925d1547
Abusing default DCOM permissions to intercept and relay user authentication for "SilverPotato" privilege escalation and RCE
https://decoder.cloud/2024/04/24/hello-im-your-domain-admin-and-i-want-to-authenticate-against-you/
SCCM exploitation surface analysis, reproduction techniques and detection recommendations
https://www.guidepointsecurity.com/blog/sccm-exploitation-compromising-network-access-accounts/
Endpoint Evasion
Safely implementing C2 sleep obfuscation with the thread pool mechanism
https://whiteknightlabs.com/2024/04/30/sleeping-safely-in-thread-pools/
PartyLoader: threadless shellcode injection tool
https://github.com/itaymigdal/PartyLoader
A new method of process self-injection using WriteProcessMemory
https://revflash.medium.com/its-morphin-time-self-modifying-code-sections-with-writeprocessmemory-for-edr-evasion-9bf9e7b7dced
AutoAppDomainHijack: automated AppDomain persistence payload generation tool
https://github.com/nbaertsch/AutoAppDomainHijack
ETW-ByeBye: disabling the ETW-TI event source without PPL privileges
http://www.legacyy.xyz/defenseevasion/windows/2024/04/24/disabling-etw-ti-without-ppl.html
Writing arbitrary process memory from the kernel via CR3 manipulation
https://github.com/Kharos102/ReadWriteDriverSample
Using high-reputation services as C2 communication tunnels
https://github.com/FuzzySecurity/SAFACon-Vienna/blob/main/SAFA-LaunderingC2Traffic.pdf
SharpGraphView: Microsoft Graph API post-exploitation toolkit, inspired by in-the-wild abuse
https://github.com/mlcsec/SharpGraphView
Vulnerabilities
CVE-2024-0200: disclosure of the discovery approach for a credential leak vulnerability on GitHub.com
https://starlabs.sg/blog/2024/04-sending-myself-github-com-environment-variables-and-ghes-shell/
CVE-2024-2887: code execution vulnerability in the Chrome browser's V8 and WASM engines
https://www.zerodayinitiative.com/blog/2024/5/2/cve-2024-2887-a-pwn2own-winning-bug-in-google-chrome
Analysis of CFG mitigation enhancements in Windows 11 24H2
https://ynwarcs.github.io/Win11-24H2-CFG
A new way to bypass Kernel Address Space Layout Randomization (KASLR) in Windows 11 24H2
https://exploits.forsale/24h2-nt-exploit/
Cloud Security
Evading security controls to safely perform password spraying in Microsoft 365 cloud environments
https://labs.jumpsec.com/why-sneak-when-you-can-walk-through-the-front-door/
Abusing Azure Storage Account read/write permissions for privilege escalation and lateral movement
https://medium.com/@tamirye94/not-the-access-you-asked-for-how-azure-storage-account-read-write-permissions-can-be-abused-75311103430f
https://github.com/Tamirye/Find-SensitiveAzStorageAccounts
Stealing plaintext credentials from IAM providers such as Azure by hooking LogonUserW
https://blog.2h0ng.wiki/2024/04/27/LogonUserW%20Hooking/
One-click Azure tenant takeover via an Azure application, enabling phishing
https://falconforce.nl/arbitrary-1-click-azure-tenant-takeover-via-ms-application/
Exploiting bootstrap tokens in Azure Kubernetes Service
https://www.synacktiv.com/en/publications/so-i-became-a-node-exploiting-bootstrap-tokens-in-azure-kubernetes-service
Lateral movement and local hash dumping with Microsoft Entra Temporary Access Passes
https://dirkjanm.io/lateral-movement-and-hash-dumping-with-temporary-access-passes-microsoft-entra/
AI and Security
Lethal Injection: how we hacked Microsoft's medical chatbot
https://www.breachproof.net/blog/lethal-injection-how-we-hacked-microsoft-ai-chat-bot
LLM pentesting: RCE exploitation of LLM-integrated agent applications
https://www.blazeinfosec.com/post/llm-pentest-agent-hacking/
Other
DLS 2024 talk: analysis of OPSEC mistakes in red team assessment operations
https://swisskyrepo.github.io/Drink-Love-Share-Rump/
JA4TScan: release of a TCP fingerprinting tool for the JA4 standard
https://medium.com/foxio/ja4t-tcp-fingerprinting-12fb7ce9cb5a
https://github.com/FoxIO-LLC/ja4tscan
Coordinated attacks on Docker Hub planted millions of malicious repositories
https://jfrog.com/blog/attacks-on-docker-with-millions-of-malicious-repositories-spread-malware-and-phishing-scams/
Researcher breaks into Google's internal corporate assets via software package poisoning
https://observationsinsecurity.com/2024/04/25/how-i-hacked-into-googles-internal-corporate-assets/
Originally published on the WeChat official account M01N Team: Weekly Red Team Technical Digest (2024.4.27-5.10)