无psexec构造TrustedInstaller权限Token
https://twitter.com/0gtweet/status/1477342919094939654
https://github.com/gtworek/PSBits/blob/master/VirtualAccounts/TrustedInstallerCmd2.c
通过adminSDHolder实现域持久化
https://pentestlab.blog/2022/01/04/domain-persistence-adminsdholder/
WMEye: 利用WMI进行无文件横向移动的工具
https://github.com/pwn1sher/WMEye
利用SSRF漏洞攻击Java RMI
https://blog.tneitzel.eu/posts/01-attacking-java-rmi-via-ssrf/
shouganaiyo-loader: 强制向 JVM 进程注入 Agent 的工具
https://research.nccgroup.com/2021/12/29/tool-release-shouganaiyo-loader-a-tool-to-force-jvm-attaches/
利用Azure Policy Guest配置,实现Azure环境持久化
https://cloudbrothers.info/en/azure-persistence-azure-policy-guest-configuration/#include-arc-connected-servers
针对Azure SAS的渗透指南
https://www.netspi.com/blog/technical/web-application-penetration-testing/azure-sas-tokens/
Azure AD Connect 服务器中包含的Azure AD账户可导致Azure AD和本地AD的攻陷
https://twitter.com/lkarlslund/status/1478780584818356230
利用Caddy反代和证书认证,实现C2访问限制管理
https://improsec.com/tech-blog/staging-cobalt-strike-with-mtls-using-caddy
滥用O365添加云插件功能进行钓鱼
https://mrd0x.com/phishing-o365-spoofed-cloud-attachments/
通过Kernel Callbacks 实现Windows 进程注入
https://gist.github.com/sbasu7241/5dd8c278762c6305b4b2009d44d60c13
Inject-Assembly: 注入.NET Assembly到任意进程
https://github.com/kyleavery/inject-assembly
利用WTS系列Windows API远程枚举进程列表
https://dazzyddos.github.io/posts/Remote-Process-Enumeration-with-WTS-Set-Of-APIs/
LOLBAS:利用 Msedge.exe和Chrome.exe命令下载文件
https://twitter.com/mrd0x/status/1478234484881436672
LOLBAS:AccCheckerConsole.exe和accesschkui.exe命令加载DLL
https://twitter.com/bohops/status/1478196067334295557
LOLBAS:format.com命令加载DLL
https://twitter.com/0gtweet/status/1477925112561209344
Windows Defender不会扫描名为DumpStack.log的文件
https://twitter.com/mrd0x/status/1479094189048713219
将C#工具转换为PowerShell
https://icyguider.github.io/2022/01/03/Convert-CSharp-Tools-To-PowerShell.html
win32k CVE-2021-1732 window 对象类型混淆漏洞的分析
https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/technical-analysis-of-cve-2021-1732/
FortiGuard Labs 对 Active-Directory CVE-2021-42278/42287 漏洞的分析
https://www.fortinet.com/blog/threat-research/cve-2021-42278-cve-2021-42287-from-user-to-domain-admin-60-seconds
以 PDF 文件作为媒介触发 log4j CVE-2021-44228 漏洞
https://github.com/eelyvy/log4jshell-pdf
未认证H2数据库RCE漏洞
https://jfrog.com/blog/the-jndi-strikes-back-unauthenticated-rce-in-h2-database-console/
ZDI 评选的 “The Top 5 Bugs Submitted in 2021”
https://www.zerodayinitiative.com/blog/2022/1/5/the-top-5-bugs-submitted-in-2021
Fiora:漏洞PoC框架的图形版
https://github.com/bit4woo/Fiora
M01N Team
聚焦高级攻防对抗热点技术
绿盟科技蓝军技术研究战队
原文始发于微信公众号(M01N Team):每周蓝军技术推送(2021.1.1-1.7)
