| Blog | https://breakdev.org |
| Courses | https://academy.breakdev.org/ |
| GitHub | https://github.com/kgretzky |
| Twitter | https://twitter.com/mrgretzky |
Friendly reminder to everyone - just booked my ticket to OffensiveCon 2023!
If you are also going, I will be more than happy to grab a few beers with you and party together! 🍻
🔥 It's time for my top 10 list of the best blog posts I read in 2022! 🧵
I want to make it clear that this list is subjective and based on my own personal preferences. There are many other great articles and blog posts out there that didn't make it onto my list.
The infosec community is full of talented and knowledgeable individuals, and it's important that we continue to share our insights and experiences with each other to improve as a whole.
Here are my top 10 picks (ordered by release date):
1. Windows Drivers Reverse Engineering Methodology by @Void_Sec
This blog post details a methodology for reverse engineering and finding vulnerable code paths in Windows drivers.
It also includes a guide for setting up a lab for (the pesky) kernel debugging.
https://voidsec.com/windows-drivers-reverse-engineering-methodology/
2. Sandboxing Antimalware Products for Fun and Profit by @GabrielLandau
The concept of nerfing the token of a privileged process in order to bypass Anti-Tamper protections is mind-blowing.
I bet this worked against most EDRs when it was released.
https://www.elastic.co/security-labs/sandboxing-antimalware-products
3. Exploring Windows UAC Bypasses: Techniques and Detection Strategies by @sbousseaden
Not lying here: UAC is one of my favorite topics.
This blog post details multiple aspects of it, including exploitation primitives and detection opportunities.
4. Bypassing UAC in the most Complex Way Possible! by @tiraniddo
There should be a dedicated Top 10 for all the vulnerabilities reported by James in 2022
This is probably the least relevant, but the one I enjoyed most: a way to abuse Kerberos to bypass UAC.
https://www.tiraniddo.dev/2022/03/bypassing-uac-in-most-complex-way.html
5. Critical Remote Code Execution Vulnerabilities in Windows RPC Runtime by @nachoskrnl and @ophirharpaz
Do you remember the panic back in April when the CVSS 9.8 vuln was released?
This was the main technical reference; a great contribution to the community.
6. Why Are My Junctions Not Followed? Exploring Windows Redirection Trust Mitigation by @galdeleon
Symlink attacks have been a major source of privesc vulnerabilities in Windows
This article discusses the mitigations (trying) to address this issue
https://unit42.paloaltonetworks.com/junctions-windows-redirection-trust-mitigation/
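The mitigation in the article hinges on one question: who owns the junction a privileged process is about to follow? The script below is an added example (not code from the Unit 42 post, and not a reimplementation of the kernel check): it walks each component of a path, and for every reparse point reports the owner of the reparse point itself rather than of its target. Get-Acl follows reparse points, so the owner is read through a handle opened with FILE_FLAG_OPEN_REPARSE_POINT via a small P/Invoke helper. The "trusted owner" set (SYSTEM, Administrators, TrustedInstaller) is an assumption for illustration; the exact trust rule the mitigation applies is the one described in the article, and the example path is a placeholder.

```powershell
# Added example: audit a path's components for junctions/symlinks owned by
# untrusted principals. Not part of the Unit 42 article.
$reparseOwnerSrc = @'
using System;
using System.Runtime.InteropServices;
public static class ReparseOwner {
    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern IntPtr CreateFileW(string name, uint access, uint share, IntPtr sa,
                                     uint disposition, uint flags, IntPtr template);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern uint GetSecurityInfo(IntPtr handle, int objectType, uint secInfo,
                                       out IntPtr owner, IntPtr group, IntPtr dacl,
                                       IntPtr sacl, out IntPtr descriptor);
    [DllImport("kernel32.dll")] static extern IntPtr LocalFree(IntPtr p);
    [DllImport("kernel32.dll")] static extern bool CloseHandle(IntPtr h);

    // Owner SID of the reparse point at 'path', read WITHOUT following the link.
    public static string OwnerSidOfLink(string path) {
        const uint READ_CONTROL        = 0x00020000;
        const uint SHARE_ALL           = 0x7;         // READ | WRITE | DELETE
        const uint OPEN_EXISTING       = 3;
        const uint BACKUP_SEMANTICS    = 0x02000000;  // required to open directories
        const uint OPEN_REPARSE_POINT  = 0x00200000;  // do not traverse the link
        IntPtr h = CreateFileW(path, READ_CONTROL, SHARE_ALL, IntPtr.Zero, OPEN_EXISTING,
                               BACKUP_SEMANTICS | OPEN_REPARSE_POINT, IntPtr.Zero);
        if (h == new IntPtr(-1)) throw new System.ComponentModel.Win32Exception();
        try {
            IntPtr owner, sd;
            // SE_FILE_OBJECT = 1, OWNER_SECURITY_INFORMATION = 1
            uint rc = GetSecurityInfo(h, 1, 1, out owner, IntPtr.Zero, IntPtr.Zero,
                                      IntPtr.Zero, out sd);
            if (rc != 0) throw new System.ComponentModel.Win32Exception((int)rc);
            try { return new System.Security.Principal.SecurityIdentifier(owner).Value; }
            finally { LocalFree(sd); }   // the owner SID points into this descriptor
        } finally { CloseHandle(h); }
    }
}
'@
Add-Type -TypeDefinition $reparseOwnerSrc

function Test-PathRedirections {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Assumption: principals a privileged service may trust to own a link.
        # SYSTEM, BUILTIN\Administrators, TrustedInstaller. Tune per environment.
        [string[]] $TrustedOwnerSids = @('S-1-5-18', 'S-1-5-32-544',
            'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464')
    )
    $full  = [System.IO.Path]::GetFullPath($Path)
    $root  = [System.IO.Path]::GetPathRoot($full)
    $cur   = $root.TrimEnd('\')
    $parts = $full.Substring($root.Length) -split '\\' | Where-Object { $_ -ne '' }
    foreach ($part in $parts) {
        $cur = Join-Path $cur $part
        if (-not (Test-Path -LiteralPath $cur)) { break }    # rest does not exist yet
        $item = Get-Item -LiteralPath $cur -Force
        # FILE_ATTRIBUTE_REPARSE_POINT = 0x400: plain files/dirs are skipped
        if (([int]$item.Attributes -band 0x400) -eq 0) { continue }
        $sid = [ReparseOwner]::OwnerSidOfLink($cur)
        $account = $sid
        try {
            $account = (New-Object Security.Principal.SecurityIdentifier $sid).
                Translate([Security.Principal.NTAccount]).Value
        } catch { }                                           # unresolvable SID: keep raw
        [pscustomobject]@{
            Component = $cur
            LinkType  = $item.LinkType                        # Junction / SymbolicLink
            Target    = ($item.Target -join ';')
            Owner     = $account
            Trusted   = ($TrustedOwnerSids -contains $sid)
        }
    }
}

# Usage: check a path a SYSTEM service is about to open for write (placeholder path).
Test-PathRedirections -Path 'C:\ProgramData\ExampleVendor\logs\app.log' | Format-Table -AutoSize
```

A component reported with Trusted = False is exactly the situation the redirection trust mitigation is meant to refuse: a link planted by a lower-privileged owner in a path a privileged process will later traverse. Reading the owner through a handle opened with FILE_FLAG_OPEN_REPARSE_POINT matters, because Get-Acl on the same path would report the owner of the link's target, which is typically SYSTEM and would hide the planted link.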
7. Using process creation properties to catch evasion techniques by Microsoft
The infosec community has often criticized Microsoft for its well-known lack of documentation.
This article provides valuable information on detecting stealthy process injections
8. The End of PPLdump by @itm4n
The "legendary" tool that forced Microsoft to unexpectedly fix an Admin->Protected Process boundary violation is described in this blog post.
It also details all the changes that were implemented to prevent the attack.
https://itm4n.github.io/the-end-of-ppldump/
9. Stopping Vulnerable Driver Attacks by @dez_
This post discusses a trend among ransomware groups of using vulnerable drivers for kernel code execution and tampering with security solutions
The 65 released YARAs are an invaluable community contribution
https://www.elastic.co/security-labs/stopping-vulnerable-driver-attacks
10. Bypassing FileBlockExecutable in Sysmon 14.0: A Lesson In Analyzing Assumptions by @diversenok_zero
This article highlights the complex decisions and difficulties involved in minifilter driver development and how attackers can exploit them
https://www.huntandhackett.com/blog/bypassing-sysmon
[BONUS] 11. Giving JuicyPotato a second chance: JuicyPotatoNG by @decoder_it and me
I tried to avoid including any of my own research, but reviving JuicyPotato is priceless
Written with my friend Andrea, this details the latest JuicyPotatoNG implementation
https://decoder.cloud/2022/09/21/giving-juicypotato-a-second-chance-juicypotatong/
That's a wrap on my top 10 list.
These articles provided valuable insights and knowledge on a variety of security topics, and I'm sure they'll be just as useful for you.
Here's to hoping for even more great content in 2023!
Cheers 🍻
Recently we started seeing Threat Actors abusing MSI Windows Installation files for Initial Access & code execution.
🔥 I now release Part 1 insights into how MSIs can be abused, PoCs for 🔴 & dissection utility for 🔵.
Let me know what you think!
🔴 PoCs related:
https://bit.ly/3BPmDjy
GitHub - mgeeky/msi-shenanigans: Proof of Concept code and samples presenting emerging threat of MSI installer files.
🔵 Dissection utility - msidump.py:
https://bit.ly/3BPmxbG
Moreover, I'd like to announce that my Modern Initial Access & Evasion Tactics training is now open for registration!
More details here:
https://bit.ly/3VlUbNe
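The thread above points at a dissection utility for MSI files; the script below is an added example (written for this page, not mgeeky's msidump.py and not from the msi-shenanigans repository) showing the core of such triage with nothing but the Windows Installer COM API: it dumps the CustomAction table and flags the actions that execute code during install, plus the two Type flags that matter most for abuse, deferred execution (msidbCustomActionTypeInScript, 0x400) and NoImpersonate (0x800), which together run the action as LocalSystem. The base-type table follows the documented CustomAction Type encoding; the installer path in the usage line is a placeholder.

```powershell
# Added example: list CustomAction entries of an MSI and flag code execution.
# Not part of the original thread or of msidump.py.
function Get-MsiCustomActions {
    param([Parameter(Mandatory)] [string] $MsiPath)

    # Helper: read column $i of a Record through late-bound COM.
    function Get-Col($rec, [int] $i) {
        $rec.GetType().InvokeMember('StringData', 'GetProperty', $null, $rec, @($i))
    }

    $installer = New-Object -ComObject WindowsInstaller.Installer
    # OpenDatabase(path, msiOpenDatabaseModeReadOnly = 0): never write to the sample
    $db = $installer.GetType().InvokeMember('OpenDatabase', 'InvokeMethod', $null,
                                            $installer, @((Resolve-Path $MsiPath).Path, 0))
    $view = $db.GetType().InvokeMember('OpenView', 'InvokeMethod', $null, $db,
              @('SELECT `Action`, `Type`, `Source`, `Target` FROM `CustomAction`'))
    $view.GetType().InvokeMember('Execute', 'InvokeMethod', $null, $view, $null) | Out-Null

    # Low 6 bits of Type select the base custom action type (documented encoding).
    $baseTypes = @{
        1  = 'DLL from Binary table';      2  = 'EXE from Binary table'
        5  = 'JScript from Binary table';  6  = 'VBScript from Binary table'
        17 = 'DLL from installed file';    18 = 'EXE from installed file'
        19 = 'Error message';              21 = 'JScript from installed file'
        22 = 'VBScript from installed file'
        34 = 'EXE with working directory'; 35 = 'Set directory'
        37 = 'Inline JScript';             38 = 'Inline VBScript'
        50 = 'EXE from property';          51 = 'Set property'
        53 = 'JScript from property';      54 = 'VBScript from property'
    }
    # Base types that execute attacker-controlled DLL/EXE/script content.
    $codeTypes = 1, 2, 5, 6, 17, 18, 21, 22, 34, 37, 38, 50, 53, 54

    while ($true) {
        $rec = $view.GetType().InvokeMember('Fetch', 'InvokeMethod', $null, $view, $null)
        if ($null -eq $rec) { break }
        $type = [int](Get-Col $rec 2)
        $base = $type -band 0x3F
        $kind = if ($baseTypes.ContainsKey($base)) { $baseTypes[$base] } else { "Unknown ($base)" }
        [pscustomobject]@{
            Action        = Get-Col $rec 1
            Type          = $type
            Kind          = $kind
            Source        = Get-Col $rec 3
            Target        = Get-Col $rec 4
            RunsCode      = ($codeTypes -contains $base)
            Deferred      = [bool]($type -band 0x400)   # msidbCustomActionTypeInScript
            NoImpersonate = [bool]($type -band 0x800)   # deferred + this = LocalSystem
        }
    }
    $view.GetType().InvokeMember('Close', 'InvokeMethod', $null, $view, $null) | Out-Null
}

# Usage: triage a suspicious installer without ever running it (placeholder path).
Get-MsiCustomActions -MsiPath '.\suspicious.msi' |
    Where-Object RunsCode |
    Sort-Object NoImpersonate -Descending |
    Format-Table Action, Kind, Deferred, NoImpersonate, Source, Target -AutoSize
```

Reading the table through OpenDatabase in read-only mode (mode 0) means the sample is only parsed, never executed and never modified, so the same function can run against a quarantined file. Actions of kind "Inline VBScript"/"Inline JScript" or "EXE from property" with Deferred and NoImpersonate both set are the first rows to inspect, since their payload is in the Target column and will run as LocalSystem at install time.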
Big kudos to @oj for still working on this! Impressive amount of updates!
Our RPC toolkit (https://github.com/akamai/akamai-security-research/tree/main/rpc_toolkit) was updated today with even more stuff from Ben Barnea (@nachoskrnl on Twitter):
* a flowchart describing the various security protections that can stop a remote RPC request
* two new blog posts, one on RPC security and the other on Ben's LSM vulnerabilities