splinter_code

133 Followers
75 Following
19 Posts
offensive security - windows internals - reverse engineering
Blog: https://splintercod3.blogspot.com/
X (formerly Twitter): https://x.com/splinter_code
BlueSky: https://bsky.app/profile/splintercode.bsky.social
GitHub: https://github.com/antonioCoco
From Guardian to Gateway: The Hidden Risks of EDR Vulnerabilities - Neodyme
https://neodyme.io/en/blog/wazuh_rce/

/via @tekwizz123

CVE-2024-32038, CVE-2023-50260
#frombsky
From Guardian to Gateway: The Hidden Risks of EDR Vulnerabilities

Explore the hidden risks within security software as we dive into vulnerabilities of Wazuh, a popular EDR solution. This post reveals how even trusted tools can become targets, highlighting the importance of robust defenses for security systems themselves.

Me to Matomo:
Your installation instructions guarantee that Windows will be vulnerable to LPE. You should probably fix that.

Matomo:
"Unfortunately we do not consider this as a security issue, because it's actually fully unrelated to Matomo itself."

Great job, folks!

I'm back here on Mastodon, I will be reviving this account 🔥
@itm4n @decoder_it Thanks man! 🙏

🔥 Brace yourself #LocalPotato is out 🥔
Our new NTLM reflection attack in local authentication allows for arbitrary file read/write & elevation of privilege.
Patched by Microsoft, but other protocols may still be vulnerable.
cc @decoder_it

Enjoy! 👇

https://www.localpotato.com/localpotato_html/LocalPotato.html

LocalPotato - When Swapping The Context Leads You To SYSTEM

Here we are again with our new *potato flavor, the LocalPotato! This was a cool finding so we decided to create this dedicated website ;)

@bugch3ck @decoder_it who said we don't have another one? 😂

Excited to share my latest research about the #ViceSociety #Ransomware group and the growing #threat of custom-branded ransomware! 🔥

A thread 🧡

The #PolyVice ransomware variant used by the Vice Society group has a robust encryption scheme using #NTRUEncrypt and ChaCha20-Poly1305 algorithms.

We examine the connections between the Vice Society payload and other ransomware strains and variants.
Our analysis reveals that the codebase for the PolyVice variant has been used to build custom-branded payloads for other threat groups as well.

This is significant because it suggests that the Vice Society group is not developing their own ransomware payloads, but rather outsourcing its development.

One of the most rewarding parts was diving into the reversing process and trying to understand the logic of the PolyVice variant's code.

It's an interesting locker implementation.

More juicy details here 👇

https://www.sentinelone.com/labs/custom-branded-ransomware-the-vice-society-group-and-the-threat-of-outsourced-development/

Custom-Branded Ransomware: The Vice Society Group and the Threat of Outsourced Development

New PolyVice ransomware is likely in use by multiple threat actors building re-branded payloads with the same custom encryption scheme.

SentinelOne

🔥 It's time for my top 10 list of the best blog posts I read in 2022! 🧵

I want to make it clear that this list is subjective and based on my own personal preferences. There are many other great articles and blog posts out there that didn't make it onto my list.

The infosec community is full of talented and knowledgeable individuals, and it's important that we continue to share our insights and experiences with each other to improve as a whole.

Here are my top 10 picks 👇 (ordered by release date)

1. Windows Drivers Reverse Engineering Methodology by @Void_Sec

This blog post details a methodology for reverse engineering and finding vulnerable code paths in Windows drivers.
Including a guide for setting up a lab for (the pesky) kernel debugging.

https://voidsec.com/windows-drivers-reverse-engineering-methodology/

2. Sandboxing Antimalware Products for Fun and Profit by @GabrielLandau

The concept of nerfing the token of a privileged process in order to bypass Anti-Tamper protections is mindblowing.
I bet this worked against most of EDRs when it was released

https://www.elastic.co/security-labs/sandboxing-antimalware-products

3. Exploring Windows UAC Bypasses: Techniques and Detection Strategies by @sbousseaden

Not lying here saying UAC is one of my favorite topics
This blogpost details multiple aspects of it, including exploitation primitives and detection opportunities

https://www.elastic.co/security-labs/exploring-windows-uac-bypasses-techniques-and-detection-strategies

4. Bypassing UAC in the most Complex Way Possible! by @tiraniddo

There should be a dedicated Top 10 for all the vulnerabilities reported by James in 2022
This is probably the least relevant but the one I enjoyed most, a way to abuse Kerberos to bypass UAC

https://www.tiraniddo.dev/2022/03/bypassing-uac-in-most-complex-way.html

5. Critical Remote Code Execution Vulnerabilities in Windows RPC Runtime by @nachoskrnl and @ophirharpaz

Do you remember the panic back in April when the CVSS 9.8 vuln was released?
This was the main technical ref, great contribution to the community

https://www.akamai.com/blog/security/critical-remote-code-execution-vulnerabilities-windows-rpc-runtime

6. Why Are My Junctions Not Followed? Exploring Windows Redirection Trust Mitigation by @galdeleon

Symlink attacks have been a major source of privesc vulnerabilities in Windows
This article discusses the mitigations (trying) to address this issue

https://unit42.paloaltonetworks.com/junctions-windows-redirection-trust-mitigation/

7. Using process creation properties to catch evasion techniques by Microsoft

The infosec community has often criticized Microsoft for its well-known lack of documentation
This article provides valuable information on detecting stealthy process injections

https://www.microsoft.com/en-us/security/blog/2022/06/30/using-process-creation-properties-to-catch-evasion-techniques/

8. The End of PPLdump by @itm4n

The "legendary" tool that forced Microsoft to unexpectedly fix an Admin->Protected Process boundary violation is described in this blog post.
It also details all the changes that were implemented to prevent the attack.

https://itm4n.github.io/the-end-of-ppldump/

9. Stopping Vulnerable Driver Attacks by @dez_

This post discusses a trend among ransomware groups of using vulnerable drivers for kernel code execution and tampering with security solutions
The 65 released YARAs are an invaluable community contribution

https://www.elastic.co/security-labs/stopping-vulnerable-driver-attacks

10. Bypassing FileBlockExecutable in Sysmon 14.0: A Lesson In Analyzing Assumptions by @diversenok_zero

This article highlights the complex decisions and difficulties involved in minifilter driver development and how attackers can exploit them

https://www.huntandhackett.com/blog/bypassing-sysmon

[BONUS] 11. Giving JuicyPotato a second chance: JuicyPotatoNG by @decoder_it and I

I tried to avoid including any of my own research, but reviving JuicyPotato is priceless
Written with my friend Andrea, this details the latest JuicyPotatoNG implementation
https://decoder.cloud/2022/09/21/giving-juicypotato-a-second-chance-juicypotatong/

That's a wrap on my top 10 list.
These articles provided valuable insights and knowledge on a variety of security topics, and I'm sure they'll be just as useful for you.
Here's to hoping for even more great content in 2023!
Cheers 🍻

In the next days I will publish the blog posts I enjoyed most in 2022. Including a list of relevant blog posts for the ecrime world.

As a starter, you can check the Top10 published by TrustedSec. A gold mine of knowledge shared there --> https://twitter.com/TrustedSec/status/1604871460178255873

Creating a technical blog post can be a challenging and frustrating task, but the end result is worth it
Not only do these posts serve as valuable resources for anyone, but they also help to advance the field as a whole
Keep sharing your knowledge with the community!

TrustedSec on Twitter

“🧵Announcing our Top 10 Blog Posts of 2022! See what blogs were the most viewed this year. 👀👇”

Twitter