
Antonio Cocomazzi

@splintercode.bsky.social

offensive security - windows internals - reverse engineering | X: https://x.com/splinter_code | Mastodon: https://infosec.exchange/@splinter_code | GitHub: https://github.com/antonioCoco | Blog: https://splintercod3.blogspot.com/

335 Followers  |  275 Following  |  12 Posts  |  Joined: 12.11.2024  |  2.0169

Latest posts by splintercode.bsky.social on Bluesky

macOS FlexibleFerret | Further Variants of DPRK Malware Family Unearthed DPRK 'Contagious Interview' campaign continues to target Mac users with new variants of FERRET malware and Github devs with repo spam.

🚨 Alert: New macOS Malware Variants, FlexibleFerret, Undetected by Apple’s XProtect 🚨

@sentinellabs.bsky.social researchers @philofishal.bsky.social and @hegel.bsky.social have uncovered new variants, which slip past Apple's XProtect, of the DPRK-linked macOS malware, Ferret.

03.02.2025 21:01 — 👍 8    🔁 5    💬 2    📌 0
Windows Bug Class: Accessing Trapped COM Objects with IDispatch Posted by James Forshaw, Google Project Zero Object orientated remoting technologies such as DCOM and .NET Remoting make it very easy ...

New blog post on the abuse of the IDispatch COM interface to get unexpected objects loaded into a process. Demoed by using this to get arbitrary code execution in a PPL process. googleprojectzero.blogspot.com/2025/01/wind...

30.01.2025 18:37 — 👍 66    🔁 42    💬 2    📌 0

Also kudos to my friend @decoder-it.bsky.social, who was the first to spot those as Admin Protection bypasses

29.01.2025 11:39 — 👍 0    🔁 0    💬 0    📌 0
Evolving the Windows User Model – Introducing Administrator Protection | Microsoft Community Hub Previously, in part one, we outlined the history of the multi-user model in Windows, how Microsoft introduced features to secure it, and in what ways we got...

Very interesting post by Microsoft about the internals of the new Admin Protection feature.
It seems they have patched my SSPI UAC bypass based on NTLM as well as the Kerberos UAC bypass, both of which were able to bypass AP as well.

More details here 👇
techcommunity.microsoft.com/blog/microso...

29.01.2025 11:38 — 👍 6    🔁 3    💬 1    📌 0
The (Almost) Forgotten Vulnerable Driver Vulnerable Windows drivers remain one of the most exploited methods attackers use to gain access to the Windows kernel. The list of known vulnerable drivers seems almost endless, with some not even…

Had some fun reviving an old vulnerable driver, read all about it here: decoder.cloud/2025/01/09/t... 🤝

09.01.2025 11:37 — 👍 5    🔁 3    💬 0    📌 0
Dissecting the Windows Defender Driver - WdFilter (Part 1) In this series of posts I'll be explaining how the Windows Defender main Driver works, in this first post we will look into the initialization and the Process creation notifications among other things

Thanks to a recent post from @ericlawrence.com on Defender and Dev Drive, I was reminded of this amazing research series by @n4r1B

n4r1b.com/posts/2020/0...

I only comprehend ~30% if I'm lucky, but that's a good 10% more than last time I read it 🤣

Still, it's definitely worth reading ;)

19.12.2024 02:06 — 👍 14    🔁 3    💬 0    📌 0

Working in it .... 😇

www.youtube.com/watch?v=fUqC...

13.12.2024 19:49 — 👍 6    🔁 3    💬 0    📌 1

There is also another check later in IopQueryRegistryKeySystemPath that ensures the ImagePath is under the "System" key

13.12.2024 16:11 — 👍 0    🔁 0    💬 0    📌 0

In older ntoskrnl (e.g. Win2016 1607) the function IopQueryRegistryKeySystemPath doesn't exist and the "ImagePath" value is retrieved without checks through IopGetRegistryValue(..., "ImagePath",...) in IopBuildFullDriverPath

13.12.2024 16:11 — 👍 0    🔁 0    💬 1    📌 0

In newer ntoskrnl.exe there is a check in IopLoadDriver->IopBuildFullDriverPath->IopQueryRegistryKeySystemPath that ensures the "ImagePath" value is under a regkey prefixed with \REGISTRY\MACHINE, and if not it returns 0xC00000E5

13.12.2024 16:11 — 👍 0    🔁 0    💬 1    📌 0

@decoder-it.bsky.social and I noticed that it's no longer possible to call NtLoadDriver pointing to an unprivileged regkey such as \REGISTRY\USER.
Even if you have the SeLoadPrivilege, you would still require the Admin group to write the required regkey.
Some more technical details below 👇

13.12.2024 16:11 — 👍 3    🔁 3    💬 1    📌 0

🔮 What does the future hold? Surprises 🎲, certainly, but some of the forces that will shape #2025 can already be discerned in the shadows of 2024. The @sentinellabs.bsky.social team takes a look at what might be coming over the horizon for #cybersecurity this coming year.

12.12.2024 18:04 — 👍 6    🔁 3    💬 0    📌 0
Cobalt Strike Postex Kit The CS 4.10 update saw the introduction of the Postex Kit. This was a bit overshadowed by BeaconGate, which was also added in 4.10 (I wrote about this in my last post). The intention of this post is t...

[BLOG]
Today's post is all about Cobalt Strike's Postex Kit.
rastamouse.me/cobalt-strik...

08.12.2024 17:11 — 👍 15    🔁 3    💬 0    📌 0
UDRL, SleepMask, and BeaconGate I've been looking into Cobalt Strike's UDRL, SleepMask, and BeaconGate features over the last couple of days. It took me some time to understand the relationship between these capabilities, so the aim...

[BLOG]
This post summarises how to tie Cobalt Strike's UDRL, SleepMask, and BeaconGate together for your syscall and call stack spoofing needs.

rastamouse.me/udrl-sleepma...

30.11.2024 02:05 — 👍 33    🔁 17    💬 0    📌 1

Relaying DCOM has always intrigued me, so I decided to dive in. Started with a MiTM attack using a fake DNS entry, targeting certificate requests to an ADCS server and relaying to SMB.

29.11.2024 21:42 — 👍 9    🔁 4    💬 1    📌 0

Windows.Storage . lol

www.hexacorn.com/blog/2024/11...

28.11.2024 22:28 — 👍 19    🔁 9    💬 1    📌 0

💡 Dr. Cristina Cifuentes, the Mother of Decompilation, reflects in her #LABScon2024 keynote on three decades of innovation in reverse engineering.

📺 Watch the full video: s1.ai/LC24-CC

26.11.2024 17:57 — 👍 37    🔁 17    💬 1    📌 2

Insane work 🔥

25.11.2024 18:28 — 👍 2    🔁 0    💬 0    📌 0

I'm glad to release the tool I have been working hard on the last month: #KrbRelayEx
A Kerberos relay & forwarder for MiTM attacks!
>Relays Kerberos AP-REQ tickets
>Manages multiple SMB consoles
>Works on Win & Linux with .NET 8.0
>...
GitHub: github.com/decoder-it/K...

25.11.2024 17:31 — 👍 64    🔁 43    💬 3    📌 0
Hackers abuse Avast anti-rootkit driver to disable defenses A new malicious campaign is using a legitimate but old and vulnerable Avast Anti-Rootkit driver to evade detection and take control of the target system by disabling security components.


www.bleepingcomputer.com/news/securit...

23.11.2024 21:05 — 👍 15    🔁 8    💬 0    📌 0
DPRK IT Workers | A Network of Active Front Companies and Their Links to China SentinelLabs has identified multiple deceptive websites linked to businesses in China fronting for North Korea's fake IT workers scheme.

🚨 New Research Drop:

🇰🇵 DPRK IT Workers | A Network of Active Front Companies and Their Links to China

Summary:
⚪ Newly Disrupted Front Companies by USG
⚪ Impersonating US based software and tech orgs
⚪ Links to still-active front orgs, CN association

Report:
www.sentinelone.com/labs/dprk-it...

21.11.2024 15:00 — 👍 38    🔁 23    💬 1    📌 3

Following my prev tweet, my Kerberos MITM relay/forwarder is almost finished! It targets for example insecure DNS updates in AD, allowing DNS name forgery. It intercepts, relays, and forwards traffic, with the client unaware. Currently supporting smb->smb and smb->http (adcs)

20.11.2024 11:21 — 👍 36    🔁 14    💬 1    📌 0
Relaying Kerberos over SMB using krbrelayx

Awesome new addition to krbrelayx by Hugow from Synacktiv: www.synacktiv.com/publications...

20.11.2024 16:02 — 👍 30    🔁 14    💬 0    📌 0
TrustedSec Tech Brief - November 2024 (YouTube video by TrustedSec)

TrustedSec Tech Brief

00:30 - NTLM Hash Disclosure Zero-Day
01:45 - Task Scheduler Vulnerability
02:30 - Exchange Server Issues
03:15 - AD Certificate Services Flaw
04:00 - Vulnerability Breakdown
04:45 - Palo Alto Zero-Day
05:30 - FortiGate VPN Update

www.youtube.com/watch?v=3mSD...

19.11.2024 16:32 — 👍 61    🔁 21    💬 3    📌 1

What we saw with Hidden Risk (s1.ai/BNThief), we’ll see plenty more of in 2025: threat actors exploring all the old methods of #macOS persistence because the lazy LaunchAgents way is now too noisy thanks to changes Apple made in Ventura. (1/2)

18.11.2024 19:39 — 👍 9    🔁 4    💬 1    📌 0
Phobos Ransomware Administrator Extradited from South Korea to Face Cybercrime Charges The Justice Department unsealed criminal charges today against Evgenii Ptitsyn, 42, a Russian national, for allegedly administering the sale, distribution, and operation of Phobos ransomware. Ptitsyn ...

www.justice.gov/opa/pr/phobo...

18.11.2024 19:40 — 👍 1    🔁 0    💬 0    📌 0

Working on my "new" Kerberos Relay & PortForwarder tool designed for managing also MITM attacks 😇

17.11.2024 15:39 — 👍 11    🔁 1    💬 1    📌 0

Looks great 🔥 Can't wait to try it out

17.11.2024 15:54 — 👍 1    🔁 0    💬 1    📌 0

Almost embarrassed to post this, but I've always used Fiddler or Burp for capturing things like this...

I didn't have admin rights and was trying to capture network traffic from a pop-up, so Dev Tools wasn't working

Apparently this is built into Chrome/Edge! So cool :)

edge://net-export/

17.11.2024 06:49 — 👍 188    🔁 46    💬 15    📌 3
CTO at NCSC Summary: week ending November 17th Zero-days everywhere...

Weekly summary is out...

ctoatncsc.substack.com/p/cto-at-ncs...

16.11.2024 11:57 — 👍 16    🔁 11    💬 0    📌 0
