This week in infosec: links
github.com/splunk/melting-cobalt - A tool to hunt/mine for Cobalt Strike beacons and “reduce” their beacon configuration for later indexing. Hunts can either be expansive and internet wide using services like SecurityTrails, Shodan, or ZoomEye or a list of IP’s.
github.com/BishopFox/sliver - Sliver is an open source cross-platform adversary emulation/red team framework, it can be used by organizations of all sizes to perform security testing. Sliver’s implants support C2 over Mutual TLS (mTLS), WireGuard, HTTP(S), and DNS. Implants are dynamically compiled with unique X.509 certificates signed by a per-instance certificate authority generated when you first run the binary.
github.com/mdecrevoisier/Windows-auditing-mindmap - Windows auditing mindmap provides a simplified view of Windows Event logs and auditing capacities that enables defenders to enhance visibility for different purposes:
- Log collection (eg: into a SIEM)
- Threat hunting
- Forensic / DFIR
- Troubleshooting
blogs.juniper.net/en-us/enterprise-cloud-and-transformation/apache-http-server-cve-2021-42013-and-cve-2021-41773-exploited - Apache HTTP Server CVE-2021-42013 and CVE-2021-41773 Exploited in the Wild
search4faces.com - Thanks to technology of neural networks and machine learning, we will help you to find the right person or a lookalike in a few seconds. The result is the reference to the profile of the found person in the social network vk.com or ok.ru, TikTok and Clubhouse, and in the near future also in Instagram and others).
github.com/Tylous/ZipExec - ZipExec is a Proof-of-Concept (POC) tool to wrap binary-based tools into a password-protected zip file. This zip file is then base64 encoded into a string that is rebuilt on disk. This encoded string is then loaded into a JScript file that when executed, would rebuild the password-protected zip file on disk and execute it. This is done programmatically by using COM objects to access the GUI-based functions in Windows via the generated JScript loader, executing the loader inside the password-protected zip without having to unzip it first. By password protecting the zip file, it protects the binary from EDRs and disk-based or anti-malware scanning mechanisms.
github.com/herwonowr/exprolog - ProxyLogon Full Exploit Chain PoC (CVE-2021–26855, CVE-2021–26857, CVE-2021–26858, CVE-2021–27065)
github.com/ly4k/PrintNightmare - Python implementation for PrintNightmare (CVE-2021-1675 / CVE-2021-34527) using standard Impacket.