
Update

pull/13/head
rmusser01 5 years ago
parent
commit
4d7007826f
37 changed files with 1724 additions and 1537 deletions
1. +10 -1 Draft/ATT&CK-Stuff/Collection.md
2. +6 -2 Draft/ATT&CK-Stuff/Credential_Access.md
3. +3 -0 Draft/ATT&CK-Stuff/Discovery.md
4. +1 -1 Draft/ATT&CK-Stuff/Execution.md
5. +5 -0 Draft/AnonOpsecPrivacy.md
6. +3 -0 Draft/Attacking Defending Android -.md
7. +6 -0 Draft/Attacking Defending iOS -.md
8. +10 -11 Draft/Basic Security Information.md
9. +2 -1 Draft/Building A Pentest Lab.md
10. +6 -1 Draft/CTFs_Wargames.md
11. +2 -1 Draft/Car Hacking.md
12. +2 -1 Draft/Courses_Training.md
13. +9 -3 Draft/Cryptography & Encryption.md
14. +5 -1 Draft/Data AnalysisVisualization.md
15. +195 -153 Draft/Defense.md
16. +12 -1 Draft/Documentation & Reports -.md
17. +3 -1 Draft/Exfiltration.md
18. +146 -175 Draft/Exploit Development.md
19. +56 -50 Draft/Forensics Incident Response.md
20. +17 -5 Draft/Fuzzing Bug Hunting.md
21. +50 -0 Draft/Game Hacking.md
22. +8 -1 Draft/Interesting Things Useful stuff.md
23. +25 -19 Draft/Malware.md
24. +29 -8 Draft/Network Attacks & Defenses.md
25. +11 -6 Draft/Open Source Intelligence.md
26. +7 -5 Draft/Phishing.md
27. +1 -5 Draft/Phyiscal Security.md
28. +9 -0 Draft/Policy-Compliance.md
29. +126 -41 Draft/Privilege Escalation & Post-Exploitation.md
30. +28 -17 Draft/Programming - Languages Libs Courses References.md
31. +123 -85 Draft/Red-Teaming.md
32. +76 -57 Draft/Reverse Engineering.md
33. +6 -0 Draft/System Internals Windows and Linux Internals Reference.md
34. +6 -8 Draft/UX Design - Because we all know how sexy pgp is.md
35. +374 -166 Draft/Web & Browsers.md
36. +23 -24 Draft/Wireless Networks & RF.md
37. +323 -687 Draft/things-added.md

+10 -1 Draft/ATT&CK-Stuff/Collection.md

@ -29,10 +29,14 @@
#### Linux
* [LaZagne](https://github.com/AlessandroZ/LaZagne/blob/master/README.md)
* The LaZagne project is an open source application used to retrieve lots of passwords stored on a local computer. Each software stores its passwords using different techniques (plaintext, APIs, custom algorithms, databases, etc.). This tool has been developed for the purpose of finding these passwords for the most commonly-used software.
* [PCredz](https://github.com/lgandx/PCredz)
* This tool extracts Credit card numbers, NTLM(DCE-RPC, HTTP, SQL, LDAP, etc), Kerberos (AS-REQ Pre-Auth etype 23), HTTP Basic, SNMP, POP, SMTP, FTP, IMAP, etc from a pcap file or from a live interface.
#### Mac
* [Lazagne](https://github.com/AlessandroZ/LaZagne)
* The LaZagne project is an open source application used to retrieve lots of passwords stored on a local computer. Each software stores its passwords using different techniques (plaintext, APIs, custom algorithms, databases, etc.). This tool has been developed for the purpose of finding these passwords for the most commonly-used software.
* [PCredz](https://github.com/lgandx/PCredz)
* This tool extracts Credit card numbers, NTLM(DCE-RPC, HTTP, SQL, LDAP, etc), Kerberos (AS-REQ Pre-Auth etype 23), HTTP Basic, SNMP, POP, SMTP, FTP, IMAP, etc from a pcap file or from a live interface.
#### Windows
* [LaZagne](https://github.com/AlessandroZ/LaZagne/blob/master/README.md)
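Review bot: the Mac entry links LaZagne to the repository root and spells it "Lazagne", while the Linux and Windows entries link to the README and spell it "LaZagne"; use one link target and one spelling for all three sections.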
@ -45,6 +49,9 @@
* Extracts passwords from a KeePass 2.x database, directly from memory.
* [KeeThief](https://github.com/HarmJ0y/KeeThief)
* Methods for attacking KeePass 2.X databases, including extracting of encryption key material from memory.
* [PCredz](https://github.com/lgandx/PCredz)
* This tool extracts Credit card numbers, NTLM(DCE-RPC, HTTP, SQL, LDAP, etc), Kerberos (AS-REQ Pre-Auth etype 23), HTTP Basic, SNMP, POP, SMTP, FTP, IMAP, etc from a pcap file or from a live interface.
-------------------------------
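Review bot: this is the third verbatim copy of the PCredz entry in this file (Linux, Mac and Windows). PCredz reads a pcap file or a live interface, so it is not OS-specific; one entry in a shared subsection, or a one-line cross-reference from the other two sections, would avoid keeping three identical descriptions in sync.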
@ -195,6 +202,7 @@
* [xwd - Wikipedia](https://en.wikipedia.org/wiki/Xwd)
* [xwd - dump an image of an X window - manpage](https://www.x.org/releases/X11R7.5/doc/man/man1/xwd.1.html)
#### Mac
* MITRE
* On OSX, the native `command screencapture` is used to capture screenshots.
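Review bot: the new `#### Mac` heading is fine, but the MITRE line under it has the backticks in the wrong place: "the native `command screencapture`" should read "the native command `screencapture`" so the code span covers only the binary name.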
@ -204,7 +212,8 @@
* [Using Problem Steps Recorder (PSR) Remotely with Metasploit](https://cyberarms.wordpress.com/2016/02/13/using-problem-steps-recorder-psr-remotely-with-metasploit/)
* [Collection - Empire](http://www.powershellempire.com/?page_id=283)
* [Capturing Screenshots with PowerShell and .NET](https://www.pdq.com/blog/capturing-screenshots-with-powershell-and-net/)
* [jsmpeg-vnc](https://github.com/phoboslab/jsmpeg-vnc)
* A low latency, high framerate screen sharing server for Windows and client for browsers
-------------------------------


+6 -2 Draft/ATT&CK-Stuff/Credential_Access.md

@ -35,8 +35,10 @@ Memory corruption is for wussies
* This reference topic for the IT professional provides an overview and links to information about the User Rights Assignment security policy settings user rights that are available in the Windows operating system.
## Bash History
-------------------------------
## Bash History
* [Bash History - ATT&CK](https://attack.mitre.org/wiki/Technique/T1139)
* Bash keeps track of the commands users type on the command-line with the "history" utility. Once a user logs out, the history is flushed to the user’s .bash_history file. For each user, this file resides at the same location: ~/.bash_history. Typically, this file keeps track of the user’s last 500 commands. Users often type usernames and passwords on the command-line as parameters to programs, which then get saved to this file when they log out. Attackers can abuse this by looking through the file for potential credentials.
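Review bot: this hunk leaves two `## Bash History` headings, one immediately above the `-------------------------------` separator with nothing under it and one below it. Drop the first so the separator sits between the previous section and a single Bash History heading.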
@ -54,7 +56,7 @@ Memory corruption is for wussies
* Adversaries may attempt to brute force logins without knowledge of passwords or hashes during an operation either with zero knowledge or by attempting a list of known or possible passwords. This is a riskier option because it could cause numerous authentication failures and account lockouts, depending on the organization's login failure policies.Cylance Cleaver
* A related technique called password spraying uses one password, or a small list of passwords, that matches the complexity policy of the domain and may be a commonly used password. Logins are attempted with that password and many different accounts on a network to avoid account lockouts that would normally occur when brute forcing a single account with many passwords.BlackHillsInfosec Password Spraying
* [DomainPasswordSpray](https://github.com/dafthack/DomainPasswordSpray)
* DomainPasswordSpray is a tool written in PowerShell to perform a password spray attack against users of a domain. By default it will automatically generate the userlist from the domain. DomainPasswordSpray is a tool written in PowerShell to perform a password spray attack against users of a domain. By default it will automatically generate the userlist from the domain.
* DomainPasswordSpray is a tool written in PowerShell to perform a password spray attack against users of a domain. By default it will automatically generate the userlist from the domain. DomainPasswordSpray is a tool written in PowerShell to perform a password spray attack against users of a domain. By default it will automatically generate the userlist from the domain.
* [Simplifying Password Spraying - Spiderlabs](https://www.trustwave.com/Resources/SpiderLabs-Blog/Simplifying-Password-Spraying/)
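Review bot: the DomainPasswordSpray description is duplicated twice over: the two-sentence description is repeated within the line, and the whole line appears twice. Keep one copy: "* DomainPasswordSpray is a tool written in PowerShell to perform a password spray attack against users of a domain. By default it will automatically generate the userlist from the domain." The missing spaces in "login failure policies.Cylance Cleaver" and "many passwords.BlackHillsInfosec Password Spraying" in the context lines look like citation markup lost when copying from the ATT&CK page; either link those references or drop the fused citation names.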
@ -299,6 +301,8 @@ Memory corruption is for wussies
* Thoroughly sniff passwords and hashes from an interface or pcap file. Concatenates fragmented packets and does not rely on ports for service identification.
* [tcpflow](https://github.com/simsong/tcpflow)
* tcpflow is a program that captures data transmitted as part of TCP connections (flows), and stores the data in a way that is convenient for protocol analysis and debugging. Each TCP flow is stored in its own file. Thus, the typical TCP flow will be stored in two files, one for each direction. tcpflow can also process stored 'tcpdump' packet flows.
* [3snake](https://github.com/blendin/3snake)
* Targeting rooted servers, reads memory from sshd and sudo system calls that handle password based authentication. Doesn't write any memory to the traced processes. Spawns a new process for every sshd and sudo command that is run. Listens for the proc event using netlink sockets to get candidate processes to trace. When it receives an sshd or sudo process ptrace is attached and traces read and write system calls, extracting strings related to password based authentication.
#### OS X
* [OS X Yosemite Has A Secret Packet Sniffer](https://jacobsalmela.com/2014/11/23/os-x-yosemite-secret-packet-sniffer/)


+3 -0 Draft/ATT&CK-Stuff/Discovery.md

@ -491,6 +491,9 @@ get-WmiObject -list | where {$_.name -match “Printer”}
* On Mac, the systemsetup command gives a detailed breakdown of the system, but it requires administrative privileges. Additionally, the `system_profiler` gives a very detailed breakdown of configurations, firewall rules, mounted volumes, hardware, and many other things without needing elevated permissions.
* [Get OS X System Info from the Command Line](http://teczd.com/2015/09/23/osx-get-system-info-from-command-line/)
* [Using System Profiler in Terminal](http://macstuff.beachdogs.org/blog/?p=21)
* [Orchard](https://github.com/its-a-feature/Orchard)
* Live off the land for macOS. This program allows users to do Active Directory enumeration via macOS' JXA (JavaScript for Automation) code. This is the newest version of AppleScript, and thus has very poor documentation on the web.
#### Windows
* MITRE
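Review bot: the Orchard description carried over from its README says JXA "is the newest version of AppleScript"; JXA (JavaScript for Automation) is a separate Open Scripting Architecture language that sits beside AppleScript, not a new version of it. Reword to something like "via JXA (JavaScript for Automation), the JavaScript-based OSA language introduced in OS X 10.10" so the list does not propagate the inaccuracy.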


+1 -1 Draft/ATT&CK-Stuff/Execution.md

@ -17,7 +17,7 @@
* [osascript - SS64](https://ss64.com/osx/osascript.html)
* [AppleScript - Wikipedia](https://en.wikipedia.org/wiki/AppleScript)
* [Introduction to AppleScript Language Guide - developer.apple](https://developer.apple.com/library/content/documentation/AppleScript/Conceptual/AppleScriptLangGuide/introduction/ASLR_intro.html)
* [Javascript for Automation - Release Notes 10.10 - dev.apple](https://developer.apple.com/library/content/releasenotes/InterapplicationCommunication/RN-JavaScriptForAutomation/Articles/OSX10-10.html)


+5 -0 Draft/AnonOpsecPrivacy.md

@ -39,6 +39,10 @@
* [Invasion of Privacy - HackerFactor](http://www.hackerfactor.com/blog/index.php?/archives/703-Invasion-of-Privacy.html)
* [What Happens Next Will Amaze You](http://idlewords.com/talks/what_happens_next_will_amaze_you.htm#six_fixes)
* [Cookieless Monster: Exploring the Ecosystem of Web-based Device Fingerprinting](http://securitee.org/files/cookieless_sp2013.pdf)
* Abstract —The web has become an essential part of our society and is currently the main medium of information delivery. Billions of users browse the web on a daily basis, and there are single websites that have reached over one billion user accounts. In this environment, the ability to track users and their online habits can be very lucrative for advertising companies, yet very intrusive for the privacy of users. In this paper, we examine how web-based device fingerprint- ing currently works on the Internet. By analyzing the code of three popular browser-fingerprinting code providers, we reveal the techniques that allow websites to track users without the need of client-side identifiers. Among these techniques, we show how current commercial fingerprinting approaches use questionable practices, such as the circumvention of HTTP proxies to discover a user’s real IP address and the installation of intrusive browser plugins. At the same time, we show how fragile the browser ecosystem is against fingerprinting through the use of novel browser- identifying techniques. With so many different vendors involved in browser development, we demonstrate how one can use diversions in the browsers’ implementation to distinguish successfully not only the browser-family, but also specific major and minor versions. Browser extensions that help users spoof the user-agent of their browsers are also evaluated. We show that current commercial approaches can bypass the extensions, and, in addition, take advantage of their shortcomings by using them as additional fingerprinting features.
#### end Sort
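Review bot: the pasted abstract still carries PDF line-break hyphens ("fingerprint- ing", "browser- identifying") and a leading "Abstract —" label; join the hyphenated words and drop the label so the entry reads like the other descriptions in this list.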
@ -59,6 +63,7 @@
* [DEFCON 20: Can You Track Me Now? Government And Corporate Surveillance Of Mobile Geo-Location Data](https://www.youtube.com/watch?v=NjuhdKUH6U4)
* [Can you track me now? - Defcon20](https://wEww.youtube.com/watch?v=DxIF66Tcino)
* [Phones and Privacy for Consumers - Matt Hoy (mattrix) and David Khudaverdyan (deltaflyer)](http://www.irongeek.com/i.php?page=videos/grrcon2015/submerssion-therapy05-phones-and-privacy-for-consumers-matt-hoy-mattrix-and-david-khudaverdyan-deltaflyerhttps://ritter.vg/blog-deanonymizing_amm.html)
* [Hacking FinSpy - a Case Study - Atilla Marosi - Troopers15](https://www.youtube.com/watch?v=Mb4mfBi06K4)
* **Browser Related**
* [Panopticlick](https://panopticlick.eff.org/)
* Panopticlick will analyze how well your browser and add-ons protect you against online tracking techniques. We’ll also see if your system is uniquely configured—and thus identifiable—even if you are using privacy-protective software.
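Review bot: two context lines next to the added FinSpy link have broken URLs worth fixing in the same commit: the "Can you track me now? - Defcon20" link points at "wEww.youtube.com", and the "Phones and Privacy for Consumers" href has a second URL (https://ritter.vg/blog-deanonymizing_amm.html) concatenated onto the irongeek one, so neither resolves as written.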


+3 -0 Draft/Attacking Defending Android -.md

@ -37,6 +37,9 @@
* [ARM Inject](https://github.com/evilsocket/arminject)
* An application to dynamically inject a shared object into a running process on ARM architectures and hook API calls.
* [apk-anal](https://github.com/mhelwig/apk-anal)
* Android APK analyzer based on radare2 and others.
https://github.com/doridori/Android-Security-Reference
* [Android-Vulnerabilities-Overview](https://github.com/CHEF-KOCH/Android-Vulnerabilities-Overview)
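Review bot: the context line with the bare URL https://github.com/doridori/Android-Security-Reference is not in the list's `* [name](url)` form and renders as loose text between two bullets; since this hunk touches the lines on either side of it, format it as a bullet while here.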


+6 -0 Draft/Attacking Defending iOS -.md

@ -27,6 +27,12 @@
[Mobile Application Penetration Testing Cheat Sheet](https://github.com/tanprathan/MobileApp-Pentest-Cheatsheet)
* [iOS 11.1.2 (15B202) Jailbreak - Coalfire labs](https://github.com/Coalfire-Research/iOS-11.1.2-15B202-Jailbreak)
* [Myriam](https://github.com/GeoSn0w/Myriam)
* A vulnerable iOS App with Security Challenges for the Security Researcher inside you.
* [objection](https://github.com/sensepost/objection)
* objection is a runtime mobile exploration toolkit, powered by Frida. It was built with the aim of helping assess mobile applications and their security posture without the need for a jailbroken or rooted mobile device.
* Redo formatting
#### End Cull
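Review bot: the `* Redo formatting` line is a to-do note left inside the link list and renders as an entry; move it to the file's to-do section or remove it. The "Mobile Application Penetration Testing Cheat Sheet" context line at the top of the hunk also lacks the leading `* `, so it renders outside the list.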


+10 -11 Draft/Basic Security Information.md

@ -14,9 +14,8 @@
* **101**
* [Learning the Ropes 101: Introduction - zsec.uk](https://blog.zsec.uk/101-intro/)
* [InfoSec Newbie List by Mubix](https://gist.github.com/mubix/5737a066c8845d25721ec4bf3139fd31)
* [infosec_getting_started](https://github.com/gradiuscypher/infosec_getting_started)
* A collection of resources/documentation/links/etc to help people learn about Infosec and break into the field.
* **Careers in Information Security**
* **General**
* [NICE Cybersecurity Workforce Framework](https://www.nist.gov/itl/applied-cybersecurity/national-initiative-cybersecurity-education-nice/nice-cybersecurity)
@ -24,14 +23,14 @@
* [Infosec Tools of the Trade: Getting Your Hands Dirty](http://www.irongeek.com/i.php?page=videos/bsidesnashville2017/bsides-nashville-2017-green00-infosec-tools-of-the-trade-getting-your-hands-dirty-jason-smith-and-tara-wink)
* In this presentation we'll will be going over introductions to the various focuses in information security and demoing the most common tools that are used in operational security, both offense and defense. You'll leave with an idea on how to freely obtain and use these tools so that you can have what you need for that first interview: experience and a passion for security. This is a green talk for people who don't have a clue on what offensive and defensive people do operationally, from a tool perspective.
* [So You Want To Be A H6x0r Getting Started in Cybersecurity Doug White and Russ Beauchemin ](https://www.youtube.com/watch?v=rRJKghTTics)
* **Becoming a Penetration Tester**
* [So you think you want to be a penetration tester - Defcon24](https://www.youtube.com/watch?v=be7bvZkgFmY)
* So, you think you want to be a penetration tester, or you already are and don't understand what the difference between you and all the other "so called" penetration testers out there. Think you know the difference between a Red Team, Penetration Test and a Vulnerability assessment? Know how to write a report your clients will actually read and understand? Can you leverage the strengths of your team mates to get through tough roadblocks, migrate, pivot, pwn and pillage? No? well this talk is probably for you then! We will go through the fascinating, intense and often crazily boring on-site assessment process. Talk about planning and performing Red Teams, how they are different, and why they can be super effective and have some fun along the way. I'll tell you stories that will melt your face, brain and everything in between. Give you the answers to all of your questions you never knew you had, and probably make you question your life choices. By the end of this session you will be ready to take your next steps into the job you've always wanted, or know deep inside that you should probably look for something else. There will be no judgment or shame, only information, laughter and fun.
* [Hold my Red Bull Undergraduate Red Teaming Jonathan Gaines](https://www.youtube.com/watch?v=9vgpqRzuvLk)
* [How to become a pentester - Corelan](https://www.corelan.be/index.php/2015/10/13/how-to-become-a-pentester/)
* [Attacking Big Business](https://www.cyberis.co.uk/blog/attacking-big-business)
* **Becoming a Penetration Tester**
* [So you think you want to be a penetration tester - Defcon24](https://www.youtube.com/watch?v=be7bvZkgFmY)
* So, you think you want to be a penetration tester, or you already are and don't understand what the difference between you and all the other "so called" penetration testers out there. Think you know the difference between a Red Team, Penetration Test and a Vulnerability assessment? Know how to write a report your clients will actually read and understand? Can you leverage the strengths of your team mates to get through tough roadblocks, migrate, pivot, pwn and pillage? No? well this talk is probably for you then! We will go through the fascinating, intense and often crazily boring on-site assessment process. Talk about planning and performing Red Teams, how they are different, and why they can be super effective and have some fun along the way. I'll tell you stories that will melt your face, brain and everything in between. Give you the answers to all of your questions you never knew you had, and probably make you question your life choices. By the end of this session you will be ready to take your next steps into the job you've always wanted, or know deep inside that you should probably look for something else. There will be no judgment or shame, only information, laughter and fun.
* [Hold my Red Bull Undergraduate Red Teaming Jonathan Gaines](https://www.youtube.com/watch?v=9vgpqRzuvLk)
* [How to become a pentester - Corelan](https://www.corelan.be/index.php/2015/10/13/how-to-become-a-pentester/)
* [Attacking Big Business](https://www.cyberis.co.uk/blog/attacking-big-business)
* **General**
* [Mozilla Enterprise Information Security](https://infosec.mozilla.org/)
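Review bot: the `**Becoming a Penetration Tester**` block (heading, five links and the Defcon24 description) appears twice in this hunk with identical visible content. If this is a move or an indentation-only change, confirm that only one copy survives in the file; if both are present after the commit, delete one.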


+2 -1 Draft/Building A Pentest Lab.md

@ -83,4 +83,5 @@
* [Setting Up A Penetration Testing Lab - Rapid7](https://kb.help.rapid7.com/docs/setting-up-a-penetration-testing-lab)
* [Building a Pentest Lab - stan.gr](http://www.stan.gr/2013/03/building-pentest-lab.html)
* [SANS Webcast: Building Your Own Super Duper Home Lab](https://www.youtube.com/watch?v=uzqwoufhwyk&app=desktop)
* [Pentesting In The Cloud - primalsecurity](http://www.primalsecurity.net/pentesting-in-the-cloud/)
* Instantiating a Kali linux on Amazons EC2
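Review bot: the description of the "Pentesting In The Cloud" link needs a grammar pass: "Instantiating Kali Linux on Amazon's EC2" (capitalise Linux, add the possessive on Amazon).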

+6 -1 Draft/CTFs_Wargames.md

@ -109,9 +109,14 @@ General
* OverTheWire provides several wargames publicly/freely available. All very good quality. Highly recommended.
* [Smash the Stack Wargames](http://smashthestack.org/)
* Smash the stack hosts several public wargames of very good quality for free use. Highly recommended.
* [WTHack OnlineCTF](https://onlinectf.com)
* [IO](http://io.netgarage.org/)
* [Pwnable.kr](http://pwnable.kr/)
* [pwnable.tw](http://pwnable.tw/)
* [Gracker](http://gracker.org)
* [ROP Wargames](https://game.rop.sh/)
* **Writeups**
* [CTF Writeups](https://github.com/ctfs/write-ups)
* [CTF write-ups 2015](https://github.com/ctfs/write-ups-2015)
* [CTF write-ups 2017](https://github.com/ctfs/write-ups-2017)
* [Pwning (sometimes) with style Dragons’ notes on CTFs](http://j00ru.vexillium.org/blog/24_03_15/dragons_ctf.pdf)

+2 -1 Draft/Car Hacking.md

@ -33,7 +33,8 @@ Seriously check this first ---> [Awesome Vehicle Security List(github awesome li
* [Cyber-attacks on vehicles P-I!](http://dn5.ljuska.org/napadi-na-auto-sistem-1.html)
* [Cyber-attacks on vehicles P-II!](http://dn5.ljuska.org/cyber-attacks-on-vehicles-2.html)
* [An Introduction to the CAN Bus: How to Programmatically Control a Car: Hacking the Voyage Ford Fusion to Change A/C Temperature](https://news.voyage.auto/an-introduction-to-the-can-bus-how-to-programmatically-control-a-car-f1b18be4f377)
* [CC1101-FSK](https://github.com/trishmapow/CC1101-FSK)
* Jam and replay attack on vehicle keyless entry systems.


+2 -1 Draft/Courses_Training.md

@ -182,7 +182,8 @@ These classes are all focused on computer/information security. If you're lookin
* [Video Walk through by Sunny Wear](https://www.youtube.com/watch?v=zi3yDovd0RY&list=PL-giMT7sGCVI9T4rKhuiTG4EDmUz-arBo)
* [hacker101](https://github.com/Hacker0x01/hacker101)
* Hacker101 is structured as a set of video lessons -- some covering multiple topics, some covering a single one -- and can be consumed in two different ways. You can either watch them in the order produced as in a normal class ([§](https://github.com/Hacker0x01/hacker101#sessions) Sessions), or you can watch individual videos ([§](https://github.com/Hacker0x01/hacker101#vulnerabilities) Vulnerabilities). If you're new to security, we recommend the former; this provides a guided path through the content and covers more than just individual bugs.
* [Security_Ninjas_AppSec_Training](https://github.com/opendns/Security_Ninjas_AppSec_Training)
* OpenDNS application security training program. This hands-on training lab consists of 10 fun real world like hacking exercises, corresponding to each of the OWASP Top 10 vulnerabilities. Hints and solutions are provided along the way. Although the backend for this is written in PHP, vulnerabilities would remain the same across all web based languages, so the training would still be relevant even if you don’t actively code in PHP.
### Wireless


+9 -3 Draft/Cryptography & Encryption.md

@ -67,6 +67,10 @@ https://a16z.com/2018/02/10/crypto-readings-resources/
* crypto101
https://conversations.im/xeps/multi-end.html
* [TLS 1.3 Implementations](https://github.com/tlswg/tls13-spec/wiki/Implementations)
* [Encryption 101, RSA 001 (The maths behind it) - IoTh1nkN0t](https://0x00sec.org/t/encryption-101-rsa-001-the-maths-behind-it/1921)
### End Sort
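Review bot: the context lines `https://a16z.com/2018/02/10/crypto-readings-resources/`, `* crypto101` and `https://conversations.im/xeps/multi-end.html` are bare URLs or a bare title, unlike the formatted TLS 1.3 and RSA entries added here; they sit under the "End Sort" marker so they are presumably pending, but the crypto101 line has lost its URL entirely and should get it back before the sort.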
@ -102,6 +106,7 @@ https://conversations.im/xeps/multi-end.html
* Go through a series of increasingly difficult challenges while learning all about cryptography. Expected knowledge level: You passed 9th grade math and you have 0 knowledge of crypto.
* [A Graduate Course in Applied Cryptography - Dan Boneh and Victor Shoup](http://toc.cryptobook.us/)
* Version 0.3 - posted Dec. 9, 2016
* [Discovering Smart Contract Vulnerabilities with GOATCasino - NCCGroup](https://www.nccgroup.trust/us/our-research/discovering-smart-contract-vulnerabilities-with-goatcasino/?style=Cyber+Security)
* **Crypto Frameworks/Libraries/Protocols**
* [OMEMO Multi-End Message and Object Encryption](https://conversations.im/omemo/)
* OMEMO is an XMPP Extension Protocol (XEP) for secure multi-client end-to-end encryption. It is an open standard based on a Double Ratchet and PEP which can be freely used and implemented by anyone. The protocol has been audited by a third party.
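Review bot: the GOATCasino link is about Ethereum smart-contract vulnerabilities, a different topic from the applied-cryptography course it is placed beside; a blockchain / smart-contract subsection (or the Web file) would be a better home than the cryptography reading list.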
@ -168,17 +173,18 @@ https://conversations.im/xeps/multi-end.html
----------------------
### Specific Attacks
* **BEAST**
* **CRIME**
* **CBC Bit-Flipping Attack**
* [CBC Byte Flipping Attack—101 Approach](http://resources.infosecinstitute.com/cbc-byte-flipping-attack-101-approach/)
* **FREAK**
* [Attack of the week: FREAK (or 'factoring the NSA for fun and profit')](http://blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html)
* **Padding Oracle**
* [Automated Padding Oracle Attacks with PadBuster](https://blog.gdssecurity.com/labs/2010/9/14/automated-padding-oracle-attacks-with-padbuster.html)
* [PadBuster v0.3 and the .NET Padding Oracle Attack](https://blog.gdssecurity.com/labs/2010/10/4/padbuster-v03-and-the-net-padding-oracle-attack.html)
* **ROBOT Attack**
* [ROBOT Attack](https://robotattack.org/)
* ROBOT is the return of a 19-year-old vulnerability that allows performing RSA decryption and signing operations with the private key of a TLS server. In 1998, Daniel Bleichenbacher discovered that the error messages given by SSL servers for errors in the PKCS #1 v1.5 padding allowed an adaptive-chosen ciphertext attack; this attack fully breaks the confidentiality of TLS when used with RSA encryption. We discovered that by using some slight variations this vulnerability can still be used against many HTTPS hosts in today's Internet.
* [robot-detect](https://github.com/robotattackorg/robot-detect)
* Proof of concept attack and detection for ROBOT (Return Of Bleichenbacher's Oracle Threat).
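Review bot: the `**BEAST**` and `**CRIME**` headings have no entries under them, so they render as empty bold lines in the attack list; add a reference for each or drop the headings until there is one. For the new ROBOT entry, the robot-detect description says "Proof of concept attack and detection"; it would help readers to state which use this list intends, i.e. checking one's own TLS hosts for the oracle the ROBOT description mentions.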


+5 -1 Draft/Data AnalysisVisualization.md

@ -14,7 +14,7 @@
### To Do
* Split into Data visualization/Working with data
* Edward Tufte Books
#### Sort
@ -24,6 +24,10 @@
[Just-Metadata](https://github.com/ChrisTruncer/Just-Metadata)
* Just-Metadata is a tool that can be used to gather intelligence information passively about a large number of IP addresses, and attempt to extrapolate relationships that might not otherwise be seen. Just-Metadata has "gather" modules which are used to gather metadata about IPs loaded into the framework across multiple resources on the internet. Just-Metadata also has "analysis" modules. These are used to analyze the data loaded Just-Metadata and perform various operations that can identify potential relationships between the loaded systems.
* [NewsDiffs](https://github.com/ecprice/newsdiffs)
* Automatic scraper that tracks changes in news articles over time.
* [Active Directory Control Paths](https://github.com/ANSSI-FR/AD-control-paths)
* Control paths in Active Directory are an aggregation of "control relations" between entities of the domain (users, computers, groups, GPO, containers, etc.) which can be visualized as graphs (such as above) and whose purpose is to answer questions like "Who can get 'Domain Admins' privileges ?" or "What resources can a user control ?" and even "Who can read the CEO's emails ?".
Apache Nifi - supports powerful and scalable directed graphs of data routing, transformation, and system mediation logic.
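Review bot: three lines in this hunk are not in the list form the rest of the file uses: the Just-Metadata link has no leading `* `, the Apache Nifi line is plain text with no link, and the AD-control-paths description says "(such as above)", referring to a graph image in the project README that is not reproduced here. Add the bullet and a link, and drop the "(such as above)" clause.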


+195 -153 Draft/Defense.md

@ -1,4 +1,4 @@
z# Defense
# Defense
## In Progress
@ -16,7 +16,9 @@ z# Defense
* [Malicious USB](#malusb)
* [Network](#network)
* [OS X](#osx)
* [Phishing](#phishing)
* [Ransomware](#ransom)
* [User Awareness Training](#uat)
* [Web](#web)
* [WAF(#waf)
* [Windows](#windows)
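Review bot: the context line `* [WAF(#waf)` is a broken Markdown link (missing `]`), so the table of contents renders it as literal text; fix it to `* [WAF](#waf)` while adding the Phishing and Ransomware entries around it.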
@ -24,50 +26,15 @@ z# Defense
### Sort
https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction
https://blogs.technet.microsoft.com/srd/2015/02/10/ms15-011-ms15-014-hardening-group-policy/
* [Windows ISV Software Security Defenses - msdn](https://msdn.microsoft.com/en-us/library/bb430720.aspx)
* [Common misconfigurations that lead to a breach - Justin Tharpe](https://www.youtube.com/watch?v=fI3mycr5cPg)
* [Mitigate threats by using Windows 10 security features](https://docs.microsoft.com/en-us/windows/threat-protection/overview-of-threat-mitigations-in-windows-10)
* [SANS Institute Security Consensus Operational Readiness Evaluation](https://www.sans.org/media/score/checklists/LinuxCheatsheet_2.pdf)
https://www.auditscripts.com/free-resources/critical-security-controls/
* [Windows ISV Software Security Defenses - msdn](https://msdn.microsoft.com/en-us/library/bb430720.aspx)
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/ee791851(v=ws.11)
* [Security Guide for Developers](https://github.com/FallibleInc/security-guide-for-developers)
* [Windows Server guidance to protect against speculative execution side-channel vulnerabilities](https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution?t=1&cn=ZmxleGlibGVfcmVjc18y&refsrc=email&iid=149b9032665345ba890ba51d3bf0d519&fl=4&uid=150127534&nid=244%20281088008)
* [SAMRi10 - Hardening SAM Remote Access in Windows 10/Server 2016](https://gallery.technet.microsoft.com/SAMRi10-Hardening-Remote-48d94b5b#content)
* "SAMRi10" tool is a short PowerShell (PS) script which alters remote SAM access default permissions on Windows 10 & Windows Server 2016. This hardening process prevents attackers from easily getting some valuable recon information to move laterally within their victim's network.
* [simplewall](https://github.com/henrypp/simplewall)
* Simple tool to configure Windows Filtering Platform (WFP) which can configure network activity on your computer. The lightweight application is less than a megabyte, and it is compatible with Windows Vista and higher operating systems. You can download either the installer or portable version. For correct working, need administrator rights.
* [Certificate Transparency](https://www.certificate-transparency.org/)
* [What is Certificate Transparency?](https://www.certificate-transparency.org/what-is-ct)
* [PhishingKitHunter](https://github.com/t4d/PhishingKitHunter)
* PhishingKitHunter (or PKHunter) is a tool made for identifying phishing kits URLs used in phishing campains targeting your customers and using some of your own website files (as CSS, JS, ...). This tool - write in Python 3 - is based on the analysis of referer's URL which GET particular files on the legitimate website (as some style content) or redirect user after the phishing session. Log files (should) contains the referer URL where the user come from and where the phishing kit is deployed. PhishingKitHunter parse your logs file to identify particular and non-legitimate referers trying to get legitimate pages based on regular expressions you put into PhishingKitHunter's config file.
* [Catching phishing before they catch you](https://blog.0day.rocks/catching-phishing-using-certstream-97177f0d499a)
* [CIRClean](http://circl.lu/projects/CIRCLean/#technical-details)
* CIRCLean is an independent hardware solution to clean documents from untrusted (obtained) USB keys / USB sticks. The device automatically converts untrusted documents into a readable but disarmed format and stores these clean files on a trusted (user owned) USB key/stick.
* [Github](https://github.com/CIRCL/Circlean)
* [Enable Attack surface reduction - docs.ms](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction)
* Attack surface reduction is a feature that is part of Windows Defender Exploit Guard. It helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines.
* [Windows Defender Exploit Guard: Reduce the attack surface against next-generation malware](https://cloudblogs.microsoft.com/microsoftsecure/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/?source=mmpc)
* [PoSH-R2](https://github.com/WiredPulse/PoSh-R2)
* PoSH-R2 is a set of Windows Management Instrumentation interface (WMI) scripts that investigators and forensic analysts can use to retrieve information from a compromised (or potentially compromised) Windows system. The scripts use WMI to pull this information from the operating system. Therefore, this script will need to be executed with a user that has the necessary privileges.
* [The Evolution of Protected Processes – Part 1: Pass-the-Hash Mitigations in Windows 8.1](https://www.crowdstrike.com/blog/evolution-protected-processes-part-1-pass-hash-mitigations-windows-81/)
* [The Evolution of Protected Processes Part 2: Exploit/Jailbreak Mitigations, Unkillable Processes and Protected Services](https://www.crowdstrike.com/blog/evolution-protected-processes-part-2-exploitjailbreak-mitigations-unkillable-processes-and/)
* [Protected Processes Part 3: Windows PKI Internals (Signing Levels, Scenarios, Signers, Root Keys, EKUs & Runtime Signers)](https://www.crowdstrike.com/blog/protected-processes-part-3-windows-pki-internals-signing-levels-scenarios-signers-root-keys/)
* Add User Awareness Training
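Review bot: the Certificate Transparency, PhishingKitHunter, CIRClean and "Enable Attack surface reduction" entries in this hunk are repeated verbatim under their own headings later in the same diff (Certificates (X.509), Phishing, Office Documents/Macros/DDE and Hardening); keep each resource in one place so the copies do not drift apart, and reserve this general list for items that have no dedicated section. The bare bullet `* Add User Awareness Training` reads as a TODO note rather than a resource, and there is already an empty `### <a name="uat"></a>User Awareness Training` heading further down; either populate that section or drop the placeholder bullet. Minor: the PhishingKitHunter description carries several grammar slips from the pasted README ("campains", "write in Python 3", "Log files (should) contains", "parse your logs file").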
@ -126,10 +93,21 @@ https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server
### <a name="baseline"></a>(General) Baselining
--------------------
### Certificates (X.509)
* [Certificate Transparency](https://www.certificate-transparency.org/)
* [What is Certificate Transparency?](https://www.certificate-transparency.org/what-is-ct)
-----------------
### <a name="firewall"></a>Firewalls
* [Assimilator](https://github.com/videlanicolas/assimilator)
* The first restful API to control all firewall brands. Configure any firewall with restful API calls, no more manual rule configuration. Centralize all your firewalls into one API.
* [simplewall](https://github.com/henrypp/simplewall)
* Simple tool to configure Windows Filtering Platform (WFP) which can configure network activity on your computer. The lightweight application is less than a megabyte, and it is compatible with Windows Vista and higher operating systems. You can download either the installer or portable version. For correct working, need administrator rights.
-----------------
### <a name="hardening"></a>(General) Hardening
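Review bot: `### <a name="baseline"></a>(General) Baselining` is followed directly by a separator with no entries, so the `#baseline` anchor leads to an empty section; either add the baselining resources or hold the heading until there are some. The new `### Certificates (X.509)` heading is the only one in this hunk without an `<a name=...>` anchor, which breaks the pattern the sibling headings follow and any table of contents that links to them; adding one (for example `<a name="certs"></a>`, name to be chosen) keeps it consistent. The simplewall description under Firewalls is also the same paragraph already present in the general list above; one copy is enough.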
@ -192,6 +170,8 @@ https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server
-----------------
### <a name="network"></a>Network
* [Defending the Enterprise Against Network Infrastructure Attacks - Paul Coggin - Troopers15](https://www.youtube.com/watch?v=K0X3RDf5XK8)
@ -213,6 +193,18 @@ https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server
------------------
### <a name="phishing"></a> Phishing
* [Mercure](https://github.com/synhack/mercure)
* Mercure is a tool for security managers who want to teach their colleagues about phishing.
* [PPRT](https://github.com/MSAdministrator/PPRT)
* This module is used to report phishing URLs to their WHOIS/RDAP abuse contact information.
* [PhishingKitHunter](https://github.com/t4d/PhishingKitHunter)
* PhishingKitHunter (or PKHunter) is a tool made for identifying phishing kits URLs used in phishing campains targeting your customers and using some of your own website files (as CSS, JS, ...). This tool - write in Python 3 - is based on the analysis of referer's URL which GET particular files on the legitimate website (as some style content) or redirect user after the phishing session. Log files (should) contains the referer URL where the user come from and where the phishing kit is deployed. PhishingKitHunter parse your logs file to identify particular and non-legitimate referers trying to get legitimate pages based on regular expressions you put into PhishingKitHunter's config file.
* [Catching phishing before they catch you](https://blog.0day.rocks/catching-phishing-using-certstream-97177f0d499a)
* [Tracking Newly Registered Domains - SANS](https://isc.sans.edu/forums/diary/Tracking+Newly+Registered+Domains/23127/)
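Review bot: `### <a name="phishing"></a> Phishing` has a stray space between the anchor and the title, unlike the other section headings; drop it so the rendered heading text is consistent. The PhishingKitHunter entry duplicates the one added to the general list in an earlier hunk, and its description should read "campaigns", "written in Python 3" and "Log files should contain" rather than "campains", "This tool - write in Python 3" and "Log files (should) contains"; since this is README text pasted in full, a one-line summary would also match the rest of the file better. The entries mix purposes (Mercure is an awareness-training tool, PPRT an abuse-reporting tool, the Certstream post and the SANS newly-registered-domains diary are detection resources); a short sub-grouping would help readers.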
@ -221,9 +213,27 @@ https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server
* [Decryptonite](https://github.com/DecryptoniteTeam/Decryptonite)
* Decryptonite is a tool that uses heuristics and behavioural analysis to monitor for and stop ransomware.
-------------------
### <a name="uat"></a>User Awareness Training
---------------------
### Web
* [Practical Approach to Detecting and Preventing Web Application Attacks over HTTP2](https://www.sans.org/reading-room/whitepapers/protocols/practical-approach-detecting-preventing-web-application-attacks-http-2-36877)
* [AWS Lambda - IAM Access Key Disabler](https://github.com/te-papa/aws-key-disabler)
* The AWS Key disabler is a Lambda Function that disables AWS IAM User Access Keys after a set amount of time in order to reduce the risk associated with old access keys.
* [OWASP Secure Headers Project](https://www.owasp.org/index.php/OWASP_Secure_Headers_Project)
-----------------
### <a name="waf"></a>WAF
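Review bot: `### <a name="uat"></a>User Awareness Training` has no entries between its heading and the next separator, so the `#uat` anchor points at an empty section (the same gap the `Add User Awareness Training` placeholder in the first hunk refers to); either add resources here or hold the heading until there are some. Under `### Web`, the `AWS Lambda - IAM Access Key Disabler` entry concerns expiring IAM access keys rather than web-application defence and would fit better in a cloud or credential-management section; `### Web` also lacks the `<a name=...>` anchor that the neighbouring `phishing`, `uat` and `waf` headings carry.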
@ -300,17 +310,146 @@ https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server
* [Protecting Privileged Domain Accounts: Network Authentication In-Depth](https://digital-forensics.sans.org/blog/2012/09/18/protecting-privileged-domain-accounts-network-authentication-in-depth)
* [Active Directory: Real Defense for Domain Admins](https://www.irongeek.com/i.php?page=videos/derbycon4/t213-active-directory-real-defense-for-domain-admins-jason-lang)
* Did your AD recently get owned on a pentest? It’s always fun to see an unknown entry show up in your Domain Admins group (#fail). Come learn how to truly protect your organization’s IT crown jewels from some of the most popular AD attacks. If you’re stuck trying to figure out what to do with null sessions, pass the hash techniques, or protecting your Domain Admins, then you will want to be here.
* **AppLocker**
* [Script Rules in AppLocker - technet](https://technet.microsoft.com/en-us/library/ee460958.aspx)
* [DLL Rules in AppLocker](https://technet.microsoft.com/en-us/library/ee460947.aspx)
* [Application Whitelisting Using Microsoft AppLocker](https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm)
* [Harden Windows with AppLocker – based on Case study Part 1 - oddvar.moe](https://oddvar.moe/2017/12/13/harden-windows-with-applocker-based-on-case-study-part-1/)
* [Harden Windows with AppLocker – based on Case study part 2 - oddvar.moe](https://oddvar.moe/2017/12/21/harden-windows-with-applocker-based-on-case-study-part-2/)
* **Auditing Account Passwords/Privileges**
* [Account lockout threshold - technet](https://technet.microsoft.com/en-us/library/hh994574.aspx)
* [Password Policy - technet](https://technet.microsoft.com/en-us/library/hh994572.aspx)
* [AccessChk](https://docs.microsoft.com/en-us/sysinternals/downloads/accesschk)
* As a part of ensuring that they've created a secure environment Windows administrators often need to know what kind of accesses specific users or groups have to resources including files, directories, Registry keys, global objects and Windows services. AccessChk quickly answers these questions with an intuitive interface and output.
* **AppLocker**
* [Script Rules in AppLocker - technet](https://technet.microsoft.com/en-us/library/ee460958.aspx)
* [DLL Rules in AppLocker](https://technet.microsoft.com/en-us/library/ee460947.aspx)
* [Application Whitelisting Using Microsoft AppLocker](https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm)
* [Harden Windows with AppLocker – based on Case study Part 1 - oddvar.moe](https://oddvar.moe/2017/12/13/harden-windows-with-applocker-based-on-case-study-part-1/)
* [Harden Windows with AppLocker – based on Case study part 2 - oddvar.moe](https://oddvar.moe/2017/12/21/harden-windows-with-applocker-based-on-case-study-part-2/)
* **Auditing Account Passwords/Privileges**
* [Account lockout threshold - technet](https://technet.microsoft.com/en-us/library/hh994574.aspx)
* [Password Policy - technet](https://technet.microsoft.com/en-us/library/hh994572.aspx)
* [AccessChk](https://docs.microsoft.com/en-us/sysinternals/downloads/accesschk)
* As a part of ensuring that they've created a secure environment Windows administrators often need to know what kind of accesses specific users or groups have to resources including files, directories, Registry keys, global objects and Windows services. AccessChk quickly answers these questions with an intuitive interface and output.
* **Guarded Fabric/Shielded VMs**
* [Guarded fabric and shielded VMs](https://docs.microsoft.com/en-us/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabric-and-shielded-vms-top-node)
* [Shielded VMs – additional considerations when running a guarded fabric - blogs.technet](https://blogs.technet.microsoft.com/datacentersecurity/2017/04/21/shielded-vms-additional-considerations-when-running-a-guarded-fabric/)
* [Shielded VMs: A conceptual review of the components and steps necessary to deploy a guarded fabric](https://blogs.technet.microsoft.com/datacentersecurity/2017/03/14/shielded-vms-a-conceptual-review-of-the-components-and-steps-necessary-to-deploy-a-guarded-fabric/)
* [Step-by-step: Quick reference guide to deploying guarded hosts](https://blogs.technet.microsoft.com/datacentersecurity/2016/06/08/step-by-step-quick-reference-guide-to-deploying-guarded-hosts/)
* [Step by Step – Configuring Guarded Hosts with Virtual Machine Manager 2016 - blogs.technet](https://blogs.technet.microsoft.com/datacentersecurity/2016/03/21/configuring-guarded-hosts-with-virtual-machine-manager-2016/)
* [Guarded Fabric Deployment Guide for Windows Server 2016](https://gallery.technet.microsoft.com/Shielded-VMs-and-Guarded-98d2b045)
* [Step by Step – Configuring Key Protection for the Host Guardian Service in Windows Server 2016](https://blogs.technet.microsoft.com/datacentersecurity/2016/03/28/configuring-key-protection-service-for-host-guardian-service-in-windows-server-2016/)
* [Why use shielded VMs for your privileged access workstation (PAW) solution?](https://blogs.technet.microsoft.com/datacentersecurity/2017/11/29/why-use-shielded-vms-for-your-privileged-access-workstation-paw-solution/)
* [Frequently Asked Questions About HGS Certificates](https://blogs.technet.microsoft.com/datacentersecurity/2017/10/09/frequently-asked-questions-about-hgs-certificates/)
* [Join Host Guardian Servers to an existing bastion forest](https://blogs.technet.microsoft.com/datacentersecurity/2017/03/07/join-host-guardian-servers-to-an-existing-bastion-forest/)
* [Step by Step: Shielding existing VMs without VMM - blogs.technet](https://blogs.technet.microsoft.com/datacentersecurity/2016/09/01/step-by-step-shielding-existing-vms-without-vmm/)
* [Step-by-step: Quick reference guide to deploying guarded hosts](https://blogs.technet.microsoft.com/datacentersecurity/2016/06/08/step-by-step-quick-reference-guide-to-deploying-guarded-hosts/)
* [Step by Step – Shielded VM Recovery - blogs.technet](https://blogs.technet.microsoft.com/datacentersecurity/2016/06/07/step-by-step-shielded-vm-recovery/)
* **Group Policy**
* [The 10 Windows group policy settings you need to get right](http://www.infoworld.com/article/2609578/security/the-10-windows-group-policy-settings-you-need-to-get-right.html?page=2)
* [Group Policy for WSUS - grouppolicy.biz](http://www.grouppolicy.biz/2011/06/best-practices-group-policy-for-wsus/)
* [GPO Best Policies - grouppolicy.biz](http://www.grouppolicy.biz/best-practices/)
* [Securing Windows with Group Policy Josh - Rickard - Derbycon7](https://www.youtube.com/watch?v=Upeaa2rgozk&index=66&list=PLNhlcxQZJSm-PKUZTYe1C94ymf0omysM3)
* [Guidance on Deployment of MS15-011 and MS15-014 - blogs.technet](https://blogs.technet.microsoft.com/askpfeplat/2015/02/22/guidance-on-deployment-of-ms15-011-and-ms15-014/)
* [MS15-011 & MS15-014: Hardening Group Policy - blogs.technet](https://blogs.technet.microsoft.com/srd/2015/02/10/ms15-011-ms15-014-hardening-group-policy/)
* **Hardening**
* [Awesome Windows Domain Hardening](https://github.com/PaulSec/awesome-windows-domain-hardening)
* A curated list of awesome Security Hardening techniques for Windows.
* [Threats and Countermeasures Guide: Security Settings in Windows Server 2008 R2 and Windows 7 - technet](https://technet.microsoft.com/en-us/library/hh125921.aspx)
* [Harden windows IP Stack](https://www.reddit.com/r/netsec/comments/2sg80a/how_to_harden_windowsiis_ssltls_configuration/)
* [Secure Host Baseline](https://github.com/iadgov/Secure-Host-Baseline)
* Configuration guidance for implementing the Windows 10 and Windows Server 2016 DoD Secure Host Baseline settings. iadgov
* [Second section good resource for hardening windows](http://labs.bitdefender.com/2014/11/do-your-bit-to-limit-cryptowall/)
* [Secure-Host-Baseline](https://github.com/iadgov/Secure-Host-Baseline)
* Configuration guidance for implementing the Windows 10 and Windows Server 2016 DoD Secure Host Baseline settings. iadgov
* [SAMRi10 - Hardening SAM Remote Access in Windows 10/Server 2016](https://gallery.technet.microsoft.com/SAMRi10-Hardening-Remote-48d94b5b#content)
* "SAMRi10" tool is a short PowerShell (PS) script which alters remote SAM access default permissions on Windows 10 & Windows Server 2016. This hardening process prevents attackers from easily getting some valuable recon information to move laterally within their victim's network.
* [Enable Attack surface reduction - docs.ms](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction)
* Attack surface reduction is a feature that is part of Windows Defender Exploit Guard. It helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines.
* [Windows Defender Exploit Guard: Reduce the attack surface against next-generation malware](https://cloudblogs.microsoft.com/microsoftsecure/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/?source=mmpc)
* [LogonTracer](https://github.com/JPCERTCC/LogonTracer)
* Investigate malicious Windows logon by visualizing and analyzing Windows event log
* [Software Restriction Policies - docs.ms](https://docs.microsoft.com/en-us/windows-server/identity/software-restriction-policies/software-restriction-policies)
* This topic for the IT professional describes Software Restriction Policies (SRP) in Windows Server 2012 and Windows 8, and provides links to technical information about SRP beginning with Windows Server 2003.
* [Detecting Lateral Movement through Tracking Event Logs - JPCERTCC](https://www.jpcert.or.jp/english/pub/sr/ir_research.html)
* [Detecting Lateral Movements in Windows Infrastructure - CERT-EU](http://cert.europa.eu/static/WhitePapers/CERT-EU_SWP_17-002_Lateral_Movements.pdf)
* **Just Enough Administration (JEA)**
* [Just Enough Administration - docs.ms](https://docs.microsoft.com/en-us/powershell/jea/overview)
* [Just Enough Administration: Windows PowerShell security controls help protect enterprise data - msdn](https://msdn.microsoft.com/en-us/library/dn896648.aspx)
* [JEA Pre-requisites](https://docs.microsoft.com/en-us/powershell/jea/prerequisites)
* [JEA Role Capabilities](https://docs.microsoft.com/en-us/powershell/jea/role-capabilities)
* [JEA Session Configurations](https://docs.microsoft.com/en-us/powershell/jea/session-configurations)
* [Registering JEA Configurations](https://docs.microsoft.com/en-us/powershell/jea/register-jea)
* [Using JEA](https://docs.microsoft.com/en-us/powershell/jea/using-jea)
* [JEA Security Considerations](https://docs.microsoft.com/en-us/powershell/jea/security-considerations)
* [Auditing and Reporting on JEA](https://docs.microsoft.com/en-us/powershell/jea/audit-and-report)
* [Just Enough Administration Samples and Resources](https://github.com/PowerShell/JEA)
* Just Enough Administration (JEA) is a PowerShell security technology that provides a role based access control platform for anything that can be managed with PowerShell. It enables authorized users to run specific commands in an elevated context on a remote machine, complete with full PowerShell transcription and logging. JEA is included in PowerShell version 5 and higher on Windows 10 and Windows Server 2016, and older OSes with the Windows Management Framework updates.
* **LLMNR/NBNS**
* [Conveigh](https://github.com/Kevin-Robertson/Conveigh)
* Conveigh is a Windows PowerShell LLMNR/NBNS spoofer detection tool. LLMNR/NBNS requests sent by Conveigh are not legitimate requests to any enabled LLMNR/NBNS services. The requests will not result in name resolution in the event that a spoofer is present.
* [Respounder](https://github.com/codeexpress/respounder)
* Respounder sends LLMNR name resolution requests for made-up hostnames that do not exist. In a normal non-adversarial network we do not expect such names to resolve. However, a responder, if present in the network, will resolve such queries and therefore will be forced to reveal itself.
* **Local Administrator Password Solution**
* [Microsoft security advisory: Local Administrator Password Solution](https://support.microsoft.com/en-us/help/3062591/microsoft-security-advisory-local-administrator-password-solution-laps)
* [Local Administrator Password Solution - technet](https://technet.microsoft.com/en-us/mt227395.aspx)
* The "Local Administrator Password Solution" (LAPS) provides a centralized storage of secrets/passwords in Active Directory (AD) - without additional computers. Each organization’s domain administrators determine which users, such as helpdesk admins, are authorized to read the passwords.
* [Introduction to Microsoft LAPS (Local Administrator Password Solution)](https://4sysops.com/archives/introduction-to-microsoft-laps-local-administrator-password-solution/)
* [Set up Microsoft LAPS (Local Administrator Password Solution) in Active Directory](Introduction to Microsoft LAPS (Local Administrator Password Solution) - 4sysops)(https://4sysops.com/archives/set-up-microsoft-laps-local-administrator-password-solution-in-active-directory/)
* [FAQs for Microsoft Local Administrator Password Solution (LAPS) - Part 1 - 4sysops](https://4sysops.com/archives/faqs-for-microsoft-local-administrator-password-solution-laps/)
* [FAQs for Microsoft Local Administrator Password Solution (LAPS) - Part 2 - 4sysops](https://4sysops.com/archives/part-2-faqs-for-microsoft-local-administrator-password-solution-laps/)
* **Office Documents/Macros/DDE/Flavor-of-the-week**
* [Securely opening Microsoft Office documents that contain Dynamic Data Exchange (DDE) fields](https://technet.microsoft.com/library/security/4053440)
* [Disable DDEAUTO for Outlook, Word, OneNote, and Excel versions 2010, 2013, 2016](https://gist.github.com/wdormann/732bb88d9b5dd5a66c9f1e1498f31a1b)
* [New feature in Office 2016 can block macros and help prevent infection (2016)](https://cloudblogs.microsoft.com/microsoftsecure/2016/03/22/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection/?source=mmpc)
* [Block or unblock external content in Office documents - support.office](https://support.office.com/en-us/article/block-or-unblock-external-content-in-office-documents-10204ae0-0621-411f-b0d6-575b0847a795)
* [CIRClean](http://circl.lu/projects/CIRCLean/#technical-details)
* CIRCLean is an independent hardware solution to clean documents from untrusted (obtained) USB keys / USB sticks. The device automatically converts untrusted documents into a readable but disarmed format and stores these clean files on a trusted (user owned) USB key/stick.
* [Github](https://github.com/CIRCL/Circlean)
* [Securely opening Microsoft Office documents that contain Dynamic Data Exchange (DDE) fields - docs.ms](https://docs.microsoft.com/en-us/security-updates/securityadvisories/2017/4053440)
* **Passwords**
* [Domain Password Audit Tool (DPAT)](https://github.com/clr2of8/DPAT)
* This is a python script that will generate password use statistics from password hashes dumped from a domain controller and a password crack file such as hashcat.potfile generated from the Hashcat tool during password cracking. The report is an HTML report with clickable links.
* [Tutorial Video & Demo](https://www.blackhillsinfosec.com/webcast-demo-domain-password-audit-tool/)
* [Azure AD and ADFS best practices: Defending against password spray attacks](https://cloudblogs.microsoft.com/enterprisemobility/2018/03/05/azure-ad-and-adfs-best-practices-defending-against-password-spray-attacks/)
* **Privileged Access Workstation**
* [How Microsoft IT used Windows 10 and Windows Server 2016 to implement privileged access workstations](https://myignite.microsoft.com/sessions/54896)
* As part of the security strategy to protect administrative privilege, Microsoft recommends using a dedicated machine, referred to as PAW (privileged access workstation), for administrative tasks; and using a separate device for the usual productivity tasks such as Outlook and Internet browsing. This can be costly for the company to acquire machines just for server administrative tasks, and inconvenient for the admins to carry multiple machines. In this session, we show you how MSIT uses shielded VMs on the new release of Windows client to implement a PAW.
* [Privileged Access Workstation(PAW) - blogs.technet](https://blogs.technet.microsoft.com/datacentersecurity/2017/10/13/privileged-access-workstationpaw/)
* [PAW host buildout - blogs.technet](https://blogs.technet.microsoft.com/datacentersecurity/2017/10/17/paw-host-buildout/)
* [How to deploy a VM template for PAW - blogs.technet](https://blogs.technet.microsoft.com/datacentersecurity/2017/11/01/how-to-create-a-vm-template-for-paw/)
* **PowerShell**
* [Automating security with PowerShell, Jaap Brasser (@Jaap_Brasser)](https://www.youtube.com/watch?v=WOC8vC2KoNs&index=12&list=PLwZycuzv10iLBFwRIWNAR-s4iuuUMRuEB)
* There is no doubt that security has been in the spotlight over the last few years, recent events have been responsible for the increased demand for better and more secure systems. Security was often treated as an afterthought or something that could be implemented ‘later’. In this session, we will go over some best practices, using existing tools and frameworks to help you set up a more secure environment and to get a grasp of what is happening in your environment. We will leverage your existing automation skills to secure and automate these workflows. Expect a session with a lot of demos and resources that can directly be implemented.
* [PowerShell ♥ the Blue Team](https://blogs.msdn.microsoft.com/powershell/2015/06/09/powershell-the-blue-team/)
* [Powershell Security at Enterprise Customers - blogs.msdn](https://blogs.msdn.microsoft.com/daviddasneves/2017/05/25/powershell-security-at-enterprise-customers/)
* [More Detecting Obfuscated PowerShell](http://www.leeholmes.com/blog/2016/10/22/more-detecting-obfuscated-powershell/)
* [Revoke-Obfuscation - tool](https://github.com/danielbohannon/Revoke-Obfuscation)
* PowerShell v3.0+ compatible PowerShell obfuscation detection framework.
* [Revoke Obfuscation PowerShell Obfuscation Detection And Evasion Using Science Lee Holmes Daniel - Derbycon7 - talk](https://www.youtube.com/watch?v=7XnkDsOZM3Y&index=16&list=PLNhlcxQZJSm-PKUZTYe1C94ymf0omysM3)
* [PSRecon](https://github.com/gfoss/PSRecon/)
* 🚀 PSRecon gathers data from a remote Windows host using PowerShell (v2 or later), organizes the data into folders, hashes all extracted data, hashes PowerShell and various system properties, and sends the data off to the security team. The data can be pushed to a share, sent over email, or retained locally.
* [Detecting and Preventing PowerShell Downgrade Attacks - leeholmes](http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/)
* **SMB**
* [SMB Security Best Practices - US CERT](https://www.us-cert.gov/ncas/current-activity/2017/01/16/SMB-Security-Best-Practices)
* [SMB Packet Signing](https://technet.microsoft.com/en-us/library/cc180803.aspx)
* [Secure SMB Connections](http://techgenix.com/secure-smb-connections/)
* [Microsoft Security Advisory: Update to improve credentials protection and management: May 13, 2014](https://support.microsoft.com/en-us/help/2871997/microsoft-security-advisory-update-to-improve-credentials-protection-a)
* [Require SMB Security Signatures - technet.ms](https://technet.microsoft.com/en-us/library/cc731957.aspx)
* [SMB 3.0 (Because 3 > 2) - David Kruse](http://www.snia.org/sites/default/orig/SDC2012/presentations/Revisions/DavidKruse-SMB_3_0_Because_3-2_v2_Revision.pdf)
* **USB Detection**
* [BEAMGUN](https://github.com/JLospinoso/beamgun)
* A rogue-USB-device defeat program for Windows.
* **Tools**
* [Artillery](https://github.com/BinaryDefense/artillery)
* Artillery is a combination of a honeypot, monitoring tool, and alerting system. Eventually this will evolve into a hardening monitoring platform as well to detect insecure configurations from nix systems.
* **Visualization/Tracking/Reporting**
* General
* [Userline](https://github.com/THIBER-ORG/userline)
* This tool automates the process of creating logon relations from MS Windows Security Events by showing a graphical relation among users domains, source and destination logons as well as session duration.
* [VOYEUR](https://github.com/silverhack/voyeur)
* VOYEUR's main purpose is to automate several tasks of an Active Directory build review or security assessment. Also, the tool is able to create a fast (and pretty) Active Directory report. The tool is developed entirely in PowerShell (a powerful scripting language) without dependencies like Microsoft Remote Administration tools. (Just .Net Framework 2.0 and Office Excel if you want a useful and pretty report). The generated report is a perfect starting point for well-established forensic, incident response team, security consultants or security researchers who want to quickly analyze threats in Active Directory Services.
* **WMI**
* **General**
* [Managing WMI security - technet](https://technet.microsoft.com/en-us/library/cc731011(v=ws.11).aspx)
* [Maintaining WMI Security - msdn](https://msdn.microsoft.com/en-us/library/aa392291(v=vs.85).aspx)
* [Simple WMI Trace Viewer in PowerShell](https://chentiangemalc.wordpress.com/2017/03/24/simple-wmi-trace-viewer-in-powershell/)
* [An Insider’s Guide to Using WMI Events and PowerShell](https://blogs.technet.microsoft.com/heyscriptingguy/2012/06/08/an-insiders-guide-to-using-wmi-events-and-powershell/)
* **Tools**
* [Uproot](https://github.com/Invoke-IR/Uproot)
* Uproot is a Host Based Intrusion Detection System (HIDS) that leverages Permanent Windows Management Instrumentation (WMI) Event Susbcriptions to detect malicious activity on a network. For more details on WMI Event Subscriptions please see the WMIEventing Module
* [WMIEvent](https://github.com/Invoke-IR/WMIEvent)
* A PowerShell module to abstract the complexities of Permanent WMI Event Subscriptions
* **Auditing Processes**
* [Know your Windows Processes or Die Trying - sysforensics](https://sysforensics.org/2014/01/know-your-windows-processes/)
* [TaskExplorer](https://objective-see.com/products/taskexplorer.html)
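Review bot: the `**AppLocker**` and `**Auditing Account Passwords/Privileges**` blocks (five and four entries, including the full AccessChk description) appear twice back to back in this hunk; delete the second copy. Duplicates also occur inside single blocks: `Step-by-step: Quick reference guide to deploying guarded hosts` is listed twice under Guarded Fabric/Shielded VMs, `Secure Host Baseline` and `Secure-Host-Baseline` (same repository, same description) twice under Hardening, and the DDE advisory twice under Office Documents (technet and docs.ms URLs for the same advisory 4053440). The LAPS entry
`* [Set up Microsoft LAPS (Local Administrator Password Solution) in Active Directory](Introduction to Microsoft LAPS (Local Administrator Password Solution) - 4sysops)(https://4sysops.com/archives/set-up-microsoft-laps-local-administrator-password-solution-in-active-directory/)`
has a link title pasted where the URL belongs and will not render as a link; it should be `[Set up Microsoft LAPS (Local Administrator Password Solution) in Active Directory - 4sysops](https://4sysops.com/archives/set-up-microsoft-laps-local-administrator-password-solution-in-active-directory/)`. Smaller points: `LogonTracer` and the two lateral-movement detection papers (JPCERTCC, CERT-EU) are detection rather than hardening resources and would sit better under Visualization/Tracking/Reporting; please confirm that TaskExplorer (objective-see) belongs in a Windows "Auditing Processes" list; and "Event Susbcriptions" in the Uproot description is a typo for "Event Subscriptions".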
@ -339,111 +478,14 @@ https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server
* **Event Forwarding**
* [Windows Event Forwarding Guidance](https://github.com/palantir/windows-event-forwarding)
* Over the past few years, Palantir has a maintained an internal Windows Event Forwarding (WEF) pipeline for generating and centrally collecting logs of forensic and security value from Microsoft Windows hosts. Once these events are collected and indexed, alerting and detection strategies (ADS) can be constructed not only on high-fidelity security events (e.g. log deletion), but also for deviations from normalcy, such as unusual service account access, access to sensitive filesystem or registry locations, or installation of malware persistence. The goal of this project is to provide the necessary building blocks for organizations to rapidly evaluate and deploy WEF to a production environment, and centralize public efforts to improve WEF subscriptions and encourage adoption. While WEF has become more popular in recent years, it is still dramatically underrepresented in the community, and it is our hope that this project may encourage others to adopt it for incident detection and response purposes. We acknowledge the efforts that Microsoft, IAD, and other contributors have made to this space and wish to thank them for providing many of the subscriptions, ideas, and techniques that will be covered in this post.
* **Guarded Fabric/Shielded VMs**
* [Guarded fabric and shielded VMs](https://docs.microsoft.com/en-us/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabric-and-shielded-vms-top-node)
* [Shielded VMs – additional considerations when running a guarded fabric - blogs.technet](https://blogs.technet.microsoft.com/datacentersecurity/2017/04/21/shielded-vms-additional-considerations-when-running-a-guarded-fabric/)
* [Shielded VMs: A conceptual review of the components and steps necessary to deploy a guarded fabric](https://blogs.technet.microsoft.com/datacentersecurity/2017/03/14/shielded-vms-a-conceptual-review-of-the-components-and-steps-necessary-to-deploy-a-guarded-fabric/)
* [Step-by-step: Quick reference guide to deploying guarded hosts](https://blogs.technet.microsoft.com/datacentersecurity/2016/06/08/step-by-step-quick-reference-guide-to-deploying-guarded-hosts/)
* [Step by Step – Configuring Guarded Hosts with Virtual Machine Manager 2016 - blogs.technet](https://blogs.technet.microsoft.com/datacentersecurity/2016/03/21/configuring-guarded-hosts-with-virtual-machine-manager-2016/)
* [Guarded Fabric Deployment Guide for Windows Server 2016](https://gallery.technet.microsoft.com/Shielded-VMs-and-Guarded-98d2b045)
* [Step by Step – Configuring Key Protection for the Host Guardian Service in Windows Server 2016](https://blogs.technet.microsoft.com/datacentersecurity/2016/03/28/configuring-key-protection-service-for-host-guardian-service-in-windows-server-2016/)
* [Why use shielded VMs for your privileged access workstation (PAW) solution?](https://blogs.technet.microsoft.com/datacentersecurity/2017/11/29/why-use-shielded-vms-for-your-privileged-access-workstation-paw-solution/)
* [Frequently Asked Questions About HGS Certificates](https://blogs.technet.microsoft.com/datacentersecurity/2017/10/09/frequently-asked-questions-about-hgs-certificates/)
* [Join Host Guardian Servers to an existing bastion forest](https://blogs.technet.microsoft.com/datacentersecurity/2017/03/07/join-host-guardian-servers-to-an-existing-bastion-forest/)
* [Step by Step: Shielding existing VMs without VMM - blogs.technet](https://blogs.technet.microsoft.com/datacentersecurity/2016/09/01/step-by-step-shielding-existing-vms-without-vmm/)
* [Step-by-step: Quick reference guide to deploying guarded hosts](https://blogs.technet.microsoft.com/datacentersecurity/2016/06/08/step-by-step-quick-reference-guide-to-deploying-guarded-hosts/)
* [Step by Step – Shielded VM Recovery - blogs.technet](https://blogs.technet.microsoft.com/datacentersecurity/2016/06/07/step-by-step-shielded-vm-recovery/)
* **Group Policy**
* [The 10 Windows group policy settings you need to get right](http://www.infoworld.com/article/2609578/security/the-10-windows-group-policy-settings-you-need-to-get-right.html?page=2)
* [Group Policy for WSUS - grouppolicy.biz](http://www.grouppolicy.biz/2011/06/best-practices-group-policy-for-wsus/)
* [GPO Best Policies - grouppolicy.biz](http://www.grouppolicy.biz/best-practices/)
* [Securing Windows with Group Policy Josh - Rickard - Derbycon7](https://www.youtube.com/watch?v=Upeaa2rgozk&index=66&list=PLNhlcxQZJSm-PKUZTYe1C94ymf0omysM3)
* [Guidance on Deployment of MS15-011 and MS15-014 - blogs.technet](https://blogs.technet.microsoft.com/askpfeplat/2015/02/22/guidance-on-deployment-of-ms15-011-and-ms15-014/)
* **Hardening**
* [Awesome Windows Domain Hardening](https://github.com/PaulSec/awesome-windows-domain-hardening)
* A curated list of awesome Security Hardening techniques for Windows.
* [Threats and Countermeasures Guide: Security Settings in Windows Server 2008 R2 and Windows 7 - technet](https://technet.microsoft.com/en-us/library/hh125921.aspx)
* [Enable Attack surface reduction(Win10)- docs.ms](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction)
* [Harden windows IP Stack](https://www.reddit.com/r/netsec/comments/2sg80a/how_to_harden_windowsiis_ssltls_configuration/)
* [Secure Host Baseline](https://github.com/iadgov/Secure-Host-Baseline)
* Configuration guidance for implementing the Windows 10 and Windows Server 2016 DoD Secure Host Baseline settings. iadgov
* [Second section good resource for hardening windows](http://labs.bitdefender.com/2014/11/do-your-bit-to-limit-cryptowall/)
* [Secure-Host-Baseline](https://github.com/iadgov/Secure-Host-Baseline)
* Configuration guidance for implementing the Windows 10 and Windows Server 2016 DoD Secure Host Baseline settings. iadgov
* **Just Enough Administration (JEA)**
* [Just Enough Administration - docs.ms](https://docs.microsoft.com/en-us/powershell/jea/overview)
* [Just Enough Administration: Windows PowerShell security controls help protect enterprise data - msdn](https://msdn.microsoft.com/en-us/library/dn896648.aspx)
* [JEA Pre-requisites](https://docs.microsoft.com/en-us/powershell/jea/prerequisites)
* [JEA Role Capabilities](https://docs.microsoft.com/en-us/powershell/jea/role-capabilities)
* [JEA Session Configurations](https://docs.microsoft.com/en-us/powershell/jea/session-configurations)
* [Registering JEA Configurations](https://docs.microsoft.com/en-us/powershell/jea/register-jea)
* [Using JEA](https://docs.microsoft.com/en-us/powershell/jea/using-jea)
* [JEA Security Considerations](https://docs.microsoft.com/en-us/powershell/jea/security-considerations)
* [Auditing and Reporting on JEA](https://docs.microsoft.com/en-us/powershell/jea/audit-and-report)
* [Just Enough Administration Samples and Resources](https://github.com/PowerShell/JEA)
* Just Enough Administration (JEA) is a PowerShell security technology that provides a role based access control platform for anything that can be managed with PowerShell. It enables authorized users to run specific commands in an elevated context on a remote machine, complete with full PowerShell transcription and logging. JEA is included in PowerShell version 5 and higher on Windows 10 and Windows Server 2016, and older OSes with the Windows Management Framework updates.
* **LLMNR/NBNS**
* [Conveigh](https://github.com/Kevin-Robertson/Conveigh)
* Conveigh is a Windows PowerShell LLMNR/NBNS spoofer detection tool. LLMNR/NBNS requests sent by Conveigh are not legitimate requests to any enabled LLMNR/NBNS services. The requests will not result in name resolution in the event that a spoofer is present.
* **Local Administrator Password Solution**
* [Microsoft security advisory: Local Administrator Password Solution](https://support.microsoft.com/en-us/help/3062591/microsoft-security-advisory-local-administrator-password-solution-laps)
* [Local Administrator Password Solution - technet](https://technet.microsoft.com/en-us/mt227395.aspx)
* The "Local Administrator Password Solution" (LAPS) provides a centralized storage of secrets/passwords in Active Directory (AD) - without additional computers. Each organization’s domain administrators determine which users, such as helpdesk admins, are authorized to read the passwords.
* [Introduction to Microsoft LAPS (Local Administrator Password Solution)](https://4sysops.com/archives/introduction-to-microsoft-laps-local-administrator-password-solution/)
* [Set up Microsoft LAPS (Local Administrator Password Solution) in Active Directory](Introduction to Microsoft LAPS (Local Administrator Password Solution) - 4sysops)(https://4sysops.com/archives/set-up-microsoft-laps-local-administrator-password-solution-in-active-directory/)
* [FAQs for Microsoft Local Administrator Password Solution (LAPS) - Part 1 - 4sysops](https://4sysops.com/archives/faqs-for-microsoft-local-administrator-password-solution-laps/)
* [FAQs for Microsoft Local Administrator Password Solution (LAPS) - Part 2 - 4sysops](https://4sysops.com/archives/part-2-faqs-for-microsoft-local-administrator-password-solution-laps/)
* **Office Documents/Macros/DDE/Flavor-of-the-week**
* [Securely opening Microsoft Office documents that contain Dynamic Data Exchange (DDE) fields](https://technet.microsoft.com/library/security/4053440)
* [Disable DDEAUTO for Outlook, Word, OneNote, and Excel versions 2010, 2013, 2016](https://gist.github.com/wdormann/732bb88d9b5dd5a66c9f1e1498f31a1b)
* [Block or unblock external content in Office documents - support.office](https://support.office.com/en-us/article/block-or-unblock-external-content-in-office-documents-10204ae0-0621-411f-b0d6-575b0847a795)
* **Privileged Access Workstation**
* [How Microsoft IT used Windows 10 and Windows Server 2016 to implement privileged access workstations](https://myignite.microsoft.com/sessions/54896)
* As part of the security strategy to protect administrative privilege, Microsoft recommends using a dedicated machine, referred to as PAW (privileged access workstation), for administrative tasks; and using a separate device for the usual productivity tasks such as Outlook and Internet browsing. This can be costly for the company to acquire machines just for server administrative tasks, and inconvenient for the admins to carry multiple machines. In this session, we show you how MSIT uses shielded VMs on the new release of Windows client to implement a PAW.
* [Privileged Access Workstation(PAW) - blogs.technet](https://blogs.technet.microsoft.com/datacentersecurity/2017/10/13/privileged-access-workstationpaw/)
* [PAW host buildout - blogs.technet](https://blogs.technet.microsoft.com/datacentersecurity/2017/10/17/paw-host-buildout/)
* [How to deploy a VM template for PAW - blogs.technet](https://blogs.technet.microsoft.com/datacentersecurity/2017/11/01/how-to-create-a-vm-template-for-paw/)
* **PowerShell**
* [Automating security with PowerShell, Jaap Brasser (@Jaap_Brasser)](https://www.youtube.com/watch?v=WOC8vC2KoNs&index=12&list=PLwZycuzv10iLBFwRIWNAR-s4iuuUMRuEB)
* There is no doubt that security has been in the spotlight over the last few years, recent events have been responsible for the increased demand for better and more secure systems. Security was often treated as an afterthought or something that could be implemented ‘later’. In this session, we will go over some best practices, using existing tools and frameworks to help you set up a more secure environment and to get a grasp of what is happening in your environment. We will leverage your existing automation skills to secure and automate these workflows. Expect a session with a lot of demos and resources that can directly be implemented.
* [PowerShell ♥ the Blue Team](https://blogs.msdn.microsoft.com/powershell/2015/06/09/powershell-the-blue-team/)
* [Powershell Security at Enterprise Customers - blogs.msdn](https://blogs.msdn.microsoft.com/daviddasneves/2017/05/25/powershell-security-at-enterprise-customers/)
* [More Detecting Obfuscated PowerShell](http://www.leeholmes.com/blog/2016/10/22/more-detecting-obfuscated-powershell/)
* [Revoke-Obfuscation - tool](https://github.com/danielbohannon/Revoke-Obfuscation)
* PowerShell v3.0+ compatible PowerShell obfuscation detection framework.
* [Revoke Obfuscation PowerShell Obfuscation Detection And Evasion Using Science Lee Holmes Daniel - Derbycon7 - talk](https://www.youtube.com/watch?v=7XnkDsOZM3Y&index=16&list=PLNhlcxQZJSm-PKUZTYe1C94ymf0omysM3)
* [PSRecon](https://github.com/gfoss/PSRecon/)
* 🚀 PSRecon gathers data from a remote Windows host using PowerShell (v2 or later), organizes the data into folders, hashes all extracted data, hashes PowerShell and various system properties, and sends the data off to the security team. The data can be pushed to a share, sent over email, or retained locally.
* [Detecting and Preventing PowerShell Downgrade Attacks - leeholmes](http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/)
* **SMB**
* [SMB Security Best Practices - US CERT](https://www.us-cert.gov/ncas/current-activity/2017/01/16/SMB-Security-Best-Practices)
* [SMB Packet Signing](https://technet.microsoft.com/en-us/library/cc180803.aspx)
* [Secure SMB Connections](http://techgenix.com/secure-smb-connections/)
* [Microsoft Security Advisory: Update to improve credentials protection and management: May 13, 2014](https://support.microsoft.com/en-us/help/2871997/microsoft-security-advisory-update-to-improve-credentials-protection-a)
* [Require SMB Security Signatures - technet.ms](https://technet.microsoft.com/en-us/library/cc731957.aspx)
* [SMB 3.0 (Because 3 > 2) - David Kruse](http://www.snia.org/sites/default/orig/SDC2012/presentations/Revisions/DavidKruse-SMB_3_0_Because_3-2_v2_Revision.pdf)
* **USB Detection**
* [BEAMGUN](https://github.com/JLospinoso/beamgun)
* A rogue-USB-device defeat program for Windows.
* **Tools**
* [Artillery](https://github.com/BinaryDefense/artillery)
* Artillery is a combination of a honeypot, monitoring tool, and alerting system. Eventually this will evolve into a hardening monitoring platform as well to detect insecure configurations from nix systems.
* **Visualization/Tracking/Reporting**
* General
* [Userline](https://github.com/THIBER-ORG/userline)
* This tool automates the process of creating logon relations from MS Windows Security Events by showing a graphical relation among users domains, source and destination logons as well as session duration.
* [VOYEUR](https://github.com/silverhack/voyeur)
* VOYEUR's main purpose is to automate several tasks of an Active Directory build review or security assessment. Also, the tool is able to create a fast (and pretty) Active Directory report. The tool is developed entirely in PowerShell (a powerful scripting language) without dependencies like Microsoft Remote Administration tools. (Just .Net Framework 2.0 and Office Excel if you want a useful and pretty report). The generated report is a perfect starting point for well-established forensic, incident response team, security consultants or security researchers who want to quickly analyze threats in Active Directory Services.
* **WMI**
* **General**
* [Managing WMI security - technet](https://technet.microsoft.com/en-us/library/cc731011(v=ws.11).aspx)
* [Maintaining WMI Security - msdn](https://msdn.microsoft.com/en-us/library/aa392291(v=vs.85).aspx)
* [Simple WMI Trace Viewer in PowerShell](https://chentiangemalc.wordpress.com/2017/03/24/simple-wmi-trace-viewer-in-powershell/)
* [An Insider’s Guide to Using WMI Events and PowerShell](https://blogs.technet.microsoft.com/heyscriptingguy/2012/06/08/an-insiders-guide-to-using-wmi-events-and-powershell/)
* **Tools**
* [Uproot](https://github.com/Invoke-IR/Uproot)
* Uproot is a Host Based Intrusion Detection System (HIDS) that leverages Permanent Windows Management Instrumentation (WMI) Event Susbcriptions to detect malicious activity on a network. For more details on WMI Event Subscriptions please see the WMIEventing Module
* [WMIEvent](https://github.com/Invoke-IR/WMIEvent)
* A PowerShell module to abstract the complexities of Permanent WMI Event Subscriptions
* [Mitigate threats by using Windows 10 security features](https://docs.microsoft.com/en-us/windows/threat-protection/overview-of-threat-mitigations-in-windows-10)
* [Windows Server guidance to protect against speculative execution side-channel vulnerabilities](https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution?t=1&cn=ZmxleGlibGVfcmVjc18y&refsrc=email&iid=149b9032665345ba890ba51d3bf0d519&fl=4&uid=150127534&nid=244%20281088008)
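Review bot: the LAPS entry `* [Set up Microsoft LAPS (Local Administrator Password Solution) in Active Directory](Introduction to Microsoft LAPS (Local Administrator Password Solution) - 4sysops)(https://4sysops.com/archives/set-up-microsoft-laps-local-administrator-password-solution-in-active-directory/)` has a stray parenthesised fragment between the title and the URL, so it will not render as a link; drop `(Introduction to Microsoft LAPS (Local Administrator Password Solution) - 4sysops)` so the title points straight at the 4sysops URL. Under Hardening, `[Secure Host Baseline]` and `[Secure-Host-Baseline]` point at the same iadgov repository with the same description, keep one. In the Uproot line, 'Event Susbcriptions' should be 'Event Subscriptions'. The last two links (the Windows 10 threat-mitigation overview and the speculative-execution guidance) sit under WMI, Tools, where they do not belong; move them to Hardening. The support.microsoft.com URL also carries e-mail tracking parameters (`?t=1&cn=...&refsrc=email&iid=...&uid=...&nid=...`) that should be stripped back to the plain help/4072698 URL.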


+ 12
- 1
Draft/Documentation & Reports -.md View File

@ -16,6 +16,11 @@
### Start
* [How I read a research paper](https://muratbuffalo.blogspot.com/2013/07/how-i-read-research-paper.html?m=1
-----
### <a name="writing">Writing</a>
Start with the first two links, and go from there. They’re both great resources to writing technical documentation, the first being a beginners guide and the second being a general guide that beginners can understand.
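Review bot: the 'How I read a research paper' link is missing its closing parenthesis after `?m=1`, so the line will not render as a link; close it, and the `?m=1` mobile-view parameter can be dropped while you are there.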
@ -128,4 +133,10 @@ Other Materials:
* [Request a CVE ID](http://cve.mitre.org/cve/request_id.html#cna_coverage)
* [My first CVE-2016-1000329 in BlogPHP](https://www.stevencampbell.info/2016/12/my-first-cve-2016-1000329-in-blogphp/)
* **Dealing with the press/journalists:**
* [Hacking the media for fame/profit talk](http://www.irongeek.com/i.php?page=videos/derbycon4/Hacking-The-Media-For-Fame-And-Profit-Jenn-Ellis-Steven-Reganh)
* [Hacking the media for fame/profit talk](http://www.irongeek.com/i.php?page=videos/derbycon4/Hacking-The-Media-For-Fame-And-Profit-Jenn-Ellis-Steven-Reganh)
----------------
### Sample Documents
* [Pentest/Red Team Offering Documents - mubix](https://drive.google.com/drive/folders/0ByiDshWJ_PnZdnJZQ0h3MWZyRUk)
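Review bot: the 'Hacking the media for fame/profit talk' entry appears twice in a row under 'Dealing with the press/journalists' with the same irongeek URL; keep one copy.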

+ 3
- 1
Draft/Exfiltration.md View File

@ -115,7 +115,9 @@ Sort tools into categories of type, i.e. physical network, wireless(types thereo
* [Data Exfiltration (Tunneling) Attacks against Corporate Network](https://pentest.blog/data-exfiltration-tunneling-attacks-against-corporate-network/)
* [Using DNS to Break Out of Isolated Networks in a AWS Cloud Environment](https://dejandayoff.com/using-dns-to-break-out-of-isolated-networks-in-a-aws-cloud-environment/)
* Customers can utilize AWS' DNS infrastructure in VPCs (enabled by default). Traffic destined to the AmazonProvidedDNS is traffic bound for AWS management infrastructure and does not egress via the same network links as standard customer traffic and is not evaluated by Security Groups. Using DNS exfiltration, it is possible to exfiltrate data out of an isolated network.
* [Evasions used by The Shadow Brokers' Tools DanderSpritz and DoublePulsar (Part 2 of 2) - forcepoint](https://blogs.forcepoint.com/security-labs/evasions-used-shadow-brokers-tools-danderspritz-and-doublepulsar-part-2-2)
* [Self-Exfiltration: The Dangers of Browser-Enforced Information Flow Control](http://ericchen.me/self_exfiltration.pdf)
* Abstract —Since the early days of Netscape, browser vendors and web security researchers have restricted out-going data based on its destination. The security argument accompanying these mechanisms is that they prevent sensitive user data from being sent to the attacker’s domain. However, in this paper, we show that regulating web information flow based on its destination server is an inherently flawed security practice. It is vulnerable to self-exfiltration attacks, where an adversary stashes stolen information in the database of a whitelisted site, then later independently connects to the whitelisted site to retrieve the information. We describe eight existing browser security mechanisms that are vulnerable to these “self-exfiltration” attacks. Furthermore, we discovered at least one exfiltration channel for each of the Alexa top 100 websites. None of the existing information flow control mechanisms we surveyed are sufficient to protect data from being leaked to the attacker. Our goal is to prevent browser vendors and researchers from falling into this trap by designing more systems that are vulnerable to self-exfiltration.
* **Stenography**
* [imagejs](https://github.com/jklmnn/imagejs)
* imagejs is a small tool to hide javascript inside a valid image file. The image file is recognized as one by content checking software, e.g. the file command you might now from Linux or other Unix based operation systems.
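Review bot: the heading `**Stenography**` should read `**Steganography**` (stenography is shorthand writing; imagejs hides data inside image files). In the imagejs description, 'the file command you might now from Linux or other Unix based operation systems' should be 'the file command you might know from Linux or other Unix-based operating systems'.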


+ 146
- 175
Draft/Exploit Development.md View File

@ -64,50 +64,18 @@
* Add more sites to Acquiring Old/Vulnerable Software
* More sites to structured learning
* Add ARM stuff
* Add more on Borrowed-Instruction-Set Computing
#### Sort:
* [ADI vs ROP](https://lazytyped.blogspot.it/2017/09/adi-vs-rop.html)
* [BISC: Borrowed Instructions Synthetic Computation](https://github.com/trailofbits/bisc)
* BISC is a Ruby library for demonstrating how to build borrowed-instruction programs. BISC aims to be simple, analogous to a traditional assembler, minimize behind-the-scenes magic, and let users write simple macros. BISC was developed by Dino Dai Zovi for Practical Return-oriented Programming at Blackhat USA 2010 and was used for the Assured Exploitation course.
* [Offset-DB](http://offset-db.com/)
* This website provide you a list of useful offset that you can use for your exploit.
* [Fun with info leaks](https://rh0dev.github.io/blog/2015/fun-with-info-leaks/)
* [Epson Vulnerability: EasyMP Projector Takeover (CVE-2017-12860 / CVE-2017-12861)](https://rhinosecuritylabs.com/research/epson-easymp-remote-projection-vulnerabilities/)
* [Code Execution (CVE-2018-5189) Walkthrough On JUNGO Windriver 12.5.1](https://www.fidusinfosec.com/jungo-windriver-code-execution-cve-2018-5189)
#### Sort:
* [Android Security Ecosystem Investments Pay Dividends for Pixel](https://android-developers.googleblog.com/2018/01/android-security-ecosystem-investments.html)
* [Funky File Formats - Advanced Binary Exploitation](http://media.ccc.de/browse/congress/2014/31c3_-_5930_-_en_-_saal_6_-_201412291400_-_funky_file_formats_-_ange_albertini.html#video)
https://github.com/Microsoft/MSRC-Security-Research/tree/master/presentations
https://cseweb.ucsd.edu/~hovav/dist/sparc.pdf
* [Machine Motivated Practical Page Table Shellcode & Finding Out What's Running on Your System - Slides](https://www.defcon.org/images/defcon-22/dc-22-presentations/Macaulay/DEFCON-22-Shane-Macaulay-Weird-Machine-Motivated-Practical-Page-Table-Shellcode-UPDATED.pdf)
* [Counterfeit Object-oriented Programming](http://syssec.rub.de/media/emma/veroeffentlichungen/2015/03/28/COOP-Oakland15.pdf)
* [Hacking FinSpy - a Case Study - Atilla Marosi - Troopers15](https://www.youtube.com/watch?v=Mb4mfBi06K4)
* [MSRC-Security-Research Github](https://github.com/Microsoft/MSRC-Security-Research/tree/master/presentations)
* [Differential Slicing: Identifying Causal Execution Differences for Security Applications](http://bitblaze.cs.berkeley.edu/papers/diffslicing_oakland11.pdf)
* [Modern Binary Attacks and Defences in the Windows Environment: Fighting Against Microsoft EMET in Seven Rounds]()
* [sandbox-attacksurface-analysis-tools](https://github.com/google/sandbox-attacksurface-analysis-tools)
* This is a small suite of tools to test various properties of sandboxes on Windows. Many of the checking tools take a -p flag which is used to specify the PID of a sandboxed process. The tool will impersonate the token of that process and determine what access is allowed from that location. Also it's recommended to run these tools as an administrator or local system to ensure the system can be appropriately enumerated.
* [SCANSPLOIT](https://github.com/huntergregal/scansploit)
* Exploit using barcodes, QRcodes, earn13, datamatrix
* [Automating VMware RPC Request Sniffing - Abdul-Aziz Hariri - ZDI](https://www.zerodayinitiative.com/blog/2018/1/19/automating-vmware-rpc-request-sniffing)
* In this blog, I will discuss how I was able to write a PyKD script to sniff RPC requests that helped me tremendously while writing VMware RPC exploits.
* [kernelpop](https://github.com/spencerdodd/kernelpop)
* kernelpop is a framework for performing automated kernel vulnerability enumeration and exploitation on OSX and Linux
* [Vulnserver - my KSTET exploit (delivering the final stage shellcode through the active server socket) - ewilded.blogspot](https://ewilded.blogspot.com/2018/01/vulnserver-my-kstet-exploit-delivering.html)
* [IOHIDeous](https://github.com/Siguza/IOHIDeous)
* A macOS kernel exploit based on an IOHIDFamily 0day.
* [Writeup](https://siguza.github.io/IOHIDeous/)
https://github.com/k0keoyo/Dark_Composition_case_study_Integer_Overflow
* [ADI vs ROP](https://lazytyped.blogspot.it/2017/09/adi-vs-rop.html)
#### End Sort
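Review bot: the Sort block still contains a second `#### Sort:` header in the middle, two copies of 'ADI vs ROP' (the first and last entries), three bare URLs with no title or description (the MSRC-Security-Research presentations tree, which is also listed below as a titled link, the hovav sparc.pdf, and the Dark_Composition integer-overflow case study), and 'Modern Binary Attacks and Defences in the Windows Environment: Fighting Against Microsoft EMET in Seven Rounds' with an empty `()` link target. Since BISC, Offset-DB, SCANSPLOIT and the Vulnserver KSTET post are moved into their own sections later in this diff, the copies here should be removed rather than left in the Sort list.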
@ -119,6 +87,7 @@ https://github.com/k0keoyo/Dark_Composition_case_study_Integer_Overflow
* **General**
* **101**
* **Articles/Papers/Talks/Writeups**
* [Vulnserver - my KSTET exploit (delivering the final stage shellcode through the active server socket) - ewilded.blogspot](https://ewilded.blogspot.com/2018/01/vulnserver-my-kstet-exploit-delivering.html)
* **Educational/Informative**
* [A brief history of Exploitation - Devin Cook](http://www.irongeek.com/i.php?page=videos/derbycon4/t514-a-brief-history-of-exploitation-devin-cook)
* [Mechanization of Exploits](https://github.com/REMath/literature_review/blob/master/mechanization_of_exploits.org)
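Review bot: the Vulnserver KSTET entry added under Articles/Papers/Talks/Writeups is still present in the Sort block at the top of the file; make sure the Sort copy is the one removed so the post is listed once.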
@ -140,6 +109,8 @@ https://github.com/k0keoyo/Dark_Composition_case_study_Integer_Overflow
* Dr. Memory is a memory monitoring tool capable of identifying memory-related programming errors such as accesses of uninitialized memory, accesses to unaddressable memory (including outside of allocated heap units and heap underflow and overflow), accesses to freed memory, double frees, memory leaks, and (on Windows) handle leaks, GDI API usage errors, and accesses to un-reserved thread local storage slots. Dr. Memory operates on unmodified application binaries running on Windows, Linux, Mac, or Android on commodity IA-32, AMD64, and ARM hardware.
* **Miscellaneous**
* [OneRNG](http://moonbaseotago.com/onerng/theory.html)
* [Offset-DB](http://offset-db.com/)
* This website provide you a list of useful offset that you can use for your exploit.
---------------
### <a name="acquire">Acquiring Old/Vulnerable Software</a>
@ -203,7 +174,7 @@ https://github.com/k0keoyo/Dark_Composition_case_study_Integer_Overflow
#### Jump Oriented Programming
* [Jump-Oriented Programming: A New Class of Code-Reusegghunte](https://www.comp.nus.edu.sg/~liangzk/papers/asiaccs11.pdf)
* [Attacking x86 Windows Binaries by Jump Oriented Programming](http://www.uni-obuda.hu/users/szakala/INES%202013%20pendrive/61_ines2013.pdf)
* [Jumping the Fence Comparison and Improvements for Existing Jump Oriented Programming Tools - John Dunlap - Derbycon7](https://www.youtube.com/watch?v=eRICJ_bEC54&index=15&list=PLNhlcxQZJSm-PKUZTYe1C94ymf0omysM3)
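Review bot: the first JOP link title is garbled: 'Jump-Oriented Programming: A New Class of Code-Reusegghunte'. The asiaccs11 paper is titled 'Jump-Oriented Programming: A New Class of Code-Reuse Attack'; 'gghunte' looks like a fragment of 'egghunter' pasted in by mistake and should be removed.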
@ -261,7 +232,7 @@ https://github.com/k0keoyo/Dark_Composition_case_study_Integer_Overflow
* [Interpreter Exploitation: Pointer Inference and JIT Spraying](http://www.semantiscope.com/research/BHDC2010/BHDC-2010-Paper.pdf)
* [Understanding JIT Spray](http://blog.cdleary.com/2011/08/understanding-jit-spray/)
* [Writing JIT-Spray Shellcode For Fun And Profit](https://packetstormsecurity.com/files/86975/Writing-JIT-Spray-Shellcode-For-Fun-And-Profit.html)
* [The Devil is in the Constants: Bypassing Defenses in Browser JIT Engines](http://users.ics.forth.gr/~elathan/papers/ndss15.pdf)
------------------
@ -456,7 +427,11 @@ Other:
* An extensible framework for easily writing debuggable, compiler optimized, position independent, x86 shellcode for windows platforms.
* [OWASP ZSC](https://github.com/viraintel/OWASP-ZSC)
* OWASP ZSC is open source software written in python which lets you generate customized shellcode and convert scripts to an obfuscated script. This software can be run on Windows/Linux/OSX with python.
* [Shellen](https://github.com/merrychap/shellen)
* Shellen is an interactive shellcoding environment. If you want a handy tool to write shellcodes, then shellen may be your friend. Shellen can also be used as an assembly or disassembly tool. keystone and capstone engines are used for all of shellen's operations. Shellen only works on python3. python2 support may appear in the future.
* **Encoders**
* [Context-keyed Payload Encoding](http://uninformed.org/?v=all&a=42&t=sumry)
* A common goal of payload encoders is to evade a third-party detection mechanism which is actively observing attack traffic somewhere along the route from an attacker to their target, filtering on commonly used payload instructions. The use of a payload encoder may be easily detected and blocked as well as opening up the opportunity for the payload to be decoded for further analysis. Even so-called keyed encoders utilize easily observable, recoverable, or guessable key values in their encoding algorithm, thus making decoding on-the-fly trivial once the encoding algorithm is identified. It is feasible that an active observer may make use of the inherent functionality of the decoder stub to decode the payload of a suspected exploit in order to inspect the contents of that payload and make a control decision about the network traffic. This paper presents a new method of keying an encoder which is based entirely on contextual information that is predictable or known about the target by the attacker and constructible or recoverable by the decoder stub when executed at the target. An active observer of the attack traffic however should be unable to decode the payload due to lack of the contextual keying information.
* **Obfuscators**
* [UniByAv](https://github.com/Mr-Un1k0d3r/UniByAv)
* UniByAv is a simple obfuscator that take raw shellcode and generate executable that are Anti-Virus friendly. The obfuscation routine is purely writtend in assembly to remain pretty short and efficient. In a nutshell the application generate a 32 bits xor key and brute force the key at run time then perform the decryption of the actually shellcode.
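Review bot: in the UniByAv description, 'purely writtend in assembly' should be 'written', and 'the decryption of the actually shellcode' should be 'the actual shellcode'; in the new Shellen entry, 'keystone and capstone engines' are project names and read better as Keystone and Capstone.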
@ -482,7 +457,7 @@ Other:
* **Stack Protections**
* **Reference Material**
* [Stack Smashing Protector](http://wiki.osdev.org/Stack_Smashing_Protector)
* **DEP/SEHop/ASLR**
* **DEP/SEHop/ASLR/NX**
* [Understanding DEP as a mitigation Technology](http://blogs.technet.com/b/srd/archive/2009/06/05/understanding-dep-as-a-mitigation-technology-part-1.aspx)
* [Preventing the Exploitation of SEH Overwrites](http://uninformed.org/?v=all&a=24&t=sumry)
* This paper proposes a technique that can be used to prevent the exploitation of SEH overwrites on 32-bit Windows applications without requiring any recompilation. While Microsoft has attempted to address this attack vector through changes to the exception dispatcher and through enhanced compiler support, such as with /SAFESEH and /GS, the majority of benefits they offer are limited to image files that have been compiled to make use of the compiler enhancements. This limitation means that without all image files being compiled with these enhancements, it may still be possible to leverage an SEH overwrite to gain code execution. In particular, many third-party applications are still vulnerable to SEH overwrites even on the latest versions of Windows because they have not been recompiled to incorporate these enhancements. To that point, the technique described in this paper does not rely on any compile time support and instead can be applied at runtime to existing applications without any noticeable performance degradation. This technique is also backward compatible with all versions of Windows NT+, thus making it a viable and proactive solution for legacy installations.
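Review bot: the renamed heading `**DEP/SEHop/ASLR/NX**` keeps the mis-cased 'SEHop'; the links beneath it spell it SEHOP (Structured Exception Handler Overwrite Protection), so use `**DEP/SEHOP/ASLR/NX**` for consistency.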
@ -506,6 +481,8 @@ Other:
* [Preventing the Exploitation of Structured Exception Handler (SEH) Overwrites with SEHOP](https://blogs.technet.microsoft.com/srd/2009/02/02/preventing-the-exploitation-of-structured-exception-handler-seh-overwrites-with-sehop/)
* [Structured Exception Handling - TechNet](https://msdn.microsoft.com/en-us/library/windows/desktop/ms680657%28v=vs.85%29.aspx)
* [Defeating Microsoft Windows XP SP2 Heap protection and DEP bypass ](https://www.ptsecurity.com/upload/corporate/ww-en/download/defeating-xpsp2-heap-protection.pdf)
* [x86-64 buffer overflow exploits and the borrowed code chunks exploitation technique](http://users.suse.com/~krahmer/no-nx.pdf)
* The x86-64 CPU platform (i.e. AMD64 or Hammer) introduces new features to protect against exploitation of buffer overflows, the so called No Execute(NX) or Advanced Virus Protection (A VP). This non-executable enforcement of data pages and the ELF64 SystemV ABI render common buffer overflow exploitation techniques useless. This paper describes and analyzes the protection mechanisms in depth. Research and tar get platform was a SUSE Linux 9.3 x86-64 system but the results can be expanded to non-Linux systems as well.
* **DeviceGuard**
* [Bypassing Device Guard with .NET Assembly Compilation Methods](http://www.exploit-monday.com/2017/07/bypassing-device-guard-with-dotnet-methods.html)
* **EMET/Control Flow Guard**
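Review bot: the abstract pasted for the x86-64 'borrowed code chunks' paper carries PDF extraction artefacts: 'A VP' and 'tar get' are split words and should read 'AVP' and 'target', and 'No Execute(NX)' wants a space before the parenthesis.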
@ -548,7 +525,35 @@ Other:
* **Papers**
* **Tools**
* **Miscellaneous**
* **Adobe**
* [Pwning Adobe Reader with XFA](http://siberas.de/presentations/SyScan360_2016_-_Pwning_Adobe_Reader_with_XFA.pdf)
* [Adobe Reader Escape... or how to steal research and be lame.](http://sandboxescaper.blogspot.be/2018/01/adobe-reader-escape-or-how-to-steal.html)
* **Barcodes**
* [SCANSPLOIT](https://github.com/huntergregal/scansploit)
* Exploit using barcodes, QRcodes, earn13, datamatrix
* **Borrowed Instruction Programs**
* [BISC: Borrowed Instructions Synthetic Computation](https://github.com/trailofbits/bisc)
* BISC is a Ruby library for demonstrating how to build borrowed-instruction programs. BISC aims to be simple, analogous to a traditional assembler, minimize behind-the-scenes magic, and let users write simple macros. BISC was developed by Dino Dai Zovi for Practical Return-oriented Programming at Blackhat USA 2010 and was used for the Assured Exploitation course.
* **BroadPwn**
* [A cursory analysis of @nitayart's Broadpwn bug (CVE-2017-9417)](http://boosterok.com/blog/broadpwn/)
* [Emulation and Exploration of BCM WiFi Frame Parsing using LuaQEMU](https://comsecuris.com/blog/posts/luaqemu_bcm_wifi/)
* [Broadpwn: Remotely Compromising Android and iOS via a Bug in Broadcom’s Wi-Fi Chipsets](https://blog.exodusintel.com/2017/07/26/broadpwn/)
* [Crashing phones with Wi-Fi: Exploiting nitayart's Broadpwn bug (CVE-2017-9417)](http://boosterok.com/blog/broadpwn2/)
* **Cisco**
* [Cisco IOS MIPS GDB remote serial protocol implementation](https://github.com/artkond/ios_mips_gdb)
* A hacky implementation of GDB RSP to aid exploit development for MIPS based Cisco routers
* [Cisco ASA Episode 3: A Journey In Analysing Heaps by Cedric Halbronn - BSides Manchester2017](https://www.youtube.com/watch?v=ADYdToi6Wn0&index=21&list=PLcgqQkap1lNrOBNCXqpPqpPAqckxv0XhP)
* **Glibc**
* [Glibc Adventures: The Forgotten Chunks](http://www.contextis.com/documents/117/Glibc_Adventures-The_Forgotten_Chunks.pdf)
* Exploiting Glibc
* **Hypervisor**
* [Compromise-as-a-Service: Our PleAZURE.](https://www.troopers.de/events/troopers14/49_compromise-as-a-service_our_pleazure/)
* This could be a comprehensive introduction about the ubiquity of virtualization, the essential role of the hypervisor, and how the security posture of the overall environment depends on it. However, we decided otherwise, as this is what everybody is interested in: We will describe the Hyper-V architecture in detail, provide a taxonomy of hypervisor exploits, and demonstrate how we found MS13-092 which had the potential to compromise the whole Azure environment. Live demo included!
* **Java Specific**
* [Exploiting Memory Corruption Vulnerabilities in the Java Runtime](https://media.blackhat.com/bh-ad-11/Drake/bh-ad-11-Drake-Exploiting_Java_Memory_Corruption-WP.pdf)
* **Macros**
* [It All Swings Around - Malicious Macros](http://sketchymoose.blogspot.com/2015/02/it-all-swings-round-malicious-macros.html)
* Writeup and explanation of random Macro exploits
* **<a name="linuxspec">Linux Specific Exploit Development</a>**
* **101**
* **Articles/Blogposts/Writeups**
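Review bot: **Glibc** sits in the per-target list between Cisco and Hypervisor, but it is a library rather than a target, and its single entry (Glibc Adventures: The Forgotten Chunks) is heap material; file it under the Linux-specific **Heap** subsection instead of giving it a top-level target heading. Separately, the **101** header under Linux Specific Exploit Development has no entries under it; add one or drop the header.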
@ -556,13 +561,17 @@ Other:
* [Linux ASLR integer overflow: Reducing stack entropy by four](http://hmarco.org/bugs/linux-ASLR-integer-overflow.html)
* A bug in Linux ASLR implementation for versions prior to 3.19-rc3 has been found. The issue is that the stack for processes is not properly randomized on some 64 bit architectures due to an integer overflow. This is a writeup of the bug and how to fix it.
* [Linux GLibC Stack Canary Values](https://xorl.wordpress.com/2010/10/14/linux-glibc-stack-canary-values/)
* [Painless intro to the Linux userland heap](https://sensepost.com/blog/2017/painless-intro-to-the-linux-userland-heap/)
* [Linux Heap Exploitation Intro Series: Used and Abused – Use After Free](https://sensepost.com/blog/2017/linux-heap-exploitation-intro-series-used-and-abused-use-after-free/)
* [Linux Heap Exploitation Intro Series: The magicians cape – 1 Byte Overflow](https://sensepost.com/blog/2017/linux-heap-exploitation-intro-series-the-magicians-cape-1-byte-overflow/)
* [Shellshock bug writeup by lcamtuf](http://lcamtuf.blogspot.com/2014/10/bash-bug-how-we-finally-cracked.html)
* [Adventures in Xen Exploitation](https://www.nccgroup.com/en/blog/2015/02/adventures-in-xen-exploitation/)
* "This post is about my experience trying to exploit the Xen SYSRET bug (CVE-2012-0217)."
* **Educational/Informative**
* [Return into Lib(C) Theory Primer(Security-Tube)](http://www.securitytube.net/video/257)
* [64-bit Linux Return-Oriented Programming - Standford](https://crypto.stanford.edu/~blynn/rop/)
* [Understanding glibc malloc](https://sploitfun.wordpress.com/2015/02/10/understanding-glibc-malloc/)
* **Heap**
* [Painless intro to the Linux userland heap](https://sensepost.com/blog/2017/painless-intro-to-the-linux-userland-heap/)
* [Linux Heap Exploitation Intro Series: Used and Abused – Use After Free](https://sensepost.com/blog/2017/linux-heap-exploitation-intro-series-used-and-abused-use-after-free/)
* [Linux Heap Exploitation Intro Series: The magicians cape – 1 Byte Overflow](https://sensepost.com/blog/2017/linux-heap-exploitation-intro-series-the-magicians-cape-1-byte-overflow/)
* **Kernel Exploit Development**
* [Linux Kernel Exploitation Paper Archive - xairy](https://github.com/xairy/linux-kernel-exploitation)
* **Papers**
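Review bot: the three SensePost heap posts (Painless intro to the Linux userland heap, Used and Abused, The magicians cape) appear both under **Articles/Blogposts/Writeups** and under the new **Heap** subsection; if the move is intended, make sure the copies under Articles are the removal so the posts are not listed twice, and the remaining posts of the same series (the double-free and printf-leak ones still sitting with the alloc/Heap material further down) belong in this **Heap** list as well. The **Papers** header that closes the hunk is empty; add an entry or drop it.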
@ -572,13 +581,31 @@ Other:
* Rappel is a pretty janky assembly REPL. It works by creating a shell ELF, starting it under ptrace, then continiously rewriting/running the .text section, while showing the register states. It's maybe half done right now, and supports Linux x86, amd64, armv7 (no thumb), and armv8 at the moment.(As of Aug 2017)
* [Build a database of libc offsets to simplify exploitation](https://github.com/niklasb/libc-database)
* **Miscellaneous**
* **OS X Specific**
* [OS X Kernel-mode Exploitation in a Weekend](http://uninformed.org/?v=all&a=37&t=sumry)
* Apple's Mac OS X operating system is attracting more attention from users and security researchers alike. Despite this increased interest, there is still an apparent lack of detailed vulnerability development information for OS X. This paper will attempt to help bridge this gap by walking through the entire vulnerability development process. This process starts with vulnerability discovery and ultimately finished with a remote code execution. To help illustrate this process, a real vulnerability found in the OS X wireless device driver is used.
* **<a name="osx-specific"></a>OS X Specific**
* **101**
* **Articles/Blogposts/Papers/Writeups**
* [IOHIDeous](https://github.com/Siguza/IOHIDeous)
* A macOS kernel exploit based on an IOHIDFamily 0day.
* [Writeup](https://siguza.github.io/IOHIDeous/)
* [OS X Kernel-mode Exploitation in a Weekend](http://uninformed.org/?v=all&a=37&t=sumry)
* Apple's Mac OS X operating system is attracting more attention from users and security researchers alike. Despite this increased interest, there is still an apparent lack of detailed vulnerability development information for OS X. This paper will attempt to help bridge this gap by walking through the entire vulnerability development process. This process starts with vulnerability discovery and ultimately finished with a remote code execution. To help illustrate this process, a real vulnerability found in the OS X wireless device driver is used.
* **Educational/Informative**
* **Tools**
* **PDF**
* [Advanced PDF Tricks - Ange Albertini, Kurt Pfeifle - [TROOPERS15]](https://www.youtube.com/watch?v=k9g9jZdjRcE)
* **RPC**
* [Automating VMware RPC Request Sniffing - Abdul-Aziz Hariri - ZDI](https://www.zerodayinitiative.com/blog/2018/1/19/automating-vmware-rpc-request-sniffing)
* In this blog, I will discuss how I was able to write a PyKD script to sniff RPC requests that helped me tremendously while writing VMware RPC exploits.
* **Software into Hardware back into Software**
* [Exploiting the DRAM rowhammer bug to gain kernel privileges](http://googleprojectzero.blogspot.com/2015/03/exploiting-dram-rowhammer-bug-to-gain.html)
* "Rowhammer is a problem with some recent DRAM devices in which repeatedly accessing a row of memory can cause bit flips in adjacent rows. We tested a selection of laptops and found that a subset of them exhibited the problem. We built two working privilege escalation exploits that use this effect. One exploit uses rowhammer-induced bit flips to gain kernel privileges on x86-64 Linux when run as an unprivileged userland process. When run on a machine vulnerable to the rowhammer problem, the process was able to induce bit flips in page table entries (PTEs). It was able to use this to gain write access to its own page table, and hence gain read-write access to all of physical memory.
* [Program for testing for the DRAM "rowhammer" problem](https://github.com/google/rowhammer-test)
* **<a name="winspec">Windows Specific</a>**
* **101**
* **Articles/Blogposts/Writeups**
* [Writing Exploits for Win32 Systems from Scratch](https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2016/june/writing-exploits-for-win32-systems-from-scratch/)
* [Exploiting MS14-066](http://www.securitysift.com/exploiting-ms14-066-cve-2014-6321-aka-winshock/)
* [MS17-010: EternalBlue’s Large Non-Paged Pool Overflow in SRV Driver - blog.trendmicro](http://blog.trendmicro.com/trendlabs-security-intelligence/ms17-010-eternalblue/)
* **Educational/Informative**
* **Papers**
* [Getting out of Jail: Escaping Internet Explorer Protected Mode](http://uninformed.org/?v=all&a=39&t=sumry)
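Review bot: the **OS X Specific** block is present twice in this hunk, once as a bare heading followed directly by the uninformed.org paper and once as `**<a name="osx-specific"></a>OS X Specific**` with 101/Articles/Educational/Tools subheadings; confirm the first copy is the removal so the paper is not listed twice. The anchor name `osx-specific` also differs from the `linuxspec`/`winspec` style used by its siblings, and the ToC link has to match whichever form is kept. The **101**, **Educational/Informative** and **Tools** headers under OS X, and **101**/**Educational/Informative** under Windows, are empty placeholders.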
@ -659,6 +686,13 @@ Other:
* [BuBBle: A Javascript Engine Level Countermeasure against Heap-Spraying Attacks](http://cd80.ca/files/bubble.pdf)
* Abstract. Web browsers that support a safe language such as Javascript are becoming a platform of great interest for security attacks. One such attack is a heap-spraying attack: a new kind of attack that combines the notoriously hard to reliably exploit heap-based buffer overflow with the use of an in-browser script- ing language for improved r eliability. A typical heap-s praying attack allocates a high number of objects containing the attacker’s code on the heap, dramatically increasing the probability that the contents of one of these objects is executed. In this paper we present a lightweight approach that makes heap-spraying attacks in Javascript significantly harder. Our prototype, which is implemented in Firefox, has a negligible performance and memory overhead while effectively protecting against heap-spraying attacks.
------------
### Android
* [Android Security Ecosystem Investments Pay Dividends for Pixel](https://android-developers.googleblog.com/2018/01/android-security-ecosystem-investments.html)
------------
### <a name="antifuzz"></a>Anti-Debugging/Fuzzing
* [Intro to Anti-Fuzzing](https://www.nccgroup.com/en/blog/2014/01/introduction-to-anti-fuzzing-a-defence-in-depth-aid/()
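Review bot: the Intro to Anti-Fuzzing link ends in `.../a-defence-in-depth-aid/()`; the trailing `()` is not part of the URL and will either break the markdown link or produce a 404, so drop it. The new `### Android` section also holds a single blog entry and sits apart from the per-platform list where Linux, OS X and Windows now live under Specific Targets; consider placing it alongside them.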
@ -695,34 +729,6 @@ Check out the 'Reverse Engineering" Section's Tools list for a lot of useful too
### Adobe Reader
* [Pwning Adobe Reader with XFA](http://siberas.de/presentations/SyScan360_2016_-_Pwning_Adobe_Reader_with_XFA.pdf)
* [Adobe Reader Escape... or how to steal research and be lame.](http://sandboxescaper.blogspot.be/2018/01/adobe-reader-escape-or-how-to-steal.html)
### Broadpwn
* [A cursory analysis of @nitayart's Broadpwn bug (CVE-2017-9417)](http://boosterok.com/blog/broadpwn/)
* [Emulation and Exploration of BCM WiFi Frame Parsing using LuaQEMU](https://comsecuris.com/blog/posts/luaqemu_bcm_wifi/)
* [Broadpwn: Remotely Compromising Android and iOS via a Bug in Broadcom’s Wi-Fi Chipsets](https://blog.exodusintel.com/2017/07/26/broadpwn/)
* [Crashing phones with Wi-Fi: Exploiting nitayart's Broadpwn bug (CVE-2017-9417)](http://boosterok.com/blog/broadpwn2/)
--------------------
### Buffer Overflows
* [x86-64 buffer overflow exploits and the borrowed code chunks exploitation technique](http://users.suse.com/~krahmer/no-nx.pdf)
* The x86-64 CPU platform (i.e. AMD64 or Hammer) introduces new features to protect against exploitation of buffer overflows, the so called No Execute(NX) or Advanced Virus Protection (A VP). This non-executable enforcement of data pages and the ELF64 SystemV ABI render common buffer overflow exploitation techniques useless. This paper describes and analyzes the protection mechanisms in depth. Research and tar get platform was a SUSE Linux 9.3 x86-64 system but the results can be expanded to non-Linux systems as well. search engine tag: SET-krahmer-bccet-2005.
----------------------
### Cisco
* [Cisco IOS MIPS GDB remote serial protocol implementation](https://github.com/artkond/ios_mips_gdb)
* A hacky implementation of GDB RSP to aid exploit development for MIPS based Cisco routers
* [Cisco ASA Episode 3: A Journey In Analysing Heaps by Cedric Halbronn - BSides Manchester2017](https://www.youtube.com/watch?v=ADYdToi6Wn0&index=21&list=PLcgqQkap1lNrOBNCXqpPqpPAqckxv0XhP)
-----------------------
### <a name="decomp">Decompilers & Disassemblers</a>
* **List**
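Review bot: of the sections removed here, Broadpwn and Cisco reappear under Specific Targets earlier in the diff, but the two Adobe Reader entries (Pwning Adobe Reader with XFA, Adobe Reader Escape) and krahmer's x86-64 buffer overflow / borrowed code chunks paper do not appear in any other visible hunk; confirm they were re-homed (an Adobe Reader target entry and a Buffer Overflows subsection would fit the new layout) rather than silently dropped.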
@ -801,101 +807,52 @@ Check out the 'Reverse Engineering" Section's Tools list for a lot of useful too
* [x64dbg](http://x64dbg.com/)
* [An introduction to x64dbg](http://reverseengineeringtips.blogspot.com/2015/01/an-introduction-to-x64dbg.html)
### Eternal Blue
* [MS17-010: EternalBlue’s Large Non-Paged Pool Overflow in SRV Driver - blog.trendmicro](http://blog.trendmicro.com/trendlabs-security-intelligence/ms17-010-eternalblue/)
* [MS17-010 worawit](https://github.com/worawit/MS17-010)
----------------
### <a name="collection"></a>Exploit Collections/Repository
* [XiphosResearch PoC Exploits](https://github.com/XiphosResearch/exploits)
* Miscellaneous proof of concept exploit code written at Xiphos Research for testing purposes.
* [exploit-db.org](https://www.exploit-db.org)
* [Proof of concept exploits / tools for Epson vulnerabilities: CVE-2017-12860 and CVE-2017-12861](https://github.com/RhinoSecurityLabs/Security-Research/tree/master/exploits/Epson)
* [Exploits for Unitrends version 9.1.1 and earlier ; all by Dwight Hohnstein](https://github.com/RhinoSecurityLabs/Security-Research/tree/master/exploits/Unitrends)
* [All AIX exploits written by Hector Monsegur](https://github.com/RhinoSecurityLabs/Security-Research/tree/master/exploits/IBM)
* [The Exploit Database Git Repository](https://github.com/offensive-security/exploit-database)
* The official Exploit Database repository
* [CVE-2017-10271](https://github.com/kkirsche/CVE-2017-10271)
* Oracle WebLogic WLS-WSAT Remote Code Execution Exploit (CVE-2017-10271)
* [CVE-2018-0802](https://github.com/rxwx/CVE-2018-0802)
* This repo contains a Proof of Concept exploit for CVE-2018-0802. To get round the limited command length allowed, the exploit uses the Packager OLE object to drop an embedded payload into the %TMP% directory, and then executes the file using a short command via a WinExec call, such as: cmd.exe /c%TMP%\file.exe.
* **Exploit Collections**
* [XiphosResearch PoC Exploits](https://github.com/XiphosResearch/exploits)
* Miscellaneous proof of concept exploit code written at Xiphos Research for testing purposes.
* [exploit-db.org](https://www.exploit-db.org)
* [All AIX exploits written by Hector Monsegur](https://github.com/RhinoSecurityLabs/Security-Research/tree/master/exploits/IBM)
* [The Exploit Database Git Repository](https://github.com/offensive-security/exploit-database)
* The official Exploit Database repository
* **PoC Collections**
* [PoC for CVE-2018-0802 And CVE-2017-11882](https://github.com/Ridter/RTF_11882_0802)
* [MS17-010 worawit](https://github.com/worawit/MS17-010)
* [explodingcan](https://github.com/danigargu/explodingcan)
* An implementation of NSA's ExplodingCan exploit in Python
* [CVE-2017-10271 identification and exploitation. Unauthenticated Weblogic RCE.](https://github.com/c0mmand3rOpSec/CVE-2017-10271)
* [Chimay-Red](https://github.com/BigNerd95/Chimay-Red)
* Working POC of Mikrotik exploit from Vault 7 CIA Leaks
* [Writeup](https://github.com/BigNerd95/Chimay-Red/blob/master/docs/ChimayRed.pdf)
* [Proof of concept exploits / tools for Epson vulnerabilities: CVE-2017-12860 and CVE-2017-12861](https://github.com/RhinoSecurityLabs/Security-Research/tree/master/exploits/Epson)
* [Exploits for Unitrends version 9.1.1 and earlier ; all by Dwight Hohnstein](https://github.com/RhinoSecurityLabs/Security-Research/tree/master/exploits/Unitrends)
* [CVE-2017-10271](https://github.com/kkirsche/CVE-2017-10271)
* Oracle WebLogic WLS-WSAT Remote Code Execution Exploit (CVE-2017-10271)
* [CVE-2018-0802](https://github.com/rxwx/CVE-2018-0802)
* This repo contains a Proof of Concept exploit for CVE-2018-0802. To get round the limited command length allowed, the exploit uses the Packager OLE object to drop an embedded payload into the %TMP% directory, and then executes the file using a short command via a WinExec call, such as: cmd.exe /c%TMP%\file.exe.
* [Epson Vulnerability: EasyMP Projector Takeover (CVE-2017-12860 / CVE-2017-12861)](https://rhinosecuritylabs.com/research/epson-easymp-remote-projection-vulnerabilities/)
* [Code Execution (CVE-2018-5189) Walkthrough On JUNGO Windriver 12.5.1](https://www.fidusinfosec.com/jungo-windriver-code-execution-cve-2018-5189)
### Glibc
Glibc
* [Glibc Adventures: The Forgotten Chunks](http://www.contextis.com/documents/117/Glibc_Adventures-The_Forgotten_Chunks.pdf)
* Exploiting Glibc
----------------
### <a name="gpu"></a>GPU Exploits / Research
* [A Study of Overflow Vulnerabilities on GPUs](https://www.aimlab.org/haochen/papers/npc16-overflow.pdf)
* [Jellyfish - GPU rootkit PoC by Team Jellyfish ](https://github.com/x0r1/jellyfish)
* Jellyfish is a Linux based userland gpu rootkit proof of concept project utilizing the LD_PRELOAD technique from Jynx (CPU), as well as the OpenCL API developed by Khronos group (GPU). Code currently supports AMD and NVIDIA graphics cards. However, the AMDAPPSDK does support Intel as well.
### Hypervisor
* [Compromise-as-a-Service: Our PleAZURE.](https://www.troopers.de/events/troopers14/49_compromise-as-a-service_our_pleazure/)
* This could be a comprehensive introduction about the ubiquity of virtualization, the essential role of the hypervisor, and how the security posture of the overall environment depends on it. However, we decided otherwise, as this is what everybody is interested in: We will describe the Hyper-V architecture in detail, provide a taxonomy of hypervisor exploits, and demonstrate how we found MS13-092 which had the potential to compromise the whole Azure environment. Live demo included!
### Java
* [Exploiting Memory Corruption Vulnerabilities in the Java Runtime](https://media.blackhat.com/bh-ad-11/Drake/bh-ad-11-Drake-Exploiting_Java_Memory_Corruption-WP.pdf)
### Jump-Oriented Programming
* [Jumping the Fence Comparison and Improvements for Existing Jump Oriented Programming Tools - John Dunlap - Derbycon7](https://www.youtube.com/watch?v=eRICJ_bEC54&index=15&list=PLNhlcxQZJSm-PKUZTYe1C94ymf0omysM3)
### Keyed Payloads
* [Context-keyed Payload Encoding](http://uninformed.org/?v=all&a=42&t=sumry)
* A common goal of payload encoders is to evade a third-party detection mechanism which is actively observing attack traffic somewhere along the route from an attacker to their target, filtering on commonly used payload instructions. The use of a payload encoder may be easily detected and blocked as well as opening up the opportunity for the payload to be decoded for further analysis. Even so-called keyed encoders utilize easily observable, recoverable, or guessable key values in their encoding algorithm, thus making decoding on-the-fly trivial once the encoding algorithm is identified. It is feasible that an active observer may make use of the inherent functionality of the decoder stub to decode the payload of a suspected exploit in order to inspect the contents of that payload and make a control decision about the network traffic. This paper presents a new method of keying an encoder which is based entirely on contextual information that is predictable or known about the target by the attacker and constructible or recoverable by the decoder stub when executed at the target. An active observer of the attack traffic however should be unable to decode the payload due to lack of the contextual keying information.
### \*alloc/Heap
* [shadow :: De Mysteriis Dom jemalloc](https://github.com/CENSUS/shadow)
* shadow is a jemalloc heap exploitation framework. It has been designed to be agnostic of the target application that uses jemalloc as its heap allocator (be it Android's libc, Firefox, FreeBSD's libc, standalone jemalloc, or whatever else). The current version (2.0) has been tested extensively with the following targets: Android 6 and 7 libc (ARM32 and ARM64); Firefox (x86 and x86-64) on Windows and Linux;
* [Overview of Android's jemalloc structures using shadow](https://github.com/CENSUS/shadow/blob/master/docs/android_heap.md)
* In this document we explore Android's jemalloc structures using shadow. A simplified view of the heap is presented here. The intention of this document is to get you started with jemalloc structures and shadow's commands.
* [MALLOC DES-MALEFICARUM - blackngel](http://phrack.org/issues/66/10.html)
* Understanding the Heap - Sploitfun
* [Syscalls used by malloc](https://sploitfun.wordpress.com/2015/02/11/syscalls-used-by-malloc/)
* [Understanding glibc malloc](https://sploitfun.wordpress.com/2015/02/10/understanding-glibc-malloc/)
* [Understanding the heap by breaking it](https://www.blackhat.com/presentations/bh-usa-07/Ferguson/Whitepaper/bh-usa-07-ferguson-WP.pdf)
* [Automated vulnerability analysis of zero sized heap allocations](http://www.hackitoergosum.org/2010/HES2010-jvanegue-Zero-Allocations.pdf)
* [Tracking Down Heap Overflows with rr](https://sean.heelan.io/2016/05/31/tracking-down-heap-overflows-with-rr/)
* [Walking Heap using Pydbg](http://www.debasish.in/2015/02/walking-heap-using-pydbg.html)
* This is the simplest implementation of HeapWalk() API based on pydbg. Heap walk API enumerates the memory blocks in the specified heap. If you are not very familiar with HeapWalk() API this page has a very good example in C++.
* [Linux Heap Exploitation Intro Series – (BONUS) printf might be leaking!](https://sensepost.com/blog/2018/linux-heap-exploitation-intro-series-bonus-printf-might-be-leaking/)
* [Linux Heap Exploitation Intro Series: Riding free on the heap – Double free attacks!](https://sensepost.com/blog/2017/linux-heap-exploitation-intro-series-riding-free-on-the-heap-double-free-attacks/)
### Macros
* [It All Swings Around - Malicious Macros](http://sketchymoose.blogspot.com/2015/02/it-all-swings-round-malicious-macros.html)
* Writeup and explanation of random Macro exploits
### PDF
* [Advanced PDF Tricks - Ange Albertini, Kurt Pfeifle - [TROOPERS15]](https://www.youtube.com/watch?v=k9g9jZdjRcE)
----------------
### <a name="gpu"></a>GPU Exploits / Research
* [A Study of Overflow Vulnerabilities on GPUs](https://www.aimlab.org/haochen/papers/npc16-overflow.pdf)
* [Jellyfish - GPU rootkit PoC by Team Jellyfish ](https://github.com/x0r1/jellyfish)
* Jellyfish is a Linux based userland gpu rootkit proof of concept project utilizing the LD_PRELOAD technique from Jynx (CPU), as well as the OpenCL API developed by Khronos group (GPU). Code currently supports AMD and NVIDIA graphics cards. However, the AMDAPPSDK does support Intel as well.
### ROP
* [ROPs are for the 99% - Yang Yu](https://cansecwest.com/slides/2014/ROPs_are_for_the_99_CanSecWest_2014.pdf)
* [OptiROP: The art of hunting ROP gadgets](https://media.blackhat.com/us-13/US-13-Quynh-OptiROP-Hunting-for-ROP-Gadgets-in-Style-WP.pdf)
* [Video](https://www.youtube.com/watch?v=_3uBybBpq48)
* This research attempts to solve the problem by introducing a tool named OptiROP that lets exploitation writers search for ROP gadgets with semantic queries. Combining sophisticated techniques such as code normalization, code optimization, code slicing, SMT solver and some creative heuristic searching methods, OptiROP is able to discover desired gadgets very quickly, with much less efforts. Our tool also provides the detail semantic meaning of each gadget found, so users can easily decide how to chain their gadgets for the final shellcode.
* **Tools**
* [ropa](https://github.com/orppra/ropa)
* ropa is a Ropper-based GUI that streamlines crafting ROP chains. It provides a cleaner interface when using Ropper as compared to the command line. It can provide a smoother workflow for crafting the rop chain in the GUI, then exporting the final chain in the desired format. For those used to using CLI, this tool may serve as a cleaner interface to filter out the relevant gadgets.
* [Ropper](https://github.com/sashs/ropper)
* You can use ropper to display information about binary files in different file formats and you can search for gadgets to build rop chains for different architectures (x86/X86_64, ARM/ARM64, MIPS/MIPS64, PowerPC). For disassembly ropper uses the awesome Capstone Framework.
### RowHammer
* [Exploiting the DRAM rowhammer bug to gain kernel privileges](http://googleprojectzero.blogspot.com/2015/03/exploiting-dram-rowhammer-bug-to-gain.html)
* "Rowhammer is a problem with some recent DRAM devices in which repeatedly accessing a row of memory can cause bit flips in adjacent rows. We tested a selection of laptops and found that a subset of them exhibited the problem. We built two working privilege escalation exploits that use this effect. One exploit uses rowhammer-induced bit flips to gain kernel privileges on x86-64 Linux when run as an unprivileged userland process. When run on a machine vulnerable to the rowhammer problem, the process was able to induce bit flips in page table entries (PTEs). It was able to use this to gain write access to its own page table, and hence gain read-write access to all of physical memory.
* [Program for testing for the DRAM "rowhammer" problem](https://github.com/google/rowhammer-test)
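Review bot: `### <a name="gpu"></a>GPU Exploits / Research` and its two entries appear twice in this hunk (once after Glibc, once after PDF); if both survive, the `gpu` anchor is defined twice and the ToC link becomes ambiguous, so make sure only one copy remains. The Jump-Oriented Programming talk (John Dunlap, Derbycon7) and the Context-keyed Payload Encoding paper removed here are not present in any other visible hunk, whereas Hypervisor, Java, Macros, PDF and the alloc/Heap material do reappear; confirm those two were moved, not lost. The `### Glibc` block also carries a stray bare `Glibc` line directly under the heading.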
@ -912,31 +869,10 @@ Glibc
* [nt!`_SEP_`TOKEN_PRIVILEGES - Single Write EoP Protect - Kyriakos 'kyREcon' Economou](http://anti-reversing.com/Downloads/Sec_Research/ntoskrnl_v10.0.15063_nt!_SEP_TOKEN_PRIVILEGES-Single_Write_EoP_Protect.pdf)
* TL;DR: Abusing enabled token privileges through a kernel exploit to gain EoP it won't be enough anymore as from NT kernel version 10.0.15063 are 'checked' against the privileges present in the token of the calling process. So you will need two writes
### UAF Writeups
* [Exploiting CVE-2015-0311: A Use-After-Free in Adobe Flash Player](http://blog.coresecurity.com/2015/03/04/exploiting-cve-2015-0311-a-use-after-free-in-adobe-flash-player/)
* "The vulnerability was first discovered as a zero-day being actively exploited in the wild as part of the Angler Exploit Kit. Although the exploit code was highly obfuscated using the SecureSWF obfuscation tool, malware samples taking advantage of this vulnerability became publicly available, so I decided to dig into the underlying vulnerability in order to exploit it and write the corresponding module for Core Impact Pro and Core Insight."
* [ Use-After-Silence: Exploiting a quietly patched UAF in VMware - Abdul-Aziz Hariri](https://www.thezdi.com/blog/2017/6/26/use-after-silence-exploiting-a-quietly-patched-uaf-in-vmware)
### UEFI
* See BIOS/UEFI Page
### Shellshock
* [Shellshock bug writeup by lcamtuf](http://lcamtuf.blogspot.com/2014/10/bash-bug-how-we-finally-cracked.html)
### Windows
* [Exploiting MS14-066](http://www.securitysift.com/exploiting-ms14-066-cve-2014-6321-aka-winshock/)
### Xen
* [Adventures in Xen Exploitation](https://www.nccgroup.com/en/blog/2015/02/adventures-in-xen-exploitation/)
* "This post is about my experience trying to exploit the Xen SYSRET bug (CVE-2012-0217)."
#### Writeups that haven't been sorted
* [Fun with info leaks](https://rh0dev.github.io/blog/2015/fun-with-info-leaks/)
* [Linux Kernel < 2.6.36.2 Econet Privilege Escalation Exploit](http://eshunrd.blogspot.com/2011/09/linux-kernel-26362-econet-privilege.html)
* [Coding Malware for Fun and Not for Profit (Because that would be illegal)](http://www.malwaretech.com/2014/04/coding-malware-for-fun-and-not-for.html)
* [Exploiting BadIRET vulnerability - CVE-2014-9322, Linux kernel privilege escalation](http://labs.bromium.com/2015/02/02/exploiting-badiret-vulnerability-cve-2014-9322-linux-kernel-privilege-escalation/)
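Review bot: the `### UEFI` cross-reference (`See BIOS/UEFI Page`) is removed here and no replacement pointer appears in the visible hunks, while Shellshock, Xen, Windows (MS14-066) and the UAF writeups all reappear under Specific Targets or the new UAF subsection; keep a one-line pointer to the BIOS/UEFI page somewhere in the reorganised layout so the cross-reference is not lost.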
@ -967,6 +903,41 @@ Glibc
* [A New CVE-2015-0057 Exploit Technology](https://www.exploit-db.com/docs/39660.pdf)
* [PLASMA PULSAR](https://github.com/stealth/plasmapulsar/blob/master/README.md)
* This document describes a generic root exploit against kde.
* **ROP**
* stuff
* [ROPs are for the 99% - Yang Yu](https://cansecwest.com/slides/2014/ROPs_are_for_the_99_CanSecWest_2014.pdf)
* [OptiROP: The art of hunting ROP gadgets](https://media.blackhat.com/us-13/US-13-Quynh-OptiROP-Hunting-for-ROP-Gadgets-in-Style-WP.pdf)
* [Video](https://www.youtube.com/watch?v=_3uBybBpq48)
* This research attempts to solve the problem by introducing a tool named OptiROP that lets exploitation writers search for ROP gadgets with semantic queries. Combining sophisticated techniques such as code normalization, code optimization, code slicing, SMT solver and some creative heuristic searching methods, OptiROP is able to discover desired gadgets very quickly, with much less efforts. Our tool also provides the detail semantic meaning of each gadget found, so users can easily decide how to chain their gadgets for the final shellcode.
* **Tools**
* [ropa](https://github.com/orppra/ropa)
* ropa is a Ropper-based GUI that streamlines crafting ROP chains. It provides a cleaner interface when using Ropper as compared to the command line. It can provide a smoother workflow for crafting the rop chain in the GUI, then exporting the final chain in the desired format. For those used to using CLI, this tool may serve as a cleaner interface to filter out the relevant gadgets.
* [Ropper](https://github.com/sashs/ropper)
* You can use ropper to display information about binary files in different file formats and you can search for gadgets to build rop chains for different architectures (x86/X86_64, ARM/ARM64, MIPS/MIPS64, PowerPC). For disassembly ropper uses the awesome Capstone Framework.
* **UAF**
* [Exploiting CVE-2015-0311: A Use-After-Free in Adobe Flash Player](http://blog.coresecurity.com/2015/03/04/exploiting-cve-2015-0311-a-use-after-free-in-adobe-flash-player/)
* "The vulnerability was first discovered as a zero-day being actively exploited in the wild as part of the Angler Exploit Kit. Although the exploit code was highly obfuscated using the SecureSWF obfuscation tool, malware samples taking advantage of this vulnerability became publicly available, so I decided to dig into the underlying vulnerability in order to exploit it and write the corresponding module for Core Impact Pro and Core Insight."
* [ Use-After-Silence: Exploiting a quietly patched UAF in VMware - Abdul-Aziz Hariri](https://www.thezdi.com/blog/2017/6/26/use-after-silence-exploiting-a-quietly-patched-uaf-in-vmware)
* **Extended: \*alloc/Heap**
* [shadow :: De Mysteriis Dom jemalloc](https://github.com/CENSUS/shadow)
* shadow is a jemalloc heap exploitation framework. It has been designed to be agnostic of the target application that uses jemalloc as its heap allocator (be it Android's libc, Firefox, FreeBSD's libc, standalone jemalloc, or whatever else). The current version (2.0) has been tested extensively with the following targets: Android 6 and 7 libc (ARM32 and ARM64); Firefox (x86 and x86-64) on Windows and Linux;
* [Overview of Android's jemalloc structures using shadow](https://github.com/CENSUS/shadow/blob/master/docs/android_heap.md)
* In this document we explore Android's jemalloc structures using shadow. A simplified view of the heap is presented here. The intention of this document is to get you started with jemalloc structures and shadow's commands.
* [MALLOC DES-MALEFICARUM - blackngel](http://phrack.org/issues/66/10.html)
* Understanding the Heap - Sploitfun
* [Syscalls used by malloc](https://sploitfun.wordpress.com/2015/02/11/syscalls-used-by-malloc/)
* [Understanding glibc malloc](https://sploitfun.wordpress.com/2015/02/10/understanding-glibc-malloc/)
* [Understanding the heap by breaking it](https://www.blackhat.com/presentations/bh-usa-07/Ferguson/Whitepaper/bh-usa-07-ferguson-WP.pdf)
* [Automated vulnerability analysis of zero sized heap allocations](http://www.hackitoergosum.org/2010/HES2010-jvanegue-Zero-Allocations.pdf)
* [Tracking Down Heap Overflows with rr](https://sean.heelan.io/2016/05/31/tracking-down-heap-overflows-with-rr/)
* [Walking Heap using Pydbg](http://www.debasish.in/2015/02/walking-heap-using-pydbg.html)
* This is the simplest implementation of HeapWalk() API based on pydbg. Heap walk API enumerates the memory blocks in the specified heap. If you are not very familiar with HeapWalk() API this page has a very good example in C++.
* [Linux Heap Exploitation Intro Series – (BONUS) printf might be leaking!](https://sensepost.com/blog/2018/linux-heap-exploitation-intro-series-bonus-printf-might-be-leaking/)
* [Linux Heap Exploitation Intro Series: Riding free on the heap – Double free attacks!](https://sensepost.com/blog/2017/linux-heap-exploitation-intro-series-riding-free-on-the-heap-double-free-attacks/)
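Review bot: the `* stuff` placeholder directly under the new **ROP** header should be removed before this lands. The heading **Extended: \*alloc/Heap** is also an odd name for what is the same list that previously lived under `### \*alloc/Heap`; the SensePost double-free and printf-leak posts in it belong with the rest of that series in the **Heap** subsection created under Linux Specific, so the heap material is not split between two places.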


+ 56
- 50
Draft/Forensics Incident Response.md View File

@ -10,29 +10,23 @@
* Update ToC
https://forensiccontrol.com/resources/free-software/
* [Forensic Imager Tools: You don't have the Evidence - Shmoocon 2014](https://www.youtube.com/watch?v=zYYCv21I-1I)*
* [Attrition Forensics](http://2014.video.sector.ca/video/110334184)
* [Happy DPAPI!](http://blog.digital-forensics.it/2015/01/happy-dpapi.html)
Ghiro
* [Forensic Imager Tools: You don't have the Evidence - Shmoocon 2014](https://www.youtube.com/watch?v=zYYCv21I-1I)*
* [Attrition Forensics](http://2014.video.sector.ca/video/110334184)
* [ENISA CERT Exercises and Training](http://www.enisa.europa.eu/activities/cert/support/exercise)
* ENISA CERT Exercises and training material was introduced in 2008, in 2012 and 2013 it was complemented with new exercise scenarios containing essential material for success in the CERT community and in the field of information security. In this page you will find the ENISA CERT Exercise material, containing Handbook for teachers, Toolset for students and Virtual Image to support hands on training sessions.
* [Rapier](https://code.google.com/p/rapier/)
* RAPIER is a security tool built to facilitate first response procedures for incident handling. It is designed to acquire commonly requested information and samples during an information security event, incident, or investigation. RAPIER automates the entire process of data collection and delivers the results directly to the hands of a skilled security analyst
* [triage-ir](https://code.google.com/p/triage-ir/)
* Triage: Incident Response automatically collect information from a system that needs basic triage functions performed upon it. The script allows for easy modification for customization to your needs, in an easy to comprehend and implement language. This tool uses a lot others to get its information. Eventually I hope to eliminate the need for them, but use them as verification. This tool requires you to download the Sysinternals Suite if you want full functionality to it.
* [Fully Integrated Defense Operation (FIDO)](https://github.com/Netflix/Fido)
* FIDO is an orchestration layer used to automate the incident response process by evaluating, assessing and responding to malware. FIDO’s primary purpose is to handle the heavy manual effort needed to evaluate threats coming from today's security stack and the large number of alerts generated by them. As an orchestration platform FIDO can make using your existing security tools more efficient and accurate by heavily reducing the manual effort needed to detect, notify and respond to attacks against a network.
* [MIG: Mozilla InvestiGator](https://http://mig.mozilla.org/)
* Mozilla's real-time digital forensics and investigation platform.
* [Invoke-IR](http://www.invoke-ir.com/)
* [Practical Comprehensive Bounds on Surreptitious Communication Over DNS](http://www.icir.org/vern/papers/covert-dns-usec13.pdf)
* Better security -> Mean time to detect/Mean time to respond
#### End Sort
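Review bot: the MIG link in `* [MIG: Mozilla InvestiGator](https://http://mig.mozilla.org/)` has a malformed URL with two schemes and will not resolve; it should read `https://mig.mozilla.org/`. The same hunk also carries two copies each of the Forensic Imager Tools and Attrition Forensics entries, both with a stray `*` after the closing parenthesis, and "Better security -> Mean time to detect/Mean time to respond" is repeated in the 101 block below; whichever copies survive the sort should be deduplicated before this lands.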
@ -46,8 +40,11 @@ Ghiro
--------------
### <a name="ir"></a>Incident Response
* **101**
* Better security --> Mean time to detect & Mean time to respond
* [Introduction to DFIR](https://sroberts.github.io/2016/01/11/introduction-to-dfir-the-beginning/)
* [Computer Security Incident Handling Guide - NIST](http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf)
* [Basics of Incident Handling - Josh Rickard](https://msadministrator.github.io/presentations/basics-of-incident-handling.html)
* [Introduction to DFIR - Scott J Roberts](https://medium.com/@sroberts/introduction-to-dfir-d35d5de4c180)
* **Articles/Papers/Talks/Writeups**
* [No Easy Breach: Challenges and Lessons Learned from an Epic Investigation](https://archive.org/details/No_Easy_Breach#)
* [An Incident Handling Process for Small and Medium Businesses - SANS 2007](https://www.sans.org/reading-room/whitepapers/incident/incident-handling-process-small-medium-businesses-1791)
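Review bot: the 101 block now lists Introduction to DFIR twice, once at sroberts.github.io/2016/01/11/introduction-to-dfir-the-beginning/ and once at medium.com/@sroberts/introduction-to-dfir-d35d5de4c180, with the same author on both; if they are the same piece, keep one (or mark the second as a mirror) so the reader is not sent to it twice.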
@ -59,6 +56,7 @@ Ghiro
* [Fraud detection and forensics on telco networks - Hack.lu 2016](https://www.youtube.com/watch?v=09EAWT_F1ZA&app=desktop)
* [Investigating PowerShell Attacks - Ryan Kazanciyan and Matt Hastings - DEFCON22](https://www.youtube.com/watch?v=qF06PFcezLs)
* This presentation will focus on common attack patterns performed through PowerShell - such as lateral movement, remote command execution, reconnaissance, file transfer, etc. - and the sources of evidence they leave behind. We'll demonstrate how to collect and interpret these forensic artifacts, both on individual hosts and at scale across the enterprise. Throughout the presentation, we'll include examples from real-world incidents and recommendations on how to limit exposure to these attacks.
* [SANS Institute Security Consensus Operational Readiness Evaluation](https://www.sans.org/media/score/checklists/LinuxCheatsheet_2.pdf)
* **Windows**
* [Know your Windows Processes or Die Trying](https://sysforensics.org/2014/01/know-your-windows-processes.html)
* Excellent quick reference on Windows proccesses with a focus on Win7. Good resource.
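Review bot: the new entry `* [SANS Institute Security Consensus Operational Readiness Evaluation](https://www.sans.org/media/score/checklists/LinuxCheatsheet_2.pdf)` links one specific document (LinuxCheatsheet_2.pdf) but titles it with the name of the whole SCORE program, so a reader cannot tell it is a Linux cheat sheet until they open it; a title that names the Linux cheat sheet itself, or a one-line sub-bullet description like the surrounding entries have, would fix that.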
@ -77,10 +75,8 @@ Ghiro
* [IRMA - Incident Response & Malware Analysis](http://irma.quarkslab.com/index.html)
* IRMA intends to be an open-source platform designed to help identifying and analyzing malicious files. However, today's defense is not only about learning about a file, but it is also getting a fine overview of the incident you dealt with: where / when a malicious file has been seen, who submitted a hash, where a hash has been noticed, which anti-virus detects it, ... An important value with IRMA comes from you keep control over where goes / who gets your data. Once you install IRMA on your network, your data stays on your network. Each submitted files is analyzed in various ways. For now, we focus our efforts on multiple anti-virus engines, but we are working on other "probes" (feel free to submit your own).
* **Miscellaneous**
* [Human Hunting](http://www.irongeek.com/i.php?page=videos/bsidessf2015/108-human-hunting-sean-gillespie)
* Much of what appears to be happening in information security seems to be focused on replacing humans with magic boxes and automation rather than providing tools to augment human capabilities. However, when we look at good physical security we see technology is being used to augment human capabilities rather than simply replace them. The adversary is human so we are ultimately looking for human directed behaviors. If analysts don't know how to go looking for evil without automated detection tools then they are not going to be able to effectively evaluate if the detection tools are working properly or if the deployment was properly engineered. An over reliance on automated detection also puts organizations in a position of paying protection money if they want to remain secure. We should be spending more resources on honing analyst hunting skills to find human adversaries rather than purchasing more automated defenses for human adversaries to bypass.
* [Human Hunting](http://www.irongeek.com/i.php?page=videos/bsidessf2015/108-human-hunting-sean-gillespie)
* Much of what appears to be happening in information security seems to be focused on replacing humans with magic boxes and automation rather than providing tools to augment human capabilities. However, when we look at good physical security we see technology is being used to augment human capabilities rather than simply replace them. The adversary is human so we are ultimately looking for human directed behaviors. If analysts don't know how to go looking for evil without automated detection tools then they are not going to be able to effectively evaluate if the detection tools are working properly or if the deployment was properly engineered. An over reliance on automated detection also puts organizations in a position of paying protection money if they want to remain secure. We should be spending more resources on honing analyst hunting skills to find human adversaries rather than purchasing more automated defenses for human adversaries to bypass.
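Review bot: the Human Hunting link and its description appear twice in this hunk with byte-identical text; if the intent is only to re-nest the entry under **Miscellaneous**, confirm the resulting file ends up with a single copy rather than the old and new one side by side.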
@ -331,49 +327,59 @@ http://www.iosresearch.org/
* "Event Tracing for Windows, (ETW), has been around for quite a while now as it was introduced in Windows 2000. It's basically instrumented logging that describes what a component is doing. Conceptually, it’s something like the proverbial printf("here1") concept used by programmers, but it is present in retail builds. When you enable logging in a component the result is an ETL (Event Trace Log) file. What’s new is that that Network Monitor can read any ETL file. And with the supplied parsers many network oriented ETW providers can be decoded."
* [NVbit : Accessing Bitlocker volumes from linux](http://www.nvlabs.in/index.php?/archives/1-NVbit-Accessing-Bitlocker-volumes-from-linux.html)
* **Educational**
* [Happy DPAPI!](http://blog.digital-forensics.it/2015/01/happy-dpapi.html)
* **General**
* [SANS CHEAT SHEET- Windows Artifact Analysis](https://uk.sans.org/posters/windows_artifact_analysis.pdf)
* **Tools**
* **Active Directory Focused**
* [NTDSXtract - Active Directory Forensics Framework](http://www.ntdsxtract.com/)
* Description from the page: This framework was developed by the author in order to provide the community with a solution to extract forensically important information from the main database of Microsoft Active Directory (NTDS.DIT).
* [BTA - AD Security Audit Framework](https://bitbucket.org/iwseclabs/bta)
* BTA is an open-source Active Directory security audit framework. Its goal is to help auditors harvest the information they need to answer such questions as:
* Who has rights over a given object (computer, user account, etc.) ?
* Who can read a given mailbox ?
* Which are the accounts with domain admin rights ?
* Who has extended rights (userForceChangePassword, SendAs, etc.) ?
* What are the changes done on an AD between two points in time ?
* **Artifact Collection**
* [FastIR Collector](https://github.com/SekoiaLab/Fastir_Collector)
* This tool collects different artefacts on live Windows and records the results in csv or json files. With the analyses of these artefacts, an early compromission can be detected.
* [FastIR Collector on advanced threats](http://www.sekoia.fr/blog/wp-content/uploads/2015/10/FastIR-Collector-on-advanced-threats_v1.4.pdf)
* [triage-ir](https://code.google.com/p/triage-ir/)
* Triage: Incident Response automatically collect information from a system that needs basic triage functions performed upon it. The script allows for easy modification for customization to your needs, in an easy to comprehend and implement language. This tool uses a lot others to get its information. Eventually I hope to eliminate the need for them, but use them as verification. This tool requires you to download the Sysinternals Suite if you want full functionality to it.
* [Rapier](https://code.google.com/p/rapier/)
* RAPIER is a security tool built to facilitate first response procedures for incident handling. It is designed to acquire commonly requested information and samples during an information security event, incident, or investigation. RAPIER automates the entire process of data collection and delivers the results directly to the hands of a skilled security analyst
* **Autoruns**
* [AutoRuns PowerShell Module](https://github.com/p0w3rsh3ll/AutoRuns)
* AutoRuns module was designed to help do live incident response and enumerate autoruns artifacts that may be used by legitimate programs as well as malware to achieve persistence.
* [WMI_Forensics](https://github.com/davidpany/WMI_Forensics)
* This repository contains scripts used to find evidence in WMI repositories
* [NTDSXtract - Active Directory Forensics Framework](http://www.ntdsxtract.com/)
* Description from the page: This framework was developed by the author in order to provide the community with a solution to extract forensically important information from the main database of Microsoft Active Directory (NTDS.DIT).
* [Did it Execute? - Mandiant](https://www.mandiant.com/blog/execute/)
* You found a malicious executable! Now you’ve got a crucial question to answer: did the file execute? We’ll discuss a few sources of evidence you can use to answer this question. In this post, we will focus on static or “dead drive” forensics on Windows systems. We will cover four main sources of evidence: Windows Prefetch, Registry, Log Files, and File Information.
* [Get-InjectedThread.ps1](https://gist.github.com/jaredcatkinson/23905d34537ce4b5b1818c3e6405c1d2)
* Code from "Taking Hunting to the Next Level: Hunting in Memory" presentation at SANS Threat Hunting Summit 2017 by Jared Atkinson and Joe Desimone
* [HowTo: Determine Program Execution](http://windowsir.blogspot.com/2013/07/howto-determine-program-execution.html)
* [Kansa -A Powershell incident response framework ](https://github.com/davehull/Kansa)
* A modular incident response framework in Powershell. Note there's a bug that's currently cropping up in PowerShell version 2 systems, but version 3 and later should be fine
* [DPAPIck](http://dpapick.com/)
* This is a forensic tool to deal, in an offline way, with Microsoft Windows® protected data, using the DPAPI (Data Protection API
* [WinPrefetchView v1.25](http://www.nirsoft.net/utils/win_prefetch_view.html)
* Each time that you run an application in your system, a Prefetch file which contains information about the files loaded by the application is created by Windows operating system. The information in the Prefetch file is used for optimizing the loading time of the application in the next time that you run it. WinPrefetchView is a small utility that reads the Prefetch files stored in your system and display the information stored in them. By looking in these files, you can learn which files every application is using, and which files are loaded on Windows boot.
* [BTA - AD Security Audit Framework](https://bitbucket.org/iwseclabs/bta)
* BTA is an open-source Active Directory security audit framework. Its goal is to help auditors harvest the information they need to answer such questions as:
* Who has rights over a given object (computer, user account, etc.) ?
* Who can read a given mailbox ?
* Which are the accounts with domain admin rights ?
* Who has extended rights (userForceChangePassword, SendAs, etc.) ?
* What are the changes done on an AD between two points in time ?
* [PowerForensics - PowerShell Digital Forensics](https://github.com/Invoke-IR/PowerForensics)
* The purpose of PowerForensics is to provide an all inclusive framework for hard drive forensic analysis. PowerForensics currently supports NTFS and FAT file systems, and work has begun on Extended File System and HFS+ support.
* [FastIR Collector](https://github.com/SekoiaLab/Fastir_Collector)
* This tool collects different artefacts on live Windows and records the results in csv or json files. With the analyses of these artefacts, an early compromission can be detected.
* [FastIR Collector on advanced threats](http://www.sekoia.fr/blog/wp-content/uploads/2015/10/FastIR-Collector-on-advanced-threats_v1.4.pdf)
* [Windows Attribute changer](http://www.petges.lu/home/)
* [PowerForensics - PowerShell Digital Forensics](https://github.com/Invoke-IR/PowerForensics)
* The purpose of PowerForensics is to provide an all inclusive framework for hard drive forensic analysis. PowerForensics currently supports NTFS and FAT file systems, and work has begun on Extended File System and HFS+ support.
* [LogonTracer](https://github.com/JPCERTCC/LogonTracer)
* Investigate malicious Windows logon by visualizing and analyzing Windows event log
* [PoSH-R2](https://github.com/WiredPulse/PoSh-R2)
* PoSH-R2 is a set of Windows Management Instrumentation interface (WMI) scripts that investigators and forensic analysts can use to retrieve information from a compromised (or potentially compromised) Windows system. The scripts use WMI to pull this information from the operating system. Therefore, this script will need to be executed with a user that has the necessary privileges.
* **DPAPI**
* [DPAPIck](http://dpapick.com/)
* This is a forensic tool to deal, in an offline way, with Microsoft Windows® protected data, using the DPAPI (Data Protection API
* **File Systems**
* [PowerForensics - PowerShell Digital Forensics](https://github.com/Invoke-IR/PowerForensics)
* The purpose of PowerForensics is to provide an all inclusive framework for hard drive forensic analysis. PowerForensics currently supports NTFS and FAT file systems, and work has begun on Extended File System and HFS+ support.
* **Memory Acquisition**
* [Margarita Shotgun](https://github.com/ThreatResponse/margaritashotgun)
* Python Remote Memory Aquisition
* **Pre-Fetch**
* [WinPrefetchView v1.25](http://www.nirsoft.net/utils/win_prefetch_view.html)
* Each time that you run an application in your system, a Prefetch file which contains information about the files loaded by the application is created by Windows operating system. The information in the Prefetch file is used for optimizing the loading time of the application in the next time that you run it. WinPrefetchView is a small utility that reads the Prefetch files stored in your system and display the information stored in them. By looking in these files, you can learn which files every application is using, and which files are loaded on Windows boot.
* **Powershell**
* [Kansa -A Powershell incident response framework ](https://github.com/davehull/Kansa)
* A modular incident response framework in Powershell. Note there's a bug that's currently cropping up in PowerShell version 2 systems, but version 3 and later should be fine
* **Program Execution**
* [Did it Execute? - Mandiant](https://www.mandiant.com/blog/execute/)
* You found a malicious executable! Now you’ve got a crucial question to answer: did the file execute? We’ll discuss a few sources of evidence you can use to answer this question. In this post, we will focus on static or “dead drive” forensics on Windows systems. We will cover four main sources of evidence: Windows Prefetch, Registry, Log Files, and File Information.
* [HowTo: Determine Program Execution](http://windowsir.blogspot.com/2013/07/howto-determine-program-execution.html)
* **WMI Focused**
* [PoSH-R2](https://github.com/WiredPulse/PoSh-R2)
* PoSH-R2 is a set of Windows Management Instrumentation interface (WMI) scripts that investigators and forensic analysts can use to retrieve information from a compromised (or potentially compromised) Windows system. The scripts use WMI to pull this information from the operating system. Therefore, this script will need to be executed with a user that has the necessary privileges.
* [WMI_Forensics](https://github.com/davidpany/WMI_Forensics)
* This repository contains scripts used to find evidence in WMI repositories
* **Miscellaneous**
* [Windows Attribute changer](http://www.petges.lu/home/)
* [Get-InjectedThread.ps1](https://gist.github.com/jaredcatkinson/23905d34537ce4b5b1818c3e6405c1d2)
* Code from "Taking Hunting to the Next Level: Hunting in Memory" presentation at SANS Threat Hunting Summit 2017 by Jared Atkinson and Joe Desimone
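Review bot: the DPAPIck description under **DPAPI** (`* This is a forensic tool to deal, in an offline way, with Microsoft Windows® protected data, using the DPAPI (Data Protection API`) is cut off mid-sentence with an unclosed parenthesis and was carried over unchanged from the old flat list; close it while moving it. Other points in this hunk: "Aquisition" in the Margarita Shotgun line should be "Acquisition"; the `**Pre-Fetch**` heading should match the artifact name Prefetch used in the WinPrefetchView description under it; the `**Powershell**` heading and the PowerForensics entry disagree on PowerShell capitalization; and Windows Attribute changer is the only tool in the block still without a description sub-bullet. The split into Active Directory, Artifact Collection, Autoruns, DPAPI, File Systems, Memory Acquisition, Prefetch, PowerShell, Program Execution and WMI categories is otherwise a clear improvement over the flat list.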


+ 17
- 5
Draft/Fuzzing Bug Hunting.md View File

@ -22,17 +22,16 @@
#### sort
https://raw.githubusercontent.com/secfigo/Awesome-Fuzzing/master/README.md
* Add Descriptions/generals to types of fuzzing
* [0-day streams: pdfcrack](https://www.youtube.com/watch?v=8VLNPIIgKbQ&app=desktop)
* [FuzzManager](https://github.com/MozillaSecurity/FuzzManager)
* With this project, we aim to create a management toolchain for fuzzing. Unlike other toolchains and frameworks, we want to be modular in such a way that you can use those parts of FuzzManager that seem interesting to you without forcing a process upon you that does not fit your requirements.
* [COMRaider](http://sandsprite.com/iDef/COMRaider/)
* ActiveX Fuzzing tool with GUI, object browser, system scanner, and distributed auditing capabilities
* [Github](https://github.com/dzzie/COMRaider)
* [Basic fuzzing framework](https://www.cert.org/vulnerability-analysis/tools/bff-download.cfm)
* [Fuzzing 101 (Part 1)]()
* [Fuzzing 101 (Part 2)](https://vimeo.com/5237484)
* [Differential Slicing: Identifying Causal Execution Differences for Security Applications](http://bitblaze.cs.berkeley.edu/papers/diffslicing_oakland11.pdf)
* Abstract —A security analyst often needs to understand two runs of the same program that exhibit a difference in program state or output. This is important, for example, for vulnerability analysis, as well as for analyzing a malware program that features different behaviors when run in different environments. In this paper we propose a differential slicing approach that automates the analysis of such execution differences. Differential slicing outputs a causal difference graph that captures the input differences that triggered the observe d difference and the causal path of differences that led from thos e input differences to the observed difference. The analyst uses the graph to quickly understand the observed difference. We implement differential slicing and evaluate it on the analysis of 11 real-world vulnerabilities and 2 malware samples with environment-dependent behaviors. We also evaluate it in an informal user study with two vulnerability analysts. Our results show that differential slicing successfully identifies the input differences that caused the observed difference and that the causal difference graph significantly reduces the amount of time and effort required for an analyst to understand the observed difference
#### end sort
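Review bot: `* [Fuzzing 101 (Part 1)]()` has an empty link target and renders as a dead link; supply the URL or drop the entry until it is found (Part 2 points at vimeo.com/5237484, which is where to look). The COMRaider and pdfcrack entries in this sort block are also added to the categorized **COM Fuzzing** and **PDF** sections further down in the same commit, so confirm they are removed here rather than left in both places.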
@ -121,6 +120,10 @@ https://raw.githubusercontent.com/secfigo/Awesome-Fuzzing/master/README.md
* [MFFA - Media Fuzzing Framework for Android](https://github.com/fuzzing/MFFA)
* [android-afl](https://github.com/ele7enxxh/android-afl)
* Fuzzing Android program with american fuzzy lop (AFL)
* [Droid Application Fuzz Framework](https://github.com/ajinabraham/Droid-Application-Fuzz-Framework)
* Droid Application Fuzz Framework (DAFF) helps you to fuzz Android Browsers and PDF Readers for memory corruption bugs in real android devices. You can use the inbuilt fuzzers or import fuzz files from your own custom fuzzers. DAFF consist of inbuilt fuzzers and crash monitor. It currently supports fuzzing the following applications:
* [MFFA - Media Fuzzing Framework for Android (Stagefright fuzzer)](https://github.com/fuzzing/MFFA)
* The main idea behind this project is to create corrupt but structurally valid media files, direct them to the appropriate software components in Android to be decoded and/or played and monitor the system for potential issues (i.e system crashes) that may lead to exploitable vulnerabilities. Custom developed Python scripts are used to send the malformed data across a distributed infrastructure of Android devices, log the findings and monitor for possible issues, in an automated manner. The actual decoding of the media files on the Android devices is done using the Stagefright command line interface. The results are sorted out, in an attempt to find only the unique issues, using a custom built triage mechanism.
* **Browser Bug Hunting/Fuzzing**
* [Browser Bug Hunting and Mobile](http://slides.com/revskills/fzbrowsers#/)
* [Grinder - Fuzzer](https://github.com/stephenfewer/grinder)
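Review bot: the DAFF description ends with "It currently supports fuzzing the following applications:" and then lists nothing, so the sentence dangles; either add the list it refers to or end the sentence before the colon. MFFA is also present twice in the Android block, once as `* [MFFA - Media Fuzzing Framework for Android](https://github.com/fuzzing/MFFA)` and once with the "(Stagefright fuzzer)" suffix and a description; keep only the described one.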
@ -143,10 +146,15 @@ https://raw.githubusercontent.com/secfigo/Awesome-Fuzzing/master/README.md
* Main repository to pull all Cisco ASA-related projects.
* [asafw](https://github.com/nccgroup/asafw)
* Set of scripts to deal with Cisco ASA firmware [pack/unpack etc.]
* **COM Fuzzing**
* [COMRaider](http://sandsprite.com/iDef/COMRaider/)
* ActiveX Fuzzing tool with GUI, object browser, system scanner, and distributed auditing capabilities
* [Github](https://github.com/dzzie/COMRaider)
* **File Formats Bug Hunting/Fuzzing**
* [Practical File Format Fuzzing](http://www.irongeek.com/i.php?page=videos/derbycon3/3301-practical-file-format-fuzzing-jared-allar)
* File format fuzzing has been very fruitful at discovering exploitable vulnerabilities. Adversaries take advantage of these vulnerabilities to conduct spear-phishing attacks. This talk will cover the basics of file format fuzzing and show you how to use CERT’s fuzzing frameworks to discovery vulnerabilities in file parsers.
* [File Format Fuzzing in Android](https://deepsec.net/docs/Slides/2015/File_Format_Fuzzing_in_Android_-Alexandru_Blanda.pdf)
* [Funky File Formats - Advanced Binary Exploitation](http://media.ccc.de/browse/congress/2014/31c3_-_5930_-_en_-_saal_6_-_201412291400_-_funky_file_formats_-_ange_albertini.html#video)
* **Network Protocols Bug Hunting/Fuzzing**
* **Articles/Writeups**
* [Fuzzing proprietary protocols with Scapy, radamsa and a handful of PCAPs](https://blog.blazeinfosec.com/fuzzing-proprietary-protocols-with-scapy-radamsa-and-a-handful-of-pcaps/)
@ -172,6 +180,8 @@ https://raw.githubusercontent.com/secfigo/Awesome-Fuzzing/master/README.md
* Network accessible medical devices are ubiquitous in today’s clinical environment. These devices can be of great aid to healthcare profes- sionals in assessing, treating and monitoring a patient’s condition. However, they can also fall victim to a number of systemic vulnerabili- ties that can expose personal health information or PHI, compromise the integrity of patient data in transit, and affect the availability of the devices themselves. This talk looks at the methodology and approach to penetration testing of modern medical devices. It will provide an overview of the various stages of a medical device assessment, including discovery and analysis of a device’s remote and local attack surface, reverse engineering and exploitation of proprietary network protocols, vulner- ability discovery in network services, compromising supporting sys- tems, attacking common wireless protocols, exploitation of hardware debug interfaces and bus protocols and assessing proprietary wireless technologies. It will also cover a number of real world vulnerabilities that the speaker has discovered during medical device penetration testing assessments. These include weak cryptographic implementations, device impersonation and data manipulation vulnerabilities in pro- prietary protocols, unauthenticated database interfaces, hardcoded credentials/keys and other sensitive information stored in firmware/ binaries and the susceptibility of medical devices to remote denial of service attacks. The talk will conclude with some suggestions on how some of the most common classes of medical device vulnerabilities might be reme- diated by vendors and also how hospitals and other healthcare provid- ers can defend their medical devices in the meantime.
* **OS X Bug Hunting/Fuzzing**
* [There's a lot of vulnerable OS X applications out there](https://vulnsec.com/2016/osx-apps-vulnerabilities/)
* **PDF**
* [0-day streams: pdfcrack](https://www.youtube.com/watch?v=8VLNPIIgKbQ&app=desktop)
* **RTP**
* [ohrwurm](http://mazzoo.de/blog/2006/08/25#ohrwurm)
* ohrwurm is a small and simple RTP fuzzer, I tested it on a small number of SIP phones, none of them did withstand.
@ -214,7 +224,9 @@ https://raw.githubusercontent.com/secfigo/Awesome-Fuzzing/master/README.md
* Diffing libs in Win7 compared to Win8 to id vuln dlls.
* [Fuzzing for MS15-010](http://blog.beyondtrust.com/fuzzing-for-ms15-010)
* Is what it says on the tin.
* **Patch Analysis**
* [Microsoft Patch Analysis for Exploitation - Stephen Sims](https://www.irongeek.com/i.php?page=videos/bsidescharm2017/bsidescharm-2017-t111-microsoft-patch-analysis-for-exploitation-stephen-sims)
* Since the early 2000's Microsoft has distributed patches on the second Tuesday of each month. Bad guys, good guys, and many in-between compare the newly released patches to the unpatched version of the files to identify the security fixes. Many organizations take weeks to patch and the faster someone can reverse engineer the patches and get a working exploit written, the more valuable it is as an attack vector. Analysis also allows a researcher to identify common ways that Microsoft fixes bugs which can be used to find 0-days. Microsoft has recently moved to mandatory cumulative patches which introduces complexity in extracting patches for analysis. Join me in this presentation while I demonstrate the analysis of various patches and exploits, as well as the best-known method for modern patch extraction.
-----------------
### Non-Specific Tools(Don't explicitly fit into above sections)


+ 50
- 0
Draft/Game Hacking.md View File

@ -20,6 +20,51 @@ Fix ToC
* [Awesome Gamedev](https://github.com/Calinou/awesome-gamedev)
* A collection of free software and free culture resources for making amazing games.
* [EFF FAQ on Reverse Engineering Legalities](https://www.eff.org/issues/coders/reverse-engineering-faq)
* This FAQ details information that may help reverse engineers reduce their legal risk. *Use this information as a guide, not actual legal advice.*
* [Hack.lu 2017: (Workshop) Reverse Engineering a MMORPG](https://www.slideshare.net/AntoninBeaujeant/reverse-engineering-a-mmorpg)
* This workshop covers the basics of reverse engineering a (M)MORPG. The target is [Pwn Adventure 3](http://www.pwnadventure.com/), an intentionally-vulnerable MMORPG developed by [Vector35](https://vector35.com/).
[Hack the Vote 2016 CTF "The Wall" Solution](https://zerosum0x0.blogspot.com/2016/11/hack-vote-wall-solution.html) | A write-up for a 2016 CTF challenge
involving the multiplayer, open source Minecraft clone, Minetest.
[Deciphering MMORPG Protocol Encoding](https://stackoverflow.com/questions/539812/deciphering-mmorpg-protocol-encoding)
[Reverse Engineering of a Packet Encryption Function of a Game](https://reverseengineering.stackexchange.com/questions/8816/reverse-engineering-of-a-packet-encryption-function-of-a-game)
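Review bot: the last four added lines, from `[Hack the Vote 2016 CTF "The Wall" Solution]` through `[Reverse Engineering of a Packet Encryption Function of a Game]`, are missing the leading `* ` bullet that every other entry in this file uses, so they render as run-on paragraph text rather than list items; the Hack the Vote entry additionally separates its description with a `|` and wraps mid-sentence onto the next line. Format them like the Hack.lu entry directly above: the link as a `* ` item and the description as an indented `* ` sub-bullet on one line.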