Benjamin-Yves Trapp BenjiTrapp

🏠
Working from home
View GitHub Profile

g.co, Google's official URL shortcut (update: or Google Workspace's domain verification, see bottom), is compromised. People are actively having their Google accounts stolen.

Someone just tried the most sophisticated phishing attack I've ever seen. I almost fell for it. My mind is a little blown.

  1. Someone named "Chloe" called me from 650-203-0000 with Caller ID saying "Google". She sounded like a real engineer, the connection was super clear, and she had an American accent. Screenshot.

  2. They said that they were from Google Workspace and someone had recently gained access to my account, which they had blocked. They asked me if I had recently logged in from Frankfurt, Germany and I said no.

  3. I asked if they can confirm this is Google calling by emailing me from a Google email and they said sure and sent me this email and told me to look for a case number in it, which I saw in

@Neo23x0
Neo23x0 / fortinet-domains.txt
Last active February 17, 2025 09:45
FortiGate Dump Domains - Grouped by TLD and Sorted Alphabetically
This is a list of the domains used in the contact email addresses found in the Fortinet dump file as published by Belsen Group and analysed by Kevin Beaumont on Mastodon: https://cyberplace.social/@GossiTheDog/113834848200229959
Some of these domains may just be the domains of free email services or services providers working for the actual victims.
```c
#include <stdio.h>
#include <stdint.h>
// Philips Sonicare NFC Head Password calculation by @atc1441 Video manual: https://www.youtube.com/watch?v=EPytrn8i8sc
uint16_t CRC16(uint16_t crc, uint8_t *buffer, int len) // Default CRC16 Algo
{
    while (len--)
    {
        crc ^= *buffer++ << 8;   // fold the next input byte into the high byte of the register
        int bits = 0;
        do
        {
            // The gist preview is cut off after "do"; the loop body below is an
            // assumption: the common CRC-16/CCITT step with polynomial 0x1021.
            if (crc & 0x8000)
                crc = (crc << 1) ^ 0x1021;
            else
                crc <<= 1;
        } while (++bits < 8);
    }
    return crc;
}
```
```powershell
function Get-RdpLogonEvent
{
    [CmdletBinding()]
    param(
        [Int32] $Last = 10
    )
    # The gist preview ends inside the filter hashtable; the completion below is an
    # assumption: successful logons (4624) whose LogonType (property index 8) is 10, RemoteInteractive.
    $RdpInteractiveLogons = Get-WinEvent -FilterHashtable @{
        LogName      = 'Security'
        ProviderName = 'Microsoft-Windows-Security-Auditing'
        Id           = 4624
    } | Where-Object { $_.Properties[8].Value -eq 10 } | Select-Object -First $Last
    $RdpInteractiveLogons
}
```
@tothi
tothi / certifried_with_krbrelayup.md
Last active December 18, 2024 19:47
Certifried combined with KrbRelayUp: non-privileged domain user to Domain Admin without adding/pre-owning computer accounts

Certifried combined with KrbRelayUp

Certifried (CVE-2022-26923) gives Domain Admin from a non-privileged user with the requirement of adding computer accounts or owning a computer account. Kerberos Relay targeting LDAP and Shadow Credentials gives a non-privileged domain user on a domain-joined machine local admin access on (aka owning) the machine. The combination of these two: a non-privileged domain user escalating to Domain Admin without the requirement of adding/owning computer accounts.

The attack below uses only Windows (no Linux tools interacting with the Domain), simulating a real-world attack scenario.

Prerequisites:

@S3cur3Th1sSh1t
S3cur3Th1sSh1t / kerberos_attacks_cheatsheet.md
Created December 13, 2021 12:58 — forked from TarlogicSecurity/kerberos_attacks_cheatsheet.md
A cheatsheet with commands that can be used to perform kerberos attacks

Kerberos cheatsheet

Bruteforcing

With kerbrute.py:

python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>

With Rubeus version with brute module:

```bash
# Source: https://gist.github.com/9774cf9d4d39b02bb01db928d9f3a0d2
####################################################
# Kubernetes Native Policy Management With Kyverno #
# https://youtu.be/DREjzfTzNpA #
####################################################
# Referenced videos:
# - How to apply policies in Kubernetes using Open Policy Agent (OPA) and Gatekeeper: https://youtu.be/14lGc7xMAe4
# - K3d - How to run Kubernetes cluster locally using Rancher k3s: https://youtu.be/mCesuGk-Fks
```
@PatrLind
PatrLind / protect-kube-config.md
Created April 26, 2021 08:43
How to protect your ~/.kube/ configuration

How to protect your ~/.kube/ configuration

I had a need to protect my Kubernetes config file on my computer against accidental or malicious change or reading, so I came up with this way of protecting the config files.

How it works

The ~/.kube folder is mounted using encfs. By using the --ondemand flag it will automatically ask for the encryption key/password when accessed and keep

@X-C3LL
X-C3LL / hookdetector.vba
Created December 7, 2020 22:31
VBA Macro to detect EDR Hooks (It's just a PoC)
```vba
Private Declare PtrSafe Function GetModuleHandleA Lib "KERNEL32" (ByVal lpModuleName As String) As LongPtr
Private Declare PtrSafe Function GetProcAddress Lib "KERNEL32" (ByVal hModule As LongPtr, ByVal lpProcName As String) As LongPtr
Private Declare PtrSafe Sub CopyMemory Lib "KERNEL32" Alias "RtlMoveMemory" (ByVal Destination As LongPtr, ByVal Source As LongPtr, ByVal Length As Long)
'VBA Macro that detects hooks made by EDRs
'PoC By Juan Manuel Fernandez (@TheXC3LL) based on a post from SpecterOps (https://posts.specterops.io/adventures-in-dynamic-evasion-1fe0bac57aa)
Public Function checkHook(ByVal target As String, hModule As LongPtr) As Integer
    Dim address As LongPtr
```
@zaenk
zaenk / privileges.md
Created November 21, 2020 21:48
PostgreSQL grant privileges for future tables

Spring Boot makes database migration with Flyway or Liquibase almost effortless - but by default it will use the spring.datasource.* credentials when running the migrations, which kinda suggests that this user should have ALL PRIVILEGES on the schema. This is risky, because... well, if you found this page, you are probably familiar with poor little Bobby Tables.

Spring Boot also makes it possible to configure separate credentials for running database migrations with the spring.flyway.* or spring.liquibase.* properties.

I prefer app credentials this way: an app owner with ALL PRIVILEGES to run the migrations and an app user with least privileges, mostly CRUD or some limited EXECUTE for the app itself.