BackBox.org offers a range of Penetration Testing services to simulate an attack on your network or application. If you are interested in our services, please contact us and we will provide you with further information as well as an initial consultation.
Stealthy AD CS Reconnaissance
Ever since Will Schroeder and Lee Christensen from SpecterOps released their seminal Active Directory Certificate Services (AD CS) research, it has been a popular avenue for Windows domain privilege escalation, used by security professionals and threat actors alike.
Such attack paths usually begin with the enumeration of published certificate templates by means of LDAP queries to a domain controller (or COM/RPC requests to a certificate authority). However, in mature environments LDAP traffic is monitored for known tool behavior and malicious activity, both on the client side (API hooking, ETW) and on the server side (query logging, SACL-based audit policies). To evade these detections, attackers use selective queries, obfuscate their requests, leverage native utilities and have developed new enumeration techniques, with corresponding tooling, based on alternative protocols such as Active Directory Web Services (ADWS).
Wouldn’t it be convenient to use another – less monitored – data source to learn the same information?
Registry Certificate Template Cache
This is what Cedric Van Bockhaven and Max Grim from Outflank presented in their talk "The Registry Rundown" at Troopers. They discovered that the local registry contains a certificate template cache.
AD CS is a gift that keeps on giving (ESC13, ESC14, ESC15) with new misconfigurations being discovered on a regular basis. It therefore seemed natural to plug this new data source into an existing analysis framework to reuse its capabilities and structured data output.
Extend Existing Tooling
This idea was realized by introducing a new certipy command to parse TrustedSec's reg_query BOF output as well as the text-based Windows registry (.reg) file format.
Using the reg_query BOF
Assuming you have code execution as a low-privileged user on a domain-joined Windows machine, collect the cached certificate template metadata from the local registry using:
One missing piece of information is whether the certificate template is actually published to a certificate authority. This still has to be queried via LDAP:
Passing the returned comma-separated list of published template names, the previously captured registry query output and a set of SIDs belonging to owned principals allows the familiar analysis using certipy:
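As an added example (it is not certipy's own code and not from the post), the following Python parses the text-based .reg format that the new command accepts and applies the ESC1-style checks against a comma-separated list of published template names, like the one returned by the LDAP query above. The registry key path, the value names (assumed to mirror the LDAP attribute names such as msPKI-Enrollment-Flag and ExtendedKeyUsage) and the sample export are assumptions; the reg_query BOF's own text output and the owned-SID / security-descriptor evaluation are not handled here.

```python
r"""Parse a regedit .reg export of the AD CS certificate template cache and flag
ESC1-style templates.  Added example, not certipy's parser.  Assumptions not on
the page: the cache root is HKLM\SOFTWARE\Microsoft\Cryptography\CertificateTemplateCache
with one subkey per template, value names mirror the LDAP attribute names, and
SAMPLE_REG below is constructed rather than a real export."""
import re

CACHE_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\CertificateTemplateCache"
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1  # msPKI-Certificate-Name-Flag (MS-CRTD)
CT_FLAG_PEND_ALL_REQUESTS = 0x2          # msPKI-Enrollment-Flag: manager approval
# EKUs usable for client/PKINIT authentication; an empty EKU list means any purpose.
CLIENT_AUTH_EKUS = {"1.3.6.1.5.5.7.3.2", "1.3.6.1.5.2.3.4",
                    "1.3.6.1.4.1.311.20.2.2", "2.5.29.37.0"}

_VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
_HEX_VALUE = re.compile(r"^hex(?:\(([0-9a-fA-F]+)\))?:(.*)$")


def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)  # .reg escapes \ and " with a backslash


def _decode_value(v):
    if v.startswith('"') and v.endswith('"'):
        return _unescape(v[1:-1])                          # REG_SZ
    if v.startswith("dword:"):
        return int(v[6:], 16)                              # REG_DWORD, hex digits
    m = _HEX_VALUE.match(v)
    if not m:
        return v
    kind = int(m.group(1) or "3", 16)                      # bare hex: is REG_BINARY (3)
    data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
    if kind == 7:                                          # REG_MULTI_SZ: UTF-16LE, NUL-separated
        return [s for s in data.decode("utf-16-le").split("\x00") if s]
    return data                                            # REG_BINARY (e.g. the Security descriptor)


def parse_reg_export(text):
    """Return {key_path: {value_name: value}}.  regedit writes UTF-16LE with a BOM,
    so open real exports with encoding="utf-16"."""
    text = re.sub(r"\\\r?\n[ \t]*", "", text)  # join wrapped hex lines (trailing backslash)
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = _VALUE_LINE.match(line)
        if current is not None and m:
            name = "@" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            keys[current][name] = _decode_value(m.group(2))
    return keys


def find_esc1_candidates(keys, published_csv):
    """Published templates where the enrollee supplies the subject, no manager
    approval or authorized signature is required, and an auth EKU is present."""
    published = {p.strip().lower() for p in published_csv.split(",") if p.strip()}
    hits = []
    for path, v in keys.items():
        if not path.lower().startswith(CACHE_KEY.lower() + "\\"):
            continue  # not a template subkey
        name = path.rsplit("\\", 1)[-1]
        ekus = v.get("ExtendedKeyUsage") or []
        if (name.lower() in published
                and v.get("msPKI-Certificate-Name-Flag", 0) & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
                and not v.get("msPKI-Enrollment-Flag", 0) & CT_FLAG_PEND_ALL_REQUESTS
                and v.get("msPKI-RA-Signature", 0) == 0
                and (not ekus or set(ekus) & CLIENT_AUTH_EKUS)):
            hits.append(name)
    return sorted(hits)


# Constructed sample export: one ESC1 candidate, one needing manager approval,
# one with the same flags but not published.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\CertificateTemplateCache\VulnWebServer]
"DisplayName"="Vuln \"Web\" Server"
"msPKI-Certificate-Name-Flag"=dword:00000001
"msPKI-Enrollment-Flag"=dword:00000000
"msPKI-RA-Signature"=dword:00000000
"ExtendedKeyUsage"=hex(7):31,00,2e,00,33,00,2e,00,36,00,2e,00,31,00,2e,00,35,00,\
  2e,00,35,00,2e,00,37,00,2e,00,33,00,2e,00,32,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\CertificateTemplateCache\ApprovedWeb]
"msPKI-Certificate-Name-Flag"=dword:00000001
"msPKI-Enrollment-Flag"=dword:00000002
"msPKI-RA-Signature"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\CertificateTemplateCache\UnpublishedVuln]
"msPKI-Certificate-Name-Flag"=dword:00000001
"msPKI-Enrollment-Flag"=dword:00000000
"msPKI-RA-Signature"=dword:00000000
'''

if __name__ == "__main__":
    print(find_esc1_candidates(parse_reg_export(SAMPLE_REG), "VulnWebServer,ApprovedWeb,User"))
```

Real exports are UTF-16LE with a BOM, so read them with open(path, encoding="utf-16") before passing the text in. A template with no EKU value is treated as any-purpose, which is why UnpublishedVuln would also be reported if it appeared in the published list; the published check is what separates a dormant template from a usable one.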
Using regedit.exe
If you instead have interactive access to a compromised client and want to use the native regedit.exe utility to live off the land and blend better into the target environment, you can File > Export the relevant registry branch to a .reg file. Changing -format to reg allows parsing of this too:
What’s next?
Of course, being aware of the available certificate templates is only the first step. Obtaining a valid certificate while avoiding possible honeypots, detections based on suspicious ticket options during PKINIT, or Kerberos traffic from an unusual process is left as an exercise for the sophisticated attacker.
As for detection, the same mechanism used for detecting local SCCM reconnaissance (a custom SACL on the relevant registry keys) can be employed.
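To show what that detection looks like once the audit events arrive, here is an added example (not from the post, nor from the SCCM reconnaissance write-up it refers to) that groups registry object-access events on the template cache key by user and process and reports readers that are not on an allowlist, together with how many template subkeys they touched. It assumes a read-auditing SACL on the cache key and its subkeys with the Audit Registry subcategory enabled, so that accesses surface as event 4663 with the \REGISTRY\MACHINE\... object name; the allowlist and the sample events are constructed placeholders.

```python
r"""Run registry audit events for the certificate template cache through a small
detection rule.  Added example, not from the post.  Assumptions: a SACL auditing
reads on HKLM\SOFTWARE\Microsoft\Cryptography\CertificateTemplateCache (Audit
Registry subcategory enabled) yields 4663 events whose ObjectName uses the
\REGISTRY\MACHINE\... form; EXPECTED_PROCESSES is a placeholder allowlist to be
tuned per environment; EVENTS is constructed, not captured."""
from collections import defaultdict

CACHE_OBJECT = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\CertificateTemplateCache"
KEY_QUERY_VALUE, KEY_ENUMERATE_SUB_KEYS = 0x0001, 0x0008      # access mask bits (winnt.h)
READ_MASK = KEY_QUERY_VALUE | KEY_ENUMERATE_SUB_KEYS
# Hypothetical allowlist of processes that legitimately read the cache.
EXPECTED_PROCESSES = {r"c:\windows\system32\svchost.exe"}


def flag_cache_recon(events, expected=EXPECTED_PROCESSES, bulk_threshold=3):
    """Group 4663 read events on the cache by (user, process) and report every
    non-allowlisted reader with the number of distinct template subkeys it touched."""
    touched = defaultdict(set)
    for ev in events:
        if ev.get("EventID") != 4663 or ev.get("ObjectType") != "Key":
            continue
        obj = ev["ObjectName"]
        if not obj.lower().startswith(CACHE_OBJECT.lower()):
            continue                                        # some other key
        if int(ev["AccessMask"], 16) & READ_MASK == 0:
            continue                                        # not a read (e.g. the cache refresh)
        proc = ev["ProcessName"].lower()
        if proc in expected:
            continue
        subkey = obj[len(CACHE_OBJECT):].strip("\\").split("\\")[0]   # template name, or "" for the root
        touched[(ev["SubjectUserName"], proc)].add(subkey)
    alerts = []
    for (user, proc), subkeys in sorted(touched.items()):
        n = len(subkeys - {""})
        alerts.append({"user": user, "process": proc, "templates": n,
                       "bulk_enumeration": n >= bulk_threshold})
    return alerts


def _ev(user, proc, obj, mask="0x1"):
    """Build a minimal 4663 record with the fields the rule consumes (constructed)."""
    return {"EventID": 4663, "ObjectType": "Key", "SubjectUserName": user,
            "ProcessName": proc, "ObjectName": obj, "AccessMask": mask}


# Constructed events: an implant walking the cache, regedit reading part of it,
# a system service refreshing it, and an unrelated key for contrast.
IMPLANT = r"C:\Users\bob\AppData\Local\Temp\update.exe"
REGEDIT = r"C:\Windows\regedit.exe"
EVENTS = [
    _ev("bob", IMPLANT, CACHE_OBJECT, "0x8"),
    _ev("bob", IMPLANT, CACHE_OBJECT + r"\User"),
    _ev("bob", IMPLANT, CACHE_OBJECT + r"\Machine"),
    _ev("bob", IMPLANT, CACHE_OBJECT + r"\WebServer"),
    _ev("bob", IMPLANT, r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid"),
    _ev("bob", REGEDIT, CACHE_OBJECT, "0x8"),
    _ev("bob", REGEDIT, CACHE_OBJECT + r"\User"),
    _ev("bob", REGEDIT, CACHE_OBJECT + r"\Machine"),
    _ev("SYSTEM", r"C:\Windows\System32\svchost.exe", CACHE_OBJECT + r"\User", "0x2"),
    _ev("SYSTEM", r"C:\Windows\System32\svchost.exe", CACHE_OBJECT + r"\User"),
]

if __name__ == "__main__":
    for alert in flag_cache_recon(EVENTS):
        print(alert)
```

Note that the native regedit.exe route from the post is still reported here: the allowlist, not the process being a Windows binary, decides what is expected. A full File > Export opens every template subkey, so on a real host it would also cross the bulk threshold; a user-context process reading the cache at all is usually the stronger signal than the count.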
Happy red teaming.
Compass Security Blog – Read More
8Base Ransomware Data Leak Sites Seized in International Law Enforcement Operation
Source: The Nation
A coordinated law enforcement operation has taken down the dark web data leak and negotiation sites associated with the 8Base ransomware gang.
Visitors to the data leak site are now greeted with a seizure banner that says: “This hidden site and the criminal content have been seized by the Bavarian State Criminal Police Office on behalf of the Office of the Public Prosecutor
The Hacker News – Read More
Gcore Radar report reveals 56% year-on-year increase in DDoS attacks
Luxembourg, Luxembourg, 11th February 2025, CyberNewsWire
Hackread – Latest Cybersecurity, Tech, Crypto & Hacking News – Read More
Apple Patches Actively Exploited iOS Zero-Day CVE-2025-24200 in Emergency Update
Apple on Monday released out-of-band security updates to address a security flaw in iOS and iPadOS that it said has been exploited in the wild.
Assigned the CVE identifier CVE-2025-24200, the vulnerability has been described as an authorization issue that could make it possible for a malicious actor to disable USB Restricted Mode on a locked device as part of a cyber-physical attack.
This
The Hacker News – Read More
Apple and Google take down malicious mobile apps from their app stores
Apple and Google have pulled as many as 20 apps from their respective app stores for carrying data-stealing malware.
Security News | TechCrunch – Read More
XE Group Shifts From Card Skimming to Supply Chain Attacks
The likely Vietnam-based threat actor has been using two zero-days in VeraCore’s warehouse management software in some of its latest cyberattacks.
darkreading – Read More
Guilty Plea in Hacking of the SEC’s X Account That Caused Bitcoin Value Spike
darkreading – Read More
120K Victims Compromised in Memorial Hospital Ransomware Attack
After claiming responsibility for the ransomware attack in 2024, the “Embargo” ransomware group posted 1.15 terabytes of stolen data to its public Tor site.
darkreading – Read More
Who’s using AI the most? The Anthropic Economic Index breaks down the data
New Anthropic study uncovers AI’s true impact on the modern workforce: 57% augmentation vs 43% automation across industries, based on analysis of 4 million Claude interactions.
Security News | VentureBeat – Read More
8Base ransomware site taken down as Thai authorities arrest 4 connected to operation
The leak site for the 8Base ransomware gang was taken down Monday and replaced with a banner by multiple law enforcement agencies.
The Record from Recorded Future News – Read More