Dan danzek

This document serves to provide resources to help Prevent, Detect, and Respond to MS Teams-based Initial Access, with a heavy focus on MS Teams > RMM/QuickAssist attacks.

Teams

Restricting 3rd Party Access

hi, i'm daniel. i'm a 15-year-old high school junior. in my free time, i hack billion dollar companies and build cool stuff.

3 months ago, I discovered a unique 0-click deanonymization attack that allows an attacker to grab the location of any target within a 250 mile radius. With a vulnerable app installed on a target's phone (or as a background application on their laptop), an attacker can send a malicious payload and deanonymize you within seconds--and you wouldn't even know.

I'm publishing this writeup and research as a warning, especially for journalists, activists, and hackers, about this type of undetectable attack. Hundreds of applications are vulnerable, including some of the most popular apps in the world: Signal, Discord, Twitter/X, and others. Here's how it works:

Cloudflare

By the numbers, Cloudflare is easily the most popular CDN on the market. It beats out competitors such as Sucuri, Amazon CloudFront, Akamai, and Fastly. In 2019, a major Cloudflare outage k

Original report

Affected Vendor: OpenPrinting
Affected Product: Several components of the CUPS printing system: cups-browsed, libppd, libcupsfilters and cups-filters.
Affected Version: All versions <= 2.0.1 (latest release) and master.
Significant ICS/OT impact? no
Reporter: Simone Margaritelli [[email protected]]
Vendor contacted? yes The vendor has been notified trough Github Advisories and all bugs have been confirmed:

https://github.com/OpenPrinting/cups-browsed/security/advisories/GHSA-rj88-6mr5-rcw8

FAQ on the xz-utils backdoor (CVE-2024-3094)

This is a living document. Everything in this document is made in good faith of being accurate, but like I just said; we don't yet know everything about what's going on.

Update: I've disabled comments as of 2025-01-26 to avoid everyone having notifications for something a year on if someone wants to suggest a correction. Folks are free to email to suggest corrections still, of course.

	#!/usr/bin/env python3

	import requests
	import urllib3
	import xml.etree.ElementTree as ET
	from datetime import datetime, timezone
	import sys
	import uuid
	from xml.sax.saxutils import escape

	# ================================================
	# Sysmon & Windows Event Log Configuration Script
	# ================================================

	# Check for administrative privileges
	$currentUser = [Security.Principal.WindowsIdentity]::GetCurrent()
	$principal = New-Object Security.Principal.WindowsPrincipal($currentUser)
	if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
	Write-Host "This script requires administrative privileges. Please run as an administrator." -ForegroundColor Red
	exit 1

	[
	"928350122843193385",
	"1185047194261274665",
	"956202276408688650",
	"956104664821157918",
	"1185047092478095443",
	"1185046791826178099",
	"1185047045413797898",
	"928483283698851901",
	"1185047444619284641",

	#!/usr/bin/env python3

	import ctypes
	import time
	import threading

	def test():
	def access(path):
	f = open(path, 'rb')
	__ = f.read(8192)

	There appears to be a string encoded in the binary payload:
	https://gist.github.com/q3k/af3d93b6a1f399de28fe194add452d01#file-hashes-txt-L115

	Which functions as a killswitch:

	https://piaille.fr/@zeno/112185928685603910

	Thus, one workaround for affected systems might be to add this to `/etc/environment`:

	```

	from __future__ import annotations

	import re
	from itertools import cycle

	MAX_SETTINGS = 128


	def load_mapping(filename: str) -> dict[int, int]:
	"""Processes textual Volatility memmap output into a page mapping."""

Dan danzek

Teams

Restricting 3rd Party Access

Cloudflare

FAQ on the xz-utils backdoor (CVE-2024-3094)

Background