New Red Team Technique "RemoteMonologue" Exploits DCOM To Gain NTLM Authentication Remotely

Enter RemoteMonologue, a novel technique unveiled by security researcher Andrew Oliveau that weaponizes Distributed Component Object Model (DCOM) objects to coerce NTLM authentications remotely without payloads or direct access to the Local Security Authority Subsystem Service (LSASS). This approach, detailed in Oliveau's recent blog, leverages the overlooked complexity of Windows' Component Object Model (COM) and DCOM to harvest credentials while evading common detection mechanisms.

As Microsoft tightens the screws on traditional credential theft methods and Endpoint Detection and Response (EDR) systems grow more sophisticated, red teams are pivoting to innovative, fileless attack vectors. Oliveau discovered that local administrators, armed with the SeTakeOwnershipPrivilege, can seize control of an AppID's registry key, modify its RunAs value, and force the DCOM object to operate as another user without needing their credentials. By manipulating COM objects' properties and methods, attackers can trigger authentication requests to controlled systems, capturing NTLMv1 or NTLMv2 hashes for offline cracking or relay attacks. RemoteMonologue targets these DCOM objects, supports NetNTLMv1 downgrades, enables the WebClient service for HTTP-based relays, and includes credential spraying and session enumeration modules. With LDAP signing and channel binding unenforced on most domain controllers until Windows Server 2025, and SMB signing optional on non-DC servers, these relays remain viable.

Defenders can counter RemoteMonologue by enforcing LDAP signing and channel binding, upgrading to Windows Server 2025 and Windows 11 24H2 (which drop NTLMv1), and mandating SMB signing. Strong passwords thwart cracking, while monitoring DCOM access, registry changes (e.g., RunAs, LmCompatibilityLevel), and WebClient activity offers detection opportunities. RemoteMonologue underscores DCOM's potential as a stealthy attack vector, challenging defenders to secure legacy Windows components.
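The mitigations and detection points named above can be checked on a host without any special tooling. The following read-only audit is an added example for defenders, written for this page; it is not Oliveau's RemoteMonologue tool or code from his blog. It reads the registry values behind each named control (LmCompatibilityLevel for NTLMv1 acceptance, RequireSecuritySignature for SMB server signing, LDAPServerIntegrity and LdapEnforceChannelBinding on domain controllers, the WebClient service state) and lists DCOM AppIDs whose RunAs value names a fixed account rather than the launching or interactive user. The "hardened" thresholds are assumptions taken from Microsoft's documented meanings of those values, not from the article, and the output is meant to be compared against a known-good baseline rather than read as a verdict.

```powershell
# Added defender's audit (not part of the article or the RemoteMonologue project).
# Run in an elevated PowerShell session on the host being checked. Read-only.
$findings = New-Object System.Collections.Generic.List[string]

# Small helper: return a registry value or $null when the key/value is absent.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

# 1. NTLMv1 acceptance. Assumed hardened value: 5 (send NTLMv2 only, refuse LM and NTLMv1).
$lmLevel = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'LmCompatibilityLevel'
if ($null -eq $lmLevel -or $lmLevel -lt 5) {
    $findings.Add("LmCompatibilityLevel is '$lmLevel' (unset falls back to the OS default); NetNTLMv1 responses may still be accepted, consider 5")
}

# 2. SMB server signing. Relay to SMB is only useful when the server does not require signing.
$smbSign = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' 'RequireSecuritySignature'
if ($smbSign -ne 1) {
    $findings.Add("SMB server signing is not required (RequireSecuritySignature=$smbSign)")
}

# 3. LDAP signing and channel binding. Only meaningful where the NTDS service exists (a DC).
$ntdsPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
if (Test-Path $ntdsPath) {
    $ldapIntegrity = Get-RegValue $ntdsPath 'LDAPServerIntegrity'       # 2 = require signing
    $ldapCbt       = Get-RegValue $ntdsPath 'LdapEnforceChannelBinding'  # 2 = always enforce
    if ($ldapIntegrity -ne 2) { $findings.Add("LDAP signing not required (LDAPServerIntegrity=$ldapIntegrity)") }
    if ($ldapCbt -ne 2)       { $findings.Add("LDAP channel binding not enforced (LdapEnforceChannelBinding=$ldapCbt)") }
}

# 4. WebClient service. When running, WebDAV (HTTP) authentications become relayable,
#    so its state is reported whenever the service is installed.
$webclient = Get-Service -Name WebClient -ErrorAction SilentlyContinue
if ($webclient) {
    $findings.Add("WebClient service: Status=$($webclient.Status), StartType=$($webclient.StartType)")
}

# 5. DCOM AppIDs with a fixed RunAs identity. No RunAs value means 'launching user' and
#    'Interactive User' is a documented setting; any other value pins the server to one
#    account and should be diffed against a baseline. Key owner is included because the
#    article's abuse path starts with taking ownership of the AppID key.
Get-ChildItem 'HKLM:\SOFTWARE\Classes\AppID' -ErrorAction SilentlyContinue | ForEach-Object {
    $runAs = Get-RegValue $_.PSPath 'RunAs'
    if ($runAs -and $runAs -ne 'Interactive User') {
        $name  = (Get-ItemProperty -Path $_.PSPath).'(default)'
        $owner = (Get-Acl -Path $_.PSPath).Owner
        $findings.Add("AppID $($_.PSChildName) ($name) RunAs='$runAs' owner='$owner'")
    }
}

if ($findings.Count -eq 0) { 'No findings' } else { $findings }
```

Section 5 will list some legitimate Windows components that run under a fixed identity, so the useful signal is a new or changed entry relative to a previous run, not the presence of any entry; a scheduled run with the output stored centrally gives the registry-change visibility the article recommends for RunAs.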

This Cyber News was published on cybersecuritynews.com. Publication date: Tue, 08 Apr 2025 15:55:17 +0000
