No one in the brief history of computing has ever written a piece of perfect software. It's unlikely that you'll be the first.
New Articles
Meet Silver SAML: Golden SAML in the Cloud
02/29/2024 Golden SAML is known for extracting signing certificates from Active Directory Federation Services (AD FS) and using those certificates to forge SAML authentication responses. In this post, we present a new application of Golden SAML: in Microsoft Entra ID, without the use of AD FS.
ADCS ESC14 Abuse Technique
03/01/2024 An attacker can abuse write access to the altSecurityIdentities attribute of an AD computer or user to add an explicit certificate mapping referring to a certificate in the attacker's possession, and then use this certificate to authenticate as that computer or user.
Mail-in-the-Middle (Maitm for short) takes advantage of the typos people make when they enter email addresses. If we position ourselves between the sender of an email and the legitimate recipient, we may capture plenty of information about the business, including personally identifiable information, email verification processes, and so on.
Detecting Post-Exploitation Behaviour
02/29/2024 We provide several KQL queries used to identify post-intrusion operations such as certutil remote download, group addition, database discovery, etc.
In this post we'll discuss several elements of analysis and improvement of cURL's fuzzing code, including how we identified important areas of the codebase lacking coverage, and then modified the fuzzing code to hit these missed areas.
In this post, we'll share how using retryable tickets may allow unexpected race conditions and result in out-of-order execution bugs. What's more, we've created a new Slither detector for this issue.
This article aims to explore the details of CVE-2023-51467 and explain the process of constructing an exploit leading to Remote Code Execution.
SNHACK Attack: How Hackers Could Turn Your Smart Pet Feeder into an All-You-Can-Eat Buffet
02/28/2024 Recently a Smart Pet Feeder landed in my home. Out of curiosity, I decided to check how secure this IoT device is and also extended this "research" to another brand and model.
In this article, we are going to exploit a stack-based buffer overflow in an old Windows application, Easy RM to MP3 Converter.
In this post I share the details of CVE-2023-42942, a race condition issue in the system service xpcroleaccountd, that could be exploited for root privilege escalation.
In this article, we will talk about Privilege Tokens and manipulating them in order to disable Windows Defender.
How-to: Detecting secrets in video content
02/29/2024 In this article, we explain how to (with an assist from AI) identify and mitigate security risks in video content by searching for API keys or other sensitive tokens.
In this article, we're going to take on a hardened Windows 11 instance that has been fully updated. We will first review the hardening script, then try different ways to bypass security controls.
How to Make Nmap Recognize New Services
03/03/2024 I decided to contribute the protocol detection to the Nmap codebase and write a short tutorial to show how you can do the same for other unrecognized protocols.
In this post we will discuss and show how a prompt injection payload can contain conditional instructions for certain situations. We will provide an example of a malicious email that triggers different attacker controlled results based on who views the content with Copilot.
How do I provide arguments to a DLL I execute via rundll32.exe? Bits and pieces of information exist out there. This post assembles that scattered information and presents it in a hopefully easy-to-digest way.
In this post I describe the adventure I had in figuring out how I could export a function from a DLL (compiled for a 32-bit architecture) using the actual name of this function.
This article presents my findings while researching CVE-2023-20078, an unauthenticated command injection vulnerability in the web-based management interface of Cisco 6800, 7800, and 8800 Series IP Phones. In the end, the reader should be equipped with the information necessary to understand and trigger this vulnerability.
We provide technical details regarding a recent surge in the distribution of prominent malware through PDF files. We detail the infection chain and go through all the processes, from initial access to exfiltration and persistence. We will also provide all relevant IOCs.
Chromium Based Browsers Investigation
02/26/2024 In this blog post, we are going to focus on making our lives as DFIR analysts easier when dealing with browsers that keep records of almost everything that happens on them.
Recovering data from broken appliance VMDKs
02/29/2024 This post details steps and tools that can be used in order to recover data and logs from a broken VMDK appliance.
Hunting For the 'Contiinued' Phish Kit
03/01/2024 In this article, we will be dissecting a fraud page and figuring out how to map it to its originating phishing kit. After that, we will have a nice indicator to spot and tag them accordingly, and maybe have some fun with the functionality on the way.
In this post, we'll walk through some examples of incidents that were exposed due to the expanded telemetry provided by Sysmon. These include credential dumping, Active Directory database extraction, suspicious command line activity, and Exchange Server exploitation via ProxyLogon.
This blog takes a closer look at GCP's logging methods, covering the different types of logging, how logs are stored, and how to best access them.
In this blog post, we will present the findings of our analysis of the infrastructure behind TA577's recent phishing campaign, which utilises Impacket to capture NTLMv2 hashes and steal credentials.
Cutting Edge, Part 3: Investigating Ivanti Connect Secure VPN Exploitation and Persistence Attempts
02/27/2024 In this post, we will detail how some threat actors exploit CVE-2024-21893 (SSRF) to deploy additional malware and maintain persistent access to compromised appliances. In addition, we have observed new TTPs that attempted to enable the custom backdoors to persist across factory resets, system upgrades, and patches.
Browser Credential Dumping
02/29/2024 This post describes browser credential dumping and its potential impact, illustrating the threat with a case study and outlining methods for detection and protection.
In this blog post, we will dissect Phemedrone, a newly emerged stealer exploiting the CVE-2023-36025 vulnerability in Microsoft Windows Defender SmartScreen.
In this article, I will explain how to use a pool of collectors to scan and connect to Bluetooth Low Energy (BLE) devices, shedding light on the intricacies of hardware, radio frequency challenges, and the importance of rate-limiting algorithms.
DUALITY: Advanced Red Team Persistence through Self-Reinfecting DLL Backdoors for Unyielding Control
02/29/2024 This blog post introduces the concept of DUALITY, which is a methodology and pipeline for backdooring multiple DLLs on the fly so they are able to re-infect each other if infections are lost due to program updates.
To get initial access through malware infection, we need the ability to dynamically recompile malware artifacts. This points us directly to a CI/CD approach. This post describes a generic approach and introduces a public repository as a template that you might employ to achieve similar goals.
Automate evasion and compilation of tools
03/03/2024 In this post I will cover the steps required to automate the checkout of the latest version of the SharpWMI open source .NET project using the JetBrains TeamCity tool, automate the source code modification using PowerShell and obfuscate the compiled .NET assembly using Babel Obfuscator to bypass common AVs.
Attacking iOS
03/04/2024 In this comprehensive guide, we delve into the world of iOS security from an offensive perspective, shedding light on the various techniques and methodologies used by attackers to compromise iOS devices and infiltrate their sensitive data.
Persistence - Visual Studio Code Extensions
03/04/2024 In this article, we detail how, in a development environment that has been compromised, an arbitrary Visual Studio Code extension can be used for persistence since it will also enable the attacker to blend in with the underlying environment.
Dumping LSASS Like it's 2019
03/04/2024 In this article, we will revisit a 2019-era technique for dumping LSASS using the MiniDumpW export of comsvcs.dll.
We've taken some time to dive into each component of the Azure Batch service to help identify any potential areas for misconfigurations and sensitive data exposure. This research surfaced a few key areas to look at, which we cover in this blog.
A Trip Down Memory Lane
03/03/2024 My experience with Windows Defender is that getting through it initially is not too difficult, the difficulty comes with doing post-exploitation activities with Defender constantly watching. In this blog I will detail my entire journey to write a loader getting past Defender.
This is a technical analysis of GTPDOOR, a Linux-based malware that is intended to be deployed on systems in telco networks adjacent to the GRX (GPRS Roaming eXchange), with the novel feature of communicating C2 traffic over GTP-C (GPRS Tunnelling Protocol - Control Plane) signalling messages.
Smishing with EvilGophish
03/04/2024 In this article, I will explain how to set up a smishing (SMS phishing) campaign with EvilGoPhish.
CVE-2024-27198 and CVE-2024-27199: JetBrains TeamCity Multiple Authentication Bypass Vulnerabilities
03/04/2024 We detail two authentication bypass vulnerabilities in JetBrains TeamCity: CVE-2024-27198, allowing complete compromise, and CVE-2024-27199, allowing limited information disclosure and limited system modification.
In this article, we detail how an unauthenticated attacker can leverage CVE-2023-0846 to inject a JavaScript payload in the OpenNMS admin dashboard, which exploits another vulnerability in the application to execute arbitrary code on the server once an admin views the dashboard.
Using form hijacking to bypass CSP
03/05/2024 In this post we'll show you how to bypass CSP by using an often overlooked technique that can enable password theft in a seemingly secure configuration.
A hackers' guide to online voting systems
03/05/2024 In this blog post, we'll delve into techniques for manipulating online voting systems, focusing on attacks that go beyond classic web vulnerabilities, and distinguishing between two common security contexts: anonymous polls and authenticated polls.
Cryptographic design review of Ockam
03/05/2024 In this blog post, we give some insight into our cryptographic design review of Ockam's protocols, highlight several positive aspects of the initial design, and describe the recommendations we made to further strengthen the system's security.
Persistence - Explorer
03/05/2024 Since Explorer is a native Windows process, it can be used in red team operations for injection of arbitrary code. In this article, we leverage a missing DLL loaded by explorer.exe to achieve persistence.
In this article, we phish the local admin for their credentials, store them in PowerShell, and then relay those credentials to run a scheduled task that launches our beacon at higher integrity.
Code injection on Android without ptrace
03/05/2024 This article details a project with a simple premise: injecting code into a process without using ptrace. To achieve that, it uses /proc/<pid>/mem to write code directly into memory, letting running threads pick up the code and execute it.
Pwning the Domain: Kerberos Delegation
03/06/2024 In this article we'll talk about Kerberos Delegation and how to abuse it in various ways and escalate our privileges.
In this article, we provide technical detail and a PoC for CVE-2024-1403, an authentication bypass vulnerability which affects certain components of the Progress OpenEdge platform.
Hijacking & Spoofing Context Menu Options
03/06/2024 This article shows how to hijack SentinelOne's "Scan For Threats" context menu option and create your own option for persistence.
Breaking down Atomic MacOS Stealer (AMOS)
03/05/2024 This article analyzes the Atomic macOS Stealer (AMOS). It reveals sophisticated malware with evident efforts to evade current XProtect signatures, showing that threats targeting macOS are constantly evolving.
This post is the third in a series of blogposts detailing the development process of a snapshot fuzzer that aims to utilize Bochs as a target execution engine. In this post, we're going to go over some changes and advancements we've made to the fuzzer and also document some progress related to Bochs itself.
This post will walk through a user, group, and application enumeration attack against a tenant where the attacker has guest access and the guest access settings are set to the default. This technique gets around numerous other attempts to prevent enumeration, and I believe it is novel.
Source Code Disclosure in ASP.NET apps
03/07/2024 In this post, I detail a method that makes it possible to reveal .NET applications source code.
This article is a technical analysis of new malware resembling the VBScript-based BABYSHARK malware that we've called TODDLERSHARK. It is used in post-compromise activity following exploitation of a ScreenConnect application. It uses a legitimate Microsoft binary and alternate data streams and exhibits elements of polymorphic behavior.
Still Recent
In this article, we detail the use of SOAPHound, a custom-developed .NET data collector tool which can be used to enumerate Active Directory environments via the Active Directory Web Services (ADWS) protocol.
This is a small blog about writing what I call "modern" position independent implants. Modern in the sense of being easy to write, easy to maintain, flexible and modular.
In this article, you'll dive into an introduction to how packers work, some tips for unpacking, and two walkthroughs showing how I usually deal with custom packers.
MultiDump
02/02/2024 This article dives into technical implementation details of MultiDump. This is a post-exploitation tool written in C for dumping and extracting LSASS memory discreetly, without triggering Defender alerts, with a handler written in Python.
Critical RCE Patched in Bricks Builder Theme
02/19/2024 This post provides technical details about an unauthenticated remote code execution (RCE) in Bricks Builder Theme.
This blog post explores a recent finding I discovered. This vulnerability allows unauthorized users to enumerate all email addresses without authentication or rate limiting, potentially exposing sensitive information.
This article provides a list of security techniques implemented on Windows endpoints. This should give you a good sense of why it is increasingly difficult to achieve a foothold on a Windows endpoint and perform post exploitation activities in a maturely instrumented environment.
This blog introduces the mutator kit, which uses an LLVM obfuscator to break in-memory YARA scanning of the sleep mask. We will give a quick background to the mutator kit and then show you how to apply it so that a uniquely mutated sleep mask can be applied every time a payload is exported.
Oldies but Goodies
This post aims to provide a road map and example of how to replicate a fault injection attack and the hurdles and shortcomings that can occur when attempting to do so.
Unearthed Arcana
This post is an introduction to ARM64 assembly.