Got an attack working perfectly, based on an apparently wrong hypothesis. Now I have no idea why it works.
Starred Articles
AMSI Write Raid 0day Vulnerability
05/03/2024 In this blog post, we'll introduce a new 0day technique designed to bypass AMSI without the VirtualProtect API and without changing memory protection. We'll discuss how we discovered the flaw, the process we used to exploit it and build proof of concept code to bypass AMSI in PowerShell 5.1 and PowerShell 7.4.
The detection engineer's guide to Linux
05/02/2024 Effective Linux detector development cannot simply adhere to the Windows model, demanding a tailored approach to ensure more comprehensive coverage. This blog will explore the philosophical and practical differences in detectors, the basics of Linux detector development, effective testing methodologies, and the criteria for developing Red Canary-grade Linux detectors.
While there are methodologies out there aimed at detecting malicious LDAP recon, we believe they are severely lacking and impractical for most organizations. To finally "leash" the various LDAP hounds (SharpHound, SOAPHound and many other tools), a new approach is needed, which we delve into in this post.
This article will focus on suspicious certificate usage alerts: the detection mechanism will be explained as well as how to avoid raising any alert. In addition, a PowerShell script will be released to perform Kerberos authentication via PKINIT with the Windows API, from a non domain-joined machine.
When "Phish-Proof" Gets Hooked
05/06/2024 We demonstrate an attack flow that allowed us to bypass Okta FastPass phish-proof protection. We first delve into the technical details of the protection mechanism, then provide a bypass technique.
This research unveils a quarry of sensitive data stored in public AMIs. Digging through each AMI we managed to collect 500 GB of credentials, private repositories, access keys and more. The present article is the detailed analysis of how we did it and what the data represents.
Send()-ing Myself Belated Christmas Gifts - GitHub.com's Environment Variables & GHES Shell
04/07/2024 In this article, I will unveil the shocking story of how I discovered CVE-2024-0200, a one-liner vulnerability that enables disclosure of all environment variables of a production container on GitHub.com, including numerous access keys and secrets. Additionally, this vulnerability can be further escalated to achieve remote code execution (RCE) on GitHub Enterprise Servers (GHES).
New Articles
In this blog, I describe a means of exploiting the V8 JavaScript and WebAssembly engine to gain execution of arbitrary shellcode inside the renderer process. This includes a bypass of the V8 memory sandbox (Ubercage), though code execution is still constrained by the process isolation-based browser sandbox.
This blog post shows how Play Protect deals with various Android malware in different scenarios. I deal with Play Protect as a black box.
Secure Kernel Research with LiveCloudKd
05/02/2024 Let's say you want to research the secure kernel. You heard about hypervisors and VTL1 and you'd like to see it for yourself, and static analysis is just not always good enough. You need a debugger. In this blog post, we will show how to use LiveCloudKd, which allows you to attach a live debugger to a virtual machine and debug the secure kernel.
Detecting illicit activities when looking at crypto movements has always been complex, but as assets and blockchains become increasingly interconnected, this problem has become even more difficult to solve. However, with the release of our new Holistic upgrade, Elliptic users can trace through asset swaps with ease.
In this post, we will cover how to statically analyze Android and iOS applications using Nuclei. Additionally, we will show how to use additional templates available out of the box with the Nuclei repository.
(2024-05-04) Breaking The Glass Of Your "Get-Out-Of-Jail-For-Free" AD Account - Part 2: Securing It
05/04/2024 This part of the series will focus on actually securing the default domain administrator account against being misused in any way while still allowing it to be used when really needed. Please be aware this applies to the default domain administrator account in any AD domain within an AD forest.
In this article, we provide guidelines to password spray Microsoft 365 accounts while avoiding account lockouts.
We provide technical analysis of Cuttlefish, a malware that targets networking equipment. This malware is modular. It steals authentication material found in web requests, has the capacity to perform both DNS and HTTP hijacking, interacts with other devices on the LAN, and can move material or introduce new agents.
R-bitrary Code Execution
04/29/2024 We have discovered a vulnerability, CVE-2024-27322, in the R programming language that allows for arbitrary code execution by deserializing untrusted data. An attacker can create malicious RDS files or R packages containing embedded arbitrary R code that executes on the victim's target device upon interaction.
Devfile file write vulnerability in GitLab
05/02/2024 This post is an extensive walkthrough of the process of identifying and exploiting CVE-2024-0402, an arbitrary file write on GitLab instances.
In this blog post, we will present how we execute arbitrary code on the host OS from the guest by exploiting CVE-2023-20869.
Using and understanding YARA rules is a fundamental skill for anyone in a technical cyber security role. This guide will cover everything you need to start using YARA rules and crafting your own custom rules.
The TargetCompany ransomware group primarily targets improperly managed MS-SQL servers to install the Mallox ransomware. While these attacks have been ongoing for several years, here we will outline the correlation between the newly identified malware and previous attack cases involving the distribution of the Tor2Mine CoinMiner and BlueSky ransomware.
In this blog, we will cover how to build a simple Security Information and Event Management (SIEM) environment to simulate attacks and give us an understanding of how vital detection is in identifying threats and creating defenses against them.
In this blog post we are highlighting another way we use generative AI to help defenders gain the advantage: leveraging LLMs (Large Language Models) to speed up our security and privacy incident workflows.
In this second article, we will see how we can catch malicious activity from the impacket WMI module.
We investigate a novel infection chain associated with DarkGate malware. This chain commences with an HTML-based entry point and progresses to exploit the AutoHotkey utility in its subsequent stages.
Hunting in Azure subscriptions
04/30/2024 This blog post delves into various strategies and methodologies designed to enhance our grasp of the scope and complexity of how threat actors manoeuvre within Azure subscriptions, thereby fortifying our defenses against the ever-evolving landscape of cyberattacks.
What if there was a way to rely on packages as dependencies but ensure they don't show up in lockfiles? This is precisely what Python build requirements are and they represent a dark spot in the fabric of dependency management.
Adversaries who have gained access to an M365 tenant might exploit these features, enabling them to monitor mailbox communications. In this blog post, we describe various methods attackers may leverage to monitor mailboxes, how to simulate them and how teams can detect them using Splunk's out-of-the-box security content.
Lateral movement and on-prem NT hash dumping with Microsoft Entra Temporary Access Passes
05/06/2024 In this blog, we take a closer look at the options attackers have to abuse Temporary Access Passes for lateral movement, showing how they can be used for passwordless persistence and even to recover on-premises Active Directory passwords in certain hybrid configurations.
SCCM Network Access Accounts (NAA) are frequently used despite being associated with several attack primitives. In this blog post, we will explore the various methods to identify and compromise NAA.
Code Injection to RCE with .NET
04/29/2024 I encountered a feature that allowed users to define templates containing expressions, specifically for operations related to mathematics, logic, and strings. These templates contained expressions that were vulnerable to Code Injection and, subsequently, Remote Command Execution.
Sleeping Safely in Thread Pools
04/30/2024 This blog post discusses a use of thread pools that is relevant to red teamers: their use as an alternative to a sleeping main thread in a C2 agent or other post-exploitation offensive capability. Let us now compare the standard technique of using a sleeping thread with this alternative option.
Identifying X-Refs with Capstone
04/30/2024 In this post, I will explain how you can locate cross references programmatically using Python modules that are generally helpful in reverse engineering.
Tale of Code Integrity & Driver Loads
04/30/2024 The objective of this post is very simple: understand how the Core Isolation user setting affects the execution flow of driver loading.
Attacking Java
05/06/2024 Attacking Java applications requires a nuanced understanding of both the language's intricacies and common vulnerabilities prevalent in its ecosystem. In this article, we review the main vulnerabilities, explaining their root causes and exploitation.
In this article, I would like to discuss a rather unconventional but very interesting detection mechanism used in conjunction with EDR, based on a combination of process environment block (PEB) modification, the use of fake DLLs and guard pages, and the use of vectored exception handling.
XZ Utils Made Me Paranoid
05/02/2024 How could we identify backdoors before packages are released or, at the very least, identify them after upgrades? I decided to try to write a basic scanner to at least identify hooks in memory. In this post, we'll go through what the initial idea was, what needed to be built, and what we ended up with.
In this article we'll learn what OPSEC is and how to safely investigate a malware sample, explore various methods malware uses to disguise its objectives, and discover how to create malware network signatures based on real malware samples.
Multiple vulnerabilities in RIOT OS
05/07/2024 RIOT is a free, open-source, real-time operating system. It aims to implement all relevant open standards supporting an Internet of Things that is connected, secure, durable, and privacy-friendly. I reviewed RIOT's source code and identified multiple security vulnerabilities that may cause memory corruption. Their impacts range from denial of service to potential arbitrary code execution.
CVE-2024-3661: TunnelVision - How Attackers Can Decloak Routing-Based VPNs For a Total VPN Leak
05/06/2024 We identified a novel network technique that bypasses VPN encapsulation. An attacker can use this technique to force a target user's traffic off their VPN tunnel using built-in features of DHCP. The result of this is the user transmits packets that are never encrypted by a VPN, and an attacker can snoop their traffic.
With this blog post, we'll introduce the PiFex, a basic companion board for the Raspberry Pi designed to teach users the basics of hardware hacking and embedded protocols. We will then demonstrate how to use the PiFex to access a JTAG tap on an undocumented SSD, allowing memory reads and GDB access to the SSD CPU.
This is part one of a look into how symbols enhance reverse engineering and details on how Ghidra can take advantage. This article provides a brief overview of Ghidra's utility in reverse engineering and the role of symbols in streamlining the process.
Jump Over Firewall Finding Origin IP
05/06/2024 Web application firewalls are the most annoying when you know that there is a vulnerability out there! What if I told you that there is a way to bypass this layer of protection? I'm talking about finding the origin IP address as a method. We will explore multiple ways you can do it.
Digging for SSRF in NextJS apps
05/09/2024 In this blog post we will detail some common misconfigurations we find in NextJS websites, along with a vulnerability we found in the framework.
Go Binary Analysis with gftrace
05/07/2024 gftrace is a command line Windows tool that will run a Go binary and log all the Windows API calls made as it runs. In this blog, I will demonstrate its usage to solve the Napper from HackTheBox. I'll also give a brief overview of how it works, walking through the source code from GitHub.
HijackLoader Updates
05/06/2024 We recently analyzed a new HijackLoader sample that has updated evasion techniques. In this blog post, we discuss HijackLoader updates and provide a Python script to extract the malware configuration and modules from HijackLoader samples. Additionally, we delve into the malware families deployed by HijackLoader from March 2024 to April 2024.
CVE-2024-21115: An Oracle VirtualBox LPE
05/09/2024 In this blog post, we detail CVE-2024-21115, an Out-of-Bounds (OOB) Write that occurs in Oracle VirtualBox and can be leveraged for privilege escalation.
We have uncovered a malware dissemination method involving a crafted Minecraft source pack. The malware, known as the zEus stealer, is specifically targeted at Microsoft Windows users, posing a high threat level by potentially enabling future attacks through the stolen information.
A Basic Guide to AFL QEMU
04/28/2024 This post explains a process for fuzzing a parser function identified within a compiled program. We will use American Fuzzy Lop (AFL) QEMU mode to target the parsing logic.
With attackers becoming more sophisticated every year, knowing how to delve into a phishing campaign is a crucial skill for every OSINT analyst. This article will equip you with a well-rounded methodology to guide your investigations and help protect yourself and your organization.
Still Recent
The purpose of this article is to dive into the process of vulnerability research in the Linux kernel that led to the finding of CVE-2023-0179 and a fully functional Local Privilege Escalation (LPE). In this first post, we will focus on the nftables component and the new mitigations encountered while exploiting the kernel stack from the network context.
In this second post, we will get to the exploitation of a stack overflow in the interrupt context by dividing it into two main parts: defeating KASLR and privilege escalation.
In this first part of the series, I describe the capabilities of the default domain admin account, and basically how "special" that account is.
In this blog post, we will present how we get the critical information in VMware process running on the host from the guest.
Impacket is one of those tools that threat actors are constantly using during attacks. It, for example, allows for PsExec-like behavior, which is very often one of the key things threat actors use Impacket for. My approach to see if I can catch this is to launch the attack from a non-monitored device targeting a device which has the Defender for Endpoint agent installed.
This blog provides technical information on GooseEgg, a unique Forest Blizzard capability. In addition to patching, this blog details several steps users can take to defend themselves against attempts to exploit Print Spooler vulnerabilities. We also provide additional recommendations, detections, and indicators of compromise.
It is trivial to take a known good package, clone it, modify the distribution name and maybe some other metadata, and republish it. This post shows an example of that process using the known good certifi package.
The method of trojaning Python functions and imports is also perhaps the most obvious: add additional code to existing functions. What easier way to gain code execution in Python than to write a function and let users call it!
In this blog we will discuss how we could shift left even earlier in the software development lifecycle to have a better chance at capturing those juicy developer secrets.
Oldies but Goodies
Honeypot OSINT
06/11/2022 In this post I will be going through the open-source intelligence process I went through following an attack performed against my honeypot.
During the forensic examination of a smartphone, we sometimes need to understand some basic settings of the device. In this blog post, I'll discuss how these settings can be extracted and what information is potentially more relevant for a forensic investigation.
Arlo: I'm watching you
03/08/2024 This blog post aims at bootstrapping vulnerability research on Arlo cameras.
Unearthed Arcana
Every experienced pentester knows there is a lot more to XSS than - filtering, encoding, browser-quirks and WAFs all team up to keep things interesting. AngularJS Template Injection is no different. In this post, we will examine how we adapted template injection payloads to bypass filtering and encoding and exploit Piwik and Uber.
Detecting VPN Services
04/09/2021 This blog post will introduce various methods of systematically detecting VPN IP addresses from providers such as NordVPN or ExpressVPN.