Computers are useless. They can only give you answers.
Starred Articles
Quishing - QR code phishing - is a rapidly evolving threat. Now we're seeing a further evolution in how QR codes are manipulated: the QR code is not an image, but is instead built from HTML and ASCII characters.
EDR Internals for macOS and Linux
06/03/2024 Many public blogs and conference talks have covered Windows telemetry sources like kernel callbacks and ETW, but few mention macOS and Linux equivalents. This post dives into endpoint security products on macOS and Linux to understand their capabilities and identify weaknesses.
In this article, we will discuss the details of the cache poisoning attack on npm and explore its potential impact on the broader software ecosystem. By disclosing publicly this vulnerability, we aim to show the importance of security and availability in our Software Supply Chains.
This blogpost aims at analyzing the cache components of Entra ID-joined devices with WHFB configured and provides a toolkit to use them.
Breaking through Defender's Gates - Disabling Tamper Protection and other Defender components
06/06/2024 I found it possible to abuse SYSTEM / TrustedInstaller privileges to tamper with WdFilter settings and unload the kernel minifilter driver to disable Tamper Protection and other Defender components. This also affects Microsoft Defender for Endpoint (MDE), blinding MDE to telemetry and activity performed on a target.
Guest vs null session on windows
04/18/2024 "Null session", "Guest session" and "Anonymous session" describe techniques that can be used on Windows servers to connect to resources and obtain information about a computer or Active Directory objects, such as users or the SMB shares you have access to. Even though these techniques are well known, they are often not fully understood, hence this blog post.
New Articles
This blog details how to exploit Parallels Desktop's trust in macOS installers, gaining local privilege escalation.
Pwning the Domain: AD CS
05/31/2024 Active Directory Certificate Services (AD CS) is a crucial component of enterprise security infrastructure, providing services for public key cryptography. However, misconfigurations and vulnerabilities within AD CS can be exploited for domain escalation, persistence, and certificate theft.
ManageEngine ADAudit - Reverse engineering Windows RPC to find CVEs - part 2 / Reverse engineering
05/27/2024 In this second part we are going to reverse engineer the agent in order to use it to make configuration changes on the host system.
In this article we will reverse engineer the decryption process of an encrypted value stored in the Windows registry. The decrypted value is a UUID that serves as a means of authentication when making configuration changes via the ADAudit Agent.
Samsung WB850F Firmware Reverse-Engineering
05/24/2024 This deep-dive will allow us to understand and circumvent the hotspot detection in Samsung's WB850F WiFi camera based on one reverse-engineered function.
During our research, several vulnerabilities were discovered within the Zscaler Client Connector application. By chaining together several low-level vulnerabilities and bypasses, we were able to escalate a standard user's privileges to execute arbitrary commands as the high-privileged NT AUTHORITY\SYSTEM service account on Windows.
Abusing the SeRelabelPrivilege
05/30/2024 This article investigates SeRelabelPrivilege. We will show that it allows you to take ownership of a resource even if its integrity level is higher than yours, and that once you take ownership you can grant yourself full access to processes and tokens. The result, from an abuse perspective, is quite similar to the Debug Privilege.
Misconfigurations in Active Directory Certificate Services (ADCS) can introduce critical vulnerabilities into an Enterprise environment. In this article, we will cover the basics of exploiting escalation techniques ESC2 and ESC3 using Certipy. These escalation techniques abuse overly permissive enrollment rights and Extended Key Usage configurations.
DriveFS Sleuth - Recovery Made Possible!
05/31/2024 In this blog post, we'll explain how reversing Google Drive protocol buffers, along with other findings from researching the application's disk forensic artifacts, helped us understand the caching information. This knowledge allows us to recover the cached synced items without any extra collection.
Zsh Sessions (even more Timestamps)
05/26/2024 In this blog post, we review the usage of the zsh session directory from an incident response perspective.
Writing YARA Rules
05/27/2024 In this blog, we will learn how to write a YARA rule to detect different samples from the same family and hunt for them at scale.
Globally distributed stealers
05/24/2024 This article describes our analysis of the top malware stealer families, unveiling their operation methodologies, recent updates, and configurations. By understanding the modus operandi of each family, we better comprehend the magnitude of their impact and can fortify our defences accordingly.
In this blog post, we'll look at some of the risks that can arise when you share Cisco running configurations on public forums. We'll see how the simple act of uploading a configuration to get assistance could lead to a serious security breach.
In this blog, we will explore the traditional heuristic approach to detecting new vulnerabilities in the wild such as the Foxit PDF exploit.
In this third post, I will go through Impacket's secretsdump and atexec modules.
This blog post introduces WebAssembly (WASM) as a powerful alternative to traditional web technologies, highlighting its appeal to cybersecurity professionals for evading security measures during initial access.
In this blog, we will show you how to use Kusto Query Language (KQL) to parse and hunt for MFA modifications in Microsoft Entra audit logs.
Water Sigbin exploited Oracle WebLogic vulnerabilities to deploy a cryptocurrency miner using a PowerShell script. In this blog post, we investigate the different obfuscation techniques they use to avoid detection.
When tracking adversaries, we commonly focus on the malware they employ in the final stages of the kill chain and infrastructure, often overlooking samples used in the initial ones. In this post, we will explore some ideas to track adversary activity leveraging images and artifacts mostly used during delivery.
Building a Verifier DLL
06/01/2024 The verifier infrastructure (part of verifier.dll) provides convenient facilities to hook functions. In this article, we'll look into what it takes to create such a DLL that can be injected early and automatically into processes of our choice.
A series of vulnerabilities in the Cox Business portal demonstrates a way in which a fully external attacker with no prerequisites could've executed commands and modified the settings of millions of modems, accessed any business customer's PII, and gained essentially the same permissions of an ISP support team.
While looking for a WebKit security update, we came across an interesting bug case related to Apple's AbstractInterpreter. Although it's quite an old bug, we thought this was a case that browser security researchers should take a look at. In this article, we share a detailed analysis of this case.
Inside the Box: Malware's New Playground
06/03/2024 We identified an increased abuse of BoxedApp products to deploy multiple known malware families. In this article, we provide an in-depth analysis of the BoxedApp internals, focusing on the resulting packed binary structures.
This article provides an in-depth analysis of PikaBot, focusing on its anti-analysis techniques implemented in the different malware stages. Additionally, this report shares technical details on PikaBot C2 infrastructure.
In this post, we will delve into Windows memory internals and understand how memory is managed in Windows, as well as process internals. We will also look into segmentation and its role in x86 memory address translation, and why and how it is ignored in x86_64.
SEH & VEH in a security perspective
05/28/2024 Exception handlers are nothing new; they have long been one of the basic ways to handle unforeseen errors within a program. In this blog post we will dive a bit deeper into exception handling techniques that could potentially be employed from an offensive security perspective.
The "Directory Synchronization Accounts" Entra role is very powerful (allowing privilege escalation to the Global Administrator role) while being hidden in the Azure portal and Entra admin center, in addition to being poorly documented, making it a perfect stealthy backdoor for persistence in Entra ID.
This post will provide technical details about CVE-2023-20938, a use-after-free vulnerability in the Android Binder device driver, and how our team used it to achieve root privilege from an untrusted app on a fully up-to-date (at the time of exploitation) Android device.
In this blog post we will cover an update we did to the Evilginx tool. Specifically, this update introduces the capability to add SPF, DMARC, DKIM and MX records to Evilginx. As a result, you can significantly enhance your sender's reputation and boost your chances of having your emails reach the recipient's inbox.
We have discovered "pytoileur", a malicious PyPI package hiding code that downloads and installs trojanized Windows binaries capable of surveillance, achieving persistence, and crypto-theft. Our discovery of the malware led us to probe into similar packages that are part of a wider, months-long "Cool package" campaign.
Attacking NIST SP 800-108
06/04/2024 This post examines the attack against the initial SP 800-108 design when AES-CMAC is used as the PRF in KDF Counter mode.
Another fun exploit! This time with local privilege escalation through Apple's PackageKit.framework when running ZSH-based PKGs.
This article details how we managed to complete the deserialization chain and achieve full unauthenticated RCE against Telerik Reporting Register.
In this guide, we will walk through detecting threats using AuditD by writing rules based on the logs and how to dig deeper into the logs.
In this guide we will install Laurel which will combine all the AuditD events which will make creating higher fidelty alerts easier.
In this post, I want to explore the implications of execution modalities on detection engineering. I'm particularly interested in how diverse modalities affect our ability to evaluate detection coverage.
One of the fundamental axioms is that while using modern EDR sensors, we perceive events at the operational level. In this post, I will explain why it is not always the case and update the model in a way that allows us to capture the details that are necessary to handle these edge cases.
In this blog post, we'll be exploring FormBook, an infostealer malware. What's interesting is how this sample hides one of its payloads on a vulnerable WordPress website.
Analysis of CVE-2024-27348 Apache HugeGraph
06/05/2024 We provide a technical analysis of CVE-2024-27348, a Remote Code Execution (RCE) vulnerability in Apache HugeGraph Server. Upon exploitation, an attacker can bypass the sandbox restrictions and achieve RCE through Gremlin, resulting in complete control over the server.
Working your way Around an ACL
06/03/2024 I decided to see if I can show "C:\Program Files\WindowsApps" in an unelevated Windows 11 Explorer, bypassing the system's ACL. It turns out to be more complex than it should be for various reasons, so let's dig in.
In this post, we will explore a new in-memory sleeping technique that relies on SWAPPALA, to hide a reflective DLL in memory in a remote process.
There are still some DLLs which can be leveraged for DLL hollowing or spoofing a thread's origin. This blog demonstrates how we can dynamically locate such DLLs and use them to deliver payloads.
Kerberos AV/EDR Bypass
06/06/2024 This article details the Kerberoasting attack and provides guidelines to evade detection from AV and EDR.
In this article, we will detail how to passively decode replication data, allowing us to intercept password changes of user accounts, machine accounts and the krbtgt AD service account. Eventually it makes it possible to become a passive domain controller where you can keep track of all replicated data and use this as a method to exfiltrate data.
Spray passwords, avoid lockouts
06/04/2024 This article is not about something new, but rather a report on my research into password policies in an Active Directory environment. It will clarify what password policies allow, how they are applied, and therefore, as a pentester, how to do password spraying while minimizing the risk of locking out accounts.
In this article, we will first detail what is malware packing and understand how it works, then we will explain how to unpack packed malware.
Disassembling Dalvik
05/29/2024 In this post, we announce the release of a small library for disassembling Dalvik bytecode. This serves as a foundation for building static analysis tooling for Android applications and system services in Rust.
Still Recent
This blog is mostly intended to make sure I don't forget about all kinds of possibilities for breaking into facilities while all the security measures are enabled.
This new research takes the abuse of DCOM authentication from local access (as in the many Potatoes) to fully remote by abusing security configuration changes or over-granted group access.
Zsh History Timestamps
05/07/2024 In this blog post, we discuss how Zsh records commands entered in the shell along with a timestamp, provided that the session remains open. This is useful for live response scenarios if we still have access to the session.
Software supply chain attacks are on the rise, and they're aiming for your GitHub repository. Here's how you can protect it by implementing GitHub's security controls and best practices.
In this first part, we will look into different places to load shellcode or any other form of executable segment in a PE. We will also do basic analysis with IDA.
In this second article of the series, we will cover the important topics in x86 assembly.
Finding Attack Vectors using API Linting
04/30/2024 In this article, I will show you how to weaponize developer tools used for API design and design reviews against them. In fact, we will use these same tools to discover potential attack vectors in the very APIs they are trying to build and secure.
Oldies but Goodies
The goal of this article is to find a memory-related vulnerability using fuzzing. The first part focuses on how to find a potent target, which tools can be used, and what a good fuzzing target should consist of. The second part then describes how to develop and debug a harness that is able to fuzz a specific function in a binary.
Dynamic linker hijacking via LD_PRELOAD is a Linux rootkit technique utilized by different threat actors in the wild. In part one of this series on Linux rootkits, we discuss this threat and explain how to detect it.
This second part dives into the world of LKMs (Loadable Kernel Modules) and kernel-space rootkits to explore what LKMs are, how attackers abuse them, and how to detect them.
In this blog post, we take a closer look at CVE-2022-47758, a critical vulnerability impacting a very large number of Internet of Things smart devices. We will leverage this vulnerability in the lamp's firmware for unauthenticated remote code execution on the entire device with the highest privileges, and then abuse it for information gathering.
Unearthed Arcana
Introduction to physical penetration tests
07/21/2019 In this blog post I'm going to try to give an overview of physical penetration tests and how to start doing them from my own perspective. In addition I will focus on the type of tests where a target asks you to 'casually' break in and gain access to a room, plant a device or steal some specific information.