Security Review #217

July 19, 2024

A plan is an example of what could happen, not a prediction of what will happen.

— Kent Beck

Starred Articles

Encoding Differentials: Why Charset Matters

This blog post explains how attackers can exploit a missing charset in the Content-Type header to inject arbitrary JavaScript into a website by deliberately changing the character set that the browser assumes.
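The practitioner check that follows from the summary above, as an added example that is not code from the newsletter or from the linked post: a small parser that flags text/* responses whose Content-Type carries no charset, and a constructed body showing that the same bytes contain no `<` under UTF-8 yet decode to a script tag under UTF-7. The header values and the body are constructed for illustration; UTF-7 is used only because Python ships a codec for it, not as a claim about which charset modern browsers sniff.

```python
"""Content-Type charset check plus a charset-differential demonstration.

Added example; not from the newsletter or the linked article.
"""


def content_type_charset(header: str):
    """Split a Content-Type value into (media type, charset or None).

    Media type and charset are lower-cased; quotes around the charset
    value are stripped, e.g. 'Text/HTML; Charset="UTF-8"'.
    """
    parts = [p.strip() for p in header.split(";")]
    media = parts[0].lower()
    charset = None
    for param in parts[1:]:
        if "=" not in param:
            continue
        key, value = param.split("=", 1)
        if key.strip().lower() == "charset":
            charset = value.strip().strip('"').lower()
    return media, charset


def missing_charset(header: str) -> bool:
    """True when a text/* response leaves the charset to browser guessing."""
    media, charset = content_type_charset(header)
    return media.startswith("text/") and charset is None


# Hardened value: the server pins the charset instead of the browser guessing it.
SAFE_HEADER = "text/html; charset=utf-8"

# Constructed body: plain ASCII with no '<' or '>' byte anywhere in it.
CONSTRUCTED_BODY = b"+ADw-script+AD4-alert(1)+ADw-/script+AD4-"


def decode_under(data: bytes, charset: str) -> str:
    """Decode the same bytes under a given charset (replace undecodable bytes)."""
    return data.decode(charset, errors="replace")


def differential_report(data: bytes, charsets=("utf-8", "utf-7")) -> dict:
    """Map each charset to whether a '<script' tag appears after decoding."""
    return {cs: "<script" in decode_under(data, cs).lower() for cs in charsets}


if __name__ == "__main__":
    for hdr in ("text/html", "text/html; charset=utf-8", "application/json"):
        print(f"{hdr!r}: missing charset = {missing_charset(hdr)}")
    print(differential_report(CONSTRUCTED_BODY))
```

If the response looks like the first header, the bytes in CONSTRUCTED_BODY are harmless under UTF-8 and an injected script under UTF-7; the fix is the server declaring the charset, as in SAFE_HEADER, rather than filtering more characters.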

Process Injection is Dead. Long Live IHxHelpPaneServer

Process injection techniques have long been detected by most defensive tooling. It is therefore necessary to find a way to execute code in the context of another user without injecting into a process. In this article I will discuss such a mechanism, called cross-session activation.

GitHub Actions exploitation - Part 4: self hosted runners

This article is the last in our GitHub Actions exploitation series. We explain a dangerous self-hosted runner misconfiguration that unauthenticated users can exploit to reach internal networks from the Internet, using Haskell and Scroll as examples.

New Articles

Firmware Security: Alcatel-Lucent ALE-DeskPhone

In this blog post, we describe the security analysis of the ALE DeskPhone (ALE-400), a VoIP desk phone manufactured and developed by Alcatel-Lucent Enterprise.

Hardware Hacking with a Raspberry Pi

In this post, we review how to configure a Raspberry Pi image for hardware reverse engineering.

Unauthenticated SSRF on Havoc C2 teamserver via spoofed demon agent

While auditing the Havoc C2 codebase, I was able to discover a vulnerability that allows leaking the origin IP of a teamserver behind public redirectors, abusing vulnerable servers as external C2 channels, and routing traffic through any SOCKS proxies listening on the teamserver.

Unlocking ECHO: A New Perspective On Phishing Attacks

This article introduces Echo, an innovative full-stack phishing framework engineered to empower users with flexibility and evasion capabilities in conducting phishing campaigns.

Fun with Exception Handlers

This small blog post discusses and demonstrates various VEH-related abuse primitives, and how these can be used against EDRs that rely on VEH hooks.

Dive into PEB Walk in Malware Analysis

In this blog, we will learn about the Process Environment Block (PEB), how malware authors can access PEB information, and how it can be abused. We will also see how to reverse-engineer our own program that uses a PEB walk and how to add custom structures in IDA Pro.

Google Drive Forensics

This guide will go over the basics of Google Drive Forensics, allowing readers of all skill levels to follow along if they wish to.

Recovering Deleted Files in XFS

On XFS, I noted that when a file is deleted the inode address is often still visible in the deleted directory entry and the extent structures in the inode are not zeroed. This combination of factors should make it straightforward to recover deleted files. Let's see if we can document this recovery process.

Hardening of HardBit

In this Threat Analysis report, we investigate HardBit Ransomware version 4.0, a new version observed in the wild. In particular we will review the binary obfuscation enhancements as well as the delivery methods.

What MITRE ATT&CK techniques to detect first?

In this article we detail how a SOC team can select a subset of MITRE ATT&CK techniques that appear, to varying degrees, in known attacks and that can be detected with the data sources available, taking into account how those sources are configured in the infrastructure.

One Proxy to Rule Them All

This article introduces Gigaproxy, a tool for cheap IP rotation that works against multiple targets and is easy to connect to and maintain.

Remote Session Enumeration via Undocumented Windows APIs

In this post we present qwinsta, a tool that displays information about sessions on a Remote Desktop Session Host by leveraging undocumented Windows API functions to retrieve session information from a remote host.

Security's Achilles' Heel: Vulnerable Drivers on the Prowl

Throughout this article, we provide detailed explanations of the methodological aspects to consider when using your own infrastructure and OSINT platforms as intelligence sources to identify vulnerable drivers that threat actors could exploit to covertly bypass protection layers.

Managed identities overview (Part 1)

In this article, we discuss the role, functions and main operations performed by managed identities in a Microsoft Azure environment.

Fake AWS Packages Ship Command and Control Malware In JPEG Files

We investigate a series of odd packages published to the npm package registry. At first glance, these packages appear entirely legitimate; however, they contained sophisticated command and control functionality hidden in image files that would be executed during package installation.

SharpHound Detection

From a defensive point of view, SharpHound execution offers a number of detection opportunities. This blog reviews the different techniques that can be leveraged to detect execution of the tool in a protected environment.

How to Bypass Golang SSL Verification

In this blog post, we explore the Go core net/http library more deeply to understand how to disable SSL verification, either manually or with a short Python script.

Killer Ultra Malware Targeting EDR Products in Ransomware Attacks

We recently recovered a tool leveraged in Qilin ransomware attacks aimed at impairing defenses by disabling popular endpoint detection and response (EDR) and antivirus (AV) tools. We analyzed this malware to understand its full functionality and provide tactical threat intelligence to organizations to inform their detection and response strategies.

WAN-to-LAN Exploit Showcase - Part 2

We demonstrate how an attacker can compromise a device connected to the wide-area network and move to the local network in order to compromise a connected IoT device. In this second part, we cover how we moved from the router to the local network to compromise the Synology BC500 IP camera.

Unlock Access with Azure Key Vault

In this blog, I will explain how attackers, after gaining an initial foothold as an Azure user, can enumerate and abuse Azure Key Vault to access sensitive information about the target.

Cracking macOS applications

This guide presents a step-by-step process for patching a macOS application without losing any of its entitlements, so that it works as before with our modifications applied.

Malware Development, Analysis and DFIR Series - Part IV

In this post, we start with the essentials of Windows forensics, covering Windows filesystems and the artefacts that matter for Digital Forensics and Incident Response (DFIR) investigations.

Securing The Chink in Kerberos' Armor, FAST!

This post explains Kerberos armoring - also known as FAST (Flexible Authentication Secure Tunneling) - an extension to the Kerberos protocol that improves the security of the Kerberos authentication process as well as service ticket retrieval.

Windows Installer, Exploiting Custom Actions

The MSI repair process executes in an elevated context, but the lack of impersonation could lead to Arbitrary File Delete and similar issues. This article describes this unpatched vulnerability affecting the latest Windows 11 versions. It illustrates how the issue can be leveraged to elevate a local user's privileges.

Still Recent

How C2 Works In-Depth [Part 1]

In this blog we're going to take an in-depth look at the functionalities of C2 systems and uncover the processes that happen in the background after your device session is activated. The first part will detail the infrastructure components, show some shellcode examples and discuss the different types of stagers.

Compiler Options Hardening Guide for C and C++

This document is a guide for compiler and linker options that contribute to delivering reliable and secure code using native (or cross) toolchains for C and C++. The objective of compiler options hardening is to produce application binaries (executables) with security mechanisms against potential attacks and/or misbehavior.

Oldies but Goodies

Fuzzing IoT Devices Using the Router TL-WR902AC as Example

In this article, we try to find a memory-related vulnerability. The first part focuses on how to find a promising target, which tools can be used, and what a good fuzzing target should consist of. The second part describes how to develop and debug a harness that can fuzz a specific function in a binary.

A Step-by-Step Guide to Writing Extensions for API Pentesting in BurpSuite

This article provides a step-by-step guide to writing custom Burp Suite extensions to help with API pentesting. We cover everything from setting up your environment to working with the extension interfaces, so that you have all the tools necessary to build an effective extension tailored to your needs.

Hollow Process Injection

Hollow process injection is a sophisticated code injection technique attackers use to evade detection and carry out malicious activities. This article provides an overview of how such injection works through the coding of a working PoC.