Sometimes it pays to stay in bed on Monday, rather than spending the rest of the week debugging Monday's code.
Starred Articles
Windows MiniFilter Altitude can be abused to blind EDR. Some vendors have developed mitigations, and we've decided to explore these mitigations and attempt to bypass them.
Vulnerabilities in Open Source C2 Frameworks
09/18/2024
I decided to investigate Command & Control (C2) frameworks. The post begins with an illustrated introduction to what C2 frameworks are, followed by a survey of the current state of open source options. Next the post gives a brief C2 framework threat model, before sharing details of a mix of authenticated and unauthenticated remote code execution (RCE) vulnerabilities.
SAP Hash Cracking Techniques
09/19/2024
In this blog, we will delve into how SAP stores passwords and explore the tools available for performing hash cracking tests.
Cast me an alert(1)
01/03/2021
This article is about my journey trying to execute arbitrary code with implicit JavaScript calls.
New Articles
Let's discuss what deserialization is and give a demonstration example, as it can sometimes lead to Remote Code Execution (RCE), Privilege Escalation and additional weaknesses with severe impacts on the entire application.
In this post we detail the internal workings of a deserialization vulnerability in Ivanti Endpoint Manager AgentPortal, resulting in remote code execution.
Discover how attackers can sniff your data on network cables and how you can defend against it by encrypting all your Ethernet traffic on the fly, with very good performance.
DD Oriented Programming
09/07/2024
Looking for a more generic way to inject arbitrary code by using a malicious shared object library, I realized that the procfs memory-related entries with r/w permissions left an open door to quite literally pwn and own the process. So I set out to prove it.
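A minimal version of the procfs write that the post builds on, added here as an illustration and not the author's code: on Linux, a write to /proc/PID/mem at a virtual address is performed by the kernel on the target's behalf, which is exactly what `dd ... of=/proc/PID/mem seek=ADDR conv=notrunc` does. The example patches the current process (any other pid works the same given ptrace permission: same uid and a permitting kernel.yama.ptrace_scope), first a writable heap buffer and then a page deliberately mprotect()ed read-only. The buffer contents and the "payload" strings are constructed for the demo.

```python
import ctypes
import mmap
import os


def write_proc_mem(pid: int, addr: int, data: bytes) -> int:
    """Write `data` into the address space of `pid` at virtual address `addr`.

    Same effect as the shell one-liner
        dd if=payload.bin of=/proc/PID/mem bs=1 seek=ADDR conv=notrunc
    The kernel performs the copy on the target's behalf; for another pid this
    needs ptrace permission (same uid and kernel.yama.ptrace_scope allowing).
    """
    fd = os.open(f"/proc/{pid}/mem", os.O_RDWR)
    try:
        return os.pwrite(fd, data, addr)
    finally:
        os.close(fd)


def read_proc_mem(pid: int, addr: int, length: int) -> bytes:
    """Counterpart of write_proc_mem; dd with `skip=ADDR` does the same."""
    fd = os.open(f"/proc/{pid}/mem", os.O_RDONLY)
    try:
        return os.pread(fd, length, addr)
    finally:
        os.close(fd)


def demo_self_patch() -> bytes:
    """Patch a writable buffer of the current process through procfs and
    return what the buffer holds afterwards (no pointer write involved)."""
    buf = ctypes.create_string_buffer(b"original payload", 32)   # constructed
    addr = ctypes.addressof(buf)
    write_proc_mem(os.getpid(), addr, b"patched payload!")
    assert read_proc_mem(os.getpid(), addr, 16) == b"patched payload!"
    return buf.raw.rstrip(b"\x00")


def demo_readonly_patch() -> bytes:
    """Same trick against a page mprotect()ed to PROT_READ. A plain store
    would SIGSEGV, but /proc/PID/mem writes use FOLL_FORCE and break the
    private mapping's copy-on-write, so the write lands anyway."""
    page = mmap.mmap(-1, mmap.PAGESIZE)               # private anonymous page
    page[:16] = b"read-only secret"                   # constructed content
    addr = ctypes.addressof(ctypes.c_char.from_buffer(page))
    libc = ctypes.CDLL(None, use_errno=True)
    if libc.mprotect(ctypes.c_void_p(addr), mmap.PAGESIZE, mmap.PROT_READ) != 0:
        raise OSError(ctypes.get_errno(), "mprotect failed")
    write_proc_mem(os.getpid(), addr, b"owned by procfs!")
    return bytes(page[:16])


if __name__ == "__main__":
    print(demo_self_patch())       # b'patched payload!'
    print(demo_readonly_patch())   # b'owned by procfs!'
```

The second function is the reason the technique matters: page protections guard the process's own loads and stores, not the kernel's access path through procfs, so anything the target holds in memory (including code) is fair game for whoever can open its mem file. Detection-wise, an open of /proc/<pid>/mem for writing by a process other than a debugger is a strong signal.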
This post is the result of my own research on using the FEAL-8 block cipher in malware development. I decided to check what would happen if we apply this to encrypt/decrypt the payload.
This paper will provide a brief overview of Peach's features and explain its core concepts and basic usage through experimentation.
In this blog post, I'll give a walkthrough of how I used free resources to acquire a sample of a malicious browser extension and, using some simple cryptanalysis, was able to pivot and acquire and decrypt newer samples.
Friends don't let friends reuse nonces
09/13/2024
This blog post tells a cautionary tale of what can go wrong when implementing a relatively basic type of cryptography: a bidirectional encrypted channel, such as an encrypted voice call or encrypted chat.
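The classic way this goes wrong, as an added example that is not part of the original post: both endpoints of the channel share one key, and each derives nonces from its own send counter, so Alice's first message and Bob's first message are encrypted under the same key and nonce. Any stream cipher (AES-CTR, ChaCha20, the keystream of an AEAD) then gives `c_A XOR c_B = p_A XOR p_B`, and one predictable plaintext exposes the other. The keystream below is a toy SHA-256 counter construction standing in for the real cipher (the attack is identical), and the greeting/PIN messages are constructed.

```python
import hashlib

KEY = hashlib.sha256(b"shared session key (constructed example)").digest()


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream: SHA-256(key || nonce || block_index).
    Stands in for AES-CTR / ChaCha20; like them it is XORed onto the data,
    which is all the attack below relies on."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + block.to_bytes(8, "big")).digest()
        block += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def stream_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    return xor(data, keystream(key, nonce, len(data)))


class NaiveEndpoint:
    """Bug: each side numbers its own messages from 0 with the shared key,
    so message #0 from A and message #0 from B collide on the nonce."""

    def __init__(self, key: bytes):
        self.key, self.counter = key, 0

    def send(self, plaintext: bytes):
        nonce = self.counter.to_bytes(12, "big")
        self.counter += 1
        return nonce, stream_encrypt(self.key, nonce, plaintext)


class DirectionalEndpoint(NaiveEndpoint):
    """Fix: partition the nonce space by direction (top byte here), so the
    two sides can never pick the same nonce. Deriving a separate key per
    direction from the session key is an equally good alternative."""

    def __init__(self, key: bytes, direction: int):
        super().__init__(key)
        self.direction = direction

    def send(self, plaintext: bytes):
        nonce = bytes([self.direction]) + self.counter.to_bytes(11, "big")
        self.counter += 1
        return nonce, stream_encrypt(self.key, nonce, plaintext)


def recover_other_plaintext(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """Passive attacker: under one key/nonce, c1 ^ c2 == p1 ^ p2, so a known
    p1 (protocol greeting, fixed header) yields p2 directly."""
    n = min(len(c1), len(c2), len(known_p1))
    return xor(xor(c1[:n], c2[:n]), known_p1[:n])


P_A = b"HELLO v1 caller=alice".ljust(32)   # predictable greeting (constructed)
P_B = b"PIN 4321 accept".ljust(32)         # the secret reply (constructed)


def demo_naive() -> bytes:
    alice, bob = NaiveEndpoint(KEY), NaiveEndpoint(KEY)
    n_a, c_a = alice.send(P_A)
    n_b, c_b = bob.send(P_B)
    assert n_a == n_b                       # same nonce in both directions
    return recover_other_plaintext(c_a, c_b, P_A)


def demo_fixed() -> bool:
    alice, bob = DirectionalEndpoint(KEY, 0), DirectionalEndpoint(KEY, 1)
    n_a, c_a = alice.send(P_A)
    n_b, c_b = bob.send(P_B)
    # Distinct nonces give independent keystreams; the XOR trick yields noise.
    return n_a != n_b and recover_other_plaintext(c_a, c_b, P_A) != P_B


if __name__ == "__main__":
    print(demo_naive())   # b'PIN 4321 accept' padded: the secret, recovered
    print(demo_fixed())   # True
```

Note that an AEAD does not save you here: AES-GCM and ChaCha20-Poly1305 both degrade to this keystream reuse (and, for GCM, to forgery via recovery of the authentication key) on a repeated nonce. The invariant to enforce is that a (key, nonce) pair is used once across all senders, not once per sender.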
Shell Shocked: The Oyster Backdoor Update
09/15/2024
We identified a potential update to the Oyster backdoor, now referred to as CleanUpLoader. By analysing the tactics, techniques, and procedures (TTPs) associated with CleanUpLoader and comparing them with the newly deployed executables, I was able to identify key patterns and draw meaningful conclusions.
Attacking PowerShell CLIXML Deserialization
09/13/2024
In this article, we will learn that using PowerShell's CLIXML deserialization could lead to undesired effects, including remote code execution. We will also see that widely used solutions, like PowerShell Remoting and PowerShell Direct (Hyper-V), rely on such deserialization and could make you vulnerable to this kind of attack.
This blog post shows how a user with Reader-level access to an Azure API Management resource actually had the equivalent of Contributor-level access, allowing the user to read, modify and even delete configurations of the resource via the Direct Management API.
DFIR Next Steps: What To Do After You Find A Suspicious Use Of Remote Monitoring & Management Tools
09/09/2024
This post is about what to do when you identify the use of RMM tools on a host. This is the first part of a series on RMM investigations and will start with a broad overview of RMM tools and some of the challenges they present.
In this second part we'll walk you through the step-by-step process of setting up and conducting a Digital Forensics and Incident Response (DFIR) investigation using a virtual machine (VM). We'll cover everything from configuring the VM to ensure it's completely isolated to tackling the challenges of USB passthrough with a write blocker.
In a recent investigation of an open directory, we uncovered a Windows executable and two Chrome extension files. The extensions, deceptively presented as a "Dark Mode" feature, borrow code from an open-source project, providing the operator with capabilities such as logging keystrokes, taking screenshots, etc.
Researchers have uncovered a major cyber attack targeting cloud environments by exploiting sensitive secrets stored in .env files. The following article offers a detailed breakdown of techniques used by attackers in this malicious operation. I will explore the 5 phases of the attack: Initial Access, Account Discovery, Privilege Escalation, Malicious Execution, and Data Exfiltration.
SLEAPING and SWAPPALA techniques are used to hide a memory mapping from memory scanners. However, they still leave some IOCs behind. In this article, we will see how this can be fixed.
Advanced Frida Usage Part 10
09/17/2024
This blog post takes a unique and intriguing approach by demonstrating how to use Frida's Stalker APIs to trace instructions as they execute within an app in real time. Additionally, we'll explore how to use various attributes of these instructions to extract valuable insights.
CVE-2024-8190: Investigating CISA KEV Ivanti Cloud Service Appliance Command Injection Vulnerability
09/16/2024
We have a look at CVE-2024-8190, a command injection vulnerability in Ivanti Cloud Service Appliance.
CVE-2024-38041 allows a local attacker to retrieve information that could lead to a Kernel Address Space Layout Randomization (KASLR) bypass, which might become a requirement in future releases of Windows. This blog post details my process of patch diffing the Windows kernel, analysing the N-day vulnerability, finding the bug and building a working exploit.
This blog post will dive into our research on isolating functional expectations for LLMs that provide a service through a controller that controls access to both privileged LLMs and quarantined LLMs.
Repair functions of Microsoft Windows MSI installers can be vulnerable in several ways, for instance allowing local attackers to escalate their privileges to SYSTEM rights. This vulnerability is referenced as CVE-2024-38014.
Three-Headed Potato Dog
09/17/2024
We have a look at using DCOM to coerce Windows systems into authenticating to other systems, and how this can be misused to relay that NTLM or Kerberos authentication, to AD CS over HTTP for instance.
In this blog post we will explain novel attack scenarios that affect the widely used protocols PowerShell Remoting and PowerShell Direct.
Entra ID Administrative Units (AUs) allow scoped role assignment of an Entra ID role over a subset of Entra ID users, groups, and devices, instead of over the whole tenant. In this post, we'll cover the technical background you need to understand AUs, how they can be used and abused, and details of the AU restricted management and hidden membership features.
Snake&Apple Part 8 - App Sandbox
09/19/2024
This article examines the macOS Sandbox components, such as the kernel extension, the private framework, the daemons running in userland and the container directories, to see how it works.
Extracting Credentials From Windows Logs
09/14/2024
Active Directory logs are great for threat detection; however, they can also be leveraged by adversaries to find plaintext credentials.
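The mechanism is mundane: Security event 4688 records the full process command line once the audit policy "Include command line in process creation events" is enabled, and PowerShell event 4104 records script block text once Script Block Logging is on. Administrators routinely put passwords on those command lines (`net use ... /user:x <pw>`, `schtasks /rp <pw>`, `PsExec -p <pw>`, `ConvertTo-SecureString "<pw>" -AsPlainText`). Anyone with read access to the log, or to a SIEM that ingests it, can harvest them. As an added illustration that is not the article's code, here is a small scanner run over constructed event records; the patterns are a starting set, not an exhaustive one.

```python
import re
from dataclasses import dataclass


@dataclass
class Event:
    event_id: int   # 4688 (process creation) or 4104 (PowerShell script block)
    text: str       # "Process Command Line" or "ScriptBlockText" field


# Each pattern names the admin habit that leaks the secret and captures it
# as group "secret". Constructed from common tooling; tune for your estate.
PATTERNS = {
    "net use /user:<u> <pw>": re.compile(
        r"\bnet\s+use\b.*?/user:\S+\s+(?P<secret>\S+)", re.I),
    "schtasks /rp <pw>": re.compile(
        r"\bschtasks\b.*?/rp\s+(?P<secret>\S+)", re.I),
    "psexec -p <pw>": re.compile(
        r"\bpsexec(?:64)?(?:\.exe)?\b.*?\s-p\s+(?P<secret>\S+)", re.I),
    "ConvertTo-SecureString '<pw>' -AsPlainText": re.compile(
        r"""ConvertTo-SecureString\s+['"](?P<secret>[^'"]+)['"]\s+-AsPlainText""", re.I),
    "--password=<pw> in arguments": re.compile(
        r"""\bpassword=['"]?(?P<secret>[^'"\s;&]+)""", re.I),
}


def find_credentials(events):
    """Return (event_id, pattern_name, secret) for every plaintext hit."""
    hits = []
    for ev in events:
        for name, rx in PATTERNS.items():
            for m in rx.finditer(ev.text):
                secret = m.group("secret")
                if secret == "*":   # "*" means the tool prompted; nothing was logged
                    continue
                hits.append((ev.event_id, name, secret))
    return hits


def sample_events():
    """Constructed records. 4688 carries a command line only with the
    'Include command line in process creation events' policy on; 4104 needs
    PowerShell Script Block Logging enabled."""
    return [
        Event(4688, r"net  use \\FS01\share /user:CORP\svc_backup Summer2024! /persistent:no"),
        Event(4688, r"schtasks /create /tn Sync /tr backup.exe /ru CORP\svc_task /rp Tr0ub4dor&3 /sc daily"),
        Event(4688, r"net use Z: \\FS01\share /user:CORP\alice *"),          # prompted: no leak
        Event(4104, r'$pw = ConvertTo-SecureString "Winter-2024" -AsPlainText -Force; '
                    r'$cred = New-Object PSCredential("CORP\svc_sql", $pw)'),
        Event(4688, r"PsExec.exe \\APP01 -u CORP\adm -p Hunter2 cmd /c whoami"),
        Event(4688, r'"C:\Program Files\App\agent.exe" --server=db01 --password=Agent#99 --start'),
        Event(4688, r"C:\Windows\System32\svchost.exe -k netsvcs"),           # benign
    ]


if __name__ == "__main__":
    for event_id, name, secret in find_credentials(sample_events()):
        print(f"{event_id}  {name:45}  {secret}")
```

Run the same patterns as a detection in your SIEM and you get two things at once: a list of credentials to rotate, and a measure of how much an attacker with Event Log Readers membership or SIEM read access would already have. The defensive fix is on the logging side as much as the admin side: Windows protected event logging (CMS encryption of 4104 payloads) and restricting who can read the Security log.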
By leveraging code review techniques and a few "What if..." scenarios, it's possible to uncover vulnerabilities hidden within common patterns like automatic ORM mapping and SQL query building. We demonstrate this through the analysis of CVE-2024-32963, a parameter tampering vulnerability in Navidrome.
In this post we detail the internal workings and provide a PoC for CVE-2023-28324, an improper input validation vulnerability in Ivanti Endpoint Manager (EPM).
Still Recent
In this blog I will show how I exploited the exposed JavaScript interface of a WebView-based cryptocurrency application to perform critical authenticated actions like placing a trade order, cancelling a trade order or deactivating the account.
Monitoring Gists with trufflehog
08/23/2024
In this article, we will guide you through setting up a basic monitoring system to detect leaked secrets in GitHub Gists using Trufflehog. This process will help you to identify sensitive information, such as API keys and passwords, that may have been unintentionally exposed in public Gists.
In this article, we'll configure TruffleHog to detect sensitive information, such as API keys and passwords, that might have been inadvertently exposed in public GitLab Snippets.
In this article, we'll go over some of the most common security misconfigurations present in Salesforce Experience Cloud that can lead to a wide variety of security vulnerabilities, ranging from sensitive data exposure (often including personally identifiable information) to allowing unauthorized users to perform unwanted actions.
This post is about what to do when an alert relating to the use of certutil.exe is raised. We'll cover how you can take this first indicator and then gather more clues about what happened in the attack.
This first part focuses on the prerequisites and preparation work done before kicking off a USB key investigation, such as explaining the forensic principles used in the investigation, how the evidence is preserved and introducing the tools deployed.
Oldies but Goodies
RX->RW detections can detect a wide range of sleep obfuscation techniques and attackers need to find more creative ways to hide a beacon in memory while sleeping. This post describes an attempt in that direction using a PE generic loader to quickly prototype and test ideas that can then be further improved and engineered if deemed worthy.
We tested to see if the lightweight Gemini 1.5 Flash model is capable of large-scale malware dissection. We analyzed 1,000 Windows executables and DLLs randomly selected from VirusTotal's incoming stream. The system effectively resolved cases of false positives, samples with obfuscated code, and malware with zero detections on VirusTotal.
In this part, we will learn how to use a very interesting API provided by Frida called Memory.scan(), which lets you scan memory for byte patterns and patch them as well.
We decided to put Gemini 1.5 Pro to the test to see how it performed at analyzing malware. By providing code and using a simple prompt, we asked Gemini 1.5 Pro to determine if the file was malicious, and also to provide a list of activities and indicators of compromise.
BloodHound is powerful, but it is easy to get lost. This article will cover setting up, collecting data, analyzing the data, and providing value with that data.
In this article I'll outline the boot process of the R1, and how (and why) I subverted it to create a "tethered jailbreak" that gives you a root shell on otherwise-stock firmware, all without unlocking the bootloader or making any persistent changes to internal storage.
Unearthed Arcana
You don't need a physical smart card at all to authenticate to an Active Directory domain that enforces smart card logon. The attributes of the certificate determine whether it can be used for smart card logon, not the origin of the associated private key.
All is XSS that comes to the .NET
11/08/2019
ASP.NET takes responsibility for fixing project file path problems by offering app-root-relative URLs. Luckily for attackers, it also opens some new ways to attack web applications.
CVE-2024-29847 is a Remote Code Execution vulnerability impacting Ivanti Endpoint Manager (EPM). In the following blog post I will be publishing the fully working unauthenticated exploit and detail how this bug class works.