Code is like humor. When you have to explain it, it's bad.
Starred Articles
Introducing Early Cascade Injection
10/15/2024 In this blog post we introduce a novel process injection technique named Early Cascade Injection. This new Early Cascade Injection technique targets the user-mode part of process creation and combines elements of the well-known Early Bird APC Injection technique with the recently published EDR-Preloading technique.
Execute a binary on a Linux system when execution is not allowed (e.g. restricted PHP environment, read-only filesystem or noexec mount flag), using only Bash: making syscall(2) calls from Bash and piping the ELF binary straight from the Internet into Bash's address space, without touching the hard drive and without ptrace() or mmap().
Escaping the Chrome Sandbox Through DevTools
10/16/2024 This blog post details how I found CVE-2024-6778 and CVE-2024-5836, which are vulnerabilities within the Chromium web browser which allowed for a sandbox escape from a browser extension (with a tiny bit of user interaction). In short, these bugs allowed a malicious Chrome extension to run any shell command on your PC.
Container Hardening Process
10/13/2024 This article presents a step-by-step guide to the container hardening process on the GNU/Linux operating system: creating a customized Seccomp policy profile, setting up MAC tools to confine the container process, and additional suggestions about further hardening options.
The purpose of the call stack spoofing technique is to construct a fake call stack that mimics a legitimate call stack in order to hide suspicious activity that might be detected by EDR or other security software.
New Articles
In this article, I will use a tool called Cable to provide examples of how a few of the common Active Directory focused attacks can be executed from an offensive programmatic and tool development perspective.
In this blog, we discuss the typical attack chain used in campaigns misusing file hosting services and detail the recently observed tactics, techniques, and procedures (TTPs), including the increasing use of certain defense evasion tactics.
Google Dorking in Cybersecurity
10/08/2024 In this article, we'll explore how Dorking can be leveraged in information security, provide a few examples, and introduce some alternative techniques.
This article provides step-by-step guidelines to build a Mimikatz binary that will not be detected by MS Defender.
Instead of immediately overwriting old entries, Windows 11 now stores the information from the CapabilityAccessManager registry keys in a SQLite 3 database, retaining the information for up to a month.
Each time a sudo command is executed, the system either creates or updates a timestamp file in /var/run/sudo/ts, named after the user executing the command. This file logs the last time the user used sudo, providing a reliable trace for forensic analysis.
In this article, we will see how attackers can exploit environment variables to execute malicious code or gain persistence in compromised systems.
In this blog, we highlight two novel evasive techniques detected recently by Barracuda threat analysts. The first involves a QR code built from combinations of ASCII/Unicode 'block' characters; the second relies on the use of 'Blob' URIs.
In this article, we explore two campaigns based on the Havoc framework.
We detected yet another HijackLoader deployment attempt - except this time, the malware sample was properly signed with a genuine code-signing certificate. This article underscores that malware can be signed, highlighting that code signature alone cannot serve as a baseline indicator of trustworthiness.
We uncovered a cybercriminal's exposed server containing DDoS scripts, SpyNote spyware disguised as popular apps, phishing pages targeting digital currency companies and messaging platforms, and ransom notes hinting at ransomware delivery. In this post, we'll discuss the discovered files and illuminate the tactics and strategies used to target unsuspecting networks.
APTs: Tactics, Techniques, and Procedures
10/06/2024 In this article, we will take a deep dive into APT groups, focusing on their Tactics, Techniques, and Procedures (TTPs), and explore real-world case studies that highlight the evolution of these multi-stage, sophisticated attacks.
In this second part, we go further with our favourite service, Athena, and show you how to quickly load data and search for interesting events. As an extra goodie, we have developed an Athena Cheatsheet to help you search smarter in Athena.
Hunting for malicious scheduled tasks
10/06/2024 Executing code and persisting through scheduled tasks is one of the most common techniques used to persist on a device. In this short blog post, we will hunt by looking into the registry entries which need to be created for a scheduled task.
Unleash The Power Of DeviceTvmInfoGathering
10/10/2024 The DeviceTvmInfoGathering table in Defender XDR is one of the understudied tables of Defender for Endpoint. This blog explores the untapped potential of this table, which helps you get quick insights into the configuration of Defender for Endpoint on your devices.
In this article, we share our journey into an SSL VPN appliance vulnerability: unusually, a format string vulnerability, in Fortinet's FortiGate devices. We set out to prove the exploitability of Fortinet FortiGate's CVE-2024-23113, and ended up down a bigger rabbit hole than we thought.
This first part of the series describes multiple vulnerabilities in RtsPer.sys, an SD card reader driver developed by Realtek. They range from leaking logs, kernel pool and stack, to writing to arbitrary kernel space.
DLL Sideloading
10/14/2024 DLL Sideloading is a technique that enables the attacker to execute custom malicious code from within legitimate, maybe even signed, Windows binaries/processes. This technique is known to be extremely evasive, and in this blog post, we will try to understand why.
We detail an attack chain in Grav, starting with a password reset link poisoning vulnerability, then escalating privileges through a Twig SSTI (Server-Side Template Injection) vulnerability, and finally exploiting a feature available to an Administrator to create a web shell in the web root directory, enabling code execution.
In this part, I will dive into what was causing the poor range of an RFID reader I built.
In this article, we will deep dive into the internals of Bitwarden, how it stores encrypted data, and what information is available to whomever controls the server.
Unpacking Snake Keylogger
10/13/2024 In this article, I will analyze a packed Snake Keylogger, an infostealer, keylogger and clipboard hijacker that first appeared in 2019 and is quite popular. During unpacking, we face some .NET obfuscation, process injection and more obfuscation, to in the end uncover Snake Keylogger and get limited access to the threat actor DopeLord's Telegram Bot.
In this short blog post we will see a trick/technique to enumerate an Azure environment when the User App Consent Workflow is blocked and it is necessary to request permission from an administrator. After the administrator approves the consent, the user can use the application.
In this article, I reveal a misrouting vulnerability that I uncovered while diving into Google Cloud Load Balancers connected to storage buckets - something that exposed thousands of websites to potential attacks.
I'll go deep into their structure, components, and how they store data, explain the principles of USB malware and focus on malicious USB files.
How to inspect TLS encrypted traffic
10/14/2024 In this blog post, I describe three different methods for decrypting TLS and explain when to use one or the other.
We've encountered a vulnerability in the interaction between multihomed Linux devices and common firewall configurations built on Linux's stateful firewall (conntrack module). We have successfully exploited this vulnerability on multiple occasions, allowing us to spoof and inject packets into internal communication streams via an external/public interface.
Techniques for analyzing binaries or kernel modules that may try to monitor themselves, similar to malware behavior. We detail a method that allows for detailed analysis while maintaining stealth, making it effective in scenarios where the target must not detect the monitoring.
Finding Vulnerability Variants at Scale
10/15/2024 I discovered a file format vulnerability that took me down an unexpected rabbit hole. The bug was fairly straightforward but what made it interesting was its origin and its variants found across numerous popular projects. In this post, I'll explain the method developed to identify such variants at scale.
We discovered a privilege escalation in F5 BIG-IP that has now been assigned CVE-2024-45844.
Still Recent
This blog is about simulating Incident Response in an Active Directory environment by doing some common attack scenarios.
A Guide to Subdomain Takeovers
09/25/2024 I am excited to share further insights and developments from the world of subdomain takeovers. The aim of this blog post is to provide a general understanding of subdomain misconfigurations, supplemented with up-to-date resources and tools.
My Recent Journey In Detecting Cobalt Strike
10/03/2024 Named pipes, for example, are often overlooked by many defenders, but in the hands of a skilled adversary, they become a stealthy vector for command-and-control (C2), lateral movement, and data exfiltration. This is the story of how we used technical precision to unravel such activity on a high-value system.
Oldies but Goodies
This blogpost covers a Capture The Flag challenge involving a format string vulnerability.
Exploiting WRMSR in vulnerable drivers
11/01/2023 I came across a driver that had an IOCTL handler with the wrmsr instruction. This handler accepted the target MSR address and value from a user-mode application without any sanitization or access control. Although I had only read about this type of vulnerability and its potential abuse in theory, I decided to try it in practice because initially it didn't seem too difficult.
Unearthed Arcana
In this post, we are going to discuss how to exploit a Bluetooth Low Energy (BLE) smart bulb using BtleJuice by performing a Man-in-the-Middle (MiTM) attack. The techniques explored in this blog post apply equally to other BLE-based smart devices.
Calling Local Windows RPC Servers from .NET
12/17/2019 This blog post gives an overview of using some recent tooling I've released to access Local RPC servers on Windows from .NET. I'll provide a worked example of using the tooling from PowerShell to exploit a novel and previously undocumented UAC bypass.