The original question 'Can machines think?' I believe to be too meaningless to deserve discussion.
Starred Articles
In this article, we explore various lateral movement techniques for macOS, some of which are specific to macOS while others are shared by other operating systems. We'll also provide real-world examples to illustrate these methods and discuss detection opportunities.
In this blog post, we take a closer look at the security software Wazuh, where we identified two critical vulnerabilities: a heap buffer overflow (CVE-2024-32038) and a command injection (CVE-2023-50260). These vulnerabilities can be chained in an attack to move from initial access to full network compromise.
One interesting attempt at CSRF protection is the rejection of requests with a Content-Type header not equal to specific values. In this article, I would like to share an interesting caveat where the protection can be bypassed.
Learn how to craft and understand adversarial attacks on AI/ML models through three hands-on challenges.
We detail attacks on LLM-controlled robots, which, if jailbroken, could be fooled into causing physical harm in the real world. Our attacks successfully jailbreak a self-driving LLM, a wheeled academic robot, and, most concerningly, the Unitree Go2 robot dog, which is actively deployed in war zones and by law enforcement.
New Articles
Create your own C2 using Python - Part 1
11/22/2024
I'd like to share how to develop your own fully operational C2 framework.
We discovered a security vulnerability in Sitecore that was exploitable due to an order of operations issue in the code. This vulnerability (CVE-2024-46938) allows an unauthenticated attacker to read arbitrary files from the local system. After downloading some specific files, achieving RCE is trivial by exploiting .NET ViewState deserialization.
We analyse the SmokedHam backdoor, detail main operations and provide relevant IoCs.
In this second part, we'll focus on the main artifacts that you might come across when investigating RDP lateral movement: the bitmap cache, UserAssist, RecentApps, JumpLists, Prefetch, Shimcache and Amcache, registry keys, Background Activity Monitor and Desktop Activity Monitor, and the default RDP file.
This article investigates Cross-IdP impersonation, a growing trend as a method of hijacking SSO to access downstream apps - without needing to compromise accounts on your company's main IdP.
Detection of "evil-winrm"
11/24/2024
We explain a technique that can be used to detect Evil-WinRM operations, a post-exploitation tool that provides a streamlined and efficient way to interact with Windows systems via Windows Remote Management (WinRM).
This article breaks down the terminology, stages, and mechanisms of mixing services while highlighting key challenges in their analysis.
Linux LKM Persistence
11/18/2024
This article presents an alternative persistence mechanism for Linux, specifically loading kernel modules at boot time.
In this article, we will go through what fileless attacks are, their components, and how to detect, investigate, and secure your organization from them.
This post will discuss methodology for leveraging the VirusTotal (VT) API to gather malicious LNK samples and subsequently tailoring analytics to hunt for observed trends. The analytics presented are for Microsoft Defender for Endpoint (MDE) using KQL.
FrostyGoop's Zoom-In: A Closer Look into the Malware Artifacts, Behaviors and Network Communications
11/19/2024
We provide a deep analysis of FrostyGoop, the first reported OT-centric malware that uses Modbus TCP communications to send commands to read or modify data on industrial control systems (ICS) devices, causing damage to the environment where attackers installed it.
LLVM-powered devirtualization
11/22/2024
This article introduces a technique allowing efficient analysis of malware protected by virtualization, one of the most popular and potent forms of obfuscation today.
We provide improvements to the existing gadget chains: loading of the URI module, use of an alternative module to perform RCE, and avoidance of the exception raised after executing the gadget chain.
This blog post discusses the results and lessons over a year and a half of work to bring AI-powered fuzzing to a point where it will find vulnerabilities all by itself, both in introducing AI into fuzz target generation and expanding this to simulate a developer's workflow.
Finding vulnerabilities in ClipSp, the driver at the core of Windows' Client License Platform
11/25/2024
We detail the techniques that led us to the discovery of eight vulnerabilities related to clipsp.sys, ranging from signature bypass to elevation of privileges and sandbox escape.
FortiClient VPN Logging Blind Spot Revealed
11/21/2024
In this article, we will share with you how we found a way to outsmart Fortinet's logging mechanism and will provide a solution together with a fun, simple script to test against your own Fortinet VPN server.
In this part of the series, I'll guide you through an awesome Linux injection technique using the ptrace system call.
BitLocker enabled. Are you really protected?
11/26/2024
Is BitLocker truly protecting you? We take a closer look at it, explain what a TPM is, and provide a brief workflow overview of how BitLocker works.
In this post, I will present a new technique targeting CLR.DLL to prevent the runtime from passing reflectively loaded .NET modules to the installed anti-virus. This bypass will allow us to safely load our malicious binaries into memory undetected.
Today, we unveil our latest discovery: the first UEFI bootkit designed for Linux systems, named Bootkitty. The bootkit's main goal is to disable the kernel's signature verification feature and to preload two as yet unknown ELF binaries via the Linux init process (which is the first process executed by the Linux kernel during system startup).
We detail the analysis of a previously unknown vulnerability in Mozilla products exploited in the wild and another previously unknown Microsoft Windows vulnerability, combined in a zero-click exploit.
Create your own C2 using Python - Part 2
11/27/2024
In this second part of the series, we will add the ability to list processes, upload and download files, and execute any command on the target.
We discovered a new technique taking advantage of Godot Engine, a popular open-source game engine, to execute crafted GDScript, code which triggers malicious commands and delivers malware. The technique remains undetected by almost all antivirus engines in VirusTotal.
In this post, in addition to learning some techniques to detect an LD_PRELOAD rootkit, we will learn how to hide it, to prevent these detections mentioned in the post from catching it.
Mutation XSS: Explained, CVE and Challenge
11/25/2024
This post will explain the general idea of Mutation XSS, what tricks exist, and how to find bypasses. It also contains two examples: a CVE I found in the lxml_html_clean library and a hard challenge combining and showcasing two new tricks.
Badmalloc (CVE-2023-32428) - a macOS LPE
11/24/2024
There's a bug in MallocStackLogging, Apple's "magical" framework that allows developers to debug application memory allocations. It allows modifications to sudoers files through race conditions, giving us a root shell.
This article marks the beginning of a series on fuzzing native code in Android applications. In this first article, we will cover the fundamental concepts of fuzzing, the role of native components in Android applications, the use of the AFL++ fuzzer, and finally, we will create a harness to perform fuzzing on an example library.
I came across a Remote Code Execution (RCE) vulnerability in an R-based API endpoint. By exploiting it, I managed to retrieve sensitive system files and even establish a reverse shell on the server. This is the story of how I did it, explained step by step.
MACF on macOS
11/28/2024
This post introduces the Mandatory Access Control Framework on macOS.
GRUB LUKS Bypass and Dump
11/27/2024
I needed to get the data off of a LUKS encrypted partition on a Virtual Machine that "wasn't mine". This blog details different techniques to recover the encryption keys from memory.
Still Recent
This second part of the series will be focused on certificate mapping vulnerabilities.
I found a fun bug in the popular enterprise VPN solution Zscaler. The bug allowed us to escape from a string and execute arbitrary JavaScript in the context of the PAC file. In this article, we develop an exploit that leverages a 17 year old version of SpiderMonkey (Firefox's JS engine) on which the pacparser relies.
When it comes to incident response or forensic investigation, the Azure landscape can feel overwhelming. To make things clearer, we will focus on the essential elements you're most likely to encounter during such operations.
This article explains how using traffic control through Network Security Groups (NSG) and PowerShell scripts for VM log retrieval empowers organizations to investigate security incidents efficiently, even without advanced security tools like SIEM.
In today's cybercrime landscape, attackers are increasingly turning to cloud services for data exfiltration. This article will help you understand how attackers use tools like rclone and MegaSync, and how investigators can reconstruct attacker activities and gain insight into the extent of the breach.
This series explains where Azure logs come from, how to access them, and how to store them, all of which can significantly improve your ability to investigate incidents and mitigate risks. The first part will explain how to centralize logs, set up analytics, and then focus on tenant logs.
This second part of the series will discuss some advanced topics regarding tenant logs, such as exporting logs to a storage account and investigating them through Storage Explorer. We will then address another type of logs: subscription logs.
The third part of the series will focus on Network Security Groups (NSG) and Storage Account logs.
We provide details and an exploit path for a use-after-free vulnerability on Samsung Exynos running Android (CVE-2024-44068).
In this blog post, we will outline several techniques for investigating phishing campaigns by pivoting between phishing landing pages. We will examine 0ktapus as a case study, showcasing how we applied some of these methods and the results we obtained.
Oldies but Goodies
Recover ADCS from Compromise
05/21/2024
As part of an "assume breach" approach, organizations must prioritize comprehensive backup and restore strategies within their ADCS infrastructure. In this article, we provide the keys to keep up-to-date backups and implement effective restoration procedures.
In this article, I'm going to explain how you can automate Puncia with GitHub Actions to monitor for subdomains and 0-day/n-day exploits at no cost.
ADCS Exploitation Part 1: Common Attacks
08/04/2024
In this series, I will show how ADCS misconfigurations introduce domain escalation vulnerabilities, and how these can be exploited. This first part will focus on the most common vulnerabilities in ADCS environments.
In this post, I will cover existing testing methodologies and the specific steps required to conduct an AWS penetration test. Additionally, I've summed up an introduction to Amazon Web Services and the dangers of cloud environments.
Detecting Fake Events in Azure Sign-in Logs
01/10/2023
This blog provides an overview and detection methodology for two types of attacks that aim at generating fake entries in the Azure sign-in logs that look like legitimate events.
This first part introduces the necessary concepts to create a kernel module. We will learn to create one such module from scratch.
This second part focuses on code injection. We will provide two practical examples to find a process ID from its name, leveraging different techniques.
Unearthed Arcana
This write-up focuses on two kernel modules and a shared library found in an open directory to uncover how they operate together, emphasizing stealth, persistence, and modularity.
This blog post is going to show you how to create and register an application within the Azure portal, how to backdoor the application (i.e. add a "secret"), and lastly, how to detect this.
This blog post will cover the Golden SAML attack, which is used by attackers to move from on-premises to Office 365/Azure.
This post will explain how a registry key timestamp can be manipulated and provide related detection mechanisms.
I will detail how $FILE_NAME timestamps can be altered and how such behavior can be detected.
Detecting Linux Anti-Forensics Log Tampering
06/22/2022
In this post, I will walk through two methods of removing and tampering with Linux artefacts to delete the malicious logins one wants to hide. I will then walk through a simple way of detecting both methods based on timestamps that you can check.
Detecting Linux Anti-Forensics: Timestomping
08/04/2022
Threat actors can modify the timestamps on malicious files to evade detection. I will cover two techniques to perform timestomping and offer a different method of detection that doesn't rely on auditd, command line logging or EDR.