One of the best ways to analyze malware is to build it
Starred Articles
Security ProbLLMs in xAI's Grok: A Deep Dive
12/16/2024 - This post examines Grok's vulnerabilities against modern LLM application security threats, including prompt injection, data exfiltration, conditional attacks, disinformation and ASCII Smuggling.
Amazon Simple Email Service (SES) is a common target for attackers to send out spam or phishing emails. In this post, we explore specific techniques regarding persistence within AWS SES that we have observed used by an attacker.
How Adversaries Abuse Serverless Services to Harvest Sensitive Data from Environment Variables
12/11/2024 - In this blog, we will explore how threat actors can exploit sensitive data stored in serverless environment variables in AWS, Azure, GCP and Kubernetes. We will also examine the use of cloud-offensive tools for this purpose.
Reflected input is often unexploitable because the attack ends up in a place which stops it working, such as inside a quoted attribute. However, the Range header can be used to force the server to send only the attack section from the document, making it fully-exploitable in the process.
This guide will walk you through hunting for 0-days in model file formats such as Pickle, ONNX, Safetensors, and GGUF. We're talking about bugs that could let you hide malicious payloads, manipulate memory, or plant backdoors that only trigger under specific conditions.
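The Pickle case from the guide above, as an added example that is not code from the guide: a static scanner that walks a pickle stream with `pickletools` and reports imported globals and the opcodes that call them, without ever calling `pickle.loads`. The allowlist of "expected" globals is an assumption for a PyTorch/NumPy-style checkpoint and should be tuned to what you actually load; the two sample payloads are constructed in memory for the demo.

```python
"""Static scan of a pickle stream for code-executing opcodes.

Added example. Walks opcodes with pickletools and never unpickles, so the
scanned bytes are not executed. ALLOWED_GLOBALS is an assumption for a
PyTorch/NumPy-style checkpoint; the sample payloads are constructed.
"""
import io
import pickle
import pickletools

# Globals a benign model pickle may legitimately reference (assumption).
ALLOWED_GLOBALS = {
    "collections.OrderedDict",
    "torch._utils._rebuild_tensor_v2",
    "torch.FloatStorage",
    "numpy.core.multiarray._reconstruct",
    "numpy.ndarray",
    "numpy.dtype",
}
STRING_OPCODES = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE",
                  "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}
CALL_OPCODES = {"REDUCE", "OBJ", "NEWOBJ", "NEWOBJ_EX"}


def scan_pickle(data: bytes) -> list:
    """Return findings as (offset, opcode, detail) tuples without unpickling."""
    findings = []
    strings = []        # string constants seen so far; STACK_GLOBAL consumes the last two
    last_global = None  # most recently imported global, used to attribute calls (heuristic)
    for op, arg, pos in pickletools.genops(io.BytesIO(data)):
        name = op.name
        if name in STRING_OPCODES:
            strings.append(arg)
            continue
        if name in ("GLOBAL", "INST"):
            # Protocols 0-3: argument is "module name", space separated.
            module, qual = arg.split(" ", 1)
        elif name == "STACK_GLOBAL":
            if len(strings) < 2:
                findings.append((pos, name, "malformed STACK_GLOBAL"))
                continue
            module, qual = strings[-2], strings[-1]
        elif name in CALL_OPCODES:
            # Attribute the call to the last imported global; good enough to
            # surface "import os.system ... REDUCE" style payloads.
            if last_global and last_global not in ALLOWED_GLOBALS:
                findings.append((pos, name, f"call of {last_global}"))
            continue
        else:
            continue
        last_global = f"{module}.{qual}"
        if last_global not in ALLOWED_GLOBALS:
            findings.append((pos, name, f"import of {last_global}"))
    return findings


def is_suspicious(data: bytes) -> bool:
    return bool(scan_pickle(data))


# Constructed protocol-0 payload: GLOBAL os.system, MARK, STRING 'id', TUPLE, REDUCE, STOP.
MALICIOUS_P0 = b"cos\nsystem\n(S'id'\ntR."


class _Evil:
    """Helper for a protocol-4 payload: __reduce__ makes pickle emit a call to builtins.eval."""
    def __reduce__(self):
        return (eval, ("1+1",))


MALICIOUS_P4 = pickle.dumps(_Evil(), protocol=4)
BENIGN = pickle.dumps({"layer1.weight": [0.1, 0.2, 0.3], "epoch": 7}, protocol=4)

if __name__ == "__main__":
    for label, blob in (("p0", MALICIOUS_P0), ("p4", MALICIOUS_P4), ("benign", BENIGN)):
        print(label, scan_pickle(blob))
```

The scanner is deliberately a pre-filter, not a sandbox: a pickle that imports only allowlisted globals can still be hostile if one of those callables is abusable, so the allowlist should be as small as the framework permits, and formats that do not carry code at all (Safetensors) remain the safer default for untrusted weights.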
New Articles
Attacking Entra Metaverse: Part 1
12/13/2024 - This series will focus on attacker tradecraft around the syncing mechanics between Active Directory and Entra. This first blog post demonstrates how complete control of an Entra user is equal to compromise of the on-premises user.
CVE-2024-55557 - Weasis 4.5.1
12/12/2024 - An unsafe and unprotected password file with weak encryption methods leads to full credentials disclosure. The attacker has different options for chaining the required steps to pursue the attack: local file read, or remote path disclosure and file read.
This blog post provides a technical analysis of kernel panic logs generated by an exploit targeting a driver called adsprpc.
Snowy Days & The Malware Packing Ways
12/15/2024 - This post will concentrate on basic compressors and crypters utilized by malware authors. We will explore the definitions of compressors and crypters, examine their functionalities, and discuss unpacking techniques. Additionally, we will attempt to unpack a malware sample and develop a simple compressor/crypter in C for PE binaries.
This post delves into the issue of unsafe archive extraction across various programming languages. It shows how giving developers more freedom also places the responsibility on them. While manual implementations are important, they can also introduce serious security risks.
This post details how I found and successfully exploited CVE-2024-52875, a CRLF injection vulnerability in Kerio Control, a popular firewall and Unified Threat Management solution.
Diving into ADB protocol internals - Part 2
12/16/2024 - In this article, we'll dive into the message protocol between ADB Server and adbd, with the goal of improving our Rust client library with the capability to fully interact with a device, eliminating the need for system dependency installations.
Auth bypass in Go SSH package
12/12/2024 - Systems that implement the PublicKeyCallback function incorrectly end up with a vulnerability that allows an authorization bypass in Go's x/crypto/ssh. Our analysis suggests that this issue is prevalent across multiple projects utilizing this (golang.org/x/crypto/ssh) package, leading to potentially severe security implications.
In this article, we will cover simple as well as advanced file upload vulnerabilities, and we will also cover edge cases that could be exploited in specific environments.
Databricks JDBC Attack via JAAS
12/13/2024 - I analyze a vulnerability in the Databricks JDBC driver. It stems from improper handling of the krbJAASFile parameter. An attacker could potentially exploit this flaw to achieve remote code execution (RCE) within the driver's context by tricking the victim into using a specially crafted connection URL that includes the krbJAASFile property.
This blog post will explore various methods that threat actors could use to access Cloudflared connector tokens and delve into how they might exploit the Cloudflared connector replicas feature once such a token is compromised. Finally, the post will present a practical AiTM attack scenario, showcasing session hijacking through a step-by-step process.
CapabilityAccessManager.db Deep Dive, Part 2
12/10/2024 - This article talks about some key settings for the database, the process used to grant capability access, a few ways to detect intentional manipulation of the artifact, and some interesting situations that may arise such that the data is not in an intuitive order.
Windows 10/11 tracks all log deletions. It's possible for a threat actor to clear the majority of logs and, at the very end, clear System.evtx, leaving behind only a single piece of evidence of their activity. However, by correlating the modification times of empty event logs with the timestamp of the last log deletion, we may be able to determine what else was cleared.
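The correlation described above, as an added example that is not code from the post: take the timestamp of the last surviving clear record (assumed here to be the Event ID 104 "log file was cleared" entry left in System.evtx) and list every .evtx whose size is that of a freshly cleared log and whose modification time falls in a short window before it. The size threshold (file header plus one 64 KiB chunk, about 69,632 bytes), the window length, the directory listing and the event XML are all constructed assumptions for the demo.

```python
"""Correlate empty .evtx files with the last log-clear event.

Added example. Assumptions, labelled here: a freshly cleared .evtx is the
4 KiB header plus one 64 KiB chunk, so files up to 70 KiB count as "empty";
the lone Event ID 104 in System.evtx is the surviving clear record. The
listing and the event XML below are constructed for the demo.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

EVT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
EMPTY_EVTX_MAX_BYTES = 70 * 1024      # assumption, see docstring
CLEAR_WINDOW = timedelta(minutes=5)   # how far before the 104 event we look
UTC = timezone.utc

# Constructed: the lone Event ID 104 left behind in System.evtx.
LAST_CLEAR_EVENT_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Eventlog"/>
    <EventID>104</EventID>
    <TimeCreated SystemTime="2024-12-14T12:00:09.000000Z"/>
    <Channel>System</Channel>
    <Computer>WS01.corp.local</Computer>
  </System>
</Event>"""

# Constructed listing of C:\Windows\System32\winevt\Logs: (name, size, mtime UTC).
EVTX_LISTING = [
    ("Application.evtx", 4_259_840, datetime(2024, 12, 11, 8, 15, 0, tzinfo=UTC)),
    ("Security.evtx", 69_632, datetime(2024, 12, 14, 12, 0, 1, tzinfo=UTC)),
    ("Microsoft-Windows-PowerShell%4Operational.evtx", 69_632, datetime(2024, 12, 14, 12, 0, 3, tzinfo=UTC)),
    ("Microsoft-Windows-Sysmon%4Operational.evtx", 69_632, datetime(2024, 12, 14, 12, 0, 5, tzinfo=UTC)),
    ("System.evtx", 69_632, datetime(2024, 12, 14, 12, 0, 9, tzinfo=UTC)),
    ("Setup.evtx", 69_632, datetime(2024, 10, 2, 9, 30, 0, tzinfo=UTC)),  # empty, but months earlier
]


def last_clear_time(event_xml: str) -> datetime:
    """Pull TimeCreated/@SystemTime out of an exported event record."""
    root = ET.fromstring(event_xml)
    time_created = root.find(f"{EVT_NS}System/{EVT_NS}TimeCreated")
    stamp = time_created.attrib["SystemTime"].replace("Z", "+00:00")
    return datetime.fromisoformat(stamp)


def suspected_cleared_logs(listing, clear_time, window=CLEAR_WINDOW, max_size=EMPTY_EVTX_MAX_BYTES):
    """Empty logs modified shortly before the final clear, earliest first."""
    suspects = []
    for name, size, mtime in listing:
        if size > max_size:
            continue
        if not (clear_time - window <= mtime <= clear_time):
            continue
        suspects.append((name, (clear_time - mtime).total_seconds()))
    suspects.sort(key=lambda s: s[1], reverse=True)
    return [name for name, _ in suspects]


if __name__ == "__main__":
    t = last_clear_time(LAST_CLEAR_EVENT_XML)
    for name in suspected_cleared_logs(EVTX_LISTING, t):
        print(name)
```

The ordering of the modification times is itself evidence: it reproduces the sequence in which the attacker's tool walked the logs, which helps when deciding which channels to pull from forwarding servers or backups.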
Windows authentication protocols keep logs of every attempt - successful or otherwise. Let's explore how authentication protocols like Kerberos and NTLM create artifacts that are goldmines for forensic investigations.
In this post, we'll explore how Windows manages volatile memory beyond the traditional RAM, where it stores snapshots of this data, and why it's a treasure trove for forensic investigations.
Group Policy Artifacts
12/09/2024 - GPOs are like the network's rulebook, setting who can do what, where, and how. In this article, we will see how to investigate compromised GPOs.
In this post, we'll explore the artifacts tied to user account life-cycles, where to find them, and how they can expose unauthorized access, privilege changes, or sneaky cover-ups.
Pagefile - Analysing Volatile Memory
12/11/2024 - In this article, we will learn how to leverage the pagefile from an incident response point of view.
Microsoft stores a compressed snapshot of your RAM in a file called hiberfil.sys. Let's dive into why this file matters for forensic investigations and how to analyze it.
Crash Dumps - Analyzing Volatile Memory
12/13/2024 - When a system crashes, Windows generates a crash dump, a valuable artifact for debugging and forensic investigations. These dumps capture system data at the time of failure and can reveal critical insights, including running processes, memory states, and system configurations.
Windows Network Forensics
12/14/2024 - This post will introduce network artifacts that are available on Windows and explain how to extract and interpret this data to understand the host's activity during a potential compromise.
Exploring AWS STS AssumeRoot
12/10/2024 - Abusing AssumeRoot is one of many living-off-the-cloud (LotC) techniques that adversaries have the capability to target. This article provides insight into AWS' AssumeRoot API operation, how it can be abused by adversaries, and some threat detection and hunting guidance.
Abusing AD-DACL: WriteOwner
12/11/2024 - In this post, we will explore the exploitation of Discretionary Access Control Lists (DACL) using the WriteOwner permission in Active Directory environments. The WriteOwner permission can be abused by an attacker to change the object owner to an attacker-controlled user and take over the object.
We provide a technical breakdown of a new family of malware we've named Malichus, delivered through the exploitation of CVE-2024-55956.
Imagine you are a security analyst and you have just been given a pair of Sysmon event log files. What would you do? Where do you start? In this tutorial we will work through two Sysmon event logs from two different systems.
SSO access tokens can buy adversaries more time as they exfiltrate credentials and other sensitive information from a victim's AWS command-line interface
Zeek logs contain valuable information about network activity, which can be analyzed to detect anomalies, threats, and trends. Here's a detailed guide to analyzing Zeek logs effectively.
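One concrete analysis of the kind the guide above covers, as an added example that is not code from the guide: a header-driven parser for Zeek's TSV `conn.log` (it reads the `#fields` line, so it works with any column set) and a beaconing check that flags `(orig_h, resp_h, resp_p)` tuples whose connection start times are too regular. The log below is constructed for the demo with a reduced `#fields` set; the thresholds are assumptions to tune against your own baseline.

```python
"""Beacon hunting over a Zeek conn.log.

Added example. Parses the TSV format from its #fields header and flags
source/destination/port tuples whose inter-connection gaps have a low
coefficient of variation. The log and the thresholds are constructed
assumptions for the demo.
"""
import statistics
from collections import defaultdict


def sample_conn_log() -> str:
    """Constructed conn.log: one 60-second beacon, irregular DNS, a few web hits."""
    base = 1734350400.0  # 2024-12-16 12:00:00 UTC
    header = [
        "#separator \\x09", "#set_separator\t,", "#empty_field\t(empty)",
        "#unset_field\t-", "#path\tconn",
        "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state",
        "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount\tstring",
    ]
    rows = []

    def row(ts, orig, oport, resp, rport, proto, service, dur, ob, rb, state):
        rows.append("\t".join(map(str, [f"{ts:.6f}", f"C{len(rows):06x}", orig, oport,
                                        resp, rport, proto, service, dur, ob, rb, state])))

    t = base
    for gap in (0, 60, 61, 59, 60, 60, 61, 59):          # beacon, small jitter
        t += gap
        row(t, "10.1.1.7", 49000 + int(t - base) % 1000, "203.0.113.9", 443, "tcp", "ssl", 0.4, 312, 1189, "SF")
    for off in (2, 3, 90, 95, 400, 401, 402):             # irregular DNS from the same host
        row(base + off, "10.1.1.7", 53000 + off, "10.1.1.1", 53, "udp", "dns", 0.01, 60, 120, "SF")
    for off in (5, 700, 900):                             # a few web hits from another host
        row(base + off, "10.1.1.8", 51000 + off, "198.51.100.4", 80, "tcp", "http", 1.2, 900, 45000, "SF")
    rows.sort(key=lambda r: float(r.split("\t")[0]))
    return "\n".join(header + rows + ["#close\t2024-12-16-13-00-00"]) + "\n"


def parse_conn_log(text: str) -> list:
    """Return one dict per record, keyed by the names in the #fields header ('-' becomes None)."""
    fields, records = None, []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            continue
        if fields is None:
            raise ValueError("data line before #fields header")
        values = line.split("\t")
        records.append({k: (None if v == "-" else v) for k, v in zip(fields, values)})
    return records


def find_beacons(records: list, min_conns: int = 6, max_cv: float = 0.1) -> list:
    """Flag tuples with at least min_conns connections and regular gaps (stdev/mean <= max_cv)."""
    series = defaultdict(list)
    for r in records:
        series[(r["id.orig_h"], r["id.resp_h"], int(r["id.resp_p"]))].append(float(r["ts"]))
    hits = []
    for (orig_h, resp_h, resp_p), stamps in series.items():
        if len(stamps) < min_conns:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            hits.append({"orig_h": orig_h, "resp_h": resp_h, "resp_p": resp_p,
                         "count": len(stamps), "interval_s": round(mean, 1), "cv": round(cv, 3)})
    return sorted(hits, key=lambda h: h["cv"])


if __name__ == "__main__":
    for hit in find_beacons(parse_conn_log(sample_conn_log())):
        print(hit)
```

Legitimate software (update checks, monitoring agents) also beacons on a fixed cadence, so the output is a hunting lead to enrich with `ssl.log` (JA3/SNI) and `dns.log`, not an alert on its own.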
An in-depth analysis of Xloader malware delivered via spoofed SharePoint notifications.
Detecting AS-REP Roasting Attacks
12/10/2024 - This article details the logs and traffic data that can be used to detect AS-REP Roasting attacks, as well as correlations that can be leveraged for comprehensive detection.
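The log side of that detection, as an added example that is not code from the article: over Event ID 4768 (Kerberos TGT requested) records, flag sources that obtain TGTs for several accounts without pre-authentication (PreAuthType 0) and with an RC4 ticket encryption type (0x17), which is the pattern roasting tools leave behind while modern clients negotiate AES. The records are constructed in the flattened field layout an EVTX-to-JSON converter produces; the account threshold is an assumption.

```python
"""Flag AS-REP Roasting from Windows Event ID 4768 records.

Added example. The records are constructed; field names follow the 4768
event's own data names. min_accounts is an assumed threshold to separate a
roasting sweep from one legacy account that legitimately skips pre-auth.
"""
from collections import defaultdict

RC4_HMAC = "0x17"  # etype 23; modern clients negotiate AES (0x11 / 0x12)

# Constructed 4768 records: a sweep from 10.0.0.5, plus normal traffic.
EVENTS_4768 = [
    {"TargetUserName": "svc_backup", "ServiceName": "krbtgt", "IpAddress": "::ffff:10.0.0.5",
     "PreAuthType": "0", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"TargetUserName": "j.doe", "ServiceName": "krbtgt", "IpAddress": "::ffff:10.0.0.5",
     "PreAuthType": "0", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"TargetUserName": "admin", "ServiceName": "krbtgt", "IpAddress": "::ffff:10.0.0.5",
     "PreAuthType": "0", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"TargetUserName": "nosuchuser", "ServiceName": "krbtgt", "IpAddress": "::ffff:10.0.0.5",
     "PreAuthType": "-", "TicketEncryptionType": "0xffffffff", "Status": "0x6"},   # unknown principal
    {"TargetUserName": "a.smith", "ServiceName": "krbtgt", "IpAddress": "::ffff:10.0.0.20",
     "PreAuthType": "2", "TicketEncryptionType": "0x12", "Status": "0x0"},         # normal logon
    {"TargetUserName": "legacy_app", "ServiceName": "krbtgt", "IpAddress": "::ffff:10.0.0.30",
     "PreAuthType": "0", "TicketEncryptionType": "0x12", "Status": "0x0"},         # no pre-auth, but AES
]


def strip_v4_mapped(ip: str) -> str:
    """4768 logs IPv4 clients as ::ffff:a.b.c.d; normalise for grouping."""
    return ip[7:] if ip.startswith("::ffff:") else ip


def detect_asrep_roasting(events: list, min_accounts: int = 2) -> dict:
    """Map source IP -> sorted accounts for which a roastable AS-REP was issued."""
    by_source = defaultdict(set)
    for e in events:
        if (e.get("ServiceName") or "").lower() != "krbtgt":
            continue
        if e.get("Status") != "0x0":          # only issued TGTs carry a crackable AS-REP
            continue
        if e.get("PreAuthType") != "0":       # pre-auth skipped
            continue
        if (e.get("TicketEncryptionType") or "").lower() != RC4_HMAC:
            continue
        by_source[strip_v4_mapped(e["IpAddress"])].add(e["TargetUserName"])
    return {src: sorted(accts) for src, accts in by_source.items() if len(accts) >= min_accounts}


def enumeration_sources(events: list, min_failures: int = 1) -> dict:
    """Sources generating KDC_ERR_C_PRINCIPAL_UNKNOWN (0x6), a common prelude to roasting."""
    failures = defaultdict(int)
    for e in events:
        if e.get("Status") == "0x6":
            failures[strip_v4_mapped(e["IpAddress"])] += 1
    return {src: n for src, n in failures.items() if n >= min_failures}


if __name__ == "__main__":
    print(detect_asrep_roasting(EVENTS_4768))
    print(enumeration_sources(EVENTS_4768))
```

On the wire the same sweep shows up as AS-REQs without PA-DATA followed by AS-REPs whose enc-part uses etype 23, and the request source will usually match the IpAddress above, which is the correlation point between the host and network views.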
Killing Windows Kernel Mitigations
12/07/2024 - This post introduces some of the latest exploit mitigations offered by Microsoft and how "easily" they can be bypassed. Only some of them are covered here; others exist and will be covered when relevant within this series.
I'll be breaking down a vulnerability in Philips' IntelliSpace Cardiovascular. This vulnerability allows a replay attack to be performed on the web application and I will demonstrate that it can be upgraded into full authentication bypass.
Restoring Reflective Code Loading on macOS
12/16/2024 - In this blog, we'll first revisit traditional methods for reflective code loading on macOS and examine specific examples of malware that have leveraged these now-obsolete and ineffective approaches. Then, we'll detail a surprisingly simple approach that leverages Apple's own loader, ensuring that reflective code loading remains possible.
Android Static Analysis is a foundational approach to identifying vulnerabilities in applications without executing them. This blog provides insight into the tools and techniques required for effective analysis.
We show in this blog post that under a common (default) configuration of PHP we can achieve unauthenticated Remote Code Execution in Craft CMS.
Technical Analysis of RiseLoader
12/16/2024 - RiseLoader is a new malware loader family that implements a custom TCP-based binary network protocol that is similar to RisePro. In this blog, we explore RiseLoader's TCP-based binary protocol, and highlight the similarities between RiseLoader and RisePro.
We have recently identified a phishing kit, which we have named WikiKit because of its functionality to redirect to Wikipedia pages if the JavaScript is disabled or the phishing link is invalid.
In this post, we are talking about using shared memory sections to inject and execute code in a remote process. This method of process injection uses Windows Section Objects to create a memory region that can be shared between processes.
We have identified a new sophisticated scam targeting people who work in Web3. The campaign includes crypto stealer Realst that has both macOS and Windows variants.
Still Recent
Ezekiels Wheel (Hells Gate Analysis)
11/23/2024 - This writeup is an analysis of the Hells Gate malware. This malware strain contains a technique that performs syscalls on the Windows operating system in order to evade EDR detection.
In this post, I want to discuss a specific type of vulnerability I've encountered: Server-Side Template Injection (SSTI) in Freemarker that can lead to Remote Code Execution (RCE). This vulnerability is particularly concerning as it allows attackers to execute arbitrary code on the server.
This blog provides an in-depth analysis of the exploitation process for an unauthenticated XXE vulnerability in Ivanti Endpoint Manager, identified as CVE-2024-37397.
This article discloses 7 vulnerabilities, 2 of which pose a threat to Google Pixel devices, while the others pose a threat to all Android devices, regardless of vendor. These vulnerabilities range from access to sensitive data such as geolocation or arbitrary files, to full Bluetooth access and HTML injection.
Our bof-launcher project allows you to write, build, debug and execute BOFs using Zig, C and/or assembly language on Windows (x86/x64) and Linux (x86/x64/ARM/AARCH64). In this first part, we will learn how to build the project, how to add our own custom BOFs to the build system and how to run/debug BOFs.
What are C2 Frameworks? Types and Examples
11/04/2024 - In this article, we will cover how C2 frameworks operate, their role in modern attacks, and strategies to detect and mitigate these threats.
Oldies but Goodies
Active Directory Advanced Threat Hunting - Tracing the cause of account lockouts and password errors
04/03/2024 - In this article we are going on a "search for clues" regarding account brute force attempts, trying to identify on which system an account was locked or on which system the password was entered incorrectly.
Tic TAC - Beware of your scan
10/01/2024 - I discovered a Remote Code Execution vulnerability inside a well-known open-source tool that is actively maintained and taught in several universities and labs, using a medical imaging standard RFC.
Environment variables provide valuable insights into user activities and are often manipulated by attackers to obfuscate their actions. By familiarizing yourself with common environment variables and how they are used, you can enhance your ability to detect, analyze, and respond to security incidents effectively.
Generic bpftrace-based RCE/webshell prevention technique for critical Linux network services
10/07/2024 - I present a bpftrace script that focuses on monitoring and killing certain processes based on their parent process names when they invoke execve(), the system call used to execute new programs.
Unearthed Arcana
Spoofing Call Stacks To Confuse EDRs
06/30/2022 - Call stacks are an understated yet often important source of telemetry for EDR products. In this article, we will see how it is possible to spoof a call stack so that when this collection takes place inline (say from within a kernel driver callback routine) a fake call stack is recorded.
A collection of some really cool PowerShell one-liner scripts. Useful in server administration and incident response operations.
Hunting for Apache rootkit using OSquery
06/18/2020 - In this short blog post, I would like to show you how easy it is to backdoor the Apache HTTP server running on the Linux platform by using a malicious Apache module with rootkit functionality.