For any sufficiently complex system the developer will know it works, but not why. The security researcher will know it's broken, but not how.
Starred Articles
Inside a New Wave of LLM Hijacking on AWS
12/15/2024 This blog focuses on a particular campaign that we have so far identified across multiple AWS environments. As part of the attack, the actor used unusual techniques for privilege escalation and persistence, which we detail in this blog.
Detecting rootkits based on ftrace hooking
12/26/2024 ftrace (Function tracing) is a kernel function tracer. It can be used by LKM rootkits to do hooking. This post will explain how such rootkits can be automatically detected.
SOQL injection in SalesForce
11/26/2024 In this write-up, I'll dive into a real-world example of SOQL (Salesforce Object Query Language) injection, explore why it happens, and how I was able to get a full impact from it.
NT Web Technology Vulnerabilities
12/25/1998 A deep dive into IIS 4.0 exploitation techniques, including the very first description of the SQL injection attack.
New Articles
This article explains in detail what Use After Free vulnerabilities are, and how to find and exploit them from the source code.
Approaching the Modern Windows Kernel Heap
12/21/2024 This article details all the steps to exploit a UAF (Use After Free) vulnerability from a binary: reverse engineering, allocation from user space, large pool allocation, and code execution.
Weaponizing WDAC: Killing the Dreams of EDR
12/20/2024 Windows Defender Application Control (WDAC) is a technology that gives organizations fine-grained control over the executable code that is permitted to run on their Windows machines. We detail an attack that makes use of a specially crafted WDAC policy to stop defensive solutions across endpoints and could allow adversaries to easily pivot to new hosts.
I stumbled upon an interesting Ruby library raising red flags while searching for JWT algorithm confusion vulnerabilities: xmidt-org/cjwt. This article delves into the code and explains how I identified these red flags. From there we will write a fully functioning PoC.
Create your own C2 using Python - Part 3
12/20/2024 In this third part, we are now incorporating some new features that really make this lightweight C2 actually useful in a live pentest scenario: getsystem, UAC bypass, migrate.
A "Zip Slip" vulnerability is a security flaw that occurs when an application extracts files from an archive without validating their paths. We detail such a vulnerability we found in InVesalius that allows attackers to write arbitrary files onto the system via a crafted .inv3 file.
Argo CD Security Misconfiguration Adventures
12/13/2024 Despite such a strong security posture, Argo CD can be configured in ways that create vulnerabilities. This article studies two examples where Argo CD is deployed in a way that unexpectedly enables privilege escalation and authentication bypass.
This article describes multiple vulnerabilities identified in NASA CryptoLib. The identified vulnerabilities enable an attacker to send arbitrary commands to a spacecraft's Onboard Computer (OBC), potentially causing unwanted behaviours. More critically, the attacker could gain exclusive control of the spacecraft.
Fuzzy hashes focus on finding "close enough" similarities. This makes them incredibly useful for detecting malware that's been slightly modified or identifying patterns in large sets of data. In this post, we'll break down the different types of hashes, how fuzzy hashes work, and why they're a key part of malware identification.
A Little More on LKM Persistence
12/21/2024 In this article, I explain and demonstrate how to improve our LKM persistence method by removing the malicious module name from modules.dep once the modules.dep.bin file is created.
Viewing Named-Pipes and SRUM Logs
12/15/2024 In this post, we'll discuss how to view network-based Named-Pipes and analyze the SRUM database for historical system usage data. These methods can assist in identifying suspicious or malicious activities, including processes that are communicating with other systems or hosts.
Network Analysis via PowerShell
12/16/2024 Knowing how to retrieve network activity using PowerShell is a great "first step" in triaging a machine, especially when you can't immediately throw your toolset at it. This article is going to show you some example commands for PowerShell.
In this article, we investigate the rising activity and provide technical analysis of the malware LummaStealer.
The combination of LNK files and SSH commands has emerged as a notable trend, signaling a shift in the tactics used by threat actors. By leveraging SSH commands in conjunction with various LOLBins, attackers can establish connections to remote servers, download payloads, and maintain persistence on compromised systems.
Stealer Malware and Stealer Logs Explained
12/16/2024 This blog provides an overview of infostealers and the logs they harvest, exploring how the malware strains work, what the logs contain, where they are sold, and what attackers can do with them.
In this article, we explain how users with the Key Vault Contributor role can escalate their privileges to read and modify Key Vault contents for any key vault that uses access policies as the access control mechanism. This includes keys, certificates, and secrets.
In this post, we'll be taking a look at the steps involved in IMDSv2 adoption and outline how you can identify containers and processes that are preventing you from enforcing IMDSv2 across your workloads.
In this post, we will show different approaches to hunt for interesting samples and derive new Sigma detection opportunities based on their behavior.
Top Ten YARA-L Rules Troubleshooting Tips
12/18/2024 I've put together a "Top 10" list of items to leverage as you write and refine your YARA-L rules. These are ordered from a flow perspective: from event generation, to basic rule creation, to further refining and enhancing a rule.
In this blog, we'll explore what AiTM is, how to detect it using available logs, how to respond when it's identified, and most importantly, how to prevent it from occurring in the first place. This blog focuses on incident response.
IOC hunting at scale
12/17/2024 The KQL externaldata operator enables you to seamlessly incorporate external data into your KQL queries, such as GitHub IOC lists or MISP feeds. This data can be dynamically loaded in your KQL query to hunt for matches across all your devices. In this blog, we share ready-to-use hunting queries for suspicious named pipes, connections, CISA KEV vulnerabilities and MISP feeds.
We have discovered new security vulnerabilities in the Azure Data Factory Apache Airflow integration. Attackers can exploit these flaws by gaining unauthorized write permissions to a directed acyclic graph (DAG) file or using a compromised service principal.
This article provides a practical guide to developing a detection strategy for Lightweight Directory Access Protocol (LDAP)-based attacks. We analyze real-world examples of nation-state and cybercriminal threat actors abusing LDAP attributes. We also examine common LDAP enumeration queries and assess their potential risks.
We developed an adversarial machine learning (ML) algorithm that uses large language models (LLMs) to generate novel variants of malicious JavaScript code at scale.
We identified malware campaigns using fake CAPTCHA pages that mimic trusted services like Google and Cloudflare. These malicious CAPTCHAs silently copy commands to users' clipboards, tricking them into execution via the Windows Run prompt.
In this blog entry, we discuss our investigation into how the latest variant of NodeStealer is delivered through spear-phishing attacks, potentially leading to malware execution, data theft, and the exfiltration of sensitive information via Telegram.
SOC Automation: Automating Threat Detection and Real-Time Response with Shuffle and TheHive
12/22/2024 In this blog, I'll provide a summary of a simple automation process in a SOC environment using a few tools. I have used Wazuh, TheHive, VirusTotal, and Shuffle to detect Mimikatz usage and protect a machine through active response with firewall rules.
Still Recent
In this first part of the series, we will take a look at the mitigation bypass techniques used in more common kernel exploits.
This article aims to explore the details of CVE-2024-24942 and explain the process of constructing an exploit leading to Authentication Bypass and Path traversal.
In this second post, we will target some real-world code, learning how to select a relevant candidate and run our fuzzing engine to find an actual crash.
Comparative Forensic Analysis of iOS Backups: Investigating the Impact of the Hidden App Feature
12/09/2024 The aim of this article is to examine how hidden apps are represented and the differences in forensic artifacts generated by hidden apps versus visible apps. Understanding these differences will provide mobile forensic examiners with better insight to detect, analyze, and interpret hidden app activity during investigations.
Introduction to Windows Kernel Exploitation
11/29/2024 This post will introduce kernel debugging to find and exploit a stack overflow on Windows 7 - x86.
Oldies but Goodies
This article aims to explore the details of CVE-2024-23917 and explain the process of constructing an exploit leading to Authentication Bypass.
In this first part of the series, we will see how to set up syzkaller and how to test (and crash) a vulnerable driver.
This article demonstrates a technique to avoid Elastic EDR detections and perform lateral movement to another machine with Cobalt Strike BOFs.
Making TOCTOU Great again
10/19/2023 In this blog post we introduce a new kind of attack against embedded systems relying on XiP (eXecute in Place) that exploits TOCTOU at the hardware level in order to bypass secure boot.