The true delight is in the finding out, rather than in the knowing.
Starred Articles
I was always there from the start
12/29/2024 I've always wanted to learn about bootkits and write one. This blog explains what bootkits are and how the one we wrote works.
In this post, we will build an automated pipeline for generating a .NET loader payload that can evade both AV detection and application controls.
Simple Prompts to get the System Prompts
12/30/2024 In this article, we discuss how AI wrappers can be tricked into revealing their system prompts, exposing the limits the developers put in place.
New Articles
Finding Malware: Unveiling PLAYFULGHOST
12/24/2024 PLAYFULGHOST is a backdoor that shares functionality with Gh0st RAT, a remote administration tool whose source code was made public in 2008. PLAYFULGHOST distinguishes itself through its use of distinct traffic patterns and encryption. It supports commands such as keylogging, screen capture, audio capture, remote shell, and file transfer/execution.
LegionLoader is a downloader malware written in C/C++. The loader has been observed delivering a malicious Chrome extension capable of altering email contents and monitoring browsing activity, capturing screenshots and managing requests to access and update balances for Facebook, Coinbase, and Google Pay accounts.
In this article I will demonstrate how to bypass BitLocker encryption on Windows 11 (version 24H2). This was accomplished by extracting full volume encryption keys (FVEK) from memory using my tool Memory-Dump-UEFI.
In this blog post we describe a technique that achieves remote code execution (RCE) from an arbitrary file write vulnerability by abusing the cache mechanism of Bootsnap, a caching library used in Rails.
Linux Incident Surface refers to the various points in a Linux system where an attacker could potentially leave traces after compromising the system. In this first part of the series, we will focus on processes and network communication. They are your magnifying glasses when it comes to incident investigations. Monitoring them can often reveal who crashed the party.
Persistence is how attackers cling to a system after they've wormed their way in - like an uninvited guest who refuses to leave. Let's explore some common techniques attackers use for persistence in Linux environments and, more importantly, how we can uncover the evidence they leave behind.
The Linux filesystem holds a wealth of information that attackers target, and in doing so they inadvertently leave traces of their activity. By focusing on critical areas of the filesystem, forensic analysts can uncover attack footprints to aid incident response. Let's explore some of these surfaces and how to investigate them.
Linux Incident Surfaces - Part 4: Linux Logs
12/25/2024 Logs in Linux are invaluable for monitoring system activity, identifying potential security threats, and investigating incidents. They provide a chronological record of events that can help uncover what transpired during a security breach. Let's dive into some key log files and explore how they aid in identifying incidents.
Understanding processes, services, cronjobs, and other operational components in Linux is crucial for system management and forensic analysis. These elements provide the foundation for routine tasks, user interaction, and application execution.
Linux Process Analysis - Part 1: Processes
12/27/2024 A process in Linux is a running instance of a program, uniquely identified by a Process ID (PID). Processes have hierarchical relationships, forming a parent-child structure that aids in resource allocation and management. Identifying unusual processes or relationships can help pinpoint malicious activities.
Linux Process Analysis - Part 2: Cronjobs
12/28/2024 Cronjobs are scheduled tasks executed automatically at predefined intervals by the cron daemon. While cronjobs are essential for automating tasks, they can also be exploited by attackers to establish persistence or escalate privileges. Understanding cronjob configurations and execution artifacts is vital for forensic analysis and incident response.
In the first article of this series, we'll start with writing a Detection Rule. In essence, a Detection Rule defines patterns, behaviors, or indicators of compromise (IoCs) that are associated with known threats.
In this article we will learn how to create fileless malware. Fileless malware represents a sophisticated and stealthy threat in the cybersecurity landscape. Unlike traditional malware that relies on files written to disk, fileless malware operates by injecting malicious code directly into the memory of legitimate processes.
In this blog, we will explore two basic yet powerful digital forensics tools: pdfinfo and exiftool. These tools help extract useful metadata, which can provide clues during an investigation.
Performing AD LDAP Queries Like a Ninja
12/24/2024 Logging LDAP queries correctly for threat detection is trickier than it seems. In this article, I will provide tips both for blue team members setting logging up, and for red team members who want to lower the chance of their LDAP queries being detected.
CVE-2024-54819, a Server-Side Request Forgery (SSRF) vulnerability in "I, Librarian" software, demonstrates the risks associated with improper input validation and network protections.
An IDOR vulnerability was found in Microsoft 365 Copilot, allowing direct access to generated images without any user authentication.
See how we developed a zero-click PoC exploit that crashes unpatched Windows Servers using the Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability (CVE-2024-49113).
In this first part of the blog series, we will focus solely on the EEPROM component, as it was the easiest to uncover and understand during my initial investigation. Using a multimeter, I was able to trace several key connections on the PCB and determine how the microcontroller (MCU) communicates with the EEPROM.
Still Recent
The following post will describe some technical attacks that can sometimes be performed against NFS shares. We will talk about security features of the NFS protocol, common configuration mistakes and how to abuse them.
This blog is a guide for reviewing event logs and actions to investigate the most common lateral movement tactics used by attackers across your Windows domain.
This post discusses CVE-2024-38193, a use-after-free vulnerability in the afd.sys Windows driver. Specifically, the vulnerability is in the Registered I/O extension for Windows sockets. We describe the exploitation process for the vulnerability.
Oldies but Goodies
The WPML Multilingual CMS Plugin for WordPress is susceptible to an Authenticated Remote Code Execution (RCE) vulnerability through a Twig server-side template injection.
Bypassing Filters: SSRF Exploitation via DNS Rebinding with Just 1 in 30 Successful Requests
09/29/2024 This SSRF vulnerability lets attackers exfiltrate AWS instance metadata. Because the bypass relies on DNS rebinding, a request only reaches the backend and fetches the data when the timing works out, and only about 1 in every 30 attempts actually showed whether the attack had succeeded.
This article will focus on suspicious certificate usage alerts generated by Microsoft Defender for Identity. The detection mechanism will be explained as well as how to avoid raising any alert. In addition, a PowerShell script will be released to perform Kerberos authentication via PKINIT with the Windows API, from a non domain-joined machine.
Unearthed Arcana
DLL Hollowing
11/10/2021 In this blog post, we discuss a variation of the DLL Hollowing technique that removes the prerequisite of having write access to the target DLL and is stealthier than "classic" DLL Hollowing.
A dive into Microsoft Defender for Identity
11/23/2022 We analyzed the detection capabilities of Microsoft Defender for Identity, a cloud-based security solution that is the successor of Microsoft Advanced Threat Analytics and part of Microsoft 365 Defender. This article presents its architecture, analyzes its detection logic and abilities, and presents some bypasses.