An expert is a person who has made all the mistakes that can be made in a very narrow field
Starred Articles
IDS/IPS engines used by most next-generation firewalls let the first few packets of a flow reach the destination while they collect enough information to decide whether the traffic should be allowed or blocked. This is a design flaw that can be exploited to gain unfettered access to the server with a tool such as fragtunnel.
LitterBox is an open-source malware analysis tool. This post is a deep dive into what makes LitterBox stand out. I'll share my experiences with its installation, key features, and how it can streamline malware analysis workflows.
In this post, I will introduce the "cookie sandwich" technique which lets you bypass the HttpOnly flag on certain servers. By cleverly placing quotes and legacy cookies, an attacker can cause the server to misinterpret the structure of the cookie header, potentially exposing HttpOnly cookies to client-side scripts.
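The parsing mismatch that the cookie sandwich relies on, as an added example in Python (this is a model written for this page, not code from the original post or from any real server): a constructed Cookie header is parsed once the plain way, splitting on `;`, and once the legacy RFC 2109 way, where, after `$Version=1` has been seen, a value that opens with `"` runs to the closing `"` even across `;` and `=`. The cookie names `param1`, `param2` and `sessionId` and the value `secret123` are made up.

```python
"""Model of the cookie sandwich parsing mismatch (added example, not the
original post's code).  A constructed Cookie header is parsed the naive
way and the RFC 2109 way; the second swallows the HttpOnly cookie into
an attacker-controlled, reflected value."""

from typing import Dict

# Constructed header: the attacker controls $Version, param1 and param2;
# sessionId stands in for a server-set HttpOnly cookie JS cannot read.
SANDWICH = '$Version=1; param1="start; sessionId=secret123; param2=end"'


def parse_simple(header: str) -> Dict[str, str]:
    """Naive parser: every ';' ends a pair, quotes are ordinary characters."""
    cookies: Dict[str, str] = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value
    return cookies


def parse_legacy(header: str) -> Dict[str, str]:
    """RFC 2109-style parser.  After $Version=1, a quoted value is read up
    to the matching '"', so separators inside it become part of the value."""
    cookies: Dict[str, str] = {}
    legacy = False
    i, n = 0, len(header)
    while i < n:
        while i < n and header[i] in " ;":
            i += 1
        if i >= n:
            break
        j = i
        while j < n and header[j] not in "=;":
            j += 1
        name = header[i:j].strip()
        value = ""
        if j < n and header[j] == "=":
            j += 1
            if legacy and j < n and header[j] == '"':
                k, chars = j + 1, []
                while k < n and header[k] != '"':
                    if header[k] == "\\" and k + 1 < n:  # quoted-pair escape
                        k += 1
                    chars.append(header[k])
                    k += 1
                value, i = "".join(chars), k + 1  # step over closing quote
            else:
                k = j
                while k < n and header[k] != ";":
                    k += 1
                value, i = header[j:k].strip(), k
        else:
            i = j
        if name == "$Version":
            legacy = value == "1"
        elif name:
            cookies[name] = value
    return cookies


def reflected_value_leaks(header: str, reflected: str, httponly: str) -> bool:
    """True when a page that echoes cookie `reflected` (parsed the legacy way)
    would print the value of the HttpOnly cookie `httponly`."""
    secret = parse_simple(header).get(httponly, "")
    return bool(secret) and secret in parse_legacy(header).get(reflected, "")
```

Run against `SANDWICH`, `parse_simple` sees `sessionId=secret123` as its own cookie, while `parse_legacy` returns a single `param1` whose value is `start; sessionId=secret123; param2=end`; any endpoint that reflects `param1` then prints the HttpOnly value. The only thing the attacker needs to control is which parser the server uses and the text on either side of the victim cookie.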
We discovered a security vulnerability in Subaru's STARLINK connected vehicle service that gave us unrestricted targeted access to all vehicles and customer accounts.
Reliable system call interception
01/05/2025 Historically, intercepting Linux system calls was done with ptrace, which is very slow. seccomp user notify makes it possible to intercept system calls in a much more elegant way: because the filter is a BPF program, it can be written to hand control back to user space only for the desired system calls, which significantly reduces the performance penalty.
New Articles
This guide will specifically highlight incident response workflows using Velociraptor and KAPE. We will outline the steps to go through a comprehensive process to identify, contain, and recover from an endpoint compromise.
Yara Rules - Part 1: All About Yara
01/16/2025 YARA is a core component of threat analysis. This short article summarizes a few important ideas about how YARA supports detection and malware analysis.
Yara Rules - Part 2: From Zero to YARA
01/17/2025 The domain-specific language YARA uses for rules is fairly easy to pick up but hard to master. In this article, we will walk through the steps to create a YARA rule and dive into rule conditions.
In this lab, we will learn how to use a YARA rule to hunt for indicators of compromise of the WINELOADER malware.
What is LDAPNightmare?
01/13/2025 LDAPNightmare is a proof-of-concept exploit of a known Windows Lightweight Directory Access Protocol (LDAP) denial-of-service vulnerability (CVE-2024-49113). What is LDAPNightmare, how dangerous is this exploit, and how can you detect and defend against it?
In this article, we'll dive into the crucial role of YARA rules, how they work, and how they can help teams to detect and handle cyber threats with confidence and efficiency.
ESXi environments, with their lack of AV/EDR support, present a unique challenge to detection engineers. Let's explore the nuances of detection engineering in ESXi environments: the most useful log sources, some common adversary techniques, and finally some useful detections.
SQL injection can be used to drop web shells, giving attackers remote access to extract and exfiltrate sensitive data. Prevent this by using parameterized queries, securing uploads, and deploying WAFs.
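The first of those three defences, shown as an added Python example (not the linked article's code): the same login query written with string concatenation and with bound parameters, run against a constructed in-memory SQLite table so the difference in behaviour is observable. The table, accounts and passwords are fictional.

```python
"""Added example: a string-built login query beside its parameterized form,
exercised against constructed SQLite data (not the linked article's code)."""

import sqlite3
from typing import Optional, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed sample data; these accounts and passwords are fictional."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "Wonderland!", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> Optional[Tuple[str, str]]:
    """User input is pasted into the SQL text, so a quote or comment in the
    input changes the structure of the query rather than just a value."""
    sql = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchone()


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> Optional[Tuple[str, str]]:
    """Bound parameters: the driver sends values separately from the SQL,
    so the input can only ever be compared as a string."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def demo() -> dict:
    """Run both versions against two classic payloads and a legitimate logon."""
    conn = make_db()
    results = {
        # Tautology: ... AND password = '' OR '1'='1'  -> every row matches
        "tautology_vuln": login_vulnerable(conn, "alice", "' OR '1'='1"),
        "tautology_safe": login_safe(conn, "alice", "' OR '1'='1"),
        # Comment: WHERE username = 'alice'-- ...  -> password check removed
        "comment_vuln": login_vulnerable(conn, "alice'--", "wrong"),
        "comment_safe": login_safe(conn, "alice'--", "wrong"),
        "legit_safe": login_safe(conn, "bob", "hunter2"),
    }
    conn.close()
    return results
```

`demo()` returns the admin row for both payloads through `login_vulnerable` and `None` for both through `login_safe`, while the legitimate credentials still authenticate. The same bound-parameter pattern applies to every client library; what changes is only the placeholder syntax (`?`, `%s` or `:name`).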
Velociraptor is an open-source DFIR (Digital Forensics and Incident Response) tool. In this article, I will not get into the details of its own query language, the Velociraptor Query Language (VQL). Everything in Velociraptor is built on VQL and can therefore be customized to fit most use cases.
We have discovered a vulnerability (CVE-2024-7344) that allows bypassing UEFI Secure Boot, affecting the majority of UEFI-based systems. Exploitation of this vulnerability leads to the execution of untrusted code during system boot, enabling potential attackers to easily deploy malicious UEFI bootkits even on systems with UEFI Secure Boot enabled.
In this second part of the series, we will discover how behavioral cloud IOCs can expose malicious activity as we break down real-world examples to reveal actionable detection techniques.
In this article, we will attempt to exploit a type confusion on Windows 11 (x64).
Finding SSRFs in Azure DevOps
01/17/2025 We found three SSRF vulnerabilities in Azure DevOps that we reported to Microsoft. This blog post outlines the way we identified these vulnerabilities, and demonstrates exploitation techniques using DNS rebinding and CRLF injection.
In this article we will explore how TPM2 based disk decryption works, and understand why many setups are vulnerable to a kind of filesystem confusion attack. We will follow along by exploiting two different real systems (Fedora + clevis, NixOS + systemd-cryptenroll).
In this blog post, we will discuss how to take control over many aspects of the CLR using "CLR customizations" when executing .NET assemblies in memory. By implementing a custom assembly loading manager, we enable a novel AMSI bypass using only "intended" functionality, with no byte patches or process hacking required.
This post will first give a short overview of how the Recycle Bin stores deleted files, i.e. the well-known basics. In particular, we will look at what happens if the user restores a file and then deletes the same file again, what happens if a file is deleted from PowerShell, and whether there is a difference between file systems.
In this post, I'll guide you through my deep dive into the bitpixie vulnerability. This vulnerability enables attackers to extract the disk encryption key from Windows' default "Device Encryption" setup. The exploit relies on downgrading the Windows Boot Manager; all an attacker needs is the ability to plug in a LAN cable and a keyboard to decrypt the disk.
In this article, I will show my technique for finding secret credentials in js files. We will start from manual analysis then move to automated search, based on tools such as LazzyEgg, Katana, GAU, HTTPX and JSLeak.
We will see how an AD account can provide three detections that, if implemented properly, will catch common adversarial activity early: AD enumeration via ADExplorer, BloodHound, and LDP.exe; Kerberoasting and service principal attacks; and password sprays, credential stuffing, and brute-forcing.
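Two of those three detections, Kerberoasting and password spraying, as sliding-window logic over constructed Windows Security events. This is an added Python example written for this page, not the linked article's own detections or queries. Event IDs and field names follow the standard 4769 (Kerberos service ticket request) and 4625 (logon failure) events; the hosts, accounts, SPNs and timestamps are made up, and the thresholds are illustrative starting points rather than tuned values.

```python
"""Added example: Kerberoasting and password-spray detections run over
constructed Windows Security events (not the linked article's code)."""

from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple

RC4_HMAC = "0x17"  # ticket encryption type Kerberoasting tools ask for


def _event(ts: str, eid: int, **fields) -> Dict:
    return {"time": datetime.fromisoformat(ts), "id": eid, **fields}


# Constructed sample: jdoe pulls six RC4 service tickets in under three
# minutes, svc_backup legitimately requests two, 10.0.0.99 fails logons for
# twelve different users, and 10.0.0.7 just mistypes one password three times.
EVENTS: List[Dict] = (
    [_event(f"2025-01-20T09:0{i // 2}:{(i % 2) * 30:02d}", 4769, user="jdoe",
            service=f"MSSQLSvc/db{i:02d}", etype=RC4_HMAC) for i in range(6)]
    + [_event("2025-01-20T11:00:00", 4769, user="svc_backup", service="CIFS/fs01", etype=RC4_HMAC),
       _event("2025-01-20T11:05:00", 4769, user="svc_backup", service="CIFS/fs02", etype=RC4_HMAC)]
    + [_event(f"2025-01-20T13:{i:02d}:00", 4625, user=f"user{i:02d}", ip="10.0.0.99") for i in range(12)]
    + [_event(f"2025-01-20T14:00:{i * 10:02d}", 4625, user="carol", ip="10.0.0.7") for i in range(3)]
)


def _burst(items: Iterable[Tuple[datetime, str]], window: timedelta, threshold: int) -> bool:
    """True if at least `threshold` distinct values occur within any `window`."""
    items = sorted(items)
    counts: Dict[str, int] = defaultdict(int)
    left = 0
    for t, value in items:
        counts[value] += 1
        while items[left][0] < t - window:  # slide the window's left edge
            old = items[left][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            left += 1
        if len(counts) >= threshold:
            return True
    return False


def detect_kerberoast(events: Iterable[Dict], min_services: int = 5,
                      window: timedelta = timedelta(minutes=5)) -> List[str]:
    """Accounts requesting RC4 service tickets for many distinct SPNs at once."""
    per_user: Dict[str, list] = defaultdict(list)
    for e in events:
        if e["id"] == 4769 and e.get("etype") == RC4_HMAC:
            per_user[e["user"]].append((e["time"], e["service"]))
    return sorted(u for u, items in per_user.items() if _burst(items, window, min_services))


def detect_spray(events: Iterable[Dict], min_users: int = 10,
                 window: timedelta = timedelta(minutes=10)) -> List[str]:
    """Source addresses failing logons for many distinct accounts in a short window."""
    per_ip: Dict[str, list] = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            per_ip[e["ip"]].append((e["time"], e["user"]))
    return sorted(ip for ip, items in per_ip.items() if _burst(items, window, min_users))
```

On the sample, `detect_kerberoast(EVENTS)` flags only `jdoe` and `detect_spray(EVENTS)` flags only `10.0.0.99`. The distinct-value count is what separates both behaviours from noise: a backup account hitting two file servers, or one user fat-fingering a password, never reaches the threshold regardless of volume.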
Exploring WinRM plugins for lateral movement
01/20/2025 In this blog, we explore how to leverage WinRM plugins to perform lateral movement to other systems. We also take a look at how the CIM_LogicFile WMI class can be used to bypass some tricky detections by Microsoft Defender. Finally, we put all the logic in a Cobalt Strike BOF.
In this series, we will discuss how we identified vulnerabilities in multiple security products that could, in theory, allow privilege escalation to SYSTEM on millions of devices, assuming initial access was gained. We will introduce the general design of the targeted security products to give you some background information on the mechanisms that allowed us to escalate our privileges.
In this article, we will dive deep into what open URL redirect vulnerabilities are, how to identify and exploit them, and how to escalate them into higher-severity security issues.
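The identification step in practice, as an added Python example (not the linked article's code): a naive redirect-target check of the kind many applications ship beside a hardened one, tried against the inputs that usually get past the naive form. The application origin `https://app.example` and the target strings are made up.

```python
"""Added example: a weak open-redirect check beside a hardened one, tried
against constructed bypass inputs (not the linked article's code)."""

from urllib.parse import unquote, urljoin, urlsplit

APP_ORIGIN = "https://app.example"  # assumed origin of the redirecting site


def naive_is_local(target: str) -> bool:
    """Common but broken: 'starts with / and has no ://' still admits
    protocol-relative URLs, backslash variants and encoded slashes."""
    return target.startswith("/") and "://" not in target


def is_safe_redirect(target: str, origin: str = APP_ORIGIN) -> bool:
    """Accept only path-absolute targets that resolve back to `origin`."""
    cleaned = "".join(c for c in target if c not in "\t\r\n").strip()  # browsers drop these
    if not cleaned.startswith("/"):
        return False
    for form in (cleaned, unquote(cleaned)):          # raw and once-decoded
        if form.startswith("//") or "\\" in form:     # protocol-relative, '\' read as '/'
            return False
        parts = urlsplit(form)
        if parts.scheme or parts.netloc:
            return False
    resolved = urlsplit(urljoin(origin + "/", cleaned))
    base = urlsplit(origin)
    return (resolved.scheme, resolved.netloc) == (base.scheme, base.netloc)


# Constructed inputs: (target, should_be_allowed)
CASES = [
    ("/account", True),
    ("/login?next=/dashboard", True),
    ("//evil.example/phish", False),      # protocol-relative
    ("/\\evil.example", False),           # browsers treat '\' as '/'
    ("https://evil.example", False),
    ("https:evil.example", False),        # scheme without '//'
    ("/%2F%2Fevil.example", False),       # '//' once a downstream decode runs
    ("/\t/evil.example", False),          # tab stripped by browsers -> '//'
    ("javascript:alert(1)", False),
]


def evaluate(check) -> dict:
    """Map each case to whether `check` agreed with the expected verdict."""
    return {target: check(target) == expected for target, expected in CASES}
```

`evaluate(is_safe_redirect)` agrees with every case, while `evaluate(naive_is_local)` fails on the protocol-relative, backslash, encoded and tab-separated variants; those four are the first payloads to try when the page under test only checks for a leading slash. Where the application can express it, an allow-list of known internal paths is simpler still and removes the parsing question entirely.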
Next.js, cache, and chains: the stale elixir
01/21/2025 This article will detail a cache poisoning vulnerability in Next.js (CVE-2024-46982) that can lead to Denial of Service (DoS), Cross-Site Scripting (XSS) and cache deception attacks.
We uncovered a VS Code extension in late November masquerading as a Zoom application designed to access and steal Google Chrome cookies. In this post, we'll explore how VS Code extensions can be vectors for malicious activities, focusing on the deceptive practices of an extension masquerading as a legitimate tool.
Attacking Entra Metaverse: Part 2
01/22/2025 This article explains the rules and processes involved in the Entra sync engine, including provisioning, scoping filters, join rules, and transformations. It also provides a detailed walkthrough of an attack scenario, demonstrating how to take over a user account in another domain by leveraging compromised sync accounts and manipulating the msDS-KeyCredentialLink property.
Attacks on Maven proxy repositories
01/22/2025 Learn how specially crafted artifacts can be used to attack Maven repository managers. This post describes PoC exploits that can lead to pre-auth remote code execution and poisoning of the local artifacts in Sonatype Nexus and JFrog Artifactory.
DevOps access is closer than you assume
01/21/2025 In this article, we explain how Azure DevOps can be accessed using multiple first-party client IDs, allowing anyone to pivot from a stolen session to access the repositories.
Jailed instances are designed to isolate processes and protect the host system from malicious activity. I recently uncovered a critical vulnerability in Collabora Office that allows an attacker to achieve Remote Code Execution (RCE) under certain conditions, even when the environment is locked down within a restricted jail.
We have successfully exploited CVE-2024-53704, an authentication bypass affecting the SSL VPN component of SonicWall firewalls. We confirmed that the attack can be performed remotely, without authentication, and enables hijacking of active SSL VPN client sessions.
Introduction to Fuzzing Android Native Components - Part 2: Strategies for Harness Creation
01/22/2025 In this new article, we will explore a real-world application and discuss some of the strategies adopted during harness construction. We will learn how to combine AFL++ and QEMU to optimize fault detection, how to adopt a more comprehensive approach to Android app security analysis, and how to investigate crashes in more detail by integrating debugging techniques.
In this post, I want to revisit another old technique I believe is a prime candidate to host malware payloads - Python for Windows. Python as a platform for malware deployment is often an undervalued target. It is easy to install, provides high-quality built-in libraries, and is an excellent target process for operations.
We have discovered a critical vulnerability in meta-llama, an open source framework from Meta for building and deploying GenAI applications. The vulnerability, CVE-2024-50050 enables attackers to execute arbitrary code on the llama-stack inference server from the network.
PwnDoc: Hacking a Reporting Tool
01/21/2025 This blog post describes four CVEs discovered in PwnDoc itself (CVE-2025-23044: Cross-Site Request Forgery, CVE-2024-55602: Arbitrary File Read, CVE-2024-55652: Server-Side Template Injection, and CVE-2024-55653: Denial of Service) and a fifth, CVE-2024-54152, a Remote Code Execution vulnerability in the angular-expressions library used by docx-templater and, in turn, by PwnDoc.
IBM i Access Client Solutions (ACS) stores Windows passwords in a simple obfuscated way, making them accessible to attackers. In this article, we detail how to exploit this vulnerability, including the use of the Network Provider DLL attack technique and the deobfuscation of stored credentials.
Still Recent
Lateral Movement Analysis: Using Chainsaw, Hayabusa, and LogParser for Cybersecurity Investigations
01/06/2025 Lateral movement analysis requires a deep understanding of logs, artifacts, and various attack vectors, which can seem daunting even for seasoned Incident Response (IR) and Digital Forensics & Incident Response (DFIR) practitioners. This article aims to simplify the process by using three tools: Chainsaw, Hayabusa, and LogParser.
Autopsy Hardening Guide - Part 1
01/06/2025 This post series deals with hardening an Autopsy multi-user cluster. In the first post, we will update the PostgreSQL configuration to only allow connections from certain subnets. We will also remove the Log4j vulnerability and make Solr more secure by changing the admin panel username and adding a password.
Email Investigation
01/07/2025 In this blog, I will explore email threats: the potential dangers of email, email structure and headers, identifying suspicious elements, and addressing them effectively.
Declawing PUMAKIT
12/12/2024 In this article, we provide a technical analysis of PUMAKIT, a sophisticated loadable kernel module (LKM) rootkit that employs advanced stealth mechanisms to hide its presence and maintain communication with command-and-control servers.
Two-factor authentication (2FA) has become the go-to solution for strengthening account security. In this article, we are exploring 7 ways of bypassing 2FA implementations, including some advanced exploitation methods.
In this write up, we're going to explore what BITS jobs are, how they are abused/leveraged by threat actors, how to investigate them and of course, demo a bit of BITS for ourselves.
Indecent Exposure: Your Secrets are Showing
01/09/2025 This blog post details a true story of cryptographic secret discovery, DLL modification, password recovery, and software platform compromise.
This blog post provides indicators, detections, and information regarding malware campaigns leveraging CVE-2025-0282 and CVE-2025-0283 vulnerabilities in Ivanti Connect Secure ("ICS") VPN appliances.
Reverse Engineering Call Of Duty Anti-Cheat
01/04/2025 I've been reversing Black Ops Cold War for a while now, and I've finally decided to share my research regarding the user-mode anti-cheat inside the game.
Null Byte on Steroids
12/29/2024 In this post, I'll be sharing a couple of vulnerabilities I discovered leveraging null byte injection: password reset parsing confusion, path traversal to XSS, and internal WAF bypass.
Analyzing Salt Typhoon: Telecom Attacker
12/12/2024 In this article, we provide insights into Salt Typhoon's history, tactics, and objectives. We also explore the group's toolkit, including custom malware, lateral movement strategies, and evasion techniques that outsmart even the most advanced forensic tools.
Oldies but Goodies
In this first part of the series, we will cover how the unique infrastructure of cloud environments creates opportunities for new and useful atomic indicators of compromise (IoC).
In this article, we're going to create a malicious payload, such as a reverse shell, which we'll then convert into x64 shellcode.
CVE-2024-10229
01/17/2024 I detail a vulnerability I found in Chrome that allows an attacker's site to execute scripts within the Content Script of vulnerable extensions.
Exploiting Number Parsers in JavaScript
10/28/2024 This article will provide an overview of number parsers in JavaScript, detail how to write security tests to identify unusual behaviors, investigate some exploitation scenarios involving parseInt, parseFloat, numeraljs and format injection, and discuss some prevention methods.
A vulnerability (CVE-2024-38041) in the Microsoft kernel driver allows a local attacker to retrieve information that could lead to a Kernel Address Space Layout Randomization (KASLR) bypass. This blog post details my process of patch diffing in the Windows kernel, analysing an N-day vulnerability, finding the bug, and building a working exploit.
During our analysis of the Keycloak authentication system we found an OTP bypass and multiple issues in authentication and authorization: unauthenticated users can access some resources, users with low privileges can reach administrative functionality (CVE-2024-3656), and multiple race conditions allow bypassing the anti-brute-force mechanism (CVE-2024-4629).
This article details the steps to automate detection of Client-Side Path Traversal vulnerabilities and introduces Gecko, a Chrome extension dedicated to this task.
Fixing a bug in donut
10/09/2024 This article explains how to fix Donut to generate a reflective loader for a 64-bit PE file, embedding a shellcode that will be run from a .NET assembly.
We examine the methods and exploitation techniques employed in the notorious Volt Typhoon attacks and provide insights into detecting such stealthy attackers throughout the various stages of an attack.
This blog is about two bugs in the Windows CSRSS server: a DLL hijacking bug caused by the remapping of the ROOT drive, and an activation cache poisoning bug in the cache managed by CSRSS. When chained, these bugs lead to SYSTEM privilege escalation.
Unearthed Arcana
Introducing DNSForge, a novel attacker tactic for responding to name resolution requests made to the authoritative DNS server in an internal network landscape, achieving interception and reuse of system credentials without user interaction.