Part of the inhumanity of the computer is that, once it is competently programmed and working smoothly, it is completely honest.
Starred Articles
Jailbreaking Generative AI with Deepseek
01/31/2025 - In this blog post, we take a look at the security of DeepSeek and the vulnerabilities that allow for jailbreaks. We will uncover how AI restrictions can be bypassed and what that means for the future of AI security.
XSS - Bypassing WAF with Hex Overflow
02/03/2025 - In this article, I will explain how I bypassed the BIG-IP Local Traffic Manager (F5 Networks) Web Application Firewall using Hex Overflow.
Common OAuth Vulnerabilities
01/30/2025 - OAuth2 is a prime target for attackers. While it simplifies user login, its complexity can lead to misconfigurations that create security holes. Some of the more intricate vulnerabilities keep reappearing because the protocol's inner workings are not always well-understood. In an effort to change that, we have decided to write a comprehensive guide on known attacks against OAuth implementations.
In this article, we continue to dig deep into the world of Linux persistence. Building on foundational concepts and techniques, we discuss some additional, creative and/or complex persistence mechanisms.
The Diamond Ticket attack represents a sophisticated escalation in Active Directory exploitation methods, leveraging intricate flaws in Kerberos authentication and authorization mechanisms. This article delves deeply into the underlying mechanisms of this attack, the role of Privilege Attribute Certificates (PACs), and the root causes that make AD environments susceptible.
New Articles
Banshee Rust Rewrite?
01/31/2025 - We identified a new infostealer written in Rust on VirusTotal. This infostealer exhibits many of the same behaviors and targets found in the leaked Banshee code. In this article, we will examine the behavior of this Rust-based application and compare it to the leaked Objective-C code to provide insights into reverse-engineering Rust malware.
We discovered a major authentication flaw in the design of the Deepin api-proxy D-Bus service (CVE-2025-23222), which allows local users to escalate privileges in various ways.
We provide a high-level overview of the macOS Ferret malware variant family along with a list of indicators for threat hunters and defenders.
CMPivot is a component of the Configuration Manager framework. With the rise in popularity of ConfigMgr as a target in red team operations, this post covers a way, other than using CMPivot (CMP) data-gathering capabilities, of taking over a computer object in Active Directory environments.
In this blog, we dive into the potential risks of Kubernetes policy enforcement, focusing on how seemingly secure rules, such as those used in OPA Gatekeeper, can be bypassed if not carefully configured. We uncover ways to bypass the k8sallowedrepos policy and demonstrate how minor misconfigurations, such as missing trailing slashes, can open the door to unauthorized actions.
In this article, you will learn how to craft custom wordlists that you can deploy on your target to find more vulnerabilities through unreferenced directories, files and even parameters.
Modern Windows Kernel Race Conditions
02/01/2025 - In this article, we will see how to exploit a race condition in a vulnerable driver. We will start by finding the vulnerability in the driver, then write a full exploitation PoC.
In this tutorial we'll introduce Race Condition vulnerabilities. We will start with a high-level overview, explain how to find the vulnerability from the source code and write a PoC.
FFUF Mastery: The Ultimate Web Fuzzing Guide
02/03/2025 - FFUF is a powerful open-source fuzzing tool used for web application security testing. It allows users to discover hidden files, directories, subdomains and parameters through its high-speed fuzzing. This article will break down FFUF commands and explain how to use them effectively.
Investigating Google Drive for Desktop can be a time-consuming process, especially when dealing with protobuf-encoded metadata and cached files. In this article, we introduce gMetaParse and DriveFS Sleuth, two tools that make the job significantly easier.
Prefetch files are typically used to provide evidence of execution during an investigation. In the absence of other artifacts, we will see how they can extend beyond evidence of execution to provide an indication of files targeted for extraction, staging and exfiltration.
STIX and TAXII are fundamental to structuring and sharing cyber threat intelligence with the wider community. This guide explores how you can get started using these standards, some of the challenges of adopting STIX/TAXII, along with possible solutions to overcome them.
In this article, we explore what reflective loading is, how it works in payload delivery, and experiment with a new tool that's great for quickly extracting C2 domains from Lumma Stealer samples.
This article will examine in detail the mechanics of the browser syncjacking attack across three stages: profile, browser and device hijacking.
Replacing a Space Heater Firmware Over WiFi
02/04/2025 - We explain how we leveraged unencrypted HTTP communications to upload a modified firmware to a GoveeLife Smart Space Heater Lite.
TRAVERTINE: CVE-2025-24118
01/30/2025 - CVE-2025-24118 is a race condition in the macOS kernel that allows for corruption of a thread's kauth_cred_t credential pointer. Specifically, the SMR-protected p_ucred field of a process's read-only struct can be corrupted to point to invalid memory, or potentially to a different (maybe even more privileged) credential.
Phorpiex - Downloader Delivering Ransomware
02/01/2025 - In this article, we investigate the Phorpiex botnet, which is able to deliver LockBit Black ransomware.
FleashStealer is a credential stealer operated through a web-based panel. This C#-based malware uses encryption to avoid detection and possesses several notable features that distinguish it from other infostealer threats. This article provides technical analysis of the Tactics, Techniques, and Procedures (TTPs) it leverages.
How-To: Linux Process Injection
01/28/2025 - In this post, I'll show you how I developed a tool to load an arbitrary shared library (.so) file into another process's memory space.
Credential Dumping: AD User Comment
01/29/2025 - In this article, we shall explore different tools and techniques that help us enumerate Active Directory (AD) users' passwords, which an attacker can use to expand their access within the organization.
AD Recon: Kerberos Username Bruteforce
01/30/2025 - In this post, we explore the exploitation technique known as the Kerberos pre-authentication brute-force attack. This attack takes advantage of Kerberos authentication responses to determine valid usernames and perform password brute-forcing.
Your Guide to the Sigma Rules Open Standard
01/28/2025 - This blog explains everything you wanted to know about Sigma rules, including how Sigma rules are structured, their predecessors and benefits, and how to integrate them into your Security Information and Event Management (SIEM) software.
We detail two CVEs (CVE-2024-45302 and CVE-2024-51501) for header injection vulnerabilities in the RestSharp and Refit .NET libraries. This blog post outlines the research which led to discovering these vulnerabilities.
We discovered a privilege escalation issue affecting Thermo Fisher Scientific Xcalibur software (CVE-2024-55957). The issue allows for privilege escalation on Windows systems due to improper access controls on the application files.
How to prove false statements? (Part 1)
02/04/2025 - In this first part of the series, we will introduce a handful of concepts, including the notion of "verifiable computation" proof systems, hash functions, some ideal models that we use for our security proofs, and the idea that these "ideal models" are bogus - and sometimes they can make us confident in schemes that are totally insecure in the real world.
How to prove false statements? (Part 2)
02/06/2025 - In this second part, we will try to demonstrate that a proving scheme that appears to be secure in one setting might not actually be secure. We will first introduce interactive proof systems and their main limitation, then focus on the practical attack against Fiat-Shamir.
Bring Your Own Trusted Binary (BYOTB)
02/06/2025 - This post will detail how to bring trusted binaries to a system and use them in an adversarial fashion: evading EDR detection, bypassing firewall filtering and setting up a tunnel to our Kali VM.
In this article, I detail a vulnerability in Casdoor, an open-source UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. The vulnerability affects both Android and Windows/macOS/Linux, effectively allowing the theft of user data.
Still Recent
In this post, we'll delve into two critical vulnerabilities discovered in the HPE Insight Remote Support (IRS) application: an unauthenticated XXE vulnerability (CVE-2024-53675) and a remote code execution (CVE-2024-53676) - allowing unauthorized access and arbitrary code execution on vulnerable systems.
Path masquerading: Hide in plain sight
01/20/2025 - When operating under a normal user account, the focus of bypassing EDR is primarily on executing actions in the most innocuous manner possible. In this article, with a Standard User account, I will implement the masquerading attack technique to disguise the paths of payloads to closely resemble the path of the Antimalware Service Executable file.
In this article, we will briefly examine what VBS, HVCI, and kCFG are and write exploit code in a way that allows us to turn our arbitrary pointer dereference into an arbitrary read/write primitive, which in turn allows us to perform data-only attacks, such as elevating token privileges, swapping token addresses, disabling EDR kernel callbacks, etc.
Deep Dive Into a Linux Rootkit Malware
01/13/2025 - We analyze a rootkit malware. We explain how the kernel module sets a Netfilter hook function, what related tasks the Netfilter hook function performs, how the user-space process is started, how it disguises itself, how it creates the child process, and how it is eventually replaced by "/bin/sh" to process the attacker's Linux commands to control the system.
Oldies but Goodies
Cortex XDR's ransomware detection methodology relies on deploying honeypot files in different locations. In this article, we will see how the decoy files can be identified on a system protected by Cortex XDR.
SharpSCCM is capable of executing CMPivot queries through the Administration Service (AdminService) REST API. When operating within an SCCM/ConfigMgr site, and under the right context, this provides offensive operators with the ability to enumerate almost every aspect of a client's software and hardware.
Linux detection engineering with Auditd
04/09/2024 - We introduce Auditd, a powerful utility designed for monitoring and recording system events, providing a detailed audit trail of who did what and when. It acts as a watchdog, patrolling and recording detailed information about system calls, file accesses, and system changes, which are crucial for forensic analysis and real-time monitoring.
DoubleClickjacking is a variation of the Clickjacking technique: instead of relying on a single click, it takes advantage of a double-click sequence. While it might sound like a small change, it opens the door to new UI manipulation attacks that bypass all known clickjacking protections, including the X-Frame-Options header, CSP's frame-ancestors and SameSite: Lax/Strict cookies.