There are two possible outcomes: if the result confirms the hypothesis, then you've made a measurement. If the result is contrary to the hypothesis, then you've made a discovery.
Starred Articles
This article explains how to turn a KQL hunting query into a Defender detection rule to spot unusual web server processes by using simple statistics.
This post discusses some more obscure, creative and/or complex backdoors and persistence mechanisms. We will review pre-OS Boot techniques (GRUB Bootloader, Initramfs), system processes (PolicyKit, D-Bus), and event triggered execution (Network Manager).
I've got an idea how we can detect malicious command obfuscation techniques by counting the number of unusual substrings that show up, and I'm going to explore it in this blog post.
In this second part we demonstrate how AI agents introduce entirely new attack surfaces. We reveal how we exploited an HR agent and turned it against its own organization.
New Articles
CVE-2023-32434 is an integer overflow in the VM subsystem of the XNU kernel allowing an attacker to map kernel memory into an arbitrary process. This makes it a very powerful vulnerability, but its exploitation is not that easy. This writeup shows the steps involved in the final, working exploit.
We present Wallbleed, a buffer over-read vulnerability in the DNS injection subsystem of the Great Firewall of China. Wallbleed caused certain nation-wide censorship middleboxes to reveal up to 125 bytes of their memory when censoring a crafted DNS query.
This post dives into the technical details of phantom call, a combination of thread hijacking and calling interesting APIs on a newly crafted stack in the context of the hijacked thread, in a more stable way.
Mustang Panda APT Adversary Simulation
02/28/2025
This is a simulation of an attack by the Mustang Panda APT group. The attack chain starts with abuse of Visual Studio Code's reverse shell to execute arbitrary code and deliver additional payloads.
The Universal Windows Platform (UWP) is Microsoft's modern application model, designed to replace traditional desktop applications with a sandboxed, secure environment. While UWP apps improve system security and organization, they also introduce new forensic challenges, as many of their artifacts exist outside of expected locations.
Email forensics is about understanding email structures, audit logs, and other relevant artifacts that can provide key evidence. This article focuses specifically on Google Workspace, though the principles discussed here apply broadly to all email platforms.
I wanted to produce a hash set for all the malware files in my repository. Using YARA and Python I wound up with three scripts. Two of them are used to create the hash sets, and a third does counting and indexing on the source directory for different file headers.
iOS Forensics - Part 1: iOS File Systems
02/23/2025
Apple, being notorious for creating their own versions of things, developed two unique file system formats: HFS+ and APFS. This article provides an overview of these formats.
iOS Forensics - Part 2: Analyzing iOS Files
02/22/2025
iOS file analysis is a necessary skill for any digital forensics investigator, as files on Apple devices are stored in unique formats and structures. This tutorial will walk you through some of the most important artifacts: analyzing property list files (plists) and SQLite databases.
In this post, I'll explain the sliding_window_counts plugin and provide you with a query for Password Spray attack detection/hunting.
This post will cover the process of searching for, identifying, and responding to various ASNs identified as risky. It will also include recommendations and the corresponding KQL queries using different Defender tables.
DNS Tunneling
02/24/2025
Attackers exploit DNS traffic as a covert channel to exfiltrate data, communicate with compromised machines, or execute remote commands. This technique is known as DNS Tunneling, where malware hides malicious traffic inside legitimate-looking DNS queries and responses, making detection difficult. This article explains how it works, and how it can be detected.
Your MFA Is No Match for Sneaky2FA
02/27/2025
Sneaky2FA is an AitM (Adversary-in-the-Middle) PhaaS (Phishing-as-a-Service) kit designed to bypass 2FA (Two-Factor Authentication) and provide the operator with access to the victim's Office 365 account via intercepted session cookies. It is leveraged by phishing operators to set up persistent access to stolen accounts.
This blog focuses on exploring how SmartScreen Debug Event Logs can help confirm execution and file interactions with solid forensic evidence.
Symlink attacks without code execution
02/23/2025
This article details an attack leveraging a possible race condition in anti-malware operations, leading to the deletion of an arbitrary attacker-chosen file on the targeted system.
We discovered new Linux malware called Auto-color. The malware employs several methods to avoid detection, such as using benign-looking file names for operating, hiding remote command and control (C2) connections, and deploying proprietary encryption algorithms.
Compromised Browser Extensions
02/25/2025
We investigate how threat actors leverage browser extensions as an attack vector, including examples for Cyberhaven and GraphQL Network Inspector. We go through how browser extensions work and review the main compromised ones.
This article walks through a SOC investigation where efficient surface-level analysis led to the identification of a web shell associated with a well-known toolset.
We investigate an attack chain starting with the exploitation of the CVE-2023-20118 vulnerability, leading the victim to be infected by a TLS backdoor. This blog post provides an analysis of the backdoor and the associated botnet. Additionally, it shares insights into the adversary's infrastructure.
Substack Domain Takeover
02/25/2025
In this blog, we will talk about an edge case that allows an attacker to take over inactive Substack blog custom domains.
In this part I'll cover how I found and exploited bugs in the Xbox 360 hypervisor to get full code execution and create the "Bad Update" exploit.
We recently discovered a phishing campaign that combines ClickFix and multi-stage malware to deploy a modified Havoc Demon Agent. The threat actor hides each malware stage behind a SharePoint site and uses a modified version of Havoc Demon in conjunction with the Microsoft Graph API to obscure C2 communications within trusted, well-known services.
Antivirus Evasion 3
03/03/2025
In this article we will discuss process injection, enumeration with EnumProcess and thread hijacking.
Research into exploiting unsafe reflection in a minimal Rails application and the discovery of a new RCE reflection and deserialisation gadget in the sqlite3 gem.
!exploitable - Part 2: Enter the Matrix
03/04/2025
In this second part, we attempt to exploit one of the most famous vulnerabilities ever: SSHNuke.
We detail a code execution vulnerability in the Microsoft Windows Key Distribution Center (KDC) Proxy (CVE-2024-43639). Successful exploitation could result in arbitrary code execution in the security context of the target service.
API Design Basics: Rate Limiting
03/03/2025
In this article, we review API rate limiting strategies that protect the API by telling "overactive" API consumers to calm down a bit: either reduce the frequency of their requests, or take a break entirely and come back later, so that the API is not overwhelmed.
CVE-2024-7014 Return: Updated Evilloader
03/04/2025
This article examines a scenario that works similarly to the CVE-2024-7014 vulnerability. A file with an ".htm" extension is disguised as a video and sent via the Telegram API, and while the user expects a video, the JavaScript code inside the HTML is actually executed.
Deferred Procedure Calls (DPCs) are a Windows mechanism that allows code running at a high interrupt request level (IRQL) to defer execution of lower-priority work until the processor returns to a lower IRQL. We will get into the details of how DPCs work and how they can be exploited for privilege escalation.
We analyze how FunkSec ransomware disables Windows Event logging and real-time protection for Windows Defender. We also review the check for VM-related processes, the command that verifies whether the user has administrative privileges, and provide related IoCs.
Client-Side Path Traversal
03/04/2025
We review the key points of client-side path traversal, a serious security vulnerability that occurs when an attacker manipulates file paths in web applications to gain unauthorized access to files stored on the client side or server side.
In this article, we explore what hotkey-based keyloggers are and how to detect them. Specifically, we explain how these keyloggers intercept keystrokes, then present a detection technique that leverages an undocumented hotkey table in kernel space.
We found an attack where a single 3rd party JavaScript file was used to inject four separate backdoors. This article provides a technical analysis of those backdoors.
Time-of-Check to Time-of-Use (TOCTOU) vulnerabilities represent a critical class of race condition security flaws that plague software systems interacting with external resources. In this article, we detail the anatomy of a TOCTOU vulnerability, identify the common patterns in C# code and provide defensive techniques to mitigate such vulnerabilities.
CSS Exfiltration under default-src 'self'
02/27/2027
In this article, I demonstrate how it is possible to do CSS Exfiltration if default-src 'self' is specified in the CSP. I also wrote a challenge about this, and will provide the solution in this blog.
Decrypting the Forest From the Trees
03/06/2025
SCCM forest discovery accounts can be decrypted, including accounts used for managing untrusted forests. If the site server is a managed client, service account credentials can be decrypted via the Administration Service API.
We analyze malicious Go packages that impersonate popular libraries to install hidden loader malware on Linux and macOS, targeting developers with obfuscated payloads.
We found CVE-2025-27218, a remote command execution (RCE) vulnerability in the Sitecore Experience Platform. It is another case of unsafe deserialization and is exploitable in the default configuration without authentication.
Bypass AMSI in 2025
02/27/2025
This blog post will shed some light on what's behind AMSI, how it works and what techniques are currently available to effectively bypass it.
Still Recent
We discuss how to leverage Enterprises' Circadian Window to spot unusual activity and potentially uncover cyber threats.
Reversing the QardioArm - Part 1
02/13/2025
This is a two-part blog post disclosing two CVEs for the QardioArm, a wireless blood pressure monitor: CVE-2025-20615 (sensitive data exposure) and CVE-2025-24836 (command injection).
This article analyzes SPAWNCHIMERA, an updated variant of the SPAWN malware family, which infects targets by leveraging the CVE-2025-0282 vulnerability in Ivanti Connect Secure.
!exploitable - Part 1: Breaking IoT
02/11/2025
In this first part, we dig into IoT ARM exploitation. We investigate a buffer overflow in the firmware of the Tenda AC15 router, known as CVE-2024-2850.
We observed a new malware campaign using fake CAPTCHAs to deliver Lumma Stealer. We detail the infection chain and analyze the payloads, one of them containing a snippet used for bypassing Windows Antimalware Scan Interface (AMSI).
Oldies but Goodies
RCE on the HP M479fdw printer
10/10/2024
This post covers the technical aspects of our HP M479fdw printer exploitation journey, from dumping the NAND to reliable code execution via the printer discovery service.
In this first part I provide an introduction to the main concepts of the Tor network.
This second part provides an overview of the various encryption keys in use, how relays can be contacted and how channels are established.
We detail a technique which bypasses detection by embedding a malicious Word file into a PDF file. This blog article calls the technique "MalDoc in PDF" hereafter and explains the details of and countermeasures against it.