Security Review #252

April 04, 2025

Study hard what interests you the most in the most undisciplined, irreverent and original manner

— Richard Feynman

Starred Articles

MCP: An Introduction to Agentic Op Support

In this post, we'll explore how to implement a straightforward agent that leverages the capabilities of LLMs. We will be using Model Context Protocol (MCP) to synergise with Mythic C2 and automate Conti replication, by building a simple agent that uses various tools such as ldapsearch, smbclient, nslookup, and ping to discover domain controllers on a network.

Exploiting IngressNightmare: A Deep Dive

IngressNightmare is an unauthenticated remote code execution (RCE) vulnerability in the Ingress NGINX admission controller. I found the exploit chain particularly intriguing and decided to recreate it for a deeper understanding.

Harnessing the power of Named Pipes

This post provides a simple methodology for identifying, monitoring, and exploiting named pipes. It also offers some insight into how custom tooling can be made to instrument Windows applications.

Anatomy of an LLM RCE

In this post, we will investigate the risk of manipulated LLMs by examining the anatomy of an LLM Remote Code Execution (RCE) vulnerability. We'll start by understanding how large language models are capable of executing code, and then we'll dive deep into a specific vulnerability we uncovered.

New Articles

Leakymetry: circumventing glpi authentication

We create a full exploit chain allowing the hijacking of a high-privilege user on GLPI, an open-source software used to create a mapping of a network through an inventory plugin and gather users' issues through a ticket system.

Pwning Millions of Smart Weighing Machines with API and Hardware Hacking

Hardware and web security are two halves of modern smart device security, and learning to hack both can yield impressive and scary results. This blogpost goes through the basics of hacking connected smart devices from end-to-end, focusing on the critical workflow of user-device association.

CVE-2025-29927 - Next.js

We discuss CVE-2025-29927, a vulnerability that affects the Next.js framework, and that enables attackers to bypass authorization mechanisms implemented via Next.js middleware, potentially granting unauthorized access to sensitive resources.

SSH Artifacts in Windows 11 - Part 1

In this series, we are testing for SSH artifacts when connecting to a Windows 11 OpenSSH Server. In this first part, we will identify the relevant event IDs.

Windows Log Analysis: From Raw Data to Forensic Insights

Understanding raw log locations in Windows and efficiently extracting and structuring them is crucial for forensic investigations and incident response. EZ Tools provide a powerful way to process these logs, making them more accessible and actionable.

Identifying Malicious Software: A Guide for Incident Responders

Rapid identification of suspicious and malicious software involves analyzing files, performing live response (examining a system while it's running), and conducting temporal analysis (also known as timelining) to trace malicious activity.

The Long and Short(cut) of It: KoiLoader Analysis

We analyse an intrusion attempt involving the use of a shortcut file leading to the loading of a new version of KoiLoader, a malware loader that facilitates Command and Control (CnC), and downloads/executes Koi Stealer, an information stealer written in C# with advanced information stealing capabilities.

PhaaS actor uses DoH and DNS MX to dynamically distribute phishing

We have discovered a phishing kit that creatively employs DNS mail exchange (MX) records to dynamically serve fake, tailored, login pages, spoofing over 100 brands. We analyze the consistent tactics, techniques, and procedures (TTPs), as well as continuous use of core resources, across attacks that used the kits within the last five years.

Stealing user credentials with evilginx

Evilginx can be used to steal usernames, passwords, and session tokens, allowing an attacker to potentially bypass multifactor authentication (MFA). In this post, we'll demonstrate how evilginx works and what information it is able to acquire; we also have advice for detecting this tool in use, as well as potential mitigations against its use.

Sinister SQL Queries and How to Catch Them

This blog explores the offensive capabilities built into SQL Server and provides defenders with practical detection strategies. We'll examine how attackers can abuse stored procedures and CLR assemblies, modify the registry, and maintain persistence - all while potentially evading common monitoring controls.

A Deep Dive into Water Gamayun's Arsenal and Infrastructure

We discuss the delivery methods, custom payloads, and techniques used by Water Gamayun abusing a zero-day vulnerability in the Microsoft Management Console framework (CVE-2025-26633) to execute malicious code on infected machines.

Auto-color - Linux backdoor

This article provides a technical analysis of Auto-color, a Linux backdoor that acts as a benign color-enhancement tool. It encrypts its strings to prevent easy extraction of its functionality, uses multiple evasion techniques to avoid detection, and receives remote commands to execute on the infected machine, giving the attacker full control over the compromised system.

CrushFTP Authentication Bypass - CVE-2025-2825

A critical vulnerability (CVE-2025-2825) was discovered in CrushFTP, a widely used multi-protocol file transfer server. In this research, we explore how seemingly minor implementation details in authentication mechanisms - particularly the reuse of authentication flags for multiple purposes - can lead to severe security implications.

Client-side RCE via symlink following in Google Web Designer for macOS/Linux: CVE-2025-1079

I've discovered a vulnerability in Google Web Designer that exposed its users on macOS and Linux to the possibility of client-side remote code execution via improper symbolic link resolution (CVE-2025-1079). Attackers could take control over client computers after victims interacted with a specially crafted malicious file using the app.

ZendTo NDay Vulnerability Hunting

In this article, I detail 2 vulnerabilities I found in ZendTo filesharing software: a Remote Code Execution (RCE) and an authentication bypass.

React Router and the Remix'ed path

I found a vulnerability (CVE-2025-31137) in React Router, a library used to manage multi-strategy routing in React applications. It allows URL manipulation through the Host/X-Forwarded-Host header and affects all users of Remix 2, as well as, more generally, React Router 7. This could potentially lead to several exploits, as we will demonstrate in this brief article.

Still Recent

Core Application Security for Java Developers

This article covers Java security measures that can be implemented internally after the service receives a request from an external client, focusing on areas such as securing resource access, input validation, symmetric and asymmetric encryption, hashing, secure configuration of secrets, logging, and deserialization vulnerabilities.

Detecting Supply Chain Attacks with Falco Actions

The recently discovered CVE-2025-30066 for the GitHub action tj-actions/changed-files brought to light a topic that is really critical for companies: supply chain attacks. With that, we want to discuss and show a bit about how Falco can help your organization detect this kind of attack and other suspect behaviors inside your CI/CD pipeline.

ELK Stack Setup - Part 1: Installing and Configuring ELK Stack

In this article, I will provide you with a step-by-step guide for installing and configuring the ELK Stack, a popular open-source solution for managing and analyzing logs, consisting of ElasticSearch, LogStash, and Kibana.

Oldies but Goodies

Code Execution in IDA MCP Servers

In this article, I detail my journey to abuse an IDA MCP plugin and have it execute an arbitrary command planted in the code of the file to be analyzed.

Unearthed Arcana

Process Injection - Part 1: The Theory

Process injection is a defence evasion technique that any skilled penetration tester needs in their arsenal. In this first part of the series I'll be breaking down some of the theory behind how and why process injection works.

How to craft an XSS payload to create an admin user in Wordpress

We will see how to capitalize on a particular (old) WordPress plugin vulnerability to deliver a persistent XSS injection (not logged into WordPress) that will later be executed by someone logged into WordPress with higher privileges, such as an administrator.