Regular expressions aren't random jumbles of punctuation. They're carefully thought-out jumbles of punctuation!
Starred Articles
In this post I will focus specifically on patching Kernel Event Tracing for Windows (ETW) structures to render providers either ineffective or inoperable. I will provide some background on this technique, analyse how an attacker may manipulate Kernel ETW structures, and get into some of the mechanics of finding these structures.
Commit Stomping
05/15/2025 Commit Stomping is a technique inspired by timestomping, a well-known method used in offensive operations where file metadata is manipulated to hide the true timing of actions. In Git, Commit Stomping involves altering commit timestamps to mislead observers about when changes were introduced.
Explore why adversarial examples fundamentally exist & why models are often wrong almost everywhere.
Abusing .pyc files
05/12/2025 In this short post, I explain how one can overwrite the content of the __pycache__ directory to have arbitrary code executed.
The cryptography behind passkeys
05/14/2025 This post examines the cryptography behind passkeys, the guarantees they do or do not give, and interesting cryptographic things you can do with them, such as generating cryptographic keys and storing certificates.
New Articles
We detected a new technique for successfully delivering a credential phishing page to a user's inbox: blob URIs. Blob URIs are generated by a browser to display and work with temporary data that only that browser can access.
This blog post will look at multiple command injections we found in Rundeck, a job scheduler and runbook automation platform. First, we will examine jobs running on Rundeck Linux servers - both those with a single parameter and those with multiple parameters. Afterward, we will do the same for Rundeck Windows servers.
Exploiting Copilot AI for SharePoint
05/07/2025 We explore security risks associated with Microsoft Copilot for SharePoint, focusing on how attackers can exploit AI-powered SharePoint Agents to access sensitive data.
Let's break down Linux user management, authentication, and logging in a way that actually makes sense, especially if you've been on both Windows and Linux systems.
Windows Defender Application Control (WDAC) bypass techniques are limited to executing JavaScript code only, and you can't execute native code, such as loading DLLs or running EXEs. This blog post covers a technique we utilized to get around those restrictions.
CRLF Injection is not as well-known as SQL Injection or Cross-Site Scripting, but it can lead to serious issues like HTTP response splitting, web cache poisoning, and even XSS attacks, all of which can put a website at risk.
Windows Defender Application Control (WDAC) is a security solution that restricts execution to trusted software. We successfully bypassed it by using a known LOLBIN, DLL side-loading a trusted application with an untrusted DLL, exploiting a custom exclusion rule, and finding a new execution chain in a trusted application that allows C2 deployment.
CVE-2025-37752 is an Array-Out-Of-Bounds vulnerability in the Linux network packet scheduler, specifically in the SFQ queuing discipline. An invalid SFQ limit and a series of interactions between SFQ and the TBF Qdisc can lead to a 0x0000 being written approximately 256KB out-of-bounds at a misaligned offset. If properly exploited, this can enable privilege escalation.
Return of the Crypto Inferno Drainer
05/07/2025 This article provides an in-depth analysis of an active phishing campaign targeting crypto and blockchain communities. We examine every stage of the attack, from phishing interaction mechanisms to the deep technical intricacies of Inferno Drainer's operation, including the chain of malicious smart contracts and the subsequent transfer of stolen funds to the attackers' wallets.
An alternative technique for obtaining Microsoft Entra refresh tokens (and "family refresh tokens") using beacon on a compromised endpoint.
In this post, we'll explore why forensic analysis on Linux is significantly harder than on Windows. From script-infested systems and log file nightmares to a dizzying array of distros and containers, we've got a lot to cover.
CVE-2025-21756 - Attack of the Vsock
05/03/2025 We explore CVE-2025-21756, a Linux kernel vulnerability affecting vsock transport. We will detail our journey in exploiting the bug, which involves a Use-After-Free (UAF) condition triggered by improper reference counting in the vsock subsystem.
I started to put considerable effort into making loadlibrary work with recent versions of Windows Defender. This post is my brain dump of the process so far. The first part is about the Lua VM, red teamers may find some useful techniques and ideas. The second part is focused on fuzzing and how I managed to get stable results for millions of fuzzer runs.
We review how to use the log stats command to analyze iOS unified logs, understand TTL values, and get useful insights from your logarchive for digital investigations.
Because manually squinting at hex dumps is so last century. Let me show you how AI-assisted debugging is leaving WinDBG's command line in the dust.
DLL injection fundamental - Part2
05/07/2025 In this second part, I'll start writing some code little by little and explore how someone without a coding background can grow and eventually write a DLL injection script to better understand the attack technique.
The goal for this post is to provide some insight into why targeting page tables can be such a powerful exploitation technique. We'll do a primer on how paging works in Linux, to give us some context, before looking at how we can gain control of page tables in the first place, how to exploit them for privilege escalation and mitigations to be aware of.
Analyzing the Attack Surface of Ivanti's DSM
05/13/2025 We will detail the DSM architecture, explain how the agent is installed and how credentials are stored, focusing on the usage of RPC - providing details for two related vulnerabilities. Then, we will demonstrate how software deployment works and how this vector can be utilized for lateral movement.
This article explores hidden risks in API testing tools like Postman and Insomnia. We dive into scripting vulnerabilities and explore JavaScript sandbox security pitfalls.
We identified a new piece of malware called LOSTKEYS, capable of stealing files from a hard-coded list of extensions and directories, along with sending system information and running processes to the attacker. We provide a technical overview of the malware as well as YARA rules and IoCs.
We discuss a method to bypass BitLocker encryption on Windows devices using a software-only attack called Bitpixie. While traditional attacks involve hardware-based techniques, Bitpixie exploits vulnerabilities in Windows boot processes without requiring physical modifications.
We uncovered techniques that attackers are using to bypass MFA using stolen browser cookies. By leveraging custom-made malicious browser extensions and automation scripts, attackers can extract and reuse authentication cookies to impersonate users without needing credentials, while keeping persistence.
In cloud-first environments, access tokens have become the new keys to the kingdom. Attackers no longer need passwords or multifactor authentication (MFA) codes to compromise an environment. A single valid access token can grant broad and often silent access to critical cloud resources, making detection and containment significantly more challenging.
Utilizing ASNs for Hunting & Response
05/08/2025 Autonomous system numbers are like the address book of the internet, and not every IP address belongs to a "friendly" address. We'll cover what exactly ASNs are, how they can be utilized in hunting and incident response workflows, and provide real-life examples of how we used ASNs to unravel intrusions and locate malicious activity in partner networks.
In this blog post, I'll explore using Mach IPC messages as an attack vector to find and exploit sandbox escapes. I'll detail how I used a custom fuzzing harness, dynamic instrumentation, and plenty of debugging/static analysis to identify a high-risk type confusion vulnerability in the coreaudiod system daemon.
This blogpost introduces an operation that we named RoundPress, targeting high-value webmail servers with XSS vulnerabilities. The ultimate goal of this operation is to steal confidential data from specific email accounts.
This article highlights a new obfuscation technique threat actors are using to hide malware through steganography within bitmap resources embedded in otherwise benign 32-bit .NET applications. Upon execution, these files kick off a multi-stage chain of extracting, deobfuscating, loading and executing secondary payloads, eventually detonating the final payload.
valueOf: Another way to get this
05/12/2025 A short post to detail an alternative way of accessing the JavaScript window object in an event handler context.
Investigating ClickFix Incidents
05/06/2025 With ClickFix being one of the popular delivery methods for malware, infostealers and state-sponsored hackers, it is time to share a blog on investigating these incidents using Defender For Endpoint.
We investigate a Linux cryptojacking campaign, named RedisRaider, targeting publicly accessible Redis servers. The campaign incorporates subtle anti-forensics measures, such as short-key time-to-live (TTL) settings and database configuration changes, to minimize detection and hinder post-incident analysis.
Linux Kernel Exploitation - Part 5: USMA
05/02/2025 In this post, I will explain USMA, a universal and data-only exploitation technique that allows us to patch kernel code from user space.
Mastering Rate Limit Bypass Techniques
05/10/2025 Rate limit bypass refers to the techniques used by attackers to circumvent the protections put in place by rate limiting mechanisms. In this article, we will review the weaknesses in the implementation as well as the various tactics leveraged by attackers to make excessive requests without triggering the rate limit, gaining access to resources or launching attacks undetected.
Linux Kernel Exploitation - Part 6: PageJack
05/03/2025 In this post, I will explain PageJack, a universal and data-only exploitation technique that turns an off-by-one bug into a page UAF.
Expression Payloads Meet Mayhem - Ivanti EPMM Unauth RCE Chain (CVE-2025-4427 and CVE-2025-4428)
05/15/2025 We detail an authentication bypass and an RCE vulnerability (CVE-2025-4427 and CVE-2025-4428) in Ivanti EPMM. We demonstrate that, when chained together, successful exploitation can lead to unauthenticated remote code execution.
When you're digging into Linux systems, especially during live forensics or incident response, understanding file system behavior is crucial. The ext4 file system is commonly used, and knowing how to read file timestamps properly can give you a solid edge in an investigation.
DLL injection fundamental - Part3
05/13/2025 In this third part, we will walk through the typical steps of DLL injection: OpenProcess, VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread.
Still Recent
In this post, I will explain Dirty PageTable, a universal and data-only exploitation technique that allows us to gain arbitrary read and write access to the entire physical memory.
In this post, I will explain Dirty Pipe, a universal and data-only exploitation technique that allows us to arbitrarily overwrite read-only files.
We discovered new versions of the Triada Trojan on devices whose firmware was infected even before they were available for sale. The modular architecture of the malware gives attackers virtually unlimited control over the system, enabling them to tailor functionality to specific applications.
We'll dive into the Dirty Pagetable method by showcasing its use on a real-world page UAF (use-after-free) vulnerability in io_uring. Although this article addresses the vulnerability itself, our focus is on the exploitation technique rather than the bug's details.
Hunting Kerbrute: Analysis, Detection and Mitigation of Kerberos Attacks in Active Directory
05/01/2025 We will see how to detect, analyze, and defend against Kerberos-based attacks in Active Directory with this in-depth guide to hunting Kerbrute and mitigating authentication abuse.
We will dive deep into Flutter's architecture, some of its inner workings and dependencies, and finally, drill down into the SSL verification logic. The post will end by exploring what the reFlutter tool actually does and my attempts at replicating the same behaviour with Frida.
In this post, I will explain DirtyCred, a universal and data-only exploitation technique that allows us to escalate privileges without a write primitive.
Linux Kernel Exploitation - Part 0: Setup
04/10/2025 In this post, I will explain how to build and debug the Linux kernel.
In this post, I will explain the cross-cache attack, a fundamental technique for advanced Linux kernel exploitation. Understanding this technique is important for understanding other exploitation techniques, such as Dirty PageTable and DirtyCred, which I will cover in future posts.
Microsoft synchronization capabilities for managing identities in hybrid environments are not without their risks. In this blog, we explore how potential weaknesses in these synchronization options can be exploited.
The goal of this article is to illustrate the process of a red team engagement and how cyber attackers might operate employing diverse techniques and procedures when targeting critical infrastructure.
This post introduces one of the virtualization features needed to keep kernel-mode shadow stack functional against kernel exploits: supervisor shadow stack restrictions / supervisor shadow-stack control.
I discuss a potential security issue affecting Windows LNK files (shortcuts) leading to potential NTLM hash capture.
Oldies but Goodies
We identified a local privilege escalation vulnerability arising from an unauthenticated Java Management Extensions (JMX) remote management interface of the Ant Media server (CVE-2024-32656). An attacker could then use access to the JMX remote management listener to leverage the account's sudo privileges and elevate access to root on the system.
A technical analysis of the distribution campaign of DeerStealer, a malware posing as Google Authenticator that we discovered.
This blog post focuses on Authentik, detailing two high-severity vulnerabilities we found and our journey of exploiting them. Furthermore, we share a proof of concept (POC) demo exploiting a privilege escalation vulnerability we found.
We explain how Windows Text Services Framework (TSF) plugins can be exploited for advanced persistence techniques, and detail this stealthy attack vector that allows code injection into GUI processes.
Unearthed Arcana
Statistical Analysis to Detect Uncommon Code
01/26/2023 In this blog post, I will show how n-gram analysis can be used to identify uncommon instruction sequences in binary code. It is not only fun to see what statistics can reveal about assembly patterns, but it is also an effective technique to pinpoint obfuscated code or other obscure computations which might be worth a closer look during reverse engineering.