UNIX is basically a simple operating system, but you have to be a genius to understand the simplicity.
Starred Articles
Default Active Directory (AD) settings allow standard users to register DNS records, enabling Ghost SPNs (Service Principal Names mapped to hostnames that fail to resolve). This introduces an exploitable attack surface that adversaries can leverage to perform Kerberos authentication reflection, leading to remote privilege escalation.
LLM-Powered AMSI Provider vs. Red Team Agent
12/03/2025 We built an LLM-powered AMSI provider and paired it against a red team agent, generating a unique dataset and a blueprint for detecting malicious code at execution time.
We investigate a new wave of the Shai-Hulud supply chain attack. It leverages the same worm-like propagation mechanism observed previously, but with updated tactics. It also exfiltrates stolen credentials directly to GitHub repositories created with compromised tokens.
I walk you through conducting complete post-exploitation operations using nothing but native Windows tools. We'll cover initial reconnaissance, credential harvesting, lateral movement, persistence mechanisms, and data exfiltration. I'll explain why these techniques work, what defenders see when you use them, and how to make your operations blend in with legitimate administrative activity.
Discreet Driver Loading in Windows
11/25/2025 We will dive into the techniques for loading vulnerable drivers in a stealthy way, focusing on how to integrate them into the system without triggering alarms or leaving obvious traces.
New Articles
SVG Filters - Clickjacking 2.0
12/05/2025 I've discovered a technique that turns classic clickjacking on its head and enables the creation of complex interactive clickjacking attacks, as well as multiple forms of data exfiltration.
We review the critical differences between OAuth State, Nonce, and PKCE, and explain how these parameters prevent CSRF, replay attacks, and code interception.
Hacking the Meatmeet BBQ Probe - Part 3
12/02/2025 We uncover BLE flaws in the Meatmeet BBQ probe that allowed us to take over the device, push malicious firmware, and even build a BLE BBQ Probe botnet.
Malicious VSCode Extension Launches Multi-Stage Attack Chain with Anivia Loader and OctoRAT
12/03/2025 A fake VSCode extension triggered a multi-stage attack deploying the Anivia loader and OctoRAT. In this article, we detail how the chain worked and where defenders can detect it.
React and Next.js are exposed to critical unauthenticated RCE via CVE-2025-55182 and CVE-2025-66478. The flaw stems from insecure deserialization in the RSC payload handling logic, allowing attacker-controlled data to influence server-side execution.
ADS Forensics
11/25/2025 ADS (Alternate Data Streams) in NTFS are extra named data parts attached to the same file, allowing adversaries to hide malicious payloads or exfiltrate data stealthily, bypassing normal detection methods. We will detail how ADS works and how suspicious files can be detected.
I introduce two free tools that are efficient for log analysis within the Microsoft cloud ecosystem: Microsoft-Extractor-Suite and Microsoft-Analyzer-Suite. These tools are easy to use, flexible, and excellent for investigating business email compromises, cloud environment audits, and more.
Hacking the Meatmeet BBQ Probe - Part 1
11/28/2025 We reverse engineer the Meatmeet Pro thermometer, dump its ESP32 flash, uncover stored credentials, and analyze UART, BLE, and MQTT communication.
Hacking the Meatmeet BBQ Probe - Part 2
12/02/2025 We analyze the Meatmeet Android app, uncovering stored credentials, traffic interception, insecure uploads, session bypass, and leaked tokens.
In this post, I walk through the process of building a modern piece of ransomware from an attacker's perspective. The goal is to show, step-by-step, how an operator would think about assembling the core components of a payload and layering on the evasion techniques that help it slip past contemporary defenses.
In this article we explore the Pass-The-Cert Attack from the original flow to KDFv2 implementation along with support for multiple protocols such as SMB, WinRM, RPC and RDP.
We analyzed FFmpeg and reported seven distinct memory safety flaws, including buffer overflows and invalid memory writes, missed by traditional tools.
We detail a critical ChatGPT Atlas Browser vulnerability: XSS on an OpenAI subdomain let attackers hijack tabs, leak browsing URLs, and steal OAuth tokens.
In this blog post, we’ll explore how attackers can abuse file uploads without relying on extensions and how this can lead to critical vulnerabilities when combined with PHP session handling behavior.
Bind Link - EDR Tampering
12/01/2025 The Bind Link API enables Administrators to create transparent mappings from a virtual path to a backing path (local or remote). It is possible to abuse bind links to redirect the folder containing the EDR files to a folder that a threat actor has write access to, in order to perform evasion.
We delve into PromptPwnd, a vulnerability in GitHub Actions or GitLab CI/CD pipelines when combined with AI agents. We explain how sensitive data may leak or workflows can be manipulated if a malicious input gets injected as a prompt.
Conditional Access bypasses
11/30/2025 We explore built-in and undocumented bypasses in Microsoft Entra Conditional Access (CA): Microsoft Authenticator App scope combination, Device Management Service access via Teams, and resources excluded from Conditional Access.
Cracking the Crystal Palace
11/29/2025 In this blog article, we will look at Crystal Palace from a defence perspective and search for artifacts that would indicate a capability has been loaded by Crystal Palace. We eventually identify __resolve_hook() and build the corresponding YARA rule.
Hide the threat - GPO lateral movement
11/25/2025 We discuss 3 techniques used to filter the targets when performing lateral movement through the GPO mechanism: filtering during the execution of the attack (in-script), using configuration settings within the GPO (in configuration), and using the configuration of the GPO itself (security filtering).
CSP Bypasses: Advanced Exploitation Guide
11/30/2025 Content Security Policies (CSPs) are often deployed as the last line of defense against client-side attacks such as cross-site scripting (XSS) and clickjacking. In this article, we'll explore in-depth what Content Security Policies are and how we can bypass CSPs to, for example, exploit XSS vulnerabilities.
Still Recent
This blog shows how to identify and abuse DLL hijacking vulnerabilities in Windows Electron apps, as well as the process of developing a proof of concept that utilises DLL proxying.
We detail an attack chain in which an attacker controlling an Entra account with a UPN matching a privileged AD identity can impersonate that account, leading to compromise of the entire SCCM hierarchy.
Unearthed Arcana
In this part of the series we will leverage all the NTAPI counterparts of the Win32 API to perform our DLL injection.
Process Injection - Part 2: DLL Injection
06/20/2023 We first review what DLLs are, write a sample one and inject it into a target process.
Process Injection - Part 3: NTAPI Injection
06/23/2023 In this post, we're going to take a look at how the functions that you use from the standard Windows API get translated into the lower-level NTAPI/syscalls. After that, we'll program a super simple injector that will inject a DLL into our target process, except this time instead of using only Win32 API, we'll swap out one function for its NTAPI counterpart.
In this post, we'll go over what indirect syscalls are and why you'd want to use these over direct syscalls.
The Nightmare of Proc Hollow's Exe
06/13/2023 In this blog, we are going to discuss a method of hiding malicious code, using Process Hollowing. At a high level, this is where malicious code launches a new process, then overwrites parts of it, and then allows the process to continue running. When a specific event is triggered, the malicious code is executed.
We will use syscalls, which give us and our programs (which reside in user-space) the ability to interface with the Kernel directly. Since we, as user-space residents, can't operate in the Kernel, we need these intermediaries/interfaces in order to (indirectly) do it for us.
Adventures in Dynamic Evasion
12/07/2020 EDRs collect data from multiple sources (e.g. hooked functions, ETW, driver callbacks) working in tandem. In this article, we try to understand the limitations of each of these sources to identify blind spots. We can then tailor our TTPs to avoid hitting as many "sensors" as possible, giving us a higher chance of success during the operation.
We go through the steps of the simplest injection technique: get a handle on a process, allocate a buffer in the process memory, write the content of the shellcode in this buffer, and create a thread that will run the shellcode.
In this post, I'll take a quick look at CVE-2023-28218, a heap overflow in afd.sys, diving deep into the exploits at the code level.