- Matthew Lucas
- 5 Apr 2022
Detecting Attacks against Azure DevOps
This article explores detection opportunities for attacks against Azure DevOps, focusing on telemetry sources and logging limitations. It details how malicious actors can exploit Azure AD applications, steal Personal Access Tokens (PAT), and compromise DevOps pipelines. The research emphasizes the importance of multi-source logging and contextual analysis to detect sophisticated DevOps security incidents.
- Matthew Lucas
- 5 Apr 2022
Performing and Preventing Attacks on Azure Cloud Environments through Azure DevOps
This article explores potential attack paths in Azure DevOps by demonstrating how an unprivileged user can compromise cloud environments. The attack scenario involves phishing a Personal Access Token (PAT) to gain access to Azure DevOps repositories and pipelines. By manipulating pipeline code, an attacker can exfiltrate Service Principal credentials and gain unauthorized access to Azure cloud resources.
- Ken Gannon
- 21 Dec 2021
Faking A Positive COVID Test
A vulnerability was discovered in the Ellume COVID-19 Home Test that allows falsifying test results. By manipulating Bluetooth traffic, it was possible to change a negative test to a positive result. The attack involved modifying specific byte values in the device's communication protocol and recalculating checksums, ultimately obtaining a verified COVID test certificate from Azova.
- Alexander Bolshev, Timo Hirvonen
- 30 Nov 2021
Printing Shellz
Multiple zero-day vulnerabilities were discovered affecting over 150 HP multi-function printers. The vulnerabilities enable network infrastructure compromise through malicious printing and web-based exploits. New tooling was developed to demonstrate how printers can serve as entry points for network attacks.
-
Oliver Simonnet
- 24 Nov 2021
A bit of a Fixer Upper - Testing FIX-backed applications
This article explores testing and intercepting FIX protocol applications using MitM_Relay and Burp Suite. A custom Python script was developed to maintain message integrity when modifying FIX messages. A Burp extension called "Fixer Upper" was created to simplify FIX message interception and modification.
- 3 Aug 2021
Playing with PuTTY
This article explores techniques for manipulating PuTTY's source code and session sharing mechanism to capture credentials and execute remote commands. Multiple methods are demonstrated for backdooring PuTTY, including capturing user commands, stealing authentication details, and hijacking SSH sessions through named pipe communications. The techniques provide creative approaches for bypassing security controls during adversarial simulations without traditional keylogging methods.
- 28 Apr 2021
Attack Detection Fundamentals 2021: Azure - Lab #1
This article demonstrates a consent phishing attack in Azure, showing how an attacker can trick a user into granting malicious application permissions to access sensitive resources. The walkthrough covers setting up a lab environment using Terraform, deploying Azure resources, and using the O365 Attack Toolkit to generate a phishing link. Azure AD audit logs are explored to detect the attack and understand the permissions granted during the consent phishing process.
- 28 Apr 2021
Attack Detection Fundamentals 2021: Azure - Lab #2
An Azure security lab demonstrated privilege escalation by exploiting insecure Logic App workflow configurations. By leveraging a service principal with Reader permissions, sensitive credentials embedded in clear text were discovered. The attack allowed escalation from Reader to Contributor-level access in the Azure resource group.
- 28 Apr 2021
Attack Detection Fundamentals 2021: Azure - Lab #3
This article demonstrates a stealthy method of data collection from an Azure VM by creating a snapshot of a target VM's disk and mounting it to an attack VM. The technique allows accessing sensitive information without directly interacting with the original VM, minimizing detection risks. The lab concludes by highlighting the importance of monitoring Azure activity logs for detecting such lateral movement techniques.
- Jake LaBelle
- 27 Apr 2021
Heavy Metal Debugging
This article provides a detailed walkthrough of reverse engineering and debugging techniques on IBM zOS using the TSO TEST debugger. A vulnerable C program with a buffer overflow vulnerability is analyzed through low-level assembly language examination. The guide covers compiling, running, and debugging a sample program on the zOS mainframe environment, demonstrating techniques for finding passwords and exploiting buffer overflow vulnerabilities.
- Alfie Champion
- 21 Apr 2021
Attack Detection Fundamentals 2021: AWS - Lab #1
This article demonstrates AWS attack detection fundamentals through a lab exploring IAM reconnaissance techniques. The lab uses a deliberately misconfigured AWS environment to show how an attacker might enumerate user permissions using AWS CLI and CloudTrail log analysis with Athena. The walkthrough highlights the risks of overly permissive IAM policies and the importance of monitoring user activities in cloud environments.
- Alfie Champion
- 21 Apr 2021
Attack Detection Fundamentals 2021: AWS - Lab #2
This article details an AWS security lab demonstrating how an attacker can add an access key and login profile to a compromised user account. The lab explores using Pacu to create additional AWS credentials and gain web console access. CloudTrail log analysis reveals key detection indicators, including changes in user agent and console login without multi-factor authentication.