-
Alfie Champion James Coote - 2 Nov 2020
Using and detecting C2 printer pivoting
A novel Command & Control (C2) technique using printer infrastructure for covert communication is explored in this article. The method involves placing print jobs in a paused state and using document names for data transfer. Multiple detection opportunities are detailed across endpoints, networks, and print servers to identify this stealthy communication method.
- Ken Gannon
- 23 Oct 2020
Samsung S20 - RCE via Samsung Galaxy Store App
A remote code execution vulnerability was discovered in the Samsung Galaxy Store app for S20 devices. The vulnerability allowed attackers to install applications without user consent by exploiting a WebView JavaScript interface. An attack could be conducted via a man-in-the-middle attack using NFC or WiFi.
- Oliver Simonnet
- 21 Oct 2020
GWTMap - Reverse Engineering Google Web Toolkit Applications
GWTMap is a novel tool for reverse engineering Google Web Toolkit (GWT) applications. The tool extracts and maps service method endpoints from obfuscated client-side code across different GWT versions. It enables cybersecurity professionals to generate example GWT-RPC request payloads and analyze the attack surface of GWT-based web applications.
- Luke Roberts
- 16 Oct 2020
Operationalising Calendar Alerts: Persistence on macOS
A novel macOS persistence technique leverages calendar alerts in Automator.app to execute arbitrary applications at specified times. The method exploits an undocumented API in EventKit to programmatically create calendar events with executable alerts. By using JavaScript for Automation (JXA), attackers can establish stealthy persistence on macOS systems through calendar event manipulation.
- James Coote
- 6 Oct 2020
Introducing LDAP C2 for C3
A new Command & Control (C2) channel for C3 has been introduced using LDAP for covert communication within networks. The technique enables lateral movement by leveraging user attributes with minimal account compromise. A quick start guide is provided to help deploy LDAP-based C2 channels in network environments.
- 29 Sep 2020
Application-level Purple Teaming: A case study
An application-level purple teaming approach was demonstrated using a file-sharing web application. The methodology focused on improving logging, alerting, and potential response mechanisms by systematically identifying detection gaps across enumeration and injection attack categories. The project used tools like Elasticsearch, Logstash, Kibana, and ElastAlert to enhance application security detection capabilities.
- 7 Sep 2020
Securing AEM With Dispatcher
This article explores securing Adobe Experience Manager (AEM) using Dispatcher configuration. It demonstrates how to prevent security vulnerabilities by carefully configuring Dispatcher rules to block potential exploits. The walkthrough includes identifying and mitigating Dispatcher bypasses and cross-site scripting (XSS) attacks through systematic testing and rule refinement.
- 2 Sep 2020
N1QL Injection: Kind of SQL Injection in a NoSQL Database
N1QL injection is a vulnerability in Couchbase NoSQL databases that allows attackers to manipulate database queries. An open-source tool called N1QLMap was developed to automate N1QL injection testing and exploitation. The tool enables data extraction, system information retrieval, and server-side request forgery (SSRF) attacks through specialized query techniques.
- 27 Aug 2020
Exploiting CVE-2019-17026 - A Firefox JIT Bug
A detailed technical analysis of a critical vulnerability (CVE-2019-17026) in Firefox's SpiderMonkey JIT compiler was presented. The vulnerability involves type confusion and bounds check elimination in the IonMonkey JIT compilation process. The article explores how carefully crafted JavaScript can exploit interactions between multiple compilation chains to bypass JIT compiler safeguards and potentially execute arbitrary code.
- Alfie Champion
- 15 Jul 2020
Attack Detection Fundamentals: C2 and Exfiltration - Lab #1
This article demonstrates detection techniques for PowerShell Empire's Command and Control (C2) traffic. Network indicators like default URIs, user agents, and server responses are analyzed to identify potential malicious communication patterns. A Snort rule is developed to detect these specific network traffic characteristics associated with PowerShell Empire.
- Alfie Champion Jordan LaRose
- 15 Jul 2020
Attack Detection Fundamentals: C2 and Exfiltration - Lab #2
This article demonstrates techniques for detecting DNS Command and Control (C2) channels using the dnscat2 tool. Detection strategies include analyzing DNS traffic for unique strings like "dnscat", unusual request sizes, and uncommon DNS record types. Practical Snort rule examples are provided to identify potential DNS-based exfiltration and C2 communication.
- Alfie Champion
- 15 Jul 2020
Attack Detection Fundamentals: C2 and Exfiltration - Lab #3
This article explores using Dropbox as a command and control (C2) channel for malware communication. Detection strategies are discussed using Windows ETW and Sysmon telemetry, focusing on identifying suspicious network behaviors like anomalous DNS queries and API endpoint interactions. Key detection opportunities include monitoring beaconing patterns and unusual web requests to Dropbox API endpoints.