-
Alfie Champion 
Riccardo Ancarani - 7 Apr 2021
Attack Detection Fundamentals 2021: Windows - Lab #4
This article demonstrates a technique for stealing browser cookies and saved passwords from a Windows endpoint using Chlonium. The attack involves extracting Chrome's encryption keys and cookie databases to hijack web sessions. System Access Control Lists (SACLs) are explored as a method for detecting and logging sensitive file access during such attacks.
-
Leonidas Tsaousis - 30 Mar 2021
Click here for free TV! - Chaining bugs to takeover Wind Vision accounts
A critical vulnerability was discovered in the Wind Vision mobile app that enables account takeover through chained security flaws. The attack exploits insecure URL schemes, weak device identification, and authentication mechanisms to intercept OAuth tokens. By crafting a malicious app, an attacker can potentially stream content or remove user devices from the Wind Vision account.
- Henri Nurmi
- 21 Dec 2020
Sniff, there leaks my BitLocker key
A low-cost method was demonstrated to extract BitLocker encryption keys by sniffing the SPI bus of a Trusted Platform Module (TPM). The attack requires brief physical access to a target machine and can be performed using publicly available tools. By capturing TPM communication, the Volume Master Key can be retrieved and used to decrypt a BitLocker-protected drive.
- Riccardo Ancarani
- 20 Nov 2020
Detecting Cobalt Strike Default Modules via Named Pipe Analysis
A technical analysis of Cobalt Strike's default modules reveals distinctive named and anonymous pipe communication patterns. The article explores how Cobalt Strike uses pipes for inter-process communication during post-exploitation activities like keylogging and screenshot capture. Detection techniques are proposed, including Yara rules and Splunk searches to identify these unique pipe characteristics.
- Alfie Champion James Coote
- 2 Nov 2020
Using and detecting C2 printer pivoting
A novel Command & Control (C2) technique using printer infrastructure for covert communication is explored in this article. The method involves placing print jobs in a paused state and using document names for data transfer. Multiple detection opportunities are detailed across endpoints, networks, and print servers to identify this stealthy communication method.
- Ken Gannon
- 23 Oct 2020
Samsung S20 - RCE via Samsung Galaxy Store App
A remote code execution vulnerability was discovered in the Samsung Galaxy Store app for S20 devices. The vulnerability allowed attackers to install applications without user consent by exploiting a WebView JavaScript interface. An attack could be conducted via a man-in-the-middle attack using NFC or WiFi.
- Oliver Simonnet
- 21 Oct 2020
GWTMap - Reverse Engineering Google Web Toolkit Applications
GWTMap is a novel tool for reverse engineering Google Web Toolkit (GWT) applications. The tool extracts and maps service method endpoints from obfuscated client-side code across different GWT versions. It enables cybersecurity professionals to generate example GWT-RPC request payloads and analyze the attack surface of GWT-based web applications.
- Luke Roberts
- 16 Oct 2020
Operationalising Calendar Alerts: Persistence on macOS
A novel macOS persistence technique leverages calendar alerts in Automator.app to execute arbitrary applications at specified times. The method exploits an undocumented API in EventKit to programmatically create calendar events with executable alerts. By using JavaScript for Automation (JXA), attackers can establish stealthy persistence on macOS systems through calendar event manipulation.
- James Coote
- 6 Oct 2020
Introducing LDAP C2 for C3
A new Command & Control (C2) channel for C3 has been introduced using LDAP for covert communication within networks. The technique enables lateral movement by leveraging user attributes with minimal account compromise. A quick start guide is provided to help deploy LDAP-based C2 channels in network environments.
- 29 Sep 2020
Application-level Purple Teaming: A case study
An application-level purple teaming approach was demonstrated using a file-sharing web application. The methodology focused on improving logging, alerting, and potential response mechanisms by systematically identifying detection gaps across enumeration and injection attack categories. The project used tools like Elasticsearch, Logstash, Kibana, and ElastAlert to enhance application security detection capabilities.
- Rob Russell
- 7 Sep 2020
Securing AEM With Dispatcher
This article explores securing Adobe Experience Manager (AEM) using Dispatcher configuration. It demonstrates how to prevent security vulnerabilities by carefully configuring Dispatcher rules to block potential exploits. The walkthrough includes identifying and mitigating Dispatcher bypasses and cross-site scripting (XSS) attacks through systematic testing and rule refinement.
- Krzysztof Pranczk
- 2 Sep 2020
N1QL Injection: Kind of SQL Injection in a NoSQL Database
N1QL injection is a vulnerability in Couchbase NoSQL databases that allows attackers to manipulate database queries. An open-source tool called N1QLMap was developed to automate N1QL injection testing and exploitation. The tool enables data extraction, system information retrieval, and server-side request forgery (SSRF) attacks through specialized query techniques.