The Research Blog

  • 3 Jul 2020

Helping root out of the container

A container breakout technique exploits AF_LOCAL sockets to smuggle file descriptors into a container. By passing a file descriptor for the root directory, a root user within the container can modify files outside its mount namespace. This attack demonstrates how root access in a container can compromise intended security isolation boundaries.

Attack Detection Fundamentals: Initial Access - Lab #1

This article demonstrates a technique for establishing initial access in a target environment using malicious Office macros. The lab walkthrough covers creating a PowerShell-based command and control payload embedded in a macro document. Detection strategies are explored through parent-child process analysis and Sysmon event log examination, with a focus on identifying anomalous process spawning from Office applications.

Attack Detection Fundamentals: Initial Access - Lab #2

This article explores attack detection techniques for initial access using the Koadic post-exploitation framework deployed via an HTA file. The lab focuses on identifying suspicious process and network connection relationships using Sysmon event logs. Key objectives include detecting anomalous binaries and network connections as potential indicators of compromise.

Attack Detection Fundamentals: Initial Access - Lab #3

This article details a multi-stage initial access attack technique used by the Cobalt Kitty group involving a malicious Word macro. The attack creates a scheduled task to execute an obfuscated PowerShell payload that ultimately injects a Cobalt Strike beacon into memory. The walkthrough explores detailed steps of crafting a beacon delivery mechanism while highlighting potential detection strategies.

Attack Detection Fundamentals: Initial Access - Lab #4

This article demonstrates creating a malicious Excel 4.0 Macro with Metasploit shellcode to obtain remote access on a Windows system. The lab walks through generating a Meterpreter payload, setting up a Metasploit listener, and executing the malicious macro. Memory forensics techniques using Volatility are explored to analyze the compromised host and detect stealthy code injection methods.

  • 11 Jun 2020

Abusing access to mount namespaces through /proc/pid/root

Linux namespaces can be abused for privilege escalation in containerized environments. Two key attack vectors are demonstrated: creating block devices in Docker containers to bypass access controls and exploiting symlink vulnerabilities through mount and user namespaces. The research highlights potential security risks in container configurations and namespace implementations.

  • 20 May 2020

Releasing the CAPTCHA Cracken

A tool called CAPTCHA Cracken was developed to bypass text-based CAPTCHAs on an Outlook Web App portal. Advanced image preprocessing techniques and browser automation with Pyppeteer were used to overcome significant CAPTCHA recognition challenges. The project demonstrated the vulnerability of traditional text-based CAPTCHAs to machine learning-based automated attacks.

  • 15 May 2020

Internet Exploiter: Understanding vulnerabilities in Internet Explorer

This article provides a deep technical analysis of CVE-2020-0674, a use-after-free vulnerability in Internet Explorer's legacy JScript engine. The analysis explores the internal mechanics of the JScript interpreter, garbage collection process, and demonstrates complex exploitation techniques to bypass security mitigations. The research reveals how an attacker could potentially execute arbitrary code by manipulating memory management in the legacy JavaScript engine.

  • 6 May 2020

U-Booting securely

This whitepaper analyzes security vulnerabilities and misconfigurations in U-Boot for embedded systems. It provides guidance to developers on securing hardware products against potential security compromises. The analysis is based on real-world research by hardware security experts investigating secure boot implementations.

  • 1 May 2020

Bypassing Windows Defender Runtime Scanning

This article details techniques for bypassing Windows Defender's runtime memory scanning by exploiting memory permission limitations. A method was developed using PAGE_NOACCESS memory permissions to prevent detection during suspicious API calls. A custom Metasploit extension called Ninjasploit was created to implement these bypass techniques.

Jamfing for Joy: Attacking macOS in Enterprise

The article details multiple attack vectors against Jamf, a macOS enterprise management platform. It explores techniques for compromising device management systems, including password spraying, user enumeration, and policy abuse. An open-source Jamf Attack Toolkit was developed to demonstrate and facilitate these attacks.

How are we doing with Android's overlay attacks in 2020?

Android's Accessibility Services (AAS) can be exploited by malicious apps to perform dangerous actions on a user's device. These actions include keylogging, auto-granting permissions, reading screen content, and performing automated interactions with other apps. The article demonstrates how a malicious app can leverage AAS to potentially steal sensitive information and perform unauthorized actions without the user noticing.