Adversary Services - Security Intelligence

Getting “in tune” with an enterprise: Detecting Intune lateral movement

13 min read - Organizations continue to implement cloud-based services, a shift that has led to the wider adoption of hybrid identity environments that connect on-premises Active Directory with Microsoft Entra ID (formerly Azure AD). To manage devices in these hybrid identity environments, Microsoft…

July 29, 2024

Racing Round and Round: The Little Bug That Could

13 min read - The little bug that could: CVE-2024-30089 is a subtle kernel vulnerability I used to exploit a fully updated Windows 11 machine (with all Virtualization Based Security and hardware security mitigations enabled) and scored my first win at Pwn2Own this year.…

June 13, 2024

Q&A with Valentina Palmiotti, aka chompie

4 min read - The Pwn2Own computer hacking contest has been around since 2007, and during that time, there has never been a female to score a full win — until now. This milestone was reached at Pwn2Own 2024 in Vancouver, where two women,…

February 29, 2024

CVE-2023-20078 technical analysis: Identifying and triggering a command injection vulnerability in Cisco IP phones

7 min read - CVE-2023-20078 catalogs an unauthenticated command injection vulnerability in the web-based management interface of Cisco 6800, 7800, and 8800 Series IP Phones with Multiplatform Firmware installed; however, limited technical analysis is publicly available. This article presents my findings while researching this…

December 7, 2023

Exploiting GOG Galaxy XPC service for privilege escalation in macOS

7 min read - Being part of the Adversary Services team at IBM, it is important to keep your skills up to date and learn new things constantly. macOS security was one field where I decided to put more effort this year to further…

Extending and automating NightHawk with DayBird

13 min read - NightHawk, MDSec’s commercial C2 product, has focused on operational security and detection avoidance since its initial release in December 2021. While the core functionality of the framework has been effective within the scope of these objectives, our team noticed certain features were missing as we started incorporating NightHawk into our engagements alongside our other C2 options. Most notably, there was no equivalent in NightHawk to Cobalt Strike’s Aggressor scripting platform, severely limiting automation capabilities. While I know how big of…

Critically close to zero(day): Exploiting Microsoft Kernel streaming service

10 min read - Last month Microsoft patched a vulnerability in the Microsoft Kernel Streaming Server, a Windows kernel component used in the virtualization and sharing of camera devices. The vulnerability, CVE-2023-36802, allows a local attacker to escalate privileges to SYSTEM. This blog post details my process of exploring a new attack surface in the Windows kernel, finding a 0-day vulnerability, exploring an interesting bug class, and building a stable exploit. This post doesn’t require any specialized Windows kernel knowledge to follow along, though…

Reflective call stack detections and evasions

6 min read - In a blog published this March, we explored reflective loading through the lens of an offensive security tool developer, highlighting detection and evasion opportunities along the way. This time we are diving into call stack detections and evasions, and how BokuLoader reflectively loads call stack spoofing capabilities into beacon. We created this blog and public release of BokuLoader during Dylan’s summer 2023 internship with IBM X-Force Red. While researching call stack spoofing for our in-house C2, this was one of…

Databases beware: Abusing Microsoft SQL Server with SQLRecon

20 min read - Over the course of my career, I’ve had the privileged opportunity to peek behind the veil of some of the largest organizations in the world. In my experience, most industry verticals rely on enterprise Windows networks. In fact, I can count on one hand the number of times I have seen a decentralized zero-trust network, enterprise Linux, macOS network, or Active Directory alternative (FreeIPA). As I navigate my way through these large and often complex enterprise networks, it is common…

Databases beware: Abusing Microsoft SQL Server with SQLRecon

MSMQ QueueJumper (RCE Vulnerability): An in-depth technical analysis

13 min read - The security updates released by Microsoft on April 11, 2023, addressed over 90 individual vulnerabilities. Of particular note was CVE-2023-21554, dubbed QueueJumper, a remote code execution vulnerability affecting the Microsoft Message Queueing (MSMQ) service. MSMQ is an optional Windows component…

Your BOFs are gross, put on a mask: How to hide beacon during BOF execution

8 min read - In this post, we’ll review a simple technique that we’ve developed to encrypt Cobalt Strike’s Beacon in memory while executing BOFs to prevent a memory scan from detecting Beacon. Picture this — you’re on a red team engagement and your…

Patch Tuesday -> exploit Wednesday: Pwning windows ancillary function driver for WinSock (afd.sys) in 24 hours

12 min read - ‘Patch Tuesday, Exploit Wednesday’ is an old hacker adage that refers to the weaponization of vulnerabilities the day after monthly security patches become publicly available. As security improves and exploit mitigations become more sophisticated, the amount of research and development…

Security Intelligence

{{title}}

{{title}}

{{title}}

Topics

Getting “in tune” with an enterprise: Detecting Intune lateral movement

Racing Round and Round: The Little Bug That Could

Q&A with Valentina Palmiotti, aka chompie

CVE-2023-20078 technical analysis: Identifying and triggering a command injection vulnerability in Cisco IP phones

Exploiting GOG Galaxy XPC service for privilege escalation in macOS

Extending and automating NightHawk with DayBird

Critically close to zero(day): Exploiting Microsoft Kernel streaming service

Reflective call stack detections and evasions

Databases beware: Abusing Microsoft SQL Server with SQLRecon

Databases beware: Abusing Microsoft SQL Server with SQLRecon

MSMQ QueueJumper (RCE Vulnerability): An in-depth technical analysis

Your BOFs are gross, put on a mask: How to hide beacon during BOF execution

Patch Tuesday -> exploit Wednesday: Pwning windows ancillary function driver for WinSock (afd.sys) in 24 hours

{{{title}}}

Topic updates