Flubot: the evolution of a notorious Android Banking Malware https://blog.fox-it.com/2022/06/29/flubot-the-evolution-of-a-notorious-android-banking-malware/
Fox-IT International blog
Flubot: the evolution of a notorious Android Banking Malware
Authored by Alberto Segura (main author) and Rolf Govers (co-author) Summary Flubot is an Android based malware that has been distributed in the past 1.5 years in Europe, Asia and Oceania affecting …
BlackCat — In a Shifting Threat Landscape, It Helps to Land on Your Feet: Tech Dive https://www.advintel.io/post/blackcat-in-a-shifting-threat-landscape-it-helps-to-land-on-your-feet-tech-dive
AdvIntel
BlackCat — In a Shifting Threat Landscape, It Helps to Land on Your Feet: Tech Dive
By Vitali Kremez, Marley Smith & Yelisey Boguslavskiy This report is part one of AdvIntel’s new series on the ALPHV (aka BlackCat) ransomware group. In the upcoming part two, AdvIntel will hold an analytical lens on BlackCat’s organizational, recruitment…
Practical Attacks on Machine Learning Systems (nice whitepaper from NCC Group Research) https://research.nccgroup.com/2022/07/06/whitepaper-practical-attacks-on-machine-learning-systems/
NCC Group Research Blog
Whitepaper – Practical Attacks on Machine Learning Systems
This paper collects a set of notes and research projects conducted by NCC Group on the topic of the security of Machine Learning (ML) systems. The objective is to provide some industry perspective …
Bulk Analysis of Cobalt Strike's Beacon Configurations https://www.archcloudlabs.com/projects/bulk-cs-analysis/
Arch Cloud Labs
Bulk Analysis of Cobalt Strike's Beacon Configurations
About The Project Security researcher Silas Cutler recently tweeted a link to a unique data set of Cobalt Strike Beacon payloads, and their extracted configurations (thanks Silas!). This is a fairly large data set going back to November of 2021, and containing…
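A pivot over a set of extracted Beacon configurations, as an added example that is not code from Arch Cloud Labs or from the data set the post analyses. The records below are constructed; the field layout (C2Server as "host,/uri" pairs, Watermark as an integer, PublicKey_MD5 as the team server's RSA key fingerprint) is an assumption about the extractor output and all hashes, hosts and watermark values are invented.

```python
"""Bulk pivot over extracted Cobalt Strike Beacon configurations.
Added example; record shape and values are constructed."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed records in the shape a Beacon config extractor commonly emits.
# Hashes, hosts and watermark values are invented for the example.
SAMPLE_CONFIGS: List[dict] = [
    {"sha256": "01" * 32, "BeaconType": "HTTPS", "Port": 443,
     "C2Server": "cdn-static.example.net,/jquery-3.3.1.min.js",
     "Watermark": 1000001, "PublicKey_MD5": "pk-A"},
    {"sha256": "02" * 32, "BeaconType": "HTTPS", "Port": 443,
     "C2Server": "cdn-static.example.net,/jquery-3.3.2.min.js,backup.example.org,/ga.js",
     "Watermark": 1000001, "PublicKey_MD5": "pk-A"},
    {"sha256": "03" * 32, "BeaconType": "HTTP", "Port": 80,
     "C2Server": "203.0.113.10,/pixel.gif",
     "Watermark": 1000002, "PublicKey_MD5": "pk-B"},
    {"sha256": "04" * 32, "BeaconType": "HTTP", "Port": 8080,
     "C2Server": "203.0.113.10,/dpixel",
     "Watermark": 1000003, "PublicKey_MD5": "pk-C"},
    {"sha256": "05" * 32, "BeaconType": "DNS", "Port": 53,
     "C2Server": "ns1.example-dns.com,/",
     "Watermark": 1000003, "PublicKey_MD5": "pk-C"},
]


def parse_c2(c2server: str) -> List[Tuple[str, str]]:
    """Split 'host,/uri[,host,/uri...]' into (host, uri) pairs.
    A Beacon can carry several hosts; an odd element count means the field
    was truncated or mis-extracted, so refuse it rather than guess."""
    parts = [p.strip() for p in c2server.split(",")]
    if len(parts) % 2:
        raise ValueError(f"unpaired C2Server field: {c2server!r}")
    return list(zip(parts[0::2], parts[1::2]))


def pivot_by_watermark(configs: List[dict]) -> Dict[int, dict]:
    """Group samples by Watermark (the licence ID stamped into every payload a
    team server builds) and collect the C2 hosts and public-key fingerprints
    seen under it. One watermark with many distinct keys means many team
    servers share the licence, which is worth a closer look."""
    out: Dict[int, dict] = defaultdict(
        lambda: {"samples": 0, "hosts": set(), "public_keys": set()})
    for cfg in configs:
        bucket = out[cfg["Watermark"]]
        bucket["samples"] += 1
        bucket["hosts"].update(host for host, _ in parse_c2(cfg["C2Server"]))
        bucket["public_keys"].add(cfg["PublicKey_MD5"])
    return dict(out)


def hosts_shared_across_watermarks(configs: List[dict]) -> Dict[str, Set[int]]:
    """Hosts that appear under more than one Watermark: shared redirector
    infrastructure, or one operator running several licences."""
    seen: Dict[str, Set[int]] = defaultdict(set)
    for cfg in configs:
        for host, _ in parse_c2(cfg["C2Server"]):
            seen[host].add(cfg["Watermark"])
    return {h: w for h, w in seen.items() if len(w) > 1}


if __name__ == "__main__":
    for wm, info in sorted(pivot_by_watermark(SAMPLE_CONFIGS).items()):
        print(wm, info["samples"], sorted(info["hosts"]), sorted(info["public_keys"]))
    print("shared hosts:", hosts_shared_across_watermarks(SAMPLE_CONFIGS))
```

On a real data set the same two pivots (watermark to hosts/keys, host to watermarks) are what turn a pile of configs into clusters; the extractor's field names may differ from the constructed ones above and should be mapped before running.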
Revisiting Pegasus on iOS9 https://shadowfile.inode.link/blog/2022/07/revisiting-pegasus-on-ios9/
The Shadow File
Revisiting Pegasus on iOS9
Reverse Engineering Dark Souls 3 Networking (good series here!) https://timleonard.uk/2022/05/29/reverse-engineering-dark-souls-3-networking
Tim Leonard’s Website
Reverse Engineering Dark Souls 3 Networking (#1 - Connection)
Breaking down and investigating how Dark Souls 3 communicates with its online services.
Google CTF 2022 d8: From V8 Bytecode to Code Execution https://mem2019.github.io/jekyll/update/2022/07/03/Google-CTF.html
mem2019.github.io
Google CTF 2022 d8: From V8 Bytecode to Code Execution
This weekend I have played Google CTF with r3kapig. On the first day I tried the OCR challenge but failed to solve it, and on the second day I spent the whol...
From NtObjectManager to PetitPotam https://clearbluejar.github.io/posts/from-ntobjectmanager-to-petitpotam/
clearbluejar
From NtObjectManager to PetitPotam
Windows RPC enumeration, discovery, and auditing via NtObjectManager. We will audit the vulnerable RPC interfaces that lead to PetitPotam, discover how they have changed over the past year, and overcome some common RPC auditing pitfalls.
One I/O Ring to Rule Them All: A Full Read/Write Exploit Primitive on Windows 11 https://windows-internals.com/one-i-o-ring-to-rule-them-all-a-full-read-write-exploit-primitive-on-windows-11/
WarCon 2022 – Modern Initial Access and Evasion Tactics https://mgeeky.tech/warcon-2022-modern-initial-access-and-evasion-tactics/
Automating binary vulnerability discovery with Ghidra and Semgrep https://security.humanativaspa.it/automating-binary-vulnerability-discovery-with-ghidra-and-semgrep/
HN Security
HN Security - Automating binary vulnerability discovery with Ghidra and Semgrep
Introducing new binary vulnerability research tools and methodology, based on custom Ghidra plugins and Semgrep.
Interesting discussion and research on forensics here » University of Adelaide's Dr. Matthew Sorell on Evidentiary Health Data at DFRWS-APAC 2022 https://www.forensicfocus.com/podcast/university-of-adelaides-dr-matthew-sorell-on-evidentiary-health-data-at-dfrws-apac-2022/
Windows Registry Forensic Analysis using Chainsaw, Wazuh Agent and Sigma Rules https://socfortress.medium.com/windows-registry-forensic-analysis-using-chainsaw-wazuh-agent-and-sigma-rules-40dbceba7201
Medium
Windows Registry Forensic Analysis using Chainsaw, Wazuh Agent and Sigma Rules
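What a Sigma rule is actually testing when a tool like Chainsaw applies it to registry events, as an added example that is not code from the SOCFortress post, from Chainsaw or from the public Sigma rule set. The matcher below implements the subset of Sigma that registry rules mostly use (exact, contains, startswith, endswith; case-insensitive string matching; `and`/`or`/`not` in the condition) and runs a constructed Run-key persistence rule over constructed Sysmon Event ID 13 (registry value set) records with their EventData flattened.

```python
"""Minimal Sigma-style matcher over constructed Sysmon registry events.
Added example; not code from the linked post, Chainsaw or the Sigma project."""
from typing import Any, Dict, List, Optional

# Constructed rule in Sigma's shape. Field names follow Sysmon Event ID 13
# (RegistryEvent: Value Set); the rule text itself is written for this example.
RUN_KEY_RULE: Dict[str, Any] = {
    "title": "Run key value set pointing at a user-writable path",
    "logsource": {"product": "windows", "category": "registry_set"},
    "detection": {
        "selection": {
            "EventID": 13,
            "TargetObject|contains": [
                "\\CurrentVersion\\Run\\",
                "\\CurrentVersion\\RunOnce\\",
            ],
            "Details|contains": ["\\AppData\\Local\\Temp\\", "\\Users\\Public\\"],
        },
        "filter_installers": {"Image|endswith": ["\\msiexec.exe"]},
        "condition": "selection and not filter_installers",
    },
    "level": "medium",
}

# Constructed events with EventData flattened to one dict per record.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"EventID": 13, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
     "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "Details": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe"},
    {"EventID": 13, "Image": "C:\\Windows\\System32\\msiexec.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorAgent",
     "Details": "C:\\Users\\Public\\agent.exe"},
    {"EventID": 13, "Image": "C:\\Program Files\\App\\app.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\App",
     "Details": "C:\\Program Files\\App\\app.exe"},
    {"EventID": 12, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
     "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "Details": ""},
]


def _value_matches(value: Any, modifier: Optional[str], pattern: Any) -> bool:
    """One field value against one pattern. Sigma string matching is
    case-insensitive; non-string patterns (EventID) compare for equality."""
    if not modifier:
        if isinstance(pattern, str):
            return str(value).lower() == pattern.lower()
        return value == pattern
    v, p = str(value).lower(), str(pattern).lower()
    if modifier == "contains":
        return p in v
    if modifier == "startswith":
        return v.startswith(p)
    if modifier == "endswith":
        return v.endswith(p)
    raise ValueError(f"unsupported modifier: {modifier}")


def _selection_matches(event: Dict[str, Any], selection: Dict[str, Any]) -> bool:
    """All keys in a selection map must match (AND); a list of values is OR.
    A field missing from the event never matches."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        if field not in event:
            return False
        values = patterns if isinstance(patterns, list) else [patterns]
        if not any(_value_matches(event[field], modifier or None, p) for p in values):
            return False
    return True


def _eval_condition(condition: str, results: Dict[str, bool]) -> bool:
    """'a and b', 'a or b', 'not a'; and binds tighter than or; no parentheses."""
    def term(tok: str) -> bool:
        tok = tok.strip()
        if tok.startswith("not "):
            return not results[tok[4:].strip()]
        return results[tok]
    return any(all(term(t) for t in clause.split(" and "))
               for clause in condition.split(" or "))


def rule_matches(rule: Dict[str, Any], event: Dict[str, Any]) -> bool:
    det = rule["detection"]
    results = {name: _selection_matches(event, sel)
               for name, sel in det.items() if name != "condition"}
    return _eval_condition(det["condition"], results)


def run_rule(rule: Dict[str, Any], events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    return [e for e in events if rule_matches(rule, e)]


if __name__ == "__main__":
    for hit in run_rule(RUN_KEY_RULE, SAMPLE_EVENTS):
        print(RUN_KEY_RULE["title"], "->", hit["TargetObject"], hit["Details"])
```

Of the four constructed records only the first fires: the second is excluded by the msiexec filter, the third points at a Program Files path, and the fourth is a key-create event (ID 12) rather than a value set. The value of running rules this way over exported registry events is that each miss can be traced to the exact selection or filter that rejected it.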
OrBit: New Undetected Linux Threat Uses Unique Hijack of Execution Flow https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/
Intezer
OrBit: New Undetected Linux Threat Uses Unique Hijack of Execution Flow
OrBit is a new Linux malware that hijacks the execution flow, evading and gaining persistence to get remote access and steal information.
Exploring Token Members Part 2 https://jsecurity101.medium.com/exploring-token-members-part-2-2a09d13cbb3
Medium
Exploring Token Members Part 2
Exploring SCCM by Unobfuscating Network Access Accounts https://blog.xpnsec.com/unobfuscating-network-access-accounts/
XPN InfoSec Blog
@_xpn_ - Exploring SCCM by Unobfuscating Network Access Accounts
In this post we'll explore just how SCCM uses its HTTP API to initialise a client, take a look at how Network Access Accounts are retrieved from SCCM, and see how we can decrypt these credentials without having to go anywhere near DPAPI.
Abusing forgotten permissions on computer objects in Active Directory https://dirkjanm.io/abusing-forgotten-permissions-on-precreated-computer-objects-in-active-directory/
dirkjanm.io
Abusing forgotten permissions on computer objects in Active Directory
A while back, I read an interesting blog by Oddvar Moe about Pre-created computer accounts in Active Directory. In the blog, Oddvar also describes the option to configure who can join the computer to the domain after the object is created. This sets an interesting…
Get root on macOS 12.3.1: proof-of-concepts for Linus Henze's CoreTrust and DriverKit bugs (CVE-2022-26766, CVE-2022-26763) https://worthdoingbadly.com/coretrust/
Worth Doing Badly
Get root on macOS 12.3.1: proof-of-concepts for Linus Henze’s CoreTrust and DriverKit bugs (CVE-2022-26766, CVE-2022-26763)
Here are two proof-of-concepts for CVE-2022-26766 (CoreTrust allows any root certificate) and CVE-2022-26763 (IOPCIDevice::_MemoryAccess not checking bounds at all), two issues discovered by @LinusHenze and patched in macOS 12.4 / iOS 15.5.
Converting a malware dropper to x64 assembly https://www.accidentalrebel.com/converting-a-malware-dropper-to-x64-assembly.html
Accidentalrebel
Converting a malware dropper to x64 assembly
In this post I'll be listing down lessons I learned while converting a simple malware dropper written in C to x64 assembly. I started this project as a way to deepen my understanding of assembly so I could be better in malware development and reverse engineering…