JUMPSEC LABS

The JUMPSEC Lab is a place where the the technical team get creative and showcase their latest security research, publications, interesting news and general thoughts!  We love what we do and are passionate about security, with some great upcoming projects planned, bookmark our site and stick around to see what we are working on.

Pwning Windows Event Logging with YARA rules

The Event Log coupled with Windows Event Forwarding and Sysmon can be extremely powerful in the hands of defenders, allowing them to detect attackers every step of the way. Obviously this is an issue for the attackers. Before privilege escalation it is limited what we can do to evade event logging, but once privileges have been elevated it is an equal playing field. In the past I have released a method to evade this logging by loading a malicious kernel driver and hooking the NtTraceEvent syscall. This method is effective but has two issues. The main issue is the risk associated with loading a kernel driver and patching syscalls as there is the potential to cause a BSOD on the machine which for obvious reasons a very bad thing. The other issue is that it will simply stop all events from being reported, so while the hook is active that machine will no longer be sending events to the SOC...

read more
Defending Your Malware

Defending Your Malware

Malware is an important part of an engagement, though as many security solutions are now evolving past rudimentary signature comparisons to using more advanced techniques to...

read more
shad0w

shad0w

Post exploitation is large part of a red team engagement. While many organisations begin to mature and start to deploy a range of sophisticated Endpoint Detection & Response solutions (EDR) onto their networks, it requires us, as attackers to also mature. We need to upgrade our arsenal to give us the capabilities to successfully operate on their networks. That is why today, I am releasing shad0w.

shad0w is a post exploitation framework which is designed to operate covertly on such networks, providing the operator with much greater control over their engagements. Over future blog posts I will go into greater detail on the intricacies of how shad0w works. This blog post will, therefore, serve as an introduction into the usage and features that shad0w has to offer.

read more

Bypassing Antivirus with Golang – Gopher it!

In this blog post, we’re going to detail a cool little trick we came across on how to bypass most antivirus products to get a Metepreter reverse shell on a target host. This all started when we came across a Github repository written in Golang, which on execution could inject shellcode into running processes. By simply generating a payload with msfvenom we tested it and found that it was easily...

read more

Enhanced logging to detect common attacks on Active Directory– Part 1

In this blog post I am going to tackle the topic of detecting common attacks using Active Directory logs. It is important to understand the power of data in InfoSec world. Too much data means you’ll be spending rest of the week digging through millions of log entries to try and figure out what the adversary was up to. You can set filters to help you through this, however it can get...

read more

Short introduction to Network Forensics and Indicators of Compromise (IoC)

“Indicator of compromise (IOC) in computer forensics is an artifact observed on a network or in an operating system that with high confidence indicates a computer intrusion. Typical IOCs are virus signatures and IP addresses, MD5 hashes of malware files or URLs or domain names of botnet command and control servers. After IOCs have been identified in a process of incident response and computer...

read more

CVE 2015-7547 glibc getaddrinfo() DNS Vulnerability

Hello w0rld! JUMPSEC researchers have spent some time on the glibc DNS vulnerability indexed as CVE 2015-7547 (It hasn’t got a cool name like GHOST unfortunately…). It appears to be a highly critical vulnerability and covers a large number of systems. It allows remote code execution by a stack-based overflow in the client side DNS resolver. In this post we would like to present our analysis....

read more

Research and Development

Hello w0rld. On this post we would like to let you know our areas of research and the research projects that we are working on currently. For 2016 we are planning to develop tools that will be used in our tests. Our areas of interest can be highlighted as: AntiVirus Detection and Evasion techniques (sandbox detection, etc) Packers, anti-debugging, anti-disassembly and binary obfuscation Network...

read more

Covert channels – (Mis)Using ICMP protocol for file transfers with scapy

Hello w0rld. In this post I will show how it is possible to (mis)use ICMP protocol for file transfers with scapy. “In computer security, a covert channel is a type of computer security attack that creates a capability to transfer information objects between processes that are not supposed to be allowed to communicate by the computer security policy.” Source: Wikipedia I have to give credit to...

read more

Microsoft Onenote Image Caching Bug (Confidential Information Leakage)

Bug Summary A security bug in the Microsoft Onenote allows images placed in user-created password-protected sections to be cached persistently in the user profile temporary directory folder: C:\Users\%username%\AppData\Local\Temp.  Analysing the content the temporary folder will reveal images that should be securely protected by Onenote.   Bug Scope This has only been tested with Microsoft...

read more

GitHub Activity

 

Twitter

1 month ago
Guest to Domain Admin with #Zerologon exploit, apply August patch now! CVE20201472. Hint, hint… patching polices are important.
2 months ago
A new blog post by @_batsec_ on 'Defending Your Malware'. How using offensive API hooking and syscalls can help you to evade EDR solutions monitoring and reporting capabilities.

#infosec #pentesting #redteam #evasion #malware

https://t.co/YCyQHPUXpm

Disclaimer

The information provided on this website is to be used for educational purposes only. The author is in no way responsible for any misuse of the information provided. Any actions and or activities related to the material contained within this website is solely your responsibility.