Introduction As anyone who has conducted a lengthy purple team engagement will tell you, logging and centralising the huge amount of data from these engagements can quickly become overwhelming. In the past we have seen attempts to use generic productivity software, such as Sharepoint, to attempt to track the huge number of activities and logs generated by both the red and blue teams. However, as you can imagine, shoehorning large quantities of engagement data from two teams with different operating procedures into a single application not built for this purpose can be…tricky. As purple team enthusiasts, we believe we have found a better solution to this problem, and sharing that with the wider security community is the purpose of this blog post. We also want to share some guidance when using this framework to help others avoid making the mistakes we have in the past. What is VECTR?...
JUMPSEC LABS
The JUMPSEC Lab is a place where the the technical team get creative and showcase their latest security research, publications, interesting news and general thoughts! We love what we do and are passionate about security, with some great upcoming projects planned, bookmark our site and stick around to see what we are working on.
Advisory: IDOR in Microsoft Teams Allows for External Tenants to Introduce Malware
TL;DR Max Corbridge (@CorbridgeMax) and Tom Ellson (@tde_sec) of JUMPSEC’s Red Team recently discovered a vulnerability in the latest version of Microsoft Teams which allows for...
Hunting the Snake: An Overview of Threat Hunting with Velociraptor
In May 2023 the NCSC and CISA released a joint cyber security advisory addressing a piece of Russian malware called Snake. According to them, this malware has been gathering...
Ligolo: Quality of Life on Red Team Engagements
In recent months we, JUMPSEC’s red team, have been using a nifty little tool that we would like to share with you in this blog post. Ligolo-ng is a versatile tool that has been aiding our covert, and slightly-less-covert, engagements with regards to tunnelling, exfiltration, persistence, and widely improving the operators’ “quality of life” when carrying out assessments involving beaconing from...
Hunting for ‘Snake’
Following the NCSC and CISA’s detailed joint advisory on the highly sophisticated ‘Snake’ cyber espionage tool, JUMPSEC threat intelligence analysts have provided a condensed blueprint for organisations to start proactively hunting for Snake within their network, contextualising key Indicators of Compromise (IoC), and providing additional methods to validate the effectiveness of Snake...
Advisory CVE-2023-30382 – Half-Life Local Privilege Escalation
Software: Half-Life Affected versions: Latest (<= build 5433873), at the time of writing Vendor page: www.valvesoftware.com CVE Reference: CVE-2023-30382 Published: 23/05/2023 CVSS 3.1 Score: 8.2 AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H Attack Vector: Local Credit: Ryan Saridar Summary An attacker can leverage a stack-based buffer overflow via Half-Life’s command line arguments to compromise the...
Butting Heads with a Threat Actor on an Engagement
After compromising a sensitive external server JUMPSEC’s Red Team found that they were not the first ones there…
Advisory CVE-2022-37832 – Mutiny Network Monitoring Appliance hardcoded credentials
Software: Mutiny Network Monitoring Appliance Affected versions: <= 7.2.0-10855 Vendor page: www.mutiny.com CVE Reference: CVE-2022-37832 Published: 16/12/2022 CVSS 3.1 Score: 10.0 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H Attack Vector: Network Credit: Ryan Saridar Summary An attacker can log in as root remotely to the appliance via SSH. Mitigation Upgrade to version 7.2.0-10855 onwards to...
Online Machine Learning: how to integrate user feedback
When designing and implementing a machine learning model, ensuring it is continually updated is a challenge that all engineers encounter. In this article, I explore the online machine learning technique that I used during a project and present how it was implemented for effective results. Choosing a machine learning method Machine learning solutions can be mainly split into offline and...
Implementation and Dynamic Generation for Tasks in Apache Airflow
I recently worked on a project focused on log anomaly detection using manageable machine learning pipelines. The pipelines mainly include data collection --- feature extraction --- feature engineering --- detection/prediction --- updating (maintenance). It’s important to have a solid UI to manage the pipelines so I can easily review the chain of pipelines. After much research, I found many...
QUEST KACE Desktop Authority Pre-Auth Remote Code Execution (CVE-2021-44031)
Software: QUEST KACE Desktop AuthorityAffected Versions: 11.1 and earlier. Vendor page: https://www.quest.com/products/kace-desktop-authority/CVE Reference: CVE-2021-44031Published: 19/11/2021CVSS 3.1 Score: 9.8 CriticalAttack Vector: Pre-authenticated Remote Code ExecutionCredits: Tom Ellson JUMPSEC recently discovered multiple vulnerabilities in Quest KACE Desktop Authority 11.1. This is an...
Disclaimer
The information provided on this website is to be used for educational purposes only. The author is in no way responsible for any misuse of the information provided. Any actions and or activities related to the material contained within this website is solely your responsibility.