Published | JUMPSEC LABS

Bring Your Own Trusted Binary (BYOTB) – BSides Edition

by David Kennedy | Feb 6, 2025 | Adversary Infrastructure, Red Teaming

Recently, I presented a talk on the main stage at BSides London 2024 and the topic I chose to present on was in regards to bringing trusted binaries to a system and using them in an adversarial fashion. This post will cover what I presented and how to use these binaries in detail. If you would also like a copy of the slides they can be found here. My talk was mainly focused on binaries that allow for the passing of the following 5 scenarios: Proxy my Kali tools, and tunnel traffic into an environment Bypass EDR (e.g. CrowdStrike), on dropping to disk and on execution Firewall friendly A good alternative to network tunnelling tools (e.g. Ligolo) Doesn't require a pre-installed SSH client The first solution is pictured below where the 'cloudflared' binary from, you guessed it, Cloudflare can be used in conjunction with the SSH 'ProxyCommand' to allow 'cloudflared' to transport the SSH...

NTLM Relaying – Making the Old New Again

I am old enough to remember that it was not always possible to get domain admin within the first hour of a test via Active Directory Certificate Services (ADCS) misconfigurations...

Building Forensic Expertise: A Two-Part Guide to Investigating a Malicious USB Device (Part 2)

In this part 2, we'll walk you through the step-by-step process of setting up and conducting a Digital Forensics and Incident Response (DFIR) investigation using a virtual...

Advisory CVE-2021-41550 Leostream Connection Broker – Authenticated Remote Code Execution

by lrckt | Jan 26, 2022 | Research, Security Bug, Vulnerability

Software: Leostream Connection BrokerAffected Versions: 9.0.40.17Vendor page: https://leostream.com/CVE Reference: CVE-2021-41550Published: 25/01/2022Attack Vector: Remote, authenticatedCredits: Andrei Constantin Scutariu, Lenk Ratchakrit Seriamnuai, Andrea Malusardi Summary As the Leostream Connection Broker version: 9.0.40.17 allowed an attacker to upload any content through Third Party...

No Logs? No Problem! Incident Response without Windows Event Logs

by editor | Nov 22, 2021 | Forensics, Incident Response, Windows

In this article, we discuss some Digital Forensics and Incident Response (DFIR) techniques you can leverage when you encounter an environment without Windows event logs.

PowerShell Jobs

by editor | Oct 7, 2021 | Detection, Incident Response, Monitoring, Windows

JUMPSEC investigators recently observed an adversary weaponising PowerShell Jobs to schedule their attack whilst responding to an incident. We discuss what PowerShell Jobs are, how they can be leveraged for malicious purposes, and how defenders can protect, detect, and respond to neutralise the threat.

Burp Suite and Beyond: Exploring non-HTTP protocols using MITM_RELAY

by editor | Aug 24, 2021 | Application Security, burpsuite, network, Network Tools, Research

In this article, Muhammet takes us on a deep technical journey to persevere beyond the limitations of the proxy tool Burpsuite, and explore non-HTTP, application-layer protocols using ‘MITM RELAY’.

Running Once, Running Twice, Pwned! Windows Registry Run Keys

by editor | Aug 11, 2021 | Detection, Incident Response, Monitoring, Windows

The Windows registry is a vast and complex topic and cannot be understood and defended in one article. One particular area of interest from a security perspective is registry run keys. In this article, we discuss who uses them, how to uncover abuse, and how to eradicate evil from them.

Can Depix deobfuscate your data?

by editor | Aug 3, 2021 | Jumpsec, Obfuscation, Password Cracking, Uncategorized

In this post, Caleb explores Depix and its potential to recover sensitive text from reports that were redacted by the original authors.

Car Hacking – Manual Bypass of Modern Rolling Code Implementations

by 0x5c4r3 | Jul 22, 2021 | Exploitation, Social Engineering

Introduction I recently researched modern algorithms used by keyfobs to open cars. Since most of the blogs online talking about the topic are unfortunately quite old and in general and do not precisely describe the exact path followed in detail, nor the code used. I thought that talking about my experience could be interesting and inspiring for other researchers. I won’t go in depth on certain...

Obfuscating C2 During a Red Team Engagement

by Patryk Zajdel | Jul 16, 2021 | Red Teaming

Command-and-Control (C2) infrastructure is one the most important tools in a red teamer’s arsenal. In this article, we introduce a few simple methods that red teams use to harden their C2 infrastructure.

« Older Entries

Next Entries »

JUMPSEC LABS

Bring Your Own Trusted Binary (BYOTB) – BSides Edition

NTLM Relaying – Making the Old New Again

Building Forensic Expertise: A Two-Part Guide to Investigating a Malicious USB Device (Part 2)

Advisory CVE-2021-41550 Leostream Connection Broker – Authenticated Remote Code Execution

No Logs? No Problem! Incident Response without Windows Event Logs

PowerShell Jobs

Burp Suite and Beyond: Exploring non-HTTP protocols using MITM_RELAY

Running Once, Running Twice, Pwned! Windows Registry Run Keys

Can Depix deobfuscate your data?

Obfuscating C2 During a Red Team Engagement

[Latest Posts]

[Categories]

GitHub Activity

Twitter

Latest from JUMPSEC

Disclaimer