Published | JUMPSEC LABS

Weaponize Your Word – Malicious Template Injection

by Max Clarke | Oct 30, 2024 | Detection, Initial Access, Red Teaming, Research, Windows

Weaponize Your Word - Malicious Template Injection Historically, files sent via email have been a common initial access technique employed by threat actors. Personally, I have seen emails containing malware prove effective, and in the case of an IR (Incident Response) involving a malware infection, it would be one of the first places I would look to identify the source of compromise. There are many techniques for bypassing an email solution to deploy malware on an endpoint, however an old technique that is worth taking note of is that of malicious template injection. This technique allows for a document that is almost entirely non-malicious to be received by a user before an actual malicious loader is pulled via the Microsoft Word remote template functionality. This technique was observed being used by the LockBit Ransomware Gang (1) early in the year. Malicious templates and...

How to Handle Development Projects in a Pentest Company

If you are a pentester you probably never really think about programming. Instead you are testing what others have developed. However, every now and then a quick python or bash...

How Cloud Migration is Affecting AppSec – A Red Teamer’s Perspective

Introduction I’ve recently spoken at several conferences about the changes that are underway within red teaming as a result of cloud migration. My team and I have been delivering...

Advisory CVE-2020-13770 – Ivanti Unified Endpoint Manager named pipe token impersonation privilege escalation

by xnand | Nov 11, 2020 | Jumpsec, Research

Several services are accessing named pipes with default or overly permissive security attributes; as these services run as user ‘NT AUTHORITY\SYSTEM’, the issue can be used to escalate privileges from a local standard or service account having SeImpersonatePrivilege (eg. user ‘NT AUTHORITY\NETWORK SERVICE’).

Advisory CVE-2020-13771 – Ivanti Unified Endpoint Manager DLL search order hijacking privilege escalation

by xnand | Nov 11, 2020 | Jumpsec, Research

Various services running as user ‘NT AUTHORITY\SYSTEM’ rely on Windows’ DLL search order for loading DLL files that are not present on the filesystem. Under certain circumstances, a local attacker would be able to place a malicious DLL file to obtain code execution in the vulnerable service’s context to elevate privileges.

Pwning Windows Event Logging with YARA rules

by bats3c | Sep 4, 2020 | Exploitation

The Event Log coupled with Windows Event Forwarding and Sysmon can be extremely powerful in the hands of defenders, allowing them to detect attackers every step of the way. Obviously this is an issue for the attackers. Before privilege escalation it is limited what we can do to evade event logging, but once privileges have been elevated it is an equal playing field. In the past I have released a...

Defending Your Malware

by bats3c | Aug 11, 2020 | Exploitation

Malware is an important part of an engagement, though as many security solutions are now evolving past rudimentary signature comparisons to using more advanced techniques to detect malicious activity, it is important that we as attackers understand the methods they are using and how we can avoid them. Consider the following code I wrote for example. #include <stdio.h> #include...

Thunder Eye – Threat Intelligence Aggregator

by Daniel | Jun 7, 2020 | Jumpsec

The project currently code-named Thunder Eye is a threat intelligence aggregator that will act as an internal and external search engine for a variety of intelligence purposes. It will collect and store data varying from vulnerability scans, DNS data, breach lists, torrent sites, honeypot networks, and some manually inserted data sourced from our threat hunting and incident response/SOC...

API Hooking Framework

by Daniel | Jun 7, 2020 | Jumpsec

An API hooking framework, composed by a Windows driver component for library injection, a DLL file for function hooking and reporting, and a web service presenting a user interface and managing the communications between the user and the other components.The framework is aimed towards desktop application testing and vulnerability research: allows a granular monitoring of one or more processes at...

shad0w

by bats3c | Jun 3, 2020 | Detection, Exploitation

Post exploitation is large part of a red team engagement. While many organisations begin to mature and start to deploy a range of sophisticated Endpoint Detection & Response solutions (EDR) onto their networks, it requires us, as attackers to also mature. We need to upgrade our arsenal to give us the capabilities to successfully operate on their networks. That is why today, I am releasing shad0w.

shad0w is a post exploitation framework which is designed to operate covertly on such networks, providing the operator with much greater control over their engagements. Over future blog posts I will go into greater detail on the intricacies of how shad0w works. This blog post will, therefore, serve as an introduction into the usage and features that shad0w has to offer.

A Defender’s Guide For Rootkit Detection: Episode 1 – Kernel Drivers

by rootkid8 | Apr 20, 2020 | Detection, Exploitation, Jumpsec

Recently JUMPSEC’s youngest red team researcher @_batsec_ raised the bar once more using rootkit techniques to universally evade Sysmon.

« Older Entries

Next Entries »

JUMPSEC LABS

Weaponize Your Word – Malicious Template Injection

How to Handle Development Projects in a Pentest Company

Advisory CVE-2020-13770 – Ivanti Unified Endpoint Manager named pipe token impersonation privilege escalation

Advisory CVE-2020-13771 – Ivanti Unified Endpoint Manager DLL search order hijacking privilege escalation

Pwning Windows Event Logging with YARA rules

Defending Your Malware

Thunder Eye – Threat Intelligence Aggregator

API Hooking Framework

shad0w

A Defender’s Guide For Rootkit Detection: Episode 1 – Kernel Drivers

[Latest Posts]

[Categories]

GitHub Activity

Twitter

Latest from JUMPSEC

Disclaimer