Bypassing PPL in Userland (again)
This post is a sequel to "Bypassing LSA Protection in Userland" and "The End of PPLdump". Here, I will discuss how I was able to bypass the latest mitigation implemented by Microsoft and develop a new Userland exploit for injecting arbitrary code into a PPL with the highest signer type.
Producing a POC for CVE-2022-42475 (Fortinet RCE)
Late last year, a new remote code execution vulnerability was discovered in Fortinet’s SSLVPN service. Given the relative lack of information surrounding it at the time, and the fact that I’d have some uninterrupted research time due to a lengthy flight, I decided to attempt to produce a POC for the vulnerability.
Getting Started With SplunkUI
When developing new Splunk apps with a customised user interface, everything but SplunkUI is deprecated. Thus, it is only a matter of time before you need to jump from that building with faith.
Engineering antivirus evasion (Part III)
Previous blog posts addressed the issue of static artefacts that can easily be caught by security software, such as strings and API imports:
- https://blog.scrt.ch/2020/06/19/engineering-antivirus-evasion/
- https://blog.scrt.ch/2020/07/15/engineering-antivirus-evasion-part-ii/
This one adds a further layer of obfuscation to target another kind of detection mechanism used to monitor a program’s activity, i.e. userland hooks.
Statically encrypt strings in a binary with Keystone, LIEF and radare2/rizin
In our journey to try and make our payload fly under the radar of antivirus software, we wondered if there was a simple way to encrypt all the strings in a binary, without breaking anything. We did not find any satisfying solution in the literature, and the project looked like a fun coding exercise so we decided it was worth a shot.
Automatically extracting static antivirus signatures
This blog post accompanies the talk we gave at Insomni’hack 2022. The source code as well as the slides can be found at:
https://github.com/scrt/avdebugger
Splunk Boss Of The SOC (BOTS) @Insomni’hack
It was a pleasure to meet you this year at the 2022 edition of our amazing security conference, Insomni’hack!
In collaboration with Splunk, we came back this year with the “Splunk Boss Of The SOC” challenge.
Apiculture 2 write-up
The Apiculture challenges are dedicated to API attacks. The second level basically looks like a webpage dedicated to beehives:
Apiculture 1 write-up
The Apiculture challenges are dedicated to API attacks. This one is basically a website for honey addicts:
GDBug write-up
The GDBug file is an ELF binary: