Late last year a new remote code execution vulnerability was discovered in Fortinet’s SSLVPN service. Given the relative lack of information surrounding it at the time, and the fact I’d have some uninterrupted research time due to a lengthy flight, I decided to attempt to produce a POC for the vulnerability.
Continue reading Producing a POC for CVE-2022-42475 (Fortinet RCE)Getting Started With SplunkUI
When developing new Splunk apps with a customised user interface, everything but SplunkUI is deprecated. Thus, it is only a matter of time before you need to jump from that building with faith.
Continue reading Getting Started With SplunkUIEngineering antivirus evasion (Part III)
Previous blog posts addressed the issue of static artefacts that can easily be caught by security software, such as strings and API imports:
- https://blog.scrt.ch/2020/06/19/engineering-antivirus-evasion/
- https://blog.scrt.ch/2020/07/15/engineering-antivirus-evasion-part-ii/
This one provides an additional layer of obfuscation to target another kind of detection mechanism used to monitor a program’s activity, i.e userland hooks.
Continue reading Engineering antivirus evasion (Part III)Statically encrypt strings in a binary with Keystone, LIEF and radare2/rizin
In our journey to try and make our payload fly under the radar of antivirus software, we wondered if there was a simple way to encrypt all the strings in a binary, without breaking anything. We did not find any satisfying solution in the literature, and the project looked like a fun coding exercise so we decided it was worth a shot.
Continue reading Statically encrypt strings in a binary with Keystone, LIEF and radare2/rizinAutomatically extracting static antivirus signatures
This blog post accompanies the talk we gave at Insomni’hack 2022. The source code as well as the slides can be found at:
https://github.com/scrt/avdebugger
Continue reading Automatically extracting static antivirus signaturesSplunk Boss Of The SOC (BOTS) @Insomni’hack
It’s was a pleasure this year to meet you at the 2022 edition of our amazing security conference Insomni’hack !
With Splunk collaboration, we come back this year with “Splunk Boss Of The SOC” challenge.
Continue reading Splunk Boss Of The SOC (BOTS) @Insomni’hackApiculture 2 write-up
The Apiculture challenges are dedicated to API attacks. The second level basically looks like a webpage dedicated to beehives:
Continue reading Apiculture 2 write-upApiculture 1 write-up
The Apiculture challenges are dedicated to API attacks. It is basically a honey’s addict website:
Continue reading Apiculture 1 write-upGDBug write-up
The GDBug file is an ELF binary:
Continue reading GDBug write-upSOCs real-life challenges & solutions
Introduction
As SCRT’s blue teamers, we often deal with Security Operations Centers (SOCs). Being able to interact with many different SOCs for our consultancy service gives us the possibility to understand the main challenges a SOC faces and how to solve them.
Continue reading SOCs real-life challenges & solutions