Inevitably, and sadly, bad guys take advantage of such events using fear to trick victims into opening attachments or clicking links that they usually would not. Closely monitoring our systems, we found a couple of phishing examples that seek to take advantage of this event.

February's Patch Tuesday is here and brings with it patches for 98 CVEs. These are split between 13 CVEs rated as "Critical" and 85 CVEs rated as "Important." Among the "Critical" patches, Remote Code Execution (RCE) vulnerabilities in the Scripting Engine make up more than half of the list. It's a regular piece of software patched pretty much every Patch Tuesday.

Picture the scene - you’re on a penetration test, somehow you’ve got hold of a bunch of .NET assemblies for the application you’re assessing, be it a web application or thick client. On a thick client test, getting a hold of these files is somewhat trivial as they’re right there in front of you. On a web application test, however, things are not as easy - but it still is possible, depending on permissions and such. I won’t go into "the how-to" in order get these in this blog post, instead I will assume you’re sitting there, a cup of coffee in hand, staring at a bunch of .DLL files decompiled in something like dotPeek, ILSpy, etc.

2020 is not starting out quietly for Microsoft, it seems. After the first Patch Tuesday of 2020 addressing a vulnerability in CryptoAPI last week, Microsoft released an advisory for an Internet Explorer 0-Day, assigned CVE-2020-0674, scheduled to be fixed in the upcoming Patch Tuesday.

ModSecurity is an open-source WAF engine maintained by Trustwave. As a lively open-source project, we constantly work together with the community on reported bugs, feature requests, and other issues on the ModSecurity GitHub.

One of the most notable vulnerabilities patched during Microsoft's first Patch Tuesday of 2020 was a spoofing vulnerability in the Windows CryptoAPI. This has been issued CVE-2020-0601 and has also been referred to as the "Curveball" or "Chain of Fools" vulnerability.

The Citrix vulnerability (CVE-2019-19781) was first identified in December of 2019.  This vulnerability is a directory traversal attack that can lead to remote code execution.

It is a pleasure to announce the release of ModSecurity version 3.0.4 (libModSecurity). This version contains a number of improvements in different areas. These include cleanups, better practices for improved code readability, resilience and overall performance and security fixes.

Happy 2020! Microsoft is helping you celebrate the new decade with patches for 49 CVEs. Of those CVEs, eight are rated as "Critical," and 41 are rated as "Important." Among the "Critical" CVEs are four Remote Code Execution (RCE) vulnerabilities in the .NET Framework, and three RCE vulnerabilities in Remote Desktop (two for the client and one for the gateway). Ever since BlueKeep, RDP has been getting a monthly going through with a fine-toothed comb and a magnifying glass.

Time to start 2020? No better time for writing about the TTD (Time Travel Debugging) feature from WinDBG.

In this blog post, I intend to provide some insight into using the InterPlanetary File System for offensive purposes. I’ll cover what it is, why we may want to use it, some quick history, and walk through a few examples.

This year we observed a notable uptick in disc imaging software (like .ISO) being used as a container for serving malware via email, with .ISO archives attributing to 6% of all malware attachment archives seen this year.

Recently, we got a chance to investigate a REvil Ransomware sample from one of our DFIR investigations. During analysis, we encountered a few stumbling blocks that made the investigation a little tricky, namely unpacking and string deobfuscation. In this blog, we will show how we manually unpacked the malware and then how we deobfuscated the strings used by the ransomware.

In the past, there have been plenty of articles and blog posts recommending the use of Content Security Policy (CSP) and Sub Resource Integrity (SRI) to prevent the insidious skimming malware from taking hold of a website. However, what can a small business owner do if resources are limited and implementing these countermeasures is just not feasible? What can a normal everyday user do to check and see if their favorite shopping site is compromised? In this blog post, I will go over a few steps that don’t require any security training to perform.

Python's popularity is amazing and constantly growing. For the first time, Python has overtaken Java to take second place in GitHub general rankings. The more developers use that language in their projects, the more they enjoy the interest of cybercriminals using typosquatting tactics in library names. Thanks to Lukas Martini's recent finding,  two packages were removed from PyPi (Python Package Index) repository (perhaps the 'pip' command is more familiar to most of you).

December's Patch Tuesday is upon us, and, as in years gone by, it's a rather light month. All told there are 35 CVEs patched, including six rated "Critical," 28 rated as "Important," and one rated "Moderate."

During red team engagements, lateral movement in a network is crucial. In addition, as a critical part of exploit chains, security solutions put a lot of effort to detect this movement. Techniques such as remote WMI and PsExec are fairly well detected. In the case of WMI, WmiPrvSe.exe will be the parent process responsible for spawning the process, making the detection a bit easier. PsExec on its end will push a file on the remote system and register a new service. Detecting the file and service creation may prevent the attack from succeeding.

November’s Patch Tuesday from Microsoft included a patch for yet another Internet Explorer 0-day, not too long after the out-of-band patch we talked about in September.

Today we are releasing CrackQ, a queuing system to manage password cracking that I've been working on for about a year. It is primarily for offensive security teams during red teaming and pentesting engagements. It's an intuitive interface for Hashcat served by a REST API and a JavaScript front-end web application for ease of use.

Often when penetration tests are scheduled, it will be requested that testing occurs during off-peak hours, such as late evening to early morning. For example, requested hours for testing could be 7pm – 7am, or even 11pm – 6am.