Publications

Legitimate exfiltration tools : summary and detection for incident response and threat hunting

Wed, 09/27/2023 - 14:02 Legitimate data transfer tools are more and more used by threat actors. During our incident response engagements, we often see the use of several administration tools, including tools for transferring data to SFTP servers or directly to the cloud. These are widely used by attackers as means of exfiltration. The issue of exfiltrated data is one of the most important and hardest topic in the case of ransomware incidents. As the subject has already been widely covered, the aim of this article is to centralize the traces left by most com...

Introducing ntdissector, a swiss army knife for your NTDS.dit files

Fri, 09/22/2023 - 08:33 This article tells our journey inside the ESE database and the NTDS features that led us to produce the ntdissector tool, suitable for offensive and defensive actions.

Presentation of the Pentest Team

Fri, 09/15/2023 - 15:53 Are you a potential applicant wishing to know more about Synacktiv's pentest team before actually applying? Or someone considering relying on Synacktiv to perform a security assessment and wondering whether we can handle your project? Or just someone curious and eager to know more? In any case, this blogpost will hopefully enlighten you about key aspects of what we do and how we work.

Finding a POP chain on a common Symfony bundle: part 1

Tue, 09/12/2023 - 08:41 The Symfony doctrine/doctrine-bundle package is one of the most common bundles installed along Symfony applications. At the time we are releasing this blogpost, it has been downloaded 144 million times, making it an interesting target for unserialize exploitation. If you want to improve your knowledge about PHP unserialize exploitation and see why weak typed languages are considered less secure, this blogpost is for you. The first part of this article aims to show a full methodology of POP chain research, it details the full code ana...

Magento for Security Audit

Wed, 09/06/2023 - 16:00 Magento, also known as Adobe Commerce since it was bought by Adobe in 2018, is a popular CMS for e-commerce web applications, powering 2.3% of them as of 2021 (according to Statista). This article provides an overview of its inner workings from a security point of view as well as some key points to keep in mind when auditing Magento-based applications.

Web Architect - An Introduction

Wed, 09/06/2023 - 15:00 This article is the first of a series detailing various security aspects of the most common technologies one can encounter on the web, starting with CMSs. As of today, most of the Content Management Systems (CMS) market shares are detained by PHP based solutions (WordPress accounting for most of it, admittedly). Thus, they are really common to find during web pentest engagements. This article and the following ones will tell you everything you need to know to get started when facing one of them, by studying two of the most common ones...

GPOddity: exploiting Active Directory GPOs through NTLM relaying, and more!

Mon, 09/04/2023 - 10:36 During the pentest of an Active Directory environment, we recently came across a situation in which we were able to relay the authentication data of a user having write permissions on a sensitive Group Policy Object (GPO). Due to the peculiarities of GPOs’ implementation in Active Directory, existing tools do not allow their exploitation in NTLM relaying contexts. We however devised a new versatile exploitation vector that can be implemented through relaying, as well as a tool automating the attack, GPOddity, available on Synacktiv’s...

Old bug, shallow bug: Exploiting Ubuntu at Pwn2Own Vancouver 2023

Fri, 09/01/2023 - 10:00 At this year Pwn2Own Vancouver we demonstrated Local Escalation of Privilege (LPE) exploits for the three desktop operating systems present at the competition: Windows, MacOS and Linux (Ubuntu). This blogpost explores the Ubuntu entry exploiting CVE-2023-35001, a 9 year old vulnerability in the Linux Kernel.

Forensic Aspects of Microsoft Remote Access VPN

Mon, 08/28/2023 - 13:37 As remote work surges, VPNs gain significance. With employees using their devices in uncontrolled networks, VPNs are certainly now a serious option for attackers to gain an initial foothold on the corporate network. Microsoft offers a VPN solution called Remote Access Service. This article sheds light on Microsoft VPN service's inner workings, and provides forensic aspects to improve incident response and the monitoring of this service.

Exploring Android Heap allocations in jemalloc 'new'

Tue, 05/30/2023 - 10:00 When writing an exploit for a memory corruption vulnerability, knowing the heap allocator internals is often required to shape the heap as desired. This article will dive into one of Android libc allocators: jemalloc 'new' (jemalloc version 5 and superior). Whereas scudo is the latest allocator introduced in the platform, jemalloc 'new' is still very used today but not well documented.