Publications

Escaping from bhyve

mer 04/01/2023 - 09:26
Exploit
Bhyve is a hypervisor for FreeBSD. This blogpost will describe how a limited OOB write vulnerability in an adapter emulator can be turned into code execution allowing to escape from the guest machine.

Cool vulns don't live long - Netgear and Pwn2Own

mar 06/12/2022 - 16:40
Exploit
Pwn2own is a competition where hackers try to execute arbitrary code on selected devices. This blogpost will describe two vulnerabilities found in the Netgear RAX30 router, and explain how both were patched the day before the event.

PrideLocker - a new fork of Babuk ESX encryptor

lun 05/12/2022 - 13:33
CSIRT
A few months after the leak of Babuk source code in September 2021, new ransomware families with very similar capabilities already seem to emerge. During an incident response, Synacktiv's CSIRT detected a new ESX encryptor dubbed PrideLocker that is based on Babuk ESX encryptor, with new additions. This article provides an in-depth analysis of PrideLocker, and a method using IDAPython to decrypt its strings, as well as tips to detect its encryption capabilities.

A dive into Microsoft Defender for Identity

mer 23/11/2022 - 13:10
Pentest
We recently analyzed the detection capabilities of Microsoft Defender for Identity, a cloud-based security solution which is the successor of Microsoft Advanced Threat Analytics and part of Microsoft Defender 365. This article will present its architecture, analyze its detection logic and abilities and present some bypasses, as well as general Red Team advices to stay under the Blue Team’s radar.

Legitimate RATs: a comprehensive forensic analysis of the usual suspects

jeu 20/10/2022 - 13:37
CSIRT
Legitimate remote access tools are more and more part of threat actors toolbox: in order to gain remote access on targets, keep persistence, deploy malicious payload as well as leveraging trusted connections between an IT provider and its customers. Therefore, detection and incident response teams must have a good grasp on traces left by those tools on the system. In this context, this article aims to collect host forensic evidence of four famous legitimate remote access tools.

PHP filters chain: What is it and how to use it

mar 18/10/2022 - 15:43
Pentest
Searching for new gadget chains to exploit deserialization vulnerabilities can be tedious. In this article we will explain how to combine a recently discovered technique called PHP filters [LOKNOP-GIST], to transform file inclusion primitives in PHP applications to remote code execution. To support our explanations we will rely on a Laravel file inclusion gadget chains that was discovered during this research.

Persistent PHP payloads in PNGs: How to inject PHP code in an image – and keep it there !

lun 10/10/2022 - 17:00
Pentest
During the assessment of a PHP application, we recently came across a file upload vulnerability allowing the interpretation of PHP code inserted into valid PNG files. However, the image processing performed by the application forced us to dig deeper into the different techniques available to inject PHP payloads into this particular file format - and to make it persist through image transformations. These investigations allowed us to successfully exploit the vulnerability, and are summarized in this article.

Traces of Windows remote command execution

mar 13/09/2022 - 15:34
CSIRT
Pentest
A real ninja leaves no traces. However, in the Windows context, a lot of information are disseminated when performing actions and can be leveraged by DFIR analysts. Focusing on remote command execution techniques used by attackers and red-teamers, this article aims to get a collection of artifacts that can collected by analysts.