MDSec was founded on the principles that traditional security
assessment describes problems, but Security Education helps
fix or avoid them.
VirtualBox is a popular open source, cross-platform, virtualization software developed by Oracle Corporation. Earlier this year we identified an arbitrary file move vulnerability in the VirtualBox system service service that…
March, 2024 Last week, the Bank of England announced the introduction of a new regulatory framework, STAR-FS, to support the financial sector in its cyber resilience operations. Over 4 years…
The Directory Service is the heart and soul of many organisations, and whether its Active Directory, OpenLDAP or something more exotic, as a source of much knowledge it often acts…
Overview Visual Studio is a complex and powerful IDE developed by Microsoft and comes with a lot of features that can be interesting from a red team perspective. During this…
Overview See no evil, hear no evil, speak no evil. This Japanese maxim epitomises the EDRs coming up against our latest release of Nighthawk. Following copious amounts of research and…
Overview During a recent adversary simulation, the MDSec ActiveBreach red team were asked to investigate the organisation’s Password Manager solution, with the key objective of compromising stored credentials, ideally from…
Introduction On a recent red team engagement, MDSec were tasked with crafting a phishing campaign for initial access. The catch was that the in-scope phishing targets were developers with technical…
Overview During a recent adversary simulation, the MDSec ActiveBreach red team were performing a ransomware scenario, with a key objective set on compromising the organisation’s backup infrastructure. As part of…
May 2nd 2023 Congratulations to our new king and in honour of the coronation, we proudly present Nighthawk 0.2.4. Our last Nighthawk public post was for our 0.2.1 release in…
Date: 14th March 2023 Today saw Microsoft patch an interesting vulnerability in Microsoft Outlook. The vulnerability is described as follows: Microsoft Office Outlook contains a privilege escalation vulnerability that allows…
Recently, Proofpoint released a blog post entitled “Nighthawk: An Up-and-Coming Pentest Tool Likely to Gain Threat Actor Notice”. In this post, Proofpoint outlined a campaign used by a legitimate red…
November 1st 2022 This Halloween week brings our third and final Nighthawk release for the year and its packed with exciting new features, backed by MDSec’s world class research and…
The use of the AutodialDLL registry subkey (located in HKLM\\SYSTEM\\CurrentControlSet\\Services\\WinSock2\\Parameters) as a persistence method has been previously documented by @Hexacorn in his series Beyond good ol’ Run key, (Part 24)….
Microsoft’s Office Online Server is the next generation of Office Web Apps Server; it provides a browser based viewer/editor for Word, PowerPoint, Excel and OneNote documents. The product can be…
Having been in IT longer than I care to remember, one issue keeps coming up. It doesn’t matter how well you have implemented <insert security mechanism> what really matters is…
Introduction In part one, we introduced generic approaches to performing threat hunting of C2 frameworks and then followed it up with practical examples against Cobalt Strike in part two. In…
Introduction Process enumeration is necessary prior to injecting shellcode or dumping memory. Threat actors tend to favour using CreateToolhelp32Snapshot with Process32First and Process32Next to gather a list of running processes….
Cobalt Strike is one of the most popular command-and-control frameworks, favoured by red teams and threat actors alike. In this blog post we will discuss strategies that can be used…
Introduction Its no secret that MDSec provides a commercial command-and-control framework with a focus on evasion for covert operations. With this in mind, we are continuously performing on-going R&D in…
Introduction During a recent engagement the team came up against an unfamiliar product, Altiris. Very little public research was available about Altiris, with a considerable lack of information regarding abusing…
Introduction It’s been some months since our 0.1 release in December ‘21 and the development team have been working hard on new features, research and development, alongside bug fixes and…
Introduction While developing new features for Nighthawk C2, we observed that NTDLL contains up to three internal tables with the Relative Virtual Address (RVA) of all system calls. Two of these…
Introduction The MDSec red team are continually performing research in to new and innovative techniques for code injection enabling us to integrate them in to tools used for our red…
This blog post details several recently patched vulnerabilities in the Veeam Backup & Replication and Veeam Agent for Microsoft Windows. We’ll detail MDSec’s process for identifying these 1Day vulnerabilities, writing…
Introduction Post-exploitation tooling designed to operate within mature environments is frequently required to slip past endpoint detection and response (EDR) software running on the target. EDR frequently operate by hooking…
Introduction MDSec’s ActiveBreach red team operate in the some of the highest maturity environments, where a significant degree of in-memory and post-exploitation operational security is often required to counteract defensive…
As part of Microsoft Exchange April and May 2021 patch, several important vulnerabilities were fixed which could lead to code execution or e-mail hijacking. Any outdated and exposed Exchange server…
The Incident Response team at MDSec regularly gets queries from our customers, as well as our consultants about odd things that they’ve found, either during engagements, or on an ad-hoc…
As security teams continue to advance, it has become essential for attacker’s to have complete control over every part of their operation, from the infrastructure down to individual actions that…
Introduction When looking for new interesting attack surfaces in Windows, I’ve often looked to default file handlers and LOLBins. Another interesting place to look is the default protocol handlers and…
Overview In the ActiveBreach red team, we’re always looking for innovative approaches for lateral movement and privilege escalation. For many of the environments we operate in, focusing on the classic…
Overview It’s no secret that macOS post-exploitation is often centric around targeting the installed apps for privilege escalation, persistence and more. Indeed, we’ve previously posted about approaches for code injection…
Web browsers are inherently trusted by users. They are trained to trust websites which “have a padlock in the address bar” and that “have the correct name”, This trust leads…
Introduction The motivation to bypass user-mode hooks initially began with improving the success rate of process injection. There can be legitimate reasons to perform injection. UI Automation and Active Accessibility will use it…
Introduction Low privileged, user land persistence techniques are worth their weight in gold, as there are far fewer opportunities from this perspective than when you’re elevated. As such, we are…
Overview I started out this research having taken some inspiration from @buffaloverflow‘s Chlonium tool for easily exfiltrating and using a victim’s Chromium based web browser cookies. I was working on…
In a recent red team engagement, we discovered a SharePoint instance that was vulnerable to CVE-2020-1147. I was asked to build a web shell without running any commands to avoid…
Overview In the past two posts of this series, we’ve covered lateral movement through WMI event subscriptions and DCOM, detailing approaches to improve the OpSec of our tradecraft. In the…
Overview In part 1 of this series, we discussed lateral movement using WMI event subscriptions. During this post we will discuss another of my “go to” techniques for lateral movement,…
Overview Performing lateral movement in an OpSec safe manner in mature Windows environments can often be a challenge as defenders hone their detections around the indicators generated by many of…
At MDSec it not uncommon to need to develop custom post-exploitation tooling to meet the requirements of an engagement; this is especially true for the red team where the techniques employed for tasks such as information gathering and lateral movement often need to be adapted to the target environment.
Introduction During red team engagements, it is not uncommon to encounter Endpoint Defence & Response (EDR) / Prevention (EDP) products that implement user-land hooks to gain insight in to a…
Introduction In-memory tradecraft is becoming more and more important for remaining undetected during a red team operation, with it becoming common practice for blue teams to peek in to running…
Introduction Microsoft patched a number of deserialisation issues using the XPS files. Although the patch for CVE-2020-0605 was released in January 2020, it was incomplete and an additional update was released in…
Introduction LaTeX is a document typesetting system that takes a plaintext file, stylised using mark-up tags similar to HTML or CSS, and converts this into a high-quality document for displaying…
Introduction During Red Team Operations, it is not uncommon to find systems or applications related to the engagement objectives being protected by Two Factor Authentication. One of the solutions that…
The YSoSerial.Net project has become the most popular tool when researching or exploiting deserialisation issues in .NET. We have recently invested some research time to improve this tool to help ourselves and…
Introduction In this blogpost, we will describe a technique that abuses legacy Firefox functionality to achieve command execution in enterprise environments. These capabilities can be used for lateral movement, persistence…
As some of you will know, we have recently entered into the Red Team training space. Before deciding to create our course now known as “Adversary Simulation and Red Team…
After the introduction of PowerShell detection capabilities, attackers did what you expect and migrated over to less scrutinised technologies, such as .NET. Fast-forward a few years and many of us…
Introduction Actions is a CI/CD pipeline, built into GitHub, which was made generally available back in November 2019. Actions allows us to build, test and deploy our code based on triggers…
Introduction If you have worked with SharePoint, you have seen two types of ASPX pages: Application pages Site pages Application pages are not customisable. They are stored on the file…
Introduction Credential recovery is a common tactic for red team operators and of particular interest are persistently stored, remote access credentials as these may provide an opportunity to move laterally…
Introduction Back in 2018, PaloAlto Unit42 publicly documented RGDoor, an IIS backdoor used by the APT34. The article highlighted some details which sparked my interest and inspired me to write…
As RedTeaming has grown with the industry, so has our need to build dependable environments. In keeping with the cat-and-mouse game we find ourselves in, it’s essential to possess the…
SQL Server Reporting Services (SSRS) provides a set of on-premises tools and services that create, deploy, and manage mobile and paginated reports. Functionality within the SSRS web application allowed low privileged…
Description A remote code execution issue in SharePoint Online via Workflows code injection was reported to Microsoft in November 2019 which was addressed immediately on the online platform. However, the…
Last month, a critical vulnerability in Citrix ADC and Citrix Gateway was published under CVE-2019-19781. The vulnerability caught our attention as it suggested that an unauthenticated adversary could leverage it to…
Last year I posted a few tricks to help when targeting MacOS users, and included a technique useful for spoofing file extensions with the aim of taking advantage of Finder’s…
Introduction Remote Desktop is one of the most widely used tools for managing Windows Servers. Admins love using RDP and so do attackers. Often the credentials that are used to…
During our red team operations, we frequently come in contact with organisations using Office 365. The present tooling targeted at this environment is somewhat limited meaning that development is often…
In my previous two posts I covered persistence using both Microsoft Office and COM hijacking, in this post I’ll discuss my third favourite technique for persistence; WMI event subscription. Unlike…
In the first post I talked about my favourite persistence technique using Microsoft Office add-ins and templates. My second favourite technique for persistence is using COM hijacking which will be…
During a red team engagement, one of the first things you may want to do after obtaining initial access is establish reliable persistence on the endpoint. Being able to streamline…
As red teamers regularly operating against mature organisations, we frequently come in to contact with a variety of Endpoint Detection & Response solutions. To better our chances of success in…
Background Cobalt Strike 3.6 introduced a powerful new feature called External C2, providing an interface for custom Command and Control channels. Being a fan of custom C2 channels I started…
In March 2018 we released SharpShooter, a framework for red team payload generation. We followed up with further updates and new techniques in June. Like many offensive tools, the framework…
Background The Office add-ins platform allows developers to extend Office applications and interact with document content. Add-ins are built using HTML, CSS and JavaScript, with JavaScript being used to interact…
No matter where you turn, it’s hard to miss just how much of an effect the Blockchain has had on our daily lives. Being the backbone of the digital currency…
Introduction We recently performed an Insider Threat red team engagement, posing as employees within the company. We were provided with all the benefits of a regular employee (except salary :))…
Sometimes when you are in the middle of an engagement, you will come across a hurdle which requires a quick bit of research, coding, and a little bit of luck….
Constrained Language Mode is a method of restricting PowerShell’s access to functionality such as Add-Type, or many of the reflective methods which can be used to leverage the PowerShell runtime…
During a red team engagement, it is often beneficial to have the ability to quickly and programatically deploy infrastructure. To date, most existing literature has focussed on deploying the server…
Overview Title: Pulse Secure Client Authentication Bypass Version: Pulse Desktop Client 9.0R1 and 5.3RX before 5.3R5. Researcher(s): Nassar Amin, Ricardo Ramos, Russel Crozier and Dominic Chell Disclosure Date: 01-03-2018 Public Disclosure…
Overview Title: CouchDB Arbitrary Write Local.ini Configuration Authenticated Remote Code Execution Version: <=2.1.1 Researcher: Francesco Oddo at MDSec Labs (https://www.mdsec.co.uk) Disclosure Date: 5/01/2018 Public Disclosure Date: 30/04/2018 Severity: High Description…
System Integrity Protection (sometimes called “rootless”) is a security feature introduced in OS X El Capitan as a way to protect critical system components from all accounts, including the root…
Recently we’ve been looking at MacOS in the context of redteaming, looking at endpoint security products and how they can be evaded on a Mac. I have previously explored Windows…
You’ve completed your recon, and found that your target is using MacOS… what next? With the increased popularity of MacOS in the enterprise, we are often finding that having phishing…
In April, we released our in-house payload generation tool SharpShooter to demonstrate the automation of some of the nuances in payload creation and evasion of defensive controls. This was generally…
By now, many of us know that during an engagement, AMSI (Antimalware Scripting Interface) can be used to trip up PowerShell scripts in an operators arsenal. Attempt to IEX Invoke-Mimikatz…
Getting a foothold is often one of the most complex and time-consuming aspects of an adversary simulation. We typically find much of our effort is spent creating and testing payloads…
Last week, it was reported that an exploit was being used to spread the ROKRAT malware. What made this so interesting is that Flash was being used by an APT…
During a recent mobile application assessment, MDSec’s mobile team encountered a binary protocol over HTTP used for server communication. Analysis of this protocol revealed it to be Apache Thrift, which…
The MDSec hardware security team were recently researching the Virgin Super Hub 2ac; the latest of Virgin’s Super Hub models which supports the 5Ghz band of wireless. This blog post…
Overview Sophos Web Appliance is a “next generation” anti-malware and content filtering proxy appliance created by Sophos. Description During a review of Sophos Web Appliance, MDSec discovered a remote code…
Introduction CVE-2017-8759, the vulnerability recently discovered by FireEye as being exploited in the wild is a code injection vulnerability that occurs in the .NET framework when parsing a WSDL using…
What is ANGRYPUPPY ANGRYPUPPY is a tool for the Cobalt Strike framework, designed to automatically parse and execute BloodHound attack paths. ANGRYPUPPY was partly inspired by the GoFetch and DeathStar projects, which…
Delivery of staged and stageless payloads is often achieved using the PowerShell web delivery technique. While this is a highly effective strategy for staging, in some cases it can be…
A key step in an adversary simulation is the reconnaissance phase which almost always requires obtaining e-mail addresses for employees within the organisation. LinkedIn is probably one of the most…
Prior to commencing any red team engagement, it is important to carefully consider how your infrastructure will be designed. As part of this process, one pivotal consideration is the host/domains…
CACTUSTORCH is a framework for payload generation that can be used in adversary simulation engagements based on James Forshaw’s DotNetToJScript tool. This tool allows C# binaries to be bootstrapped inside a…
Remote Desktop is often used by Systems Administrators to remotely manage machines. In a lot of organisations this could mean that a machine is placed in a DMZ or segregated…
Sometimes on embedded systems (such as routers or webcams), the manufacturer has left debugging ports on the board. These ports are obviously not meant for the public as they are…
FireEye recently documented attacks of a 0-day vulnerability in the Windows HTA handler being exploited in the wild using Office RTF documents. The vulnerability later became referenced as CVE-2017-0199 and addressed…
Around a year ago, Black Hills documented multiple ways to obtain domain credentials from the outside using password spraying against Outlook Web Access. They then went on to release MailSniper,…
This year’s Pwn2Own contest saw the majority of the main stream browsers being compromised once again, highlighting that we still have some way to go for a secure browsing experience….
Tor, also known as The Onion Router as well as the Dark Web is a network that is aimed to conceal its users’ identity and their online activity from surveillance…
These are not the domains you are looking for… A technique known as Domain Fronting was recently documented for circumventing censorship restrictions by Open Whisper Systems. The benefits of this…
Matt Nelson recently released a very useful, file-less UAC bypass using Event Viewer which was quickly implemented in to a Metasploit module by @TheColonial. Following this, we decided to release our own implementation…
In August, @MDSecLabs delivered a talk at the Manchester BSides titled “Breaking and Entering, Hacking Consumer Security Systems”. The talk outlined research that we had performed in to the security (or…
Sometimes when conducting internal assessments or even simulated attacks, you may want the ability to quickly identify weak credentials in your environment. We often faced this problem which led to…
Browser exploitation is continually getting more challenging as defenders constantly introduce new protections, moving the goal posts further and further away. Memory corruption on the latest Internet Explorer is now not…
Vulnerability Description The Samsung Voice application provides a means to control your smartphone through voice commands, such as initiating calls to the device’s contacts. It is installed by default on…
During a recent penetration test, MDSec found several vulnerabilities in a RF spectrum analyzer that was exposed to the Internet. The SED Systems Decimator D3 is the third generation of SED’s popular…
RIPE NCC is building the largest Internet measurement network ever made. RIPE Atlas employs a global network of probes that measure Internet connectivity and reachability, providing an unprecedented understanding of…
PonyOS is a hobby Unix-like operating system that uses it’s own kernel, built from scratch. This makes it a great research target for exploring software exploitation concepts. The OS is…
As you may have heard, our latest publication the Mobile Application Hacker’s Handbook is out. When you’re writing a book you have to agree a number of things with the…
If you’re interested in web and/or mobile security and want to learn some cutting-edge techniques, then we have just the thing! This April and June we’re running two training courses…
We recently became aware of a device known as an IP Box that was being used in the phone repair markets to bruteforce the iOS screenlock. This obviously has huge…
Following on from our previous publications in the Hacker’s Handbook series, MDSec’s director Dominic Chell has co-authored a new book on how to secure mobile applications. The Mobile Application Hacker’s…
At 44CON in September 2014, MDSec presented “GreedyBTS: Hacking Adventures in GSM” where we discussed our research of 2.5G network attacks against mobile devices. We outlined many existing known weaknesses…
Yesterday we presented some of our exploitation notes on the Heartbleed vulnerability at 44Cafe and shared some of the lessons learned, the slides are available for review here: The accompanying…
This week, the OpenSSL security team announced a high-risk vulnerability within a TLS extension of the popular open-source cryptography toolkit. The original advisory can be found here. The advisory indicates that a missing…
Security conscious developers often turn to SQLCipher [1] to encrypt content stored on a device’s file system. SQLCipher is a slightly extended version of SQLite, which allows 256-bit AES encryption…
In October 2013, Dominic Chell and I (Shaun Colley) presented our research and proof-of-concept tool for traffic analysis of encrypted VoIP streams. We focused on Skype as a case study….
At HackInTheBox KUL 2013, we demonstrated two possible techniques that could be used to perform side channel attacks on packet captures of encrypted VoIP communications. The two techniques, Dynamic Time…
Overview Threats to mobile apps are well documented, as are the risks posed from jailbreaking, rooting and malware. As we place an increasing level of trust in mobile apps, we…
When performing any kind of product assessment, it is always preferable to have the source code. However, in the real world we all know that this isn’t always possible and…
MDSec will be delivering the WAHH live training course at BlackHat USA again this year. The course syllabus follows the chapters of the Second Edition of The Web Application Hacker’s…
This if the first in a series of blog posts about iOS and iOS platform security, encompassing and expanding on the MDSec iOS Application (In)Security whitepaper. In this post, MDSec…
Today MDSec released a whitepaper detailing some of the vulnerabilities we’ve observed over the past year while performing regular security assessments of iPhone and iPad applications. This whitepaper details some…
We recently had the pleasure of presenting at OWASP Ireland. The following talk discusses some of the issues we’ve identified during pentests that don’t easily slot in to the categories…
We recently had the pleasure of talking about iOS application security at OWASP Ireland, the slides for our presentation are below: iOS application (in)security
MDSec are proud to announce the Web Application Hacker’s Handbook training course will be running at Countermeasure 2012! The course syllabus follows the chapters of the Second Edition of The…
We recently presented at the Manchester OWASP chapter on Evaluating iOS Applications. Thanks to everyone involved, it was a great evening. Our slides can be found below:Evaluating iOS Applications
Some time in 2008, we developed a framework for automating Oracle penetration tests. The framework was called OAP, which stood for Oracle Attack and Penetration. However, due to the lack…
Along with our new website, MDSec are proud to announce the launch of our new blog where MDSec consultants will be speaking their mind on both technical and non-technical information…