Researchers Feed

Cymulate research team updates

  • 24 Topics
  • 6 Replies

24 Topics

Jes
Employee
JesEmployee
published in Researchers Feed

Our vulnerability patching program costs us time and money. How do we know which ones are urgent to deal with and pose a larger risk?Blog

 

860
Jes
Employee
22 days ago
Elad Beber
Employee
Elad BeberEmployee
published in Researchers Feed

Google-sudoers Privilege Escalation

In this series of articles, we will discuss a variety of MITRE ATT&CK techniques for Google Cloud Platform (GCP). The articles will cover techniques such as persistence, privilege escalation, lateral movement, and more. The first technique we will discuss is privilege escalation in GCP through a process called "google-guest-agent". Google Compute Engine Services Google Compute Engine (GCE) has some services that are run by the systemd daemon, including "google-guest-agent.service". This service is responsible for executing the binary "google-guest-agent" at boot. As we can see the agent is child of the init process and is running as root. What is google-guest-agent?‘Google-guest-agent’ is a daemon that is responsible for handling GCE platform features. The guest agent functionality can be separated into various areas of responsibility. Historically, on Linux these were managed by separate independent processes, but today they are all managed by the guest agent.The guest agent handl

820
Elad Beber
Employee
22 days ago
C
Employee
Cymulate TeamEmployee
published in Researchers Feed

Confluence Pre-Auth RCE

On June 02, 2022, Atlassian released a security advisory for their Confluence Server and Data Center applications, highlighting a critical severity of unauthenticated remote code execution vulnerability.The OGNL injection vulnerability allows an unauthenticated user to execute arbitrary code on a Confluence Server or Data Center instance and is currently being exploited by a specific threat actor. in order to bring value to our customers and help them test and verify their systems are secure against it our research team rushed to release a purple team module for that specific reason.You can find it under the following name: Confluence Pre-Auth Remote Code Execution via OGNL Injection(CVE-2022-26134)The execution expects two input arguments:Hostname : the vulnerable host to checkCommand : the command we would like to run if the host is found to be vulnerable (defaults to whoami which will print the current running username.) 

320
C
Employee
29 days ago
David_Kellerman_CISSP
Employee
David_Kellerman_CISSPEmployee
published in Researchers Feed

3 Quick Wins for Risk Mitigation on Each Attack Vector

It is crucial to protect yourself from cyber-attacks that can compromise your security posture and cause damage to your organization. With proper configurations and implementations, you can help prevent these cyber-attacks from impacting your organization. For each attack vector, we have compiled the top 3 recommendations for risk mitigation.  Email Gateway  Block unnecessary attachment file types – allow the minimum that is required for operating your organization.   Enable aggressive anti-malware scanning such as advanced AV, Sandbox, or CDR.  Enable URL scanning, sandboxing, and rewriting – in email body and attachments.   Web Gateway  Block downloads or allow the minimum required list of file types that is required for operating your organization.   Block browsing categories that are not required for operating your organization. Focus on questionable categories such as “Newly Registered Domains,” “Parked Domains,” and “Uncategorized.”   Implement browsing isolation to ensure th

1640
David_Kellerman_CISSP
Employee
29 days ago
A
arron_harrell
published in Researchers Feed

Leverage Cymulate XSPM to Support All MITRE 11 Strategies for a World-Class SOCBlog

MITRE just published the 11 Strategies for a World-Class Cybersecurity Operations Center book. A recurring theme in this book is the importance of Cyber Threat Intelligence (CTI) as instrumental to “augment the SOC’s ability to identify adversaries and discern their movements from those of authorized users.” The document further states that CTI “moves the SOC from a per-incident approach to an adversary-focused paradigm.”As Cymulate XSPM is designed to provide extensive in-context CTI capabilities and, as such, supports each one of these tactics as briefly broached below.MITRE Strategy 1 - Know what you are protecting and why:XSPM provides a continuously updated situational awareness of the security posture of individual attack vectors, including iteratively observing, orienting, deciding, and acting through:the creation and continuous updater of a composite inventory of all exposed assets through attack surface management, the continuous security posture assessment through production-

2110
A
2 months ago
dan_lisichkin
Employee
dan_lisichkinEmployee
posted in Researchers Feed

Leveraging the Pyramid of Pain and the Diamond Model to do great Threat Hunting Simulations

One of Cymulates greatest features is the Purple Team module. It allows users to create advanced attack scenarios for Threat Hunting scenarios using templates which are the chained sum of the plethora of executions created by Cymulate. Bundled with the Immediate Threat Module, one can create strong Threat Hunting scenarios.But how does one create good threat hunting scenarios and really challenge ones Blue Team and test their capabilities?The Pyramid of Pain Let’s look at the pyramid of pain from a great article written way back in 2014.[1]Designed back in 2013, as a response to the APT 1 report written by Mandiant[2]. It was created as a response to the discussion about the report – people were talking mostly about the host-based indicators and the network-based indicators detection instead of leveraging the information describing the TTPs reported within the report.In short –Hash values – the computed hash values for malware and tools dropped in a compromise, these can be added into

1
idant
Community Manager
3 months ago
Miri Adjiashvili
Employee
Miri AdjiashviliEmployee
posted in Researchers Feed

Request smuggling and request concatenation in SAP NetWeaver, SAP Content Server and SAP Web Dispatcher (CVE-2022-22536)

On February 8th, SAP disclosed several vulnerabilities in the Internet Communication Manager (ICM), a critical component of its NetWeaver Application Servers. One critical vulnerability, named ICMAD (CVE-2022-22536), received a CVSS score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).A remote unauthenticated attacker could exploit this vulnerability by sending a simple HTTP request, and lead to a full system takeover and complete compromise of Confidentiality, Integrity and Availability of the system.While the best mitigation would be to patch the vulnerable servers as soon as possible, the following SAP Notes provide additional information around patch and mitigations:3123396 – [CVE-2022-22536] Request smuggling and request concatenation in SAP NetWeaver, SAP Content Server and SAP Web Dispatcher 3137885 – Workaround for security SAP note 3123396 3138881 – wdisp/additional_conn_close workaround for security SAP note 3123396The Cymulate team published an Advanced Scenario scanner allow

0
Miri Adjiashvili
Employee
4 months ago
Miri Adjiashvili
Employee
Miri AdjiashviliEmployee
posted in Researchers Feed

Local Privilege Escalation Vulnerability in polkit’s pkexec (CVE-2021-4034)

Last week, a local privilege escalation vulnerability was introduced in the Polkit component, affecting every major Linux distribution. Polkit is a component for controlling system-wide privileges in Unix-like operating systems. It allows a non-privileged process to communicate with privileged ones.This memory corruption vulnerability, which got the name PwnKit, exploits a bug in polkit’s pkexec utility where it doesn’t handle the calling parameters count correctly and ends trying to execute environment variables as commands.This easily exploited vulnerability, which received a CVSS score of 7.8, allows any unprivileged user to gain full root privileges on a vulnerable host by exploiting this vulnerability in its default configuration. The exploit to this vulnerability was published and is now available to all.To mitigate this vulnerability, it is necessary to update the operating system and patch this vulnerability. If full patching is not an option at the moment, an example of a temp

1
E
Employee
5 months ago
Miri Adjiashvili
Employee
Miri AdjiashviliEmployee
posted in Researchers Feed

Lateral Movement Use Case - Local Administrator's Password Reuse

As part of the Professional-Services packages we offer our clients, Cymulate’s security experts ran Lateral Movement campaign together with the clients. The main security misconfigurations our team identified were associated with the usage of golden images to deploy new servers and workstations.The usage of golden images can help IT managers to easily deploy new endpoints in the network. By preconfiguring once, the IT team can rest assured the new endpoint will include all the necessary settings and configurations, without the need to configure each new endpoint every time. The problem starts, when the deployment procedure lacks changing the password of the local users on the new endpoint following the deployment.By reusing the token of the local users, especially the local administrator user, a potential threat actor could easily move laterally and reach high risk network areas and critical assets. In severe cases, the Domain Controller’s local administrator password is reused as well

3
N
Employee
5 months ago
Miri Adjiashvili
Employee
Miri AdjiashviliEmployee
posted in Researchers Feed

HTTP Protocol Stack Remote Code Execution Vulnerability (CVE-2022-21907)

In the last Patch Tuesday (Jan, 11th 2022), Microsoft introduced a patch for a critical vulnerability in the HTTP Protocol Stack (http.sys) CVE-2022-21907. This vulnerability, who got a CVSS Base Score of 9.8, allows an unauthenticated attacker to send a specially crafted packet to the server and run malicious code.The affected operating systems include Windows 10, Windows Server 2019 (Builds 1809 and 20H2 or higher) and Windows Server 2022.Windows 10 and Windows server 2019 build 1809 are not vulnerable by default, unless “HTTP Trailer Support” was enabled. It can be checked by querying the registry for a specific key, meaning this configuration is enabled (a temporary mitigation could be deleting this registry value).Windows 10 and Windows server 2019, builds 20H2 or higher, and Windows Server 2022 have “HTTP Trailer Support” enabled by default, making them vulnerable.Cymulate released a small scanner under the “Advanced Scenarios” part of the platform, to help our customers scan the

0
Miri Adjiashvili
Employee
5 months ago
idant
Community Manager
idantCommunity Manager
published in Researchers Feed

Piece of History - AIDS Trojan: The Story Behind the First Ever Ransomware AttackBlog

https://www.makeuseof.com/aids-trojan-the-first-ransomware-attack-in-history/

160
idant
Community Manager
7 months ago
M
Employee
michael_ioffeEmployee
published in Researchers Feed

Cloud penetrations and why it could be difficult to prevent them - Part #2Blog

Let’s talk about another interesting case. I could, for example, create a lambda function, which, in turn, does some sort of activity. It’ll be function, created at your system and running with your level of permissions.For the POC, I’ll make one that simply creates another user upon receiving a specific input.Is this operation logged?  Yes, CloudTrail has “CreateFunction%” event. And there is also “UpdateFunctionConfiguration%” event for updating existent function.But would it be a good point to catch the attacker? Well, it depends. If your organization has limited use of lambda functions, then this would be abnormal activity and would be easily seen in your logs. Yet, if your organization makes heavy use of lambda, then it is far less likely this will be seen as abnormal and because of the nature of the typical development lambda function we are showing, every development activity will trigger a false alarm. So that could easily be missed by a security team. Where else can a maliciou

350
M
Employee
7 months ago
M
Employee
michael_ioffeEmployee
published in Researchers Feed

Cloud penetrations and why it could be difficult to prevent them - Part #1Blog

As workloads have shifted from on-premises to the cloud so too have attacks on cloud infrastructure become a new focus. Not surprising, Cloud services provide many benefits but also demand quite a degree of responsibility, shared responsibility may be “shared” but the responsibility is far greater now.It’s fairly easy to name the main reasons for the vulnerability of cloud components in various organizations but one of my top reasons is misconfigurations. Followed quickly by absence of configurations in logging systems. Cloud is Complex, and Complex systems totally rely on highly configured logging to report any anomalies. Default configurations, coming with so many solutions, rarely can be helpful. As we see too often you must have a certain level of development knowledge within the infrastructure you are about to configure logging for or suffer the consequences of default logging not being enough.Let’s look at some examples. In this article we will stay with AWS as our examples throu

400
M
Employee
7 months ago
idant
Community Manager
idantCommunity Manager
posted in Researchers Feed

ChopChop - A CLI To Help Developers Scanning Endpoints And Identifying Exposition Of Sensitive Services/Files/Folders

ChopChop is a command-line tool for dynamic application security testing on web applications, initially written by the Michelin CERT.Its goal is to scan several endpoints and identify exposition of services/files/folders through the webroot. Checks/Signatures are declared in a config file (by default: chopchop.yml), fully configurable, and especially by developers. https://github.com/michelin/ChopChop 

0
idant
Community Manager
7 months ago
idant
Community Manager
idantCommunity Manager
published in Researchers Feed

Ddosify - High-performance Load Testing Tool

Features Protocol Agnostic - Currently supporting HTTP, HTTPS, HTTP/2. Other protocols are on the way. Scenario-Based - Create your flow in a JSON file. Without a line of code! Different Load Types - Test your system's limits across different load types. Installationddosify is available via Docker, Homebrew Tap, and downloadable pre-compiled binaries from the releases page for macOS, Linux and Windows.

180
idant
Community Manager
7 months ago
idant
Community Manager
idantCommunity Manager
posted in Researchers Feed

Smuggler - An HTTP Request Smuggling / Desync Testing Tool

An HTTP Request Smuggling / Desync testing tool written in Python 3https://github.com/defparam/smuggler.git  

0
idant
Community Manager
7 months ago
R
Employee
raja_wizEmployee
posted in Researchers Feed

Agent Logs on Linux Machine

/usr/share/Cymulate/Agent/AgentLogs  

1
mike_talon
Employee
8 months ago
S
Employee
SashaGEmployee
posted in Researchers Feed

Web-Hacking-Toolkit - A Multi-Platform Web Hacking Toolkit Docker Image With Graphical User Interface (GUI) Support

A multi-platform web hacking toolkit Docker image with Graphical User Interface (GUI) support.https://github.com/signedsecurity/web-hacking-toolkit

0
S
Employee
8 months ago
S
Employee
SashaGEmployee
posted in Researchers Feed

Exploiting Redis Through SSRF Attack

https://infosecwriteups.com/exploiting-redis-through-ssrf-attack-be625682461b

0
S
Employee
8 months ago
Y
Employee
Yahav LevinEmployee
posted in Researchers Feed

PeTeReport - Open-Source Application Vulnerability Reporting Tool

https://github.com/1modm/petereport  PeTeReport (PenTest Report) is an open-source application vulnerability reporting tool designed to assist pentesting/redteaming efforts, by simplifying the task of writing and generation of reports.Focused in product security, the tool help security researchers and pentesters to provide detailed findings, appendix, attack paths and manage a finding template database to avoid wasting time spent in the reporting phase.PeTeReport (PenTest Report) is written in Django and Python 3 with the aim to help pentesters to manage a finding repository, write reports (in Markdown) and generate reports in different formats (HTML, CSV, PDF, Jupyter and Markdown). DocumentationDocumentationInstallation and deployment Docker  DjangoFeatures Customizable reports output  Customizable reports templates  Findings template database  Possibility to add appendix to findings  Possibility to add attack trees Deciduous to findings  HTML Output format  CSV Output format  PDF Ou

0
Y
Employee
8 months ago
Y
Employee
Yahav LevinEmployee
posted in Researchers Feed

DonPAPI - Dumping DPAPI Creds Remotely

https://github.com/login-securite/DonPAPI Dumping relevant information on compromised targets without AV detection DPAPI dumpingLots of credentials are protected by DPAPI.We aim at locating those "secured" credentials, and retrieve them using :User password Domaine DPAPI BackupKey Local machine DPAPI Key (protecting TaskScheduled blob) Currently gathered infoWindows credentials (Task scheduled credentials & a lot more) Windows Vaults Windows RDP credentials AdConnect (still require a manual operation) Wifi key Internet explorer Credentials Chrome cookies & credentials Firefox cookies & credentials VNC passwords mRemoteNG password (with default config)Check for a bit of complianceSMB signing status OS/Domain/Hostname/Ip of the audited scopeOperational useWith local admin account on a host, we can :Gather machine protected DPAPI secrets ScheduledTask that will contain cleartext login/password of the account configured to run the task Wi-Fi passwords Extract Masterkey's hash

0
Y
Employee
8 months ago
Y
Employee
Yahav LevinEmployee
posted in Researchers Feed

Multi-Platform Web Hacking Toolkit Docker Image With Graphical User Interface (GUI) Support

https://github.com/signedsecurity/web-hacking-toolkit InstallationDockerPull the image from Docker Hub:docker pull signedsecurity/web-hacking-toolkitRun a container and attach a shell:docker run --rm -it --name web-hacking-toolkit signedsecurity/web-hacking-toolkit /usr/bin/zshDocker ComposeDocker-Compose can also be used.version: "3.9"services: web-hacking-toolkit: image: signedsecurity/web-hacking-toolkit container_name: web-hacking-toolkit hostname: web-hacking-toolkit stdin_open: true ports: - "22:22" # exposed for GUI support sing SSH with X11 forwarding volumes: - ./data:/root/data restart: unless-stoppedBuild and run container:docker-compose upAttach shell:docker-compose exec web-hacking-toolkit /usr/bin/zshBuild from SourceClone this repository and build the image:git clone https://github.com/signedsecurity/web-hacking-toolkit.git && \cd web-hacking-toolkit && \make buildRun a container an

0
Y
Employee
8 months ago
S
Employee
SashaGEmployee
posted in Researchers Feed

Blue Team Techniques - networkit

Open-source toolkit for large-scale network analysishttps://github.com/networkit/networkit

0
S
Employee
8 months ago
S
Employee
SashaGEmployee
posted in Researchers Feed

Awesome Azure Penetration Testing - Github

Useful tools and resources for penetration testing and securing Microsoft cloud platform Azure.https://github.com/Kyuu-Ji/Awesome-Azure-Pentest

0
S
Employee
8 months ago

Badge winners

  • Conversation Starter
    IG_fillhas earned the badge Conversation Starter
  • Rising star
    Cookiehas earned the badge Rising star
  • Conversation Starter
    Alkemysthas earned the badge Conversation Starter
  • Conversation Starter
    Jeshas earned the badge Conversation Starter
  • Conversation Starter
    antonio_puighas earned the badge Conversation Starter
Show all badges
Terms & ConditionsCookie settings