Vulnerability Exploitation


DNS Tunneling part2

Living off the land

A VBA macro in an Excel file is a common entry point for an attacker to gain initial access to a victim system. This second part of the DNS tunneling series shows how DNS can be abused to open a reverse shell when a VBA macro is executed on the victim system.

March 2023

DLL Sideloading

Persistence

DLL sideloading is a technique attackers use to trick a legitimate application into loading a malicious DLL. Many applications load a .dll to use some of its functions without performing any security check on the DLL being loaded. DLL sideloading can help an attacker evade some host-based detection, and it is a way to achieve persistence or lateral movement.

December 2022

DNS Tunneling

Post-Exploitation

The Domain Name System was created in the early days of the Internet, and the DNS tunneling attack method is not a recent discovery; it has been around for a long time. Although it is an old and well-known technique, many organizations still have difficulty detecting and preventing it. Adversaries usually use DNS tunneling for data exfiltration, but in some recent malicious activities DNS tunneling has also been used to beacon to a Command & Control server and execute commands or payloads.

September 2022

Named Pipes

Post-Exploitation

Named pipes are a Windows feature used for interprocess communication (IPC). They can be used to load a backdoor into memory or inject into a process. Named pipes let local processes communicate with each other, similar to a TCP session between a client and a server, and they can provide a communication channel between processes on the same computer or between processes on different computers across a network.

April 2022

Local File Inclusion

Web exploitation

A Local File Inclusion (LFI) is a way to access local files on the web server that the user is not supposed to be able to read. Enumerating the local files of the web server can reveal confidential documents or information. This article shows an example of exploiting a local file inclusion vulnerability.

February 2022

Buffer Overflow - Ret2LibC

Binary Exploitation

Many protections exist against buffer overflow vulnerabilities. Among them, the NX bit makes the stack non-executable, and ASLR randomizes the start location of the stack so that the attacker cannot determine precisely which address to place in the RIP register to control program execution. Ret2libc is a buffer overflow technique that bypasses some of these protections: it uses the C library to determine the exact address of a specific function, for example system() together with a "/bin/sh" string, to open a shell.

November 2021

Buffer Overflow

Binary Exploitation

A buffer overflow occurs when a program writes more data than a buffer can hold, overwriting adjacent memory locations. Overwriting those memory locations may give the attacker a chance to take control of the program's execution.

September 2021

PowerShell & .NET

Living off the land

After getting several alerts from FireEye HX regarding a suspicious .dll file coming from the process csc.exe, I decided to dig into that subject. After doing an Enterprise Search in FireEye for the process name "csc.exe", I found that PowerShell.exe is often its parent process. This article aims to understand what exploits are possible by compiling C# code with PowerShell.

January 2021

DGHack 2020 - Walter's Blog

Capture the flag organized by DGA

This cybersecurity challenge was organized by the DGA (Direction Générale de l'Armement) in November 2020. The challenges covered web, cryptography, digital investigation, reverse engineering and exploitation.

November 2020