OWA Breach detection script

Posted on : by : Lion

I made a quick an dirty detection script within incident response that searches a bit deeper for LSASS dumps and other artefacts from attackers. Update 08.12: This script does not detect artefacts used in current attacks (late october till now)!Read More

How Microsoft (could) spy on you with Outlook for Android

Posted on : by : Lion

Due to a server issue on my mail server I had to put the dovecot, a mail-server for Linux, in debug mode. Meaning that from now on it logs whatsoever happens on the machine for troubleshooting.

My problem wasRead More

Suspicious activities you can hunt for in the external e-mail communication

Posted on : by : Lion

Companies are focusing a lot of time trying to secure the email system against attacks from the outside, like (spear-) phishing, malware and other threats. A customer asked me today for ideas for threats he could hunt for in hisRead More

Requirements for chainoffools CVE-2020-0601 POC exploit

Posted on : by : Lion

Short list of stuff you need to get the POC running pip3 install fastecdsa apt-get install openssl sudo apt install python-dev libgmp3-dev apt-get install libmpc-dev pip3 install gmpy2 POC: https://github.com/kudelskisecurity/chainoffools

Notepad.exe fail fast while accessing ADS streams

Posted on : by : Lion

Today i want to share with you a “bug” in notepad.exe that you might want to play around with and look what really happens, might be a intersting little reversing project. My limited time currently does not allow me toRead More


Posted on : by : Lion

There is a privilege escalation vulnerability in the Windows Certificate Dialog allowing an attacker to easily elevate privileges to NT AUTHORITY\SYSTEM, it is documented as CVE-2019-1388. This is a good video demonstrating the issue: https://www.youtube.com/watch?v=3BQKpPNlTSo in this case they useRead More

App.Any.Run Heavy Anti-Evasion easy bypass

The goal of the research was to create a small dropper that creates no detection within the famous App.Any.Run Sandbox solution but can still determine if its running in the sandbox or not.For now, i cant tell if that alsoRead More

Empire C&C server detection

Posted on by : Lion Tags: , ,

While currently attending SANS SEC660 we did play a lot with empire post exploitation framework on the second day. So i used the time between the lab challenges today to play a bit with the C&C server. Detect Empire C&CRead More

Cyber Defense NetWars Review Tokio 2019

Posted on : by : Lion

“I am the watcher of the walls, i am the sword in the darkness” While attending the SANS course SEC660, Advanced Penetration Testing, Exploit Writing, and Ethical Hacking in Tokyo, i also took part in the Cyber Defense NetWars challenge.Read More