COMMSEC: Kubernetes Security Detection Engineering – Mapping Back to MITRE ATT&CK Matrix

Kubernetes has become the de facto way of running containerized workloads, from startups to enterprises and governments. However, like most modern technology, it is not mature, especially with regard to security. Given its immutable nature, with events unfolding in a matter of seconds, security detection and incident response are very hard to perform. In […]

COMMSEC: The Return of Stack Overflows in the Linux Kernel

PRESENTATION SLIDES (PDF) This talk starts with an overview of the latest Linux CVEs that involve the kernel stack, explaining why they cannot be exploited without softening certain Linux security controls. For instance, overwriting the return address is unlikely without corrupting the stack canary, while exploitation through syscalls must be done in one shot to […]

COMMSEC: Feeding Gophers to Ghidra

PRESENTATION SLIDES (PDF) Golang malware is becoming increasingly prevalent, requiring analysts to understand how to effectively analyse such files without diving into the myriad of rabbit holes one encounters along the way. Based on Dorka Palotay's work, I've created several Java-based scripts to improve Ghidra's handling of Golang binaries. To be […]

COMMSEC: Red Wizard – A User-friendly Infrastructure for Red Teams

PRESENTATION SLIDES (PDF) Repeatable, OPSEC-safe infrastructure is the bread and butter of every serious Red Team. However, the publicly available deployments are either quite limited or not user-friendly for administrators and Red Team operators alike. This demands additional time and work from infrastructure maintainers and operators that could instead have gone into testing your […]

COMMSEC: Nomadic Honeypots: How to Create Actionable CTI

PRESENTATION SLIDES (PDF) We introduce a practical example of a game-changing concept called Automated Moving Target Defense (AMTD), where a dynamic fog of war is added on the defender side through deceptive response and nomadic honeypots. Thanks to our massive global infrastructure of honeypots in more than 50 countries (low to high interaction), we've […]

COMMSEC: Exploring JARM – An Active TLS Fingerprinting Algorithm

PRESENTATION SLIDES (PDF) JARM is an active TLS fingerprinting algorithm developed by Salesforce. The algorithm can be used to cluster servers with similar TLS configurations, identify default application settings, and hunt for malware C&C servers and other malicious servers. It works by sending 10 specially crafted TLS Client Hello requests, each with different options, probing the […]

COMMSEC: All You Always Wanted to Know About AntiViruses

PRESENTATION SLIDES (PDF) This talk presents research results on the internals of Antiviruses (AVs). The main goal is to demystify how AVs operate and to clarify the impact of AV project decisions on the security of users and companies. To do so, I analyzed multiple real, commercial AVs targeting the Windows, Linux, and Android platforms. Based […]

COMMSEC LAB: Developing Malicious Kernel Drivers

LAB SLIDES / MATERIALS (PDF) You know what really grinds my gears? Having everything thought out for a red team action, and then being detected by modern EDR. Especially when simulating APTs and staying unobtrusive in the network for extended periods of time. Over the years we've moved from PowerShell one-liners to LOLBINS, from LOLBINS […]