Debugging DLL’s – 3 techniques to help you get started

During some redteam engagements, we find ourselves in the need of writing DLL’s. However, debugging DLL’s is not as easy as it seems, as a DLL isn’t built to run on its own.In this article, we will explore how you can debug a DLL effectively. What is a DLL? A DLL is short for a …

The Rise of Adversary Emulation

In this blog post, we will discuss a fairly new concept that has been gaining a lot of traction recently: Adversary Emulation. Adversary emulation aims to test a network‚Äôs resilience against advanced attackers or advanced persistent threats (APTs). To do so, the adversary‚Äôs tactics, techniques, and procedures (TTPs) are emulated along the cyber kill chain, …

Compiling Our Python Decompiler

Following the feedback we get for our py2exe decompiler¬†(a decompiler for Windows executables created by py2exe1), we noticed that there is a community need for this tool. Most of the feedback comments are requests for help related to missing dependencies and similar problems. However, a couple of months ago, there had been an API-breaking release …

Intercepting Belgian eID (PKCS#11) traffic with Burp Suite on OS X / Kali / Windows

TL;DR: You can configure Burp to use your PKCS#11 (or Belgian eID) card to set up client-authenticated SSL sessions, which you can then intercept and modify. This blog post shows how you can easily view and modify your¬†own, local traffic.¬† In order to complete this tutorial, you still need a valid eID card, and the …

Intercepting HTTPS Traffic from Apps on Android 7+ using Magisk & Burp

Intercepting HTTPS traffic is a necessity with any mobile security assessment. By adding a custom CA to Android, this can easily be done. As of Android Nougat, however, apps don’t trust client certificates anymore unless the app explicitly enables this. In this blogpost, we present a new¬†Magisk module, that circumvents this requirement, by automatically adding …

Malicious PowerPoint Documents Abusing Mouse Over Actions

A new type of malicious MS Office document has appeared: a PowerPoint document that executes a PowerShell command by hovering over a link with the mouse cursor (this attack does not involve VBA macros). In this blogpost, we will show how to analyze such documents with free, open-source tools. As usual in attacks involving malicious …

Using binsnitch.py to detect files touched by malware

Yesterday, we released binsnitch.py – a tool you can use to detect unwanted changes to the file sytem. The tool and documentation is available here: https://github.com/NVISO-BE/binsnitch. Binsnitch can be used to detect silent (unwanted) changes to files on your system. It will scan a given directory recursively for files and keep track of any changes it detects, based …