Backdooring Android Apps for Dummies

TL;DR - In this post, we'll explore some mobile malware: how to create them, what they can do, and how to avoid them. Are you interested in learning more about how to protect your phone from shady figures? Then this blog post is for you. Introduction We all know the classic ideas about security on …

Detecting the sudden appearance of events with ee-outliers and Elasticsearch

Recently, for our open-sourced ee-outliers framework, we released a new outlier model capable of detecting the sudden appearance of one or multiple field values of an Elasticsearch event. For example, this model could spot new TLDs that are suddenly being contacted (DNS/SSL) and communicating with C2 domains. It could also detect an executable that suddenly …

EDR: an overview of visibility improvements and economic benefits

Endpoint Detection and Response (EDR) is one of the most talked about cybersecurity topics in the last few years; it is on the agenda of most security officers as one of the first improvements to embrace in their organization, if not yet done. Why, though? What has made EDR the number one must-have security solution? …

Debugging DLL’s – 3 techniques to help you get started

During some redteam engagements, we find ourselves in the need of writing DLL's. However, debugging DLL's is not as easy as it seems, as a DLL isn't built to run on its own.In this article, we will explore how you can debug a DLL effectively. What is a DLL? A DLL is short for a …

Testing Ripple20: A closer look and proof of concept script for CVE-2020-11898

TL;DR: We use a proof of concept script to attack a Digi Connect ME 9210 device affected by CVE-2020-11898, part of the newly-released Ripple20 series of vulnerabilities. Ripple20 In June 2020, JSOF released information about a series of 19 vulnerabilities dubbed "Ripple20". Ripple20 affects the popular Treck network stack, which is used by many connected …

Using Word2Vec to spot anomalies while Threat Hunting using ee-outliers

Introduction In this blog post, we want to introduce the user to the concept of using Machine Learning techniques designed to originally spot anomalies in written (English) sentences, and instead apply them to support the Threat Analyst in spotting anomalies in security events. The basic idea behind this is that we try to identify sentences …

Under the hood: Hiding data in JPEG images

Ever wondered how tools like ExifTool or stegano programs work under the hood? Ever wanted to create your own program to embed secret data into images? In this is a short blog post on how to embed secret data in image files. This is something you can do as a party trick, some sort of …

Why Crisis management exercises (still) work

Do you know that feeling, when you think you did a great job, and suddenly you look at it with a new perspective and only then you realize in terror that it was not at all as good as you thought? I do. One of the things our Cyberculture team does is War Games. Crisis …

Introducing IOXY: an open-source MQTT intercepting proxy

TL;DR: IOXY is an open source MQTT intercepting proxy, developed by NVISO for our IoT pentest needs, and now available on GitHub. Features include a GUI, live packet interception and modification and MQTTS support. The need for IOXY In the web and mobile application worlds, intercepting proxies like Burp and OWASP ZAP occupy a central …

Unmanaged file searching with Filesearcher.exe

During our red team engagements, we are often reliant on a command and control infrastructure. Typically these infrastructures are capable of loading .NET assemblies in memory, which gave me the idea of coding a filesearcher assembly. This was partially invented because of a CTF event I was participating in which had me hunting several file …