4 Trends for Cloud Security in 2022

The migration from an on-premises environment towards the public cloud started years ago and is still going on. Both governmental agencies and business organizations are in the journey of migrating and maturing their cloud environments[SW1] , pulled by the compelling need for streamlining, scaling, and improving their production. It won’t potentially come as a surprise but … Continue reading 4 Trends for Cloud Security in 2022

Kernel Karnage – Part 8 (Getting Around DSE)

When life gives you exploits, you turn them into Beacon Object Files. 1. Back to BOFs I never thought I would say this, but after spending so much time in kernel land, it’s almost as if developing kernel functionality is easier than writing user land applications, especially when they need to fly under the radar. … Continue reading Kernel Karnage – Part 8 (Getting Around DSE)

Kernel Karnage – Part 7 (Out of the Lab and Back to Reality)

This week I emerge from the lab and put on a different hat. 1. Switching hats With Interceptor being successful in blinding $vendor2 sufficiently to run a meterpreter reverse shell, it is time to put on the red team hat and get out of the perfect lab environment. To do just that, I had to … Continue reading Kernel Karnage – Part 7 (Out of the Lab and Back to Reality)

Kernel Karnage – Part 6 (Last Call)

With the release of this blogpost, we’re past the halfway point of my internship; time flies when you’re having fun. 1. Introduction - Status Report In the course of these 6 weeks, I’ve covered several aspects of kernel drivers and EDR/AVs kernel mechanisms. I started off strong by examining kernel callbacks and why EDR/AV products … Continue reading Kernel Karnage – Part 6 (Last Call)

DORA and ICT Risk Management: how to self-assess your compliance

TL;DR – In this blogpost, we will give you an introduction to the key requirements associated with the Risk Management Framework introduced by DORA (Digital Operational Resilience Act);  More specifically, throughout this blogpost we will try to formulate an answer to following questions: What are the key requirements associated with the Risk Management Framework of DORA?What … Continue reading DORA and ICT Risk Management: how to self-assess your compliance

Kernel Karnage – Part 5 (I/O & Callbacks)

After showing interceptor's options, it’s time to continue coding! On the menu are registry callbacks, doubly linked lists and a struggle with I/O in native C. 1. Interceptor 2.0 Until now, I relied on the Evil driver to patch kernel callbacks while I attempted to tackle $vendor2, however the Evil driver only implements patching for … Continue reading Kernel Karnage – Part 5 (I/O & Callbacks)

Cobalt Strike: Decrypting DNS Traffic – Part 5

Cobalt Strike beacons can communicate over DNS. We show how to decode and decrypt DNS traffic in this blog post. This series of blog posts describes different methods to decrypt Cobalt Strike traffic. In part 1 of this series, we revealed private encryption keys found in rogue Cobalt Strike packages. In part 2, we decrypted … Continue reading Cobalt Strike: Decrypting DNS Traffic – Part 5

The digital operational resilience act (DORA): what you need to know about it, the requirements and challenges we see.

TL;DR – In this blogpost, we will give you an introduction to DORA, as well as how you can prepare yourself to be ready for it. More specifically, throughout this blogpost we will try to formulate an answer to following questions: What is DORA and what are the key requirements of DORA?What are the biggest challenges … Continue reading The digital operational resilience act (DORA): what you need to know about it, the requirements and challenges we see.

Kernel Karnage – Part 4 (Inter(ceptor)mezzo)

To make up for the long wait between parts 2 and 3, we're releasing another blog post this week. Part 4 is a bit smaller than the others, an intermezzo between parts 3 and 5 if you will, discussing interceptor. 1. RTFM & W(rite)TFM! The past few weeks I spent a lot of time getting … Continue reading Kernel Karnage – Part 4 (Inter(ceptor)mezzo)

Cobalt Strike: Decrypting Obfuscated Traffic – Part 4

Encrypted Cobalt Strike C2 traffic can be obfuscated with malleable C2 data transforms. We show how to deobfuscate such traffic. This series of blog posts describes different methods to decrypt Cobalt Strike traffic. In part 1 of this series, we revealed private encryption keys found in rogue Cobalt Strike packages. In part 2, we decrypted … Continue reading Cobalt Strike: Decrypting Obfuscated Traffic – Part 4