Security’s Blind Spot: Physical Keyloggers That Bypass Antivirus Entirely

Keyloggers: A Persistent Threat. Nowadays, virtually all digital services rely on logins and authentication, from email inboxes to help desks. These involve login credentials to prove identity, typically at least a username and a password. Initially, this information is confidential from a potential attacker. While a username can be relatively easy to guess in a …

ConsentFix (a.k.a. AuthCodeFix): Detecting OAuth2 Authorization Code Phishing

ConsentFix (a.k.a. AuthCodeFix), first identified by Push Security, is the latest variant of the "fix"-type phishing attacks. In this technique, the adversary tricks the victim into generating an OAuth authorization code that ends up in a localhost URL, by signing in to the Azure CLI application (or another vulnerable application whose registered redirect URI points to localhost). The victim is then instructed to copy that URL and paste it into a phishing website, essentially handing the authorization code to the adversary, who exchanges it for an access token; because the Azure CLI is a public client, no client secret is needed for that exchange. With the access token, the adversary gains access to the victim's Microsoft account.
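One way to hunt for this flow, as an added example that is not part of the original post and not Push Security's code: recognise the localhost URL the victim is told to paste, and correlate each code redemption for a localhost-redirect public client with the preceding interactive sign-in. The simplified log format (`SignInEvent`), the set of watched client IDs beyond the Azure CLI, and the "same host redeems the code within seconds" heuristic are this example's assumptions; the Azure CLI application ID is the publicly documented one.

```python
"""
Added example (not from the original post or from Push Security): a correlation
check for ConsentFix/AuthCodeFix-style OAuth authorization code phishing.

Assumptions not stated on the page: a simplified sign-in log with the fields of
SignInEvent, and the heuristic that a genuine `az login` redeems its code from
the same IP as the browser sign-in within seconds, whereas a phished code is
redeemed by the attacker from elsewhere.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlparse

# Application (client) ID of Microsoft Azure CLI: a public client (no secret)
# whose registered redirect URI is on localhost.
AZURE_CLI_APP_ID = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"

# Public clients with a localhost redirect the lure can abuse. Only the Azure
# CLI entry is a known value; add other such apps in your tenant (assumption).
LOCALHOST_REDIRECT_PUBLIC_CLIENTS = {AZURE_CLI_APP_ID}


def is_pasted_auth_code_url(url: str) -> bool:
    """True if `url` looks like the redirect the victim is told to copy:
    a loopback host carrying an OAuth `code` query parameter."""
    parsed = urlparse(url)
    loopback = parsed.hostname in {"localhost", "127.0.0.1", "::1"}
    return loopback and "code" in parse_qs(parsed.query)


@dataclass(frozen=True)
class SignInEvent:
    time: datetime
    user: str
    app_id: str
    ip: str
    kind: str  # "interactive": code issued in the browser; "token": code redeemed


def find_phished_code_redemptions(events, window=timedelta(minutes=15)):
    """Pair each token redemption for a watched public client with the same
    user's most recent interactive sign-in and flag it when the redeeming IP
    differs from the browser's IP inside `window`."""
    last_interactive = {}  # (user, app_id) -> SignInEvent
    findings = []
    for ev in sorted(events, key=lambda e: e.time):
        if ev.app_id not in LOCALHOST_REDIRECT_PUBLIC_CLIENTS:
            continue
        key = (ev.user, ev.app_id)
        if ev.kind == "interactive":
            last_interactive[key] = ev
        elif ev.kind == "token":
            auth = last_interactive.get(key)
            if auth and ev.time - auth.time <= window and ev.ip != auth.ip:
                findings.append((auth, ev))
    return findings


# Constructed sample data for this example (not real telemetry).
T0 = datetime(2025, 1, 10, 9, 0, 0)
OTHER_APP = "00000000-0000-0000-0000-000000000001"  # hypothetical app ID
SAMPLE_EVENTS = [
    # Genuine `az login`: browser and CLI on the same workstation.
    SignInEvent(T0, "alice@example.com", AZURE_CLI_APP_ID, "203.0.113.10", "interactive"),
    SignInEvent(T0 + timedelta(seconds=4), "alice@example.com", AZURE_CLI_APP_ID, "203.0.113.10", "token"),
    # ConsentFix: Bob signs in at his desk; the code is redeemed 40 s later elsewhere.
    SignInEvent(T0 + timedelta(minutes=5), "bob@example.com", AZURE_CLI_APP_ID, "203.0.113.22", "interactive"),
    SignInEvent(T0 + timedelta(minutes=5, seconds=40), "bob@example.com", AZURE_CLI_APP_ID, "198.51.100.7", "token"),
    # An unwatched application with an IP change: ignored by this check.
    SignInEvent(T0 + timedelta(minutes=6), "bob@example.com", OTHER_APP, "203.0.113.22", "interactive"),
    SignInEvent(T0 + timedelta(minutes=7), "bob@example.com", OTHER_APP, "198.51.100.7", "token"),
]

if __name__ == "__main__":
    for auth, redeem in find_phished_code_redemptions(SAMPLE_EVENTS):
        delta = (redeem.time - auth.time).seconds
        print(f"{auth.user}: code issued to {auth.ip}, redeemed from {redeem.ip} {delta}s later")
```

Expect benign hits from split-tunnel VPNs and from users who sign in on one machine and run the CLI on another; the IP comparison is a starting heuristic, and the window and the watched client list should be tuned to your tenant before this becomes an alert.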

The Detection & Response Chronicles: Exploring Telegram Abuse

Adversaries using popular messaging apps across different attack phases is nothing new. Telegram in particular has been abused constantly by multiple threat actors, favoured for its anonymity, accessibility, resilience and operational advantages. In this blog we explore popular Telegram Bot API methods, review recent campaigns involving Telegram abuse, and provide detection and hunting opportunities.
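A hunting check over proxy logs for Bot API abuse, as an added example that is not part of the original post: Bot API calls go to `https://api.telegram.org/bot<token>/<method>`, and a bot token has the form `<numeric bot id>:<35 characters of [A-Za-z0-9_-]>`, so the token and the method are recoverable from the URL alone. The log line layout, the sample entries and the split into exfiltration and command-polling methods are this example's own constructions; adapt the parser to your proxy's real format.

```python
"""
Added example (not from the original post): hunt for Telegram Bot API use in
web proxy logs and summarise activity per bot token.

Facts used: Bot API calls take the form https://api.telegram.org/bot<token>/<method>
and a bot token is <numeric id>:<35 chars of [A-Za-z0-9_-]>. The log line
format and the sample lines below are constructed for this example.
"""
import re
from collections import defaultdict

# Bot token as it appears in the URL path: "bot" + numeric id + ":" + 35-char secret.
TELEGRAM_BOT_CALL = re.compile(
    r"https?://api\.telegram\.org/bot(?P<token>\d+:[A-Za-z0-9_-]{35})/(?P<method>[A-Za-z]+)"
)

# Methods that push data out of the environment vs. methods that poll for operator input.
EXFIL_METHODS = {"sendMessage", "sendDocument", "sendPhoto", "sendVideo"}
C2_METHODS = {"getUpdates", "getMe"}

# Constructed proxy log: "<timestamp> <src_ip> <user> <http_method> <url> <status> <bytes>"
# Note the web.telegram.org line: a human using Telegram Web, not a bot, and not matched.
SAMPLE_LOG = """\
2025-01-10T09:12:01Z 10.0.0.15 alice GET https://www.example.com/ 200 5123
2025-01-10T09:12:07Z 10.0.0.15 alice POST https://api.telegram.org/bot7391822547:AAF3bQ9Zp2LkXy8vT1cRgH0JmN4oPqWsUv_/sendDocument 200 248113
2025-01-10T09:12:09Z 10.0.0.15 alice GET https://api.telegram.org/bot7391822547:AAF3bQ9Zp2LkXy8vT1cRgH0JmN4oPqWsUv_/getUpdates?offset=0 200 96
2025-01-10T09:13:44Z 10.0.0.42 bob GET https://web.telegram.org/a/ 200 3012
2025-01-10T09:15:02Z 10.0.0.15 alice GET https://api.telegram.org/bot7391822547:AAF3bQ9Zp2LkXy8vT1cRgH0JmN4oPqWsUv_/sendMessage?chat_id=5 200 70
"""


def parse_bot_calls(log_text: str) -> list:
    """Return one record per Bot API call found in the log text."""
    calls = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue  # not in the expected layout; skip rather than guess
        ts, src_ip, user, _http_method, url, _status, size = parts
        m = TELEGRAM_BOT_CALL.search(url)
        if m:
            calls.append({
                "ts": ts, "src": src_ip, "user": user,
                "token": m["token"], "bot_id": m["token"].split(":")[0],
                "method": m["method"], "bytes": int(size),
            })
    return calls


def summarize_by_token(calls: list) -> dict:
    """Group calls per bot token: source hosts, methods, bytes, and whether the
    token is used both to upload (exfil) and to poll for commands (C2)."""
    summary = defaultdict(lambda: {"hosts": set(), "methods": set(), "bytes": 0,
                                   "exfil": False, "c2": False})
    for c in calls:
        s = summary[c["token"]]
        s["hosts"].add(c["src"])
        s["methods"].add(c["method"])
        s["bytes"] += c["bytes"]
        s["exfil"] = s["exfil"] or c["method"] in EXFIL_METHODS
        s["c2"] = s["c2"] or c["method"] in C2_METHODS
    return dict(summary)


if __name__ == "__main__":
    for token, s in summarize_by_token(parse_bot_calls(SAMPLE_LOG)).items():
        bot_id = token.split(":")[0]
        print(f"bot {bot_id}: hosts={sorted(s['hosts'])} methods={sorted(s['methods'])} "
              f"bytes={s['bytes']} exfil={s['exfil']} c2={s['c2']}")
```

The token in the URL is the bot's credential, so treat these log records as sensitive: redact the secret after the colon in tickets and dashboards, and pivot on the numeric bot id instead, which is enough to tie activity on several hosts to one operator.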

Vulnerability Management – Process Perspective

Introduction, Part 2b. In this post, we dive deeper into the HOW of vulnerability management. This post is dedicated to the processes, to provide a comprehensive overview. 1. Processes (Figure 1: Levels [86]). In this chapter, we will have a look at the processes of vulnerability management. The Center for Internet Security defines separate controls …

Detection Engineering: Practicing Detection-as-Code – Documentation – Part 4

Sufficiently documenting our detections is essential in detection engineering, as it provides context around the purpose, detection logic and expected behaviour of each detection rule. Just as important as documenting individual detections is tracking how the overall detection library evolves. In this part we look at how we can tackle both.
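The two concerns named above, documenting each rule and tracking the library over time, in one added example that is not part of the original post or of any project it describes: a required-field contract that every rule must satisfy, and a diff between two snapshots of the library that reports additions, removals and, in particular, logic edits made without a version bump. The field names, the rule layout and the sample rules are this example's own convention; map them onto the rule format you actually use.

```python
"""
Added example (not from the original post): a documentation contract for
detection rules plus a snapshot diff that tracks how the library evolves.

Assumptions: REQUIRED_FIELDS and the rule layout are this example's own
convention, not any particular rule format; sample rules are constructed.
"""
REQUIRED_FIELDS = {
    "id", "title", "description", "logic", "data_sources",
    "false_positives", "severity", "references", "version", "changelog",
}
SEVERITIES = {"informational", "low", "medium", "high", "critical"}


def validate_rule(rule: dict) -> list:
    """Return the documentation problems of one rule (empty list means it passes)."""
    problems = [f"missing field: {f}" for f in sorted(REQUIRED_FIELDS - rule.keys())]
    if rule.get("severity") not in SEVERITIES:
        problems.append(f"unknown severity: {rule.get('severity')!r}")
    if not rule.get("false_positives"):
        problems.append("false_positives is empty: list known benign triggers or state 'none known'")
    changelog = rule.get("changelog") or []
    if changelog and changelog[-1]["version"] != rule.get("version"):
        problems.append("changelog does not end with the current version")
    return problems


def audit_library(library: dict) -> dict:
    """Map rule id -> problems, for rules that fail validation."""
    return {rid: validate_rule(r) for rid, r in library.items() if validate_rule(r)}


def diff_library(old: dict, new: dict) -> dict:
    """Compare two snapshots {rule_id: rule}; 'unversioned_changes' are rules
    whose logic changed while the version stayed the same, i.e. untracked edits."""
    common = old.keys() & new.keys()
    changed = sorted(r for r in common
                     if old[r]["logic"] != new[r]["logic"] or old[r]["version"] != new[r]["version"])
    silent = sorted(r for r in changed
                    if old[r]["logic"] != new[r]["logic"] and old[r]["version"] == new[r]["version"])
    return {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "changed": changed,
        "unversioned_changes": silent,
    }


# Constructed sample rules (hypothetical ids and logic, for illustration only).
RULE_0001_V1 = {
    "id": "DET-0001",
    "title": "Telegram Bot API call from a workstation",
    "description": "Requests to api.telegram.org/bot<token>/ from user endpoints, used for exfiltration and C2.",
    "logic": "url matches 'api.telegram.org/bot*' and src_zone == 'workstations'",
    "data_sources": ["proxy"],
    "false_positives": ["SOC-operated bots, allow-listed by bot id"],
    "severity": "high",
    "references": ["https://core.telegram.org/bots/api"],
    "version": "1.0.0",
    "changelog": [{"version": "1.0.0", "note": "initial"}],
}
RULE_0001_V2 = {
    **RULE_0001_V1,
    "logic": RULE_0001_V1["logic"] + " and method in ('sendDocument', 'getUpdates')",
    "version": "1.1.0",
    "changelog": RULE_0001_V1["changelog"] + [{"version": "1.1.0", "note": "narrowed to exfil/C2 methods"}],
}
RULE_0002_V1 = {
    **RULE_0001_V1,
    "id": "DET-0002",
    "title": "OAuth code redeemed from a second IP",
    "description": "Public-client authorization code redeemed from an IP other than the browser sign-in.",
    "logic": "token_ip != interactive_ip and delta < 15m",
    "data_sources": ["sign-in logs"],
    "false_positives": ["split-tunnel VPN users"],
    "references": [],
}
# Logic edited, version and changelog untouched: passes validation, caught only by the diff.
RULE_0002_SILENT = {**RULE_0002_V1, "logic": "token_ip != interactive_ip and delta < 60m"}
# New rule committed without its documentation.
RULE_0003_BARE = {"id": "DET-0003", "title": "Draft rule", "logic": "x == 1", "version": "0.1.0"}

OLD_LIBRARY = {"DET-0001": RULE_0001_V1, "DET-0002": RULE_0002_V1}
NEW_LIBRARY = {"DET-0001": RULE_0001_V2, "DET-0002": RULE_0002_SILENT, "DET-0003": RULE_0003_BARE}

if __name__ == "__main__":
    print("documentation problems:", audit_library(NEW_LIBRARY))
    print("library changes:", diff_library(OLD_LIBRARY, NEW_LIBRARY))
```

Run both checks in CI on every pull request: the validator blocks undocumented rules, and the diff against the last release turns "the library changed somehow" into a reviewable list, with the unversioned edits as the ones to send back.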