Threat Research Blog

Finding Bugs in Windows Drivers, Part 1 – WDM

Finding vulnerabilities in Windows drivers was always a highly sought-after prize by sophisticated threat actors, game cheat writers and red teamers. As you probably know, every bug in a driver...

Read Article
Conti Group Leaked!

The conflict in Ukraine has driven significant attention from the cybersecurity community, due in large part to the cyber attacks conducted against Ukraine infrastructure — including evidence of...

Read Article
Gartner Names CyberArk a Leader in the 2021 Magic Quadrant for PAM
Download Now
How Docker Made Me More Capable and the Host Less Secure

TL;DR After Docker released a fix [1] for CVE-2021-21284 [2], it unintentionally created a new vulnerability that allows a low-privileged user on the host to execute files from Docker images....

Read Article
Checking for Vulnerable Systems for CVE-2021-4034 with PwnKit-Hunter

What is PwnKit Vulnerability CVE-2021-4034? On January 25th, 2022, a critical vulnerability in polkit’s pkexec was publicly disclosed (link). The Qualys research team named this vulnerability...

Read Article
Analyzing Malware with Hooks, Stomps and Return-addresses

Table of Contents Introduction The First Detection The Module Stomp Bypass The Module Stomp Detection Final Thoughts Introduction This is the second post in my series and with this post we will...

Read Article
Attacking RDP from Inside: How we abused named pipes for smart-card hijacking, unauthorized file system access to client machines and more

In this blog post we are going to discuss the details of a vulnerability in Windows Remote Desktop Services, which we recently uncovered. We reported the vulnerability to Microsoft in a...

Read Article
Don’t Trust This Title: Abusing Terminal Emulators with ANSI Escape Characters

One day, while I was working on OpenShift, a Kubernetes distribution by RedHat focused on developer experience and application security, I noticed that I was able to inject ANSI escape characters...

Read Article
Hook Heaps and Live Free

I wanted to write this blog post to talk a bit about Cobalt Strike, function hooking and the Windows heap. We will be targeting BeaconEye (https://github.com/CCob/BeaconEye) as our detection tool...

Read Article
Cloud Shadow Admins Revisited in Light of Nobelium

A recently detected attack campaign involving threat actor Nobelium has caught our attention due to an attack vector our team has previously researched – Cloud Shadow Admins – that the adversary...

Read Article
Cracking WiFi at Scale with One Simple Trick

How I Cracked 70% of Tel Aviv’s Wifi Networks (from a Sample of 5,000 Gathered WiFi). In the past seven years that I’ve lived in Tel Aviv, I’ve changed apartments four times. Every time I...

Read Article
Fuzzing RDP: Holding the Stick at Both Ends

Introduction This post describes the work we’ve done on fuzzing the Windows RDP client and server, the challenges of doing so, and some of the results. The Remote Desktop Protocol (RDP) by...

Read Article
FickerStealer: A New Rust Player in the Market

This blog introduces a new information stealer, written in Rust and interestingly named FickerStealer. In this blog post, we provide an in-depth analysis of this new threat and its obfuscation...

Read Article
Bypassing Windows Hello Without Masks or Plastic Surgery

Biometric authentication is beginning to see rapid adoption across the enterprise as organizations look to incorporate passwordless solutions to help mitigate the numerous security risks inherent...

Read Article
Best Defense? Our Red Team Lead Reveals 4 MFA Bypass Techniques

Digital transformation, widespread remote work due to the COVID-19 pandemic and ever-increasing reliance on cloud services and infrastructure have all contributed to new enterprise access...

Read Article
Attacking Kubernetes Clusters Through Your Network Plumbing: Part 2

In Part 1 of this blog post, we discussed attack vectors that utilize the different features of the devices that network plugins use, such as bridge devices and tunneling devices (VXLAN in...

Read Article
Virtual Cloak: Virtualization as Malware

Virtualization is a double-edged sword The glorious rise of the cloud in recent years could be attributed to the gradual advancement of many different technologies, both hardware and software...

Read Article
Kubesploit: A New Offensive Tool for Testing Containerized Environments

In this blog post, we will introduce a new open-source tool we developed, named Kubesploit, for testing Kubernetes environments. This is a full framework, dedicated to Kubernetes, to assist...

Read Article
The Mysterious Realm of JavaScriptCore

TL;DR JavaScriptCore (JSC) is the JavaScript engine used by Safari, Mail, App Store and many other apps in MacOs. The JSC engine is responsible for executing every line of JavaScript (JS) that...

Read Article
Kinsing: The Malware with Two Faces

Lately, we’ve been busy researching the developing field of cloud and container threats. Why focus here? Because, as this technology becomes more popular and continues to evolve, attackers are...

Read Article
The Strange Case of How We Escaped the Docker Default Container

TL;DR During an internal container-based Red Team engagement, the Docker default container spontaneously and silently changed cgroups overnight, which allowed us to escalate privileges and gain...

Read Article
Loading More...

Threat Research Blog

Finding Bugs in Windows Drivers, Part 1 – WDM

Finding vulnerabilities in Windows drivers was always a highly sought-after prize by sophisticated threat actors, game cheat writers and red teamers. As you probably know, every bug in a driver...

Conti Group Leaked!

The conflict in Ukraine has driven significant attention from the cybersecurity community, due in large part to the cyber attacks conducted against Ukraine infrastructure — including evidence of...

How Docker Made Me More Capable and the Host Less Secure

TL;DR After Docker released a fix [1] for CVE-2021-21284 [2], it unintentionally created a new vulnerability that allows a low-privileged user on the host to execute files from Docker images....

Checking for Vulnerable Systems for CVE-2021-4034 with PwnKit-Hunter

What is PwnKit Vulnerability CVE-2021-4034? On January 25th, 2022, a critical vulnerability in polkit’s pkexec was publicly disclosed (link). The Qualys research team named this vulnerability...

Analyzing Malware with Hooks, Stomps and Return-addresses

Table of Contents Introduction The First Detection The Module Stomp Bypass The Module Stomp Detection Final Thoughts Introduction This is the second post in my series and with this post we will...

Attacking RDP from Inside: How we abused named pipes for smart-card hijacking, unauthorized file system access to client machines and more

In this blog post we are going to discuss the details of a vulnerability in Windows Remote Desktop Services, which we recently uncovered. We reported the vulnerability to Microsoft in a...

Don’t Trust This Title: Abusing Terminal Emulators with ANSI Escape Characters

One day, while I was working on OpenShift, a Kubernetes distribution by RedHat focused on developer experience and application security, I noticed that I was able to inject ANSI escape characters...

Hook Heaps and Live Free

I wanted to write this blog post to talk a bit about Cobalt Strike, function hooking and the Windows heap. We will be targeting BeaconEye (https://github.com/CCob/BeaconEye) as our detection tool...

Cloud Shadow Admins Revisited in Light of Nobelium

A recently detected attack campaign involving threat actor Nobelium has caught our attention due to an attack vector our team has previously researched – Cloud Shadow Admins – that the adversary...

Cracking WiFi at Scale with One Simple Trick

How I Cracked 70% of Tel Aviv’s Wifi Networks (from a Sample of 5,000 Gathered WiFi). In the past seven years that I’ve lived in Tel Aviv, I’ve changed apartments four times. Every time I...

Fuzzing RDP: Holding the Stick at Both Ends

Introduction This post describes the work we’ve done on fuzzing the Windows RDP client and server, the challenges of doing so, and some of the results. The Remote Desktop Protocol (RDP) by...

FickerStealer: A New Rust Player in the Market

This blog introduces a new information stealer, written in Rust and interestingly named FickerStealer. In this blog post, we provide an in-depth analysis of this new threat and its obfuscation...

Bypassing Windows Hello Without Masks or Plastic Surgery

Biometric authentication is beginning to see rapid adoption across the enterprise as organizations look to incorporate passwordless solutions to help mitigate the numerous security risks inherent...

Best Defense? Our Red Team Lead Reveals 4 MFA Bypass Techniques

Digital transformation, widespread remote work due to the COVID-19 pandemic and ever-increasing reliance on cloud services and infrastructure have all contributed to new enterprise access...

Attacking Kubernetes Clusters Through Your Network Plumbing: Part 2

In Part 1 of this blog post, we discussed attack vectors that utilize the different features of the devices that network plugins use, such as bridge devices and tunneling devices (VXLAN in...

Virtual Cloak: Virtualization as Malware

Virtualization is a double-edged sword The glorious rise of the cloud in recent years could be attributed to the gradual advancement of many different technologies, both hardware and software...

Kubesploit: A New Offensive Tool for Testing Containerized Environments

In this blog post, we will introduce a new open-source tool we developed, named Kubesploit, for testing Kubernetes environments. This is a full framework, dedicated to Kubernetes, to assist...

The Mysterious Realm of JavaScriptCore

TL;DR JavaScriptCore (JSC) is the JavaScript engine used by Safari, Mail, App Store and many other apps in MacOs. The JSC engine is responsible for executing every line of JavaScript (JS) that...

Kinsing: The Malware with Two Faces

Lately, we’ve been busy researching the developing field of cloud and container threats. Why focus here? Because, as this technology becomes more popular and continues to evolve, attackers are...

The Strange Case of How We Escaped the Docker Default Container

TL;DR During an internal container-based Red Team engagement, the Docker default container spontaneously and silently changed cgroups overnight, which allowed us to escalate privileges and gain...