Threat Research Blog

Decentralized Identity Attack Surface – Part 1

Introduction Who are you? That’s a hard question to answer. Many philosophers have been fascinated with this question for years. Who are you in cyberspace? Your digital identity is comprised of...

Read Article
CyberArk Named a Leader in the 2022 Gartner® Magic Quadrant™ for Privileged Access Management – again.
View the Report
Fantastic Rootkits: And Where to Find Them (Part 1)

Introduction In this blog series, we will cover the topic of rootkits — how they are built and the basics of kernel driver analysis — specifically on the Windows platform. In this first part, we...

Read Article
Colorful Vulnerabilities

Our love for gaming alongside finding bugs led us back to the good ol’ question: Is it true that the more RGB colors you have (except for your gaming chair, of course), the more skill...

Read Article
Understanding Windows Containers Communication

Several years ago, when I spoke with people about containers, most of them were not familiar with the term. Today, it is unquestionably one of the most popular technologies being used in DevOps...

Read Article
Trust Me, I’m a Robot: Can We Trust RPA With Our Most Guarded Secrets?

In our complicated and challenging enterprise world, trust is not just important — it’s a vital link in the long chain of enterprise success. If you’ve ever managed people who didn’t trust one...

Read Article
Inside Matanbuchus: A Quirky Loader

An in-depth analysis of Matanbuchus loader’s tricks and loading techniques Matanbuchus is a Malware-as-a-Service loader that has been sold on underground markets for more than one year....

Read Article
That Pipe is Still Leaking: Revisiting the RDP Named Pipe Vulnerability

On January 11, 2022, we published a blog post describing the details of CVE-2022-21893, a Remote Desktop vulnerability that we found and reported to Microsoft. After analyzing the patch that fixed...

Read Article
Go BLUE! A Protection Plan for Credentials in Chromium-based Browsers

In my previous blog post (here), I described a technique to extract sensitive data (passwords, cookies) directly from the memory of a Chromium-based browser’s [CBB] process. Google’s response to...

Read Article
Extracting Clear-Text Credentials Directly From Chromium’s Memory

This research was initiated accidentally. After “mini-dumping” all active Chrome.exe processes for another research project, I decided to see if a password that I recently typed in the browser...

Read Article
Finding Bugs in Windows Drivers, Part 1 – WDM

Finding vulnerabilities in Windows drivers was always a highly sought-after prize by sophisticated threat actors, game cheat writers and red teamers. As you probably know, every bug in a driver...

Read Article
Conti Group Leaked!

The conflict in Ukraine has driven significant attention from the cybersecurity community, due in large part to the cyber attacks conducted against Ukraine infrastructure — including evidence of...

Read Article
How Docker Made Me More Capable and the Host Less Secure

TL;DR After Docker released a fix [1] for CVE-2021-21284 [2], it unintentionally created a new vulnerability that allows a low-privileged user on the host to execute files from Docker images....

Read Article
Checking for Vulnerable Systems for CVE-2021-4034 with PwnKit-Hunter

What is PwnKit Vulnerability CVE-2021-4034? On January 25th, 2022, a critical vulnerability in polkit’s pkexec was publicly disclosed (link). The Qualys research team named this vulnerability...

Read Article
Analyzing Malware with Hooks, Stomps and Return-addresses

Table of Contents Introduction The First Detection The Module Stomp Bypass The Module Stomp Detection Final Thoughts Introduction This is the second post in my series and with this post we will...

Read Article
Attacking RDP from Inside: How we abused named pipes for smart-card hijacking, unauthorized file system access to client machines and more

In this blog post we are going to discuss the details of a vulnerability in Windows Remote Desktop Services, which we recently uncovered. We reported the vulnerability to Microsoft in a...

Read Article
Don’t Trust This Title: Abusing Terminal Emulators with ANSI Escape Characters

One day, while I was working on OpenShift, a Kubernetes distribution by RedHat focused on developer experience and application security, I noticed that I was able to inject ANSI escape characters...

Read Article
Hook Heaps and Live Free

I wanted to write this blog post to talk a bit about Cobalt Strike, function hooking and the Windows heap. We will be targeting BeaconEye (https://github.com/CCob/BeaconEye) as our detection tool...

Read Article
Cloud Shadow Admins Revisited in Light of Nobelium

A recently detected attack campaign involving threat actor Nobelium has caught our attention due to an attack vector our team has previously researched – Cloud Shadow Admins – that the adversary...

Read Article
Cracking WiFi at Scale with One Simple Trick

How I Cracked 70% of Tel Aviv’s Wifi Networks (from a Sample of 5,000 Gathered WiFi). In the past seven years that I’ve lived in Tel Aviv, I’ve changed apartments four times. Every time I...

Read Article
Fuzzing RDP: Holding the Stick at Both Ends

Introduction This post describes the work we’ve done on fuzzing the Windows RDP client and server, the challenges of doing so, and some of the results. The Remote Desktop Protocol (RDP) by...

Read Article
Loading More...

Threat Research Blog

Decentralized Identity Attack Surface – Part 1

Introduction Who are you? That’s a hard question to answer. Many philosophers have been fascinated with this question for years. Who are you in cyberspace? Your digital identity is comprised of...

Fantastic Rootkits: And Where to Find Them (Part 1)

Introduction In this blog series, we will cover the topic of rootkits — how they are built and the basics of kernel driver analysis — specifically on the Windows platform. In this first part, we...

Colorful Vulnerabilities

Our love for gaming alongside finding bugs led us back to the good ol’ question: Is it true that the more RGB colors you have (except for your gaming chair, of course), the more skill...

Understanding Windows Containers Communication

Several years ago, when I spoke with people about containers, most of them were not familiar with the term. Today, it is unquestionably one of the most popular technologies being used in DevOps...

Trust Me, I’m a Robot: Can We Trust RPA With Our Most Guarded Secrets?

In our complicated and challenging enterprise world, trust is not just important — it’s a vital link in the long chain of enterprise success. If you’ve ever managed people who didn’t trust one...

Inside Matanbuchus: A Quirky Loader

An in-depth analysis of Matanbuchus loader’s tricks and loading techniques Matanbuchus is a Malware-as-a-Service loader that has been sold on underground markets for more than one year....

That Pipe is Still Leaking: Revisiting the RDP Named Pipe Vulnerability

On January 11, 2022, we published a blog post describing the details of CVE-2022-21893, a Remote Desktop vulnerability that we found and reported to Microsoft. After analyzing the patch that fixed...

Go BLUE! A Protection Plan for Credentials in Chromium-based Browsers

In my previous blog post (here), I described a technique to extract sensitive data (passwords, cookies) directly from the memory of a Chromium-based browser’s [CBB] process. Google’s response to...

Extracting Clear-Text Credentials Directly From Chromium’s Memory

This research was initiated accidentally. After “mini-dumping” all active Chrome.exe processes for another research project, I decided to see if a password that I recently typed in the browser...

Finding Bugs in Windows Drivers, Part 1 – WDM

Finding vulnerabilities in Windows drivers was always a highly sought-after prize by sophisticated threat actors, game cheat writers and red teamers. As you probably know, every bug in a driver...

Conti Group Leaked!

The conflict in Ukraine has driven significant attention from the cybersecurity community, due in large part to the cyber attacks conducted against Ukraine infrastructure — including evidence of...

How Docker Made Me More Capable and the Host Less Secure

TL;DR After Docker released a fix [1] for CVE-2021-21284 [2], it unintentionally created a new vulnerability that allows a low-privileged user on the host to execute files from Docker images....

Checking for Vulnerable Systems for CVE-2021-4034 with PwnKit-Hunter

What is PwnKit Vulnerability CVE-2021-4034? On January 25th, 2022, a critical vulnerability in polkit’s pkexec was publicly disclosed (link). The Qualys research team named this vulnerability...

Analyzing Malware with Hooks, Stomps and Return-addresses

Table of Contents Introduction The First Detection The Module Stomp Bypass The Module Stomp Detection Final Thoughts Introduction This is the second post in my series and with this post we will...

Attacking RDP from Inside: How we abused named pipes for smart-card hijacking, unauthorized file system access to client machines and more

In this blog post we are going to discuss the details of a vulnerability in Windows Remote Desktop Services, which we recently uncovered. We reported the vulnerability to Microsoft in a...

Don’t Trust This Title: Abusing Terminal Emulators with ANSI Escape Characters

One day, while I was working on OpenShift, a Kubernetes distribution by RedHat focused on developer experience and application security, I noticed that I was able to inject ANSI escape characters...

Hook Heaps and Live Free

I wanted to write this blog post to talk a bit about Cobalt Strike, function hooking and the Windows heap. We will be targeting BeaconEye (https://github.com/CCob/BeaconEye) as our detection tool...

Cloud Shadow Admins Revisited in Light of Nobelium

A recently detected attack campaign involving threat actor Nobelium has caught our attention due to an attack vector our team has previously researched – Cloud Shadow Admins – that the adversary...

Cracking WiFi at Scale with One Simple Trick

How I Cracked 70% of Tel Aviv’s Wifi Networks (from a Sample of 5,000 Gathered WiFi). In the past seven years that I’ve lived in Tel Aviv, I’ve changed apartments four times. Every time I...

Fuzzing RDP: Holding the Stick at Both Ends

Introduction This post describes the work we’ve done on fuzzing the Windows RDP client and server, the challenges of doing so, and some of the results. The Remote Desktop Protocol (RDP) by...