Compass Security Blog

Offensive Defense

Evading Static Machine Learning Malware Detection Models – Part 2: The Gray-Box Approach

This part will discuss a grey-box approach in defeating malware detection. It will discuss the relevant features used and how they are fed into a malware detection model to classify an input file. After a short theory part, we try to find out which features are especially important for malware analysis and how to modify them. Finally, we will change some of the features of our ransomware to evade our model. But before all this, it is advisable to get familiar with the file format used by our malware.

Continue reading

Evading Static Machine Learning Malware Detection Models – Part 1: The Black-Box Approach

Modern anti-malware products such as Windows Defender increasingly rely on the use of machine learning algorithms to detect and classify harmful malware. In this two-part series, we are going to investigate the robustness of a static machine learning malware detection model trained with the EMBER dataset. For this purpose we will working with the Jigsaw ransomware.

Continue reading

Make the most out of BloodHound

During internal assessments in Windows environments, we use BloodHound more and more to gather a comprehensive view of the permissions granted to the different Active Directory objects. In this post, we’ll show an advanced usage of this tool by using our additional queries.

Continue reading

Relaying NTLM authentication over RPC

Since a few years, we – as pentesters – (and probably bad guys as well) make use of NTLM relaying a lot for privilege escalation in Windows networks.

In this article, we propose adding support for the RPC protocol to the already great ntlmrelayx from impacket and explore the new ways of compromise that it offers.

This vulnerability was discovered by Compass Security in January 2020, disclosed to Microsoft Security Response Center and assigned CVE-2020-1113 as identifier.

Continue reading

Domain-Join Computers the Proper Way

When you add a new computer, it must first join the domain. If you use its future main user to do it, they’ll become the owner and be able to hijack the computer to become a local administrator in four easy steps.

Continue reading

Challenging Your Forensic Readiness with an Application-Level Ransomware Attack

Ransomware focuses on encrypting data on a filesystem-level, either locally on infected client systems or remotely on accessible file servers. However, what if ransomware would start encrypting data on an application-level too?

Continue reading

There is such thing as a free lunch

Usually you need to pay for lunches with cash or using your credit card. But in some places employees can pay for a lunch using their access badge. And this is the payment method that will be covered in this blogpost.

Continue reading

A Smart Card Odyssey

Black box analysis of a not so smart card in ID-1 form factor that is in use for the billing of washing machines and tumble driers.

Continue reading

enOcean Security

In this post, we are going to take a closer look at the enOcean technology, how security is implemented, and if the security measures and options available are sufficient.

Continue reading

Windows Forensics with Plaso

Present State of Affairs We have been teaching forensics and network incident analysis for quite a while. We have investigated into a reputable number of cases and we are not the only doing so. Hence, one would expect a certain degree of automation in analysis. However, the high frequency of software release cycles somehow leads […]

Continue reading

« Older posts