Compass Security Blog

Offensive Defense

Page 7 of 26

Burp Extension: Copy Request & Response

Writing good reports is key in penetration tests / security assessments, since this is the final result delivered to the customer. Vulnerabilities should be described in a way so that the customer can understand and also reproduce the issue. For web application pentests, the best way is often to show the HTTP requests and responses to explain an issue. This Burp Suite extension “Copy Request & Response” can assist you while the report.

Continue reading

Evading Static Machine Learning Malware Detection Models – Part 1: The Black-Box Approach

Modern anti-malware products such as Windows Defender increasingly rely on the use of machine learning algorithms to detect and classify harmful malware. In this two-part series, we are going to investigate the robustness of a static machine learning malware detection model trained with the EMBER dataset. For this purpose we will working with the Jigsaw ransomware.

Continue reading

101 for lateral movement detection

The article discusses the very basics to keep systems ready for analysis of lateral movement. We present some guidelines in form of a cheat sheet and a tool (Readinizer) that you can run, to ensure that everything is set up as in the guidelines provided.

Continue reading

Make the most out of BloodHound

During internal assessments in Windows environments, we use BloodHound more and more to gather a comprehensive view of the permissions granted to the different Active Directory objects. In this post, we’ll show an advanced usage of this tool by using our additional queries.

Continue reading

Yet Another Froala 0-Day XSS

Compass found a DOM-based cross-site scripting (XSS) in the Froala WYSIWYG HTML Editor. HTML code in the editor is not correctly sanitized when inserted into the DOM. This allows an attacker that can control the editor content to execute arbitrary JavaScript in the context of the victim’s session.

Continue reading

Relaying NTLM authentication over RPC

Since a few years, we – as pentesters – (and probably bad guys as well) make use of NTLM relaying a lot for privilege escalation in Windows networks.

In this article, we propose adding support for the RPC protocol to the already great ntlmrelayx from impacket and explore the new ways of compromise that it offers.

This vulnerability was discovered by Compass Security in January 2020, disclosed to Microsoft Security Response Center and assigned CVE-2020-1113 as identifier.

Continue reading

Reversing a .NET Orcus dropper

In this blog post we will reverse engineer a sample which acts as downloader for malware (aka a “dropper”). It is not uncommon to find such a downloader during DFIR engagements so we decided to take a look at it. The sample that we are going to analyze has been obtained from abuse.ch and was […]

Continue reading

New SMBGhost Vulnerability Affects Modern Windows Systems

A new vulnerability (CVE-2020-0796) affecting SMBv3 has been discovered. The community has started to name this vulnerability SMBGhost because everyone knows this vulnerability is present but no additional details are available. Microsoft also released the advisory ADV200005. [1]

Continue reading

Domain-Join Computers the Proper Way

When you add a new computer, it must first join the domain. If you use its future main user to do it, they’ll become the owner and be able to hijack the computer to become a local administrator in four easy steps.

Continue reading

Invoice Fraud with Everything the Bag of Tricks Has to Offer

Sometimes, it doesn’t take much for a good scam: a good story, a little persuasion, then disappear again… and sometimes, the scammers come up with tactics that come straight out of the textbook.

Continue reading

« Older posts Newer posts »