The Citrix NetScaler remote code execution vulnerability (CVE-2019-19781) has been a pretty popular topic over the last few weeks. Once public exploits of the vulnerability started to appear in the wild, TrustedSec deployed a Citrix NetScaler honeypot. We did not have to wait long for the attacks to begin. Less than 24 hours after deployment,…
Read
With the recent Citrix ADC (NetScaler) CVE-2019-19781 Remote Code Execution vulnerability, the TrustedSec Incident Response team has been working closely with our offensive and research teams as they created a working exploit. This has allowed us to create a list of locations and indicators to search for on potentially compromised Citrix ADC hosts. Based on…
Read
On December 17, 2019, Citrix released a critical advisory that allows for remote code execution. Advisories like these come out often for organizations, and critical exposures are nothing new for any company. However, when digging into the remediation step details, this advisory gave a substantial amount of information on the exploit itself. What makes this…
Read
In this blog post, I will discuss SELinux and Auditd, how to use them, how to determine what the default policies are doing, and how to add new ones. For those who do not know what SELinux is, it stands for Security-Enhanced Linux. More details about SELinux can be found in the resources section at…
Read
There is an old rule that if you find yourself doing anything more than twice, you should automate it. For developers, this may be software builds or the environments into which they will be deployed; for penetration testers, it may be the need to create a phishing host or a lab environment for testing. In…
Read
As an attacker, I frequently leverage LSASecrets to escalate privileges within the context of an ongoing compromise. Generally, the attack path is something like this: Gain Initial Foothold > Escalate to Limited User > Dump LSASecrets on Systems Where Credentials are Administrator A pretty slick way to identify targets to dump LSASecrets on is to…
Read
Microsoft JScript and VBScript are two languages that can be used for initial code execution on a new target. This may be done through the use of a phishing payload that leverages .hta files or through the use of trusted binaries to execute a payload on a new target. The use of .hta files specifically…
Read
In this blog post, I will cover the current state of my research investigating the possibility of using neural networks to hide shellcode. But before we dig in, I will provide a little background information. For those unfamiliar with neural networks, they are a type of computer system design that is inspired by how human…
Read
A few months ago, I came across a piece of Java malware. This was a nice change of pace for me, since most of what I see is written in C/C++. The malware was heavily obfuscated using a common tool, Allatori v5.3. After working my way manually through decoding, I came to a point where…
Read
For those tempted to delay migration away from Secure Sockets Layer (SSL)/early Transport Layer Security (TLS)—don’t wait! This includes all versions of SSL and version 1.0 of TLS (TLS v1.1 and newer are fine). For Payment Card Industry Data Security Standard (PCI-DSS) compliance, you can’t simply migrate sometime before your next PCI audit. Rather, you…
Read