Sharing my discoveries in pentesting and security research.

Don’t make your SOC blind to Active Directory attacks: 5 surprising behaviors of Windows audit policy

Windows offers built-in audit policy settings to configure which events should be logged. But when testing those options, we noticed surprising behaviors that can lead to missed events. When you configure your Active Directory domain controllers to log security events to send to your SIEM and raise alerts, you absolutely do not want any regression which would ultimately blind your SOC! In this article we will share technical tips to prevent those unexpected issues.

➡️ Discover this article on Tenable’s TechBlog: Don’t make your SOC blind to Active Directory attacks: 5 surprising behaviors of Windows audit policy

Auto deploy Python Flask web app on GitHub push

On my server I have a very simple webapp developed in Python with Flask. Its code is hosted on GitHub in a private repository. Before, every time I modified the app on my PC, then pushed it to GitHub, I had to connect to the Linux server to kill it, git pull and restart it. It was annoying but now everything is happening automatically!

How can my Python Flask web app deploy itself to my Linux server when I push to GitHub?

Risks of Microsoft Teams and Microsoft 365 Groups

Microsoft Teams has become even more popular in the current context (blah blah pandemic, blah blah work from home). It allows users to collaborate using Groups that they create and manage themselves. Groups can be public or private (on invitation), but many group owners use the public option, even though it allows anyone in the organization to access their chats, shared files and more! 😮 We will also see that even private Groups disclose their title, description, and members to anyone, and sometimes this alone is enough to disclose restricted information. 🕵️

NTLM relay of ADWS (WCF) connections with Impacket

The NTLM relay feature of Impacket’s ntlmrelayx.py used to offer only two servers, HTTP and SMB, for incoming NTLM authenticated connections using those two protocols, which can then be relayed to more protocols: HTTP, SMB, LDAP, SMTP, etc. I had a situation where the incoming NTLM authenticated connection used ADWS (built upon NetTcpBinding WCF), so I implemented this new server protocol in Impacket 😉

CVE-2020-7315 McAfee Agent DLL injection

DLL injection in McAfee Agent allowing a local administrator to kill the antivirus, or tamper with it, without knowing the McAfee password

The macompatsvc.exe McAfee Agent process tries to load the missing wow64log.dll DLL file (in System32). By planting a malicious DLL with that name, a local Windows administrator can achieve code execution in the context of this trusted McAfee process and kill other McAfee processes, thus achieving a denial of service on the antivirus, which can no longer detect and clean viruses.

"Twitter likes" Python tool

This small Python 3 project fetches from the Twitter API all the tweets you (or even another account) liked, saves them (for backup) and displays them as a nice HTML page.

"Google Drive uploader" Python tool

This Python 3 script archives a local folder as a ZIP file and uploads it to a Google Drive folder. It makes it easy to back up a folder from a server, for example.

CVE-2019-1172 Disclosure of Azure AD personal account auth token to malicious websites when using the recommended browser extension 2/2

Second part of the article about CVE-2019-1172 where we will deep-dive through reverse-engineering to finally understand how it works and discover the cause of the vulnerability. We will also review the patch via binary diffing.

CVE-2019-1172 Disclosure of Azure AD personal account auth token to malicious websites when using the recommended browser extension 1/2

CVE-2019-1172 is the first vulnerability I discovered in Windows and it allows the disclosure of Azure AD personal account auth token to malicious websites when using the recommended browser extension.
The vulnerability lies in an incorrect check of the origin of a web request: “login.live.com” is the only authorized host, however “login.live.com.example.com” (under the control of “example.com”) is also accepted!

This is a classic and unimpressive issue. But in this post, I will explain how I discovered it and I think the journey is more interesting than the end result here. I will also give details about the vulnerability and share a PoC.
Also, it may look easy once finished and summarized in an article, but note that I discovered almost everything on the fly! So can you 😉

CVE-2020-4311 IBM Tivoli Monitoring weak folder permissions

The story of how I discovered a DLL planting vulnerability in IBM Tivoli Monitoring, due to dangerous default folder permissions, including PoC steps.
