One of the many ways to install third-party applications on workstations and servers in corporate environments is to push MSI installation packages using GPOs. However, the use of MSI packages can, if they are not created securely, leave systems vulnerable to various privilege escalation vulnerabilities. Even Microsoft’s own MSI parser, MSIEXEC, can in certain situations leave a Windows system vulnerable to privilege escalation.
Mimikatz Under The Hood
The ability of Mimikatz to extract the NTLM hashes of users at runtime from Windows has always fascinated me. Although alternatives exist (as explored in previous blog posts), there may still be situations during Red Team engagements where live credential extraction from LSASS is desired. In those situations, defense evasion tactics such as heavily modifying Mimikatz or using another implementation of Mimikatz are common.
Two Azure Active Directory essential security initiatives to protect your identities and tenant - And why you should implement them right now
Another alternative to LSASS dumping
From all of us, to all of you - Improsec Password Solutions
The year 2020 is almost over, and what an eventful year it has been! We have all collectively struggled under the Corona lockdowns, but as the end of 2020 draws near, light may yet return to these dark and desperate times.
For this very reason, Improsec has, in cooperation with Danske Bank, prepared a little Christmas present that will hopefully spread joy amongst some of our precious readers!
We are very pleased to introduce the Improsec Password Solutions toolkit.
Improsec has, in close collaboration with Danske Bank, developed two lightweight tools to help you strengthen the security posture of your Active Directory environments by increasing the strength of the passwords used throughout your enterprise. The Improsec Password Solutions toolkit comprises two distinct tools, called Improsec Password Filter and Improsec Password Auditor, respectively.
Protecting the frontline - building a secure Windows 10 client
The threat landscape has changed over the last decade, which means that securing and protecting your valuable assets and intellectual property requires a multi-layered approach, and now more than ever that approach must include ordinary workstations.
We are leveraging the cloud and its capabilities, which enables our workforce and employees to bring their work with them. This is our new world, and attackers can and will take advantage of it. With that in mind, it is crucial for any enterprise to pay serious attention to workstation security and hardening.
In this post, we aim to give you an idea of how to design and build a solid foundation and standard for your workstation security.
Alternative to LSASS dumping
In recent years, certain AV and EDR products have become significantly better at detecting and preventing classic credential theft via memory dumping techniques that target the LSASS process, which Mimikatz is widely known for. In this blog post, our Security Advisor Magnus K. Stubman discusses an alternative attack that in many situations may get the same job done without ever touching LSASS, while also serving as a lateral movement and persistence technique.
Privilege escalation vulnerability in Lenovo System Update
System Update is an application for keeping drivers, firmware and software packages up to date on Lenovo workstations and laptops. The application often comes preloaded on Lenovo systems.
As in my previously disclosed vulnerabilities in Intel Driver & Support Assistant and Splashtop Streamer, the process of updating software and firmware can, if not implemented securely, leave a system vulnerable to privilege escalation.
Unpatched privilege escalation vulnerability in Intel Driver & Support Assistant
Low-tech EDR bypass
In this blog post, you will see how simple solutions may evade highly-capable AV/EDR products to gain initial access.
TL;DR: I designed a piece of super simple malware/implant that evaded everything that I threw against it. You should really disable execution of legacy scripting languages on your systems to prevent attacks like these.
The dangers of MSSQL features – Impersonation & Links
Microsoft has added a tremendous amount of functionality to MSSQL throughout the years, which enables developers and database administrators to do all sorts of neat things to complete their tasks. Today it does not take long to build a webpage, populate it with data collected from multiple sources, and even present it in a professional manner. This is, of course, great: it is possible to produce something of value in a short amount of time, but it can also expose your infrastructure in ways you might not suspect. In this blog post, I will dive into two MSSQL features, Impersonation and SQL Database Links, and end with a Zero-to-Hero type attack, simulating a webpage vulnerable to SQL injection, which eventually leads to a complete domain compromise. Sounds interesting? Let's go!
The reappearance of HTTP Request Smuggling
Not too long ago, a colleague and I came across this almost forgotten attack vector, which swiftly resurfaced when PortSwigger added it to the portfolio of web vulnerability checks in their fantastic tool, Burp. This attack is quite interesting and different from the usual web vulnerabilities such as SQL injection and path traversal, which, unfortunately, we still see in the wild. In this blog post I will shed some light on what HTTP Request Smuggling is and why it should, once again, be taken seriously.
How not to handle Responsible Disclosure - SmartDraw 2020
Dealing with responsible disclosure can be a time-consuming process for both parties, and it can become an especially tedious task if the software vendor in question either ignores the inquiries or becomes hostile. Occasionally we still see software vendors go on the defensive when we contact them about a security vulnerability in their product. They might insist that it’s not worth their time to fix the issue, or even threaten lawsuits if we release our findings.
Just recently we had such an experience, in which the software vendor unfortunately chose to first ignore our inquiry, only to silently attempt to fix the issues we found without informing us.
Privilege Escalation vulnerability in Splashtop Streamer
This blog post highlights bugs found in installed software while doing vulnerability research. The process for this publication is aligned with the Improsec Responsible Disclosure Policy.
Splashtop Streamer is a remote desktop application that allows users to share their desktop and remotely control workstations. The affected component is the Splashtop Updater that is bundled with Splashtop Streamer, as well as certain other Splashtop products.
Reverse Engineering - Part 1
At Improsec we have a desire to share our knowledge with the outside world in an attempt to improve security worldwide. In that regard, we have decided to create an introductory mini-series on reverse engineering various types of software. Through this effort, we hope to motivate aspiring security specialists and guide people who wish to have a look into the world of reverse engineering.
In this specific section, namely ‘part 1’, we will be touching upon the topic of reverse engineering .NET applications written in C#. Everything introduced in this part is, by all means, intended as introductory level, so we hope that most of you are able to follow what is going on - if not, we are probably doing a poor job of explaining it properly :)
One Thousand and One Application Blocks
Implementing application whitelisting should be one of the first priorities when securing a Windows endpoint. Allowing only a specific set of applications to run on endpoints, besides some of Windows' own binaries, reduces the opportunity for attackers to execute arbitrary code on those endpoints.
Among Windows' own application whitelisting solutions, we can choose between AppLocker and Windows Defender Application Control (formerly known as Device Guard or Configurable Code Integrity).
Setup RDP to DC from jumphost/PAW only - with IPSec
This blog post will focus on the configuration of secure RDP (Remote Desktop Protocol) access from a jumphost/PAW (Privileged Access Workstation) to a DC (Domain Controller), such that the jumphost/PAW is the only computer from which the DC will accept incoming RDP connections. Additionally, I will protect the RDP connection between the hosts with IPSec. This guide is designed for connections between a jumphost/PAW and a DC, but it can be used for any Windows computers running Vista/Server 2008 or later.
Threat Hunting - Zero to Hero
Threat Hunting gives a great advantage in detecting a compromise, with an increased chance of detecting it during an early stage of the kill chain. Our Security Advisor, Slavi Parpulev, has written a post describing Threat Hunting in more detail, including practical examples of detecting some threats.
Remote Code Execution by reverse engineering an Askey Wifi-Extender
Local Privilege Escalation via Pronestor HealthMonitor
A customer asked us to check the security level of their standard Windows 10 client. Among other vulnerabilities and misconfigurations, we found the following critical vulnerability in Pronestor HealthMonitor (part of the “Outlook add-in for Pronestor” product) and agreed with the customer in question that we (Improsec) should handle it under our normal Responsible Disclosure policy and process.