On an audit of an energy company we got domain admin in four hours: Kerberoasting plus a weak password on an AD service account. A standard story, nothing interesting. But between the enterprise network and the SCADA segment there was a firewall that only passed Modbus TCP to the...
On a red team operation in the financial sector we stood up dnscat2 on a rented VPS, set up the NS delegation and pushed commands through TXT records for two days, while exfiltrating hashes from NTDS.dit. Suricata on the perimeter stayed silent. Not a single SIEM alert. The SOC...
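The detection gap described above is the point of the excerpt, so here is an added example (not code from the page or its authors) of the check a SOC would want: a heuristic over DNS resolver logs that flags a zone receiving many TXT queries whose leading labels are long and high-entropy, the shape that hex-encoded tunnel payloads produce. The log format, the zone names and the thresholds are all constructed for the example; treating the last two labels as the registrable domain is a deliberate simplification.

```python
import hashlib
import math
from collections import defaultdict


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of a label; hex/base64-encoded data scores high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line: str) -> dict:
    """Constructed resolver-log format: '<timestamp> <client_ip> <qtype> <qname>'."""
    ts, client, qtype, qname = line.split()
    labels = qname.rstrip(".").split(".")
    zone = ".".join(labels[-2:])          # simplification: registrable domain = last two labels
    sub = ".".join(labels[:-2])           # everything the client controls in front of the zone
    return {"ts": ts, "client": client, "qtype": qtype, "qname": qname, "zone": zone, "sub": sub}


def score_zones(lines, min_txt=10, min_entropy=3.0, min_label=20) -> dict:
    """Return zones that look like a TXT-based tunnel endpoint, with the evidence."""
    per_zone = defaultdict(lambda: {"txt": 0, "total": 0, "entropies": [], "lens": [], "clients": set()})
    for line in lines:
        q = parse_line(line)
        z = per_zone[q["zone"]]
        z["total"] += 1
        z["clients"].add(q["client"])
        if q["qtype"] == "TXT":
            z["txt"] += 1
        if q["sub"]:
            first = q["sub"].split(".")[0]       # the leftmost label carries the encoded chunk
            z["entropies"].append(shannon_entropy(first))
            z["lens"].append(len(first))
    flagged = {}
    for zone, z in per_zone.items():
        mean_ent = sum(z["entropies"]) / len(z["entropies"]) if z["entropies"] else 0.0
        mean_len = sum(z["lens"]) / len(z["lens"]) if z["lens"] else 0.0
        if z["txt"] >= min_txt and mean_ent >= min_entropy and mean_len >= min_label:
            flagged[zone] = {
                "txt_queries": z["txt"],
                "mean_label_entropy": round(mean_ent, 2),
                "mean_label_len": round(mean_len, 1),
                "clients": sorted(z["clients"]),
            }
    return flagged


# Constructed sample log: ordinary lookups plus a burst of TXT queries to one zone.
CONSTRUCTED_LOG = [
    "2025-03-01T10:00:01Z 10.0.0.5 A www.example.com",
    "2025-03-01T10:00:02Z 10.0.0.5 MX example.com",
    "2025-03-01T10:00:03Z 10.0.0.7 TXT _dmarc.example.com",
    "2025-03-01T10:00:04Z 10.0.0.7 A updates.vendor-example.org",
]
# Twelve TXT queries whose leading label is a 48-character hex string (deterministic, constructed).
for _i in range(12):
    _label = hashlib.sha256(f"chunk{_i}".encode()).hexdigest()[:48]
    CONSTRUCTED_LOG.append(f"2025-03-01T10:01:{_i:02d}Z 10.0.0.5 TXT {_label}.t.tunnel-example.net")


if __name__ == "__main__":
    for zone, evidence in score_zones(CONSTRUCTED_LOG).items():
        print(zone, evidence)
```

The rule is crude on purpose: it catches the default hex-style encoding by label entropy and TXT volume, and a real deployment would add query rate per client, NXDOMAIN ratio and an allow-list for zones that legitimately serve many TXT records (SPF, DKIM, verification tokens).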
On an audit of a petrochemical plant last year we found Modbus/TCP traffic from Siemens S7-1200 PLCs and HMI panels in the same VLAN as an enterprise file server. From a compromised contractor laptop in the IT segment to writing values into the controller's holding registers...
When the Zero.T loader downloaded three BMP files from a C2 server, the corporate DPI system let them through without a single alert. Three ordinary pictures. Each carried modules of the Enfal ecosystem, packed into the least significant bits of the pixels. According to Securelist, Zero.T is one of at least eight...
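To show why a DPI sees nothing wrong with such a file, here is an added example (not code from the page, and not Zero.T's actual format) of the technique in its plainest form: a 24-bit BMP is built in memory, a payload is written into the least significant bit of every byte of pixel data behind a 4-byte length prefix, and then read back. The BMP stays byte-for-byte valid in its headers and identical in size, and no channel value moves by more than one. The image content, the payload bytes and the length-prefix framing are constructed for the example.

```python
import struct

BMP_HEADER_LEN = 14 + 40  # BITMAPFILEHEADER + BITMAPINFOHEADER


def make_bmp(width: int, height: int, rgb_rows) -> bytes:
    """Build an uncompressed 24-bit BMP. rgb_rows is top-to-bottom; BMP stores rows bottom-up, BGR."""
    row_stride = (width * 3 + 3) & ~3            # each row padded to a multiple of 4 bytes
    pixels = bytearray()
    for row in reversed(rgb_rows):
        for r, g, b in row:
            pixels += bytes((b, g, r))
        pixels += b"\x00" * (row_stride - width * 3)
    size = BMP_HEADER_LEN + len(pixels)
    file_hdr = struct.pack("<2sIHHI", b"BM", size, 0, 0, BMP_HEADER_LEN)
    info_hdr = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0, len(pixels), 2835, 2835, 0, 0)
    return bytes(file_hdr + info_hdr + pixels)


def pixel_offset(bmp: bytes) -> int:
    return struct.unpack_from("<I", bmp, 10)[0]   # bfOffBits: where pixel data starts


def looks_like_valid_bmp(bmp: bytes) -> bool:
    """The checks a format-aware filter would pass: magic, declared size, pixel offset in range."""
    magic, size, _, _, off = struct.unpack_from("<2sIHHI", bmp, 0)
    return magic == b"BM" and size == len(bmp) and off <= len(bmp)


def embed_lsb(bmp: bytes, payload: bytes) -> bytes:
    """Write [len(4 bytes LE)][payload] into the LSB of consecutive pixel-data bytes, MSB-first per byte."""
    off = pixel_offset(bmp)
    data = struct.pack("<I", len(payload)) + payload
    bits = [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]
    if len(bits) > len(bmp) - off:
        raise ValueError("payload too large for this carrier")
    carrier = bytearray(bmp)
    for i, bit in enumerate(bits):
        carrier[off + i] = (carrier[off + i] & 0xFE) | bit
    return bytes(carrier)


def extract_lsb(bmp: bytes) -> bytes:
    """Inverse of embed_lsb: recover the length prefix, then that many payload bytes."""
    off = pixel_offset(bmp)

    def read_bytes(start_bit: int, count: int) -> bytes:
        out = bytearray()
        for k in range(count):
            value = 0
            for i in range(8):
                value = (value << 1) | (bmp[off + start_bit + k * 8 + i] & 1)
            out.append(value)
        return bytes(out)

    length = struct.unpack("<I", read_bytes(0, 4))[0]
    if 32 + length * 8 > len(bmp) - off:
        raise ValueError("length prefix exceeds carrier; not a stego image or corrupted")
    return read_bytes(32, length)


def max_byte_delta(a: bytes, b: bytes) -> int:
    """Largest change to any single byte between carrier and stego image."""
    return max(abs(x - y) for x, y in zip(a, b))


# Constructed 32x32 gradient image and a constructed, harmless payload standing in for a module.
CONSTRUCTED_IMAGE = make_bmp(
    32, 32, [[((x * 7) % 256, (y * 5) % 256, (x ^ y) % 256) for x in range(32)] for y in range(32)]
)
CONSTRUCTED_PAYLOAD = b"constructed stand-in for an Enfal-style module; not real code"

if __name__ == "__main__":
    stego = embed_lsb(CONSTRUCTED_IMAGE, CONSTRUCTED_PAYLOAD)
    print("valid BMP:", looks_like_valid_bmp(stego), "size unchanged:", len(stego) == len(CONSTRUCTED_IMAGE))
    print("recovered:", extract_lsb(stego))
```

Capacity is one bit per carrier byte, so a 32x32 image hides at most 380 payload bytes after the prefix; the loader described above used three images precisely because real modules need more room. Signature-based DPI has nothing to match on in the container, which is why such traffic has to be caught on behaviour (an unexpected process fetching images from an unclassified host) rather than on content.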
For the past year I have been picking apart infostealer dumps (archives from Telegram channels and log marketplaces), and in every second one I find valid VPN or RDP credentials for corporate networks. Not test accounts, not expired ones: working ones. According to the Verizon DBIR 2025, stolen credentials...
At a petrochemical facility in 2024 the task was specific: check whether an attacker in the corporate network can reach the PLC that controls a process column. After 14 hours I was reading the controller's holding registers over Modbus TCP, without a single alert from the...
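Both petrochemical excerpts above come down to the same two Modbus/TCP operations, reading holding registers and writing them, so here is one added example (not code from the page or its authors) that builds and parses those frames and runs them against a constructed stand-in for a controller. The MBAP header and PDU layouts follow the Modbus/TCP specification; the register contents, unit id and transaction ids are made up for the example. The point to notice is what is absent: there is no authentication anywhere in the exchange, so reaching the TCP port is the whole attack.

```python
import struct

MODBUS_PROTOCOL_ID = 0      # always 0 for Modbus/TCP
FC_READ_HOLDING = 0x03
FC_WRITE_MULTIPLE = 0x10


def mbap(transaction_id: int, unit_id: int, pdu: bytes) -> bytes:
    """Prepend the 7-byte MBAP header: transaction id, protocol id, length (unit id + PDU), unit id."""
    return struct.pack(">HHHB", transaction_id, MODBUS_PROTOCOL_ID, len(pdu) + 1, unit_id) + pdu


def parse_frame(frame: bytes):
    """Split a Modbus/TCP frame into (transaction id, unit id, PDU), checking the MBAP length field."""
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    pdu = frame[7:]
    if pid != MODBUS_PROTOCOL_ID or len(pdu) != length - 1:
        raise ValueError("malformed MBAP header")
    return tid, unit, pdu


def read_holding_registers_request(transaction_id: int, unit_id: int, start_addr: int, quantity: int) -> bytes:
    if not 1 <= quantity <= 125:                       # spec limit for function 0x03
        raise ValueError("quantity must be 1..125")
    return mbap(transaction_id, unit_id, struct.pack(">BHH", FC_READ_HOLDING, start_addr, quantity))


def write_multiple_registers_request(transaction_id: int, unit_id: int, start_addr: int, values) -> bytes:
    if not 1 <= len(values) <= 123:                    # spec limit for function 0x10
        raise ValueError("1..123 registers per request")
    pdu = struct.pack(">BHHB", FC_WRITE_MULTIPLE, start_addr, len(values), 2 * len(values))
    pdu += b"".join(struct.pack(">H", v) for v in values)
    return mbap(transaction_id, unit_id, pdu)


def parse_read_holding_registers_response(frame: bytes):
    """Return the register values from a 0x03 response, or raise on a Modbus exception response."""
    _, _, pdu = parse_frame(frame)
    fc = pdu[0]
    if fc & 0x80:
        raise ValueError(f"Modbus exception {pdu[1]:#04x} for function {fc & 0x7F:#04x}")
    if fc != FC_READ_HOLDING:
        raise ValueError("unexpected function code")
    byte_count = pdu[1]
    if byte_count != len(pdu) - 2 or byte_count % 2:
        raise ValueError("byte count does not match PDU length")
    return list(struct.unpack(f">{byte_count // 2}H", pdu[2:]))


class FakePLC:
    """Constructed stand-in for a controller: a dict of holding registers and no access control at all."""

    def __init__(self, registers: dict):
        self.registers = dict(registers)

    def handle(self, frame: bytes) -> bytes:
        tid, unit, pdu = parse_frame(frame)
        fc = pdu[0]
        if fc == FC_READ_HOLDING:
            addr, qty = struct.unpack(">HH", pdu[1:5])
            values = [self.registers.get(addr + i, 0) for i in range(qty)]
            resp = struct.pack(">BB", fc, 2 * qty) + struct.pack(f">{qty}H", *values)
        elif fc == FC_WRITE_MULTIPLE:
            addr, qty, byte_count = struct.unpack(">HHB", pdu[1:6])
            values = struct.unpack(f">{qty}H", pdu[6:6 + byte_count])
            for i, v in enumerate(values):
                self.registers[addr + i] = v
            resp = struct.pack(">BHH", fc, addr, qty)    # echo of address and quantity
        else:
            resp = struct.pack(">BB", fc | 0x80, 0x01)   # exception 01: illegal function
        return mbap(tid, unit, resp)


if __name__ == "__main__":
    plc = FakePLC({40: 1200, 41: 35})                    # constructed values: e.g. a setpoint and a limit
    print(parse_read_holding_registers_response(plc.handle(read_holding_registers_request(1, 1, 40, 2))))
    plc.handle(write_multiple_registers_request(2, 1, 40, [0, 0]))
    print(parse_read_holding_registers_response(plc.handle(read_holding_registers_request(3, 1, 40, 2))))
```

Register addresses on the wire are zero-based, which is one of the classic sources of off-by-one confusion between a PLC's documentation and what a tool shows; a 0x03 request for address 40 reads the register the vendor may document as 40041. Reading holding registers is also the quietest thing an attacker can do, which is why the absence of an alert in the excerpt matters more than the read itself.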
At a CTF last year a database dump from a private Dragonica server turned up: about 40 thousand accounts, bcrypt hashes with cost factor 10. The organizers allotted two days for the cracking stage. Two RTX 3090s, the rockyou dictionary plus a custom gamer wordlist with mutation rules, and in 14...
99% of cloud security incidents are the customer's fault, not the provider's. That is Gartner ("through 2025", originally published in 2019), as quoted by CybelAngel. Not a zero-day and not an APT group: one forgotten checkbox in the access settings is enough. Large businesses hold thousands of...
In three of the five microsegmentation projects I have audited over the past year and a half, the segments that had been created contained a "permit any any" rule. Formally the network is segmented; in the report to management the zero trust architecture is beautifully...
According to the CrowdStrike Global Threat Report 2025, the average time from initial access to lateral movement in 2024 was 62 minutes. A year earlier it was 84. The record: 51 seconds from foothold to movement across the network. Fifty-one seconds. Two groups set this pace: Akira with...
Business logic of APT: why the attacker stays in the network for months
Before taking apart the detection tooling, we need to understand the motivation. An APT group is not a random hacker with a ransomware toolkit. For an advanced persistent threat, the intrusion is a long-term operation with a specific goal...
Over three years I have run gap analyses against four different maturity models for twelve organizations, from Defense Industrial Base subcontractors to energy companies with an OT segment. The result is the same: the team spends a month filling out scorecards, management receives a PDF with a...
The SAML flow through the eyes of an attacker
For a SAML pentester the starting point is the trust chain between three participants: the user's browser (User Agent), the Service Provider (SP) and the Identity Provider (IdP).
1. The user comes to the SP; the SP generates an AuthnRequest and redirects the browser to the IdP
2. The IdP...
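Step 1 is where a tester first gets hands on the protocol, so here is an added example (not code from the page or its authors) of that step with the HTTP-Redirect binding: the SP builds an AuthnRequest, compresses it with raw DEFLATE, base64-encodes it and puts it in the SAMLRequest query parameter; the decoder then recovers and parses it exactly the way one would from a captured redirect URL. The entity ids, URLs and RelayState are constructed for the example. The request is left unsigned, as many deployments leave it; a signed redirect would carry additional SigAlg and Signature query parameters, and without them nothing in this message is authenticated, which is why the ACS URL and Issuer attributes deserve attention.

```python
import base64
import uuid
import xml.etree.ElementTree as ET
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse

NS_P = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_A = "urn:oasis:names:tc:SAML:2.0:assertion"
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def build_authn_request(sp_entity_id, acs_url, idp_sso_url, request_id=None, issue_instant=None):
    """SP side: produce (ID, XML) for an AuthnRequest asking the IdP to post the response to acs_url."""
    request_id = request_id or "_" + uuid.uuid4().hex
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    xml = (
        f'<samlp:AuthnRequest xmlns:samlp="{NS_P}" xmlns:saml="{NS_A}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{idp_sso_url}" AssertionConsumerServiceURL="{acs_url}" '
        f'ProtocolBinding="{BINDING_POST}">'
        f"<saml:Issuer>{sp_entity_id}</saml:Issuer></samlp:AuthnRequest>"
    )
    return request_id, xml


def encode_redirect(idp_sso_url: str, xml: str, relay_state: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, then URL-encode into the query."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)          # wbits -15 = raw DEFLATE stream
    raw = comp.compress(xml.encode("utf-8")) + comp.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(raw).decode("ascii"), "RelayState": relay_state})
    return f"{idp_sso_url}?{query}"


def decode_redirect(url: str):
    """Tester/IdP side: recover the XML and RelayState from a captured redirect URL."""
    params = parse_qs(urlparse(url).query)
    raw = base64.b64decode(params["SAMLRequest"][0])
    xml = zlib.decompress(raw, -15).decode("utf-8")
    return xml, params.get("RelayState", [None])[0]


def inspect_authn_request(xml: str) -> dict:
    """Pull out the attributes that decide where the IdP's response will go and who it is for."""
    root = ET.fromstring(xml)
    if root.tag != f"{{{NS_P}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    issuer = root.find(f"{{{NS_A}}}Issuer")
    return {
        "ID": root.get("ID"),
        "Issuer": issuer.text if issuer is not None else None,
        "Destination": root.get("Destination"),
        "AssertionConsumerServiceURL": root.get("AssertionConsumerServiceURL"),
        "ProtocolBinding": root.get("ProtocolBinding"),
        "IssueInstant": root.get("IssueInstant"),
    }


if __name__ == "__main__":
    # Constructed participants for the walkthrough.
    sp, acs, idp = "https://sp.example.test/metadata", "https://sp.example.test/acs", "https://idp.example.test/sso"
    req_id, xml = build_authn_request(sp, acs, idp)
    url = encode_redirect(idp, xml, "opaque-relay-state")
    recovered_xml, relay = decode_redirect(url)
    print(url[:80] + "...")
    print(inspect_authn_request(recovered_xml), relay)
```

The SP must remember the ID it issued so it can later match the response's InResponseTo attribute against it; an SP that skips that check accepts responses it never asked for, which is one of the first things to test in step 2 onward.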
How IDS ML Detectors Make Traffic Decisions
An ML-based NIDS works as a three-stage pipeline. Understanding each stage is critical for building an evasion attack; without it you will be poking at perturbations at random.
Feature extraction. Network traffic is converted into numerical features...
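To make the pipeline concrete, here is an added example (not code from the page or its authors) that runs constructed packets through all three stages: packets are grouped into bidirectional flows and turned into a feature vector, a scorer maps the vector to a probability, and a threshold turns that into a verdict. The scorer's weights are hand-set stand-ins for a trained model, chosen only so the example is deterministic; the packets, addresses and feature names are constructed too. What the example shows is the part that matters for evasion: the model never sees packets, only aggregates such as SYN ratio, reply count and mean length, so a perturbation has to be expressed as changes to those packet-level inputs.

```python
import math
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    length: int
    flags: str          # TCP flag letters, e.g. "S", "SA", "PA"


def flow_key(p: Packet) -> tuple:
    """Direction-independent 5-tuple so both halves of a conversation land in one flow."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (p.proto,) + (a + b if a <= b else b + a)


def extract_features(packets) -> dict:
    """Stage 1: group packets into flows and compute per-flow numeric features."""
    flows = defaultdict(list)
    for p in sorted(packets, key=lambda q: q.ts):
        flows[flow_key(p)].append(p)
    features = {}
    for key, pkts in flows.items():
        initiator = (pkts[0].src, pkts[0].sport)         # whoever sent the first packet
        fwd = [p for p in pkts if (p.src, p.sport) == initiator]
        bwd = [p for p in pkts if (p.src, p.sport) != initiator]
        ts = [p.ts for p in pkts]
        iats = [b - a for a, b in zip(ts, ts[1:])]
        syn_only = sum(1 for p in pkts if "S" in p.flags and "A" not in p.flags)
        features[key] = {
            "n_fwd": len(fwd),
            "n_bwd": len(bwd),
            "bytes_fwd": sum(p.length for p in fwd),
            "bytes_bwd": sum(p.length for p in bwd),
            "duration": round(ts[-1] - ts[0], 6),
            "mean_iat": round(sum(iats) / len(iats), 6) if iats else 0.0,
            "mean_len": round(sum(p.length for p in pkts) / len(pkts), 3),
            "syn_ratio": round(syn_only / len(pkts), 3),
        }
    return features


# Constructed weights standing in for a trained classifier (stage 2).
WEIGHTS = {"syn_ratio": 3.0, "no_reply": 2.0, "small_pkts": 1.5}
BIAS = -3.0


def score_flow(f: dict) -> float:
    """Stage 2: derived signals through a logistic function, giving a probability-like score."""
    signals = {
        "syn_ratio": f["syn_ratio"],
        "no_reply": 1.0 if f["n_bwd"] == 0 else 0.0,
        "small_pkts": 1.0 if f["mean_len"] < 80 else 0.0,
    }
    raw = BIAS + sum(WEIGHTS[k] * v for k, v in signals.items())
    return 1.0 / (1.0 + math.exp(-raw))


def decide(score: float, threshold: float = 0.5) -> str:
    """Stage 3: the operating point; moving the threshold trades false positives for misses."""
    return "alert" if score >= threshold else "benign"


# Constructed traffic: one ordinary TLS-shaped exchange and one burst of unanswered SYNs to 445.
CONSTRUCTED_PACKETS = [
    Packet(0.000, "10.0.0.5", 51000, "203.0.113.10", 443, "tcp", 60, "S"),
    Packet(0.020, "203.0.113.10", 443, "10.0.0.5", 51000, "tcp", 60, "SA"),
    Packet(0.021, "10.0.0.5", 51000, "203.0.113.10", 443, "tcp", 52, "A"),
    Packet(0.030, "10.0.0.5", 51000, "203.0.113.10", 443, "tcp", 517, "PA"),
    Packet(0.050, "203.0.113.10", 443, "10.0.0.5", 51000, "tcp", 1400, "PA"),
    Packet(0.060, "10.0.0.5", 51000, "203.0.113.10", 443, "tcp", 52, "A"),
] + [Packet(1.0 + 0.05 * i, "10.0.0.5", 40000, "10.0.0.9", 445, "tcp", 60, "S") for i in range(10)]


if __name__ == "__main__":
    for key, f in extract_features(CONSTRUCTED_PACKETS).items():
        print(key, f, decide(score_flow(f)))
```

Read the second flow's verdict backwards and the evasion problem is already visible: an attacker who cannot change the model can still change n_bwd, mean_len and syn_ratio by padding packets or eliciting replies, and the feature extractor will faithfully carry those changes to the classifier.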
The evolution of XSS and modern defenses
You most likely already know what XSS is, but let's recap for completeness.
XSS (Cross-Site Scripting) is a type of attack on web systems that consists of injecting malicious code into a page served by the web system...
On a Red Team project last year the task was stated as: demonstrate persistence below the OS level on a Windows 11 host with Secure Boot enabled. We got SYSTEM through Kerberoasting and reached the workstation by lateral movement. Trying to put a modified bootloader in...
On an audit of a fintech iOS application we ran into three-layer jailbreak detection: file checks, a sandbox write test in /private, and a scan of loaded dylibs for FridaGadget. A standard `objection explore` led to a crash within 200 milliseconds: the app terminated before Frida managed...
The place in the attack chain: why reverse an iOS application
Reverse engineering an iOS application is not an end in itself. It is reconnaissance before attacking the server infrastructure. The attacker examines the binary for specific things: extracting secrets (API keys, tokens, URL...
A functionally identical payload loader weighs 71.7 KB in C and 151.5 KB in Rust; the binary doubled in size. At the same time, according to a Rochester Institute of Technology study (2023, as reported by the Bishop Fox blog), automated analysis tools produce far more false negatives on...
The business logic of the attack: where the Nginx redirector sits in the kill chain
An Nginx reverse proxy protecting the C2 works at the Command and Control stage: the implant has already been delivered and has persisted on the host. The full chain: initial access (phishing, exploitation of a perimeter service) →...