Six months ago we burned two weeks tuning LightGBM hyperparameters for a C2 beacon detector in corporate traffic. F1 hovered between 0.71 and 0.74 no matter how we turned the learning rate, max_depth, or the number of trees. Then three features were added in one evening: the...
On the latest API pentest, a fintech service required an HMAC signature in the X-Signature header on every request, calculated from the body, the current timestamp and a session secret obtained during authentication. Not a single plugin from the BApp Store supported this scheme: Repeater sent requests with a...
A comment in production code, "ignore secp386 for now", and P-384 mTLS turns into a decoration. Heap overflow in the TLS handshake: pre-auth RCE as root before the first HTTP request. Stack overflow via mDNS: a single UDP packet. All of this is Mongoose, the embedded C library, which, according...
On the last three IoT security testing projects I opened the device case, connected to UART, and in two cases out of three got a root shell without a single password prompt. The third device at least asked for a login, but the pair admin:admin worked right away. Across the industry, in...
In 2024 APT42 broke into the Trump campaign, pulled out internal documents and tried to leak them to journalists. Without a single malicious attachment. No EXE, no macro, no PowerShell dropper: pure social engineering and session hijacking. Seedworm (MuddyWater), according to public...
Internal pentest of a financial organization, late 2024. Domain on Windows Server 2019, GPO Network security: LAN Manager authentication level set to level 5, Send NTLMv2 response only. Refuse LM & NTLM. I brought up Responder on the server VLAN and got a NetNTLMv1 hash from a file server...
The place of OAuth consent phishing attacks in the attack chain
Consent phishing is not a single-point technique but a full-fledged attack path. One phishing link unfolds into a chain covering seven MITRE ATT&CK tactics
Here is what is fundamental for the SOC team: the attacker works at the level of...
The place in the attack chain: why break the firmware
Compromising UEFI firmware is not an end in itself but solves two tasks in the kill chain: persistence below the OS level and stealth from software protection.
According to the MITRE ATT&CK classification, attacks on...
Six months ago, during an internal Red Team exercise, an Isolation Forest trained on a monthly baseline from Zeek conn.log missed a DNS tunnel with an exfiltration volume of 800 KB. The feature vector (average packet size, number of sessions per interval, ratio of forward/backward bytes)...
In November 2023, APT29 (Midnight Blizzard) got into Microsoft's corporate environment by password spraying a single test cloud tenant without MFA. A test tenant. Without MFA. At Microsoft. From there, through a malicious OAuth application with rights...
Each mechanism covers certain MITRE ATT&CK tactics: from replacing system firmware, System Firmware (T1542.001, persistence/stealth), and installing bootkits, Bootkit (T1542.003), to compromising the supply chain, Compromise Hardware Supply Chain (T1195.003, initial...
On a SaaS platform with SSO through Keycloak, I found that the authorization server accepted a redirect_uri with path traversal: https://app.client.com/callback/../../../evil.com. Validation checked only the beginning of the string. Substituting my own URL, I sent a crafted link, and the authorization code...
The place of the hardware pentest in the attack chain
Hardware analysis of embedded systems is not a separate discipline but a specific stage of the kill chain. In MITRE ATT&CK terms, a physical pentest of the equipment covers several tactics:
• Reconnaissance: collection of information about the hardware...
On a fintech bug bounty I spent three minutes finding a CRLF injection point in the redirect endpoint, and two hours escalating it to XSS through HTTP response splitting with capture of the administrator session. The triager rated it Medium, while the chain led to full session hijacking through a framed...
In 2023, ESET published a detailed analysis of BlackLotus, the first publicly documented bootkit that bypasses UEFI Secure Boot on fully updated Windows 11. A little earlier, Kaspersky described CosmicStrand, living in the SPI flash of the motherboard. Two families, two fundamentally different...
According to the IBM X-Force Threat Intelligence Index 2025, infostealers came out on top among all types of malware at 32%, overtaking ransomware. The growth of attacks using credentials is 71% year-on-year. Every day about 6000 fresh sets of credentials appear on the dark web. The script is banal: the...
On May 6, 2026, CISA added CVE-2026-0300 to the Known Exploited Vulnerabilities catalog. Remediation deadline: three days, until May 9. SSVC: Act; exploitation is active, the attack is automatable, technical impact is total. Tens of PAN-OS instances are visible on the Internet, presumably...
An AWS key in the AKIA* format sits in the git history of a private repository, removed from the code eight months ago, yet aws sts get-caller-identity returns a live IAM account with access to three S3 buckets. From finding the old commit to reading the data: twenty minutes. This scenario repeats from the...
Binary patch as the only artifact for n-day research
When the Linux distribution releases a security update, a window appears in which vulnerable and corrected binaries are available at the same time. For n-day vulnerability research, this pair of ELF files is the main source of information. Not...