Predictive Endpoint Detection

On-disk, In the OS, In-Memory

Is it bad? Why is it bad? What will it do next?

CounterTack converges NGAV, EDR and Insider Threat Detection. It applies predictive behavioral analysis, patented real-time memory analysis, machine learning and reputational techniques to detect suspicious behaviors on-disk, in the OS and In memory. It correlates these data sources to provide guidance for faster and more effective mitigation.
img_01

NextGen AV applies CounterTack predictive technologies and Machine Learning to detect malicious files on-disk and block them. It surpasses other NextGen AV solutions by explaining why a file is malicious, it’s capabilities and what it will do next.

img_02

Predictive Endpoint Detection and Response (EDR) detects suspicious behavior that circumvent other solutions. The platform features CounterTack Digital DNA, our proprietary In-memory Behavior Analysis engine that predicts and convicts new malware, ransomware and fileless attacks with zero false positives.

img_03

Insider Threat Detection captures user behavior. It identifies User, Time and IP Address. It monitors file reads/writes/deletes and processes created /terminated. Insider Threat Detection records all network connections, USB device mount/dismount, and records screens and keystrokes. 

img_04

CounterTack’s patented Digital DNA is the predictive engine. It is the only detection technology that detects malicious behavior in memory. Digital DNA scans live memory, reverse engineers suspicious code and then predicts its malicious intent. It is the only solution that captures obfuscated malware.

Extend endpoint protection with full stack threat detection
Respond proactively with DDNA predictive technology
Explain if bad, why bad, and what it will do next
XXE with local DTD

Automating local DTD discovery for XXE exploitation

By Philippe Arteau

Last month, we presented at Hack In Paris (France) a XML External Entities (XXE) exploitation workshop. It showcase methods to exploit XXE with numerous obstacles. Today, we present our method to exploit XXEs with local a Document Type Declaration (DTD) file. More specifically, how we built a huge list of reusable DTD files.

Read More

Java Remote Code Execution Potpourri

By Benoit Côté-Jodoin

Some time ago; we published a blog about jenkins-fsb, a preconfigured Jenkins instance for efficiently using the plug-in, Find Security Bugs. In that blog post, there was an indication about multiple vulnerabilities having been found but not disclosed. Well, today we are sharing more details about the process of finding four different kinds of remote code execution in modern Java applications. Remote execution in Java can happen under different circumstances and all the findings presented here are all different from one another. This shows that while some code execution vulnerabilities are easy to detect, some of them require a thorough inspection.

Read More

injection

ESI Injection Part 2: Abusing specific implementations

By Philippe Arteau

Last year, we published a blog post about the injection of ESI tags in pages to fool the web cache proxy, and in August 2018, our colleague Louis Dion-Marcil spoke at Defcon about the discovery of the ESI Injection uncovered by the GoSecure intrusion testing team. For those interested, the presentation has been released on the Defcon YouTube channel. Defcon and Black Hat gave us an opportunity to unveil how ESI implementations can lead to session leakage through the client web browser without any malicious JavaScript. ESI is a specification that defines statements in the form of XML tags that are interpreted by the caching server. Those statements describe the content assembly of web pages by composing various HTML fragments from external resources. An attacker can abuse this mechanism by injecting a malicious tag inside an intercepted web page.

Read More

Water violently leaking from a large pipe

Abusing Unsafe Defaults in Active Directory Domain Services: A Real-World Case Study

By Louis Dion-Marcil

This past July, Kevin Robertson from NetSPI released a blog post entitled, "Beyond LLMNR/NBNS Spoofing – Exploiting Active Directory-Integrated DNS," which introduced a new technique (to us at least) targeting weak default access control in Active Directory Domain Services. At GoSecure, since most of our engagements require some level of Active Directory security assessment, we followed our interest and decided to find a way to reliably exploit it.

Read More

RDP Man-in-the-Middle - Smile! You're on Camera

By Émilio Gonzalez

As part of our four-month internship at GoSecure, we chose to work on creating a Remote Desktop Protocol (RDP) honeypot. To achieve this, we used a Linux server with an RDP man-in-the-middle (MITM) program that redirects traffic to a real Windows Server.

When searching for tools, we found RDPY, a Python RDP library with a MITM implementation. However, RDPY had several limitations both in features and design choices for our use case. This led us to create our own library, which reuses some parts and concepts from RDPY.

In this blog post, we will showcase our newly release open-source project, PyRDP, which is usable both as a MITM and as a library to experiment with the protocol. We will demonstrate both use cases by describing an incident we had with a malicious user that compromised our honeypot.

Read More

Summary of Statistics Canada's Survey on Cyber Security and Cybercrime

By Masarah Paquet-Clouston

If there is one thing that all cyber security professionals agree on is how data and statistics on cybersecurity and cybercrime are misleading and unreliable. This is unsurprising considering that most statistics created, until now, came from the cybersecurity industry itself. By being economically motivated at selling security products, this industry has an unequivocal bias. Fortunately, today, we enter a new era:  Statistics Canada has just released the results of the first Canadian Survey of Cyber security and Cybercrime (CSoCC).

Read More

front

The Supply Chain behind the Market for Fake "Likes"

By Masarah Paquet-Clouston

In the past years, there has been increasing awareness by the public and policy makers on the potential harm that social network manipulation can produce. Yet, most researchers have looked at the front end of the problem: developing algorithms to flag fake accounts on social networks and suspend them. No studies have investigated  the problem from an industry perspective, with questions such as:

Read More

Large Scale Vulnerability Scanning with Jenkins

By Benoit Côté-Jodoin

Find Security Bugs can often uncover interesting findings that may lead to the discovery of critical vulnerabilities. Back in May, we published on this blog two vulnerabilities in components of Spring, a Java web framework, using this tool. However, the process of using Find Security Bugs can be a little bit tedious to unseasoned Java users. Also, the process of analyzing compiled code and triaging the findings needed improvements. Here is the solution that was built to find vulnerabilities at scale.

Read More

A Password Hidden Among Other Binary Data

Throwing it out the Windows: Exfiltrating Active Directory credentials through DNS

By Leanne Dutil

This post will detail the password filter implant project we developed recently. Our password filter is used to exfiltrate Active Directory credentials through DNS. This text will discuss the technicalities of the project as well as my personal experience developing it. It is available under an open source license on GitHub.

Read More

Upcoming WEIS presentation: Ransomware Payment in the Bitcoin Ecosystem

By Masarah Paquet-Clouston

In the past year, we developed a data-driven method for identifying, quantifying, and comparing ransom payments in the Bitcoin ecosystem from 35 ransomware families. The study was conducted in partnership with Bernhard Haslhofer from the Austrian Institute of Technology (AIT) and Benoît Dupont from the Université de Montréal (UdeM). It resulted in a paper that will be presented at the 17th Annual Workshop on the Economics of Information Security (WEIS2018) in Innsbruck, Austria, besides renowned academic researchers. 

Read More

XXE with local DTD

Automating local DTD discovery for XXE exploitation

By Philippe Arteau

Last month, we presented at Hack In Paris (France) a XML External Entities (XXE) exploitation workshop. It showcase methods to exploit XXE with numerous obstacles. Today, we present our method to exploit XXEs with local a Document Type Declaration (DTD) file. More specifically, how we built a huge list of reusable DTD files.

Read More

Java Remote Code Execution Potpourri

By Benoit Côté-Jodoin

Some time ago; we published a blog about jenkins-fsb, a preconfigured Jenkins instance for efficiently using the plug-in, Find Security Bugs. In that blog post, there was an indication about multiple vulnerabilities having been found but not disclosed. Well, today we are sharing more details about the process of finding four different kinds of remote code execution in modern Java applications. Remote execution in Java can happen under different circumstances and all the findings presented here are all different from one another. This shows that while some code execution vulnerabilities are easy to detect, some of them require a thorough inspection.

Read More

injection

ESI Injection Part 2: Abusing specific implementations

By Philippe Arteau

Last year, we published a blog post about the injection of ESI tags in pages to fool the web cache proxy, and in August 2018, our colleague Louis Dion-Marcil spoke at Defcon about the discovery of the ESI Injection uncovered by the GoSecure intrusion testing team. For those interested, the presentation has been released on the Defcon YouTube channel. Defcon and Black Hat gave us an opportunity to unveil how ESI implementations can lead to session leakage through the client web browser without any malicious JavaScript. ESI is a specification that defines statements in the form of XML tags that are interpreted by the caching server. Those statements describe the content assembly of web pages by composing various HTML fragments from external resources. An attacker can abuse this mechanism by injecting a malicious tag inside an intercepted web page.

Read More

Water violently leaking from a large pipe

Abusing Unsafe Defaults in Active Directory Domain Services: A Real-World Case Study

By Louis Dion-Marcil

This past July, Kevin Robertson from NetSPI released a blog post entitled, "Beyond LLMNR/NBNS Spoofing – Exploiting Active Directory-Integrated DNS," which introduced a new technique (to us at least) targeting weak default access control in Active Directory Domain Services. At GoSecure, since most of our engagements require some level of Active Directory security assessment, we followed our interest and decided to find a way to reliably exploit it.

Read More

RDP Man-in-the-Middle - Smile! You're on Camera

By Émilio Gonzalez

As part of our four-month internship at GoSecure, we chose to work on creating a Remote Desktop Protocol (RDP) honeypot. To achieve this, we used a Linux server with an RDP man-in-the-middle (MITM) program that redirects traffic to a real Windows Server.

When searching for tools, we found RDPY, a Python RDP library with a MITM implementation. However, RDPY had several limitations both in features and design choices for our use case. This led us to create our own library, which reuses some parts and concepts from RDPY.

In this blog post, we will showcase our newly release open-source project, PyRDP, which is usable both as a MITM and as a library to experiment with the protocol. We will demonstrate both use cases by describing an incident we had with a malicious user that compromised our honeypot.

Read More

Summary of Statistics Canada's Survey on Cyber Security and Cybercrime

By Masarah Paquet-Clouston

If there is one thing that all cyber security professionals agree on is how data and statistics on cybersecurity and cybercrime are misleading and unreliable. This is unsurprising considering that most statistics created, until now, came from the cybersecurity industry itself. By being economically motivated at selling security products, this industry has an unequivocal bias. Fortunately, today, we enter a new era:  Statistics Canada has just released the results of the first Canadian Survey of Cyber security and Cybercrime (CSoCC).

Read More

front

The Supply Chain behind the Market for Fake "Likes"

By Masarah Paquet-Clouston

In the past years, there has been increasing awareness by the public and policy makers on the potential harm that social network manipulation can produce. Yet, most researchers have looked at the front end of the problem: developing algorithms to flag fake accounts on social networks and suspend them. No studies have investigated  the problem from an industry perspective, with questions such as:

Read More

Large Scale Vulnerability Scanning with Jenkins

By Benoit Côté-Jodoin

Find Security Bugs can often uncover interesting findings that may lead to the discovery of critical vulnerabilities. Back in May, we published on this blog two vulnerabilities in components of Spring, a Java web framework, using this tool. However, the process of using Find Security Bugs can be a little bit tedious to unseasoned Java users. Also, the process of analyzing compiled code and triaging the findings needed improvements. Here is the solution that was built to find vulnerabilities at scale.

Read More

A Password Hidden Among Other Binary Data

Throwing it out the Windows: Exfiltrating Active Directory credentials through DNS

By Leanne Dutil

This post will detail the password filter implant project we developed recently. Our password filter is used to exfiltrate Active Directory credentials through DNS. This text will discuss the technicalities of the project as well as my personal experience developing it. It is available under an open source license on GitHub.

Read More

Upcoming WEIS presentation: Ransomware Payment in the Bitcoin Ecosystem

By Masarah Paquet-Clouston

In the past year, we developed a data-driven method for identifying, quantifying, and comparing ransom payments in the Bitcoin ecosystem from 35 ransomware families. The study was conducted in partnership with Bernhard Haslhofer from the Austrian Institute of Technology (AIT) and Benoît Dupont from the Université de Montréal (UdeM). It resulted in a paper that will be presented at the 17th Annual Workshop on the Economics of Information Security (WEIS2018) in Innsbruck, Austria, besides renowned academic researchers. 

Read More

XXE with local DTD

Automating local DTD discovery for XXE exploitation

By Philippe Arteau

Last month, we presented at Hack In Paris (France) a XML External Entities (XXE) exploitation workshop. It showcase methods to exploit XXE with numerous obstacles. Today, we present our method to exploit XXEs with local a Document Type Declaration (DTD) file. More specifically, how we built a huge list of reusable DTD files.

Read More

Java Remote Code Execution Potpourri

By Benoit Côté-Jodoin

Some time ago; we published a blog about jenkins-fsb, a preconfigured Jenkins instance for efficiently using the plug-in, Find Security Bugs. In that blog post, there was an indication about multiple vulnerabilities having been found but not disclosed. Well, today we are sharing more details about the process of finding four different kinds of remote code execution in modern Java applications. Remote execution in Java can happen under different circumstances and all the findings presented here are all different from one another. This shows that while some code execution vulnerabilities are easy to detect, some of them require a thorough inspection.

Read More

injection

ESI Injection Part 2: Abusing specific implementations

By Philippe Arteau

Last year, we published a blog post about the injection of ESI tags in pages to fool the web cache proxy, and in August 2018, our colleague Louis Dion-Marcil spoke at Defcon about the discovery of the ESI Injection uncovered by the GoSecure intrusion testing team. For those interested, the presentation has been released on the Defcon YouTube channel. Defcon and Black Hat gave us an opportunity to unveil how ESI implementations can lead to session leakage through the client web browser without any malicious JavaScript. ESI is a specification that defines statements in the form of XML tags that are interpreted by the caching server. Those statements describe the content assembly of web pages by composing various HTML fragments from external resources. An attacker can abuse this mechanism by injecting a malicious tag inside an intercepted web page.

Read More

Water violently leaking from a large pipe

Abusing Unsafe Defaults in Active Directory Domain Services: A Real-World Case Study

By Louis Dion-Marcil

This past July, Kevin Robertson from NetSPI released a blog post entitled, "Beyond LLMNR/NBNS Spoofing – Exploiting Active Directory-Integrated DNS," which introduced a new technique (to us at least) targeting weak default access control in Active Directory Domain Services. At GoSecure, since most of our engagements require some level of Active Directory security assessment, we followed our interest and decided to find a way to reliably exploit it.

Read More

RDP Man-in-the-Middle - Smile! You're on Camera

By Émilio Gonzalez

As part of our four-month internship at GoSecure, we chose to work on creating a Remote Desktop Protocol (RDP) honeypot. To achieve this, we used a Linux server with an RDP man-in-the-middle (MITM) program that redirects traffic to a real Windows Server.

When searching for tools, we found RDPY, a Python RDP library with a MITM implementation. However, RDPY had several limitations both in features and design choices for our use case. This led us to create our own library, which reuses some parts and concepts from RDPY.

In this blog post, we will showcase our newly release open-source project, PyRDP, which is usable both as a MITM and as a library to experiment with the protocol. We will demonstrate both use cases by describing an incident we had with a malicious user that compromised our honeypot.

Read More

Summary of Statistics Canada's Survey on Cyber Security and Cybercrime

By Masarah Paquet-Clouston

If there is one thing that all cyber security professionals agree on is how data and statistics on cybersecurity and cybercrime are misleading and unreliable. This is unsurprising considering that most statistics created, until now, came from the cybersecurity industry itself. By being economically motivated at selling security products, this industry has an unequivocal bias. Fortunately, today, we enter a new era:  Statistics Canada has just released the results of the first Canadian Survey of Cyber security and Cybercrime (CSoCC).

Read More

front

The Supply Chain behind the Market for Fake "Likes"

By Masarah Paquet-Clouston

In the past years, there has been increasing awareness by the public and policy makers on the potential harm that social network manipulation can produce. Yet, most researchers have looked at the front end of the problem: developing algorithms to flag fake accounts on social networks and suspend them. No studies have investigated  the problem from an industry perspective, with questions such as:

Read More

Large Scale Vulnerability Scanning with Jenkins

By Benoit Côté-Jodoin

Find Security Bugs can often uncover interesting findings that may lead to the discovery of critical vulnerabilities. Back in May, we published on this blog two vulnerabilities in components of Spring, a Java web framework, using this tool. However, the process of using Find Security Bugs can be a little bit tedious to unseasoned Java users. Also, the process of analyzing compiled code and triaging the findings needed improvements. Here is the solution that was built to find vulnerabilities at scale.

Read More

A Password Hidden Among Other Binary Data

Throwing it out the Windows: Exfiltrating Active Directory credentials through DNS

By Leanne Dutil

This post will detail the password filter implant project we developed recently. Our password filter is used to exfiltrate Active Directory credentials through DNS. This text will discuss the technicalities of the project as well as my personal experience developing it. It is available under an open source license on GitHub.

Read More

Upcoming WEIS presentation: Ransomware Payment in the Bitcoin Ecosystem

By Masarah Paquet-Clouston

In the past year, we developed a data-driven method for identifying, quantifying, and comparing ransom payments in the Bitcoin ecosystem from 35 ransomware families. The study was conducted in partnership with Bernhard Haslhofer from the Austrian Institute of Technology (AIT) and Benoît Dupont from the Université de Montréal (UdeM). It resulted in a paper that will be presented at the 17th Annual Workshop on the Economics of Information Security (WEIS2018) in Innsbruck, Austria, besides renowned academic researchers. 

Read More

XXE with local DTD

Automating local DTD discovery for XXE exploitation

By Philippe Arteau

Last month, we presented at Hack In Paris (France) a XML External Entities (XXE) exploitation workshop. It showcase methods to exploit XXE with numerous obstacles. Today, we present our method to exploit XXEs with local a Document Type Declaration (DTD) file. More specifically, how we built a huge list of reusable DTD files.

Read More

Java Remote Code Execution Potpourri

By Benoit Côté-Jodoin

Some time ago; we published a blog about jenkins-fsb, a preconfigured Jenkins instance for efficiently using the plug-in, Find Security Bugs. In that blog post, there was an indication about multiple vulnerabilities having been found but not disclosed. Well, today we are sharing more details about the process of finding four different kinds of remote code execution in modern Java applications. Remote execution in Java can happen under different circumstances and all the findings presented here are all different from one another. This shows that while some code execution vulnerabilities are easy to detect, some of them require a thorough inspection.

Read More

injection

ESI Injection Part 2: Abusing specific implementations

By Philippe Arteau

Last year, we published a blog post about the injection of ESI tags in pages to fool the web cache proxy, and in August 2018, our colleague Louis Dion-Marcil spoke at Defcon about the discovery of the ESI Injection uncovered by the GoSecure intrusion testing team. For those interested, the presentation has been released on the Defcon YouTube channel. Defcon and Black Hat gave us an opportunity to unveil how ESI implementations can lead to session leakage through the client web browser without any malicious JavaScript. ESI is a specification that defines statements in the form of XML tags that are interpreted by the caching server. Those statements describe the content assembly of web pages by composing various HTML fragments from external resources. An attacker can abuse this mechanism by injecting a malicious tag inside an intercepted web page.

Read More

Water violently leaking from a large pipe

Abusing Unsafe Defaults in Active Directory Domain Services: A Real-World Case Study

By Louis Dion-Marcil

This past July, Kevin Robertson from NetSPI released a blog post entitled, "Beyond LLMNR/NBNS Spoofing – Exploiting Active Directory-Integrated DNS," which introduced a new technique (to us at least) targeting weak default access control in Active Directory Domain Services. At GoSecure, since most of our engagements require some level of Active Directory security assessment, we followed our interest and decided to find a way to reliably exploit it.

Read More

RDP Man-in-the-Middle - Smile! You're on Camera

By Émilio Gonzalez

As part of our four-month internship at GoSecure, we chose to work on creating a Remote Desktop Protocol (RDP) honeypot. To achieve this, we used a Linux server with an RDP man-in-the-middle (MITM) program that redirects traffic to a real Windows Server.

When searching for tools, we found RDPY, a Python RDP library with a MITM implementation. However, RDPY had several limitations both in features and design choices for our use case. This led us to create our own library, which reuses some parts and concepts from RDPY.

In this blog post, we will showcase our newly release open-source project, PyRDP, which is usable both as a MITM and as a library to experiment with the protocol. We will demonstrate both use cases by describing an incident we had with a malicious user that compromised our honeypot.

Read More

Summary of Statistics Canada's Survey on Cyber Security and Cybercrime

By Masarah Paquet-Clouston

If there is one thing that all cyber security professionals agree on is how data and statistics on cybersecurity and cybercrime are misleading and unreliable. This is unsurprising considering that most statistics created, until now, came from the cybersecurity industry itself. By being economically motivated at selling security products, this industry has an unequivocal bias. Fortunately, today, we enter a new era:  Statistics Canada has just released the results of the first Canadian Survey of Cyber security and Cybercrime (CSoCC).

Read More

front

The Supply Chain behind the Market for Fake "Likes"

By Masarah Paquet-Clouston

In the past years, there has been increasing awareness by the public and policy makers on the potential harm that social network manipulation can produce. Yet, most researchers have looked at the front end of the problem: developing algorithms to flag fake accounts on social networks and suspend them. No studies have investigated  the problem from an industry perspective, with questions such as:

Read More

Large Scale Vulnerability Scanning with Jenkins

By Benoit Côté-Jodoin

Find Security Bugs can often uncover interesting findings that may lead to the discovery of critical vulnerabilities. Back in May, we published on this blog two vulnerabilities in components of Spring, a Java web framework, using this tool. However, the process of using Find Security Bugs can be a little bit tedious to unseasoned Java users. Also, the process of analyzing compiled code and triaging the findings needed improvements. Here is the solution that was built to find vulnerabilities at scale.

Read More

A Password Hidden Among Other Binary Data

Throwing it out the Windows: Exfiltrating Active Directory credentials through DNS

By Leanne Dutil

This post will detail the password filter implant project we developed recently. Our password filter is used to exfiltrate Active Directory credentials through DNS. This text will discuss the technicalities of the project as well as my personal experience developing it. It is available under an open source license on GitHub.

Read More

Upcoming WEIS presentation: Ransomware Payment in the Bitcoin Ecosystem

By Masarah Paquet-Clouston

In the past year, we developed a data-driven method for identifying, quantifying, and comparing ransom payments in the Bitcoin ecosystem from 35 ransomware families. The study was conducted in partnership with Bernhard Haslhofer from the Austrian Institute of Technology (AIT) and Benoît Dupont from the Université de Montréal (UdeM). It resulted in a paper that will be presented at the 17th Annual Workshop on the Economics of Information Security (WEIS2018) in Innsbruck, Austria, besides renowned academic researchers. 

Read More

XXE with local DTD

Automating local DTD discovery for XXE exploitation

By Philippe Arteau

Last month, we presented at Hack In Paris (France) a XML External Entities (XXE) exploitation workshop. It showcase methods to exploit XXE with numerous obstacles. Today, we present our method to exploit XXEs with local a Document Type Declaration (DTD) file. More specifically, how we built a huge list of reusable DTD files.

Read More

Java Remote Code Execution Potpourri

By Benoit Côté-Jodoin

Some time ago; we published a blog about jenkins-fsb, a preconfigured Jenkins instance for efficiently using the plug-in, Find Security Bugs. In that blog post, there was an indication about multiple vulnerabilities having been found but not disclosed. Well, today we are sharing more details about the process of finding four different kinds of remote code execution in modern Java applications. Remote execution in Java can happen under different circumstances and all the findings presented here are all different from one another. This shows that while some code execution vulnerabilities are easy to detect, some of them require a thorough inspection.

Read More

injection

ESI Injection Part 2: Abusing specific implementations

By Philippe Arteau

Last year, we published a blog post about the injection of ESI tags in pages to fool the web cache proxy, and in August 2018, our colleague Louis Dion-Marcil spoke at Defcon about the discovery of the ESI Injection uncovered by the GoSecure intrusion testing team. For those interested, the presentation has been released on the Defcon YouTube channel. Defcon and Black Hat gave us an opportunity to unveil how ESI implementations can lead to session leakage through the client web browser without any malicious JavaScript. ESI is a specification that defines statements in the form of XML tags that are interpreted by the caching server. Those statements describe the content assembly of web pages by composing various HTML fragments from external resources. An attacker can abuse this mechanism by injecting a malicious tag inside an intercepted web page.

Read More

Water violently leaking from a large pipe

Abusing Unsafe Defaults in Active Directory Domain Services: A Real-World Case Study

By Louis Dion-Marcil

This past July, Kevin Robertson from NetSPI released a blog post entitled, "Beyond LLMNR/NBNS Spoofing – Exploiting Active Directory-Integrated DNS," which introduced a new technique (to us at least) targeting weak default access control in Active Directory Domain Services. At GoSecure, since most of our engagements require some level of Active Directory security assessment, we followed our interest and decided to find a way to reliably exploit it.

Read More

RDP Man-in-the-Middle - Smile! You're on Camera

By Émilio Gonzalez

As part of our four-month internship at GoSecure, we chose to work on creating a Remote Desktop Protocol (RDP) honeypot. To achieve this, we used a Linux server with an RDP man-in-the-middle (MITM) program that redirects traffic to a real Windows Server.

When searching for tools, we found RDPY, a Python RDP library with a MITM implementation. However, RDPY had several limitations both in features and design choices for our use case. This led us to create our own library, which reuses some parts and concepts from RDPY.

In this blog post, we will showcase our newly release open-source project, PyRDP, which is usable both as a MITM and as a library to experiment with the protocol. We will demonstrate both use cases by describing an incident we had with a malicious user that compromised our honeypot.

Read More

Summary of Statistics Canada's Survey on Cyber Security and Cybercrime

By Masarah Paquet-Clouston

If there is one thing that all cyber security professionals agree on is how data and statistics on cybersecurity and cybercrime are misleading and unreliable. This is unsurprising considering that most statistics created, until now, came from the cybersecurity industry itself. By being economically motivated at selling security products, this industry has an unequivocal bias. Fortunately, today, we enter a new era:  Statistics Canada has just released the results of the first Canadian Survey of Cyber security and Cybercrime (CSoCC).

Read More

front

The Supply Chain behind the Market for Fake "Likes"

By Masarah Paquet-Clouston

In the past years, there has been increasing awareness by the public and policy makers on the potential harm that social network manipulation can produce. Yet, most researchers have looked at the front end of the problem: developing algorithms to flag fake accounts on social networks and suspend them. No studies have investigated  the problem from an industry perspective, with questions such as:

Read More

Large Scale Vulnerability Scanning with Jenkins

By Benoit Côté-Jodoin

Find Security Bugs can often uncover interesting findings that may lead to the discovery of critical vulnerabilities. Back in May, we published on this blog two vulnerabilities in components of Spring, a Java web framework, using this tool. However, the process of using Find Security Bugs can be a little bit tedious to unseasoned Java users. Also, the process of analyzing compiled code and triaging the findings needed improvements. Here is the solution that was built to find vulnerabilities at scale.

Read More

A Password Hidden Among Other Binary Data

Throwing it out the Windows: Exfiltrating Active Directory credentials through DNS

By Leanne Dutil

This post will detail the password filter implant project we developed recently. Our password filter is used to exfiltrate Active Directory credentials through DNS. This text will discuss the technicalities of the project as well as my personal experience developing it. It is available under an open source license on GitHub.

Read More

Upcoming WEIS presentation: Ransomware Payment in the Bitcoin Ecosystem

By Masarah Paquet-Clouston

In the past year, we developed a data-driven method for identifying, quantifying, and comparing ransom payments in the Bitcoin ecosystem from 35 ransomware families. The study was conducted in partnership with Bernhard Haslhofer from the Austrian Institute of Technology (AIT) and Benoît Dupont from the Université de Montréal (UdeM). It resulted in a paper that will be presented at the 17th Annual Workshop on the Economics of Information Security (WEIS2018) in Innsbruck, Austria, besides renowned academic researchers. 

Read More

XXE with local DTD

Automating local DTD discovery for XXE exploitation

By Philippe Arteau

Last month, we presented at Hack In Paris (France) a XML External Entities (XXE) exploitation workshop. It showcase methods to exploit XXE with numerous obstacles. Today, we present our method to exploit XXEs with local a Document Type Declaration (DTD) file. More specifically, how we built a huge list of reusable DTD files.

Read More

Java Remote Code Execution Potpourri

By Benoit Côté-Jodoin

Some time ago; we published a blog about jenkins-fsb, a preconfigured Jenkins instance for efficiently using the plug-in, Find Security Bugs. In that blog post, there was an indication about multiple vulnerabilities having been found but not disclosed. Well, today we are sharing more details about the process of finding four different kinds of remote code execution in modern Java applications. Remote execution in Java can happen under different circumstances and all the findings presented here are all different from one another. This shows that while some code execution vulnerabilities are easy to detect, some of them require a thorough inspection.

Read More

injection

ESI Injection Part 2: Abusing specific implementations

By Philippe Arteau

Last year, we published a blog post about the injection of ESI tags in pages to fool the web cache proxy, and in August 2018, our colleague Louis Dion-Marcil spoke at Defcon about the discovery of the ESI Injection uncovered by the GoSecure intrusion testing team. For those interested, the presentation has been released on the Defcon YouTube channel. Defcon and Black Hat gave us an opportunity to unveil how ESI implementations can lead to session leakage through the client web browser without any malicious JavaScript. ESI is a specification that defines statements in the form of XML tags that are interpreted by the caching server. Those statements describe the content assembly of web pages by composing various HTML fragments from external resources. An attacker can abuse this mechanism by injecting a malicious tag inside an intercepted web page.

Read More

Water violently leaking from a large pipe

Abusing Unsafe Defaults in Active Directory Domain Services: A Real-World Case Study

By Louis Dion-Marcil

This past July, Kevin Robertson from NetSPI released a blog post entitled, "Beyond LLMNR/NBNS Spoofing – Exploiting Active Directory-Integrated DNS," which introduced a new technique (to us at least) targeting weak default access control in Active Directory Domain Services. At GoSecure, since most of our engagements require some level of Active Directory security assessment, we followed our interest and decided to find a way to reliably exploit it.

Read More

RDP Man-in-the-Middle - Smile! You're on Camera

By Émilio Gonzalez

As part of our four-month internship at GoSecure, we chose to work on creating a Remote Desktop Protocol (RDP) honeypot. To achieve this, we used a Linux server with an RDP man-in-the-middle (MITM) program that redirects traffic to a real Windows Server.

When searching for tools, we found RDPY, a Python RDP library with a MITM implementation. However, RDPY had several limitations both in features and design choices for our use case. This led us to create our own library, which reuses some parts and concepts from RDPY.

In this blog post, we will showcase our newly release open-source project, PyRDP, which is usable both as a MITM and as a library to experiment with the protocol. We will demonstrate both use cases by describing an incident we had with a malicious user that compromised our honeypot.

Read More

Summary of Statistics Canada's Survey on Cyber Security and Cybercrime

By Masarah Paquet-Clouston

If there is one thing that all cyber security professionals agree on is how data and statistics on cybersecurity and cybercrime are misleading and unreliable. This is unsurprising considering that most statistics created, until now, came from the cybersecurity industry itself. By being economically motivated at selling security products, this industry has an unequivocal bias. Fortunately, today, we enter a new era:  Statistics Canada has just released the results of the first Canadian Survey of Cyber security and Cybercrime (CSoCC).

Read More

front

The Supply Chain behind the Market for Fake "Likes"

By Masarah Paquet-Clouston

In the past years, there has been increasing awareness by the public and policy makers on the potential harm that social network manipulation can produce. Yet, most researchers have looked at the front end of the problem: developing algorithms to flag fake accounts on social networks and suspend them. No studies have investigated  the problem from an industry perspective, with questions such as:

Read More

Large Scale Vulnerability Scanning with Jenkins

By Benoit Côté-Jodoin

Find Security Bugs can often uncover interesting findings that may lead to the discovery of critical vulnerabilities. Back in May, we published on this blog two vulnerabilities in components of Spring, a Java web framework, using this tool. However, the process of using Find Security Bugs can be a little bit tedious to unseasoned Java users. Also, the process of analyzing compiled code and triaging the findings needed improvements. Here is the solution that was built to find vulnerabilities at scale.

Read More

A Password Hidden Among Other Binary Data

Throwing it out the Windows: Exfiltrating Active Directory credentials through DNS

By Leanne Dutil

This post will detail the password filter implant project we developed recently. Our password filter is used to exfiltrate Active Directory credentials through DNS. This text will discuss the technicalities of the project as well as my personal experience developing it. It is available under an open source license on GitHub.

Read More

Upcoming WEIS presentation: Ransomware Payment in the Bitcoin Ecosystem

By Masarah Paquet-Clouston

In the past year, we developed a data-driven method for identifying, quantifying, and comparing ransom payments in the Bitcoin ecosystem from 35 ransomware families. The study was conducted in partnership with Bernhard Haslhofer from the Austrian Institute of Technology (AIT) and Benoît Dupont from the Université de Montréal (UdeM). It resulted in a paper that will be presented at the 17th Annual Workshop on the Economics of Information Security (WEIS2018) in Innsbruck, Austria, besides renowned academic researchers. 

Read More