Introduction This blogpost will describe how Transparency, Consent, and Control (TCC) affects extended attributes on macOS. TCC is a control that limits an application’s ability to interact with various services on the operating system. It controls access to services such as camera, microphone, contacts, photos, folders on disc, location services, and…

Introduction This blogpost will describe the concept of Location Services on macOS and how an attacker can utilize the Core Location APIs to track the geographical location of their targets. This technique is mapped to MITRE ATT&CK under System Location Discovery (T1614). Recently, I have been diving into understanding Transparency, Consent…

Introduction This blogpost will describe the concept of cookie theft against Chromium browsers and how this technique can be utilized to access web applications without credentials. This technique is mapped to MITRE ATT&CK under Steal Web Session Cookie (T1539). On a recent engagement, my team was ceded access on a macOS…

Introduction This blogpost will describe the concept of dynamic-link library (DLL) search order hijacking and how it can be used for userland persistence on Windows systems. This technique is mapped to MITRE ATT&CK under DLL Search Order Hijacking (T1038). DLL hijacking is useful to an attacker for a myriad of reasons…

Introduction This blogpost will describe the concept of access token manipulation and how this technique can be utilized against winlogon.exe to impersonate a SYSTEM access token from an administrator context. This technique is mapped to MITRE ATT&CK under Access Token Manipulation. Impersonating a SYSTEM access token is useful in cases that…

In this post, I will cover how to manipulate file times on the Windows OS. Manipulating timestamps is a common technique implemented in malware to blend in with other files on disc or as an anti-forensics technique. …

Clipboard Monitoring Have you ever wondered what occurs when you push Ctrl+C or right click some highlighted text/image and click copy on Windows? We’re going to look into detecting changes to the clipboard, clipboard events, and reading the data copied to the clipboard. Additionally, we’ll read the user’s current active window for…

LyncSniper LyncSniper is an essential tool for any external penetration test or red team engagement. It performs brute-force and password spraying attacks against Skype for Business to obtain valid credentials. LyncSniper was written by @domchell of the MDSec ActiveBreach Team. MDSec put out an awesome blogpost detailing exactly how LyncSniper works…

Last week 33000+ Internet of Things devices were posted on pastebin with their IP addresses and telnet credentials. I downloaded the leak to analyze and found some interesting things. I confirmed the leaked credentials by logging into some of the systems. The original leak has since been removed from pastebin. In this post, I will look over the following three things: …