Exploiting GOG Galaxy XPC service for privilege escalation in macOS

Being part of the Adversary Services team at IBM, it is important to keep your skills up to date and learn new things constantly. macOS security was one field where I decided to put more effort this year to further improve my exploitation and operation skills in macOS environments. During my research, I decided to […]

The post Exploiting GOG Galaxy XPC service for privilege escalation in macOS appeared first on Security Intelligence.

Hive0051’s large scale malicious operations enabled by synchronized multi-channel DNS fluxing

Recent analysis of Hive0051 has identified three key changes to capabilities: an improved multi-channel approach to DNS fluxing, obfuscated multi-stage scripts, and the use of fileless PowerShell variants of the Gamma malware.

Critically Close to Zero(Day): Exploiting Microsoft Kernel Streaming Service

Last month Microsoft patched a vulnerability in the Microsoft Kernel Streaming Server, a Windows kernel component used in the virtualization and sharing of camera devices. The vulnerability, CVE-2023-36802, allows a local attacker to escalate privileges to SYSTEM. This blog post details my process of exploring a new attack surface in the Windows kernel, finding a […]

Reflective call stack detections and evasions

In a blog published this March, we explored reflective loading through the lens of an offensive security tool developer, highlighting detection and evasion opportunities along the way. This time we are diving into call stack detections and evasions, and how BokuLoader reflectively loads call stack spoofing capabilities into beacon. We created this blog and public […]

“Authorized” to break in: Adversaries use valid credentials to compromise cloud environments

Overprivileged plaintext credentials left on display in 33% of X-Force adversary simulations.

Adversaries are constantly seeking to improve their productivity margins, but new data from IBM X-Force suggests they aren’t exclusively leaning on sophistication to do so. Simple yet reliable tactics that offer ease of use and often direct access to privileged environments are still […]

Email campaigns leverage updated DBatLoader to deliver RATs, stealers

IBM X-Force has identified new capabilities in DBatLoader malware samples delivered in recent email campaigns, signaling a heightened risk of infection from commodity malware families associated with DBatLoader activity. Explore the analysis.

Databases beware: Abusing Microsoft SQL Server with SQLRecon

Over the course of my career, I’ve had the privileged opportunity to peek behind the veil of some of the largest organizations in the world. In my experience, most industry verticals rely on enterprise Windows networks. In fact, I can count on one hand the number of times I have seen a decentralized zero-trust network, […]

Bringing threat intelligence and adversary insights to the forefront: X-Force Research Hub

Today defenders are dealing with both a threat landscape that’s constantly changing and attacks that have stood the test of time. Innovation and best practices co-exist in the criminal world, and one mustn’t distract us from the other. IBM X-Force is continuously observing new attack vectors and novel malware in the wild, as adversaries seek […]

MSMQ QueueJumper (RCE Vulnerability): An In-Depth Technical Analysis

The security updates released by Microsoft on April 11, 2023, addressed over 90 individual vulnerabilities. Of particular note was CVE-2023-21554, dubbed QueueJumper, a remote code execution vulnerability affecting the Microsoft Message Queuing (MSMQ) service. MSMQ is an optional Windows component that enables applications to exchange messages via message queues that are reachable both locally and […]
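Because MSMQ is an optional component, the first question a defender has after reading the summary above is whether a given host even has it installed and listening. The following is an added example by the editor, not code from the X-Force post, that answers that question locally or for a remote host. It assumes the Windows service name MSMQ, MSMQ's standard TCP port 1801, and that the `NetTCPIP` cmdlets (`Get-NetTCPConnection`, `Test-NetConnection`) are available, which is the case on Windows 8 / Server 2012 and later.

```powershell
# Added example (editor's code, not from the Security Intelligence post).
# Reports whether a host exposes the MSMQ service that CVE-2023-21554 (QueueJumper) targets.
# Assumptions: service name 'MSMQ', listening port TCP 1801, NetTCPIP module present.

function Test-MsmqExposure {
    [CmdletBinding()]
    param(
        # Omit to inspect the local machine; supply a hostname to probe the port remotely.
        [string]$ComputerName
    )

    $port = 1801   # MSMQ's standard TCP port for remote clients

    if ($ComputerName) {
        # Remote check: can we complete a TCP handshake to the MSMQ port?
        $probe = Test-NetConnection -ComputerName $ComputerName -Port $port -WarningAction SilentlyContinue
        return [pscustomobject]@{
            Host        = $ComputerName
            Installed   = $null            # not knowable from the network alone
            Listening   = $probe.TcpTestSucceeded
            Recommended = if ($probe.TcpTestSucceeded) { 'Patch or block TCP 1801 at the perimeter' } else { 'No MSMQ exposure seen' }
        }
    }

    # Local check 1: is the optional MSMQ service installed, and is it running?
    $svc = Get-Service -Name 'MSMQ' -ErrorAction SilentlyContinue

    # Local check 2: is anything bound to TCP 1801 in LISTEN state?
    $listener = Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue

    $recommendation =
        if (-not $svc) {
            'MSMQ not installed; host is out of scope for QueueJumper'
        } elseif ($listener) {
            # Remove the feature if nothing depends on it; otherwise ensure the April 2023 update is applied.
            'MSMQ listening on TCP 1801; remove the feature if unused, otherwise confirm April 2023 patches'
        } else {
            'MSMQ installed but not listening; still remove or patch, service may be started later'
        }

    [pscustomobject]@{
        Host        = $env:COMPUTERNAME
        Installed   = [bool]$svc
        Status      = if ($svc) { $svc.Status } else { 'n/a' }
        Listening   = [bool]$listener
        Recommended = $recommendation
    }
}

# Local host:
Test-MsmqExposure | Format-List

# Remote host (hypothetical name, replace with a real target you are authorized to scan):
# Test-MsmqExposure -ComputerName 'mq-server01' | Format-List
```

If the component is not needed, removing it is the cleanest fix: `Disable-WindowsOptionalFeature -Online -FeatureName MSMQ-Server` on client SKUs, or `Uninstall-WindowsFeature -Name MSMQ` on Windows Server. Where it must stay, the remote probe is also a useful regression check after the perimeter firewall rule for TCP 1801 is tightened.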

Attacker exploits vulnerability in Active Directory Certificate Services to take control of domain

This post was made possible through the contributions of Joseph Spero and Thanassis Diogos. In June 2023, IBM Security X-Force responded to an incident where a client had received alerts from their security tooling regarding potential malicious activity originating from a system within their network targeting a domain controller. X-Force analysis revealed that an attacker […]
