Hi All, I just found this thread, so let me give a quick summary of what happened. The hack started on a Saturday afternoon. When I woke up on...
I can only repeat myself. "As mentioned, some attacks (especially those spawning new processes) will be blocked by VS, some like stealing...
Yes, always ON. Please stop using words like DP tools. It makes no sense. Probably yes, I don't know. Proof, with password stealing...
The video I sent shows that the ETERNALBLUE exploit is successful; it can install the DOUBLEPULSAR backdoor. DOUBLEPULSAR can install the PEDDLECHEAP...
GhostHook – Bypassing PatchGuard with Processor Trace Based Hooking:...
This is my final post on this topic. I am tired of doing this, and I don't think it is my responsibility to teach basic things. An exploit is used...
Eternalblue exploits the Windows File Sharing Service (a.k.a. SMB) on TCP port 445. This Windows File Sharing Service runs with SYSTEM (a.k.a...
I agree 100% with what guest mentioned here. Another easy test is to ignore Peddlecheap completely, use Fuzzbunch + Eternalblue + Doublepulsar...
Ways Wannacry can get into enterprise environments via Eternalblue: Port 445 is open on the firewall from the Internet to an unpatched Windows...
If a security product is able to block loading the Doublepulsar backdoor installation, attackers have to come up with different ways to install...
What you describe is still not an exploit. Because in this attacker model, as an attacker, you can already execute malicious code on the machine....
On a very high level overview, Event Tracing works like a debugger, which can hook code before it is encrypted in SSL/TLS. It is basically an OS...
Although this test seems interesting and has important information, there is one issue with the statement I quoted. Doublepulsar is not an...
The tool is using Event Tracing, but not the keylogger module.
We are using the InfoLeakPOC, and NOT the KeyloggerPOC in our tests. InfoLeakPOC is similar to malware-in-the-browser when malware can see (and...
Hi All! First of all, we would like to thank all of you for pointing out mistakes in the report. Financial malware chart: Webroot and...
An interesting article can be found here: https://arstechnica.com/information-technology/2017/04/the-mystery-of-the-malware-that-wasnt/ Our...
The good question is not how to protect yourself against fileless malware, but how to protect yourself from any malware. Usually there are four...
Bedep starts in memory after the exploit in a way that there is usually no new process being created at all (except when it drops new malware and...
If you look at this report: https://www.mrg-effitas.com/wp-content/uploads/2015/04/MRG_Real_world_enterprise_security_exploit_prevention_2015.pdf...
I am 100% sure we used reflective DLL injection. In my terminology, an in-memory (non-persistent) malware infection works like this: Victim...
Here is our answer to multiple posts in this thread. We have not used any shellcode during the Online Banking Test Q2. Shellcodes are usually...
Based on the number of fallacies, I won't answer in this thread anymore unless there is a real, constructive question to us. Our lack of future...
As I am answering multiple posts, please forgive me for not using the proper "reply"-"quote" method. First of all, I'm confused. Most of the...
Some exploit samples targeted Silverlight in Chrome, others Flash in Firefox. Which means running non-IE browser with a vulnerable plugin (Flash,...