Following Process Hollowing in OllyDbg

Overview. Process Hollowing is a common technique used by modern malware to create a process which appears legitimate when viewed in tools such as Task Manager, but whose code has in fact been replaced with malicious content. This post will outline the API calls used in Process Hollowing and will explain how to follow the

Multiple Vulnerabilities in Citrix Provisioning Services

Today, Citrix released the CTX219580 security advisory containing the fixes for the five vulnerabilities. It has to be noted that all the exchanges with the Citrix Security Response Team were very pleasant, and they provided us with regular updates about the correction status of the vulnerabilities. Citrix Provisioning Services is a Citrix product, which allows

The ideal industrial SOC and its need for convergence and trust

There are many ways to contribute to the cyber security of a company, either from a technological point of view or from a procedural point of view. This concept, translated into a company’s cyber security architecture, must always be aligned with the strategic needs of the business and its risk appetite; otherwise you could be

Asset Inventories – Establishing the Foundation of Comprehensive ICS Security

Critical infrastructure operated by Industrial Control Systems (ICS) forms the backbone of modern societies. However, as opposed to safety, cyber security in ICS has not been addressed at a level adequate to the criticality of these systems. Most ICS and their communication protocols have been designed and implemented in the pre-internet era with limited to

A Sysmon bug into the abbreviated versions of registry root names

Sysmon is a widely known and powerful tool that could be used as an EDR. Through this short analysis, a programming mistake has been identified when Sysmon converts the registry root key names to their abbreviations. Even if this bug does not seem to lead to a vulnerability, it is interesting to describe it. First,

Dive into a kernel Bromium race condition (CVE-2019-18567)

The Bromium vSentry solution is a product deployed on end-user workstations which takes advantage of hardware virtualisation features in order to isolate untrusted or exposed software. As part of this analysis, it is possible for a non-privileged user to cause a Denial of Service (DoS) in the client side application of Bromium vSentry 4.0.3.2060. A

Filling the gap with MITRE ATT&CK for ICS

Table 1: Comparison of used Techniques of Backdoor.Oldrea in ATT&CK for ICS and ATT&CK for Enterprise. Conclusion: Blue teams who have to protect IT and OT environments need the interaction of both Enterprise and ICS matrix depending on which threat should be addressed in which zone. ATT&CK for ICS is a great addition to

Applying a Stuxnet Type Attack to a Modicon PLC (CVE-2020-7475)

This study from Airbus CyberSecurity has been reviewed jointly with Schneider Electric. Please see the Security Notification here. In this article we will describe the process on how to perform a “Stuxnet type” attack on a Schneider Modicon M340 PLC. The end result was that we were able to design an automation program using C language and

Applying a Stuxnet Type Attack to a Modicon PLC

This study from Airbus CyberSecurity has been reviewed jointly with Schneider Electric. Please see the Security Notification here. In this article we will describe the process on how to perform a “Stuxnet type” attack on a Schneider Modicon M340 PLC. The end result was that we were able to design an automation program using C language and

The OXID Resolver [Part 2] – Accessing a Remote Object inside DCOM

In the previous OXID Resolver Part 1 article [1], a way to remotely enumerate the network interfaces on a recent Windows OS machine has been described. This method does not require the knowledge of user credentials and relies on the ServerAlive2() RPC method. The latter is held by the IOXIDResolver interface. This article is dedicated