Posts

Showing posts from July, 2022

Hunting for APT Abuse of Exchange

APT abuse of Exchange is not a new topic, but I noticed there weren’t enough write-ups of hunting methodologies, so I decided to write one based on the various attack techniques I’ve seen various APTs use over the last 2 years. This is not a comprehensive guide as there honestly is WAY too much for me to write and cover (I don’t have enough time T_T but will add to this post over time). I’m going to show you specifically some key areas you can focus on when hunting for malicious behaviour. This guide will not cover the entire attack map of what happens in an APT case where Exchange is abused, it will only cover key areas to hunt on Exchange.

Over the course of the last few years there has been a heavy abuse of legacy authentication from APT groups from various nations, with a strong focus especially on EWS and other legacy auth methods as their preferred method of access. If there is a business need for legacy authentication… (aka you still have legacy authentication enabled) then

Heap Overflows on iOS ARM64: Heap Grooming, Use-After-Free (Part 3)

Welcome back to part 3 of my iOS arm64 exploitation series! If you’ve missed the blogs in the series, check them out below ^_^

Part 1: How to Reverse Engineer and Patch an iOS Application for Beginners
Part 2: Guide to Reversing and Exploiting iOS binaries: ARM64 ROP Chains

If you’re more of a visual learner – I have filmed a YouTube video on this that you can check out! The YouTube video does not go into the same level of depth as this blog post will, so just keep that in mind.

INTRODUCTION

We’ve gone through iOS hooking, buffer overflows and simple ROP chains on ARM64. Now it’s time to talk about heap overflows and exploiting use-after-free (UAF) bugs. The goal of this blog is to show you how a UAF bug can be exploited and turned into something “malicious”. I will be walking you through step-by-step the following things:

How to identify a UAF bug
How to statically analyse the binary to figure out how to perform the exploitation
Heap overflow logic
Heap grooming
Full exploitation

As