May 10, 2024 – In this post, we will finally cover loading our actual payload. As discussed at the beginning of this series, our loader should be able to load shellcode and C# assemblies as well as PEs. The actual mode will be chosen using an argument to the python script used for compilation.
Author: Kolja Grassmann
April 30, 2024 – In the last post, we discussed how we can get rid of any hooks placed into our process by an EDR solution. However, there are also other mechanisms provided by Windows, which could help to detect our payload. Two of these are ETW and AMSI.
Author: Kolja Grassmann
April 10, 2024 – In this post, we will go over techniques to avoid hooks placed into memory by an EDR.
Author: Kolja Grassmann
March 10, 2024 – In this post, we discuss dynamically resolving functions, which help to avoid static detections based on the functions imported by our executable.
Author: Kolja Grassmann
February 10, 2024 – This is the first post in a series of posts that will cover the development of a loader for evading AV and EDR solutions.
Author: Kolja Grassmann
January 10, 2024 – This is the third part of a three-part blog post series that looks at different design decisions, considerations and options an organization should bear in mind when planning, implementing and maintaining a tiering model in order to administrate the IT infrastructure securely. It describes the various options for implementation, explains trade-offs that must be made and their residual risks, and outlines the technical measures that need to be taken.
Author: Hagen Molzer
May 1, 2024 – Checkpoint Harmony is an enterprise security software protecting customers from malware.
May 1, 2024 – Webroot Antivirus is an antivirus software. The vulnerability existed in both the end user product and the enterprise product.
April 1, 2024 – Bitdefender produces different antivirus products. The privilege escalation vulnerability existed in Bitdefender Total Security, Internet Security, Antivirus Plus and Antivirus Free.
November 7, 2023
Sumatra PDF is an Open-Source PDF Reader. The vulnerability in this case was found in the installer for this product shipped by neo42 for Matrix 42 Unified Endpoint Management.
November 6, 2023
Bytello Share is a software used to share the screen of a device. The vulnerability was found in the installation process of the software.
February 3, 2023
VMware Workstation is a virtualization software that allows to run several virtual machines in parallel on one device. These virtual machines can be managed via the software VMware Workstation Player or VMware Workstation Pro, which is installed on all systems used for managing virtual machines.
cirosec conducts vulnerability research into products and services, which at times results in zero day vulnerabilities being discovered.
cirosec follows a responsible disclosure policy when dealing with zero-day vulnerabilities found during research or customer projects. The goal is to balance the need of giving the vendor or open-source project enough time to develop and distribute a fix for the vulnerability with the need of the public to know about the security vulnerability. The policy is in accordance with industry-standard responsible disclosure practices. Our Responsible Disclosure Policy can be found here.
Below is a list of CVEs vulnerabilities identified by cirosec and presented here for reference and cataloguing.
| CVE # | Vendor | Product | CVSS Rating | Advisory Link |
| CVE-2024-24912 | Checkpoint | Checkpoint Harmony | 7.8 (CVSS v3) | Advisory Checkpoint |
| CVE-2023-7241 | Webroot | Webroot Antivirus | 7.8 (CVSS v3) | Advisory, Webroot |
| CVE-2023-6154 | Bitdefender | Bitdefender Total Security, Internet Security, Antivirus Plus, Antivirus Free | 7.8 (CVSS v3) | Advisory, Bitdefender |
| CVE-2023-20854 | VMware | VMware Workstation | 7.8 (CVSS v3) | Advisory, VMware |
| CVE-2022-41975 | RealVNC | Connect | 7.8 (CVSS v3) | Advisory, RealVNC |
Competent IT security consulting, pentests, incident response and training
