Blog

Our employees regularly carry out research projects in order to maintain our high standard. They analyze current topics, methods and tools in areas of information security that interest them and write up their findings. The results of this work feed into projects, conference talks, market overviews and articles for technical journals, as well as into advisories and zero-day vulnerability disclosures.

Blog Articles

Wer hat das Elster-Zertifikat weitergegeben?

December 3, 2024 – The German government has introduced a government-provided electronic identity for its citizens, the BundID. Authentication for this ID can be achieved, among other means, using a certificate file that was originally introduced for submitting tax returns. However, many citizens share this certificate file either with people who do their taxes for them or with online services that offer easier interfaces for filing taxes. As a result, many people's online identities are at risk.

Google DoC2

November 7, 2024 – In this article we show how to use any Chromium-based browser as a C2 agent and Google Docs as a C2 proxy and how to detect this. We provide sample code in Rust and a basic agent and server that can be used to execute shell commands on the agent and receive the output of the commands.

Author: Frederik Reiter

Abusing Microsoft Warbird for Shellcode Execution

November 7, 2024 – In this blog post, we’ll be covering Microsoft Warbird and how we can abuse it to sneakily load shellcode without being detected by AV or EDR solutions. We’ll show how we can encrypt our shellcode and let the Windows kernel decrypt and load it for us using the Warbird API.

Author: Jan-Luca Gruber and Frederik Reiter

Inside the NAC Pi

July 5, 2024 – The NAC Pi is our all-in-one man-in-the-middle device, which allows us to bypass network access control solutions, including 802.1x. We use it as an effective measure in our Red-Teaming assessments to eavesdrop on and manipulate our customers’ supposedly protected network traffic. With this blog article we would like to go into the theory behind it and take you on the journey of how our device was created.

Author: Leon Schmidt

Loader Dev. 5 – Loading our payload

May 10, 2024 – In this post, we will finally cover loading our actual payload. As discussed at the beginning of this series, our loader should be able to load shellcode and C# assemblies as well as PEs. The actual mode will be chosen using an argument to the Python script used for compilation.

Author: Kolja Grassmann

Loader Dev. 4 – AMSI and ETW

April 30, 2024 – In the last post, we discussed how we can get rid of any hooks placed into our process by an EDR solution. However, there are also other mechanisms provided by Windows, which could help to detect our payload. Two of these are ETW and AMSI.

Author: Kolja Grassmann

Advisories

Vulnerabilities

cirosec conducts vulnerability research into products and services, which at times results in the discovery of zero-day vulnerabilities.

cirosec follows a responsible disclosure policy when dealing with zero-day vulnerabilities found during research or customer projects. The goal is to balance the vendor's or open-source project's need for enough time to develop and distribute a fix against the public's need to know about the vulnerability. The policy is in accordance with industry-standard responsible disclosure practices. Our Responsible Disclosure Policy can be found here.

Below is a list of vulnerabilities identified by cirosec, with their CVE identifiers where one has been assigned, presented here for reference and cataloguing.

| Vulnerability | CVE | CVSS Score | Publication Date | More Details |
|---|---|---|---|---|
| Vulnerability in HP Hotkey Support | CVE-2024-27458 | 8.8 (CVSS v3) | October 4, 2024 | Advisory, HP |
| Vulnerability in AVG Internet Security | CVE-2024-6510 | 7.8 (CVSS v3) | September 12, 2024 | Advisory |
| Vulnerability in Overwolf | CVE-2024-7834 | 7.8 (CVSS v3) | September 4, 2024 | Advisory |
| Vulnerability in baramundi Management Agent | CVE-2024-6689 | 7.8 (CVSS v3) | July 15, 2024 | Advisory, baramundi |
| Vulnerability in Trend Micro Apex One | CVE-2024-36302 | 7.8 (CVSS v3) | July 1, 2024 | Advisory, Trend Micro |
| Vulnerability in Checkpoint Harmony | CVE-2024-24912 | 7.8 (CVSS v3) | May 1, 2024 | Advisory, Checkpoint |
| Vulnerability in Webroot Antivirus | CVE-2023-7241 | 7.8 (CVSS v3) | May 1, 2024 | Advisory, Webroot |
| Vulnerability in Bitdefender | CVE-2023-6154 | 7.8 (CVSS v3) | April 1, 2024 | Advisory, Bitdefender |
| Vulnerability in neo42 Sumatra PDF Package | | 7.8 (CVSS v3) | November 7, 2023 | Advisory |
| Vulnerability in Bytello Share | | 7.8 (CVSS v3) | November 6, 2023 | Advisory |
| Vulnerability in Kiteworks OwnCloud | CVE-2023-7273 | 6.8 (CVSS v3) | November 4, 2023 | Advisory |
| Vulnerability in VMware Workstation | CVE-2023-20854 | 7.8 (CVSS v3) | February 3, 2023 | Advisory, VMware |
| Vulnerability in Remote Access Software from RealVNC | CVE-2022-41975 | 7.8 (CVSS v3) | September 30, 2022 | Advisory, RealVNC |

Blogs - Overview

| Title | Author | Publication Date | Category |
|---|---|---|---|
| Google DoC2 | Frederik Reiter | November 7, 2024 | Command-and-Control, Red Teaming |
| Abusing Microsoft Warbird for Shellcode Execution | Jan-Luca Gruber & Frederik Reiter | November 7, 2024 | Red Teaming, Reverse Engineering, Windows |
| Inside the NAC Pi | Leon Schmidt | July 5, 2024 | Red Teaming |
| Loader Dev. 5 – Loading our payload | Kolja Grassmann | May 10, 2024 | Red Teaming |
| Loader Dev. 4 – AMSI and ETW | Kolja Grassmann | April 30, 2024 | Red Teaming |
| Loader Dev. 3 – Evading userspace hooks | Kolja Grassmann | April 10, 2024 | Red Teaming |
| Loader Dev. 2 – Dynamically resolving functions | Kolja Grassmann | March 10, 2024 | Red Teaming |
| Loader Dev. 1 – Basics | Kolja Grassmann | February 10, 2024 | Red Teaming |
| Microsoft Tiering Model – Part 3/3 | Hagen Molzer | January 10, 2024 | AD Security |
| Microsoft Tiering Model – Part 2/3 | Hagen Molzer | December 10, 2023 | AD Security |
| Microsoft Tiering Model – Part 1/3 | Hagen Molzer | November 10, 2023 | AD Security |
