Mindblown: a blog about DFIR.

  • CloudMe Sync CVE-2018-6892

    CloudMe Sync before version 1.11.0 is affected by CVE-2018-6892[1]. This vulnerability allows an unauthenticated remote attacker to exploit the “CloudMe Sync” client application, which listens on port 8888[1]. By sending a malicious payload, the attacker can trigger a buffer overflow vulnerability in the application[1]. Successful exploitation of this vulnerability allows the attacker to gain control…

  • Bypassing modern anti-exploit mechanisms

    Modern operating systems employ a variety of anti-exploit mechanisms known as exploit mitigation techniques to prevent and limit the success of malicious activities on a system. Yet, skilled attackers and malware creators continually develop methods to bypass these defenses. Here are several modern anti-exploit mechanisms and ways they might be circumvented: As a malware analyst,…

  • MOVEit Transfer Attack

    MOVEit Transfer Attack: TTPs for Malware Analysts. Overview: MOVEit Transfer is a secure file transfer solution organizations use to exchange sensitive data. While the product is designed to be secure, attackers may still target the users, infrastructure, or underlying systems to compromise the transferred data. The TTP (Tactics, Techniques, and Procedures) for a MOVEit Transfer…

  • AS-REP Roasting

    AS-REP Roasting is a technique that targets the Kerberos authentication protocol by exploiting user accounts with Kerberos pre-authentication disabled. When pre-authentication is enabled, a user who needs access to a resource initiates the Kerberos authentication process by sending an Authentication Server (AS) request. However, if pre-authentication is disabled, attackers may obtain the password hashes of…

  • Advanced Encryption Standard (AES)

    The Advanced Encryption Standard (AES) is a symmetric-key encryption algorithm established by the U.S. National Institute of Standards and Technology (NIST) in 2001. It was developed by Belgian cryptographers Joan Daemen and Vincent Rijmen, who submitted their Rijndael block cipher during the AES selection process. AES has a fixed block size of 128 bits and…

  • Salsa20

    Salsa20 is a stream cipher developed by Daniel J. Bernstein in 2005, with a closely related variant called ChaCha introduced in 2008. Both ciphers are based on a pseudorandom function that uses add-rotate-XOR (ARX) operations, which include 32-bit addition, bitwise addition (XOR), and rotation operations. The core function maps a 256-bit key, a 64-bit nonce,…

  • Windows API functions

    Microsoft CryptoAPI, also known as CryptoAPI, Microsoft Cryptography API, MS-CAPI, or simply CAPI, is an application programming interface (API) included with Microsoft Windows operating systems. It provides services to enable developers to secure Windows-based applications using cryptography. First introduced in Windows NT 4.0, CryptoAPI has been enhanced in subsequent versions. CryptoAPI supports both public-key and…

  • Malware Analysis Tools P1

    Malware analysis relies on a variety of tools to dissect, analyze, and reverse-engineer malware samples. These tools help analysts gain insight into the malware’s functionality, behavior, and potential impact on the infected system.

  • Building Home Lab

    If you are interested in digital forensics, you can build your own digital forensics lab at home. A home lab is a great way to learn more about the field and develop your skills. Here are steps to help you get started: Step 1: Determine Your Goals and Budget. Before building your lab, you…

  • Malware Analysis Methods API Part 1

    In malware analysis, the techniques covered here relate to the various methods and APIs (Application Programming Interfaces) that malware may use to perform its malicious activities. Understanding these techniques helps analysts identify, analyze, and reverse-engineer malware samples.