Exploiting Leaked Handles for LPE

The inheritance of object handles between processes in a Microsoft Windows system can be a good source to identify local privilege elevation (LPE) vulnerabilities. After introducing the basic concepts around this type of security weaknesses, a tool capable of identifying and exploiting them will be presented, providing Pentesters and Researchers with a new point to focus their intrusion and research actions respectively, read on!

Within a Microsoft Windows operating system, processes are able to interact with securable system objects such as files, PIPES, registry keys, threads or even other processes. To do this and through the use of the WINAPI the source process requires the O.S. of a handle to perform a certain action on the object in question.

If the appropriate permissions and/or privileges are available, the O.S. authorizes this access by delivering the aforementioned object handle to the process that requires it. From that moment on it is possible to interact with it within the limits of the requested permissions. Let’s see the following example where a source process would make use of the WinApi OpenProcess function to try to open a target process (spoolsv.exe) in order to obtain information remotely from it (PROCESS_QUERY_INFORMATION).

[Read more…]

Hunting with Artificial Intelligence: Detection of malicious domains (II)

This post and the full series has been elaborated jointly with Ana Isabel Prieto, Sergio Villanueva and Luis Búrdalo.


In the previous article we commented on the difficulty faced by Threat Hunting analysts as a result of the high number of domains registered daily by an organization. This makes it difficult to analyze and locate potentially malicious domains, which may go unnoticed among so much traffic. For this reason, in an attempt to facilitate the analyst’s task, the use of alternative techniques based on Machine Learning is proposed. Before presenting the different tests performed, the article introduces the algorithms to be used for the detection of anomalies in the domains.

To begin with, it is necessary to comment that having a large and varied database is fundamental for a model to be able to detect potentially malicious domains reliably, since its parameters are going to be adjusted in an environment that must be similar to the real one.

However, there is great difficulty in identifying patterns in high-dimensional data, and even more difficulty in representing such data graphically and expressing them in a way that highlights their similarities and differences. This is where the need arises to use a powerful data analysis tool such as PCA (Principal Components Analysis).

[Read more…]

Hunting with Artificial Intelligence: Detection of malicious domains (I)

This post and the full series has been elaborated jointly with Ana Isabel Prieto, Sergio Villanueva and Luis Búrdalo.


Internet brings a world of possibilities for personal development and the realization of many of the daily activities, being an indispensable piece in today’s society. On this network there are hundreds of millions of domains to access, although unfortunately not all of them are safe. Malicious domains are those used by cybercriminals to connect to command and control servers, steal credentials through phishing campaigns or distribute malware.

In many cases, these domains share certain lexical characteristics that at first glance may attract attention. For example, in phishing campaigns, domains with TLD xyz, top, space, info, email, among others, are relatively common. Similarly, attackers use DGA (Domain Generation Algorithm) techniques to create random domains to exfiltrate information, such as istgmxdejdnxuyla[.]ru. Other striking properties can be excessive hyphens, multi-level domains or domains that attempt to impersonate legitimate organizations such as amazon.ytjksb[.]com and amazon.getfreegiveaway[.]xyz.

With digitization on the rise, organizations surf to thousands of different domains, making it difficult to detect malicious domains among so much legitimate traffic. In a medium-sized organization, between 3,000 and 5,000 domains of traffic are logged daily. This volume makes it unfeasible to analyze them manually. Traditionally, part of this detection process is automated using pattern search rules, for example, rules to find domains with TLDs (Top Level Domain) used in phishing campaigns, containing the name of large companies that are not legitimate or have more than X characters.

[Read more…]

Hacking DICOM: the hospital standard

Have you ever thought that radiographs were just JPG images? Do you remember hearing the name DICOM? In this article we expect to resolve all your doubts about the protocol for sending medical images and show you its implications for cybersecurity.

Quick introduction to DICOM

Figure 1. DICOM logo

Medical images that are transmitted within hospitals, such as X-rays or ultrasounds, are not in the common image formats, but are in DICOM (Digital Imaging and Communications in Medicine) format. However, they can be converted to JPG or PNG.

Although at first glance it looks like a simple image format, DICOM is much more: it is the standard for transmission, storage, retrieval, printing, processing and visualization of medical images and their information. Thanks to the implementation of this standard, technology in the health field was revolutionized, replacing physical radiographs with digital radiographs with all the implied data. Today, DICOM is recognized as the ISO 12052 standard.

[Read more…]

Purple Team: Why all the fuss? (III). Vectr.io

As you can already guess from previous spoilers, in this third part of the series (see part one and part two), after having made clear the role that Threat Intelligence plays in the Purple Team methodology, we will go a bit more into details about the phases of preparation, execution and lessons learned in an exercise.

Disclaimer: As I mentioned in the first episode, I do not intend to set in stone anything in this article, but rather to give my point of view and provide an overview of a subject for which there is not much documentation, and what I found, is scattered in multiple sources.

After having developed an implementation plan based on the mapping of threats on the MITRE ATT&CK MATRIX, it is time to put all the use cases into practice. To do so, we will use Vectr.io, an open source web platform developed by Security Risk Advisors.

This tool is responsible for centralizing all the coordination tasks of the Red and Blue teams. But far from being a tool just for coordinating exercises, it is also prepared to be used as a sort of logbook of all operations executed in various exercises and their outcome over time, so that the evolution of the organization’s security posture can be tracked.

With an abstract description such as the above, it may be difficult to imagine how all of this is accomplished. Therefore, the aim of this post is to opt for a more practical approach.

For the sake of brevity, we will not detail all the functionalities of this tool but will show the possibilities it offers and how these can help us with our goal. It will then be up to you to explore the more advanced functions and evaluate whether they are useful for your particular use case.

[Read more…]

Purple Team: Why all the fuss?(II). Threat Intelligence

After having made a brief introduction and exposition of the Purple Team methodology and listed the phases that constitute it in the first part of this series, in this second part I will go into more detail on how Cyber Threat Intelligence (CTI) integrates in the whole process of adversarial emulation, and therefore, in the Purple Team exercises or programs.

I feel obligated to repeat that (as stated in the first article) many of the content and methodology shown thereafter comes from Scythe and its Purple Team Exercise Framework and closely linked to the entire MITRE doctrine and tools. My goal with this article is to provide a comprehensive view of the topic along with my experience and opinion on some things.

First: understanding the target organization

Whether you are performing CTI as an outside consultant or as part of the organization, it is important to have as much information about the organization as possible.

To do this, the CTI team must conduct an intensive and extensive information gathering exercise, just as an enemy threat agent would. In addition to this, the information must be enriched with that obtained through interviews and inquires with the organization’s personnel.

[Read more…]

MQTT: risks and threats in healthcare environments

This post has been elaborated together with Alex Alhambra Delgado.


Since 2020, many changes have been made in the way we interact with each other, as well as with computer systems. In the wake of the pandemic, all companies had to upgrade their network infrastructures to provide better performance, speed and availability, given the large amount of work that suddenly had to be done remotely.

In the same way, companies needed a way to monitor all their processes remotely, in order to reduce travel and the potential exposure to viruses. In this situation, all types of industries took advantage of the benefits of the IoT (Internet of Things), which provided a new way to control the processes of a company remotely.

Illustration 1. IoT and IIoT
[Read more…]

“Spam Nation,” a portrait of 2014 cybercrime

For those interested in cybersecurity, journalist Brian Krebs is a more or less standard reference. Krebs, who used to cover cybercrime cases for the Washington Post, left his position in the newsroom and set up his own blog to continue investigating what is behind some of the most notorious cases or the most common crimes.

In his first (and so far only) book, “Spam Nation,” Krebs tells us about the so-called “Pharmaceutical Wars” between the leaders of two criminal “families”, who between 2007 and 2013 competed for the market of spamming and selling counterfeit drugs.

The two spammers, Pavel Vrublevsky and Dimitry Nechvolod, escalated their rivalry by leaking information about each other, bribing authorities, competing on price and, finally, even ordering the assault and physical elimination of their rivals. All in a six-year “war” that ended with the defeat of both.

Krebs, who tells in first person his inquiries about this rivalry, even learned Russian and traveled to the Russian Federation to interview them in person and, along the way, gives us a portrait of how the mafias that use the Internet for their purposes act and organize themselves.

[Read more…]

Purple Team: Why all the fuss? (I)

We often read or hear terms like Red, Blue, Purple, Adversarial Emulation and many others almost interchangeably, which often causes confusion in cybersecurity neophytes.

All these disciplines, often partially overlapping each other in their scope, have their place in an organization’s security plan, but it is important to be clear about their strengths and weaknesses in order to take advantage of the former and minimize the latter.

Throughout this article, or series of articles (let’s see how far down the rabbit hole I go), I will try to do my bit on this topic by ,firstly, introducing the Purple Team methodology and then looking into it with a bit more depth.

It is convenient to clarify that this article does not intend to be a lecture on the subject and only aims to make an exposition as educational as possible.

Some background

As organizations have matured and cybersecurity has become more and more important, different methodologies and approaches have been developed.

Several years ago (and unfortunately also in some organizations today) cybersecurity was reduced to hardening measures, and gradually detection and response technologies began to be appear.

[Read more…]

Is Windows SID registry important?

Within the Windows universe there are countless features and details that, given their magnitude and depth, could in turn make up multiple universes in which to wander, learn and, above all, get lost.

In today’s article we are going to take a break from Windows Security Identifiers, hoping to reveal (or remind) some of the possibilities it offers us. First, a bit of theory.

What is the SID? The SID (Security Identifier), briefly explained, is the equivalent of our National ID Card. That is, Windows generates a unique and unalterable SID for each of its entities. An entity is understood as everything that can be authenticated by the Operating System (users, groups, processes, etc.). Ultimately, thanks to this mechanism, the domain user Paco will forever have his own identifier, as will the group of Domain Administrators.

[Read more…]