X.509 Certificate Smuggling: Executables Delivered via TLS Certificates

A new proof-of-concept highlights a novel technique for delivering executable payloads through X.509 TLS certificates. This approach avoids traditional delivery mechanisms entirely - no file downloads, no direct payload URLs.

How it works:
-> A binary executable is converted to a HEX string and embedded into a certificate extension (OID field).
-> During an HTTPS connection, the client extracts the HEX, decodes it, and executes it - potentially all in memory.
-> The certificate appears legitimate to most inspection tools, and no executable touches disk unless explicitly written.

Why this matters for red teams:
-> No file download means NGFWs and traditional proxies do not see a PE file being transferred.
-> The TLS handshake is used as the delivery channel, which blends into normal encrypted traffic.
-> The server hosting the certificate can appear fully legitimate, making traffic analysis difficult for defenders.
-> The payload can be executed directly from memory, reducing forensic artifacts.

Detection considerations:
-> The payload is still a PE file, with the MZ header intact.
-> Open-source detection tools like Suricata do not typically inspect OID fields in certificates, leaving a visibility gap.
-> The HEX payload can be further obfuscated or modified to avoid static detection.

This technique is a powerful example of abusing non-traditional channels for payload delivery. It underscores the need for deeper inspection of TLS metadata and certificate contents in both network and endpoint monitoring pipelines.

PoC: https://lnkd.in/dK4nDMmU

#infosec #cybersecurity #redteam #blueteam #malware

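The visibility gap called out under "Detection considerations" (tools not looking at what an extension value actually contains) can be closed on the defender side by scanning extension values rather than just extension OIDs. The following is an added example, not code from the linked PoC or from any inspection product: it walks a DER-encoded Extensions structure with a small standard-library TLV parser and flags any extension whose OID is outside a short allow-list of RFC 5280 extensions, whose value is oversized, or whose value (raw or hex-decoded) begins with the PE "MZ" signature. The sample Extensions blob, the private-arc OID 1.3.6.1.4.1.99999.1 and the 4096-byte size threshold are all constructed for this example; in a real pipeline the Extensions bytes would come from the certificate seen in the TLS handshake.

```python
"""Scan X.509 extension values for smuggled executables (added example).

Walks a DER-encoded Extensions SEQUENCE (the structure found inside a
TBSCertificate) with a minimal stdlib TLV parser and reports extensions
that are not in a small allow-list of well-known OIDs, are oversized, or
whose value (raw or hex-decoded) starts with the PE 'MZ' signature.
The sample blob, the private-arc OID 1.3.6.1.4.1.99999.1 and the size
threshold are constructed for this example.
"""
import binascii


def der_len(n: int) -> bytes:
    """DER length encoding (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + der_len(len(value)) + value


def der_oid(dotted: str) -> bytes:
    """Encode a dotted OID as a DER OBJECT IDENTIFIER TLV (used to build the sample)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der_tlv(0x06, bytes(out))


def decode_oid(body: bytes) -> str:
    """Decode the body of an OBJECT IDENTIFIER back to dotted form."""
    arcs = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the DER TLV starting at pos."""
    tag = buf[pos]
    ln = buf[pos + 1]
    pos += 2
    if ln & 0x80:                       # long-form length
        nbytes = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + ln], pos + ln


def iter_seq(body: bytes):
    """Yield (tag, value) for each element of a SEQUENCE body."""
    pos = 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        yield tag, val


# Well-known extensions a scanner normally expects (subset of RFC 5280).
KNOWN_OIDS = {
    "2.5.29.14": "subjectKeyIdentifier", "2.5.29.15": "keyUsage",
    "2.5.29.17": "subjectAltName", "2.5.29.19": "basicConstraints",
    "2.5.29.35": "authorityKeyIdentifier", "2.5.29.37": "extKeyUsage",
}


def looks_like_pe(value: bytes) -> bool:
    """True if the raw value, or its hex-decoded form, starts with 'MZ'."""
    if value.startswith(b"MZ"):
        return True
    try:
        return binascii.unhexlify(value.strip()).startswith(b"MZ")
    except (binascii.Error, ValueError):
        return False


def scan_extensions(extensions_der: bytes, size_threshold: int = 4096) -> list:
    """Return one finding per suspicious extension."""
    tag, body, _ = read_tlv(extensions_der, 0)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    findings = []
    for _tag, ext in iter_seq(body):
        fields = list(iter_seq(ext))        # extnID, [critical], extnValue
        oid = decode_oid(fields[0][1])
        value = fields[-1][1]               # extnValue OCTET STRING content
        reasons = []
        if oid not in KNOWN_OIDS:
            reasons.append("unknown extension OID")
        if len(value) > size_threshold:
            reasons.append(f"oversized value ({len(value)} bytes)")
        if looks_like_pe(value):
            reasons.append("value decodes to a PE (MZ) header")
        if reasons:
            findings.append({"oid": oid, "size": len(value), "reasons": reasons})
    return findings


# Constructed sample: a benign basicConstraints extension plus a private-arc
# extension whose OCTET STRING carries a hex-encoded fake PE stub.
FAKE_PE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 100
SAMPLE_EXTENSIONS = der_tlv(0x30,
    der_tlv(0x30, der_oid("2.5.29.19") + der_tlv(0x04, der_tlv(0x30, b"")))
    + der_tlv(0x30, der_oid("1.3.6.1.4.1.99999.1")
              + der_tlv(0x04, binascii.hexlify(FAKE_PE))))

if __name__ == "__main__":
    for finding in scan_extensions(SAMPLE_EXTENSIONS):
        print(finding)
```

The three checks are deliberately independent: an unknown OID alone is only a weak signal (private extensions are common), but a value that hex-decodes to an MZ header is a strong one regardless of OID, and the size threshold catches payloads that have been obfuscated beyond a simple hex encoding. Running the block prints the single finding for the private-arc extension and nothing for basicConstraints.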
🚨 CVE-2025-9074: Docker Desktop Engine API exposed on TCP allows full host/container control.

Impact: Privilege escalation: a container can call the privileged Engine API to manage containers/images and mount host drives.

Why this matters: Widely-used Docker Desktop exposes the Engine API via TCP, enabling full host/container control from a compromised container.

To receive alerts, go to https://www.sec-news.ai to subscribe.

#Cybersecurity #CVE #InfoSec #SecurityNews #CVE #Vulnerability #Docker #SecurityIssue

Just reviewed the Picus Security Blue Report 2025, and the findings are a wake-up call! 🚨 While we're making strides in some areas of cybersecurity, significant gaps persist.

➡️ Prevention effectiveness is down, data exfiltration defenses are alarmingly weak, and password cracking is on the rise.
➡️ The report highlights the critical need for continuous security validation, robust data loss prevention strategies, and stronger password hygiene.
➡️ It's not all bad news! macOS security has improved dramatically, and infrastructure hardening efforts are paying off.

💡 Key takeaway: Static defenses are no match for today's adaptive threats. We need to prioritize continuous threat exposure management (CTEM) and adversarial exposure validation (AEV).

What are your thoughts on the report's findings? How are you addressing these challenges in your organization?

#cybersecurity #bluereport #threatmanagement #securityvalidation https://lnkd.in/g5JaJstD

🔐 Weekly #SecurityAlert: [CRITICAL] CVE-2025-24893 — XWiki SolrSearch Macro Unauthenticated RCE

• What’s the issue? A flaw in the XWiki Platform allows unauthenticated remote code execution (RCE) via the SolrSearch macro. When the media=rss path renders user-controlled input as Groovy without sanitization, attackers can inject and execute arbitrary code.

• Is it exploitable? Yes. Public PoCs and exploit scripts are already available. A simple crafted request to /xwiki/bin/get/Main/SolrSearch?media=rss&text=... can let any unauthenticated guest run arbitrary code — fully compromising confidentiality, integrity, and availability of the instance.

• Should I ignore it? Absolutely not. Patch immediately:
→ Upgrade to XWiki-Platform 15.10.11 or 16.4.1 (or newer).
→ If upgrading is delayed:
– Edit Main.SolrSearchMacros to return application/xml via the rawResponse macro (blocks injection path).
– Restrict unauthenticated access to SolrSearch endpoints.
– Monitor logs for suspicious RSS-based requests.

📌 Learn more:
• How XWiki’s macro handling exposed Groovy execution
• Why unauthenticated RCE is high-risk for collaborative platforms
• Defensive monitoring for SolrSearch exploit attempts

🦎 Adapt to every threat, and stay safe!

#cybersecurity #infosec #rce
More on our website: https://lnkd.in/ezqjNjPj

Completed a hands-on lab on packet capture and analysis using tcpdump and Wireshark; a great reminder that visibility into network traffic is essential for both defenders and pen testers.

What I practiced today:
• Preparing the host and gathering network info (IP, MAC, gateway, DNS).
• Using tcpdump to capture traffic to a PCAP file for later analysis.
• Generating traffic from a browser, then stopping and saving captures for review.
• Opening PCAPs in Wireshark to analyze DNS lookups and identify domains frequently contacted by users.
• Inspecting HTTP sessions (when sites use HTTP, not HTTPS) to see cleartext form data, cookies, and session tokens.
• Capturing traffic on a specific interface (e.g., br-internal) and testing service discovery with TCP probes.

Why it matters: packet captures reveal what’s actually happening on the wire: DNS patterns that are useful for threat modeling, cleartext credentials that demand HTTPS, and protocol behaviors that indicate misconfiguration or exposure. These are the artifacts attackers use for reconnaissance, and the same artifacts defenders rely on to harden systems.

Ethical reminder: only capture and analyze traffic on networks and systems you own or have permission to test.

I attached a simple Wireshark cheat sheet based on my notes from the lab.

#NetworkSecurity #tcpdump #Wireshark #DFIR #Pentesting #CyberSecurity #HandsOnLearning

CloFix WAF Security Assessment: We just ran a full OWASP Top 10 Security Assessment on our WAF - Here’s the result:

✅ A01: Broken Access Control – All blocked
✅ A02: Cryptographic Failures – All blocked
✅ A03: Injection (SQLi, XSS, Command Injection, Path Traversal) – All blocked
✅ A04: Insecure Design – Blocked
✅ A05: Security Misconfiguration – Blocked
✅ A06: Vulnerable Components – Blocked
✅ A07: Authentication Failures – Blocked
✅ A08: Data Integrity Failures – Blocked
✅ A09: Logging & Monitoring Failures – Blocked
✅ A10: SSRF (Server-Side Request Forgery) – Blocked
✅ XXE Injection – Blocked

📊 Every single OWASP Top 10 vulnerability was detected & blocked in real-time by CloFix WAF.

🔎 This proves how CloFix WAF provides end-to-end protection against modern web threats, including:
- Broken Access Control attempts
- SQLi, XSS & Command Injections
- SSRF & XXE attacks
- Security misconfigurations
- Data integrity & authentication failures

📹 Here’s a short demo video of the assessment run in action.

#OWASP #CyberSecurity #WAF #AppSec #CloFix #DevSecOps #DevOps

Real-world Detection Breakdown: Suspicious IP Activity + Exploitation Attempt

As a SOC Analyst, I recently walked through a log correlation scenario that illustrates how layered visibility reveals serious threats.

Firewall Logs showed:
IP 198.51.100.72 was allowed HTTP access to our server on port 80.
A few seconds later, it attempted an SSH connection on port 22 — which was denied.

Web Server Logs confirmed:
A GET request trying to exploit a Local File Inclusion (LFI) vulnerability: /index.php?page=../../../../etc/passwd
A POST request to upload.php, potentially attempting to plant a malicious file (e.g., web shell).
Both returned HTTP 200 OK — meaning the server processed them.

Correlation: The short time between requests, use of the Nmap Scripting Engine, and a follow-up SSH attempt suggest an automated attack chain:
Recon → Exploit → Upload → Attempted Access

Severity: HIGH

This is a textbook example of why correlating firewall and application logs matters. A SIEM would easily link these based on source IP + timestamps, triggering an alert without needing to review logs manually.

Key takeaway: Even if an attack doesn’t fully succeed, early indicators (like successful LFI and upload attempts) can signal serious risk — especially if SSH or lateral movement follows.

Have you seen similar patterns in your logs? What tools or rules help you catch this early?

#CyberSecurity #SOCAnalyst #ThreatDetection #SIEM #IncidentResponse #InfoSec #BlueTeam #LogAnalysis #DFIR

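The correlation the post describes (firewall and web-server events linked by source IP and timestamps, then rated by which stages of the chain appear) can be written as a small rule. The block below is an added example, not code from the post or from any SIEM: the firewall lines use a constructed key=value layout and the web lines are Apache-style combined access-log lines, both written for this example, and 198.51.100.72 / 203.0.113.9 are documentation-range addresses. The 60-second window and the severity ladder are assumptions; only a source that shows Exploit, Upload and Attempted Access inside the window is rated HIGH, and a benign second client is included to show it is ignored.

```python
"""Correlate firewall and web-server events by source IP (added example).

Not from the post: the log lines below are constructed (a simple
key=value firewall format and Apache-style combined access log lines,
not a particular vendor's schema), and 198.51.100.72 / 203.0.113.9 are
documentation-range addresses. Events from both sources are grouped per
source IP, ordered by time, and the Recon -> Exploit -> Upload ->
Attempted Access chain is rated HIGH only when its stages land inside a
short window.
"""
import re
from datetime import datetime, timedelta, timezone

FIREWALL_LOG = """\
2025-09-01T10:00:01Z ALLOW src=198.51.100.72 dst=10.0.0.5 dport=80 proto=tcp
2025-09-01T10:00:09Z DENY src=198.51.100.72 dst=10.0.0.5 dport=22 proto=tcp
2025-09-01T10:05:00Z ALLOW src=203.0.113.9 dst=10.0.0.5 dport=80 proto=tcp
"""

WEB_LOG = """\
198.51.100.72 - - [01/Sep/2025:10:00:02 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 1834 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
198.51.100.72 - - [01/Sep/2025:10:00:04 +0000] "POST /upload.php HTTP/1.1" 200 57 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
203.0.113.9 - - [01/Sep/2025:10:05:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

FW_RE = re.compile(r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) dst=\S+ dport=(?P<dport>\d+)")
WEB_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
LFI_RE = re.compile(r"\.\./|/etc/passwd")


def parse_firewall(text: str) -> list:
    """(timestamp, src, tag, raw line) per firewall event, e.g. tag 'deny:22'."""
    events = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["src"], f"{m['action'].lower()}:{m['dport']}", line))
    return events


def parse_web(text: str) -> list:
    """One event per detection an access-log line matches (LFI, upload, scanner UA)."""
    events = []
    for line in text.splitlines():
        m = WEB_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ts = ts.astimezone(timezone.utc).replace(tzinfo=None)   # align with firewall (UTC, naive)
        tags = []
        if LFI_RE.search(m["path"]):
            tags.append("lfi")
        if m["method"] == "POST" and m["path"].split("?")[0].endswith("/upload.php"):
            tags.append("upload")
        if "nmap scripting engine" in m["ua"].lower():
            tags.append("nse-scanner")
        for tag in tags:
            events.append((ts, m["src"], f"{tag}:{m['status']}", line))
    return events


STAGES = [  # (tag prefix that proves the stage, stage name) in chain order
    ("nse-scanner:", "Recon"), ("lfi:200", "Exploit"),
    ("upload:200", "Upload"), ("deny:22", "Attempted Access"),
]


def correlate(fw_events: list, web_events: list, window=timedelta(seconds=60)) -> dict:
    """Per source IP: observed stages, time span and severity."""
    by_src = {}
    for ev in fw_events + web_events:
        by_src.setdefault(ev[1], []).append(ev)
    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e[0])
        tags = [e[2] for e in evs]
        stages = [name for prefix, name in STAGES if any(t.startswith(prefix) for t in tags)]
        if not stages:
            continue                        # nothing attack-like from this source
        span = evs[-1][0] - evs[0][0]
        if {"Exploit", "Upload", "Attempted Access"} <= set(stages) and span <= window:
            severity = "HIGH"
        elif "Exploit" in stages or "Upload" in stages:
            severity = "MEDIUM"             # early indicator, per the post's takeaway
        else:
            severity = "LOW"
        findings[src] = {"chain": " -> ".join(stages), "span_s": span.total_seconds(),
                         "severity": severity, "events": [e[3] for e in evs]}
    return findings


if __name__ == "__main__":
    for src, f in correlate(parse_firewall(FIREWALL_LOG), parse_web(WEB_LOG)).items():
        print(src, f["severity"], f["chain"], f"{f['span_s']:.0f}s")
```

Note that the "Exploit" stage keys on the HTTP 200 in the same way the post does: a 404 or 403 for the same path would still leave the source with a "Recon" stage but would not by itself raise severity above LOW.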
🚨 TCP Handshake Sanity Check 🚨

One of the simplest — yet most overlooked — detections in SOC work: handshake anomalies.
🔹 Too many SYNs with no ACKs?
🔹 Weird RST storms?
🔹 Handshakes breaking patterns?

This quick triage flow helps:
✅ Scope → compare SYN/SYN-ACK/ACK counts
✅ Noise Check → load-balancer/maintenance?
✅ Enrich → IP rep, geo, ASN
✅ Contain → rate-limit / ACL / WAF
✅ Document → pcap slice + dashboards
✅ Escalate → >15min or crown-jewel target

Small steps → faster triage, less burnout, higher confidence.

👉 I often share such practical playbooks.

#CyberSecurity #BlueTeam #SOC #IncidentResponse #SIEM

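The Scope and Noise Check steps of that flow are easy to automate once a pcap slice has been reduced to per-packet summaries. The block below is an added example, not code from the post: it takes a constructed list of (timestamp, src, dst, dst_port, flags) tuples using tcpdump-style flag letters (S, SA, A, R), counts SYN / SYN-ACK / ACK / RST per client against a constructed server address 10.0.0.5, and labels each source as half-open, RST storm, known prober (the Noise Check allow-list) or normal. The thresholds (20 SYNs, 20 RSTs) are assumptions, and counting a bare ACK as a completed handshake is a simplification a real implementation would replace with per-flow tracking.

```python
"""Handshake sanity check over packet summaries (added example).

Not from the post. Input is a constructed list of
(timestamp_s, src, dst, dst_port, flags) tuples, the shape you get from
summarising a pcap slice; flags use tcpdump-style letters (S=SYN, A=ACK,
R=RST, so "SA" is a SYN-ACK). This implements the Scope step: per client,
compare SYN / SYN-ACK / ACK counts and look for RST storms, with a
Noise Check allow-list for known probers such as a load balancer.
Simplification: a bare "A" from a client is counted as a completed
handshake; a real implementation would track per-flow state instead.
"""
from collections import defaultdict

SERVER = "10.0.0.5"            # host whose handshakes we are checking (constructed)

SAMPLE_PACKETS = []
for i in range(30):            # SYN flood: every SYN is answered, none is ACKed
    SAMPLE_PACKETS.append((1.0 + i * 0.01, "203.0.113.50", SERVER, 443, "S"))
    SAMPLE_PACKETS.append((1.0 + i * 0.01 + 0.0005, SERVER, "203.0.113.50", 40000 + i, "SA"))
SAMPLE_PACKETS += [            # one normal three-way handshake
    (2.000, "198.51.100.10", SERVER, 443, "S"),
    (2.001, SERVER, "198.51.100.10", 51515, "SA"),
    (2.002, "198.51.100.10", SERVER, 443, "A"),
]
SAMPLE_PACKETS += [(3.0 + i * 0.02, "192.0.2.7", SERVER, 443, "R") for i in range(25)]  # RST storm
SAMPLE_PACKETS += [(4.0 + i, "10.0.0.2", SERVER, 443, "S") for i in range(25)]          # health-checker (noise)


def handshake_counts(packets, server=SERVER):
    """Per-client counters: SYN sent, SYN-ACK received, ACK sent, RST sent, time span."""
    counts = defaultdict(lambda: {"syn": 0, "synack": 0, "ack": 0, "rst": 0,
                                  "first": None, "last": None})
    for ts, src, dst, _dport, flags in packets:
        if src == server:
            if flags == "SA":                     # server's reply belongs to the client
                counts[dst]["synack"] += 1
            continue
        c = counts[src]
        c["first"] = ts if c["first"] is None else min(c["first"], ts)
        c["last"] = ts if c["last"] is None else max(c["last"], ts)
        if flags == "S":
            c["syn"] += 1
        elif flags == "A":
            c["ack"] += 1
        elif "R" in flags:
            c["rst"] += 1
    return counts


def triage(packets, server=SERVER, min_syns=20, min_rsts=20, known_probers=frozenset()):
    """Label each client for the next triage steps (Enrich / Contain / Escalate)."""
    findings = []
    for src, c in handshake_counts(packets, server).items():
        if src in known_probers:
            verdict = "noise: known prober"
        elif c["syn"] >= min_syns and c["ack"] == 0:
            verdict = "half-open: SYNs never completed"
        elif c["rst"] >= min_rsts:
            verdict = "rst-storm"
        else:
            verdict = "normal"
        span = 0.0 if c["first"] is None else c["last"] - c["first"]
        findings.append({"src": src, "syn": c["syn"], "synack": c["synack"],
                         "ack": c["ack"], "rst": c["rst"],
                         "span_s": round(span, 3), "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_PACKETS, known_probers={"10.0.0.2"}):
        print(f"{f['src']:<15} SYN={f['syn']:<3} SYN-ACK={f['synack']:<3} "
              f"ACK={f['ack']:<3} RST={f['rst']:<3} {f['verdict']}")
```

Run without the known_probers allow-list, the health-checker at 10.0.0.2 is reported as half-open alongside the real flood, which is exactly the false positive the Noise Check step in the flow exists to remove before Enrich and Contain.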
The 99.9% MFA Protection Rate

Multi-factor authentication blocks 99.9% of automated attacks, yet only 57% of businesses have implemented MFA across all systems.

Authentication Security Stats:
Password attacks increased 74% year-over-year
MFA adoption grew 43% among enterprises
67% lack centralized identity management
Passwordless authentication surged 156%

Access Control Framework:
✓ Organization-wide MFA deployment
✓ Single sign-on integration
✓ Privileged access management
✓ Zero-trust architecture implementation

Organizations with comprehensive MFA report 67% fewer security incidents and 89% reduction in credential attacks.

Contact us at 833-41CYBER or www.unveilsg.com

#MultiFactorAuthentication #AccessControl #ZeroTrust #UnveilSecurityGroup
Sources: Microsoft Security Intelligence 2024; Google Security Research 2024

🔍 Today I learned how to enumerate HTTP & HTTPS — and why it matters

Spent time exploring the differences between HTTP and HTTPS and practical reconnaissance techniques for web assessment. Key focus areas: identifying exposed endpoints, inspecting headers & methods, analyzing TLS/SSL configuration, discovering virtual hosts, and mapping accessible directories and files.

Why this matters: even small misconfigurations in HTTP/HTTPS can expose sensitive info or increase attack surface — spotting them early is a huge win for security posture.

Top lessons I took away:
• Inspect, don’t assume — headers, redirects and response codes reveal a lot.
• TLS matters — certificate details and ciphers can hint at overlooked assets.
• Combine sources — passive data (cert transparency, public records) + active checks give better coverage.
• Validate manually — automation helps, but real understanding comes from careful review.

Would love to hear from the community: what signals do you watch first when enumerating web services? Share your favorite tools or quick tips below — I’ll compile the best ones into a follow-up thread. 👇

#CyberSecurity #Infosec #OSINT #Pentesting #WebSecurity #HTTPS #HTTP #TLS #Reconnaissance #BugBounty #Learning #SecurityTips

Secure-by-design—a CISA philosophy encouraging software manufacturers to design products in a way that minimizes security vulnerabilities—requires deft implementation. Here's the breakdown: #SecureByDesign