Ollie Whitehouse

Tales of Windows detection opportunities for an implant framework

Slides from a fifteen-minute lightning talk on detection opportunities for implant framework behaviour on Windows.

Detecting anomalous Vectored Exception Handlers on Windows

We have documented a method of enumerating which processes on Windows are using Vectored Exception Handling and which, if any, of the registered handlers are anomalous.

Deception Engineering: exploring the use of Windows Installer Packages against first stage payloads

We prototyped a Windows Installer Package Canary to help detect certain first-stage tradecraft, with the ultimate goal of alerting on threat actors who target security products through uninstallation.

Deception Engineering: exploring the use of Windows Service Canaries against ransomware

We prototyped a Windows Service Canary to help detect and respond to certain pre-ransomware tradecraft, with the ultimate goal of alerting early and minimizing the impact of ransomware deployments.

Building an RDP Credential Catcher for Threat Intelligence

We wanted to build a mechanism to capture all the passwords used (successful or not) against RDP, to ascertain potential sources of credential theft and whether they are organisation-specific. This post provides the background on an approach and the steps to build such a system.

Tool – Windows Executable Memory Page Delta Reporter

One true constant (until someone schools me) is that threat actors need executable memory of some kind to operate from for their endpoint implant, even if only fleetingly. Given this, we've released an open source Microsoft Windows service that aims to facilitate detection of anomalous executable memory.

Understanding the root cause of F5 Networks K52145254: TMUI RCE vulnerability CVE-2020-5902

CVE-2020-5902 was disclosed on July 1st, 2020 by F5 Networks in K52145254 as a CVSS 10.0 remote code execution vulnerability in the Big-IP administrative interface. This blog looks at the root causes of both the exploit paths discovered which boil down to subtle configuration issues and differences in behavior between…

July 12, 2020

6 mins read

Experiments in Extending Thinkst Canary – Part 1

The Thinkst Canary is best described as a digital tripwire for physical and virtual environments. It sits there waiting for a threat actor to tip you off that they are mooching around your environment. What is less appreciated, however, is that it is extensible with custom user modules. This post is the…

Paper: Thematic for Success in Real-World Offensive Cyber Operations – How to make threat actors work harder and fail more often

tl;dr Today we’ve released a whitepaper on the key techniques that continue to enable us to breach the largest and most sophisticated organisations on the planet. Organisations that prioritize these areas, and the mitigations we outline, will thwart attacks while making threat actors work harder and ultimately fail more often.…

IETF Draft: Indicators of Compromise and Their Role in Attack and Defen[c|s]e

Earlier last month saw the publication of an IETF draft that NCC Group co-wrote with the UK's National Cyber Security Centre, titled 'Indicators of Compromise (IoCs) and Their Role in Attack Defence'.

Tool Release – ScoutSuite 5.8.0

Quick note to say we’ve released ScoutSuite 5.8.0 on GitHub with the following features: improved support for AWS (added support for KMS; added basic support for Secrets Manager; simplified evaluation of IAM policies in multiple rules); improved support for Azure (added support for App Service Web Apps; added support for…

March 28, 2020

1 min read

Padding the struct: How a compiler optimization can disclose stack memory

Originally written by Jack Leadford. Introduction: In their eternal quest for more performance, compilers like GCC perform clever optimizations behind the scenes to make your code faster, among other optimization classes. One example of this is adding padding to struct objects so that accessing their members is memory-aligned and…

October 30, 2019

13 mins read

EternalGlue part one: Rebuilding NotPetya to assess real-world resilience

Tl;dr – we were engaged by a client back in June 2017 to rebuild NotPetya from scratch. However, instead of the data destruction payload, they asked for telemetry and safeguards. Why? Because they wanted to measure what the impact of NotPetya would have been. Below, you’ll find part one of the…

Phishing Mitigations: Configuring Microsoft Exchange to Clearly Identify External Emails

Phishing: the simple and effective blended attack. Phishing is a common and yet highly successful technique used by adversaries and red teams alike to breach organisations. Phishing is successful because it is a blended attack, relying on end-users being convinced, tricked or otherwise persuaded into performing an action which…

January 4, 2016

4 mins read

SMACK, SKIP-TLS & FREAK SSL/TLS Vulnerabilities

Previous current event. This is a current event and as such this blog post is subject to change over the course of the next couple of days as we perform further supplementary research and analysis. 1.0: Initial version. 1.1: Revised to include further vulnerable software, an alpha signature and small clarifications.…

Intel® Software Guard Extensions (SGX): A Researcher’s Primer

tl;dr Intel SGX is a trusted execution environment which provides a reverse sandbox. It’s not yet available but those who have had access to the technology have shown some powerful applications in cloud use cases that on the face of it dramatically enhance security without the performance constraints of homomorphic…

January 5, 2015

12 mins read

Drupal Vulnerability

Current event – v1.1 of post. This is a current event and as such the blog post is subject to change over the course of a couple of days as we perform further supplementary research and analysis by NCC Group’s Cyber Defence Operations and Security Consulting divisions. v1.1 – updated…

Shellshock Bash Vulnerability

Current event – v1.2 of post. This is a current event and as such the blog post is subject to change over the course of the next few days as we perform further supplementary research and analysis by NCC Group’s Cyber Defence Operations and Security Consulting divisions. v1.2 – Link…

Writing Robust Yara Detection Rules for Heartbleed

This blog walks through the methodology and process of writing robust Yara rules to detect Heartbleed-vulnerable OpenSSL, whether statically linked or in shared libraries that omit version information. Although Yara is designed for pattern matching and is typically used by malware researchers, we’ll show how it can also be used to detect vulnerable binaries. One…

June 2, 2014

5 mins read

Heartbleed OpenSSL vulnerability

Previous current event – v1.8 of post. This was a current event and as such the blog post was subject to change over the course of a couple of days as we performed further supplementary research and analysis. 1.8: Update to include Bro detection and further analysis. This is likely…

Security of Things: An Implementer’s Guide to Cyber Security for Internet of Things Devices and Beyond

Introduction: We’ve seen a sharp rise in the last five years or so in the amount of security assurance and research activities we’re asked to undertake in the embedded system space. This has naturally led us to work increasingly with the Internet of Things (IoT) in a variety of different…

Introduction to Anti-Fuzzing: A Defence in Depth Aid

tl;dr Anti-Fuzzing is a set of concepts and techniques designed to slow down and frustrate threat actors looking to fuzz test software products, by deliberately misbehaving, misdirecting, misinforming and otherwise hindering their efforts. The goal is to drive down the return on investment seen in fuzzing today by virtue…

Non Obvious PE Parsers – The .NET runtime – Part 1

tl;dr The Windows program loader isn’t the only PE parser in Windows. The .NET runtime has its own, used for loading modules. We can find yesteryear's code for the implementation on the Internet, and it shows some interesting defensive properties. Examples include obvious defences against import, entry…

December 9, 2013

9 mins read

Windows DACLs & Why There Is Still Room for Interest

The tools. So I’ve been re-writing an old private tool in the glare of GitHub with a number of improvements, under the catchy moniker of the ‘Windows DACL Enum Project’. So far I’ve completed (the planned list for future tools is quite long, so I’ll spare you): process and thread permissions with…

November 4, 2013

2 mins read

Grepify – a Small Tool for Code Reviewers

A quick post to announce that NCC Group’s first tool has been pushed to our GitHub repo at https://github.com/nccgroup/. So what is Grepify? It’s basically a regex engine with a Windows GUI, with some shortcuts and pre-defined profiles to aid in security-focused code reviews. It’s not very clever, but for…

April 12, 2013

1 min read

Advice for security decision makers contemplating the value of Antivirus

Over the last 12 months there has been an increasing amount of analysis of the effectiveness of desktop antivirus and its ability to detect and stop the reality of targeted attacks (I refuse to use the APT banner). This critique has been covered in pieces such as: The death of…

January 28, 2013

2 mins read

The death of USB autorun and the rise of the USB keyboard

Back in 2010 Seth Fogie noted that certain car manufacturers were sending out USB devices. These USB devices presented themselves as keyboards in order to inject keystrokes into the computer to which they were attached. Why a keyboard? Well, in order to circumvent security controls designed to stop the automatic execution of…

January 11, 2013

2 mins read

How Microsoft Office knows a document came from the Internet and might be dangerous

By way of a bit of background, I had always been curious how Microsoft Office knew that a document came from the Internet and that it might be unsafe. This behaviour can be seen in modern versions of Microsoft Office when you see: So I went on a 10-minute…

December 19, 2012

2 mins read
