URL: https://www.cyberark.com/resources/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authenticati...
GOLDEN SAML: NEWLY DISCOVERED ATTACK TECHNIQUE FORGES AUTHENTICATION TO CLOUD
APPS

Shaked Reiner, 11/21/17
In this blog post, we introduce a new attack vector discovered by CyberArk Labs
and dubbed “golden SAML.” The vector enables an attacker to create a golden
SAML, which is basically a forged SAML “authentication object,” and authenticate
across every service that uses the SAML 2.0 protocol as an SSO mechanism.

In a golden SAML attack, attackers can gain access to any application that
supports SAML authentication (e.g. Azure, AWS, vSphere, etc.) with any
privileges they desire and be any user on the targeted application (even one
that is non-existent in the application in some cases).

We are releasing a new tool that implements this attack – shimit.

In a time when more and more enterprise infrastructure is ported to the cloud,
the Active Directory (AD) is no longer the highest authority for authenticating
and authorizing users. AD can now be part of something bigger – a federation.

A federation enables trust between different, otherwise unrelated environments,
like Microsoft AD, Azure, AWS and many others. This trust allows a user in an
AD, for example, to enjoy SSO benefits across all the trusted environments in
the federation. Once a federation is in place, an attacker will no longer be
satisfied with dominating the victim’s domain controller.

The golden SAML name may remind you of another notorious attack known as golden
ticket, which was introduced by Benjamin Delpy, who is known for his famous
attack tool called Mimikatz. The resemblance in name is intended, since the
nature of the attack is rather similar. Golden SAML introduces to a federation
the advantages that golden ticket offers in a Kerberos environment – from
gaining any type of access to stealthily maintaining persistence.

SAML Explained

For those of you who aren’t familiar with the SAML 2.0 protocol, we’ll take a
minute to explain how it works.

The SAML protocol, or Security Assertion Markup Language, is an open standard
for exchanging authentication and authorization data between parties, in
particular, between an identity provider and a service provider. Beyond what its
name suggests, SAML is each of the following:

 * An XML-based markup language (for assertions, etc.)
 * A set of XML-based protocol messages
 * A set of protocol message bindings
 * A set of profiles (utilizing all of the above)

The single most important use case that SAML addresses is web browser single
sign-on (SSO). [Wikipedia]

Let’s take a look at figure 1 in order to understand how this protocol works.



Figure 1 – SAML Authentication

 1. First, the user tries to access an application (also known as the SP, i.e.
    Service Provider), which might be an AWS console, vSphere web client, etc.
    Depending on the implementation, the client may go directly to the IdP
    first, and skip the first step in this diagram.
 2. The application then detects the IdP (i.e. Identity Provider, which could
    be AD FS, Okta, etc.) to authenticate the user, generates a SAML
    AuthnRequest and redirects the client to the IdP.
 3. The IdP authenticates the user, creates a SAMLResponse and posts it to the
    SP via the user.
 4. The SP checks the SAMLResponse and logs the user in. The SP must have a
    trust relationship with the IdP. The user can now use the service.

SAML Response Structure

For a golden SAML attack, the part that interests us the most is step 3, since
this is the part we are going to replicate as an attacker performing this kind
of attack. To be able to perform this correctly, let’s have a look at the
message that is sent in this step – the SAMLResponse. The SAMLResponse object
is what the IdP sends to the SP, and this is the data that makes the SP
identify and authenticate the user (similar to a TGT generated by a KDC in
Kerberos). The general structure of a SAMLResponse in SAML 2.0 is as follows
(written in purple are all the dynamic parameters of the structure):





Depending on the specific IdP implementation, the response assertion may be
either signed or encrypted by the private key of the IdP. This way, the SP can
verify that the SAMLResponse was indeed created by the trusted IdP.

Similar to a golden ticket attack, if we have the key that signs the object
which holds the user’s identity and permissions (KRBTGT for golden ticket and
token-signing private key for golden SAML), we can then forge such an
“authentication object” (TGT or SAMLResponse) and impersonate any user to gain
unauthorized access to the SP. Roger Grimes defined a golden ticket attack back
in 2014 not as a Kerberos tickets forging attack, but as a Kerberos Key
Distribution Center (KDC) forging attack. Likewise, a golden SAML attack can
also be defined as an IdP forging attack.

In this attack, an attacker can control every aspect of the SAMLResponse object
(e.g. username, permission set, validity period and more). In addition, golden
SAMLs have the following advantages:

 * They can be generated from practically anywhere. You don’t need to be a part
   of a domain, federation or any other environment you’re dealing with
 * They are effective even when 2FA is enabled
 * The token-signing private key is not renewed automatically
 * Changing a user’s password won’t affect the generated SAML

AWS + AD FS + Golden SAML = ♥ (case study)

Let’s say you are an attacker. You have compromised your target’s domain, and
you are now trying to figure out how to continue your hunt for the final goal.
What’s next? One option that is now available for you is using a golden SAML to
further compromise assets of your target.

Active Directory Federation Services (AD FS) is a Microsoft standards-based
domain service that allows the secure sharing of identity information between
trusted business partners (federation). It is basically a service in a domain
that provides domain user identities to other service providers within a
federation.

Assuming AWS trusts the domain which you’ve compromised (in a federation), you
can then take advantage of this attack and gain practically any permissions in
the cloud environment. To perform this attack, you’ll need the private key that
signs the SAML objects (similar to the need for the KRBTGT in a golden
ticket). For this private key, you don’t need domain admin access; you’ll only
need the AD FS user account.

Here’s a list of the requirements for performing a golden SAML attack:

 * Token-signing private key
 * IdP public certificate
 * IdP name
 * Role name (role to assume)
 * Domain\username
 * Role session name in AWS
 * Amazon account ID

The mandatory requirements are highlighted in purple. For the other
non-mandatory fields, you can enter whatever you like.

How do you get these requirements? For the private key you’ll need access to the
AD FS account, and from its personal store you’ll need to export the private key
(export can be done with tools like mimikatz). For the other requirements you
can import the PowerShell snap-in Microsoft.Adfs.Powershell and use it as
follows (you have to be running as the AD FS user):

ADFS Public Certificate



IdP Name



Role Name



Once we have what we need, we can jump straight into the attack. First, let’s
check if we have any valid AWS credentials on our machine.



Unsurprisingly, we have no credentials, but that’s about to change. Now, let’s
use shimit to generate and sign a SAMLResponse.



The operation of the tool is as follows:



Figure 2 – Golden SAML with shimit.py

 1. Generate an assertion matching the parameters provided by the user. In
    this example, we provided the username, Amazon account ID and the desired
    roles (the first one will be assumed).
 2. Sign the assertion with the private key file, also specified by the user.
 3. Open a connection to the SP, then call a specific AWS API,
    AssumeRoleWithSAML.
 4. Get an access key and a session token from AWS STS (the service that
    supplies temporary credentials for federated users).
 5. Apply this session to the command line environment (using aws-cli
    environment variables) for the user to use with the AWS CLI.

Performing a golden SAML attack in this environment has a limitation. Even
though we can generate a SAMLResponse that will be valid for any time period we
choose (using the –SamlValidity flag), AWS specifically checks whether the
response was generated more than five minutes ago, and if so, it won’t
authenticate the user. This check is performed on the server, on top of the
normal test that verifies that the response is not expired.
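The two service-provider checks described above, as an added example that is not code from the original post, from AWS or from shimit: it applies an issuance-age limit and the normal validity-window test to a constructed, unsigned SAMLResponse skeleton. Reading the age from the Response's IssueInstant, the 30-second clock skew and all sample values are assumptions; signature verification is out of scope here.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
MAX_AGE = timedelta(minutes=5)      # issuance-age window described in the post
CLOCK_SKEW = timedelta(seconds=30)  # assumed tolerance, not from the post

# Constructed, unsigned skeleton holding only the timing fields of a SAMLResponse.
TEMPLATE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="{issued}">
  <saml:Assertion ID="_constructed_a" Version="2.0" IssueInstant="{issued}">
    <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_after}"/>
  </saml:Assertion>
</samlp:Response>"""


def parse_instant(value):
    """Parse a UTC xs:dateTime such as 2017-11-21T10:08:00Z (fractions dropped)."""
    base = value.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def timing_failures(xml_text, now):
    """Return the timing checks a SAMLResponse fails (empty list means it passes)."""
    root = ET.fromstring(xml_text)
    issued_raw = root.get("IssueInstant")
    if issued_raw is None:
        return ["missing IssueInstant"]
    failures = []
    issued = parse_instant(issued_raw)
    # Check 1: how long ago the response was generated, independent of validity.
    if issued - now > CLOCK_SKEW:
        failures.append("issued in the future")
    elif now - issued > MAX_AGE:
        failures.append("stale: issued more than five minutes ago")
    # Check 2: the normal NotBefore / NotOnOrAfter validity window.
    cond = root.find("saml:Assertion/saml:Conditions", NS)
    if cond is None or cond.get("NotOnOrAfter") is None:
        failures.append("missing validity window")
        return failures
    not_before = cond.get("NotBefore")
    if not_before and now + CLOCK_SKEW < parse_instant(not_before):
        failures.append("not yet valid")
    if now >= parse_instant(cond.get("NotOnOrAfter")):
        failures.append("expired")
    return failures


# Constructed samples, evaluated at a fixed "now" so the result is reproducible.
NOW = datetime(2017, 11, 21, 10, 10, 0, tzinfo=timezone.utc)
FRESH = TEMPLATE.format(issued="2017-11-21T10:08:00Z",
                        not_before="2017-11-21T10:08:00Z",
                        not_after="2017-11-21T11:08:00Z")
# Long validity window, but generated ten minutes ago: fails check 1 only.
STALE_LONG_VALIDITY = TEMPLATE.format(issued="2017-11-21T10:00:00Z",
                                      not_before="2017-11-21T10:00:00Z",
                                      not_after="2017-11-28T10:00:00Z")
EXPIRED = TEMPLATE.format(issued="2017-11-21T10:08:00Z",
                          not_before="2017-11-21T10:08:00Z",
                          not_after="2017-11-21T10:09:00Z")

if __name__ == "__main__":
    for name, doc in [("fresh", FRESH), ("stale", STALE_LONG_VALIDITY),
                      ("expired", EXPIRED)]:
        print(name, timing_failures(doc, NOW))
```

Both checks only bound how long a response stays usable; a response signed with a stolen key and generated moments ago passes them.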

Summary

This attack doesn’t rely on a vulnerability in SAML 2.0. It’s not a
vulnerability in AWS/ADFS, nor in any other service or identity provider.

Golden ticket is not treated as a vulnerability because an attacker has to have
domain admin access in order to perform it. That’s why it’s not being addressed
by the appropriate vendors. The fact of the matter is, attackers are still able
to gain this type of access (domain admin), and they are still using golden
tickets to stealthily maintain persistence, even for years, in their target’s
domain.

Golden SAML is rather similar. It’s not a vulnerability per se, but it gives
attackers the ability to gain unauthorized access to any service in a federation
(assuming it uses SAML, of course) with any privileges and to stay persistent in
this environment in a stealthy manner.

As for the defenders, we know that if this attack is performed correctly, it
will be extremely difficult to detect in your network. Moreover, according to
the ‘assume breach’ paradigm, attackers will probably target the most valuable
assets in the organization (DC, AD FS or any other IdP). That’s why we recommend
better monitoring and managing access for the AD FS account (for the environment
mentioned here), and if possible, auto-rollover the signing private key
periodically, making it difficult for the attackers.
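One monitoring approach that follows from the point that a golden SAML is generated without the IdP, shown as an added example that is not from the original post or any CyberArk tool: flag service-provider SAML logins that have no matching token issuance in the IdP's audit log. The record layouts are assumptions: the SP events are simplified CloudTrail-shaped records, the IdP events use a hypothetical normalised format, and all values are constructed.

```python
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=5)  # max gap between IdP issuance and SP login
SKEW = timedelta(seconds=30)   # assumed clock difference between the two logs


def parse_time(value):
    """Parse a UTC timestamp such as 2017-11-21T10:00:30Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def unmatched_sp_logins(sp_events, idp_events):
    """Return (time, user, role) for SP SAML logins with no IdP issuance behind them."""
    # Index IdP issuance times per user (case-insensitive user match is assumed).
    issued = {}
    for ev in idp_events:
        issued.setdefault(ev["user"].lower(), []).append(parse_time(ev["time"]))
    for times in issued.values():
        times.sort()

    suspects = []
    logins = [e for e in sp_events if e.get("eventName") == "AssumeRoleWithSAML"]
    for ev in sorted(logins, key=lambda e: parse_time(e["eventTime"])):
        when = parse_time(ev["eventTime"])
        user = ev["userIdentity"]["userName"]
        candidates = issued.get(user.lower(), [])
        match = next((t for t in candidates
                      if when - WINDOW <= t <= when + SKEW), None)
        if match is not None:
            # Consume the issuance so one IdP event cannot explain two logins.
            candidates.remove(match)
        else:
            suspects.append((ev["eventTime"], user,
                             ev["requestParameters"]["roleArn"]))
    return suspects


# Constructed sample data (account ID and role names are placeholders).
IDP_EVENTS = [
    {"time": "2017-11-21T10:00:10Z", "user": "Alice", "relying_party": "aws"},
]
SP_EVENTS = [
    {"eventTime": "2017-11-21T10:00:30Z", "eventName": "AssumeRoleWithSAML",
     "userIdentity": {"userName": "alice"},
     "requestParameters": {"roleArn": "arn:aws:iam::111122223333:role/ADFS-Dev"}},
    {"eventTime": "2017-11-21T10:02:00Z", "eventName": "AssumeRoleWithSAML",
     "userIdentity": {"userName": "alice"},
     "requestParameters": {"roleArn": "arn:aws:iam::111122223333:role/ADFS-Dev"}},
    {"eventTime": "2017-11-21T10:05:00Z", "eventName": "AssumeRoleWithSAML",
     "userIdentity": {"userName": "bob"},
     "requestParameters": {"roleArn": "arn:aws:iam::111122223333:role/ADFS-Admin"}},
    {"eventTime": "2017-11-21T10:06:00Z", "eventName": "GetCallerIdentity",
     "userIdentity": {"userName": "bob"}, "requestParameters": {}},
]

if __name__ == "__main__":
    for suspect in unmatched_sp_logins(SP_EVENTS, IDP_EVENTS):
        print("no IdP issuance for:", suspect)
```

The result is only as reliable as the IdP audit log's completeness and the clock alignment between the two sources, so unmatched logins are leads for investigation rather than proof of forgery.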

In addition, implementing an endpoint security solution, focused around
privilege management, like CyberArk’s Endpoint Privilege Manager, will be
extremely beneficial in blocking attackers from getting their hands on important
assets like the token-signing certificate in the first place.


 
