by Süleyman Özarslan, PhD

On the 11th of August 2020, Microsoft released a security update[1], CVE-2020-1472 | Netlogon Elevation of Privilege Vulnerability, for a critical vulnerability within the Netlogon Remote Protocol (MS-NRPC)[2] in Windows Server operating systems, namely Windows Server 2008 R2, 2012, 2012 R2, 2016, and 2019. Since the exploit payload includes a string of zeros, the vulnerability is also known as “Zerologon”.

An attacker who successfully exploits the vulnerability could elevate their privileges to domain administrator and compromise the domain controller. Accordingly, this vulnerability has a “10.0 CRITICAL” CVSS 3.0 base score[3]. Note that only 3% of vulnerabilities last…


by Süleyman Özarslan, PhD

A scheduled task is a command, program or script to be executed at:

  • a particular time in the future (e.g. 11/08/2022 1:00 a.m.)
  • regular intervals (e.g. every Monday at 1:00 a.m.)
  • the moment a defined event occurs (e.g. a user logs on to the system).

Legitimate users like system administrators use scheduled tasks to create and run operational tasks automatically. Adversaries also use task scheduling utilities of operating systems to execute malicious payloads on a defined schedule or at system startup to achieve persistence.


by Süleyman Özarslan, PhD

Picus is dedicated to collaborating with its technology alliance partners and the cybersecurity community to build better cyber defenses against adversary attempts. Accordingly, we have a responsible disclosure policy for publishing vulnerabilities and bypass/evasion methods of security controls. We first notified the vendor, and after a grace period of 30 days, the new attack signature update was published.

Summary

We have discovered that the “rev” and “printf” commands, combined with the Bash shell’s command substitution feature, bypass certain attack signature checks of F5 Advanced WAF/ASM/NGINX App Protect products. …


by Süleyman Özarslan, PhD

In 2019, Picus Labs analyzed 48813 malware samples to determine the tactics, techniques, and procedures (TTPs) used by adversaries in these malicious files. Picus Labs categorized each observed TTP by utilizing the MITRE ATT&CK® framework. As a result of the present research, 445018 TTPs observed in the last year were mapped to ATT&CK to identify the top 10 most common techniques used by attackers. Our research has found that Scheduled Task was the seventh most prevalent ATT&CK technique used by adversaries in their malware.

A scheduled task is a command, program or script to be executed at a…


by Süleyman Özarslan, PhD

In 2019, Picus Labs analyzed 48813 malware samples to determine the tactics, techniques, and procedures (TTPs) used by adversaries in these malicious files. Picus Labs categorized each observed TTP by utilizing the MITRE ATT&CK® framework. As a result of the present research, 445018 TTPs observed in the last year were mapped to ATT&CK to identify the top 10 most common techniques used by attackers. Our research has found that Scripting was the sixth most prevalent ATT&CK technique used by adversaries in their malware.

Red and Blue Team Exercises

Red Teaming — How to simulate?

In this exercise, we explain a real VBA code that was used by Emotet malware. …


by Süleyman Özarslan, PhD

In 2019, Picus Labs analyzed 48813 malware samples to determine the tactics, techniques, and procedures (TTPs) used by adversaries in these malicious files. Picus Labs categorized each observed TTP by utilizing the MITRE ATT&CK® framework. As a result of the present research, 445018 TTPs observed in the last year were mapped to ATT&CK to identify the top 10 most common techniques used by attackers. Our research has found that Scripting was the sixth most prevalent ATT&CK technique used by adversaries in their malware.

A script is a set of instructions written in a scripting language such as AppleScript, PowerShell, Python…


by Süleyman Özarslan, PhD

In 2019, Picus Labs analyzed 48813 malware samples to determine the tactics, techniques, and procedures (TTPs) used by adversaries in these malicious files. Picus Labs categorized each observed TTP by utilizing the MITRE ATT&CK® framework. As a result of the present research, 445018 TTPs observed in the last year were mapped to ATT&CK to identify the top 10 most common techniques used by attackers. Our research has found that Command Line Interface was the fifth most prevalent ATT&CK technique used by adversaries in their malware.

A Command-Line Interface (CLI) offers a way of interacting with local or remote computer…


by Armagan Zaloglu

In our recent blog, What is security testing and why is it important?, we talked about how security testing is one of the single most important jobs an effective security department can do.

Without it, security leaders have no way to make informed and pragmatic decisions about the areas of investment they need to prioritize — and no basis on which to make the argument for a bigger security budget.

However, while it’s uncommon nowadays to find a business without some form of security testing program in place, different organizations tend to be at very different levels…


by Süleyman Özarslan, PhD

In 2019, Picus Labs analyzed 48813 malware samples to determine the tactics, techniques, and procedures (TTPs) used by adversaries in these malicious files. Picus Labs categorized each observed TTP by utilizing the MITRE ATT&CK® framework. As a result of the present research, 445018 TTPs observed in the last year were mapped to ATT&CK to identify the top 10 most common techniques used by attackers. Our research has found that Masquerading was the fourth most prevalent ATT&CK technique used by adversaries in their malware.

As a defense evasion technique, adversaries disguise the features of their malicious artifacts as legitimate and…


by Armagan Zaloglu

Security testing isn’t just a nice-to-have — it should be the north star of effective security leadership. Your security validation program should be able to tell you, in real time, whether your security controls would stand up against the most advanced current threats, whether your current investments are driving ROI, and where you need to steer the business next.

That’s a lot of pressure, considering the rate at which new attack techniques and tactics are emerging, which is why the security validation market is evolving fast. A wide and diverse array of security testing methods is in…

Picus Security Inc.

Breach & Attack Simulation technologies | Continuous Validation | Cool Vendor of Gartner
