Embrace The Red
wunderwuzzi's blog
OUT NOW: Cybersecurity Attacks - Red Team Strategies
Home
Subscribe
Posts
Dec 23 2024
Trust No AI: Prompt Injection Along the CIA Security Triad Paper
Dec 16 2024
Security ProbLLMs in xAI's Grok: A Deep Dive
Dec 06 2024
Terminal DiLLMa: LLM-powered Apps Can Hijack Your Terminal Via Prompt Injection
Nov 29 2024
DeepSeek AI: From Prompt Injection To Account Takeover
Oct 24 2024
ZombAIs: From Prompt Injection to C2 with Claude Computer Use
Sep 20 2024
Spyware Injection Into Your ChatGPT's Long-Term Memory (SpAIware)
Aug 26 2024
Microsoft Copilot: From Prompt Injection to Exfiltration of Personal Information
Aug 21 2024
Google AI Studio: LLM-Powered Data Exfiltration Hits Again! Quickly Fixed.
Jul 30 2024
Protect Your Copilots: Preventing Data Leaks in Copilot Studio
Jul 24 2024
Google Colab AI: Data Leakage Through Image Rendering Fixed. Some Risks Remain.
Jul 22 2024
Breaking Instruction Hierarchy in OpenAI's gpt-4o-mini
Jul 08 2024
Sorry, ChatGPT Is Under Maintenance: Persistent Denial of Service through Prompt Injection and Memory Attacks
Jun 14 2024
GitHub Copilot Chat: From Prompt Injection to Data Exfiltration
May 28 2024
Automatic Tool Invocation when Browsing with ChatGPT - Threats and Mitigations
May 22 2024
ChatGPT: Hacking Memories with Prompt Injection
May 18 2024
Machine Learning Attack Series: Backdooring Keras Models and How to Detect It
May 16 2024
Pivot to the Clouds: Cookie Theft in 2024
Apr 15 2024
Bobby Tables but with LLM Apps - Google NotebookLM Data Exfiltration
Apr 13 2024
HackSpaceCon 2024: Short Trip Report, Slides and Rocket Launch
Apr 07 2024
Google AI Studio Data Exfiltration via Prompt Injection - Possible Regression and Fix
Apr 02 2024
The dangers of AI agents unfurling hyperlinks and what to do about it
Mar 04 2024
ASCII Smuggler - Improvements
Mar 02 2024
Who Am I? Conditional Prompt Injection Attacks with Microsoft Copilot
Feb 22 2024
Google Gemini: Planting Instructions For Delayed Automatic Tool Invocation
Feb 14 2024
ChatGPT: Lack of Isolation between Code Interpreter sessions of GPTs
Feb 12 2024
Video: ASCII Smuggling and Hidden Prompt Instructions
Feb 08 2024
Hidden Prompt Injections with Anthropic Claude
Jan 28 2024
Exploring Google Bard's Data Visualization Feature (Code Interpreter)
Jan 18 2024
AWS Fixes Data Exfiltration Attack Angle in Amazon Q for Business
Jan 14 2024
ASCII Smuggler Tool: Crafting Invisible Text and Decoding Hidden Codes
Dec 30 2023
37th Chaos Communication Congress: New Important Instructions (Video + Slides)
Dec 20 2023
OpenAI Begins Tackling ChatGPT Data Leak Vulnerability
Dec 12 2023
Malicious ChatGPT Agents: How GPTs Can Quietly Grab Your Data (Demo)
Nov 28 2023
Ekoparty Talk - Prompt Injections in the Wild
Nov 03 2023
Hacking Google Bard - From Prompt Injection to Data Exfiltration
Oct 19 2023
Google Cloud Vertex AI - Data Exfiltration Vulnerability Fixed in Generative AI Studio
Sep 29 2023
Microsoft Fixes Data Exfiltration Vulnerability in Azure AI Playground
Sep 28 2023
Advanced Data Exfiltration Techniques with ChatGPT
Sep 18 2023
HITCON CMT 2023 - LLM Security Presentation and Trip Report
Sep 16 2023
LLM Apps: Don't Get Stuck in an Infinite Loop! 💵💰
Aug 28 2023
Video: Data Exfiltration Vulnerabilities in LLM apps (Bing Chat, ChatGPT, Claude)
Aug 01 2023
Anthropic Claude Data Exfiltration Vulnerability Fixed
Jul 24 2023
ChatGPT Custom Instructions: Persistent Data Exfiltration Demo
Jul 14 2023
Image to Prompt Injection with Google Bard
Jul 12 2023
Google Docs AI Features: Vulnerabilities and Risks
Jul 06 2023
OpenAI Removes the "Chat with Code" Plugin From Store
Jun 20 2023
Plugin Vulnerabilities: Visit a Website and Have Your Source Code Stolen
Jun 18 2023
Bing Chat: Data Exfiltration Exploit Explained
Jun 11 2023
Exploit ChatGPT and Enter the Matrix to Learn about AI Security
May 28 2023
ChatGPT Plugin Exploit Explained: From Prompt Injection to Accessing Private Data
May 16 2023
ChatGPT Plugins: Data Exfiltration via Images & Cross Plugin Request Forgery
May 14 2023
Indirect Prompt Injection via YouTube Transcripts
May 11 2023
Adversarial Prompting: Tutorial and Lab
May 10 2023
Video: Prompt Injections - An Introduction
Apr 27 2023
MLSecOps Podcast: AI Red Teaming and Threat Modeling Machine Learning Systems
Apr 15 2023
Don't blindly trust LLM responses. Threats to chatbots.
Mar 29 2023
AI Injections: Direct and Indirect Prompt Injections and Their Implications
Mar 26 2023
Bing Chat claims to have robbed a bank and it left no trace
Mar 05 2023
Yolo: Natural Language to Shell Commands with ChatGPT API
Jan 25 2023
Video Tutorial: Hijacking SSH Agent
Jan 04 2023
Decrypting TLS browser traffic with Wireshark
Dec 02 2022
ChatGPT: Imagine you are a database server
Nov 21 2022
Device Code Phishing Attacks
Nov 20 2022
Ropci deep-dive for Azure hackers
Oct 20 2022
PenTest Magazine Open Source Toolkit: ropci
Oct 20 2022
ROPC - So, you think you have MFA?
Oct 16 2022
TTP Diaries: SSH Agent Hijacking
Sep 18 2022
gospray - Simple LDAP bind-based password spray tool
Sep 09 2022
Malicious Python Packages and Code Execution via pip download
Aug 28 2022
Machine Learning Attack Series: Backdooring Pickle Files
Jul 10 2022
Offensive BPF: Using bpftrace to sniff PAM logon passwords
Jun 26 2022
Post Exploitation: Sniffing Logon Passwords with PAM
May 28 2022
Customized Hacker Shell Prompts
Apr 11 2022
GPT-3 and Phishing Attacks
Apr 03 2022
Grabbing and cracking macOS hashes
Mar 18 2022
Flipper Zero - Initial Thoughts
Mar 12 2022
AWS Scaled Command Bash Script - Run AWS commands for many profiles
Feb 28 2022
Gitlab Reconnaissance Introduction
Jan 04 2022
Log4Shell and Request Forgery Attacks
Nov 08 2021
Video: Anatomy of a compromise
Oct 20 2021
Offensive BPF: Understanding and using bpf_probe_write_user
Oct 14 2021
Offensive BPF: Sniffing Firefox traffic with bpftrace
Oct 12 2021
Video: Understanding Image Scaling Attacks
Oct 10 2021
Video: What is Tabnabbing?
Oct 09 2021
Offensive BPF: What's in the bpfcc-tools box?
Oct 07 2021
Offensive BPF: Detection Ideas
Oct 06 2021
Offensive BPF: Using bpftrace to host backdoors
Oct 05 2021
Offensive BPF: Malicious bpftrace 🤯
Sep 30 2021
Offensive BPF! Getting started.
Sep 06 2021
Video: Web Application Security Fundamentals
Aug 30 2021
Backdoor users on Linux with uid=0
Aug 16 2021
Using Microsoft Counterfit to create adversarial examples for Husky AI
Aug 09 2021
Using procdump on Linux to dump credentials
Jul 28 2021
The Silver Searcher - search through code and files quickly
Jul 05 2021
Automating Microsoft Office to Achieve Red Teaming Objectives
Jun 28 2021
Airtag hacks - scanning via browser, removing speaker and data exfiltration
Jun 09 2021
Somewhere today a company is breached
May 01 2021
Google's FLoC - Privacy Red Teaming Opportunities
Apr 18 2021
Spoofing credential dialogs on macOS, Linux and Windows
Mar 19 2021
Broken NFT standards
Mar 03 2021
Hong Kong InfoSec Summit 2021 Talk - The adversary will come to your house!
Feb 08 2021
An alternative perspective on the death of manual red teaming
Feb 04 2021
Cybersecurity Attacks - Red Team Strategies Kindle Edition for free
Feb 02 2021
Team A and Team B: Sunburst, Teardrop and Raindrop
Jan 22 2021
Survivorship Bias and Red Teaming
Jan 11 2021
Gamifying Security with Red Team Scores
Dec 08 2020
Actively protecting pen testers and pen testing assets
Nov 26 2020
Machine Learning Attack Series: Overview
Nov 25 2020
Machine Learning Attack Series: Generative Adversarial Networks (GANs)
Nov 24 2020
Assuming Bias and Responsible AI
Nov 23 2020
Abusing Application Layer Gateways (NAT Slipstreaming)
Nov 10 2020
Machine Learning Attack Series: Repudiation Threat and Auditing
Nov 05 2020
Video: Building and breaking a machine learning system
Oct 28 2020
Machine Learning Attack Series: Image Scaling Attacks
Oct 26 2020
Leveraging the Blue Team's Endpoint Agent as C2
Oct 22 2020
Machine Learning Attack Series: Adversarial Robustness Toolbox Basics
Oct 20 2020
Hacking neural networks - so we don't get stuck in the matrix
Oct 19 2020
What does an offensive security team actually do?
Oct 14 2020
CVE 2020-16977: VS Code Python Extension Remote Code Execution
Oct 10 2020
Machine Learning Attack Series: Stealing a model file
Oct 09 2020
Coming up: Grayhat Red Team Village talk about hacking a machine learning system
Sep 23 2020
Beware of the Shadowbunny - Using virtual machines to persist and evade detections
Sep 22 2020
Participating in the Microsoft Machine Learning Security Evasion Competition - Bypassing malware models by signing binaries
Sep 18 2020
Machine Learning Attack Series: Backdooring models
Sep 16 2020
Machine Learning Attack Series: Perturbations to misclassify existing images
Sep 13 2020
Machine Learning Attack Series: Smart brute forcing
Sep 09 2020
Machine Learning Attack Series: Brute forcing images to find incorrect predictions
Sep 06 2020
Threat modeling a machine learning system
Sep 05 2020
MLOps - Operationalizing the machine learning model
Sep 04 2020
Husky AI: Building a machine learning system
Sep 02 2020
The machine learning pipeline and attacks
Sep 01 2020
Getting the hang of machine learning
Aug 28 2020
Beware of the Shadowbunny! at BSides Singapore
Aug 24 2020
Race conditions when applying ACLs
Aug 12 2020
Red Teaming Telemetry Systems
Jul 31 2020
Illusion of Control: Capability Maturity Models and Red Teaming
Jul 24 2020
Motivated Intruder - Red Teaming for Privacy!
Jul 21 2020
Firefox - Debugger Client for Cookie Access
Jul 15 2020
Remotely debugging Firefox instances
Jul 14 2020
Performing port-proxying and port-forwarding on Windows
Jul 01 2020
Blast from the past: Cross Site Scripting on the AWS Console
Jun 30 2020
Feedspot ranked 'Embrace the Red' one of the top 15 pentest blogs
Jun 22 2020
Using built-in OS indexing features for credential hunting
Jun 18 2020
Shadowbunny article published in the PenTest Magazine
Jun 12 2020
Putting system owners in Security Bug Jail
Jun 10 2020
Red Teaming and Monte Carlo Simulations
May 24 2020
Phishing metrics - what to track?
May 13 2020
$3000 Bug Bounty Award from Mozilla for a successful targeted Credential Hunt
May 01 2020
Cookie Crimes and the new Microsoft Edge Browser
Apr 28 2020
Post-Exploitation: Abusing Chrome's debugging feature to observe and control browsing sessions remotely
Apr 26 2020
Hunting for credentials and building a credential type reference catalog
Apr 06 2020
Attack Graphs - How to create and present them
Apr 02 2020
Cybersecurity Attacks - Red Team Strategies has been released.
Feb 15 2020
2600 - The Hacker Quarterly - Pass the Cookie Article
Feb 12 2020
Web Application Security Principles Revisited
Feb 06 2020
Zero Trust and Disabling Remote Management Endpoints
Dec 02 2019
Book: Cybersecurity Attacks - Red Team Strategies
Oct 27 2019
MITRE ATT&CK Update for Cloud and cookies!
Sep 01 2019
Coinbase under attack and cookie theft
Aug 24 2019
Cybersecurity - Homefield Advantage
Aug 24 2019
Now using Hugo for the blog
Jul 03 2019
BashSpray - Simple Password Spray Bash Script
Jun 20 2019
Active Directory and MacOS
Jun 04 2019
Google Leaks Your Alternate Email Addresses to Unauthenticated Users
May 21 2019
Lyrebird - Hack the hacker (and take a picture)
Jan 10 2019
KoiPhish - The Beautiful Phishing Proxy
Jan 05 2019
McPivot and useful LLDB commands
Dec 16 2018
Pass the Cookie and Pivot to the Clouds