Prioritize, Keep Pace, Prevail.

RESEARCH

Our research and development program sets industry standards in cyber security

At Dionach we are proud of our well-established research and development program. Our team of consultants are focused on continually uncovering new technical vulnerabilities in software and hardware, raising the bar in security assessment services and sharing our knowledge through whitepapers and various industry channels.

Through the responsible disclosure process we have published numerous vulnerabilities in leading software applications that our team has identified.

As part of our commitment to remaining vendor independent and offering the best technical solution to each client engagement, we also develop proprietary security tools for testing methods including vulnerability scanning, spear phishing and security auditing. In practice, our consultants have a wide range of commercial, open-source and custom tools at their disposal to deliver industry-leading outcomes for our client base.

Some of our custom tools are published as open source on Dionach’s GitHub page: https://github.com/Dionach.

TECHNICAL BLOG

ShareAudit – The File Share Auditing Tool

ShareAudit – The File Share Auditing Tool

In the previous blog post, we have discussed the steps in identifying sensitive information in file shares, as well as file servers with inappropriate access controls configured. It was aimed to provide organisations with a guide on how to perform internal file share audits. Dionach have now released a tool, ShareAudit, to further improve the process of performing these audits. The tool is now publicly available on GitHub.

Read More »
mitigate_social_engineering_risks

Mitigating Social Engineering Risks

Social engineering is the process of manipulating people through various channels such as phishing, phone calls and physical instrustions. This post provides a walkthough of an example attack using emails and phone calls, and what organisations can do to reduce the risk of these kind of social engineering attacks.

Read More »
Printer Server Bug to Domain Administrator

Printer Server Bug to Domain Administrator

During a recent internal network penetration testing engagement, a number of common attack paths were unavailable as a number of security mechanisms were implemented such as the Local Administrator Password Solution (LAPS) and the prevention of logged on credentials from being cached in memory. Additionally, the estate had a relatively

Read More »
The Security of Voice-Activated Technology

The Security of Voice-Activated Technology

Adoption of voice-activated technology has accelerated in recent years. Voice-controlled functionality on smartphones and voice-controlled devices for home use, such as Amazon Echo and Google Home, have become widespread. Voice control is also being implemented in many other areas, including banking, healthcare and office environments. US bank Capital One, for

Read More »
Minimising the Risks of Using Flash

Minimising the Risks of Using Flash

Flash is well-known to people within the cyber security industry to have a long history of security vulnerabilities as well as functionality flaws. However, it is impossible to completely uninstall Flash, as the plugin has been integrated in both Internet Explorer and Microsoft Edge, which are core applications that come with Windows builds. Therefore, the purpose of this blog post is to provide possible solutions for organisations to minimize the risks of having Flash.

Read More »
Compromising Jira Externally to Get Internal Network Access

Compromising Jira Externally to Get Internal Network Access

In a recent external network engagement, which had a fairly large number of external services, I found a Jira login page available on the client’s external network. The login page belonged to a Jira Software service, an issue-tracking system used in project management and software development. https://jira.example.com The Jira Software

Read More »
From Internal Web Application To Domain Admin

From Internal Web Application To Domain Admin

In a recent internal network penetration test I found a slightly less conventional route to get domain administrator privileges. This type of attack is certainly not new but it shows how thinking-out of the box takes a crucial part when comes to penetration testing. The client that I was facing

Read More »
Minimising the risk of using Java

Minimising the risk of using Java

Much as they may wish to do otherwise, organisations may need to install the Java Runtime Environment (JRE) so users have the Java Plugin they need for required web-sites, and/or run installed Java applications provided as JAR files. However, the vulnerabilities of JRE are well known and documented, as shown

Read More »