Skip to content
PwnDefend
  • Base
  • Comms Room
    • Customer Feedback
    • Company Information
    • Security Management
  • Services
    • Consulting Services
      • Enterprise Security Posture Assessment
      • Cyber Security Assurance & Security Testing Services
      • IT Security Healthchecks
      • Active Directory Assessment Services
      • Managed Remediation Services
    • Emergency Cyber Incident Response Support
    • Our Success Stories
    • Partner Services
  • Blog
  • Privacy
Image Defense

Infection Monkey Overview

Have you ever wanted to see what would occur in an environment if a worm was a make its way in? I often work with customers to show them about lateral movement from a human operated perspective however sometimes it’s useful for people to visualise this better and to demonstrate what could occur if a worm was set loose. A great tool to help with this is Infection Monkey from Guardicore (https://www.guardicore.com/

High Level View

The process steps are as follows:

  • Scope Exercise
  • Prepare Environment
  • Deploy Infection Monkey Server (Monkey Island)
    • Configure Server Credentials
  • Monkey Configuration
  • Release Monkey/s
  • Review
  • Report

Read more “Infection Monkey Overview” →

Defense

Windows 11 Privilege Escalation via UAC Bypass (GUI based)

Introduction

Ok these are a really simple UAC bypass from a userland GUI perspective. This is about increasing process integrity levels – it’s not about performing LPE from low integrity to high/SYSTEM with no interaction. These clearly work in older version of Windows as well but since Windows 11 will be the current version in the near future I thought it was fun to re-visit these!

And just to be clear, a medium integrity process as an administrator user will have the following privileges:

Text

Description automatically generated

What we are talking about here is to move to a high integrity process without knowing credentials or having the secure desktop launch. Read more “Windows 11 Privilege Escalation via UAC Bypass (GUI based)” →

Strategy

Cyber Strategy Magic

Strategic this, strategic that

People band strategy around like it’s some sort of mythical beast that requires no knowledge of the subject involved but is done by wizards and executives (it’s just done by people, but I digress) so I thought I’d talk about strategy development.

Now forewarning you might come out of this post thinking… there must be something else… something you are missing as Dan’s not showing any secret magic…. Often what is commonly lacking when looking at strategic execution is effective communication, consensus, and marathon like commitment to deliver on said goals and objectives. Why? Because that part is really, really, hard, if it wasn’t we’d all be sipping Bollinger in the Bahamas.

Know the business

If your first thoughts are to run to Sun Tzu or grab an ISO27001 document then you should probably pause, grab a tea, and take a breath. In my experience cyber security is:

  • Not a war
  • Does not require anything to do with the military
  • The answers are not simply in a book or standard document

People often think that a framework, guide, or standard will give them the answers. Sure, they are often useful tools to help, hell the domain of cyber is broad as hell and there’s so much to do and often so little time, so job aides and not re-inventing the wheel is a good thing, that doesn’t however just mean that with documents you will be in a good position. Read more “Cyber Strategy Magic” →

A picture containing text, electronics, monitor, indoor Description automatically generated Defense

Razer Privilege Escalation Vulnerability

“And I looked and behold a pale horse: and his name that sat on him was Death, and Hell followed with him.”

Firstly, Kudos to @j0nh4t for finding this!

I woke up this morning to see twitter fun with a LPE discovered in the Razer driver installation. Basically, when you plug a Razer mouse into a Windows machine, it will download (via windows update) and execute a process as system which has user interaction. This interface includes an install path selector, with this a right click + SHIFT (LULZ) on whitespace will allow you to launch a command prompt/PowerShell window (as SYSTEM).

A black shoe on a wood surface

Description automatically generated with medium confidence

A picture containing text, electronics, monitor, indoor

Description automatically generated Read more “Razer Privilege Escalation Vulnerability” →

Guides

Rapid Active Directory Security Testing of Windows Server 2022…

Introduction

Ever needed to test active directory in a hurry? Well, here’s some common commands to test active directory domain services. In this post today we are going to focus on DNS and username enumeration, there are however a range of weaknesses you want to look for:

  • SMB Null Session/Guest Access
  • LDAP Null Bind
  • Sensitive Information Disclosure
  • Weak Password Policies
  • Unpatched Software Vulnerabilities

Active Recon

Port Scanning and Service Fingerprinting

nmap -p- -sC -sV -Pn -v -A -oA ecorp.local.txt 192.168.1.22

Text

Description automatically generated

Text

Description automatically generated

Domain Name and Domain Controller Enumeation

Read more “Rapid Active Directory Security Testing of Windows Server 2022 and Kali Linux” →

Guides

Hacking Windows Server 2022

WIndows Server 2022 is RTM! I love new operating systems, but also with the new, what is old? There will be loads of new blogs and articles on new features of Server 2022 however I wanted to see what mischief we can have with it! So I’ve decided to start looking at common vectors and exploits (from the fun to the serious) so that we can see how much of the world has changed (or not!)

So let’s take a look. The first thing I did was to offline replace stickykeys with cmd.exe – yes this method still works. But as lots of people will realise, you neeed physical access to the disk (well you don’t if you have access to someone’s vcenter you don’t!) but also the reg key methods also work! We can still backdoor RDP – here’s a script to disable NLA, Enable RDP, configure the firewall rules and set the registry keys to backdoor the system (clearly for lab use only!)

https://github.com/mr-r3b00t/RDP_Backdoor

Read more “Hacking Windows Server 2022” →
Defense

Windows Remote Management 101

Windows Remote Management is easy if you are using a domain joined machine and have a CA. But what if you are off the domain and you want to connect to WINRM that has an HTTPS listener? (by default WINRM uses HTTP on TCP 5985, you can clearly chop out the TLS related configs in the example scripts and they will work for plain old WINRM)

This is useful from a sysadmin and penetration testing/red team perspective. Now obviously you could export the certificates and import them into your store, however that’s more work. So, let’s look at how we ignore revocation, CA name and Computer Name checks.

Text

Description automatically generated with medium confidence

WinRM via HTTPS (self-signed)

Read more “Windows Remote Management 101” →

Defense

Windows Security Fundamentals & LPE

Introduction

Recently I decided to do the Red Team Operator: Privilege Escalation in Windows Course by Sektor7 (thanks for the recommendation Justin!). I thought I’d write some notes but also create a quick blog covering some of the Windows fundamental areas. It’s easy to actually forget how this stuff is at a detailed level so figured it helps both myself and the world to share a snippet. I’m litterally listening to the course as I type this, I’ve just imported an OVA to vmware workstation so this is litterally live! (I’m 7 video modules in!)

There’s some key parts around Windows Security Architecture that is important to know, the course does cover this off at the start so I thought I’d share a tiny bit of my notes. Read more “Windows Security Fundamentals & LPE” →

Defense

Penetration Testing

Overview

Penetration testing is the activity of conducting security testing with the aim of identifying and exploiting vulnerabilities to identify strengths and weaknesses. I include strengths because I believe it’s important for security testing to promote both positive and negative findings. I also think that there is a huge mis conception with what penetration is, what it helps with and how to best get value from a penetration test.

My definition isn’t too far from the NCSC one: https://www.ncsc.gov.uk/information/check-penetration-testing

A penetration test is a security assurance activity, but it’s one of many activities that I recommend people conduct. This is however largely only adopted by the few, for many a penetration test is a compliance tick box, either from a regulatory or contractual requirement.

When looking at a system a penetration test is not usually the most efficient starting point, especially if it’s from a black box perspective. Read more “Penetration Testing” →

Guides

What do you need to be Cyber Leader?

Introduction

What does it take to be a cyber leader? How do we address a broad challenge we have in today’s business world?

There are a huge number of organisations whereby the leadership do not have domain expertise in cyber and related disciplines. There are decision makers who are having to best guess. On the other end of the spectrum, we have thousands and thousands of people trying to “break into cyber” yet they face largely insane entry requirements with the forementioned adding things to junior and entry level role which include:

  • Must have a CISSP (CISSP requires 5 years’ experience and is an Information Security certificate that is very broad and not very deep, it also covers a range of areas that in my opinion aren’t even required for many cyber security capabilities inside organisations)
  • Must have a Certified Ethical Hacker (this exam includes remember historic malware dates, is that really what we need from our leaders?)
  • Must have a very large level of experience of be from an existing cyber role

Read more “What do you need to be Cyber Leader?” →

Posts navigation

1 2

Recent Posts

  • Microsoft Outlook Elevation of Privilege Vulnerability (CVE-2023-23397)
  • The Long Game: Persistent Hash Theft
  • The Hacker on a Train
  • Adopting an Attacker Mindset to Defend Healthcare
  • Caught: A Hacker Adventure

Recent Comments

No comments to show.

Archives

  • March 2023
  • February 2023
  • January 2023
  • December 2022
  • November 2022
  • October 2022
  • September 2022
  • August 2022
  • July 2022
  • June 2022
  • May 2022
  • April 2022
  • March 2022
  • February 2022
  • January 2022
  • December 2021
  • November 2021
  • October 2021
  • September 2021
  • August 2021
  • July 2021
  • May 2021
  • April 2021
  • March 2021
  • February 2021
  • January 2021
  • December 2020
  • November 2020
  • October 2020
  • September 2020
  • August 2020
  • July 2020
  • March 2020
  • February 2020
  • January 2020
  • October 2019
  • May 2019
  • April 2019
  • March 2019
  • February 2019
  • January 2019
  • December 2018
  • October 2018
  • September 2018
  • August 2018
  • July 2018

Categories

  • Architecture
  • Breach
  • Company News
  • CTF
  • Defence
  • Defense
  • Education
  • Fiction
  • Getting into Cyber
  • Guides
  • Hacking
  • IOT
  • Leadership
  • News
  • OSINT
  • Reviews
  • Strategy
  • Threat Intel
  • Uncategorized
  • Vulnerabilities
Copyright (c) Xservus Limited