Defense
Only admins can use PowerShell, right? Wrong! In Office 365 and Azure AD standard users can connect using PowerShell.
In this quick post we are going to look at how to disable users from being able to read other users data using the MSOL cmdlets. (this also appears to limit AzureAD cmdlets access as well)
Run the following command as a global admin: Read more “Hardening Office 365 PowerShell Access”
Guides
This is an experiment to combine a near real time thread on twitter and a blog… I have no idea if this will work. The premise is, we are conducting a adversary simulation against a target and want to see how this translates into a ‘plain language’ blog/story about how these things work. (I’ve also not included sales/scoping/documentaiton and clearly not all of this is in real time) but it is real!
Ok so first thing is first – the criminal part is a joke! We are here to help people. What we are going to do however is consider the general cyber threat landscape, look at the organisation from an ‘external threat actor’ perspective and then see what we can map out from an attack surface point of view.
Read more “Becoming a Cyber Criminal (Pro) – Basic External Attacks”
CTF
Subdomain Enumeration is a key part to security testing from an internet facing perspective. Today we are going to install Subfinder on a Windows Server.
Launch a command prompt Read more “Installing Subfinder on Windows”
CTF
Covenant is a c2 built on .net core. It can run on Linux or Windows, so I thought I would do a quick install demo in the lab.
https://github.com/cobbr/Covenant/wiki/Installation-And-Startup
Defense
Ok so this is not very ‘1337’ but it will get the job done (and that is what is important, no one cares how they get pw3d they just care they were). If you really wanted, you could hand craft this in python of another language or use another tool (script etc.)
Do start with we are going to need a username list and a password list (as well as a target IP or DNS name). This could be:
We also need to have considerations for account lockouts. If we are doing a penetration test, then we will have to likely avoid DoS. If we are doing a ‘RED TEAM’ or adversary simulation, then we will want to avoid being noisy and getting caught. (If we are doing monitoring and detection testing you probably want to be quiet and noisy ala control testing). Read more “Password Spraying/Credential Stuffing OWA with Metasploit Framework”
Defense
The last two weeks we’ve seen major activity around the world with defenders and criminals rushing to respond to the recent zero day vulnerability patches and then the race to reverse engineer the kill chain to create an explot. We saw a PoC fairly early but it required that you reverse engineer some exchange DLLs and/or TAP the 443 to 444 interface on an exchange server to work out how to weaponise it. Things however have progressed, 8 hours ago we saw a metasploit module go online:
Read more “ProxyLogon (CVE-2021-26855) PoC and Metasploit Module Released”
Breach
Imagine being able to read emails from any mailbox from a corporation! But everyone uses office 365… don’t they? Well ok even if that was the case (It’s not) then the RCE would come into play. An RCE into system level access to Exchange which is so heavily tied to active directory they are almost joined at the hip) is a killer foothold. However, you pain the scenarios they aren’t good!
Imagine if you could read everyone’s email! What could you do with this?
The SSRF vulnerability enabling a threat actor to gain unauthenticated read access to mailboxes would be a killer tool for both nation state spies and criminals alike. Read more “ProxyLogon – A god mode backdoor even when used with READ only”
Defense
This isn’t a rant, far from it but I’ve been working on this for over a week now and some major questions are sprining to mind with regard to how the IOCs and detection details released may have hindered response efforts. These vulnerabilities were known about since at least December 2020, there were months to get detection intel and scripts/tools ready for people (that’s if you don’t question why did it take so long). So I’ve put some of my thoughts down here on some of the challenges with the IoCs initially released and the detection tools etc. I’ll probably update this later but wanted to publish it before it becomes virtual dust! Read more “Thoughts on IOCs for Exchange Hafnium/ProxyLogon”
Defense
Ok so John and I have been working on this for a while. We have been working with both customers and industry profesionals and there’s a common theme. Understranding the events from this incident are quite challenging because:
Getting guidance out so far on this has been challenging becuase:
So to try and help people we have made a diagram which we will update as we go.
Essentially you need to perform a weighted analysis to understand if:
Defense
On March 2nd, 2021 at ~6pm GMT Microsoft released an out of band update to all version of exchange from 2010 through to 2019. This was in response to a range of vulnerabilities which had been abused (a 0-day) by a threat actor (coined by MS as HAFNIUM).
For more info from MS please see the following:
https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
Key CVES include:
CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. Read more “Checking for Hafnium or other groups impact from Exchange Abuse”