ESXiargs Summary 09-02-2023 10:03

What do we know?

Adversary: Unknown, likely Criminal Actor/s

Initial Access Vector: Unknown/Unproven

Impact: ~3K+ Hosts have had Remote Code Execute and their ESXi logon pages changed (plus had encryption routines run to encrypt virtual machines, with varying success). A Second encryption routine has been deployed to some hosts; the threat actor is expanding/changing capabilities.

Risk: Further impact, Additional Threat Actors Exploit the vulnerability

Education

How to get some OPSEC with Kali?

There are major questions that must be answered here!

How do we change the hostname in KALI Linux?
How do we change the default TTL to look like a Windows Machine?
How do we pretend to be a SAMSUNG device/How do we change our MAC address?

Getting into Cyber

How to get into Cyber? It’s EASY!

Quick, I’ll tell you a little secret… to get into CYBER you must first follow this guide:

Now if you are going to GET INTO CYBER you need to have a range of things:

Computer Hacking Skills
Num-chuk Skills

Right ok, so let’s get some Hacking Skills!

Head over to KALI LINUX and download KALI

Hacking

CrackMapExec (CME) on Windows

Ok this is going to be really short post, but expect more later! Did you ever want to run CME but you were stuck on a Windows machine? Well don’t worry you can! How do we do this?

First we download CME

https://github.com/Porchetta-Industries/CrackMapExec/releases/download/v5.4.0/cme-windows-latest-3.10.1.zip

Extract the zip file

Make sure you have python3 installed!

Defence

Threat hunting with some funny results!

You never know what you will find when you go hunting! So here’s a quick tale of an explore I did using Advanced Hunting!

I went hunting here in Advanced Hunting:

Threat Intel

Simulating Human Operated Discovery

Did you want to check out some of your detections? This isn’t everything of course but it’s a simple batch file to simulate a range of enumeration techniques used by actors like CONTI or LOCKBIT affiliates/operators:

Guides

Volume Shadow Copy

If you are having fun today with Defender ASR deleting lnk files then you will see the MS Script has a v1.1 which looks to VSS to see if it can restore shortcuts from shadow copies, so whilst here I thought I’d note down a few different ways to list the Volume Shadow Copies.

You will need admin rights for these to work:

Uncategorized

Living with your password strength head in the sand

Password audits, if you ask some security pros you will hear a million reasons why you would be insane to do them… ask me however and the answer is more nuanced. They are activities that must be handled with the upmost care, however…. they (in my experience) have been incredibly useful to help improve security postures and to enable organisations to understand risk! You are of course free to ignore what I think and live like an ostrich (or it really might not be suitable for your environment). I’m not going to talk about how to do a password audit today, I’m also not going to advise in this post on sourcing strategy (you may want to do in house or you might want to outsource, after all, you normally put all your hashes in someone else’s computer when you use cloud right!?), anyway enough rambling, year ago the NCSC UK did some password auditing research (it was good work – Spray you, spray me: defending against password spraying… – NCSC.GOV.UK) and now the DOI have also done similar, check out the report In the link below:

Strategy

When forming a strategy you must realise for starts that people view the word strategy differently. However, the general view is STRATEGY AS A PLAN. Without a PLAN a strategy is a DREAM.

The plan must be supported by a rang of factors, it must also be managed. It should be something which helps you go from where you are (CURRENT STATE) to where you want to be (FUTURE STATE) and should have a roadmap (TRANSITION PLAN/ROADMP) of how you will get there.

When we talk about can I see your strategy, you will need to have it documented, a strategy without a document isn’t a strategy that can be shared and communicated. As to what “THE STRATEGY” document must be… well there is no such thing as a MUST, but there’s some component that are largely and widely recognised to be useful.

Leadership

Cloud Adoption Security Review

Anyone that knows me, knows I love maturity assessments and tools (I’ve built a few, and run LOADS more) so this morning when I saw this on LinkedIn I had to start to get some understanding! I’ve not even had a cup of tea, but let’s see what this looks like!