Cyber Strategy Magic

Strategic this, strategic that

People band strategy around like it’s some sort of mythical beast that requires no knowledge of the subject involved but is done by wizards and executives (it’s just done by people, but I digress) so I thought I’d talk about strategy development.

Now forewarning you might come out of this post thinking… there must be something else… something you are missing as Dan’s not showing any secret magic…. Often what is commonly lacking when looking at strategic execution is effective communication, consensus, and marathon like commitment to deliver on said goals and objectives. Why? Because that part is really, really, hard, if it wasn’t we’d all be sipping Bollinger in the Bahamas.

Know the business

If your first thoughts are to run to Sun Tzu or grab an ISO27001 document then you should probably pause, grab a tea, and take a breath. In my experience cyber security is:

Not a war
Does not require anything to do with the military
The answers are not simply in a book or standard document

People often think that a framework, guide, or standard will give them the answers. Sure, they are often useful tools to help, hell the domain of cyber is broad as hell and there’s so much to do and often so little time, so job aides and not re-inventing the wheel is a good thing, that doesn’t however just mean that with documents you will be in a good position. Read more “Cyber Strategy Magic” →

Defense

Razer Privilege Escalation Vulnerability

“And I looked and behold a pale horse: and his name that sat on him was Death, and Hell followed with him.”

Firstly, Kudos to @j0nh4t for finding this!

I woke up this morning to see twitter fun with a LPE discovered in the Razer driver installation. Basically, when you plug a Razer mouse into a Windows machine, it will download (via windows update) and execute a process as system which has user interaction. This interface includes an install path selector, with this a right click + SHIFT (LULZ) on whitespace will allow you to launch a command prompt/PowerShell window (as SYSTEM).

Guides

Rapid Active Directory Security Testing of Windows Server 2022…

Introduction

Ever needed to test active directory in a hurry? Well, here’s some common commands to test active directory domain services. In this post today we are going to focus on DNS and username enumeration, there are however a range of weaknesses you want to look for:

SMB Null Session/Guest Access
LDAP Null Bind
Sensitive Information Disclosure
Weak Password Policies
Unpatched Software Vulnerabilities

Active Recon

Port Scanning and Service Fingerprinting

nmap -p- -sC -sV -Pn -v -A -oA ecorp.local.txt 192.168.1.22

Domain Name and Domain Controller Enumeation

Guides

Hacking Windows Server 2022

WIndows Server 2022 is RTM! I love new operating systems, but also with the new, what is old? There will be loads of new blogs and articles on new features of Server 2022 however I wanted to see what mischief we can have with it! So I’ve decided to start looking at common vectors and exploits (from the fun to the serious) so that we can see how much of the world has changed (or not!)

So let’s take a look. The first thing I did was to offline replace stickykeys with cmd.exe – yes this method still works. But as lots of people will realise, you neeed physical access to the disk (well you don’t if you have access to someone’s vcenter you don’t!) but also the reg key methods also work! We can still backdoor RDP – here’s a script to disable NLA, Enable RDP, configure the firewall rules and set the registry keys to backdoor the system (clearly for lab use only!)

https://github.com/mr-r3b00t/RDP_Backdoor

Defense

Why are ransomware attacks so devastating? – Part 1

Introduction

“Ransomware is a major issue!”

Hang on maybe we need to re-phrase that:

“Weak security postures are a major issue!”

or perhaps.. why not both!

I’ve been working with digital technology management for over 20 years, I started out when I was a kid (literally) fixing people’s PCs in their offices, removing malware, improving configurations, writing batch file menus, and playing games. As time has gone on technology has shrunk and continually become more and more of our everyday lives.

Back in 2003 I responded internally to MSBlaster, an SMB worm that had a devastating effect for the time, by today’s standards it was child play, however I remember saying “it’s a good job it didn’t delete everything whilst it was here.” (Or something very similar. Post NACHI/Blaster my friends and I were talking about how worse it could get. Fast forward in time and it’s much worse. Yet when I look at networks, they don’t look very different to how they did back in the 2000s.

Despite a multi-billion-dollar cyber security industry, it seems daily that organisations are succumbing to “cyber-attacks” which commonly include ransomware. Why are they successful and why are they so impactful? Well, let’s take a look! Read more “Why are ransomware attacks so devastating? – Part 1” →

Defense

Audit NTDS.DIT using DSINTERNALS

Ok this assumes you know how to get the NTDS.DIT and SYSTEM registry hive out from a domain controller, if you don’t go looking, we might have blogged a few ways to do that! Now then, firstly, let’s Install DSInternals. From PowerShell 5 onwards you can simply run:

Install-Module -Name DSInternals -Force

You will likely need to set your execution policy:

Set-ExecutionPolicy -ExecutionPolicy Unrestricted

Now to dump the hashes we use: Read more “Audit NTDS.DIT using DSINTERNALS” →

Defense

Dumping Credentails with MIMIKATZ and Passing the Hash (PTH)

I kid you not, I forget the commands, so I thought, hey let’s write a small blog post on credential dumping and pass the hash.

To achieve this we need: Debug privileges on a single machine or we need access to a disk that does not have full disk encryption. We also need the password to be re-used.

Mimikatz

Ok for this demo I’m going to run with the out of the box release for Mimikatz on a domain joined windows PC with Defender disabled.

To gain system we launch mimikatz from an admin shell and run:

privilege::debug

token::elevate

Now we are SYSTEM we access a range of high privilege level areas. Read more “Dumping Credentails with MIMIKATZ and Passing the Hash (PTH)” →

Defense

Hacking Guide – AESREPRoast and Kerberoasting

Kerberos Pre-Authentication Hash Retrieval and Cracking

We can enumerate active directory to find accounts that do not require pre-authentication. There’s a simple way of doing this using Rubeus:

.\Rubeus.exe asreproast /format:hashcat

We can see there is a vulnerable account that has Kerberos Pre-Authentication disabled.

This hash can be loaded into hashcat and possibly cracked (the hash in the screenshot is weak on purpose) Read more “Hacking Guide – AESREPRoast and Kerberoasting” →

Defense

Executing/Creating a process via WMI Methods

WMI is an awesome technology capability for Windows administration, I’ve been using WMI since the Windows 2000 era, I’ve written WMI based scripts/tools to defeat malware, yay, however with any tool the use can be for good and for evil!

This post is going to focus on Win32_Process:Create (there are other methods as well!) Read more “Executing/Creating a process via WMI Methods” →

Defense

Ransomware Realities

Everything is much worse now, or is it?

”The world is burning, the world is burning but then if you look around, it always has been…”

Computer systems and security go together much like chalk and cheese! Probably sounds a bit odd but miniaturization, consumerization and mobility have put more technology out in the world than we can really comprehend, yet technology security is still dramatically overlooked by most organizations.

The insane pace of change, the drive for faster, better, cheaper and the reality that it probably isn’t a stretch to say most people (and organizations) do not really understand what ‘secure’ or ‘hardened’ looks like.