CyberSecurity – PwnDefend

Detecting ‘Dark Tunnels’ with Microsoft Defender using KQL

Detecting ‘Dark Tunnels’ is an important element to corporate security, much like detecting unauthorised RMM usage. But what is a dark tunnel?

according to GROK:

A dark tunnel (sometimes called a “dark pool tunnel” or simply a secure reverse tunnel in networking contexts) refers to a type of secure, outbound-only tunneling technology that allows private access to internal services, devices, or networks without exposing them to the public internet. The “dark” aspect emphasizes that the tunnel is hidden or invisible from external scanners—there’s no inbound port forwarding, firewall holes, or public IP exposure required. Instead, it relies on encrypted outbound connections from the internal resource to a cloud-based relay or peer-to-peer mesh, enabling zero-trust access (e.g., via authentication tokens or keys).
This approach is popular in DevOps, IoT, remote work, and cybersecurity for bridging on-premises or edge devices to the cloud securely, often bypassing NAT traversal issues or legacy VPN complexities.

Education

Windows Defender at my tunnel

I was doing some testing with Cloudflare tunnels this weekend and I woke up this morning to see if funny honeypot messages I had, I quickly checked if the site was online and found a cloudflare error message. This is a just an IIS instance running on a windows 11 PC (with no WIFI or Bluetooth) plugged into a test network (so if it gets pwn3d, it’s not going to impact anything important).

Education

Kerberoasting History

Kerberoasting, a technique for offline cracking of Kerberos service account passwords in Active Directory environments, was publicly introduced and detailed by Tim Medin in his research paper and Black Hat USA 2014 presentation titled “Attacking Microsoft Kerberos: Kicking the Guard Dog of Hades.”

Breach

Ransomware kill chains are boring.. will we ever learn?

Are we stuck in a cyber world that never learns? are we doomed to suffer the same fate over and over again? Well, not if you take action, you can totally prevent events like this!

This is a fast post using an LLM to analyse the Capita redacted ICO report. Hopefully it will help people think about things and take the lessons and apply them in their own organisations.

Education

A threat to sanity – Cyber Myth: Juice Jacking

“Juice jacking” has become a modern cybersecurity myth — a catchy scare story built on a long-patched Android debugging issue and fueled by viral fear rather than facts. Despite years of warnings, there are no confirmed cases of real-world juice jacking attacks; the cost, effort, and low reward make it an impractical method for criminals. Yet the myth persists because it’s vivid, simple, and scary — everything our brains latch onto. The real danger is not the USB port at the airport, but the distraction such myths create. When people focus on imaginary threats, they waste precious attention that should go toward genuine risks like weak passwords, missing MFA, unpatched systems, and poor backups. So let’s take a bit of a deeper dive into this subject, because by it’s important to understand what to, and what not to focus on in my experience!

News

‘Secure’ Firewall backups, until they are not!

Firewalls are often both a defended gate but also the front door to access corporate network. That is all lovely until it’s not! You see so many corporate network intrusion incidents occur from threat actors simply logging into the VPN (due to lack of VPN), and then we have the software vulnerabilities where they shell their way in, but did you think that another way could be from stealing all the backups from a ‘security’ provider? Well now you might! There’s been bit of an incident (one that started as it’s only 5% of customers but actually it was 100% of customers who used the backup feature! YIKES), but before that let’s look at the typical landscape!

Guides

Breaching WPA2 PSK Wireless Networks

This weekend I was running a workshop with my awesome friend James, where we were discussing the realities of wireless network security, man in the middle attacks and what we have found in the field, both from an offensive perspective and as corporate network defenders. As with all things in life, sometime reality doesn’t work quite as well as a demo! So I’ve done a quick thread on twitter showing the kill chain an adversary can deploy when attacking WPA2 PSK (without PMF enforced) networks. This is written as a twitter thread so bear with the style!

Education

Why a SOC Without Triage, Analysis, and Remediation Is…

In the world of cybersecurity, the term Security Operations Center (SOC) carries significant weight. It evokes images of highly skilled analysts working around the clock to detect, respond to, and mitigate cyber threats. However, not all SOCs live up to this expectation. If a SOC lacks core functions like triage, analysis, assessment, and remedial action, it’s not truly a SOC—it’s merely a contact center masquerading as one. Let’s explore why these functions are non-negotiable for a SOC and why their absence undermines the entire purpose of cybersecurity operations.

Defence

Business Email Compromise: Impact Assessment

If you are are a victim of unauthorised mailbox access and/or attempted fraud via mailbox compromise (BEC) then you know that one of the tasks outside of understanding how the compromise has occurred, what configurations have been tampered with, removing devices and resetting usernames/passwords (and tokens/MFA) etc. is to start to understand the data breach impact.

If someone has logged into a mailbox it’s very very unlikely that zero data has been accessed!

News

Japan goes on the Cyber Offensive

Ok with my AI companion GROK I’ve gone exploring on the differences between Japan’s new cyber laws and the UK! This is more GROK than me, but I thought people might find this interesting!