Skip to content
PwnDefend
  • Base
  • Comms Room
    • Customer Feedback
    • Company Information
    • Security Management
  • Services
    • Consulting Services
      • Enterprise Security Posture Assessment
      • Cyber Security Assurance & Security Testing Services
      • IT Security Healthchecks
      • Active Directory Assessment Services
      • Managed Remediation Services
    • Emergency Cyber Incident Response Support
    • Our Success Stories
    • Partner Services
  • Blog
  • Privacy
Uncategorized

Malicious Scheduled Tasks

A very common technique in ransomware scenarios is the deployment of Scheduled Tasks via Group Policy object.

So I thought I’d start to post some content around this. To start with I was looking locally to enable the following:

“Show me all the command lines used in scheduled tasks on Windows with PowerShell”

So I knocked up this really simple proof of concept (there are other ways to write this obvs)

Read more “Malicious Scheduled Tasks” →
Defence

Planning to defend and respond to cyber threats

Everyone has a plan until they are cyber punched in the face! Or something like that!

People seem to have this misconception that you need to “do a pentest” or some other project based activity to do “security testing” or response planning.

Let’s be real here, you really don’t. But what you do need is a few things:

  1. Authorisation
  2. Time
  3. Some ideas for cyber incidents to plan for
Read more “Planning to defend and respond to cyber threats” →
CTF

Using CTFs for offensive and defensive training – Purple…

Pwning a legacy server on Hack the Box is good for a training exercise however what about if we want to think about how to use resrouces for red and blue. Looking at both sides of the coin when thinking about offense really should help people undesrand how to defend better. In the end of the day outside of a tiny tiny fraction of deployment types, you are going to need to be able to explain how to defend regardless of engagement type (vulnerability assessment, penetration test, purple team, red team etc.)

Getting access

I’m not going to talk through every step but here’s the commands you would need to run:

Read more “Using CTFs for offensive and defensive training – Purple Teaming” →
Threat Intel

Learn to SOC: Java Webshell via confluence

When running honeypots you never have to wait too long for something to drop!

This moring we had a new hit in the pot, so I decided to invesigate but also to blog and show how we could go about investigating the logs and paylods etc.

Read more “Learn to SOC: Java Webshell via confluence” →
Defense

Thoughts on IOCs for Exchange Hafnium/ProxyLogon

Intro

This isn’t a rant, far from it but I’ve been working on this for over a week now and some major questions are sprining to mind with regard to how the IOCs and detection details released may have hindered response efforts. These vulnerabilities were known about since at least December 2020, there were months to get detection intel and scripts/tools ready for people (that’s if you don’t question why did it take so long). So I’ve put some of my thoughts down here on some of the challenges with the IoCs initially released and the detection tools etc. I’ll probably update this later but wanted to publish it before it becomes virtual dust! Read more “Thoughts on IOCs for Exchange Hafnium/ProxyLogon” →

Defense

Exchange 2010 Rapid Analysis for IOCs

Purpose

With the Hafnium “incidents” and Exchange vulnerabilities I wanted to help people with ruling in or out compromise of their Exchange 2010 environments. At the time of writing, I don’t believe that Hafnium affected Exchange 2010 via the reported kill chain, I believe that BEC would be required but this is a theory, my general view is Exchange 2010 might be ‘safe’ from this kill chain. This is due to the initial stage leveraging CVE-2021-26855 which is an SSRF vulnerability which only affectes the new architecture (2013+). However, this is an unsupported platform so I wanted to help with some baselines and talk about how I would approach ruling compromise in or out (at least with regards to these vulnerabilities). The key impact area is a web shell. I’ve made some baselines to help people look for abnormalities.

Disclaimer

This document was made with limited time and without full Whitebox access to source code and engineering expertise. The areas we are checking for IOCs appear to make logical sense, but the OS and APP (Exchange 2010) are unsupported, and we are not the vendor. So, I am afraid your hunting responsibility is on you, this is just my opinions and thoughts from a very fast analysis. Use at your own risk. Read more “Exchange 2010 Rapid Analysis for IOCs” →

Recent Posts

  • Why is security so hard?
  • Virtual Desktop Infrastructure (VDI) & Cyber Essentials
  • Technology in the Wild
  • CrackMapExec (CME) on Windows
  • Ransomware + Mega = Mega Cyber Pain

Recent Comments

No comments to show.

Archives

  • January 2023
  • December 2022
  • November 2022
  • October 2022
  • September 2022
  • August 2022
  • July 2022
  • June 2022
  • May 2022
  • April 2022
  • March 2022
  • February 2022
  • January 2022
  • December 2021
  • November 2021
  • October 2021
  • September 2021
  • August 2021
  • July 2021
  • May 2021
  • April 2021
  • March 2021
  • February 2021
  • January 2021
  • December 2020
  • November 2020
  • October 2020
  • September 2020
  • August 2020
  • July 2020
  • March 2020
  • February 2020
  • January 2020
  • October 2019
  • May 2019
  • April 2019
  • March 2019
  • February 2019
  • January 2019
  • December 2018
  • October 2018
  • September 2018
  • August 2018
  • July 2018

Categories

  • Architecture
  • Breach
  • Company News
  • CTF
  • Defence
  • Defense
  • Education
  • Guides
  • Hacking
  • Leadership
  • News
  • OSINT
  • Reviews
  • Strategy
  • Threat Intel
  • Uncategorized
  • Vulnerabilities
Copyright (c) Xservus Limited
Theme by Colorlib Powered by WordPress