Education
There’s thousand of vulnerabilities, but do you ever struggle work out what ones might actually be useful to you if you are defending or attacking?
Well don’t worry I’ve started to document some things that might help you both attack and defend in CYBERSPACE!
Read more “PWNDEFND: Known Exploitable Vulnerabilities (KEV) – AKA: Offensive KEV”
Education
I’m totally in the middle of doing some work but this alert just came in so I have quickly dumped the data:
This came in via a Confluence exploit (not sure which CVE yet). I’ve not got time to analyse but thought I’d share this as an educational excercise for people! It’s a good excercise to see the apache tomcat logs and then decode, obtain samples and analyse the activity/imapct (as well as yoink IOCs etc.)
Read more “Learn to SOC: Cryptominer Analysis”
Guides
Work in progress post
Ok so i posted a snipped of PowerShell on LinkedIn for hunting the confluence logs using a pattern match for ${ (after we have URL decoded (twice). This is just an example of how to parse log files using PS1 so it’s clearly very basic but i wanted to give people an idea of what we do when we “GREP” the logs:
Read more “Searching Confluence Logs with PowerShell”
Guides
So, you have a driver to achieve cyber essentials, great stuff. Now if you are a business of reasonable size and scale this activity requires a bit of planning, context and lots of access and data. This could be via a distributed team or via a dedicated project team. In this post I’m going to look at what you may need to conduct the planning, discovery, assessment, and certification for Cyber Essentials and/or CE+.
Read more “Cyber Essentials Readiness”
Guides
A quick post becuase this is useful for security control testing:
If you want to enable MOTW (mark of the web) on a file you can run the following PowerShell cmdlet:
Set-Content -Path '.\safe3.rtf' -Stream Zone.Identifier -Value '[ZoneTransfer]','ZoneId=3'This will set the alterate data stream (ADS) Zone.Identifier value to ZoneID=3 (Internet Zone)
You can unblock this with
Read more “Adding a removing the mark of the web via PowerShell”
Hacking
Ok imagine this, you have got access to a file server and behold you find an unsecured, unencrypted backup of a domain controller (this isn’t made up I find these in networks sometimes!) and you yoink the NTDS.dit (or maybe it’s just a workstation SAM/SYSTEM file), you extract the hashes but now what, you need to crack those bad boys!
Check out the MS docs on how NT or LM Hashes are computed(hashed)! – (thanks @ANeilan for spotting my mistake!)
[MS-SAMR]: Encrypting an NT or LM Hash | Microsoft Docs
Read more “How to Crack NTHASH (commonly referred to as NTLM) password hashes?”
Defense
This is a big thing in the Exchange world from my POV! I believe this is dropping sometime today (28th September!)
Exchange OWA, ECP etc. are exposed online not only for mailbox access, calendar sharing but also are a requirement for hybrid mode sync capabilities.
Vulnerabilities in Exchange this year (ProxyLogon/ProxyShell) have shown how problematic an attack surface this is. The good news is, Microsoft have created a feature for Exchange to help mitigate these attacks in the future via the EM Service!
Read more “Exchange Emergency Mitigation Service with new CU Update”
Defense
Ok so the other day “we” as a community put out some guidance around post active directory compromise actions for when you can’t simply nuke the forest from orbit. Well, following on from that a friend asked about how to restore AdminSDHolder permissions? Read more “How to restore AdminSDHolder Object Permissions using ADSIedit”
Guides
Ever needed to test active directory in a hurry? Well, here’s some common commands to test active directory domain services. In this post today we are going to focus on DNS and username enumeration, there are however a range of weaknesses you want to look for:
Port Scanning and Service Fingerprinting
nmap -p- -sC -sV -Pn -v -A -oA ecorp.local.txt 192.168.1.22
Read more “Rapid Active Directory Security Testing of Windows Server 2022 and Kali Linux”
Defense
Recently I decided to do the Red Team Operator: Privilege Escalation in Windows Course by Sektor7 (thanks for the recommendation Justin!). I thought I’d write some notes but also create a quick blog covering some of the Windows fundamental areas. It’s easy to actually forget how this stuff is at a detailed level so figured it helps both myself and the world to share a snippet. I’m litterally listening to the course as I type this, I’ve just imported an OVA to vmware workstation so this is litterally live! (I’m 7 video modules in!)
There’s some key parts around Windows Security Architecture that is important to know, the course does cover this off at the start so I thought I’d share a tiny bit of my notes. Read more “Windows Security Fundamentals & LPE”