NTLMRelay2Self over HTTP (Webdav)

Just a walkthrough of how to escalate privileges locally by forcing the system you landed initial access on to reflectively authenticate over HTTP to itself and forward the received connection to an HTTP listener (ntlmrelayx) configured to relay to DC servers over LDAP/LDAPs for either setting shadow credentials or configuring …

Read More »

ISO 27001 Controls Ultimate Guide – Updated for 2022

In this ultimate guide to the ISO 27001 controls we are going to explore the security control requirements. We will go through the ISO 27001 controls, the old version of the ISO 27002: 2013 controls and the new and updated ISO 27002: 2022 control list. What controls do you need …

Read More »

Cobalt Strike Defense Guide – 2

In previous report on Cobalt Strike focused on the most frequently used capabilities that observed. In this report, we will focus on the network traffic it produced, and provide some easy wins defenders can be on the look out for to detect beaconing activity. We cover topics such as domain fronting, …

Read More »

PCAP Analysis

Learning Objectives Understand the advantages and goals of PCAP AnalysisHow to pivot into and away from PCAP Analysis (how to use findings for quicker analysis)Common tools to useHow data reduction aids in investigations Common Tools SnortTcpdumpWireSharkTShark Tools Covered Here SnortTcpdumpWireshark Notes Keep solid notes on your thinking around evidence and …

Read More »

Incident Response without Windows Event Logs

This post discuss some Digital Forensics and Incident Response (DFIR) techniques you can leverage when you encounter an environment without Windows event logs. Where are the logs? at work, we regularly respond to security incidents with ineffective logging and auditing for the purposes of a cyber incident. In some cases, …

Read More »

How to Allow Multiple RDP Sessions in Windows 10 and 11?

Remote users can connect to their Windows 10 and 11 computers via the Remote Desktop Services (RDP). It is enough to enable RDP in the device settings and connect to the computer using any Remote Desktop client. But there is a restriction on the number of simultaneous RDP sessions – …

Read More »

How To Attack Kerberos

Kerberos Fundamentals Kerberos is a network authentication protocol that works on the principle of issuing tickets to nodes to allow access to services/resources based on privilege level. Kerberos is widely used throughout Active Directory and sometimes Linux but truthfully mainly Active Directory environments. TLDR: https://www.roguelynn.com/words/explain-like-im-5-kerberos/ I am aiming to approaching …

Read More »

Windows Artifacts for Forensics Investigation

Generic Windows Artifacts Windows 10 Notifications In the path \Users\<username>\AppData\Local\Microsoft\Windows\Notifications you can find the database appdb.dat (before Windows anniversary) or wpndatabase.db (after Windows Anniversary). Inside this SQLite database you can find the Notification table with all the notifications (in xml format) that may contain interesting data. Timeline Timeline is a …

Read More »

Windows Processes Investigation

smss.exe It’s called Session Manager. Session 0 starts csrss.exe and wininit.exe (OS services) while Session 1 starts csrss.exe and winlogon.exe (User session). However, you should see only one process of that binary without children in the processes tree. Also, more sessions apart from 0 and 1 may mean that RDP …

Read More »