When you hear “tokens” in the world of Entra ID, what does it mean? There are different types of tokens with different utilities. Not all tokens are created equal either; there are more attractive tokens for an attacker to steal causing a world of confusion and pain for blue and …
How to use Responder to capture NetNTLM and grab a shell
Responder: The Ultimate Tool for Samba Server Hijack and NetNTLM Hash Theft In the vast arsenal of cybersecurity tools, Responder stands out for its unique capability to masquerade as a rogue Samba server, opening up avenues to pilfer NetNTLM hashes with finesse. Here’s a deep dive into harnessing this tool …
Remotely Capture Traffic from a Domain Controller and Analyze It Locally
This blog post will walk you through the steps of remotely capturing traffic from a domain controller and then analyzing it locally. This can be useful for troubleshooting network issues or investigating security incidents.

Requirements
- A Windows computer with PowerShell
- The NetEventPacketCapture PowerShell module
- The etl2pcapng PowerShell module
- A domain …
Very simple modifications to a Meterpreter shellcode dropper can be sufficient to bypass modern EDRs
Introduction When I talk about EDRs in this article, I mean a combination of endpoint protection (EPP) and endpoint detection and response (EDR). I also want to define the term “evasion” in the context of EDRs and malware. When I talk about the fact that it is or has been …
Incident Response Playbooks and Workflows
Download: Incident-Response-Playbooks-and-workflows-1
Cybersecurity Terms
Download: Cybersecurity-Terms-v2023
Inspect RDP traffic in Wireshark
Wireshark RDP resources
Looking for a way to capture and inspect RDP traffic in Wireshark? You’ve come to the right place!

SSLKEYLOGFILE
Many applications, including browsers, support the SSLKEYLOGFILE environment variable with a path to a text file where TLS pre-master secrets are dumped. This format is supported by Wireshark …
NTLMRelay2Self over HTTP (Webdav)
Just a walkthrough of how to escalate privileges locally by forcing the system you landed initial access on to reflectively authenticate over HTTP to itself and forward the received connection to an HTTP listener (ntlmrelayx) configured to relay to DC servers over LDAP/LDAPs for either setting shadow credentials or configuring …
ISO 27001 Controls Ultimate Guide – Updated for 2022
In this ultimate guide to the ISO 27001 controls we are going to explore the security control requirements. We will go through the ISO 27001 controls, the old version of the ISO 27002: 2013 controls and the new and updated ISO 27002: 2022 control list. What controls do you need …
Cobalt Strike Defense Guide – 2
The previous report on Cobalt Strike focused on the most frequently used capabilities we observed. In this report, we will focus on the network traffic it produces, and provide some easy wins defenders can be on the lookout for to detect beaconing activity. We cover topics such as domain fronting, …