Mahyar

OrcID: 0000-0001-8875-3362 ​PhD Candidate (National Academy of Sciences of Ukraine - Institute for Telecommunications and Global Information) MCP - MCSA - MCSE - MCTS Azure Security Engineer Associate MCITP: Enterprise Administrator CCNA, CCNP (R&S , Security) ISO/IEC 27001 Lead Auditor CHFI v10 ECIH v2

Remotely Capture Traffic from a Domain Controller and Analyze It Locally

This blog post will walk you through the steps of remotely capturing traffic from a domain controller and then analyzing it locally. This can be useful for troubleshooting network issues or investigating security incidents. Requirements A Windows computer with PowerShell The NetEventPacketCapture PowerShell module The etl2pcapng PowerShell module A domain …

Read More »

very simple modifications to a Meterpreter shellcode dropper can be sufficient to bypass modern EDRs

Introduction When I talk about EDRs in this article, I mean a combination of endpoint protection (EPP) and endpoint detection and response (EDR). I also want to define the term “evasion” in the context of EDRs and malware. When I talk about the fact that it is or has been …

Read More »

Inspect RDP traffic in Wireshark

Wireshark RDP resources Looking for a way to capture and inspect RDP traffic in Wireshark? You’ve come to the right place! SSLKEYLOGFILE Many applications, including browsers, support the SSLKEYLOGFILE environment variable with a path to a text file where TLS pre-master secrets are dumped. This format is supported by Wireshark …

Read More »

NTLMRelay2Self over HTTP (Webdav)

Just a walkthrough of how to escalate privileges locally by forcing the system you landed initial access on to reflectively authenticate over HTTP to itself and forward the received connection to an HTTP listener (ntlmrelayx) configured to relay to DC servers over LDAP/LDAPs for either setting shadow credentials or configuring …

Read More »

ISO 27001 Controls Ultimate Guide – Updated for 2022

In this ultimate guide to the ISO 27001 controls we are going to explore the security control requirements. We will go through the ISO 27001 controls, the old version of the ISO 27002: 2013 controls and the new and updated ISO 27002: 2022 control list. What controls do you need …

Read More »

Cobalt Strike Defense Guide – 2

In previous report on Cobalt Strike focused on the most frequently used capabilities that observed. In this report, we will focus on the network traffic it produced, and provide some easy wins defenders can be on the look out for to detect beaconing activity. We cover topics such as domain fronting, …

Read More »

Malicious Document Analysis [Episode 1]

Before starting the analysis, I’m going to use the following environment and tools: REMnux: https://docs.remnux.org/install-distro/get-virtual-appliance Didier Stevens Suite:https://blog.didierstevens.com/didier-stevens-suite/ Malwoverview:https://github.com/alexandreborges/malwoverview Furthermore, it’s always recommended to install Oletools # python -m pip install -U oletools All three tools above are usually installed on REMnux by default. However, if you are using Ubuntu …

Read More »

PCAP Analysis

Learning Objectives Understand the advantages and goals of PCAP AnalysisHow to pivot into and away from PCAP Analysis (how to use findings for quicker analysis)Common tools to useHow data reduction aids in investigations Common Tools SnortTcpdumpWireSharkTShark Tools Covered Here SnortTcpdumpWireshark Notes Keep solid notes on your thinking around evidence and …

Read More »