Forensics and Security

Cobalt Strike Defense Guide

Intro In our research, we expose adversarial Tactics, Techniques and Procedures (TTPs) as well as the tools they use to execute their mission objectives. In most of our cases, we see the threat actors utilizing Cobalt Strike. Therefore, defenders should know how to detect Cobalt Strike in various stages of …

Read More »

PrintNightmare CVE-2021-34527 exploit Mitigation to keep your Print Servers running while Microsoft Patch Doesn’t Really work Effectively

A regular domain user can easily take over the entire Active Directory domain. While we still recommend that the print spooler service should be disabled on any system that does not need it, we also want to provide a temporary workaround to make the exploit ineffective, while allowing you to …

Read More »

Dumping RDP Credentials

Administrators typically use Remote Desktop Protocol (RDP) in order to manage Windows environments remotely. It is also typical RDP to be enabled in systems that act as a jumpstation to enable users to reach other networks. However even though this protocol is widely used most of the times it is …

Read More »

Active Directory Exploitation [EVERYTHING]

Summary Active Directory Exploitation Cheatsheet Summary Tools Domain Enumeration Using PowerView Using AD Module Using BloodHound Useful Enumeration Tools Local Privilege Escalation Lateral Movement Powershell Remoting Remote Code Execution with PS Credentials Import a powershell module and execute its functions remotely Executing Remote Stateful commands Mimikatz Useful Tools Domain Privilege …

Read More »

Powershell is POWERED SHELL for Sysadmins and Penetration testers

This article contains a list of PowerShell commands collected from various corners of the Internet which could be helpful during penetration tests or red team exercises. The list includes various post-exploitation one-liners in pure PowerShell without requiring any offensive (= potentially flagged as malicious) 3rd party modules, but also a …

Read More »

Digital Forensics and Incident Response

IntroductionDisclaimerArtifact locationsGet an object of forensic artifactsQuery object for relevant registry keys:Query object for relevant file paths:Windows Cheat SheetOrder of VolatilityMemory Files (Locked by OS during use)Binalyze IREC Evidence Collector (GUI or CommandLine)Belkasoft Live RAM CapturerRedlineMemoryzeComae DumpITMagnet Forensics (Mostly GUI)Volexity SurgeMicrosoft LiveKdWinpmemImaging Live MachinesFTK Imager (Cmd version, mostly GUI for …

Read More »