-
Alfie Champion - 21 Apr 2021
Attack Detection Fundamentals 2021: AWS - Lab #3
This article details an AWS security lab demonstrating an attack scenario involving unauthorized S3 bucket access. The walkthrough covers exfiltrating customer data, modifying user permissions, and deleting files in an S3 bucket. Detection methods using CloudTrail and S3 access logs are explored to track malicious activities and understand the attack's forensic evidence.
- Calum Hall Luke Roberts
- 14 Apr 2021
Attack Detection Fundamentals 2021: macOS - Lab #1
This article explores macOS attack detection fundamentals using the Mythic post-exploitation framework. It demonstrates initial access via Office macros, persistence techniques using LaunchAgents, and sandbox breakout methods. The focus is on detecting malicious process trees and understanding macOS security mechanisms through practical attack scenarios.
- Calum Hall Luke Roberts
- 14 Apr 2021
Attack Detection Fundamentals 2021: macOS - Lab #2
This article explores LaunchAgent persistence techniques on macOS, demonstrating how attackers can abuse system functionality to maintain access. Detection methods using Endpoint Security Framework and osquery are discussed to identify suspicious LaunchAgent behavior. Key strategies include monitoring file creation events and analyzing unsigned binaries executed by LaunchAgents.
- Calum Hall Luke Roberts
- 14 Apr 2021
Attack Detection Fundamentals 2021: macOS - Lab #3
This article explores a macOS attack technique that bypasses Apple's Transparency, Consent & Control (TCC) security mechanism. The attack leverages SSH's full disk access to directly modify the TCC database, allowing unauthorized access to protected system resources. Detection methods are demonstrated, focusing on monitoring local SSH connections and direct database modifications.
-
Riccardo Ancarani - 9 Apr 2021
Detecting Exposed Cobalt Strike DNS Redirectors
A technique was developed to detect exposed Cobalt Strike DNS redirectors by identifying DNS servers that consistently return the same IP address for all domain queries. The method involves scanning DNS servers and analyzing their response patterns to identify potential Cobalt Strike infrastructure. An internet-wide survey was conducted to validate the detection approach, revealing multiple potential Cobalt Strike DNS servers.
- Alfie Champion Riccardo Ancarani
- 7 Apr 2021
Attack Detection Fundamentals 2021: Windows - Lab #1
This article details a cybersecurity workshop demonstrating advanced Windows endpoint attack techniques for initial access. An HTA-based attack method was developed that drops a DLL and uses registration-free COM activation to execute a malicious payload. The payload involves shellcode injection, AMSI bypassing, and process injection techniques targeting Windows endpoints.
- Alfie Champion Riccardo Ancarani
- 7 Apr 2021
Attack Detection Fundamentals 2021: Windows - Lab #2
This article explores advanced defense evasion techniques in Windows cybersecurity, focusing on API unhooking and ETW bypassing. The lab demonstrates methods attackers can use to minimize their detection footprint during endpoint attacks, such as removing API hooks and disabling event tracing. Techniques include intercepting API calls, unhooking ntdll.dll, and manipulating .NET runtime event tracing to avoid security monitoring.
- Alfie Champion Riccardo Ancarani
- 7 Apr 2021
Attack Detection Fundamentals 2021: Windows - Lab #3
This article explores API hooking techniques for stealing RDP credentials during Windows authentication. The lab demonstrates how API hooks can intercept plaintext login information when users connect to remote desktop sessions. Multiple methods are presented, including using Frida and RdpThief, to extract credentials from the RDP client process.
- Alfie Champion Riccardo Ancarani
- 7 Apr 2021
Attack Detection Fundamentals 2021: Windows - Lab #4
This article demonstrates a technique for stealing browser cookies and saved passwords from a Windows endpoint using Chlonium. The attack involves extracting Chrome's encryption keys and cookie databases to hijack web sessions. System Access Control Lists (SACLs) are explored as a method for detecting and logging sensitive file access during such attacks.
- 30 Mar 2021
Click here for free TV! - Chaining bugs to takeover Wind Vision accounts
A critical vulnerability was discovered in the Wind Vision mobile app that enables account takeover through chained security flaws. The attack exploits insecure URL schemes, weak device identification, and authentication mechanisms to intercept OAuth tokens. By crafting a malicious app, an attacker can potentially stream content or remove user devices from the Wind Vision account.
- Henri Nurmi
- 21 Dec 2020
Sniff, there leaks my BitLocker key
A low-cost method was demonstrated to extract BitLocker encryption keys by sniffing the SPI bus of a Trusted Platform Module (TPM). The attack requires brief physical access to a target machine and can be performed using publicly available tools. By capturing TPM communication, the Volume Master Key can be retrieved and used to decrypt a BitLocker-protected drive.
- Riccardo Ancarani
- 20 Nov 2020
Detecting Cobalt Strike Default Modules via Named Pipe Analysis
A technical analysis of Cobalt Strike's default modules reveals distinctive named and anonymous pipe communication patterns. The article explores how Cobalt Strike uses pipes for inter-process communication during post-exploitation activities like keylogging and screenshot capture. Detection techniques are proposed, including Yara rules and Splunk searches to identify these unique pipe characteristics.