-
Oliver Simonnet - 24 Nov 2021
A bit of a Fixer Upper - Testing FIX-backed applications
This article explores testing and intercepting FIX protocol applications using MitM_Relay and Burp Suite. A custom Python script was developed to maintain message integrity when modifying FIX messages. A Burp extension called "Fixer Upper" was created to simplify FIX message interception and modification.
- Tim Carrington
- 3 Aug 2021
Playing with PuTTY
This article explores techniques for manipulating PuTTY's source code and session sharing mechanism to capture credentials and execute remote commands. Multiple methods are demonstrated for backdooring PuTTY, including capturing user commands, stealing authentication details, and hijacking SSH sessions through named pipe communications. The techniques provide creative approaches for bypassing security controls during adversarial simulations without traditional keylogging methods.
- 28 Apr 2021
Attack Detection Fundamentals 2021: Azure - Lab #1
This article demonstrates a consent phishing attack in Azure, showing how an attacker can trick a user into granting malicious application permissions to access sensitive resources. The walkthrough covers setting up a lab environment using Terraform, deploying Azure resources, and using the O365 Attack Toolkit to generate a phishing link. Azure AD audit logs are explored to detect the attack and understand the permissions granted during the consent phishing process.
- 28 Apr 2021
Attack Detection Fundamentals 2021: Azure - Lab #2
An Azure security lab demonstrated privilege escalation by exploiting insecure Logic App workflow configurations. By leveraging a service principal with Reader permissions, sensitive credentials embedded in clear text were discovered. The attack allowed escalation from Reader to Contributor-level access in the Azure resource group.
- 28 Apr 2021
Attack Detection Fundamentals 2021: Azure - Lab #3
This article demonstrates a stealthy method of data collection from an Azure VM by creating a snapshot of a target VM's disk and mounting it to an attack VM. The technique allows accessing sensitive information without directly interacting with the original VM, minimizing detection risks. The lab concludes by highlighting the importance of monitoring Azure activity logs for detecting such lateral movement techniques.
- Jake LaBelle
- 27 Apr 2021
Heavy Metal Debugging
This article provides a detailed walkthrough of reverse engineering and debugging techniques on IBM zOS using the TSO TEST debugger. A vulnerable C program with a buffer overflow vulnerability is analyzed through low-level assembly language examination. The guide covers compiling, running, and debugging a sample program on the zOS mainframe environment, demonstrating techniques for finding passwords and exploiting buffer overflow vulnerabilities.
- Alfie Champion
- 21 Apr 2021
Attack Detection Fundamentals 2021: AWS - Lab #1
This article demonstrates AWS attack detection fundamentals through a lab exploring IAM reconnaissance techniques. The lab uses a deliberately misconfigured AWS environment to show how an attacker might enumerate user permissions using AWS CLI and CloudTrail log analysis with Athena. The walkthrough highlights the risks of overly permissive IAM policies and the importance of monitoring user activities in cloud environments.
- Alfie Champion
- 21 Apr 2021
Attack Detection Fundamentals 2021: AWS - Lab #2
This article details an AWS security lab demonstrating how an attacker can add an access key and login profile to a compromised user account. The lab explores using Pacu to create additional AWS credentials and gain web console access. CloudTrail log analysis reveals key detection indicators, including changes in user agent and console login without multi-factor authentication.
- Alfie Champion
- 21 Apr 2021
Attack Detection Fundamentals 2021: AWS - Lab #3
This article details an AWS security lab demonstrating an attack scenario involving unauthorized S3 bucket access. The walkthrough covers exfiltrating customer data, modifying user permissions, and deleting files in an S3 bucket. Detection methods using CloudTrail and S3 access logs are explored to track malicious activities and understand the attack's forensic evidence.
- Calum Hall Luke Roberts
- 14 Apr 2021
Attack Detection Fundamentals 2021: macOS - Lab #1
This article explores macOS attack detection fundamentals using the Mythic post-exploitation framework. It demonstrates initial access via Office macros, persistence techniques using LaunchAgents, and sandbox breakout methods. The focus is on detecting malicious process trees and understanding macOS security mechanisms through practical attack scenarios.
- Calum Hall Luke Roberts
- 14 Apr 2021
Attack Detection Fundamentals 2021: macOS - Lab #2
This article explores LaunchAgent persistence techniques on macOS, demonstrating how attackers can abuse system functionality to maintain access. Detection methods using Endpoint Security Framework and osquery are discussed to identify suspicious LaunchAgent behavior. Key strategies include monitoring file creation events and analyzing unsigned binaries executed by LaunchAgents.
- Calum Hall Luke Roberts
- 14 Apr 2021
Attack Detection Fundamentals 2021: macOS - Lab #3
This article explores a macOS attack technique that bypasses Apple's Transparency, Consent & Control (TCC) security mechanism. The attack leverages SSH's full disk access to directly modify the TCC database, allowing unauthorized access to protected system resources. Detection methods are demonstrated, focusing on monitoring local SSH connections and direct database modifications.