-
James Coote - 6 Oct 2020
Introducing LDAP C2 for C3
A new Command & Control (C2) channel for C3 has been introduced using LDAP for covert communication within networks. The technique enables lateral movement by leveraging user attributes with minimal account compromise. A quick start guide is provided to help deploy LDAP-based C2 channels in network environments.
- 29 Sep 2020
Application-level Purple Teaming: A case study
An application-level purple teaming approach was demonstrated using a file-sharing web application. The methodology focused on improving logging, alerting, and potential response mechanisms by systematically identifying detection gaps across enumeration and injection attack categories. The project used tools like Elasticsearch, Logstash, Kibana, and ElastAlert to enhance application security detection capabilities.
- 7 Sep 2020
Securing AEM With Dispatcher
This article explores securing Adobe Experience Manager (AEM) using Dispatcher configuration. It demonstrates how to prevent security vulnerabilities by carefully configuring Dispatcher rules to block potential exploits. The walkthrough includes identifying and mitigating Dispatcher bypasses and cross-site scripting (XSS) attacks through systematic testing and rule refinement.
- Krzysztof Pranczk
- 2 Sep 2020
N1QL Injection: Kind of SQL Injection in a NoSQL Database
N1QL injection is a vulnerability in Couchbase NoSQL databases that allows attackers to manipulate database queries. An open-source tool called N1QLMap was developed to automate N1QL injection testing and exploitation. The tool enables data extraction, system information retrieval, and server-side request forgery (SSRF) attacks through specialized query techniques.
- 27 Aug 2020
Exploiting CVE-2019-17026 - A Firefox JIT Bug
A detailed technical analysis of a critical vulnerability (CVE-2019-17026) in Firefox's SpiderMonkey JIT compiler was presented. The vulnerability involves type confusion and bounds check elimination in the IonMonkey JIT compilation process. The article explores how carefully crafted JavaScript can exploit interactions between multiple compilation chains to bypass JIT compiler safeguards and potentially execute arbitrary code.
- Alfie Champion
- 15 Jul 2020
Attack Detection Fundamentals: C2 and Exfiltration - Lab #1
This article demonstrates detection techniques for PowerShell Empire's Command and Control (C2) traffic. Network indicators like default URIs, user agents, and server responses are analyzed to identify potential malicious communication patterns. A Snort rule is developed to detect these specific network traffic characteristics associated with PowerShell Empire.
- Alfie Champion Jordan LaRose
- 15 Jul 2020
Attack Detection Fundamentals: C2 and Exfiltration - Lab #2
This article demonstrates techniques for detecting DNS Command and Control (C2) channels using the dnscat2 tool. Detection strategies include analyzing DNS traffic for unique strings like "dnscat", unusual request sizes, and uncommon DNS record types. Practical Snort rule examples are provided to identify potential DNS-based exfiltration and C2 communication.
- Alfie Champion
- 15 Jul 2020
Attack Detection Fundamentals: C2 and Exfiltration - Lab #3
This article explores using Dropbox as a command and control (C2) channel for malware communication. Detection strategies are discussed using Windows ETW and Sysmon telemetry, focusing on identifying suspicious network behaviors like anomalous DNS queries and API endpoint interactions. Key detection opportunities include monitoring beaconing patterns and unusual web requests to Dropbox API endpoints.
- 15 Jul 2020
The Fake Cisco
An IT company discovered hardware failures in suspected counterfeit Cisco Catalyst 2960-X network switches. F-Secure's Hardware Security team investigated the devices and identified an undocumented vulnerability that bypasses Secure Boot restrictions. The investigation concluded with reasonable confidence that no intentional backdoors were present in the counterfeit hardware.
- Alfie Champion
- 8 Jul 2020
Attack Detection Fundamentals: Discovery and Lateral Movement - Lab #1
This article explores attack detection techniques for discovering valuable users in an Active Directory environment. It demonstrates methods for identifying kerberoastable and AS-REP roastable users through LDAP queries using tools like Rubeus and SharpSploit. Event Tracing for Windows (ETW) logging is used to capture and analyze reconnaissance activities in a cybersecurity lab setting.
- Alfie Champion
- 8 Jul 2020
Attack Detection Fundamentals: Discovery and Lateral Movement - Lab #2
This article explores techniques for detecting file share enumeration and lateral movement in Windows environments. The lab demonstrates how to use Event Tracing for Windows (ETW) and Windows Event Logs to identify suspicious LDAP queries and file share access patterns. Specific focus is placed on using SharpShares to discover exposed file shares and detect potential security risks, including analysis of Group Policy Preference files.
- Alfie Champion
- 8 Jul 2020
Attack Detection Fundamentals: Discovery and Lateral Movement - Lab #3
This article explores lateral movement techniques using C3 and Covenant to pivot through file shares in a Windows environment. The lab demonstrates detection strategies by analyzing file share access logs and Event Tracing for Windows (ETW) events to identify suspicious .NET module loading and communication patterns. Key detection techniques include monitoring file share object access logs and tracking anomalous CLR module loading in processes.