Showing Posts From
July 2020
-
Alfie Champion - 15 Jul 2020
Attack Detection Fundamentals: C2 and Exfiltration - Lab #1
This article demonstrates detection techniques for PowerShell Empire's Command and Control (C2) traffic. Network indicators like default URIs, user agents, and server responses are analyzed to identify potential malicious communication patterns. A Snort rule is developed to detect these specific network traffic characteristics associated with PowerShell Empire.
- Alfie Champion Jordan LaRose
- 15 Jul 2020
Attack Detection Fundamentals: C2 and Exfiltration - Lab #2
This article demonstrates techniques for detecting DNS Command and Control (C2) channels using the dnscat2 tool. Detection strategies include analyzing DNS traffic for unique strings like "dnscat", unusual request sizes, and uncommon DNS record types. Practical Snort rule examples are provided to identify potential DNS-based exfiltration and C2 communication.
- Alfie Champion
- 15 Jul 2020
Attack Detection Fundamentals: C2 and Exfiltration - Lab #3
This article explores using Dropbox as a command and control (C2) channel for malware communication. Detection strategies are discussed using Windows ETW and Sysmon telemetry, focusing on identifying suspicious network behaviors like anomalous DNS queries and API endpoint interactions. Key detection opportunities include monitoring beaconing patterns and unusual web requests to Dropbox API endpoints.
- Dmitry Janushkevich
- 15 Jul 2020
The Fake Cisco
An IT company discovered hardware failures in suspected counterfeit Cisco Catalyst 2960-X network switches. F-Secure's Hardware Security team investigated the devices and identified an undocumented vulnerability that bypasses Secure Boot restrictions. The investigation concluded with reasonable confidence that no intentional backdoors were present in the counterfeit hardware.
- Alfie Champion
- 8 Jul 2020
Attack Detection Fundamentals: Discovery and Lateral Movement - Lab #1
This article explores attack detection techniques for discovering valuable users in an Active Directory environment. It demonstrates methods for identifying kerberoastable and AS-REP roastable users through LDAP queries using tools like Rubeus and SharpSploit. Event Tracing for Windows (ETW) logging is used to capture and analyze reconnaissance activities in a cybersecurity lab setting.
- Alfie Champion
- 8 Jul 2020
Attack Detection Fundamentals: Discovery and Lateral Movement - Lab #2
This article explores techniques for detecting file share enumeration and lateral movement in Windows environments. The lab demonstrates how to use Event Tracing for Windows (ETW) and Windows Event Logs to identify suspicious LDAP queries and file share access patterns. Specific focus is placed on using SharpShares to discover exposed file shares and detect potential security risks, including analysis of Group Policy Preference files.
- Alfie Champion
- 8 Jul 2020
Attack Detection Fundamentals: Discovery and Lateral Movement - Lab #3
This article explores lateral movement techniques using C3 and Covenant to pivot through file shares in a Windows environment. The lab demonstrates detection strategies by analyzing file share access logs and Event Tracing for Windows (ETW) events to identify suspicious .NET module loading and communication patterns. Key detection techniques include monitoring file share object access logs and tracking anomalous CLR module loading in processes.
- Alfie Champion
- 8 Jul 2020
Attack Detection Fundamentals: Discovery and Lateral Movement - Lab #4
This article explores lateral movement techniques using PsExec in Windows environments. It details detection strategies for identifying suspicious remote execution activities through Windows event logs and Sysmon telemetry. Key detection opportunities include monitoring service creation events, process creation logs, and named pipe interactions during remote command execution.
- Alfie Champion
- 8 Jul 2020
Attack Detection Fundamentals: Discovery and Lateral Movement - Lab #5
This article explores lateral movement techniques using Windows Management Instrumentation (WMI) in cybersecurity attack detection. The lab demonstrates detection strategies for both native WMIC commands and Impacket's wmiexec tool. Key detection opportunities include analyzing process creation events, network traffic patterns, and examining parent-child process relationships during WMI-based lateral movement attacks.
- 3 Jul 2020
Attack Detection Fundamentals: Code Execution and Persistence - Lab #1
This article details a cybersecurity lab simulating the Astaroth malware attack chain using Living-off-the-Land (LOLBins) techniques. The lab demonstrates how attackers can exploit Windows utilities like BITSAdmin and ExtExport.exe, along with Alternate Data Streams, to stealthily download and execute malware. Multiple detection strategies are explored, including Sigma rules, event log analysis, and tools like Sysmon for identifying these sophisticated attack methods.
- 3 Jul 2020
Attack Detection Fundamentals: Code Execution and Persistence - Lab #2
This article explores persistence techniques used by attackers in Windows environments. Two primary methods are demonstrated: adding files to the Startup folder and modifying Windows Registry Run Keys. The guide provides technical insights into malware persistence strategies and detection approaches for cybersecurity professionals.
- 3 Jul 2020
Helping root out of the container
A container breakout technique exploits AF_LOCAL sockets to smuggle file descriptors into a container. By passing a file descriptor for the root directory, a root user within the container can modify files outside its mount namespace. This attack demonstrates how root access in a container can compromise intended security isolation boundaries.