Showing Posts About

Alfie champion

Attack Detection Fundamentals 2021: AWS - Lab #1

This article demonstrates AWS attack detection fundamentals through a lab exploring IAM reconnaissance techniques. The lab uses a deliberately misconfigured AWS environment to show how an attacker might enumerate user permissions using AWS CLI and CloudTrail log analysis with Athena. The walkthrough highlights the risks of overly permissive IAM policies and the importance of monitoring user activities in cloud environments.

Attack Detection Fundamentals 2021: AWS - Lab #2

This article details an AWS security lab demonstrating how an attacker can add an access key and login profile to a compromised user account. The lab explores using Pacu to create additional AWS credentials and gain web console access. CloudTrail log analysis reveals key detection indicators, including changes in user agent and console login without multi-factor authentication.

Attack Detection Fundamentals 2021: AWS - Lab #3

This article details an AWS security lab demonstrating an attack scenario involving unauthorized S3 bucket access. The walkthrough covers exfiltrating customer data, modifying user permissions, and deleting files in an S3 bucket. Detection methods using CloudTrail and S3 access logs are explored to track malicious activities and understand the attack's forensic evidence.

Attack Detection Fundamentals 2021: Windows - Lab #1

This article details a cybersecurity workshop demonstrating advanced Windows endpoint attack techniques for initial access. An HTA-based attack method was developed that drops a DLL and uses registration-free COM activation to execute a malicious payload. The payload involves shellcode injection, AMSI bypassing, and process injection techniques targeting Windows endpoints.

Attack Detection Fundamentals 2021: Windows - Lab #2

This article explores advanced defense evasion techniques in Windows cybersecurity, focusing on API unhooking and ETW bypassing. The lab demonstrates methods attackers can use to minimize their detection footprint during endpoint attacks, such as removing API hooks and disabling event tracing. Techniques include intercepting API calls, unhooking ntdll.dll, and manipulating .NET runtime event tracing to avoid security monitoring.

Attack Detection Fundamentals 2021: Windows - Lab #3

This article explores API hooking techniques for stealing RDP credentials during Windows authentication. The lab demonstrates how API hooks can intercept plaintext login information when users connect to remote desktop sessions. Multiple methods are presented, including using Frida and RdpThief, to extract credentials from the RDP client process.

Attack Detection Fundamentals 2021: Windows - Lab #4

This article demonstrates a technique for stealing browser cookies and saved passwords from a Windows endpoint using Chlonium. The attack involves extracting Chrome's encryption keys and cookie databases to hijack web sessions. System Access Control Lists (SACLs) are explored as a method for detecting and logging sensitive file access during such attacks.

Using and detecting C2 printer pivoting

A novel Command & Control (C2) technique using printer infrastructure for covert communication is explored in this article. The method involves placing print jobs in a paused state and using document names for data transfer. Multiple detection opportunities are detailed across endpoints, networks, and print servers to identify this stealthy communication method.

Attack Detection Fundamentals: C2 and Exfiltration - Lab #1

This article demonstrates detection techniques for PowerShell Empire's Command and Control (C2) traffic. Network indicators like default URIs, user agents, and server responses are analyzed to identify potential malicious communication patterns. A Snort rule is developed to detect these specific network traffic characteristics associated with PowerShell Empire.

Attack Detection Fundamentals: C2 and Exfiltration - Lab #2

This article demonstrates techniques for detecting DNS Command and Control (C2) channels using the dnscat2 tool. Detection strategies include analyzing DNS traffic for unique strings like "dnscat", unusual request sizes, and uncommon DNS record types. Practical Snort rule examples are provided to identify potential DNS-based exfiltration and C2 communication.

Attack Detection Fundamentals: C2 and Exfiltration - Lab #3

This article explores using Dropbox as a command and control (C2) channel for malware communication. Detection strategies are discussed using Windows ETW and Sysmon telemetry, focusing on identifying suspicious network behaviors like anomalous DNS queries and API endpoint interactions. Key detection opportunities include monitoring beaconing patterns and unusual web requests to Dropbox API endpoints.

Attack Detection Fundamentals: Discovery and Lateral Movement - Lab #1

This article explores attack detection techniques for discovering valuable users in an Active Directory environment. It demonstrates methods for identifying kerberoastable and AS-REP roastable users through LDAP queries using tools like Rubeus and SharpSploit. Event Tracing for Windows (ETW) logging is used to capture and analyze reconnaissance activities in a cybersecurity lab setting.

Attack Detection Fundamentals: Discovery and Lateral Movement - Lab #2

This article explores techniques for detecting file share enumeration and lateral movement in Windows environments. The lab demonstrates how to use Event Tracing for Windows (ETW) and Windows Event Logs to identify suspicious LDAP queries and file share access patterns. Specific focus is placed on using SharpShares to discover exposed file shares and detect potential security risks, including analysis of Group Policy Preference files.

Attack Detection Fundamentals: Discovery and Lateral Movement - Lab #3

This article explores lateral movement techniques using C3 and Covenant to pivot through file shares in a Windows environment. The lab demonstrates detection strategies by analyzing file share access logs and Event Tracing for Windows (ETW) events to identify suspicious .NET module loading and communication patterns. Key detection techniques include monitoring file share object access logs and tracking anomalous CLR module loading in processes.

Attack Detection Fundamentals: Discovery and Lateral Movement - Lab #4

This article explores lateral movement techniques using PsExec in Windows environments. It details detection strategies for identifying suspicious remote execution activities through Windows event logs and Sysmon telemetry. Key detection opportunities include monitoring service creation events, process creation logs, and named pipe interactions during remote command execution.

Attack Detection Fundamentals: Discovery and Lateral Movement - Lab #5

This article explores lateral movement techniques using Windows Management Instrumentation (WMI) in cybersecurity attack detection. The lab demonstrates detection strategies for both native WMIC commands and Impacket's wmiexec tool. Key detection opportunities include analyzing process creation events, network traffic patterns, and examining parent-child process relationships during WMI-based lateral movement attacks.