Showing Posts About

Initial Access

Detecting OneNote Abuse

OneNote file formats present multiple attack vectors for threat actors to embed malicious attachments with minimal user interaction. The article explores various abuse techniques including executable attachments, living-off-the-land binaries, and right-to-left override spoofing. Detection strategies involve monitoring OneNote process operations, tracking file write events, and analyzing parent-child process relationships.

  • 28 Apr 2021

Attack Detection Fundamentals 2021: Azure - Lab #1

This article demonstrates a consent phishing attack in Azure, showing how an attacker can trick a user into granting malicious application permissions to access sensitive resources. The walkthrough covers setting up a lab environment using Terraform, deploying Azure resources, and using the O365 Attack Toolkit to generate a phishing link. Azure AD audit logs are explored to detect the attack and understand the permissions granted during the consent phishing process.

Attack Detection Fundamentals 2021: macOS - Lab #1

This article explores macOS attack detection fundamentals using the Mythic post-exploitation framework. It demonstrates initial access via Office macros, persistence techniques using LaunchAgents, and sandbox breakout methods. The focus is on detecting malicious process trees and understanding macOS security mechanisms through practical attack scenarios.

Attack Detection Fundamentals 2021: macOS - Lab #2

This article explores LaunchAgent persistence techniques on macOS, demonstrating how attackers can abuse system functionality to maintain access. Detection methods using Endpoint Security Framework and osquery are discussed to identify suspicious LaunchAgent behavior. Key strategies include monitoring file creation events and analyzing unsigned binaries executed by LaunchAgents.

  • 3 Jul 2020

Attack Detection Fundamentals: Code Execution and Persistence - Lab #1

This article details a cybersecurity lab simulating the Astaroth malware attack chain using Living-off-the-Land (LOLBins) techniques. The lab demonstrates how attackers can exploit Windows utilities like BITSAdmin and ExtExport.exe, along with Alternate Data Streams, to stealthily download and execute malware. Multiple detection strategies are explored, including Sigma rules, event log analysis, and tools like Sysmon for identifying these sophisticated attack methods.

  • 3 Jul 2020

Attack Detection Fundamentals: Code Execution and Persistence - Lab #2

This article explores persistence techniques used by attackers in Windows environments. Two primary methods are demonstrated: adding files to the Startup folder and modifying Windows Registry Run Keys. The guide provides technical insights into malware persistence strategies and detection approaches for cybersecurity professionals.

Attack Detection Fundamentals: Initial Access - Lab #1

This article demonstrates a technique for establishing initial access in a target environment using malicious Office macros. The lab walkthrough covers creating a PowerShell-based command and control payload embedded in a macro document. Detection strategies are explored through parent-child process analysis and Sysmon event log examination, with a focus on identifying anomalous process spawning from Office applications.

Attack Detection Fundamentals: Initial Access - Lab #2

This article explores attack detection techniques for initial access using the Koadic post-exploitation framework deployed via an HTA file. The lab focuses on identifying suspicious process and network connection relationships using Sysmon event logs. Key objectives include detecting anomalous binaries and network connections as potential indicators of compromise.

Attack Detection Fundamentals: Initial Access - Lab #3

This article details a multi-stage initial access attack technique used by the Cobalt Kitty group involving a malicious Word macro. The attack creates a scheduled task to execute an obfuscated PowerShell payload that ultimately injects a Cobalt Strike beacon into memory. The walkthrough explores detailed steps of crafting a beacon delivery mechanism while highlighting potential detection strategies.

Attack Detection Fundamentals: Initial Access - Lab #4

This article demonstrates creating a malicious Excel 4.0 Macro with Metasploit shellcode to obtain remote access on a Windows system. The lab walks through generating a Meterpreter payload, setting up a Metasploit listener, and executing the malicious macro. Memory forensics techniques using Volatility are explored to analyze the compromised host and detect stealthy code injection methods.

AutoCAD - Designing a Kill Chain

A detailed analysis of potential cybersecurity vulnerabilities in AutoCAD reveals multiple attack vectors across the cyber kill chain. The research demonstrates how malicious actors can exploit AutoCAD's features like ActionMacros, AutoLisp scripts, and remote text functionality to gain code execution, establish persistence, and perform lateral movement. Multiple attack techniques were identified that could potentially compromise users in high-value industries through targeted AutoCAD-specific exploitation methods.

DLL Tricks with VBA to Improve Offensive Macro Capability

This article explores advanced VBA macro techniques for bypassing security controls using DLLs. Two key techniques are presented: executing remote COM scriptlets without regsvr32 and storing malicious DLLs as seemingly legitimate Office files. These methods enable attackers to execute payloads while evading traditional security detection mechanisms.

One Template To Rule 'Em All

A presentation explored how Microsoft Office VBA and templates can be exploited as a persistent malware delivery mechanism. The talk demonstrated vulnerabilities in locked-down environments through a proof-of-concept tool called WePWNise. VBA-enabled files remain an attractive attack vector due to business requirements and human factors in targeted attacks.