Ransomware DLL Hijacking & “The Canary DLL”

You might have seen articles on some of the security news sites reporting that a security researcher discovered a method to stop certain ransomware samples from running, including Thanos, Conti, REvil and others. The method in question is known as DLL hijacking, and I thought it would be a good opportunity to discuss it in a little more detail: how it works, its limitations, and how a blue team could leverage it to add another layer of defence.

DNSCat2 Using Azure & GoDaddy

C2 Covert Channels

Today we’re exploring the world of obscure C2 channels, specifically DNS covert channels. Attackers know that DNS is widely used and trusted. Furthermore, because DNS is not intended for data transfer, many organisations don’t monitor their DNS traffic for malicious activity. As a result, several types of DNS-based attacks can be effective against company networks, and DNS tunnelling is one of them.

PetitPotam + AD-CS + Rubeus

Summary Of The Attack:

  • Coerce the DC machine account into connecting back to you while you have an NTLM relay set up
  • Use the NTLM relay to connect to the certificate services server and obtain a certificate in the context of the DC’s machine account
  • As a standard domain user, use Rubeus to request a TGT with the certificate obtained for the DC’s machine account
  • With the Kerberos ticket imported, dump the hashes using Mimikatz via a DCSync attack

PrintNightmare – CVE-2021-34527

Overview

CVE-2021-34527 (dubbed PrintNightmare) is a remote code execution vulnerability affecting the Windows Print Spooler service on all Windows operating systems. The vulnerability is trivial to exploit: all an attacker needs are low-privilege credentials, either on the domain or on the target host, and network line of sight to that host.

CySA+ (Version 2) – Guide for 2021

I recently took the CySA+ exam (version 2) and thought it would be useful to share my thoughts on it. From my experience I felt the CySA+ exam is one of the best exams I’ve encountered that is specifically tailored towards Cyber Security Analysts working within a Security Operations Centre. Literally everything I came across while preparing for the exam would (at least in my opinion) be something I encountered as an analyst. I would 100% recommend giving it a go if you are thinking of it.

Metadata & Hidden Information Within Documents [FOCA] (Repost)

Document metadata is information attached to a file that may not be visible on the face of the document; documents may also contain supporting elements such as graphic images, photographs, tables and charts, each of which can have its own metadata. Metadata summarises basic information about data, which can make finding and working with particular instances of data easier. Having the ability to filter through that metadata makes it much easier for someone to locate a specific document or other data asset in a variety of different ways. 
