You might have seen articles on some of the security news sites reporting that a security researcher discovered a method to stop certain ransomware samples from running, including Thanos, Conti, REvil etc. The method in question is known as DLL Hijacking and I thought it would be a great opportunity to talk about it in a little more detail, its limitations and how a blue team could leverage it in order to add another layer of security.
Continue reading Ransomware DLL Hijacking & “The Canary DLL”
Author: hqwfjs
DNSCat2 Using Azure & GoDaddy
C2 Covert Channels
Today we’re exploring the world of obscure C2 channels, specifically DNS covert channels. Attackers know that DNS is widely used and trusted. Furthermore, because DNS is not intended for data transfer, many organisations don’t monitor their DNS traffic for malicious activity. As a result, a number of types of DNS-based attacks can be effective if launched against company networks. DNS tunnelling is one such attack.
Continue reading DNSCat2 Using Azure & GoDaddy
PetitPotam + AD-CS + Rubeus
Summary Of The Attack:
- Get the DC machine account to connect back to you while you have an NTLM relay set up
- Use the NTLM relay to connect to the certificate services server to obtain a certificate under the context of the machine account for the DC
- With a standard domain user, use Rubeus to request a TGT using the certificate obtained for the DC's machine account
- With the Kerberos ticket imported, dump the hashes using Mimikatz via a DCSync attack
PrintNightmare – CVE-2021-34527
Overview
CVE-2021-34527 (dubbed PrintNightmare) is a remote code execution vulnerability that affects the Windows Print Spooler service on all Windows operating systems. The vulnerability is trivial to exploit, as all an attacker requires are low-privileged credentials, either on the domain or on the target host, and network line of sight to that host.
Continue reading PrintNightmare – CVE-2021-34527
CISSP – Exam Prep & Guide
Hey all, thought I would share my notes for the CISSP certification if anyone was thinking of taking it. Certainly one of the big boy exams within the industry and certainly one that should be taken into consideration regardless of what area of Cyber Security you work in/plan to work in.
Continue reading CISSP – Exam Prep & Guide
CySA+ (Version 2) – Guide for 2021
I recently took the CySA+ exam (version 2) and thought it would be useful to share my thoughts on it. From my experience I felt the CySA+ exam is one of the best exams I’ve encountered that is specifically tailored towards Cyber Security Analysts working within a Security Operations Centre. Literally everything I came across while preparing for the exam would (at least in my opinion) be something I encountered as an analyst. I would 100% recommend giving it a go if you are thinking of it.
Continue reading CySA+ (Version 2) – Guide for 2021
Installing Nethunter on OnePlus 3T – 2020
I had an old OnePlus 3T kicking around and was bored one day and wanted to test out NetHunter. I was delighted to find that there was an official build of Nethunter for the OnePlus 3T. What I didn’t anticipate was the hell I would be facing with this project.
Continue reading Installing Nethunter on OnePlus 3T – 2020
Using FileBeat with GrayLog
We can use FileBeat as the log collector for our newly created GrayLog server. FileBeat can be installed on any system from which we want logs to be pushed.
Continue reading Using FileBeat with GrayLog
Installing GrayLog on Azure
Introduction
GrayLog is a powerful open source SIEM solution. When hosting it within Azure there are additional parameters that need to be changed to get it to work. If you are testing the solution it might be worth using a site such as azureprice.net to find the best price based on the location and your size requirements.
Continue reading Installing GrayLog on Azure
Metadata & Hidden Information Within Documents [FOCA] (Repost)
Document metadata is information attached to a file that may not be visible on the face of the document; documents may also contain supporting elements such as graphic images, photographs, tables and charts, each of which can have its own metadata. Metadata summarises basic information about data, which can make finding and working with particular instances of data easier. Having the ability to filter through that metadata makes it much easier for someone to locate a specific document or other data asset in a variety of different ways.
Continue reading Metadata & Hidden Information Within Documents [FOCA] (Repost)