See how Research Team Lead Carlos Perez dissects a sample of a OneNote document that was used to deploy ASyncRAT, an open-source remote admin tool, to enable phishing attacks. You’ll find out how these OneNote files are now being used by threat actors and where to find the location that ASyncRAT is being downloaded and…
Read
1 Analysis of OneNote Malware A lot of information has been circulating regarding the distribution of malware through OneNote, so I thought it would be fun to look at a sample. It turns out there are a lot of similarities between embedding malicious code into a OneNote document and the old macro/VBA techniques for Office…
Read
1.1 Introduction Recently, myself and a few friends decided to port my coworker Kevin Haubris‘ COFFLoader project to Metasploit. This new BOFLoader extension allows Beacon Object Files (BOFs) to be used from a Meterpreter session. This addition unlocks many new possibilities for Meterpreter and, in my opinion, elevates Meterpreter back up to the status of…
Read
As security practitioners, we live in a time where there is an abundance of tools and solutions to help us secure our homes, organizations, and critical data. We know the dangers of unpatched applications and devices as well as the virtues of things like password managers and encrypted databases to protect our passwords and other…
Read
tl;dr Communications are critical during an incident. If you cannot coordinate, collaborate, and inform actions and information about an incident, the incident response will eventually fail. Normally, this isn’t an issue, as organizations have resources like Microsoft 365 email, SharePoint, Slack, and Teams to use to communicate with each other. However, what happens when those…
Read
While working at TrustedSec, I was issued a new company-furnished laptop to work from. While the Mac OS environment was useful, I found it useful to also setup an Ubuntu virtual machine. One reason is so I can have access to a Linux host that is very similar to the garden variety of Linux systems…
Read
Business Email Compromise (BEC) within the Microsoft 365 environment is becoming a more common attack vector. In case you’re unfamiliar with what exactly BEC entails, it’s when an attacker or unauthorized user gains access to a business email account via social engineering. Most commonly, an attacker compromises an account, intercepts email conversation(s), and uses this…
Read
Overview This blog post will provide an overview of common log sources in Azure and AWS, along with associated storage and analysis options. At a high level, cloud-based incidents can be categorized into host-based compromises (that is, compromises primarily involving virtual machines hosted in the cloud) and identity-based or resource-based compromises (compromises primarily involving cloud-native…
Read
In the first Back to Basics blog we discussed cyber hygiene and some fundamental security practices one can take to quickly assess their current cybersecurity posture and identify, prioritize, and mitigate visibility gaps. This post focuses on account management measures and how proactive identification and regulation can drastically elevate your security posture. Routine cyber hygiene…
Read
A tabletop exercise (TTX) measures more than an organization’s technical capabilities and adherence to an incident response plan—it facilitates the confluence of personalities and team cultures, in turn revealing friction not only in processes but also in team dynamics. The success of an organization’s response in both a TTX scenario and, more importantly, a real-world…
Read