1 Introduction What is a group Managed Service Account (gMSA)? If your job is to break into networks, a gMSA can be a prime target for a path to escalate privileges, perform credential access, move laterally or even persist in a domain via a ‘golden’ opportunity. If you’re an enterprise defender, it’s something you need…
Read
On March 29, 2022, a security researcher with the handle p1n93r disclosed a Spring Framework remote code execution (RCE) vulnerability, which was archived by vx-underground. This vulnerability, known as Spring4Shell, affects applications that use JDK v9 or above that run Apache Tomcat as the Servlet Container in a WAR package and use dependencies of the…
Read
Opening Hopefully you all were able to read our recent Threat Hunting whitepaper and had the chance to listen to our latest Threat Hunting webinar. These references should be used as the foundation of information, which leads us into the next journey: how to build out your first Threat Hunt. Building out an organization’s Threat…
Read
TrustedSec’s Incident Response Team sent urgent communications to all IR retainer clients after the discovery of the compromise of Okta. Below are the recommendations provided with additional updates after reviewing more information on 03/23/2022. On March 22, 2022, the threat group LAPSUS$ announced a successful compromise of Okta, a heavily used identity and access management…
Read
Every day, new challenges, attacks, and vulnerabilities are publicized. Just as attackers and the threat landscape are constantly changing, adapting, and evolving, so too must the Blue Teams and defenders who protect organizations against these threats. While the old adage may have been that attacks are rare and unlikely to happen, a new mentality of…
Read
I briefly mentioned using DKIM to verify an email’s sender in a previous blog post that described the steps I took to determine whether a suspicious email was legitimate or a phishing attempt. In this post, we will take a deeper dive into how organizations can help stop email spoofing using a combination of three…
Read
I briefly mentioned how easy it is to forge email sender addresses in a previous blog post that described the steps I took to determine whether a suspicious email was legitimate or a phishing attempt. In this post, we will take a deeper dive into why email sender addresses are so easy to forge and…
Read
1.0 Introduction On Friday, December 10, 2021, Charlie Clark (@exploitph) published a blog post detailing the weaponization of CVEs 2021-42287 and 2021-42278. In the blog post, Charlie extensively covered the background of the vulnerabilities, how the vulnerabilities were weaponized into Rubeus, with help from Ceri Coburn (@_EthicalChaos_), the full ‘attack chain,’ mitigations, and some detections….
Read
On December 09, 2021, a severe vulnerability for Apache Log4j was released (CVE-2021-44228). This vulnerability, also known as Log4Shell, allows remote code execution in many applications through web requests and without authentication. Almost immediately, many attackers on the Internet began to scan and exploit this vulnerability. This is meant to provide guidelines and recommendations on…
Read
Let’s see, it looks like your organization just met an annual Threat Hunting assessment compliance requirement or achieved the introductory objective of experiencing a formal Threat Hunting assessment. Well done! Now, what should the organization take into consideration after successfully completing the assessment? Once a third-party Threat Hunting assessment concludes, many organizations may feel overwhelmed…
Read