TrustedSec Security Blog - Operators Guide to Meterpreter BOFloader

Operator’s Guide to the Meterpreter BOFLoader

January 24, 2023

1.1      Introduction Recently, myself and a few friends decided to port my coworker Kevin Haubris‘ COFFLoader project to Metasploit. This new BOFLoader extension allows Beacon Object Files (BOFs) to be used from a Meterpreter session. This addition unlocks many new possibilities for Meterpreter and, in my opinion, elevates Meterpreter back up to the status of…

Read

A LAPS(e) in Judgement

January 10, 2023

As security practitioners, we live in a time where there is an abundance of tools and solutions to help us secure our homes, organizations, and critical data. We know the dangers of unpatched applications and devices as well as the virtues of things like password managers and encrypted databases to protect our passwords and other…

Read

Looting iOS App’s Cache.db

December 1, 2022

Insecure By Default Mobile application assessments diverge somewhat from normal web application assessments as there is an installed client application on a local device to go along with the backend server. Mobile applications can often work offline, and thus have a local store of data. This is commonly in the form of SQLite databases stored…

Read

The Art of Bypassing Kerberoast Detections with Orpheus

November 17, 2022

Back in May of 2018, I wrote a blog post detailing the steps I took to detect Kerberoast (T1558.003) attacks. This research allowed us to help organizations build a detection for when a threat actor requests the Kerberos ticket for accounts with a service principal name established. In this blog post, I am going to…

Read

Windows Processes, Nefarious Anomalies, and You: Threads

November 3, 2022

In part 1 of this blog mini-series, we looked at memory regions and analyzed them to find some potential malicious behavior. In part 2, we will do the same thing with enumerating threads. Nobody explains it better than Microsoft—here is their explanation of what a thread is: “A thread is the basic unit to which…

Read

Windows Processes, Nefarious Anomalies, and You: Memory Regions

November 1, 2022

While operating on a red team, the likelihood of an Endpoint Detection and Response (EDR) being present on a host is becoming increasingly higher than it was a few years ago. When an implant is being initiated on a host, whether it’s on-disk or loaded into memory, then there is a lot to consider. In…

Read

How to Get the Most Out of Your Pentest

October 27, 2022

TL;DR Define the goal of an assessment. Take time to choose the right assessment type. The more detail you give about an asset, the better quality your report will be. Select the right environment for the assessment. Consider the timing for performing the assessment. Communicate internally and make sure everyone is up to speed. Do…

Read

LastPass Security Vulnerability: How Credentials are Accessed in Memory

October 25, 2022

In this video, our Principal Research Analyst Scott Nusbaum goes over his research on LastPass Password Manager. He discusses how the credentials are exposed in memory to an attacker that is present on the host and is able to access the browser process. He also goes over on how LastPass could modify their extension to…

Read
A Primer on Cloud Logging TrustedSec Security Blog

A Primer on Cloud Logging for Incident Response

October 25, 2022

Overview This blog post will provide an overview of common log sources in Azure and AWS, along with associated storage and analysis options. At a high level, cloud-based incidents can be categorized into host-based compromises (that is, compromises primarily involving virtual machines hosted in the cloud) and identity-based or resource-based compromises (compromises primarily involving cloud-native…

Read

The Curious Case of the Password Database

October 20, 2022

Nowadays, password managers are king. We use password managers to secure our most sensitive credentials to a myriad of services and sites; a compromise of the password manager could prove devastating. Due to recently disclosed critical Common Vulnerabilities and Exposures (CVEs) involving ManageEngine’s Password Manager Pro software, a client came to us at TrustedSec, wondering:…

Read
  • Browse by Category

  • Clear Form