Critical Outlook Vulnerability: In-Depth Technical Analysis and Recommendations (CVE-2023-23397)

March 17, 2023
By in Incident Response, Incident Response & Forensics, Purple Team Adversarial Detection & Countermeasures, Research, Vulnerability Assessment

Threat Overview Earlier this week, Microsoft released a patch for Outlook vulnerability CVE-2023-23397, which has been actively exploited for almost an entire year. This exploit has caught the attention of a hacking group linked to Russian military intelligence that is using it to target European organizations. CVE-2023-23397 allows threat actors to steal NTLM credentials of…

Read

Red vs. Blue: Kerberos Ticket Times, Checksums, and You!

March 14, 2023
By in Incident Response, Incident Response & Forensics, Penetration Testing, Purple Team Adversarial Detection & Countermeasures, Threat Hunting

This blog post was co-authored with Charlie Clark of Semperis. 1    Introduction At SANS Pen Test HackFest 2022, Charlie Clark (@exploitph) and I presented our talk ‘I’ve Got a Golden Twinkle in My Eye‘ whereby we built and demonstrated two tools that assist with more accurate detection of forged tickets being used. Although we demonstrated…

Read
TrustedSec Security Blog OneNote Malware Analysis

New Attacks, Old Tricks: How OneNote Malware is Evolving

January 31, 2023
By in Incident Response, Incident Response & Forensics, Malware Analysis, Office 365 Security Assessment, Purple Team Adversarial Detection & Countermeasures, Threat Hunting

1    Analysis of OneNote Malware A lot of information has been circulating regarding the distribution of malware through OneNote, so I thought it would be fun to look at a sample. It turns out there are a lot of similarities between embedding malicious code into a OneNote document and the old macro/VBA techniques for Office…

Read

A LAPS(e) in Judgement

January 10, 2023
By in Active Directory Security Review, Incident Response, Incident Response & Forensics, Penetration Testing, Program Assessment & Compliance, Purple Team Adversarial Detection & Countermeasures, Security Program Assessment, Security Testing & Analysis, Threat Hunting

As security practitioners, we live in a time where there is an abundance of tools and solutions to help us secure our homes, organizations, and critical data. We know the dangers of unpatched applications and devices as well as the virtues of things like password managers and encrypted databases to protect our passwords and other…

Read

The Art of Bypassing Kerberoast Detections with Orpheus

November 17, 2022
By in Penetration Testing, Purple Team Adversarial Detection & Countermeasures, Red Team Adversarial Attack Simulation, Research, Security Testing & Analysis

Back in May of 2018, I wrote a blog post detailing the steps I took to detect Kerberoast (T1558.003) attacks. This research allowed us to help organizations build a detection for when a threat actor requests the Kerberos ticket for accounts with a service principal name established. In this blog post, I am going to…

Read

I Wanna Go Fast, Really Fast, like (Kerberos) FAST

September 20, 2022
By in Active Directory Security Review, Penetration Testing, Purple Team Adversarial Detection & Countermeasures, Red Team Adversarial Attack Simulation, Research, Security Testing & Analysis

1    Introduction At TrustedSec, we weigh an information security program’s ability to defend against a single specified attack by measuring detection, deflection, and deterrence. Now while a majority of my blog posts have been concentrated around detection this post is more ‘deterrence’ focused. I first heard about Kerberos FAST from Steve Syfuhs (@SteveSyfuhs) of Microsoft…

Read

Detection and Alerting: Selecting a SIEM

September 2, 2022
By in Endpoint Hygiene Automation, Incident Response, Incident Response & Forensics, Penetration Testing, Program Assessment & Compliance, Program Development, Purple Team Adversarial Detection & Countermeasures, Security Testing & Analysis

Summary Basic SIEM requirements should be in place to create mature detections for a variety of log sources, including network logs, system logs, and application logs (including custom applications). This focuses on Security Operations and does not include the engineering side of SIEM management, e.g., licensing, hardware/cloud requirements, retention needs, etc. Each component of the…

Read

Splunk SPL Queries for Detecting gMSA Attacks

May 20, 2022
By in Active Directory Security Review, Incident Response, Incident Response & Forensics, Penetration Testing, Program Assessment & Compliance, Purple Team Adversarial Detection & Countermeasures, Security Testing & Analysis, Threat Hunting

1    Introduction What is a group Managed Service Account (gMSA)? If your job is to break into networks, a gMSA can be a prime target for a path to escalate privileges, perform credential access, move laterally or even persist in a domain via a ‘golden’ opportunity. If you’re an enterprise defender, it’s something you need…

Read

g_CiOptions in a Virtualized World

May 2, 2022
By in Penetration Testing, Purple Team Adversarial Detection & Countermeasures, Red Team Adversarial Attack Simulation, Research, Security Testing & Analysis

With the leaking of code signing certificates and exploits for vulnerable drivers becoming common occurrences, adversaries are adopting the kernel as their new playground. And with Microsoft making technologies like Virtualization Based Security (VBS) and Hypervisor Code Integrity (HVCI) available, I wanted to take some time to understand just how vulnerable endpoints are when faced…

Read

An ‘Attack Path’ Mapping Approach to CVEs 2021-42287 and 2021-42278

January 6, 2022
By in Active Directory Security Review, Incident Response, Incident Response & Forensics, Penetration Testing, Program Assessment & Compliance, Purple Team Adversarial Detection & Countermeasures, Security Testing & Analysis, Threat Hunting

1.0 Introduction On Friday, December 10, 2021, Charlie Clark (@exploitph) published a blog post detailing the weaponization of CVEs 2021-42287 and 2021-42278. In the blog post, Charlie extensively covered the background of the vulnerabilities, how the vulnerabilities were weaponized into Rubeus, with help from Ceri Coburn (@_EthicalChaos_), the full ‘attack chain,’ mitigations, and some detections….

Read

  • Search the blog

  • Search by Author

  • Browse by date

  • Browse by Category

  • Clear Form