1 Introduction At TrustedSec, we weigh an information security program’s ability to defend against a single specified attack by measuring detection, deflection, and deterrence. Now while a majority of my blog posts have been concentrated around detection this post is more ‘deterrence’ focused. I first heard about Kerberos FAST from Steve Syfuhs (@SteveSyfuhs) of Microsoft…
Read
Unauthenticated JavaScript Fun In prior blog posts I’ve shown the types of weaponized XSS attacks one can perform against authenticated users, using their session to access and exfiltrate data, or perform actions in the application as that user. But what if you only have unauthenticated XSS? Perhaps your client hasn’t provided you with credentials to…
Read
This blog post was co-authored with Charlie Clark at Semperis 1.1 Background of the ‘Diamond’ Attack One day, while browsing YouTube, we came across an older presentation from Blackhat 2015 by Tal Be’ery and Michael Cherny. In their talk, and subsequent brief, WATCHING THE WATCHDOG: PROTECTING KERBEROS AUTHENTICATION WITH NETWORK MONITORING, they outlined something we…
Read
One of the more common questions we receive during a red team scoping call or RFP Q&A call is, how many dedicated consultants will be involved in the assessment? There is no “correct” answer to this question, and ultimately, the answer as to how red team engagements are staffed comes down to how the consultancy…
Read
I was on an engagement where I simply could not elevate privileges, so I had to become creative and look deep into my old bucket (bucket being my head) of knowledge, and this resulted in some fun stuff. I had found that the client had a vulnerable certificate template also known as ESC1 that allowed…
Read
With the leaking of code signing certificates and exploits for vulnerable drivers becoming common occurrences, adversaries are adopting the kernel as their new playground. And with Microsoft making technologies like Virtualization Based Security (VBS) and Hypervisor Code Integrity (HVCI) available, I wanted to take some time to understand just how vulnerable endpoints are when faced…
Read
XSS Iframe Traps Longer Running XSS Payloads An issue with cross-site scripting (XSS) attacks is that our injected JavaScript might not run for an extended period of time. It may be a reflected XSS vulnerability where we’ve tricked our user into clicking a link, but when they land on the page where we were able…
Read
This week, I dusted off my reading list and saw that I’d previously bookmarked an interesting article about the introduction of SMB over QUIC. The article from Microsoft showed that Windows was including support for SMB to be used over the QUIC protocol, which should immediately spark interest for anyone who includes SMB attacks as…
Read
When investigating my laptop, I stumbled upon something interesting that resulted in privilege escalation. I use a Lenovo ThinkPad X1 Extreme Gen 1, which has an installed software named Glance, for my day-to-day work. The purpose of this software is to use the advanced web camera to figure out if you are speaking when the…
Read
Introduction When doing an Internal Penetration Test, it is not uncommon to run BloodHound at one point or another. In case you are not familiar with BloodHound, it’s a tool that automatically fires off a bunch of LDAP queries and Windows API calls to collect various data in an Active Directory environment. Data can range…
Read