NetScaler Honeypot

January 13, 2020

The Citrix NetScaler remote code execution vulnerability (CVE-2019-19781) has been a pretty popular topic over the last few weeks. Once public exploits of the vulnerability started to appear in the wild, TrustedSec deployed a Citrix NetScaler honeypot. We did not have to wait long for the attacks to begin. Less than 24 hours after deployment,…

Read

NetScaler Remote Code Execution Forensics

January 10, 2020

With the recent Citrix ADC (NetScaler) CVE-2019-19781 Remote Code Execution vulnerability, the TrustedSec Incident Response team has been working closely with our offensive and research teams as they created a working exploit. This has allowed us to create a list of locations and indicators to search for on potentially compromised Citrix ADC hosts. Based on…

Read

Critical Exposure in Citrix ADC (NetScaler) – Unauthenticated Remote Code Execution

January 10, 2020

On December 17, 2019, Citrix released a critical advisory that allows for remote code execution. Advisories like these come out often for organizations, and critical exposures are nothing new for any company. However, when digging into the remediation step details, this advisory gave a substantial amount of information on the exploit itself. What makes this…

Read

Rekt by the REX

January 9, 2020

The request-to-exit (REX) passive infrared (PIR) sensor. You know the one. Spray canned air or smoke in its face, it becomes disoriented and unlocks the door. Spit a mist of alcohol in its face, it gets a buzz and unlocks the door. The butt of many “jokes” for how easily it provides unauthorized entry, but…

Read

SELinux and Auditd

January 7, 2020

In this blog post, I will discuss SELinux and Auditd, how to use them, how to determine what the default policies are doing, and how to add new ones. For those who do not know what SELinux is, it stands for Security-Enhanced Linux. More details about SELinux can be found in the resources section at…

Read

Red Team Engagement Guide: How an Organization Should React

December 5, 2019

A lengthy Red Team engagement is coming. What should the defense do if they catch the offense? Reimage systems? Notify and allow? What is the course of action that allows the engagement to proceed and deliver maximum value to the organization? These can be difficult questions to answer, but ones that companies procuring these tests…

Read

Automation Testing With Ansible, Molecule, and Vagrant

December 3, 2019

There is an old rule that if you find yourself doing anything more than twice, you should automate it. For developers, this may be software builds or the environments into which they will be deployed; for penetration testers, it may be the need to create a phishing host or a lab environment for testing. In…

Read

Creating Honey Credentials with LSA Secrets

November 21, 2019

As an attacker, I frequently leverage LSASecrets to escalate privileges within the context of an ongoing compromise. Generally, the attack path is something like this: Gain Initial Foothold > Escalate to Limited User > Dump LSASecrets on Systems Where Credentials are Administrator A pretty slick way to identify targets to dump LSASecrets on is to…

Read

Playing With Old Hacks

November 19, 2019

Recently, I was prepping for a session and wanted to show the old hack where you boot into a Windows setup using a USB stick and change out the utilman.exe with cmd.exe. Utilman.exe is the binary behind this icon here on the logon screen: Figure 1 – Icon for Utilman.exe First, follow these instructions to…

Read

Discovering the Anti-Virus Signature and Bypassing It

October 24, 2019

In this post, I am going to go over how to find the specific Anti-Virus signature using manual testing and then show techniques that can be used to bypass them. I am a big fan of LOLBins so we are going to focus on the binary Regsvr32, which is a known binary that can be…

Read
  • Browse by Category

  • Clear Form