An ‘Attack Path’ Mapping Approach to CVEs 2021-42287 and 2021-42278

January 6, 2022
By in Active Directory Security Review, Incident Response, Incident Response & Forensics, Penetration Testing, Program Assessment & Compliance, Purple Team Adversarial Detection & Countermeasures, Security Testing & Analysis, Threat Hunting

1.0 Introduction On Friday, December 10, 2021, Charlie Clark (@exploitph) published a blog post detailing the weaponization of CVEs 2021-42287 and 2021-42278. In the blog post, Charlie extensively covered the background of the vulnerabilities, how the vulnerabilities were weaponized into Rubeus, with help from Ceri Coburn (@_EthicalChaos_), the full ‘attack chain,’ mitigations, and some detections….

Read

Log4j Detection and Response Playbook

December 13, 2021
By in Incident Response, Incident Response & Forensics, Threat Hunting

On December 09, 2021, a severe vulnerability for Apache Log4j was released (CVE-2021-44228). This vulnerability, also known as Log4Shell, allows remote code execution in many applications through web requests and without authentication. Almost immediately, many attackers on the Internet began to scan and exploit this vulnerability. This is meant to provide guidelines and recommendations on…

Read
threat-hunting-security-blog

Why your threat hunting program building shouldn’t stop once the engagement is over

September 14, 2021
By in Incident Response, Incident Response & Forensics, Threat Hunting

Let’s see, it looks like your organization just met an annual Threat Hunting assessment compliance requirement or achieved the introductory objective of experiencing a formal Threat Hunting assessment. Well done! Now, what should the organization take into consideration after successfully completing the assessment? Once a third-party Threat Hunting assessment concludes, many organizations may feel overwhelmed…

Read

TrustedSec Incident Response Team Slack AMA 02.17.2021

March 16, 2021
By in Incident Response, Incident Response & Forensics, Threat Hunting

On February 17, 2021 TrustedSec hosted an ‘Ask Me Anything’ on our Slack Workplace with TrustedSec’s Incident Response Team. Many great questions were asked and lots of information exchanged that we didn’t want to get lost with time, so we’ve put together this blog with questions and the conversation that blossomed from them. Please note:…

Read

Who Left the Backdoor Open? Using Startupinfo for the Win

February 18, 2021
By in Incident Response, Incident Response & Forensics, Table-Top Exercises, Technical Counter Surveillance Measures, Threat Hunting

In the endless quest to research additional Windows system forensic artifacts to use during an Incident Response investigation, I stumbled across something I thought was cool. This definitely wasn’t a new artifact, it was just a specific native Windows XML file that I wasn’t aware of. I noticed this file was not commonly used from…

Read

SolarWinds Backdoor (Sunburst) Incident Response Playbook

December 17, 2020
By in Incident Response, Incident Response & Forensics, Research, Security Remediation, Security Testing & Analysis, Technical Counter Surveillance Measures, Threat Hunting

Over the last several days, TrustedSec has received queries on the best ways to contain, eradicate, and remediate the SolarWinds backdoor (aka #solarigate aka Sunburst). The TrustedSec Incident Response team has put together a playbook of recommended actions to provide some level of assurance that your organization is no longer affected by the backdoor. This…

Read

The Tale of the Lost, but not Forgotten, Undocumented NetSync: Part 1

October 27, 2020
By in Active Directory Security Review, Incident Response, Incident Response & Forensics, Penetration Testing, Program Assessment & Compliance, Purple Team Adversarial Detection & Countermeasures, Security Testing & Analysis, Threat Hunting

They say, “Everything old is new again.” Or, if you are a Game of Thrones fan, “What is dead may never die.” For me, however, a mentor once told me, “Everyone is going forward. I’m going backward.” Enter NetSync… I find Twitter to be a good source for InfoSec tactics, techniques, and procedures (TTPs). Anytime…

Read

The Tale of the Lost, but not Forgotten, Undocumented NetSync: Part 2

October 27, 2020
By in Active Directory Security Review, Incident Response, Incident Response & Forensics, Penetration Testing, Program Assessment & Compliance, Purple Team Adversarial Detection & Countermeasures, Security Testing & Analysis, Threat Hunting

This is a continuation of The Tale of the Lost, but not Forgotten, Undocumented NetSync (part 1) and in this section, we will look to answer: What are Some Early Indicators to Detect NetSync at the Host-based Level? What are Some Possible Controls to Deter NetSync? In an accompanying blog post, Are You Seeing What…

Read

SMS Phish – An Incident Walkthrough

September 3, 2020
By in Incident Response, Incident Response & Forensics, Threat Hunting

Opener The goal of this blog post is to provide an approach to analyzing a text-based phish link. I will primarily focus on the initial steps to properly view the phish site from a non-mobile browser, provide OPSEC setup and browsing analysis recommendations, and conclude with defense measures to protect against such attacks. Analysis Background…

Read

Become The Malware Analyst Series: PowerShell Obfuscation Shellcode

August 20, 2020
By in Incident Response, Incident Response & Forensics, Malware Analysis, Threat Hunting

In this second installment of the ‘Become a Malware Analyst Series,” Principal Incident Response & Research Consultant Scott Nusbaum focuses on PowerShell obfuscation by analyzing a PowerShell sample that was identified during an incident response. Scott will also touch on methods and tools to identify common Metasploit function hashes.

Read

  • Search the blog

  • Search by Author

  • Browse by date

  • Browse by Category

  • Clear Form