Tracing DNS Queries on Your Windows DNS Server

July 16, 2019

During a recent engagement, I successfully deployed a wildcard Domain Name System (DNS) record in conjunction with Responder. Within minutes, a misconfigured host made a query for a non-existent DNS record and was poisoned into connecting to our Responder instance. Unfortunately, the account was privileged enough that domain compromise was achieved. The techniques and tools…

Mobile Hacking: Using Frida to Monitor Encryption

July 09, 2019

This post will walk you through the creation of a Frida script that will be used to demonstrate the usage of the Frida Python bindings. The Frida script will be used to monitor encryption calls and capture details about the encryption type and keys in use. We will learn how to send messages from Frida…

Microsoft MVP Awards 2019

July 02, 2019

Who are MVPs? Microsoft Most Valuable Professionals, or MVPs, are technology experts who passionately share their knowledge with the community. For more information on this award, visit the Microsoft MVP Overview page. According to Microsoft, MVPs “are always on the ‘bleeding edge’ and have an unstoppable urge to get their hands on new, exciting technologies.”…

On the possibility of obfuscating code using neural networks

June 11, 2019

In this blog post, I will cover the current state of my research investigating the possibility of using neural networks to hide shellcode. But before we dig in, I will provide a little background information. For those unfamiliar with neural networks, they are a type of computer system design that is inspired by how human…

Is Ohio Senate Bill 220 an Example for the Other 49 States?

May 16, 2019

Passing with 24 yeas and 8 nays, effective as of November 2, 2018, Ohio Senate Bill 220 was touted as a way to use the ‘carrot approach’ for organizations to increase cybersecurity. This incentive was to encourage the shielding of data breach liability for organizations in certain situations. Excerpts from the bill are provided below…

Owning O365 Through Better Brute-Forcing

May 14, 2019

TL;DR: User Enumeration is key. Done enumerating? Do more. The classic passwords still work. Once you get some credentials, get more. Office 365 (O365) has become a trend in organizations. More and more, administrators are offloading their mail to The Cloud™. No longer are admins shackled to their Exchange servers, executing patch after patch in…

Next Gen Phishing – Leveraging Azure Information Protection

April 25, 2019

In this blog post, I will go over how to use Azure Information Protection (AIP) to improve phishing campaigns from the perspective of an attacker. The idea came during an engagement where I was having trouble getting phishing emails into users’ inboxes without being caught by a sandbox on the way. During this engagement, it…

Invoice Fraud is Soaring – What you need to know

April 23, 2019

Organizations are losing thousands—and sometimes millions—of dollars from invoice fraud, which is also known as Business Email Compromise (BEC). At TrustedSec, we have seen a marked uptick in panicked, embarrassed, and/or angry folks reaching out to us for Incident Response and forensics work following a scam. Sometimes, organizations are able to recover some or all…

Indicators of Compromise – Hunting for Meaning (Part 2)

April 11, 2019

In part one of this blog post series, we briefly looked at why IoC threat data enrichment is important, the value of knowing who your enemy is, and the process of turning threat data into threat intelligence. If you haven’t had a chance to read the first part of this series, take a few minutes…

Indicators of Compromise – Hunting for Meaning (Part 1)

April 09, 2019

By the time an Incident Response consultant is contacted, the security event in question is already in motion. So, the goals become: rapid triage, assist in identifying the related threat risks, and make every effort to identify the threat actors involved. Attribution is very difficult when dealing with seasoned and well-funded threat actors, but it…