Risk management is easy! Isn’t it?

Information security theory and practises use a commonly understood and simple range of tools, methods, and practises to help organisations understand their risk portfolio and to enable them to make both strategic and tactical investment decisions….

Ok someone pinch me. this simply isn’t the reality I see on the ground. The theory is vast, complex and there are a multitude of good/best/insert phrase frameworks and tools that you can leverage to map, model, and communicate risks, vulnerabilities, controls, threats etc.

I’m not going to do a detailed analysis and comparison of different models here, but I am going to at least give people a view of some of the tools and frameworks that you can and may likely experience in the cyber security world. Read more “Risk management is easy! Isn’t it?” →

Exposed VMWARE vCenter Servers around the world (CVE-2021-22005)

There’s a new CVE in town but don’t think it’s the only problem you get when you expose administrative interfaces to the wild west of the internet (yeeha or something). Let’s go on a quick exploration of what the world looks like with the help of our friends at Shodan and then let’s see the ramblings of Dan when looking at how benign enumeration and exploration of services can work. Let’s get started looking at the world, a quick face analysis on Shodan with vmware as a product shows a hit or two, what we are going to focus on is vCenter but you know.. you might want to review your attack surfaces so any exposed services (damn people expose some risky stuff!) Read more “Exposed VMWARE vCenter Servers around the world (CVE-2021-22005)” →

How to restore AdminSDHolder Object Permissions using ADSIedit

Ok so the other day “we” as a community put out some guidance around post active directory compromise actions for when you can’t simply nuke the forest from orbit. Well, following on from that a friend asked about how to restore AdminSDHolder permissions? Read more “How to restore AdminSDHolder Object Permissions using ADSIedit” →

CAF Workbook

Undertsanding the current state of cyber capability maturity across an organisation is no simple feat. The team at NCSC have created a really good set of guidance with CAF. With all things there’s different ways on consuming, understanding and leveraging good practises.

I often find have XLS workbooks incredibly valuable when looking at indicators of good practise inside organisations. With this in mind, I started to put the GAF indicators into a workbook. This isn’t complete yet. It needs refactoring so it can be pivoted etc. It also needs some parts added for metadata capture and analysis.

I’m publishing this because sitting collecting virtual dust is probably the least valuable thing that can occur.

Hopefully this is helpful to people, even in it’s current half baked state. I’ll and complete this at some point!

Post Compromise Active Directory Checklist

Nuke it from orbit, it’s the only way to be sure!

Ok, in an ideal world you can re-deploy your entire environment from scratch, but back in the most people’s real world’s that’s not that simple. So, what do we do if we can’t nuke from orbit in a post compromise situation? Well, we need to clean up! This isn’t an exhaustive list, not a total guide. it’s a quick list to make you think about some key common areas and actions that might need to be taken! after all if someone got r00t, who knows what they did! (trust me, most orgs monitoring is a bit naff!)

Vulnerability Management – Actually doing it!

Vulnerability Management, Assessments and Vulnerability scanning is sometimes treated a with distain in the Offensive security community, I personally don’t understand that. Vulnerability management is key to inputting into security strategy, architecture, and operations. It’s coupled heavily to many other processes such as:

Asset Management
Risk Management
Patch Management
Change & Release Management
Security Testing
Security Monitoring

Before we start deploying let’s think about some areas for consideration when performing vulnerability scans:

Scope
- Asset/Hosts
  - IP Ranges
  - Hostnames
- Connectivity
  - VPNs
  - LAN/WAN
- Device Types and Configuration
  - Domain
  - Workgroup
  - Appliance
  - ICS
  - Printers
  - Network Equipment
- Unauthenticated View
- Authenticated View
  - Auth Types
  - Protocols
- Scheduling
- Authority to execute
Impact
- Performance
- Availability
- Confidentiality
Objectives and Outcomes
Reporting
- Information Flow
- Report Storage and Confidentiality

How to Identify Hashes

Some hashes are obvious but even then, it’s a good job to check. There are a few ways to check a hash outside of manual validation.

Using the Hashcat example list:

https://hashcat.net/wiki/doku.php?id=example_hashes

Using hash-identifier:

https://github.com/blackploit/hash-identifier

Using cyberchef Analyse hash:

https://gchq.github.io/CyberChef/#recipe=Analyse_hash()

Using hash-id:

https://github.com/psypanda/hashID

Using HashTag:

https://github.com/SmeegeSec/HashTag

As you can see there are range of tools available to you, and remember if you want to keep the hashes to yourself you can download Cyberchef and run it locally!

Would you know if these remote access tools were…

Introduction

Remote management and monitoring (RMM) and other remote access solutions are fantastic for enabling remote support of environments. Like most things in life though the intent of the user changes the tool from a force for good to a weapon of evil (I hate the use of the word weapon with software but it’s a blog so I’ll self-cringe).

Kill Chain Summary

The kill chain in the attack outlind by sophos isn’t one that you will be suprised at:

Initial access was via a known software vulnerability (unpatched Exchange server)
The attackers dropped a web shell
The attackers had SYSTEM level access
The attackers dumped memory to obtain hashes
The hashes were cracked (they escalated to domain admin)
7 (yes seven!) backdoors were implaneted into the target network (hence this blog post)
Lateral movement was made to domain controllers
Large volumes of data were exfiltrated
The rest of the environment was then pwn3d

What might shock you more is the speed at which this was conducted. It’s not months or weeks, it’s hours and days (see the Sophos blog for more details!)

Conti Actors Remote Access Toolkits

Remote access tools being abused isn’t a new thing but following a great writeup (https://news.sophos.com/en-us/2021/09/03/conti-affiliates-use-proxyshell-exchange-exploit-in-ransomware-attacks/?cmp=30728) of a Conti kill chain from Sophos Labs I figured I’d try and raise more awareness of some of the threats that organisations face, and the reality that defending against all threats is actually quite difficult for a lot of organisations (hell it’s technically not simply for anyone!) Read more “Would you know if these remote access tools were being used in your network environment?” →

Decoding Powershell Base64 Encoded commands in CyberChef

Firstly, you need some Powershell Base64 commands, you could search your security logs or Sysmon logs for these, or simply generate some yourself!

powershell.exe -noprofile -ExecutionPolicy UnRestricted -EncodedCommand bgBlAHQAIAB1AHMAZQByACAAcwBlAGMAYQB1AGQAaQB0ACAAUABAADUANQB3ADAAcgBkADEAMgAzACEAIAAvAEEARABEADsAbgBlAHQAIAB1AHMAZQByACAAcwBlAGMAYQB1AGQAaQB0ACAALwBhAGMAdABpAHYAZQA6AHkAZQBzADsAbgBlAHQAIABsAG8AYwBhAGwAZwByAG8AdQBwACAAYQBkAG0AaQBuAGkAcwB0AHIAYQB0AG8AcgBzACAALwBhAGQAZAAgAHMAZQBjAGEAdQBkAGkAdAA=

Next, we head over to Cyber Chef!

https://gchq.github.io/CyberChef/

Now we copy the base64 component to the INPUT window:

We add the “From Base64” operation into our RECIPE! Read more “Decoding Powershell Base64 Encoded commands in CyberChef” →

Infection Monkey Overview

Have you ever wanted to see what would occur in an environment if a worm was a make its way in? I often work with customers to show them about lateral movement from a human operated perspective however sometimes it’s useful for people to visualise this better and to demonstrate what could occur if a worm was set loose. A great tool to help with this is Infection Monkey from Guardicore (https://www.guardicore.com/

High Level View

The process steps are as follows:

Scope Exercise
Prepare Environment
Deploy Infection Monkey Server (Monkey Island)
- Configure Server Credentials
Monkey Configuration
Release Monkey/s
Review
Report

Read more “Infection Monkey Overview” →