AWS IAM explained for RedTeam & BlueTeam
https://infosecwriteups.com/aws-iam-explained-for-red-and-blue-teams-2dda8b20fbf7
#aws #iam #redteam #blueteam
https://infosecwriteups.com/aws-iam-explained-for-red-and-blue-teams-2dda8b20fbf7
#aws #iam #redteam #blueteam
Medium
AWS IAM explained for Red and Blue teams
Introduction
Suspicious Named Pipe Events
https://medium.com/falconforce/falconfriday-suspicious-named-pipe-events-0xff1b-fe475d7ebd8
#windows #pipe #events #blueteam #redteam
https://medium.com/falconforce/falconfriday-suspicious-named-pipe-events-0xff1b-fe475d7ebd8
#windows #pipe #events #blueteam #redteam
Medium
FalconFriday — Suspicious named pipe events — 0xFF1B
TL;DR for blue teams: Attackers use named pipes to conveniently move laterally and mostly bypass detection. This blog post shows a method…
Active Directory ACL Visualizer and Explorer
adalanche tool gives instant results, showing you what permissions users and groups have in an Active Directory. It is useful for visualizing and exploring who can take over accounts, machines or the entire domain, and can be used to find and show misconfigurations.
https://github.com/lkarlslund/adalanche
#ad #acl #visualizer #blueteam #redteam
adalanche tool gives instant results, showing you what permissions users and groups have in an Active Directory. It is useful for visualizing and exploring who can take over accounts, machines or the entire domain, and can be used to find and show misconfigurations.
https://github.com/lkarlslund/adalanche
#ad #acl #visualizer #blueteam #redteam
Active Directory Checklist — Attack & Defense Cheatsheet
https://cybersecuritynews.com/active-directory-checklist/
#ad #cheatsheet #redteam #blueteam
https://cybersecuritynews.com/active-directory-checklist/
#ad #cheatsheet #redteam #blueteam
Cyber Security News
Active Directory Attack Kill Chain Checklist & Tools List- 2025
Here we are elaborating the tactics, techniques, and procedures (TTPs) attackers are leveraging to compromise active directory and guidance
Cobalt Strike, a Defender’s Guide
In this research, exposes adversarial Tactics, Techniques and Procedures (TTPs) as well as the tools use to execute mission objectives. In most of cases, the threat actors utilizing Cobalt Strike. Therefore, defenders should know how to detect Cobalt Strike in various stages of its execution. The primary purpose of this articles is to expose the most common techniques from the intrusions track and provide detections. Having said that, not all of Cobalt Strike’s features will be discussed.
# https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
# https://thedfirreport.com/2022/01/24/cobalt-strike-a-defenders-guide-part-2/
#cobaltstrike #research #blueteam
In this research, exposes adversarial Tactics, Techniques and Procedures (TTPs) as well as the tools use to execute mission objectives. In most of cases, the threat actors utilizing Cobalt Strike. Therefore, defenders should know how to detect Cobalt Strike in various stages of its execution. The primary purpose of this articles is to expose the most common techniques from the intrusions track and provide detections. Having said that, not all of Cobalt Strike’s features will be discussed.
# https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
# https://thedfirreport.com/2022/01/24/cobalt-strike-a-defenders-guide-part-2/
#cobaltstrike #research #blueteam
Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign
StellarParticle, an adversary campaign associated with COZY BEAR, was active throughout 2021 leveraging novel tactics and techniques in supply chain attacks observed by CrowdStrike incident responders
https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/
#threatintel #dfir #blueteam #malware
StellarParticle, an adversary campaign associated with COZY BEAR, was active throughout 2021 leveraging novel tactics and techniques in supply chain attacks observed by CrowdStrike incident responders
https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/
#threatintel #dfir #blueteam #malware
This media is not supported in your browser
VIEW IN TELEGRAM
SysWhispers is dead, long live SysWhispers!
In a journey around the fantastic tool SysWhispers, cover some of the strategies that can be adopted to detect it, both statically and dynamically.
https://klezvirus.github.io/RedTeaming/AV_Evasion/NoSysWhisper/
#edr #evasion #syscall #redteam #blueteam
In a journey around the fantastic tool SysWhispers, cover some of the strategies that can be adopted to detect it, both statically and dynamically.
https://klezvirus.github.io/RedTeaming/AV_Evasion/NoSysWhisper/
#edr #evasion #syscall #redteam #blueteam
👍1
Container Security Checklist
Checklist for container security devsecops practices
https://github.com/krol3/container-security-checklist
#kubernetes #docker #security #cheatsheet #blueteam
Checklist for container security devsecops practices
https://github.com/krol3/container-security-checklist
#kubernetes #docker #security #cheatsheet #blueteam
GitHub
GitHub - krol3/container-security-checklist: Checklist for container security - devsecops practices
Checklist for container security - devsecops practices - krol3/container-security-checklist
ntTraceControl — Powershell Event Tracing Toolbox
Want to simulate any ETW logs using powershell, even the security one?
Do you want to import any evtx files into the current eventlog session?
ntTraceControl is a set of Powershell commands to forge/generate Windows logs. Simply put, ntTraceControl supports Detection teams by simplifying the testing of detection use cases and alerts without using complex infrastructure, tools, or the testing of vulnerabilities.
https://github.com/airbus-cert/ntTraceControl
#etw #simulate #powershell #redteam #blueteam
Want to simulate any ETW logs using powershell, even the security one?
Do you want to import any evtx files into the current eventlog session?
ntTraceControl is a set of Powershell commands to forge/generate Windows logs. Simply put, ntTraceControl supports Detection teams by simplifying the testing of detection use cases and alerts without using complex infrastructure, tools, or the testing of vulnerabilities.
https://github.com/airbus-cert/ntTraceControl
#etw #simulate #powershell #redteam #blueteam
📒 Enabling ADCS Audit and Fix Bad Configs
Auditing is not enabled by default in AD CS. For some mysterious reason, Microsoft has decided to not enable AD CS auditing OOB.
To find the issue, run this command on every one of your CAs:
Fix for AD CS Templates with Bad Configs:
https://github.com/trimarcjake/adcs-snippets#fix-1-for-templates-with-bad-configs---remove-ability-to-set-a-san
#adcs #audit #recommendations #blueteam
Auditing is not enabled by default in AD CS. For some mysterious reason, Microsoft has decided to not enable AD CS auditing OOB.
To find the issue, run this command on every one of your CAs:
certutil -getreg CA\AuditFilterTo enable all auditing, do this:
certutil –setreg CA\AuditFilter 127
net stop certsvc
net start certsvc
You'll also need to enable the Certificate Service advanced auditing subcategories in a GPO linked to the OU containing your CA host objects (Figure 1). Lastly, enforce the advanced auditing subcategories! All of your previous work will be for naught if you don't enforce (Figure 2).Fix for AD CS Templates with Bad Configs:
https://github.com/trimarcjake/adcs-snippets#fix-1-for-templates-with-bad-configs---remove-ability-to-set-a-san
#adcs #audit #recommendations #blueteam
👍3
This media is not supported in your browser
VIEW IN TELEGRAM
⏱ Scheduled Task Tampering
In this post we will explore two approaches that can be used to achieve the same result: create or modify a scheduled task and execute it, without generating the relevant telemetry. First, we will explore how direct registry manipulation could be used to create or modify tasks and how this did not generate the usual entries in the eventlog. Finally, an alternative route based on tampering with the Task Scheduler ETW will be presented that will completely suppress most of logging related to the Task Scheduler.
https://labs.f-secure.com/blog/scheduled-task-tampering/
#windows #schedule #task #redteam #blueteam
In this post we will explore two approaches that can be used to achieve the same result: create or modify a scheduled task and execute it, without generating the relevant telemetry. First, we will explore how direct registry manipulation could be used to create or modify tasks and how this did not generate the usual entries in the eventlog. Finally, an alternative route based on tampering with the Task Scheduler ETW will be presented that will completely suppress most of logging related to the Task Scheduler.
https://labs.f-secure.com/blog/scheduled-task-tampering/
#windows #schedule #task #redteam #blueteam
APT
NTLMRelay2Self over HTTP Just a walkthrough of how to escalate privileges locally by forcing the system you landed initial access on to reflectively authenticate over HTTP to itself and forward the received connection to an HTTP listener (ntlmrelayx) configured…
🛡️Defending the Three Headed Relay
This blog discusses possible attack paths and various protections associated with Kerberos Relay activity.
https://jsecurity101.medium.com/defending-the-three-headed-relay-17e1d6b6a339
#ad #kerberos #relay #mitigation #blueteam
This blog discusses possible attack paths and various protections associated with Kerberos Relay activity.
https://jsecurity101.medium.com/defending-the-three-headed-relay-17e1d6b6a339
#ad #kerberos #relay #mitigation #blueteam
⚙️ WTFBins
WTFBin(n): a binary that behaves exactly like malware, except, somehow, it's not?
Site detailing noisy, false positive binaries created that's super helpful in getting filter ideas together for monitoring and hunting rules.
https://wtfbins.wtf/
#wtfbins #blueteam
WTFBin(n): a binary that behaves exactly like malware, except, somehow, it's not?
Site detailing noisy, false positive binaries created that's super helpful in getting filter ideas together for monitoring and hunting rules.
https://wtfbins.wtf/
#wtfbins #blueteam
👍4
📒Simulating attacks with Sysmon
SysmonSimulator is an Open source Windows event simulation utility created in C language, that can be used to simulate most of the attacks using WINAPIs. This can be used by Blue teams for testing the EDR detections and correlation rules. I have created it to generate attack data for the relevant Sysmon Event IDs.
Attack coverage:
— Process Events
— File Events
— Named Pipes Events
— Registry Actions
— Image Loading
— Network Connections
— Create Remote Thread
— Raw Access Read
— DNS Query
— WMI Events
— Clipboard Capture
— Process Image Tampering
Research:
https://rootdse.org/posts/understanding-sysmon-events/
Tool:
https://github.com/ScarredMonk/SysmonSimulator
#sysmon #simulator #blueteam #lab
SysmonSimulator is an Open source Windows event simulation utility created in C language, that can be used to simulate most of the attacks using WINAPIs. This can be used by Blue teams for testing the EDR detections and correlation rules. I have created it to generate attack data for the relevant Sysmon Event IDs.
Attack coverage:
— Process Events
— File Events
— Named Pipes Events
— Registry Actions
— Image Loading
— Network Connections
— Create Remote Thread
— Raw Access Read
— DNS Query
— WMI Events
— Clipboard Capture
— Process Image Tampering
Research:
https://rootdse.org/posts/understanding-sysmon-events/
Tool:
https://github.com/ScarredMonk/SysmonSimulator
#sysmon #simulator #blueteam #lab
👍9
🔓 Unprotect
A project that is meant to provide Malware Analysts and Defenders with actionable insights and detection capabilities to shorten their response times. A catalog of over 200 tricks used by malware to bypass detection and protection tools. There are also rules for detecting these tricks.
https://unprotect.it/
#maldev #evasion #redteam #blueteam
A project that is meant to provide Malware Analysts and Defenders with actionable insights and detection capabilities to shorten their response times. A catalog of over 200 tricks used by malware to bypass detection and protection tools. There are also rules for detecting these tricks.
https://unprotect.it/
#maldev #evasion #redteam #blueteam
👍3🔥1