Active Directory Checklist — Attack & Defense Cheatsheet
https://cybersecuritynews.com/active-directory-checklist/
#ad #cheatsheet #redteam #blueteam
https://cybersecuritynews.com/active-directory-checklist/
#ad #cheatsheet #redteam #blueteam
Cyber Security News
Active Directory Attack Kill Chain Checklist & Tools List- 2025
Here we are elaborating the tactics, techniques, and procedures (TTPs) attackers are leveraging to compromise active directory and guidance
Cobalt Strike, a Defender’s Guide
In this research, exposes adversarial Tactics, Techniques and Procedures (TTPs) as well as the tools use to execute mission objectives. In most of cases, the threat actors utilizing Cobalt Strike. Therefore, defenders should know how to detect Cobalt Strike in various stages of its execution. The primary purpose of this articles is to expose the most common techniques from the intrusions track and provide detections. Having said that, not all of Cobalt Strike’s features will be discussed.
# https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
# https://thedfirreport.com/2022/01/24/cobalt-strike-a-defenders-guide-part-2/
#cobaltstrike #research #blueteam
In this research, exposes adversarial Tactics, Techniques and Procedures (TTPs) as well as the tools use to execute mission objectives. In most of cases, the threat actors utilizing Cobalt Strike. Therefore, defenders should know how to detect Cobalt Strike in various stages of its execution. The primary purpose of this articles is to expose the most common techniques from the intrusions track and provide detections. Having said that, not all of Cobalt Strike’s features will be discussed.
# https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
# https://thedfirreport.com/2022/01/24/cobalt-strike-a-defenders-guide-part-2/
#cobaltstrike #research #blueteam
Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign
StellarParticle, an adversary campaign associated with COZY BEAR, was active throughout 2021 leveraging novel tactics and techniques in supply chain attacks observed by CrowdStrike incident responders
https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/
#threatintel #dfir #blueteam #malware
StellarParticle, an adversary campaign associated with COZY BEAR, was active throughout 2021 leveraging novel tactics and techniques in supply chain attacks observed by CrowdStrike incident responders
https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/
#threatintel #dfir #blueteam #malware
This media is not supported in your browser
VIEW IN TELEGRAM
SysWhispers is dead, long live SysWhispers!
In a journey around the fantastic tool SysWhispers, cover some of the strategies that can be adopted to detect it, both statically and dynamically.
https://klezvirus.github.io/RedTeaming/AV_Evasion/NoSysWhisper/
#edr #evasion #syscall #redteam #blueteam
In a journey around the fantastic tool SysWhispers, cover some of the strategies that can be adopted to detect it, both statically and dynamically.
https://klezvirus.github.io/RedTeaming/AV_Evasion/NoSysWhisper/
#edr #evasion #syscall #redteam #blueteam
👍1
Container Security Checklist
Checklist for container security devsecops practices
https://github.com/krol3/container-security-checklist
#kubernetes #docker #security #cheatsheet #blueteam
Checklist for container security devsecops practices
https://github.com/krol3/container-security-checklist
#kubernetes #docker #security #cheatsheet #blueteam
GitHub
GitHub - krol3/container-security-checklist: Checklist for container security - devsecops practices
Checklist for container security - devsecops practices - krol3/container-security-checklist
ntTraceControl — Powershell Event Tracing Toolbox
Want to simulate any ETW logs using powershell, even the security one?
Do you want to import any evtx files into the current eventlog session?
ntTraceControl is a set of Powershell commands to forge/generate Windows logs. Simply put, ntTraceControl supports Detection teams by simplifying the testing of detection use cases and alerts without using complex infrastructure, tools, or the testing of vulnerabilities.
https://github.com/airbus-cert/ntTraceControl
#etw #simulate #powershell #redteam #blueteam
Want to simulate any ETW logs using powershell, even the security one?
Do you want to import any evtx files into the current eventlog session?
ntTraceControl is a set of Powershell commands to forge/generate Windows logs. Simply put, ntTraceControl supports Detection teams by simplifying the testing of detection use cases and alerts without using complex infrastructure, tools, or the testing of vulnerabilities.
https://github.com/airbus-cert/ntTraceControl
#etw #simulate #powershell #redteam #blueteam
📒 Enabling ADCS Audit and Fix Bad Configs
Auditing is not enabled by default in AD CS. For some mysterious reason, Microsoft has decided to not enable AD CS auditing OOB.
To find the issue, run this command on every one of your CAs:
Fix for AD CS Templates with Bad Configs:
https://github.com/trimarcjake/adcs-snippets#fix-1-for-templates-with-bad-configs---remove-ability-to-set-a-san
#adcs #audit #recommendations #blueteam
Auditing is not enabled by default in AD CS. For some mysterious reason, Microsoft has decided to not enable AD CS auditing OOB.
To find the issue, run this command on every one of your CAs:
certutil -getreg CA\AuditFilterTo enable all auditing, do this:
certutil –setreg CA\AuditFilter 127
net stop certsvc
net start certsvc
You'll also need to enable the Certificate Service advanced auditing subcategories in a GPO linked to the OU containing your CA host objects (Figure 1). Lastly, enforce the advanced auditing subcategories! All of your previous work will be for naught if you don't enforce (Figure 2).Fix for AD CS Templates with Bad Configs:
https://github.com/trimarcjake/adcs-snippets#fix-1-for-templates-with-bad-configs---remove-ability-to-set-a-san
#adcs #audit #recommendations #blueteam
👍3
This media is not supported in your browser
VIEW IN TELEGRAM
⏱ Scheduled Task Tampering
In this post we will explore two approaches that can be used to achieve the same result: create or modify a scheduled task and execute it, without generating the relevant telemetry. First, we will explore how direct registry manipulation could be used to create or modify tasks and how this did not generate the usual entries in the eventlog. Finally, an alternative route based on tampering with the Task Scheduler ETW will be presented that will completely suppress most of logging related to the Task Scheduler.
https://labs.f-secure.com/blog/scheduled-task-tampering/
#windows #schedule #task #redteam #blueteam
In this post we will explore two approaches that can be used to achieve the same result: create or modify a scheduled task and execute it, without generating the relevant telemetry. First, we will explore how direct registry manipulation could be used to create or modify tasks and how this did not generate the usual entries in the eventlog. Finally, an alternative route based on tampering with the Task Scheduler ETW will be presented that will completely suppress most of logging related to the Task Scheduler.
https://labs.f-secure.com/blog/scheduled-task-tampering/
#windows #schedule #task #redteam #blueteam
APT
NTLMRelay2Self over HTTP Just a walkthrough of how to escalate privileges locally by forcing the system you landed initial access on to reflectively authenticate over HTTP to itself and forward the received connection to an HTTP listener (ntlmrelayx) configured…
🛡️Defending the Three Headed Relay
This blog discusses possible attack paths and various protections associated with Kerberos Relay activity.
https://jsecurity101.medium.com/defending-the-three-headed-relay-17e1d6b6a339
#ad #kerberos #relay #mitigation #blueteam
This blog discusses possible attack paths and various protections associated with Kerberos Relay activity.
https://jsecurity101.medium.com/defending-the-three-headed-relay-17e1d6b6a339
#ad #kerberos #relay #mitigation #blueteam
⚙️ WTFBins
WTFBin(n): a binary that behaves exactly like malware, except, somehow, it's not?
Site detailing noisy, false positive binaries created that's super helpful in getting filter ideas together for monitoring and hunting rules.
https://wtfbins.wtf/
#wtfbins #blueteam
WTFBin(n): a binary that behaves exactly like malware, except, somehow, it's not?
Site detailing noisy, false positive binaries created that's super helpful in getting filter ideas together for monitoring and hunting rules.
https://wtfbins.wtf/
#wtfbins #blueteam
👍4
📒Simulating attacks with Sysmon
SysmonSimulator is an Open source Windows event simulation utility created in C language, that can be used to simulate most of the attacks using WINAPIs. This can be used by Blue teams for testing the EDR detections and correlation rules. I have created it to generate attack data for the relevant Sysmon Event IDs.
Attack coverage:
— Process Events
— File Events
— Named Pipes Events
— Registry Actions
— Image Loading
— Network Connections
— Create Remote Thread
— Raw Access Read
— DNS Query
— WMI Events
— Clipboard Capture
— Process Image Tampering
Research:
https://rootdse.org/posts/understanding-sysmon-events/
Tool:
https://github.com/ScarredMonk/SysmonSimulator
#sysmon #simulator #blueteam #lab
SysmonSimulator is an Open source Windows event simulation utility created in C language, that can be used to simulate most of the attacks using WINAPIs. This can be used by Blue teams for testing the EDR detections and correlation rules. I have created it to generate attack data for the relevant Sysmon Event IDs.
Attack coverage:
— Process Events
— File Events
— Named Pipes Events
— Registry Actions
— Image Loading
— Network Connections
— Create Remote Thread
— Raw Access Read
— DNS Query
— WMI Events
— Clipboard Capture
— Process Image Tampering
Research:
https://rootdse.org/posts/understanding-sysmon-events/
Tool:
https://github.com/ScarredMonk/SysmonSimulator
#sysmon #simulator #blueteam #lab
👍9
🔓 Unprotect
A project that is meant to provide Malware Analysts and Defenders with actionable insights and detection capabilities to shorten their response times. A catalog of over 200 tricks used by malware to bypass detection and protection tools. There are also rules for detecting these tricks.
https://unprotect.it/
#maldev #evasion #redteam #blueteam
A project that is meant to provide Malware Analysts and Defenders with actionable insights and detection capabilities to shorten their response times. A catalog of over 200 tricks used by malware to bypass detection and protection tools. There are also rules for detecting these tricks.
https://unprotect.it/
#maldev #evasion #redteam #blueteam
👍3🔥2
🛡 On Detection: Tactical to Functional
The goal of this series is to facilitate a conversation about the more technical aspects of attacks and how a deeper understanding at the more foundational levels helps to provide a batter base to build assumptions from.
🔗 Part 1: Discovering API Function Usage through Source Code Review
🔗 Part 2: Operations
🔗 Part 3: Expanding the Function Call Graph
#maldev #pinvoke #winapi #detection #blueteam #ttp
The goal of this series is to facilitate a conversation about the more technical aspects of attacks and how a deeper understanding at the more foundational levels helps to provide a batter base to build assumptions from.
🔗 Part 1: Discovering API Function Usage through Source Code Review
🔗 Part 2: Operations
🔗 Part 3: Expanding the Function Call Graph
#maldev #pinvoke #winapi #detection #blueteam #ttp
Medium
On Detection: Tactical to Functional
Part 1: Discovering API Function Usage through Source Code Review
👍3
🦮 BlueHound
It is an open-source tool that helps blue teams pinpoint the security issues that actually matter. By combining information about user permissions, network access and unpatched vulnerabilities, BlueHound reveals the paths attackers would take if they were inside your network
It is a fork of NeoDash, reimagined, to make it suitable for defensive security purposes.
Blog:
🔗 https://zeronetworks.com/blog/bluehound-community-driven-resilience/
Tool:
🔗 https://github.com/zeronetworks/BlueHound
#ad #sharphound #blueteam
It is an open-source tool that helps blue teams pinpoint the security issues that actually matter. By combining information about user permissions, network access and unpatched vulnerabilities, BlueHound reveals the paths attackers would take if they were inside your network
It is a fork of NeoDash, reimagined, to make it suitable for defensive security purposes.
Blog:
🔗 https://zeronetworks.com/blog/bluehound-community-driven-resilience/
Tool:
🔗 https://github.com/zeronetworks/BlueHound
#ad #sharphound #blueteam
👍5
Azure Threat Research Matrix
The purpose of the Azure Threat Research Matrix is to conceptualize the known TTP that adversaries may use against Azure
https://microsoft.github.io/Azure-Threat-Research-Matrix/
#azure #ttp #blueteam
The purpose of the Azure Threat Research Matrix is to conceptualize the known TTP that adversaries may use against Azure
https://microsoft.github.io/Azure-Threat-Research-Matrix/
#azure #ttp #blueteam
👍2
📄 Detecting ADCS Web Services Abuse (ESC8)
One of the popular attack vectors against Active Directory Certificate Services is ESC8. This article covers detecting irregular access to some ADCS web services exposed, as well as detecting the NTLM relaying itself.
https://medium.com/falconforce/falconfriday-detecting-adcs-web-services-abuse-0xff20-9f660c83cb36
#adcs #detection #esc8 #blueteam
One of the popular attack vectors against Active Directory Certificate Services is ESC8. This article covers detecting irregular access to some ADCS web services exposed, as well as detecting the NTLM relaying itself.
https://medium.com/falconforce/falconfriday-detecting-adcs-web-services-abuse-0xff20-9f660c83cb36
#adcs #detection #esc8 #blueteam
Medium
FalconFriday — Detecting ADCS web services abuse — 0xFF20
One of the popular attack vectors against ADCS is ESC8 — relaying NTLM creds to the ADCS HTTP(S) endpoints. While preventing this…
👍3
This post provides a technical analysis of a Brute Ratel C4 badger/agent, a Red Team tool. The analysis includes API hashing, memory injection, encrypted C2 communications, and the first 20 C2 commands for remote control.
🔗 Source:
https://cybergeeks.tech/a-deep-dive-into-brute-ratel-c4-payloads/
#analysis #brc4 #redteam #blueteam
Please open Telegram to view this post
VIEW IN TELEGRAM
1🔥13👍4❤🔥1