HackDig : Dig high-quality web security articles for hackers

WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group

Authors: Nikolaos Pantazopoulos, Stefano Antenucci (@Antelox) and Michael Sandee 1. Introduction WastedLocker is a new ransomware locker we’ve detected being used since May 2020. We believe it has been in development for a number of months prior to this and was started in conjunction with a number of other changes we have seen originate from the
Publish At:2020-06-23 09:25 | Read:143 | Comments:0 | Tags:Blog Cobalt Strike Threat Intelligence evilcorp ransomware w

LDAPFragger: Command and Control over LDAP attributes

  Introduction A while back during a penetration test of an internal network, we encountered physically segmented networks. These networks contained workstations joined to the same Active Directory domain, however only one network segment could connect to the internet. To control workstations in both segments remotely with Cobalt Strike, we built a tool
Publish At:2020-03-19 06:53 | Read:581 | Comments:0 | Tags:audits Blog Cobalt Strike pentest Uncategorized

Phishing – Ask and ye shall receive

During penetration tests, our primary goal is to identify the difference in paths that can be used to obtain the goal(s) as agreed upon with our customers. This often succeeds due to insufficient hardening, lack of awareness or poor password hygiene. Sometimes we do get access to a resource, but do not have access to the username or password of the user that
Publish At:2019-09-19 23:30 | Read:991 | Comments:0 | Tags:audits Blog pentest Uncategorized

Your trust, our signature

Written and researched by Mark Bregman and Rindert Kramer Sending signed phishing emails Every organisation, whatever its size, will encounter phishing emails sooner or later. While the number of phishing attacks is increasing every day, the way in which phishing is used within a cyber-attack has not changed: an attacker comes up with a scenario which looks
Publish At:2019-09-19 23:30 | Read:1262 | Comments:0 | Tags:audits Blog pentest Uncategorized email hacking phishing

Getting in the Zone: dumping Active Directory DNS using adidnsdump

Zone transfers are a classical way of performing reconnaissance in networks (or even from the internet). They require an insecurely configured DNS server that allows anonymous users to transfer all records and gather information about host in the network. What not many people know however is that if Active Directory integrated DNS is used, any user can query
Publish At:2019-09-19 23:30 | Read:1134 | Comments:0 | Tags:Blog

Export corrupts Windows Event Log files

Exported .evtx files may contain corrupted data – Check interpretation of forensic tools. Author: Jeffrey Wassenaar Introduction As forensic investigators, we truly love log files. During the investigation of a system with a Microsoft Windows operating system, Windows Event Log files (.evtx) can be very useful. System events (such as logons) are logged
Publish At:2019-09-19 23:30 | Read:1090 | Comments:0 | Tags:Blog

Syncing yourself to Global Administrator in Azure Active Directory

This blog describes a vulnerability discovered by Fox-IT last year in Azure AD Connect, which would allow anyone with account creation privileges in the on-premise Active Directory directory to modify the password of any cloud-only account in Azure AD. Because of the way accounts are commonly configured, this could often enable an attacker to take over the h
Publish At:2019-09-19 23:30 | Read:1102 | Comments:0 | Tags:Blog pentest

Using Anomaly Detection to find malicious domains

Applying unsupervised machine learning to find ‘randomly generated domains. Authors: Ruud van Luijk and Anne Postma At Fox-IT we perform a variety of research and investigation projects to detect malicious activity to improve the service of  our Security Operations Center. One of these areas is applying data science techniques to real world data in real worl
Publish At:2019-09-19 23:30 | Read:974 | Comments:0 | Tags:Blog

Office 365: prone to security breaches?

Author: Willem Zeeman “Office 365 again?”. At the Forensics and Incident Response department of Fox-IT, this is heard often.  Office 365 breach investigations are common at our department. You’ll find that this blog post actually doesn’t make a case for Office 365 being inherently insecure – rather, it discusses some of the predictability of Offi
Publish At:2019-09-19 23:30 | Read:998 | Comments:0 | Tags:Blog

SetUID program exploitation: Crafting shared object files without a compiler

In this post we look at an alternative to compiling shared object files when exploiting vulnerable setUID programs on Linux. At a high level we’re just going to copy the binary and insert some shellcode. First we take a look the circumstances that might lead you to use this option. Also check out this previous post on setUID exploitation. A hacker chal
Publish At:2019-09-19 17:35 | Read:956 | Comments:0 | Tags:Blog analysis exploit root UNIX

An offensive introduction to Active Directory on UNIX

By way of an introduction to our talk at Black Hat Europe, Security Advisory EMEAR would like to share the background on our recent research into some common Active Directory integration solutions. Just as with Windows, these solutions can be utilized to join UNIX infrastructure to enterprises’ Active Directory forests. Background to Active Directory i
Publish At:2019-09-19 17:35 | Read:1146 | Comments:0 | Tags:Blog analysis auditing Black Hat Europe blue team conference

Reverse port forwarding SOCKS proxy via HTTP proxy (part 1)

In the context of a Red Team assessment, in this post I’ll look at some options for using SOCKS to gain external access to an internal network. I’ll cover the obvious methods and why I’m overlooking them, a crude method using standard tools (this post) and a more refined approach using modified tools (in part 2). I recently spent quite a lo
Publish At:2019-09-19 17:35 | Read:1265 | Comments:0 | Tags:Blog RDP red team Windows

Use Infrastructure as Code they said. Easier to audit they said… (part 1)

Whilst there are some great examples of how to assess infrastructure as code dynamically with things like the Center for Internet Security‘s Docker benchmark and CoreOS‘s Clair, these kinda run a little too late in the pipeline for my liking. If we want to treat infrastructure as code then surely we ought to be performing code reviews and if we&#
Publish At:2019-09-19 17:35 | Read:1030 | Comments:0 | Tags:Blog auditing devops devsecops infradev orchestration seceng

UNIX and Linux setUID advice and guidance

It is a topic that often comes up on client engagements, usually when running structured build reviews of Linux “gold builds”, but occasionally when trying to explain in detail how we used a Linux system to pivot internally. SetUID and setGID files are inevitably a risk, potentially allowing attackers to elevate privileges to root from a basic us
Publish At:2017-10-27 17:20 | Read:7569 | Comments:0 | Tags:Blog AIX analysis auditing blueteam FreeBSD Linux root Solar

SSTIC 2017 wrap-up

This year, one member of the Portcullis team went to one of the biggest security events in France: SSTIC (Symposium sur la sécurité des technologies de l’information et des communications). This post will highlight the most interesting presentations. Many of the slides, articles and videos are available on the SSTIC website, but they are mostly in Fren
Publish At:2017-10-27 17:20 | Read:4653 | Comments:0 | Tags:Blog analysis conference SSTIC


Share high-quality web security related articles with you:)