Collaborate Disseminate
I briefly mentioned how easy it is to forge email sender addresses in a previous blog post that described the steps I took to determine whether a suspicious email was legitimate or a phishing attempt. In this post, we will take a deeper dive into why email sender addresses are so easy to forge and…
The post Real or Fake? How to Spoof Email appeared first on TrustedSec.
1.0 Introduction On Friday, December 10, 2021, Charlie Clark (@exploitph) published a blog post detailing the weaponization of CVEs 2021-42287 and 2021-42278. In the blog post, Charlie extensively covered the background of the vulnerabilities, how the vulnerabilities were weaponized into Rubeus, with help from Ceri Coburn (@_EthicalChaos_), the full ‘attack chain,’ mitigations, and some detections….
The post An ‘Attack Path’ Mapping Approach to CVEs 2021-42287 and 2021-42278 appeared first on TrustedSec.
Continue reading An ‘Attack Path’ Mapping Approach to CVEs 2021-42287 and 2021-42278
On December 09, 2021, a severe vulnerability for Apache Log4j was released (CVE-2021-44228). This vulnerability, also known as Log4Shell, allows remote code execution in many applications through web requests and without authentication. Almost immediately, many attackers on the Internet began to scan and exploit this vulnerability. This is meant to provide guidelines and recommendations on…
The post Log4j Detection and Response Playbook appeared first on TrustedSec.
Let’s see, it looks like your organization just met an annual Threat Hunting assessment compliance requirement or achieved the introductory objective of experiencing a formal Threat Hunting assessment. Well done! Now, what should the organization take into consideration after successfully completing the assessment? Once a third-party Threat Hunting assessment concludes, many organizations may feel overwhelmed…
The post Why your threat hunting program building shouldn’t stop once the engagement is over appeared first on TrustedSec.
Continue reading Why your threat hunting program building shouldn’t stop once the engagement is over
New challenges have emerged that make it difficult to transfer risk. Ransomware has changed the game An overlooked yet the increasingly important challenge in information risk management is finding the right balance between cybersecurity and cyber insurance. We continue to see organizations hit with ransomware from a variety of vectors, including spam emails, drive-by downloads,…
The post Is Cyber Insurance Becoming Worthless? appeared first on TrustedSec.
Black Hawk Down I’m guessing a lot of us in the IT and Security space have experienced the gut wrenching feeling of not receiving that ICMP ping reply you were expecting from a production system, be it a firewall, switch, or server. Was there a recent configuration change that happened prior to the last reboot?…
The post The Backup Paradigm Shift: Moving Toward Attack Response Systems appeared first on TrustedSec.
Continue reading The Backup Paradigm Shift: Moving Toward Attack Response Systems
On February 17, 2021 TrustedSec hosted an ‘Ask Me Anything’ on our Slack Workplace with TrustedSec’s Incident Response Team. Many great questions were asked and lots of information exchanged that we didn’t want to get lost with time, so we’ve put together this blog with questions and the conversation that blossomed from them. Please note:…
The post TrustedSec Incident Response Team Slack AMA 02.17.2021 appeared first on TrustedSec.
Continue reading TrustedSec Incident Response Team Slack AMA 02.17.2021
Over the last several days, many organizations have been affected by the Microsoft Exchange Hafnium attacks. As a result, TrustedSec’s Incident Response team has gained a lot of experience in a very short time on how to respond to these attacks and what to look for. Many of the compromised servers we have examined were…
The post New Service Launched in Response to Hafnium Attacks appeared first on TrustedSec.
Continue reading New Service Launched in Response to Hafnium Attacks
In the endless quest to research additional Windows system forensic artifacts to use during an Incident Response investigation, I stumbled across something I thought was cool. This definitely wasn’t a new artifact, it was just a specific native Windows XML file that I wasn’t aware of. I noticed this file was not commonly used from…
The post Who Left the Backdoor Open? Using Startupinfo for the Win appeared first on TrustedSec.
Continue reading Who Left the Backdoor Open? Using Startupinfo for the Win
Nearly three weeks after news regarding the widespread compromise of SolarWinds Orion customers became public, TrustedSec continues to receive inquiries from clients seeking more granular detail about the nature of the compromise. In most cases, clients have received a list of command and control (C2) domains from a major vendor and require assistance in investigating…
The post RisingSun: Decoding SUNBURST C2 to Identify Infected Hosts Without Network Telemetry appeared first on TrustedSec.