The Client/Server Relationship — A Match Made In Heaven

This blog post was co-authored with Charlie Clark and Jonathan Johnson of Binary Defense.

Introduction

One thing often forgotten is that detection engineering is not always a matter of mapping one action to one query; it also has to drive effective incident response and speed up the triage of an alert. This is best served with context. We often…

The post The Client/Server Relationship — A Match Made In Heaven appeared first on TrustedSec.

Modeling Malicious Code: Hacking in 3D

Introduction Attackers are always looking for new ways to deliver or evade detection of their malicious code, scripts, executables, and other tools that will allow them to access a target. We on the Tactical Awareness and Countermeasures (TAC) team at TrustedSec strive to keep up with attacker techniques and look ahead to develop potential evolutions…

Cross Site Smallish Scripting (XSSS)

Having small XSS payloads, or ways to shorten them, ensures that even the smallest unencoded output on a site can still lead to account compromise. A typical image tag with an onerror attribute takes up around 35 characters by itself:

<img src=1 onerror="alert('XSS')">

If you would like to prove you can steal credentials or…
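
The length budget is the whole point of the excerpt, so the following added example (not code from the original post) puts the quoted image tag next to two shorter, widely known variants, checks which of them fit a truncated reflection, and shows the same reflection with and without HTML entity encoding. The template, the field budget and the candidate list are constructed for the example.

```python
import html

# Constructed candidate payloads. Lengths are what matter here: the shorter the
# payload, the smaller the unencoded reflection it fits into.
CANDIDATES = {
    "img-onerror": "<img src=1 onerror=\"alert('XSS')\">",   # the form quoted above, 34 chars
    "img-onerror-bare": "<img src=1 onerror=alert(1)>",      # quotes dropped, 28 chars
    "svg-onload": "<svg onload=alert(1)>",                   # widely known shorter variant, 21 chars
}


def payload_lengths(candidates=CANDIDATES):
    """Map payload name -> length, for comparison against a reflection budget."""
    return {name: len(p) for name, p in candidates.items()}


def payloads_that_fit(max_len, candidates=CANDIDATES):
    """Names of payloads that survive a reflected field truncated to max_len characters."""
    return sorted(name for name, p in candidates.items() if len(p) <= max_len)


# Constructed template: the reflected value lands in HTML body context.
TEMPLATE = "<p>Hello, {value}!</p>"


def reflect_unencoded(value):
    """The vulnerable pattern: user input concatenated straight into HTML."""
    return TEMPLATE.format(value=value)


def reflect_encoded(value):
    """The fix: entity-encode for the context the value lands in (quote=True also
    covers the attribute case, where ' and \" would otherwise break out)."""
    return TEMPLATE.format(value=html.escape(value, quote=True))


def has_injected_tag(rendered):
    """Crude check for the tags the constructed payloads use. Browsers parse far
    more leniently than this, so a False means 'not proven', not 'safe'."""
    lowered = rendered.lower()
    return "<img" in lowered or "<svg" in lowered


if __name__ == "__main__":
    print(payload_lengths())
    print("fit in 30 chars:", payloads_that_fit(30))
    for name, payload in CANDIDATES.items():
        print(name, "unencoded:", has_injected_tag(reflect_unencoded(payload)),
              "encoded:", has_injected_tag(reflect_encoded(payload)))
```

The takeaway a tester wants from running this is the asymmetry: shaving the payload down buys a few characters, but the encoded output neutralises all three regardless of length, which is why the fix is contextual output encoding rather than a length limit.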

On the Road to Detection Engineering

Introduction People have asked numerous times on Twitter, LinkedIn, Discord, and Slack, “Leo, how do I get into Detection Engineering?” In this blog, I will highlight my unique experience, some learning resources you might want to get your hands on (all free or low cost), and extras that have helped me overall. I’m currently a…

Critical Outlook Vulnerability: In-Depth Technical Analysis and Recommendations (CVE-2023-23397)

Threat Overview

Earlier this week, Microsoft released a patch for Outlook vulnerability CVE-2023-23397, which has been actively exploited for almost an entire year. The exploit has been used by a hacking group linked to Russian military intelligence to target European organizations. CVE-2023-23397 allows threat actors to steal NTLM credentials of…

Red vs. Blue: Kerberos Ticket Times, Checksums, and You!

This blog post was co-authored with Charlie Clark of Semperis.

Introduction

At SANS Pen Test HackFest 2022, Charlie Clark (@exploitph) and I presented our talk 'I've Got a Golden Twinkle in My Eye', in which we built and demonstrated two tools that assist with more accurate detection of forged tickets being used. Although we demonstrated…
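
As an added example, not one of the two tools from the talk, the block below shows the "ticket times" half of the title: it compares the start, end and renew-till times of decoded tickets against the domain's Kerberos lifetime policy and reports anything a compliant KDC would not have issued. The policy values are the Default Domain Policy defaults and are an assumption; the tickets are constructed metadata, not real tickets. The checksum side of the detection is not covered here.

```python
from datetime import datetime, timedelta

# Assumed baseline: Default Domain Policy values for Kerberos ticket lifetimes.
# Replace with the values actually configured in the domain being checked.
MAX_TICKET_LIFETIME = timedelta(hours=10)
MAX_RENEWAL_LIFETIME = timedelta(days=7)

# Constructed ticket metadata (not real tickets). The three timestamps are the
# starttime, endtime and renew-till fields of a decoded ticket.
SAMPLE_TICKETS = [
    {"id": "tgt-normal", "client": "alice@CORP.LOCAL",
     "starttime": "2023-03-01T08:00:00", "endtime": "2023-03-01T18:00:00",
     "renew_till": "2023-03-08T08:00:00"},
    # a ten-year lifetime: nothing the KDC would issue under the policy above
    {"id": "tgt-suspect-long", "client": "Administrator@CORP.LOCAL",
     "starttime": "2023-03-01T08:00:00", "endtime": "2033-02-27T08:00:00",
     "renew_till": "2033-02-27T08:00:00"},
    # lifetime within policy, but the renewal window is not
    {"id": "tgt-suspect-renew", "client": "bob@CORP.LOCAL",
     "starttime": "2023-03-01T08:00:00", "endtime": "2023-03-01T18:00:00",
     "renew_till": "2023-04-01T08:00:00"},
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def ticket_findings(ticket, max_life=MAX_TICKET_LIFETIME, max_renew=MAX_RENEWAL_LIFETIME):
    """Return the policy violations found in one ticket's times; empty list means none."""
    start, end, renew = (_parse(ticket[k]) for k in ("starttime", "endtime", "renew_till"))
    findings = []
    if end < start:
        findings.append("endtime precedes starttime")
    if end - start > max_life:
        findings.append(f"lifetime {end - start} exceeds policy {max_life}")
    if renew - start > max_renew:
        findings.append(f"renewal window {renew - start} exceeds policy {max_renew}")
    return findings


def suspicious_tickets(tickets, **policy):
    """Map ticket id -> findings for every ticket whose times violate the policy."""
    result = {}
    for ticket in tickets:
        findings = ticket_findings(ticket, **policy)
        if findings:
            result[ticket["id"]] = findings
    return result


if __name__ == "__main__":
    for ticket_id, findings in suspicious_tickets(SAMPLE_TICKETS).items():
        print(ticket_id)
        for line in findings:
            print("  -", line)
```

Lifetime is a cheap first filter, not proof: a forger who sets times that match the policy passes this check, which is exactly why the post pairs ticket times with checksum validation rather than relying on either alone.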

New Attacks, Old Tricks: How OneNote Malware is Evolving

Analysis of OneNote Malware

A lot of information has been circulating regarding the distribution of malware through OneNote, so I thought it would be fun to look at a sample. It turns out there are many similarities between embedding malicious code in a OneNote document and the old macro/VBA techniques for Office…

A LAPS(e) in Judgement

As security practitioners, we live in a time where there is an abundance of tools and solutions to help us secure our homes, organizations, and critical data. We know the dangers of unpatched applications and devices as well as the virtues of things like password managers and encrypted databases to protect our passwords and other…

The Art of Bypassing Kerberoast Detections with Orpheus

Back in May of 2018, I wrote a blog post detailing the steps I took to detect Kerberoast (T1558.003) attacks. This research allowed us to help organizations build a detection for when a threat actor requests Kerberos service tickets for accounts that have a service principal name set. In this blog post, I am going to…
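
The detection the excerpt refers to keys on service ticket requests (Windows Security event 4769). The added example below, which is not code from the original post or from the Orpheus tool, runs two independent signals over constructed 4769 records: a ticket encryption type downgraded to RC4 (0x17), and one account collecting tickets for many distinct services in a short window. The sample events, account names and service names are constructed; the field names mirror the 4769 fields but the records are not real logs.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs). The fields mirror what Windows
# Security event 4769 (a Kerberos service ticket was requested) exposes:
# requesting account, service name, ticket encryption type and result code.
SAMPLE_4769 = [
    # ordinary user: a TGT renewal and one service ticket, AES (0x12)
    {"time": "2023-03-01T09:00:00", "user": "alice@CORP.LOCAL", "service": "krbtgt", "etype": "0x12", "status": "0x0"},
    {"time": "2023-03-01T09:00:05", "user": "alice@CORP.LOCAL", "service": "MSSQLSvc/db01", "etype": "0x12", "status": "0x0"},
    # burst of RC4 (0x17) requests for many SPN-bearing accounts: the classic Kerberoast shape
    {"time": "2023-03-01T09:10:00", "user": "mallory@CORP.LOCAL", "service": "MSSQLSvc/db01", "etype": "0x17", "status": "0x0"},
    {"time": "2023-03-01T09:10:01", "user": "mallory@CORP.LOCAL", "service": "HTTP/web01", "etype": "0x17", "status": "0x0"},
    {"time": "2023-03-01T09:10:02", "user": "mallory@CORP.LOCAL", "service": "CIFS/file01", "etype": "0x17", "status": "0x0"},
    {"time": "2023-03-01T09:10:03", "user": "mallory@CORP.LOCAL", "service": "svc_backup", "etype": "0x17", "status": "0x0"},
    # the same burst, AES only: a detection keyed on RC4 alone is blind to it
    {"time": "2023-03-01T11:00:00", "user": "eve@CORP.LOCAL", "service": "MSSQLSvc/db01", "etype": "0x12", "status": "0x0"},
    {"time": "2023-03-01T11:00:01", "user": "eve@CORP.LOCAL", "service": "HTTP/web01", "etype": "0x12", "status": "0x0"},
    {"time": "2023-03-01T11:00:02", "user": "eve@CORP.LOCAL", "service": "CIFS/file01", "etype": "0x12", "status": "0x0"},
]

RC4_HMAC = "0x17"


def _ts(event):
    return datetime.strptime(event["time"], "%Y-%m-%dT%H:%M:%S")


def _is_service_request(event):
    # krbtgt requests are TGT renewals, not roastable service tickets; names ending
    # in $ are machine accounts, whose long random keys are not worth cracking.
    return (event["status"] == "0x0"
            and event["service"] != "krbtgt"
            and not event["service"].endswith("$"))


def rc4_service_requests(events):
    """Signal 1: successful service ticket requests that came back RC4-encrypted."""
    return [e for e in events if _is_service_request(e) and e["etype"] == RC4_HMAC]


def spn_bursts(events, window=timedelta(seconds=60), threshold=3):
    """Signal 2: one account collecting tickets for >= threshold distinct services within window."""
    per_user = {}
    for e in events:
        if _is_service_request(e):
            per_user.setdefault(e["user"], []).append(e)
    flagged = {}
    for user, evs in per_user.items():
        evs.sort(key=_ts)
        for i, first in enumerate(evs):
            in_window = {e["service"] for e in evs[i:] if _ts(e) - _ts(first) <= window}
            if len(in_window) >= threshold:
                flagged[user] = flagged.get(user, set()) | in_window
    return flagged


def kerberoast_alerts(events):
    """Combine both signals so the report shows which one(s) fired per account."""
    alerts = {}
    for e in rc4_service_requests(events):
        alerts.setdefault(e["user"], set()).add("rc4-downgrade")
    for user in spn_bursts(events):
        alerts.setdefault(user, set()).add("spn-burst")
    return alerts


if __name__ == "__main__":
    for user, reasons in sorted(kerberoast_alerts(SAMPLE_4769).items()):
        print(f"{user}: {', '.join(sorted(reasons))}")
```

The point of running two signals is visible in the sample data: the AES-only burst never trips the encryption-type check, so a detection built on that single attribute has a bypass by construction, while the per-account volume check still fires on it. Tune the window and threshold against your own baseline of service ticket activity before treating the second signal as an alert.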

I Wanna Go Fast, Really Fast, like (Kerberos) FAST

Introduction

At TrustedSec, we weigh an information security program's ability to defend against a single specified attack by measuring detection, deflection, and deterrence. While most of my blog posts have concentrated on detection, this post is more deterrence focused. I first heard about Kerberos FAST from Steve Syfuhs (@SteveSyfuhs) of Microsoft…
