Category Archives: Purple Team Adversarial Detection & Countermeasures

Detection and Alerting: Selecting a SIEM

Posted on by

Summary Basic SIEM requirements should be in place to create mature detections for a variety of log sources, including network logs, system logs, and application logs (including custom applications). This focuses on Security Operations and does not include the engineering side of SIEM management, e.g., licensing, hardware/cloud requirements, retention needs, etc. Each component of the…

The post Detection and Alerting: Selecting a SIEM appeared first on TrustedSec.

Continue reading Detection and Alerting: Selecting a SIEM

Splunk SPL Queries for Detecting gMSA Attacks

Posted on by

1    Introduction What is a group Managed Service Account (gMSA)? If your job is to break into networks, a gMSA can be a prime target for a path to escalate privileges, perform credential access, move laterally or even persist in a domain via a ‘golden’ opportunity. If you’re an enterprise defender, it’s something you need…

The post Splunk SPL Queries for Detecting gMSA Attacks appeared first on TrustedSec.

Continue reading Splunk SPL Queries for Detecting gMSA Attacks

g_CiOptions in a Virtualized World

Posted on by

With the leaking of code signing certificates and exploits for vulnerable drivers becoming common occurrences, adversaries are adopting the kernel as their new playground. And with Microsoft making technologies like Virtualization Based Security (VBS) and Hypervisor Code Integrity (HVCI) available, I wanted to take some time to understand just how vulnerable endpoints are when faced…

The post g_CiOptions in a Virtualized World appeared first on TrustedSec.

Continue reading g_CiOptions in a Virtualized World

An ‘Attack Path’ Mapping Approach to CVEs 2021-42287 and 2021-42278

Posted on by

1.0 Introduction On Friday, December 10, 2021, Charlie Clark (@exploitph) published a blog post detailing the weaponization of CVEs 2021-42287 and 2021-42278. In the blog post, Charlie extensively covered the background of the vulnerabilities, how the vulnerabilities were weaponized into Rubeus, with help from Ceri Coburn (@_EthicalChaos_), the full ‘attack chain,’ mitigations, and some detections….

The post An ‘Attack Path’ Mapping Approach to CVEs 2021-42287 and 2021-42278 appeared first on TrustedSec.

Continue reading An ‘Attack Path’ Mapping Approach to CVEs 2021-42287 and 2021-42278

Creating a Malicious Azure AD OAuth2 Application

Posted on by

THIS POST WAS WRITTEN BY @NYXGEEK I decided to write this blog because I’ve seen a lot of articles mentioning that attackers will use a malicious OAuth web app with Azure AD, but I hadn’t actually seen much in the way of good examples of doing so. I’m sure I will find a dozen fantastic examples…

The post Creating a Malicious Azure AD OAuth2 Application appeared first on TrustedSec.

Continue reading Creating a Malicious Azure AD OAuth2 Application

Obsidian, Taming a Collective Consciousness

Posted on by

The Problem On August 05, 2021, a member of the Conti ransomware group leaked some of the group’s internal playbooks and technical documentation. Irrespective of any details surrounding the leak or its contents, the event itself prompted a more widespread examination of how teams’ maintain their operational playbooks and documentation. A tweet by Mubix came…

The post Obsidian, Taming a Collective Consciousness appeared first on TrustedSec.

Continue reading Obsidian, Taming a Collective Consciousness

Simple Data Exfiltration Through XSS

Posted on by

During a recent engagement, I found a cross-site scripting (XSS) vulnerability in a legal document management application and created a quick and dirty document exfiltration payload. Unfortunately, this discovery and coding happened on the final day of the engagement (*cough* reporting bonus hacking day), and I didn’t have a chance to actually put the exfiltrated…

The post Simple Data Exfiltration Through XSS appeared first on TrustedSec.

Continue reading Simple Data Exfiltration Through XSS

The Tale of the Lost, but not Forgotten, Undocumented NetSync: Part 1

Posted on by

They say, “Everything old is new again.” Or, if you are a Game of Thrones fan, “What is dead may never die.” For me, however, a mentor once told me, “Everyone is going forward. I’m going backward.” Enter NetSync… I find Twitter to be a good source for InfoSec tactics, techniques, and procedures (TTPs). Anytime…

The post The Tale of the Lost, but not Forgotten, Undocumented NetSync: Part 1 appeared first on TrustedSec.

Continue reading The Tale of the Lost, but not Forgotten, Undocumented NetSync: Part 1

The Tale of the Lost, but not Forgotten, Undocumented NetSync: Part 1

Posted on by

They say, “Everything old is new again.” Or, if you are a Game of Thrones fan, “What is dead may never die.” For me, however, a mentor once told me, “Everyone is going forward. I’m going backward.” Enter NetSync… I find Twitter to be a good source for InfoSec tactics, techniques, and procedures (TTPs). Anytime…

The post The Tale of the Lost, but not Forgotten, Undocumented NetSync: Part 1 appeared first on TrustedSec.

Continue reading The Tale of the Lost, but not Forgotten, Undocumented NetSync: Part 1

The Tale of the Lost, but not Forgotten, Undocumented NetSync: Part 2

Posted on by

This is a continuation of The Tale of the Lost, but not Forgotten, Undocumented NetSync (part 1) and in this section, we will look to answer: What are Some Early Indicators to Detect NetSync at the Host-based Level? What are Some Possible Controls to Deter NetSync? In an accompanying blog post, Wes Lambert (@therealwlambert) steps…

The post The Tale of the Lost, but not Forgotten, Undocumented NetSync: Part 2 appeared first on TrustedSec.

Continue reading The Tale of the Lost, but not Forgotten, Undocumented NetSync: Part 2