Okta for Red Teamers

For a long time, Red Teamers have been preaching the mantra “Don’t make Domain Admin the goal of the assessment” and it appears that customers are listening. Now, you’re much more likely to see objectives focused on services critical to an organization, with many being hosted in the cloud. With this shift in delegating some…

The post Okta for Red Teamers appeared first on TrustedSec.

Creative Process Enumeration

Very often in engagements, you’ll want to list out the processes running on a host. One thing that is beneficial to know is whether a process is a 64-bit or 32-bit process. Why do you need to know the process architecture, you might ask? The reasons are many, but one common example is that you…


Modeling Malicious Code: Hacking in 3D

Introduction: Attackers are always looking for new ways to deliver or evade detection of their malicious code, scripts, executables, and other tools that will allow them to access a target. We on the Tactical Awareness and Countermeasures (TAC) team at TrustedSec strive to keep up with attacker techniques and look ahead to develop potential evolutions…


Walking the Tightrope: Maximizing Information Gathering while Avoiding Detection for Red Teams

Analyze the balance between gaining useful information and avoiding detection, detailing recon techniques that can be employed without compromising stealth. Rob Joyce, who at the time was Head of the NSA’s Tailored Access Operations group, had this great quote from a 2016 USENIX talk: “We put the time in to know that network. We put…


TeamFiltration V3.5.0 – Improve All the Things!

TeamFiltration was publicly released during the DefCON30 talk, “Taking a Dump In The Cloud”. Before the public release, TeamFiltration was an internal tool for TrustedSec’s offensive security operations, which was shared internally back in January 2021. In short terms, TeamFiltration is a cross-platform framework for enumerating, spraying, exfiltrating, and backdooring Office 365 Azure AD accounts…


The Art of Bypassing Kerberoast Detections with Orpheus

Back in May of 2018, I wrote a blog post detailing the steps I took to detect Kerberoast (T1558.003) attacks. This research allowed us to help organizations build a detection for when a threat actor requests the Kerberos ticket for accounts with a service principal name established. In this blog post, I am going to…


Windows Processes, Nefarious Anomalies, and You: Threads

In part 1 of this blog mini-series, we looked at memory regions and analyzed them to find some potential malicious behavior. In part 2, we will do the same thing with enumerating threads. Nobody explains it better than Microsoft—here is their explanation of what a thread is: “A thread is the basic unit to which…


I Wanna Go Fast, Really Fast, like (Kerberos) FAST

Introduction: At TrustedSec, we weigh an information security program’s ability to defend against a single specified attack by measuring detection, deflection, and deterrence. Now, while a majority of my blog posts have been concentrated around detection, this post is more ‘deterrence’ focused. I first heard about Kerberos FAST from Steve Syfuhs (@SteveSyfuhs) of Microsoft…


Scraping Login Credentials With XSS

Unauthenticated JavaScript Fun: In prior blog posts I’ve shown the types of weaponized XSS attacks one can perform against authenticated users, using their session to access and exfiltrate data, or perform actions in the application as that user. But what if you only have unauthenticated XSS? Perhaps your client hasn’t provided you with credentials to…


A Diamond in the Ruff

This blog post was co-authored with Charlie Clark at Semperis. Background of the ‘Diamond’ Attack: One day, while browsing YouTube, we came across an older presentation from Blackhat 2015 by Tal Be’ery and Michael Cherny. In their talk, and subsequent brief, WATCHING THE WATCHDOG: PROTECTING KERBEROS AUTHENTICATION WITH NETWORK MONITORING, they outlined something we…
