Long before endpoint event logging became a norm it was incredibly difficult to collect information about popular processes, services, paths, CLSIDs, etc.. Antivirus companies, and later sandbox companies had tones […]  ( 4 min )

This improved experience reduces time to launch, which is vital when your organization is up against an urgent timeline to complete a pentest due to a  ( 4 min )

MetaStealer is a new information stealer variant designed to fill the void following Racoon stealer suspending operations in March of this year.  ( 5 min )

(The version of Ghidra used in this article is 10.1.2. For the Go string recovery tool release, skip ahead to Ghostrings Release.) Introduction A well-known issue with reverse engineering Go programs is that the lack of null terminators in Go strings makes recovering string definitions from compiled binaries difficult. Within a compiled Go program, many … Continue reading earlyremoval, in the Conservatory, with the Wrench: Exploring Ghidra’s decompiler internals to make automatic P-Code analysis scripts →  ( 22 min )

Introduction Ghostrings is a collection of Ghidra scripts for recovering string definitions in Go binaries with P-Code analysis. A well-known issue with reverse engineering Go programs is that the lack of null terminators in Go strings makes recovering string definitions from compiled binaries difficult. Within a compiled Go program, many of the constant string values … Continue reading Tool Release – Ghostrings →  ( 5 min )

In my last article, we created a new VM for Kali Linux, mounted the ISO file to its virtual DVD drive, and changed the boot order so that the VM could boot from the virtual DVD drive. Here, I will show how to start and stop a Hyper-V with PowerShell. You'll also learn how to disable secure boot with PowerShell. Start and stop a Hyper-V VM with PowerShell first appeared on 4sysops.  ( 3 min )

TL;DR Galleon Systems’ GPS NTP time server had a command injection vulnerability in the firmware of their NTS GPS device which could allow total control of the device through the […] Galleon NTS-6002-GPS Command Injection vulnerability (CVE-2022-27224) first appeared on Pen Test Partners.  ( 5 min )

Software developers using GitLab CI are being targeted with malware through a typosquatting attack, putting downstream users at risk.  ( 6 min )

In this guide, I'll take a closer look at the process of restoring a BitLocker-encrypted drive from an image backup. Along the way, you'll learn about a solution for BitLocker backups that allows you to avoid re-encryption of the system drive after the restore. Restore BitLocker-encrypted drives from image backup first appeared on 4sysops.  ( 5 min )

Pwn2Own Vancouver for 2022 is underway, and the 15th anniversary of the contest has already seen some amazing research demonstrated. Stay tuned to this blog for updated results, picture, and videos from the event. We’ll be posting it all here - including the most recent Master of Pwn leaderboard. Jump to Day One results; Jump to Day Two results; Jump to Day Three results Here are the current standings for the Master of Pwn: Current as of May 18, 17:00 Pacific Day One - May 18, 2022 SUCCESS - Hector “p3rr0” Peralta was able to demonstrate an improper configuration against Microsoft Teams. He earns $150,000 and 15 Master of Pwn points. Hector “p3rr0” Peralta demonstrates a improper configuration bug on Microsoft Teams by launching calc. SUCCESS - Billy Jheng Bing-Jhong (@st424204), Muh…

How Are Bug Bounty Programs and Vulnerability Disclosure Programs Different? Let’s start with the similarities. Both bug bounties and VDPs aim to  ( 6 min )

In this blog post we will cover why rogue subscriptions are problematic and revisit a solution published a couple of years ago on Microsoft's Tech Community. Finally, we will conclude with some hardening recommendations to restrict the creation and importation of Azure subscriptions.  ( 7 min )

EntropyCapture extracts the DPAPI optional entropy using API hooking.  ( 3 min )

If, at logon, you receive an error message that the trust relationship between a workstation and the primary domain failed, and you cannot logon, there are several ways to deal with the issue. These solutions also work on Windows 11 systems, where you may still log on, but the network connections tray icon in the system claims that the computer is part of an unidentified network. When the trust relationship between a workstation and the primary AD domain fails first appeared on 4sysops.

Cybersecurity is no longer just about technology, it's about people.  ( 6 min )

Welcome to Pwn2Own Vancouver 2022! This year marks the 15th anniversary of the contest, and we plan on celebrating by putting some amazing research on display. For this year’s event, we have 17 contestants attempting to exploit 21 targets across multiple categories. As always, we began our contest with a random drawing to determine the order of attempts. If you missed it, you can watch the replay here. The complete schedule for the contest is below (all times Pacific [GMT -7:00]). Note: All times subject to change - You can see the results and live updates here once they become available. Entries marked with a 📷 icon will be live-streamed on YouTube, Twitch, and Twitter. Wednesday, May 18, 2022 0930: Hector “p3rr0” Peralta targeting Microsoft Teams in the Enterprise Communications categ…

Exchange administrators should know the maximum possible mailbox size in the environment they are managing, whether on-prem or in the cloud. In an on-prem installation, admins can use this information to prevent excessive database growth. In the cloud, excessive mailbox sizes might require an upgrade of the M365 plan. The configuration of the mailbox quota is possible both in the Exchange admin center (EAC) and via Exchange PowerShell. Configure mailbox size and quota in Exchange 2016/2019 and Exchange Online first appeared on 4sysops.  ( 6 min )

By Francesco Bertolaccini Rellic is a framework for analyzing and decompiling LLVM modules into C code, implementing the concepts described in the original paper presenting the Dream decompiler and its successor, Dream++. It recently made an appearance on this blog when I presented rellic-headergen, a tool for extracting debug metadata from LLVM modules and turning […]  ( 6 min )

A guide to relaying credentials everywhere in 2022 NTLM relay is a well-known technique that has been with us for many years and never seems to go away. Almost every article about NTLM relay could start with that phrase. It could be a cliché but it’s almost true. The first implementation of this attack date […] The post We Love Relaying Credentials: A Technical Guide to Relaying Credentials Everywhere appeared first on SecureAuth.  ( 17 min )

"Word". We heard that a lot of you have been having problems finding a truly dope vulnerable web application to wave your scanner at. As makers of the web's OG vulnerability scanner, we couldn't be le  ( 3 min )

In this new post of my Hyper-V management series, I will explain how create a Hyper-VM with PowerShell. How to create a Hyper-V VM with PowerShell first appeared on 4sysops.  ( 4 min )

Industrial control systems security is slowly improving, partly a result of attention from regulators and lawmakers. However, we often see security controls implemented that don’t take account of the unique […] Got the security controls wrong in OT and maritime? Watch as engineers work around them first appeared on Pen Test Partners.  ( 5 min )

Summary of SANS Cybersecurity Leadership Curriculum which is developing cyber security managers and leaders worldwide.  ( 9 min )

Summary The Kwikset/Weiser Kevo line of smart locks support Bluetooth Low Energy (BLE) passive entry through their Touch-to-Open functionality. When a user touches the exterior portion of the lock, the lock checks that an authorized BLE device is exterior to and within a short distance of the smart lock, and then performs a cryptographic handshake … Continue reading Technical Advisory – Kwikset/Weiser BLE Proximity Authentication in Kevo Smart Locks Vulnerable to Relay Attacks →  ( 4 min )

Summary The Tesla Model 3 and Model Y employ a Bluetooth Low Energy (BLE) based passive entry system. This system allows users with an authorized mobile device or key fob within a short range of the vehicle to unlock and operate the vehicle, with no user interaction required on the mobile device or key fob. … Continue reading Technical Advisory – Tesla BLE Phone-as-a-Key Passive Entry Vulnerable to Relay Attacks →  ( 4 min )

Summary Many products implement Bluetooth Low Energy (BLE) based proximity authentication, where the product unlocks or remains unlocked when a trusted BLE device is determined to be nearby. Common examples of such products include automotive Phone-as-a-Key systems, residential smart locks, BLE-based commercial building access control systems, and smartphones and laptops with trusted BLE device functionality. … Continue reading Technical Advisory – BLE Proximity Authentication Vulnerable to Relay Attacks →  ( 4 min )

This new version of base64dump adds decoding of netbios name encoding with lowercase letters. base64dump_V0_0_21.zip (http)MD5: 5701B6D9691E366ED5E2EE6D06689012SHA256: BE939E0225C83319A31A096DA29C1CA9D3C575DCCE9C1795814B335BD0871E92  ( 3 min )

With the leaking of code signing certificates and exploits for vulnerable drivers becoming common occurrences, adversaries are adopting the kernel as their new playground. And with Microsoft making technologies like Virtualization Based Security (VBS) and Hypervisor Code Integrity (HVCI) available, I wanted to take some time to understand just how vulnerable endpoints are when faced with an attacker set on escaping to Ring-0.  ( 8 min )

For better or worse, however, not everyone processes conflict and competition the same way. This is where things get interesting (and potentially dangerous).

ldapsearch is a extremely powerful tool, especially for Windows Active Directory enumeration. It’s one of my primary tools when performing pentesting or red teaming against an environment with Active Directory, but also comes in quiet handy to know as many times it can come default installed or part of a base image, so its a bit Living-Off-The-Land-esq. Another point towards ldapsearch is that it’s easy to forget that Active Directory isn’t the only LDAP server in most environments and the ability to utilize a tool like this can come in extremely handy. If you want to find Active Directory LDAP servers, use the following command: $ dig -t SRV _ldap._tcp.dc._msdcs.sittingduck.info Basic Usage -x Basic Authentication, you usually use this if you are going to include a username and password…  ( 8 min )

This new version of oledump.py brings support for user defined properties and an update to plugin plugin_msg_summary.py Office documents with VSTO applications have user defined properties. These properties can be extracted with my plugin plugin_medata.py, but not with the current version of olefile.However, the development version of olefile can be used to extract these properties. […]  ( 3 min )

* Caveats apply. Resource Based Constrained Delegate (RBCD) privilege escalation, described by Elad Shamir in the "Wagging the Dog" blog post is a devious way of exploiting Kerberos to elevate privileged on a local  Windows machine. All it requires is write access to local computer's domain account to modify the msDS-AllowedToActOnBehalfOfOtherIdentity LDAP attribute to add another account's SID. You can then use that account with the Services For User (S4U) protocols to get a Kerberos service ticket for the local machine as any user on the domain including local administrators. From there you can create a new service or whatever else you need to do. The key is how you write to the LDAP server under the local computer's domain account. There's been various approaches usually abusing authen…  ( 5 min )

Failed Request Tracing is the most important IIS feature for diagnosing and troubleshooting any problem. It helps you determine what is exactly going on with your requests and why, provided you could reproduce the problem after enabling the failed request tracing feature. IIS Failed Request Tracing first appeared on 4sysops.  ( 9 min )

Do you ever wonder about the vulnerabilities you've missed? Why didn't they show themselves - and will they be discovered by somebody else later? Certain vulnerabilities have a knack for evading audit  ( 3 min )

NVISO is proud to announce that it has successfully qualified as an APT Response service provider and is now recommended on the website of the German Federal Office for Information Security (BSI).   Advanced Persistent Threats (APT) are typically described as attack campaigns in which highly skilled, often state-sponsored, intruders orchestrate targeted, long-term attacks. Due to their … Continue reading NVISO approved as APT Response Service Provider →  ( 3 min )

This is just a bugfix version. zipdump_v0_0_22.zip (http)MD5: 68F9F3809E4E1F9ADE4A4C3835CDF475SHA256: 92ED372579001C826D5AF31615B8334CC798FF2DA4AF8B7C46267BF7D995C757  ( 3 min )

A comment on the previous post about deploying Chrome extensions posed the question of whether PowerShell could be used to remove Chrome extensions. Remove or block Chrome extensions with PowerShell first appeared on 4sysops.  ( 6 min )

Earlier this week, Apple, Google, and Microsoft announced plans to expand support for a common passwordless sign-in standard created by the FIDO Alliance and the World Wide Web Consortium. We are excited about this announcement and applaud the players involved. It will accelerate momentum towards eliminating passwords entirely in the future. And to be a […] The post SecureAuth Welcomes Apple, Google, and Microsoft’s Commitment to Passwordless by FIDO Alliance   appeared first on SecureAuth.  ( 4 min )

SANS Cybersecurity Blog pertaining to a summary of the SANS Neurodiversity in Cybersecurity Summit  ( 5 min )

EIP-3b20d7b3 A command injection vulnerability exists within the web management interface of the D-Link DIR-1260 Wi-Fi router that allows for unauthenticated attackers to execute arbitrary commands on the device with root privileges. The flaw specifically exists within the SetDest/Dest/Target arguments to the GetDeviceSettings form. The management interface is accessible over HTTP and HTTPS on the local ... Read more D-Link DIR-1260 GetDeviceSettings Pre-Auth Command Injection Vulnerability The post D-Link DIR-1260 GetDeviceSettings Pre-Auth Command Injection Vulnerability appeared first on Exodus Intelligence.  ( 1 min )

Visualizing data is integral to threat research. See how we used this timeline analysis tool to track activity in the Ukrainian cyber conflict.  ( 7 min )

Certificate-based authentication is an extremely robust and secure mechanism for validating a user's identity. However, until recently, you had to deploy Active Directory Federation Services (AD FS) to make it available for Azure AD. Microsoft has recently introduced an Azure AD certificate-based authentication service (Azure CBA), which significantly simplifies implementing certificate-based authentication. Azure AD certificate-based user authentication first appeared on 4sysops.  ( 6 min )

Below are the writeups for two vulnerabilities I discovered in Solana rBPF, a self-described “Rust virtual machine and JIT compiler for eBPF programs”. These vulnerabilities were responsibly disclosed according to Solana’s Security Policy and I have permission from the engineers and from the Solana Head of Business Development to publish these vulnerabilities as shown below.  ( 14 min )

By applying well-known fuzzing techniques to a popular target, I found several bugs that in total yielded over $200K in bounties. In this article I will demonstrate how powerful fuzzing can be when applied to software which has not yet faced sufficient testing.  ( 33 min )

A misunderstood but deeply important feature to lock down when deploying workloads in cloud. Learn about Cloud Instance Metadata Services (IMDS) in this blog post.  ( 9 min )

ol{margin:0;padding:0}table td,table th{padding:0}.RmvCPDuePa-c3{padding-top:0pt;padding-bottom:0pt;line-height:1.5;orphans:2;widows:2;text-align:left;height:11pt}.RmvCPDuePa-c0{color:#000000;font-weight:400;text-decoration:none;vertical-align:baseline;font-size:11pt;font-family:"Arial";font-style:normal}.RmvCPDuePa-c7{padding-top:0pt;padding-bottom:0pt;line-height:1.5;orphans:2;widows:2;text-align:left}.RmvCPDuePa-c2{padding-top:0pt;padding-bottom:0pt;line-height:1.0;text-align:left}.RmvCPDuePa-c6{text-decoration-skip-ink:none;-webkit-text-decoration-skip:none;color:#1155cc;text-decoration:underline}.RmvCPDuePa-c4{background-color:#ffffff;max-width:468pt;padding:72pt 72pt 72pt 72pt}.RmvCPDuePa-c1{color:inherit;text-decoration:inherit}.RmvCPDuePa-c5{border:1px solid black;margin:5px}.title…  ( 2 min )

It’s the fifth second Tuesday of 2022, which also means it’s the also the fifth Patch Tuesday of the year, and it brings with it the latest security updates from Adobe and Microsoft. This is also the last release before Pwn2Own Vancouver, which means multiple participants will be holding their breath to see if their exploits still work or were patched out. Take a break from your regularly scheduled activities and join us as we review the details of their latest security offerings. Adobe Patches for May 2022 For May, Adobe released five bulletins addressing 18 CVEs in Adobe CloudFusion, InCopy, Framemaker, InDesign, and Adobe Character Animator. A total of 17 of these CVEs were reported by ZDI vulnerability researcher Mat Powell. The largest of these patches is the fix for Framemaker with 1…

A Security Survey on How to Close Your Organization's Attack Resistance Gap  ( 6 min )

It is important for an administrator to know what Windows PowerShell and PowerShell edition and version are installed on a system, especially due to script compatibility. This article covers all the ways to check the PowerShell version on Windows, Linux, and MacOS and offers tips and tricks. I will also discuss the changes in PowerShell 7 and PowerShell 7.2. How to check the PowerShell version first appeared on 4sysops.  ( 5 min )

With all the talk about the growing obsolescence of passwords, it may seem strange that there exists such a thing as World Password Day. Aren’t we trying to move away from, rather than center on, passwords? This is, in fact, the real purpose of World Password Day: to draw attention to the increasing vulnerability of […] The post Reflections on World Password Day: Are You Going Passwordless Yet? appeared first on SecureAuth.  ( 5 min )

Introduction During our engagements, red team operators often find themselves operating within complex Active Directory environments. The question then becomes finding the needle in the haystack that allows the red team to further escalate and/or reach their objectives. Luckily, the security community has already come up with ways to assist operators in answering these questions, … Continue reading Introducing pyCobaltHound – Let Cobalt Strike unleash the Hound →

By default, the IIS server is set to show detailed errors for local requests only, whereas it displays a custom error page for remote requests. This is done for security reasons, since detailed errors could reveal potentially detailed technical information about the web server and website. Enable detailed IIS errors first appeared on 4sysops.  ( 6 min )

It’s not uncommon for developers to find that they need to help their end users. For starter, the business requirements for software can be highly convoluted and technical. Working with […] Constrained environment breakout. .NET Assembly exfiltration via Internet Options first appeared on Pen Test Partners.  ( 9 min )

In this update for cs-parse-traffic.py, my tool to decrypt & parse Cobalt Strike traffic, I added some error handling. cs-parse-traffic_V0_0_5.zip (http)MD5: CFF6D97E816B23065F051D91B0F101A6SHA256: 69763EB4D3A163824B417A0E23131B318F5E97198F255ECE449A65D4360C6302  ( 3 min )

Lessons Learned Slides Lesson 1 Lesson 2 Lesson 3 Lesson 4 Lesson 5 Lesson 6 Lesson 7 Lesson 8 Lesson 9 Lesson 10 Lesson 11 Lesson 2 - Least Privilege No one should have administrative access. All elevated access should be checked out when you need it and checked back in (automatically if possible). Just like UAC. MFA should be required, proximity or push based. And every use of a break glass account should be highly monitored I think “Least Privilege” has been harped on at least … you know what, let me wager that you can’t find a single infosec or hacking conference from 2000 until now (2022) that doesn’t have 4 talks with the words “least privilege” in the talk. But maybe a handful out of all of those talks tell you how to accomplish such a feat. The Goal Lets talk about the goal first …  ( 3 min )

Lessons Learned Slides Lesson 1 Lesson 2 Lesson 3 Lesson 4 Lesson 5 Lesson 6 Lesson 7 Lesson 8 Lesson 9 Lesson 10 Lesson 11 Lesson 1 - YOU could be “Legacy” Stop thinking that just because it did or didn’t work X way when you learned it, it still does or doesn’t. That could be 20 years ago. Technology changes faster than you do. I guess that’s a bit mean for a title but here’s the thing: One of the greatest yet most challenging things about doing any job in technology is staying current. Everyone struggles to stay up to date with as much of what is going on around you. Many people specialize, which makes it easier to stay up to date with a specific thing. Yet that can lead to tunnel vision as well. All I’m trying to say here is that sometimes, the person with the least amount of “experience” in a given technology field is going to have the most open mind to what is possible. No matter how long you have been in cyber security or technology in general, you should consider your knowledge on a specific topic a point in time piece of information. At that exact moment in your life, that fact was true. This doesn’t mean that it stays that way. Take passwords for example. Everyone said “8 character passwords are secure” for decades. I’m still hearing that. Or “never write your passwords down”. This is just one example. “Never use X software, it’s insecure”, is it still?. One of the ways I stay “current” is by always challenging my knowledge of how I think things should work vs how they do. This is why during my keynote I noted when and where I leaned these lessons, there is every possibility I am complete off base with all of them. This is also why it’s my beautiful basics lesson #1. Something to always keep top of mind.  ( 1 min )

Our intent with FRAME is to bind the functions of model-based red teaming to security risk awareness across the extended enterprise. Among other things, we’re intentionally expanding the field of vision to include strategic and operational functions.

Having a good red team development workstation is essential for creating payloads, testing out new tools and keeping your work organized…  ( 7 min )

Summary Ruby on Rails is a web application framework that follows the Model-view-controller (MVC) pattern. It offers some protections against Cross-site scripting (XSS) attacks in its helpers for the views. Several tag helpers in ActionView::Helpers::FormTagHelper and ActionView::Helpers::TagHelper are vulnerable against XSS because their current protection does not restrict properly the set of characters allowed in … Continue reading Technical Advisory: Ruby on Rails – Possible XSS Vulnerability in ActionView tag helpers (CVE-2022-27777) →  ( 3 min )

The widgets in Windows 11 are essentially the successors of News and interests, known from Windows 10. Like these, the widgets are often annoying in professional environments and therefore not desired. You can only completely disable Windows 11 widgets with Group Policy. Disable Windows 11 widgets using Group Policy first appeared on 4sysops.  ( 5 min )

Cryptographic weaknesses often arise in applications when the core security concepts are misunderstood or misused by developers. For this reason, a thorough review of all cryptographic implementations can be a juicy target when designing an application or starting a security assessment. Often, cryptography is used in the context of communication (e.g. a key exchange or […] The post Signing and Encrypting with JSON Web Tokens appeared first on Praetorian.  ( 9 min )

This new version of oledump.py brings some fixes and an update to plugin plugin_vbaproject to decode and display the password for plaintext passwords: oledump_V0_0_66.zip (http)MD5: 20D89F0477ED7B533C2B0C6D27EC4255SHA256: F67051EF2FA3FD42206C5ADFAC807C94ECD5F7F0F6427433B366217F675D3195  ( 3 min )

Overview Recently I’ve been working on writing a custom SMB client that implements the initial handshake and NTLM authentication functionality to perform port fingerprinting within Chariot Identify, our attack surface management product. While reading through the SMB specification, I got to thinking about Computer AdminTo Computer vulnerabilities we have exploited over the last few years […] The post Computer Account Relaying Vulnerabilities Part 2 appeared first on Praetorian.  ( 6 min )

Two high-severity flaws in popular end user security tools allow attackers to elevate privileges and compromise devices.  ( 5 min )

This guide has been updated for the latest Windows versions Windows 11 and Windows Server 2022. You'll learn how to install the Active Directory (AD) module for PowerShell Core 6.0, PowerShell 7 and Windows PowerShell. For Windows PowerShell, the tutorial describes how to install the AD module for Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Windows Server 2008 R2, Windows Server 2012 R2, and Windows Server 2016, Windows Server 2010 and Windows Server 2022. You'll also learn how to work with the AD module on other systems such as macOS or Linux with the help of PowerShell remoting. How to install the PowerShell Active Directory module first appeared on 4sysops.  ( 12 min )

This blog post documents some of the actions taken during the initial access phase for an attack attributed to Lazarus, along with analysis of the malware that was utilised during this phase.  ( 5 min )

ICS Security Summit & Training kicks off June 1. Register today.  ( 7 min )

Today is the perfect opportunity to talk about strong passwords.  ( 8 min )

In the first post in this series we covered a brief background on machine learning, the Revoke-Obfuscation approach for detecting…  ( 19 min )

So you’ve heard of Pwn2Own and think you are up to the challenge of competing in the world’s most prestigious hacking competition. Great! We would love to have you! However, there are a few things you should know before we get started. With Pwn2Own Vancouver just around the corner, here are 10 things you need to know before participating in Pwn2Own. 1.     You need to register before the contest. We try to make this as apparent as possible in the rules, but we still have people walk into the room on the first day of the contest hoping to participate. There are a lot of logistics around Pwn2Own, so we need everyone to complete their registration before the contest starts. We can’t support anyone who wants to join on the first day of the competition. 2.     You need to answer the vetting em…

The purpose of this article is to raise awareness of the possibility of sending mail anonymously through Microsoft Exchange Servers and to show mitigations for the resulting risks. After setting up Exchange Server 2019, you might be unaware that it's possible to send mail anonymously to internal recipients by default. This means that, using PowerShell, for example, anyone in your LAN may send messages to internal accounts without revealing their identity. Sending email anonymously through Exchange Servers first appeared on 4sysops.  ( 8 min )

Today, we are pleased to announce the release of the latest version of Impacket, our collection of Python classes for working with network protocols, and much more. Impacket release 0.10.0 is available now and brings several new features and enhancements including a refreshed NTLMrelayx, the Kerberos Key List attack implementation, a refactored Credential Cache, the sunsetting […] The post Impacket v0.10.0 Now Available appeared first on SecureAuth.  ( 7 min )

No content preview  ( 3 min )

Microsoft started to provide language packs as Language Experience Packs (LXP) in Windows 10 1903. At the same time, LPs have still been shipped as CAB files. The duplicate formats have led to inconsistent administration of language settings. Windows 11 now removes some of these issues. Add a language pack in Windows 11 first appeared on 4sysops.  ( 6 min )

By William Woodruff Last week, over 500 cryptographers from around the world gathered in Amsterdam for Real World Crypto 2022, meeting in person for the first time in over two years. As in previous years, we dispatched a handful of our researchers and engineers to attend the conference, listen to talks, and schmooze observe the […]  ( 13 min )

SANS Cloud Security Blog pertaining to a summary of the SANS CloudSecNext Summit  ( 5 min )

The agenda for the SANS 2022 Security Awareness Summit, Aug. 3-4, is live and the event is epic!  ( 6 min )

RISC-V (pronounced “risk-five” ) is an open standard instruction set architecture (ISA) based on established reduced instruction set computer (RISC) principles. Unlike most other ISA designs, RISC-V is provided under open source licenses that do not require fees to use. … Continue reading →  ( 4 min )

Red team input can break prevailing “business as usual” perspectives, processes, priorities, and planning. Then again, an unexpected adversarial event can do the same, only worse (pay a little now or pay a lot later).

No content preview  ( 2 min )

Chinese-aligned APT group Moshen Dragon caught sideloading malware through multiple AV products to infect telecoms sector.  ( 5 min )

Pass-through authentication is an alternative to AD FS and password hash synchronization in Azure AD. This technology allows users to access cloud apps after authenticating against the local Active Directory. The configuration of pass-through authentication is less complex than that of AD FS, for example. Configuring SSO between Active Directory and Azure using pass-through authentication first appeared on 4sysops.  ( 7 min )

NVISO employees in Frankfurt and Munich showcased their work in Cybersecurity to the girls with live hacking demos, a view behind the scenes of NVISO and hands-on tips for their personal online security. Participating in the Germany- Wide “Girls Day”, we further widened the field of future career choices for the young visitors and brought … Continue reading Girls Day at NVISO Encourages Young Guests To Find Their Dream Job →

Today I keynoted @BSidesVancouver. It was an honor to be asked and I had a great time. Conference Link: https://hopin.com/events/bsides-vancouver-2022/ I talked about 11 lessons learned over my career that contradict some of the edicts that are well known in the Cyber Security space. Before we get into the lessons though, let me attack the things I know many of you reading this already have queued up in your head. Counter Point 1 “All of that is well and good, but it’ll never work where I work.” Why not? Every single one of these lessons learned are things that I was told wasn’t possible. For the most part they were things I didn’t even do, they were things either already in place when I joined the company or put into place while I worked there. I saw first hand that something I was told was “impossible” was not only possible but accomplished much more than I could have imagined. Until you see something for yourself, it’s hard to go against what you are taught, but as Security Professionals isn’t that what we are supposed to do? Look beyond the scope of what is seen as “possible”? Counter Point 2 “It’s not as easy as you are making it sound.” You are right, none of this is easy. Good work hardly ever is. If you are looking for the easy solution, something that can be done in a day or a week this is not the blog series for you. Counter Point 3 “We already known all of this” Awesome! I wish I would have known these things earlier in my career. Lessons Learned Lesson 1 Lesson 2 Lesson 3 Lesson 4 Lesson 5 Lesson 6 Lesson 7 Lesson 8 Lesson 9 Lesson 10 Lesson 11  ( 1 min )

SANS Vulnerability Management Resources for Cloud and Enterprise collected in one place for easy access  ( 8 min )

Here is an overview of content I published in April: Blog posts: Power Consumption Of A Philips Hue lamp In Off State .ISO Files With Office Maldocs & Protected View in Office 2019 and 2021 New Tool: myjson-filter.py Update: cut-bytes.py Version 0.0.14 Update: 1768.py Version 0.0.13 New Tool: pngdump.py (Beta) Update: re-search.py Version 0.0.19 Update: […]  ( 3 min )

Someone asked me what the byte sequence is for an infinite loop in x86 machine code (it’s something you could use while debugging, for example). That byte sequence is just 2 bytes long: EB FE. It’s something you can check with nasm, for example. File jump-infinite-loop.asm: nasm jump-infinite-loop.asm -l jump-infinite-loop.lst File jump-infinite-loop.lst: Quickpost info  ( 3 min )

[…]  ( 13 min )

BUMBLEBEE is a new malicious loader that is being used by several threat actors and has been observed to download different malicious samples. This post provides our initial analysis  ( 5 min )

VSTO Office files are Office document files linked to a Visual Studio Office File application. When opened, they launch a custom .NET application. There are various ways to achieve this, including methods to serve the VSTO files via an external web server. An article was recently published on the creation of these document files for … Continue reading Analyzing VSTO Office Files →

This new version of oledump.py brings a new plugin (plugin_metadata) and Python 3 fixes for 2 plugins (plugin_msi and plugin_ppt). The new plugin is actually an old unpublished plugin, that I updated recently. This plugin parses Office document metadata as defined in document [MS-OLEPS]. I started to write this in 2015 to parse the metadata […]  ( 3 min )

In this second post in my series about Hyper-V management with PowerShell I will explain how to create a Hyper-V virtual switch with PowerShell. In my previous post I explained how to install Hyper-V with PowerShell. Virtual switch types Create a Hyper-V virtual switch with PowerShell first appeared on 4sysops.  ( 3 min )

No content preview  ( 7 min )

Introduction Azure has an insecure default guest user setting, and your organization is probably using it. The default settings Azure provides would allow any user within the organization (including guest users) to invite guest users from any domain, bypassing any central identity management solutions (e.g. Okta, Auth0) and onboarding processes. Additionally, an attacker may use […] The post Guest who? Insecure Azure Defaults! appeared first on Praetorian.  ( 6 min )

This post describes the techniques, tactics and procedures we observed during recent LAPSUS$ incidents.  ( 5 min )

Introduction Every automated task in Cortex XSOAR relies on executing commands from integrations or automations either in a playbook or directly in the incident war room or playground. But what if you wanted to incorporate a command or automation from Cortex XSOAR into your own custom scripts? For that you can use the API. In … Continue reading Cortex XSOAR Tips & Tricks – Execute Commands Using The API →

In this first post of my series about managing Hyper-V with PowerShell I will outline how to install Hyper-V Server and the Hyper-V role with PowerShell. Install Hyper-V with PowerShell first appeared on 4sysops.  ( 3 min )

Korzybski to the rescue once again! In part 1, we look at how two-valued orientation can shape and constrain thinking.

Long-running LockBit ransomware attempts to evade Windows ETW, AMSI and EDR by leveraging legitimate VMware logging command line utility.  ( 8 min )

Speaking to Burp Suite Enterprise Edition users, one thing has come up time and time again as a blocker to your understanding of the product. This has been our use of the term "agent" when describing  ( 3 min )

Burp Suite Enterprise Edition is the dynamic web vulnerability scanner that can help you to secure your whole portfolio. To help you achieve that, this article contains some advice on how to optimize  ( 3 min )

Innovative Method of Biobehavioral Credentials Deliver Frictionless Authentication to Prevent Fraud using Dynamic Level of Assurance IRVINE, Calif. – April 25 2022 – SecureAuth, a leader in next-generation access management and authentication, announces that the United States Patent and Trademark Office (USPTO) granted the company four groundbreaking methods for authenticating users’ claimed identities for frictionless […] The post SecureAuth Announces New Behavioral Modeling Patents to Fortify Passwordless Continuous Authentication appeared first on SecureAuth.  ( 5 min )

The Python module Paramiko enables you to leverage Python to automate the management of CISCO routers and switches. In this guide, I will explain how to install Paramiko via pip and provide a usage example. The module makes Python act as an SSH client or server, enabling us to automate any device to which we can connect via SSH. Python module Paramiko for managing CISCO devices: Installation and usage example first appeared on 4sysops.  ( 7 min )

The SANS Security Awareness Professional (SSAP) is the world’s leading industry-recognized credential that signifies that the holder has the knowledge and expertise to build, maintain and measure a mature security awareness program.  ( 5 min )

In the previous post, I went through a very brief overview of some machine learning concepts, talked about the Revoke-Obfuscation project…  ( 20 min )

The post CloudGoat goes Serverless: A walkthrough of Vulnerable Lambda Functions appeared first on Rhino Security Labs.  ( 5 min )

The IACR’s annual Real World Cryptography (RWC) conference took place in Amsterdam a few weeks ago. It remains the best venue for highlights of cryptographic constructions and attacks for the real world. While the conference was fully remote last year, this year it was a 3-day hybrid event, live-streamed from a conference center in charming … Continue reading Real World Cryptography Conference 2022 →  ( 21 min )

By Christian Presa Schnell During my winternship, I used the findings from recent Go audits to make several improvements to go-fuzz, a coverage-based fuzzer for projects written in Go. I focused on three enhancements to improve the effectiveness of Go fuzzing campaigns and provide a better experience for users. I contributed to fixing type alias […]  ( 9 min )

Since version 80, Firefox has allowed you to import passwords in CSV format. This can be used, for example, to export passwords from Firefox and transfer them to another PC. If you format the data accordingly, you can also import them from other programs, such as password managers. Export and import passwords in Firefox first appeared on 4sysops.  ( 5 min )

Introduction This article introduces VirtualBox research and explains how to build a coverage-based fuzzer, focusing on the emulated network device drivers. In the examples below, we explain how to create a harness for the non-default network device driver PCNet. The example can be readily adjusted for a different network driver or even different device driver components. We are aware that there are excellent resources related to this topic - see [1], [2]. However, these cover the fuzzing process from a high-level perspective or omit some important technical details. Our goal is to present all the necessary steps and code required to instrument and debug the latest stable version of VirtualBox (6.1.30 at the time of writing). As the SVN version is out-of-sync, we download the tarball inste…  ( 11 min )

CISA Shields Up in response to looming Russian Cyberattacks, Exodus Intelligence wants to help The Cybersecurity and Infrastructure Security Agency (CISA) recently launched the #ShieldsUp Campaign to provide organizations resources and recommended actions to heighten their security posture in light of the Russian invasion of Ukraine.  Evolving intelligence indicates that the Russian Government is exploring ... Read more Exodus Wants to help CISA Shields Up The post Exodus Wants to help CISA Shields Up appeared first on Exodus Intelligence.  ( 1 min )

Getting rid of unsecure password authentication is becoming a priority for many businesses. Companies using Microsoft's Azure Active Directory have many options to implement passwordless authentication. One of these is using a FIDO2 security key. Passwordless authentication with FIDO2 and Azure Active Directory first appeared on 4sysops.  ( 6 min )

Organizations Now Have the Ability to Use Common FIDO2 Experience Across Browsers, Conditional Passwordless, Hybrid and Cloud Deployment for Azure AD Support As we emerge from the pandemic, trends of digital transformation with a dispersed workforce and a complete restructuring of Information Technology (IT) and Operational Technology (OT) architecture accelerates the need for security and […] The post SecureAuth Latest Release Delivers Enhanced Passwordless Authentication with Improved User Experience appeared first on SecureAuth.  ( 4 min )

Join us this year at the 2022 SANS DFIR Summit Live Online or attend in Austin! If you’ve attended before, you know you’ll walk away from the summit with a story, connection, and maybe even one of those limited edition DFIR Mascot Legos. If it’s your first time attending, we look forward to meeting you at the most comprehensive DFIR event of the year!  ( 8 min )

This is a Python3 stdin fix for re-search.py, my tool to search with regular expressions. re-search_V0_0_19.zip (http)MD5: 4007A3E5540871221B55591B50E2239BSHA256: 263236ABE75B93F1F999474D690A9EB2575EBE42CED8F369FF98B349A5116D11  ( 3 min )

Table of Contents Introduction Moneta and the first IOC Moneta and the final IOC The PeSieve Bypass Conclusion TLDR; POC is here: https://github.com/waldo-irc/YouMayPasser/.  Usage isn't super straight forward but I'd rather it wasn't.  Good Luck! Introduction The title  ( 19 min )

I know your question. Why would anybody want to use Covenant C2? It’s not supported, it’s outdated and everybody has moved on! Let’s at…  ( 4 min )

In my last article, titled "What is serverless computing? An introduction to AWS Lambda," we took a detailed look at what serverless computing does. Taking the next step, we will create a working example in AWS Lambda using the Go programming language (often referred to as Golang). Writing an AWS Lambda function using Go (Golang) first appeared on 4sysops.  ( 9 min )

Отримайте доступ до ресурсів, які допоможуть вашій організації орієнтуватися в кіберризиках, пов’язаних з російсько-українським конфліктом.  ( 8 min )

Every once in a while someone drops a salary bomb discussion on social media and the speculations follow. The salary bomb value du jour it is the mythical 450K USD […]  ( 6 min )

Bypassing AV solutions is essential for initial access, lateral movement and full domain compromise. Over the last couple of years, we’ve…  ( 4 min )

Times are volatile, and everyone we encounter seems slightly on edge. In an environment like this, it’s no surprise that red teaming is tough. But that’s no excuse for us to throw up our hands. It just means we need to revisit our fundamental mission and work harder than ever to refine our red teaming methods and manners.

Nemty developers have created a new, flawed update to the Karma ransomware variant in a bid to avoid detection and mislead attribution.  ( 7 min )

Reducing risk is fundamental to Wix’s approach to cybersecurity, and as the threat landscape evolves, they turn to HackerOne Bounty to protect their security posture. Since 2018, Wix has invited tens of thousands of ethical hackers worldwide to ensure new and existing features are secure. We recently met with two Wix security team members to learn how they leverage ethical hackers to detect risks before they become threats and how vulnerability insights help strengthen their security posture.  ( 7 min )