Featured

This post covers how to move SYSVOL to a new disk. It’s a little tricky because of the junction points and it is definately worth trying in a lab environment first to get comfortable. You should also engage Microsoft support during the process if that is an option for you....

If you’ve used dnSpy to make a simple modification to a binary you’ll know that it’s often as simple as finding the section of code requiring a small change, right click, “modify method”, then compile. Often though, the code you are looking at in dnSpy cannot be easily edited and...

The ask: Ensure that the front end logs from the Azure Application Proxies are flowing into the SEIM via Windows Event Forwarding (WEF). This post outlines the current challenges with the ask, and provides an approach for converting .ETL logs to .EVTX format as they arrive. Azure Application Proxy Overview...

I’ve been spending a big chunk of my time on an IAM project at work there and there hasn’t been much free time for “hacker crap” because of the deadlines attached to the project. In an effort to clear my mind I thought I’d take the rubber ducky for a...

Overview There’s a .dll which just about every process on my Windows machine is interested in called edgegdi.dll. Unfortunately, the dll: edgegdi.dll isn’t there (or anywhere on the system). You’ll see the status (NAME NOT FOUND) in any procmon trace you look at which makes it interesting for persistence at...

This post evaluates the protection Windows Defender Exploit Guard can offer a vulnerable application. We’re using vulnserver as an example, but thinking about it in the context of real applications that might still have unpatched vulnerabilities. Checking whether there are exploit guard capabilities that could offer protection even if the...

Regular

This post covers how to move SYSVOL to a new disk. It’s a little tricky because of the junction points and it is definately worth trying in a lab environment first to get comfortable. You should also engage Microsoft support during the process if that is an option for you....

If you’ve used dnSpy to make a simple modification to a binary you’ll know that it’s often as simple as finding the section of code requiring a small change, right click, “modify method”, then compile.

I recently discovered what appeared to be a backdoor installed in my wordpress site. This post is two parts. The first part is a complete ramble you should skip if you are just here for the malware/backdoor.

Another highly recommended Active Directory lab for attackers and defenders looking to sharpen their AD skills.

Elad Shamir’s post on Shadow Credentials is the right place to read the details of this interesting approach: https://posts.specterops.io/shadow-credentials-abusing-key-trust-account-mapping-for-takeover-8ee1a53566ab. He documented the approach back in June, 2018. Short Version for Blue Teamers: The way I simplify (probably oversimplify) this when talking to people about it is: There’s an Active Directory...

BLUF: (Bottom line(s) up front because you probably don’t really need this post at all; the setup of code ready containers is really simple. The post just captures some of the quirks i ran into) [1] Download Code Ready Containers from Redhat. Start here: https://developers.redhat.com/products/codeready-containers/overview [2] Extract the .zip file...

Sometime’s it makes sense to remove the “Apply Group Policy” right from the everyone group and slowly add users from specific groups as a way to roll out the change.

// This post will be updated regularily. Don’t rely on it, i’m learning.

I’ve been spending a big chunk of my time on an IAM project at work there and there hasn’t been much free time for “hacker crap” because of the deadlines attached to the project.

The place to learn the most about Windows Defender Application Control (WDAC) the fastest is youtube. Matt Graeber put together an amazing set of tutorials, and if you’re trying to learn how to do it the way a pro does, i’d recommend making them your first stop.

Very quick post to remind me how to set up the Wireguard client for Ubuntu quickly:

Comparison of Windows 10 2004 and Windows 10 20H2 installations that might assist others who need to check off some of these things in their pre-deployment security review.

Note 1: the best place to learn a lot about dll hijacking is https://institute.sektor7.net; the main purpose of this post is to capture my notes while applying some of the techniques taught by sektor7 in a real world example

This post details the mistakes I’ve made using and tuning Exploit Guard.

In the previous post we evaluated Exploit Guard controls against a simple buffer overflow vulnerability in a test application. We used Matt Graeber’s Exploit Guard documentation as a guide.

We’re going to try to move the main random password code from the previous blog post to Azure ‘Functions’ - the Azure serverless offering.

Looking into how we’d deploy, scale and secure a web service on Azure. Starting right at the very basics - a hand jammed basic web service deployed from inside VS Code.

Leveraging ansible and powershell together for remote management.

Notes while working through the (excellent) Sektor7 windows persistence course. Important point: don’t just rely on the notes here. They’re mainly reminders for me :) It’s the templates and tools as well as extra context that makes the training really valuable. (Tools include things like scripts to AES encrypt and...

Spending the day going over Docker topics.

The X-Forwarded-For (XFF) header is a de-facto standard header for identifying the originating IP address of a client connecting to a web server through an HTTP proxy or a load balancer. When traffic is intercepted between clients and servers, server access logs contain the IP address of the proxy or...

Quick VPN endpoint all to yourself using your Azure (or AWS) subscription based on the Trail of Bits Algo project:

Microsoft is aware of a remote code execution vulnerability in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target SMB Server or SMB Client.

WinDBG is the right way to go to analyze windows crash dumps if you have builds that are throwing a blue screen. For a really large percentage of those cases you can get to a reasonable answer with the analyze -v command. As long as you are comfortable setting up...

You’re going to panic when something important is accidentally deleted. It’s scary. In the old days it was a little painful as well. Deleted objects had their links stripped (memberships) and the most appropriate recovery was via the last backup if you wanted things the way they really were. (Tombstone...

This might save someone a few hours working out the steps to set up and use a YubiHSM for code signing. This nifty little device seems to work flawlessly for small volume code signing work. YubiCo actually do a good job of publishing performance metrics on the product site but...

First of all, you shouldn’t do this. But in case you are hell bent on making a mess the following steps will allow you to modify objects that Active Directory would otherwise block you from changing.

Azure Virtual Machine Scale Sets let you create and manage a group of load balanced VMs. The number of VM instances can automatically increase or decrease in response to demand or a defined schedule

Designing and implementing Azure networking capabilities is a critical part of your cloud solution. You’ll need to make networking design decisions to properly support your workloads and services.

Working through Ben Piper’s excellent course on Pluralsight: AWS Networking Deep Dive: Route 53 DNS. This post captures the notes i took along the way.

Active Directory does a few important things whenever it is backed up or restored to keep it working the way it was intended. For that reason (in most situations) it is important that we don’t get too fancy with alternatives to the traditional ‘system state backup’.

I’m working on a larger post about the various types of login (network, local, rdp etc) and what each of them presents to an attacker; but i wanted to first understand a little more about NTLM based logon to a Windows/Active Directory environment.

Recent requirement to modify the access to LAPS attributes in one of our directories. We had a specific class of computer objects that we did not want all of our usual LAPS readers to be able to retrieve the local password for.

While i was working through the OSCE I remember folk were looking for something that would be roughly as challenging as the exam to practice the full fuzz RCE, full remote shell lifecycle.

Writes a new password to memory on the host (“mimikatz”) that will work in addition to the realpassword for any user.

An attacker has obtained a long term key for a service account. Often obtained via kerberoast against accounts with a SPN and offline cracking; but also via taking credentials from a compromised machine with mimikatz. PAC validation can fight this by verifying the PAC but it is rare.

Kerberos version pass the hash where we take the ntlm hash (mimikatz can get this from memory for you) and work towards a TGT with it. Possible because the NT hash is used to support Kerberos RC4 encryption (RC4-HMAC-MD5).

The attacker has retrieved the krbtgt long term key. The attacker can then create a forged TGT for any domain account because they are able to encrypt the request with the krbtgt long term key. There’s a small hitch with TGT’s older than 20 mins because they are sometimes verified;...

You need to convert to export the hash to an appropriate format first:

[WinEventLog://Application] disabled = false index = wineventlog sourcetype = wineventlog