Based on some discussion during one of our training exercises I've created this simple tool to calculate TGT TicketOptions in Hex, Binary and Decimal. It may be useful to you too ;)
https://t.co/Nl8XoEJvcS
In today's WTF?!?!? moment
When a ESXi server is domain-joined, it assumes any "ESX Admins" group & its members should have full admin rights.
So.... anyone who can create & manage a group in AD, can get full admin rights to the VMware ESX hypervisors!
https://t.co/U3DiXHWQMR
In our #purpleteam service, we take a depth & quality approach & run many diverse test cases for a given technique. In our latest blog post, @gwhitekc walks through the process we use to define & implement the test cases for our purple team runbooks. https://t.co/KWHrOA8KZI
Check out this awesome report by Sophos on Chinese APT threat actors. There is much to learn from this technical breakdown; it's not your ordinary threat actor.
Reading this report, you will notice that they used tools like impacket for lateral movement, which provides an opportunity for detection.
➡️Interesting use of Living-Off-the-Land binaries that I personally haven't seen before - instsrv.exe and srvany.exe.
➡️Multiple defense evasion methods to hide their tracks and evade detection, including a clever way to read DNS traffic and block AV/EDR-related domains. (but still uses impacket 🤷♂️🤦♂️)
➡️Interesting choice of data being staged for exfiltration.
Overall, this prolonged intrusion had everything, and the authors did an incredible job of laying out all the details for the rest of the community. 🙏👏
Check it out here 🔗: https://t.co/1ZieUUd6w2
@nas_bench From my experience there are orgs that will provide feedback, what we detected and what not and how we can improve. On the other hand, you have orgs telling you they have a red team in a specific timeframe, tell you "ignore any alerts" and you never hear about it's results again.
Partner Tier2 Support is an attractive role for adversaries installing a backdoor in Entra:
● Can promote self to Global Admin
● Role is invisible in Entra ID portal
● Built into every Entra tenant
Read more here: https://t.co/DpY84MH3Nt
Microsoft has identified new Qakbot phishing campaigns following the August 2023 law enforcement disruption operation. The campaign began on December 11, was low in volume, and targeted the hospitality industry. Targets received a PDF from a user masquerading as an IRS employee.
Some proxy hunting regex for #BunnyLoader based on ZScalers post:
Proxy Urls: \/Bunny\/\w+\.php
User Agents: (?i)(Bunny(?:loader(?:_dropper)?|requester|tasks|stealer|shell)|TaskCompleted|HeartBeat_sender)
Reference: https://t.co/4Orwq62kza
FYI: Since the release of VMware Carbon Black Cloud Windows Sensor 3.8.0.398, you can search for API information on cross process events with crossproc_api field.
Example: Searching for MiniDumpWriteDump API call to detect LSASS dumping.