mstdn.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
A general-purpose Mastodon server with a 500 character limit. All languages are welcome.
#knowledgedrop

13reak :fedora:<p>Interesting defense against attacks: </p><p>Move your SSH <code>authorized_keys</code> to a different location and set the rights to <code>0444</code>. Then an attacker needs root rights to place an SSH backdoor.</p><p><a href="https://isc.sans.edu/diary/31986" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="">isc.sans.edu/diary/31986</span><span class="invisible"></span></a></p><p><a href="https://infosec.exchange/tags/DFIR" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>DFIR</span></a> <a href="https://infosec.exchange/tags/knowledgedrop" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>knowledgedrop</span></a> <a href="https://infosec.exchange/tags/hardening" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>hardening</span></a></p>
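A way to audit that setup from the shell, as an added example that is not from the post or the ISC diary: it checks that `sshd_config` points `AuthorizedKeysFile` to an absolute path outside the user's home and that the key file itself is mode 0444. The layout `/etc/ssh/authorized_keys/<user>` is an assumed convention, and the config and key material in the fixture are constructed placeholders.

```sh
#!/bin/sh
# Added example, not from the post or the ISC diary. Audits an sshd setup that
# keeps authorized_keys outside $HOME (assumed layout: /etc/ssh/authorized_keys/<user>).
# The point of the hardening: a root-owned file with mode 0444, in a root-owned
# directory, cannot be replaced by the user, so planting a key there needs root.

# Print the AuthorizedKeysFile value(s) from an sshd_config, ignoring comments.
authorized_keys_setting() {
    awk 'tolower($1) == "authorizedkeysfile" { $1 = ""; sub(/^ /, ""); print; exit }' "$1"
}

# Return 0 when every configured path is absolute and does not use %h or a
# relative path, both of which resolve inside the user's home directory.
check_sshd_config() {
    setting=$(authorized_keys_setting "$1")
    [ -n "$setting" ] || { echo "no AuthorizedKeysFile set (sshd defaults to ~/.ssh/authorized_keys)"; return 1; }
    for p in $setting; do
        case "$p" in
            *%h*) echo "bad: $p expands inside the user's home"; return 1 ;;
            /*)   ;;   # absolute path outside home: fine
            *)    echo "bad: $p is relative to the user's home"; return 1 ;;
        esac
    done
    echo "ok: AuthorizedKeysFile $setting"
}

# Octal mode of a file: GNU stat first, BSD stat as fallback.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 when the key file exists and is exactly mode 0444. Ownership is only
# reported, because this fixture cannot chown to root; in production the file
# and its parent directory must both belong to root.
check_keys_file() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    mode=$(file_mode "$f")
    [ "$mode" = "444" ] || { echo "bad mode $mode on $f (want 444)"; return 1; }
    echo "ok: $f mode $mode, owner $(ls -ld "$f" | awk '{ print $3 }')"
}

# Constructed fixture: a temporary directory standing in for /etc/ssh, with a
# hardened sshd_config, a 0444 key file for "alice", and the stock relative
# setting for comparison. The key string is a placeholder, not real key material.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/authorized_keys"
    printf 'AuthorizedKeysFile /etc/ssh/authorized_keys/%%u\nPasswordAuthentication no\n' > "$d/sshd_config"
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderNotARealKey alice\n' > "$d/authorized_keys/alice"
    chmod 0444 "$d/authorized_keys/alice"
    printf 'AuthorizedKeysFile .ssh/authorized_keys\n' > "$d/sshd_config.default"
    echo "$d"
}

# Usage: d=$(make_fixture); check_sshd_config "$d/sshd_config"; check_keys_file "$d/authorized_keys/alice"
# Against a live host: check_sshd_config /etc/ssh/sshd_config; check_keys_file /etc/ssh/authorized_keys/$USER
```

Remember that `sshd` still applies `StrictModes`: the relocated directory must not be group- or world-writable, or logins will be refused.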
13reak :fedora:<p><a href="https://infosec.exchange/tags/DFIR" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>DFIR</span></a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>threatintel</span></a> <a href="https://infosec.exchange/tags/Knowledgedrop" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Knowledgedrop</span></a></p><p>Attackers are still actively exploiting firewall "../" vulnerabilities. Be aware and patch your firewalls!</p>
13reak :fedora:<p>Most organizations do not have multi-factor authentication (MFA) enabled for their Azure service principals.</p><p>Why? </p><p>You need a special license <strong>for every single application</strong> you want to enable MFA for.</p><p><a href="https://infosec.exchange/tags/cloud" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cloud</span></a> <a href="https://infosec.exchange/tags/azure" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>azure</span></a> <a href="https://infosec.exchange/tags/knowledgedrop" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>knowledgedrop</span></a> <a href="https://infosec.exchange/tags/pentesting" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>pentesting</span></a></p>
13reak :fedora:<p>Watch out with your <u>Azure Automation Account</u> / <u>Runbooks</u>.</p><ul><li>they often include hard-coded credentials</li><li>their output is not protected. So attackers can see your results</li><li>they can use <u>Shared Resources</u> (i.e. credentials or certificates)</li><li><u>Hybrid Worker</u> and <u>Azure Arc</u> allow access to your on-premises infrastructure </li></ul><p>Dangerous stuff if not managed correctly!</p><p><a href="https://infosec.exchange/tags/cloud" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cloud</span></a> <a href="https://infosec.exchange/tags/azure" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>azure</span></a> <a href="https://infosec.exchange/tags/knowledgedrop" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>knowledgedrop</span></a> <a href="https://infosec.exchange/tags/dfir" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>dfir</span></a> <a href="https://infosec.exchange/tags/pentesting" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>pentesting</span></a> <a href="https://infosec.exchange/tags/privilegeescalation" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>privilegeescalation</span></a></p>
13reak :fedora:<p>How to reconstruct OneDrive?</p><p>OneDriveExplorer (by <span class="h-card" translate="no"><a href="https://infosec.exchange/@Beercow" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>Beercow</span></a></span>) can reconstruct OneDrive from <code>&lt;UserCid&gt;.dat</code> or SQLite databases etc.</p><p>Check it out:<br><a href="https://github.com/Beercow/OneDriveExplorer" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">github.com/Beercow/OneDriveExp</span><span class="invisible">lorer</span></a></p><p><a href="https://infosec.exchange/tags/DFIR" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>DFIR</span></a> <a href="https://infosec.exchange/tags/artifact" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>artifact</span></a> <a href="https://infosec.exchange/tags/azure" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>azure</span></a> <a href="https://infosec.exchange/tags/onedrive" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>onedrive</span></a> <a href="https://infosec.exchange/tags/knowledgedrop" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>knowledgedrop</span></a></p>
13reak :fedora:<p>Today a pentester asked me if attackers really use brute force.</p><p>Yes, they do, especially in cloud environments. That's why multi-factor authentication (MFA) is so important there.</p><p><a href="https://infosec.exchange/tags/knowledgedrop" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>knowledgedrop</span></a> <a href="https://infosec.exchange/tags/purpleteam" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>purpleteam</span></a> <a href="https://infosec.exchange/tags/cloud" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cloud</span></a></p>
13reak :fedora:<p>I hear very often that the cloud is secure because Multi-Factor Authentication (MFA) is enabled, so all accounts are secure. </p><p>What about the service accounts and the (break glass) global administrator account?</p><p>Or in Azure: do you have a conditional access policy that excludes accounts from MFA?</p><p>What about MFA phishing with evilginx?</p><p>=&gt; Apply a defense-in-depth strategy also in cloud environments.</p><p><a href="https://infosec.exchange/tags/DFIR" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>DFIR</span></a> <a href="https://infosec.exchange/tags/knowledgedrop" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>knowledgedrop</span></a> <a href="https://infosec.exchange/tags/cloud" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cloud</span></a> <a href="https://infosec.exchange/tags/mfa" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>mfa</span></a> <a href="https://infosec.exchange/tags/multifactorauthentication" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>multifactorauthentication</span></a></p>
13reak :fedora:<p>How to filter zeek logs:</p><p><code>cat conn.log | zeek-cut &lt;columns&gt; | column -t | less -S</code></p><p>(column and less display the columns aligned and readable)</p><p><a href="https://infosec.exchange/tags/DFIR" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>DFIR</span></a> <a href="https://infosec.exchange/tags/knowledgedrop" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>knowledgedrop</span></a> <a href="https://infosec.exchange/tags/NIDS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>NIDS</span></a> <a href="https://infosec.exchange/tags/zeek" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>zeek</span></a></p>
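For hosts without Zeek's tooling, here is an added example (not from the post) of the same column selection done in plain awk: it reads the `#fields` header of a tab-separated Zeek log and prints the requested columns in the order you name them, so the `column -t | less -S` pipeline from the post works unchanged. The `conn.log` below is constructed with documentation-range addresses, not a real capture.

```sh
#!/bin/sh
# Added example, not from the post: an awk stand-in for zeek-cut.
# Zeek TSV logs carry a "#fields" header naming each column; zeek-cut uses it
# to select columns by name. This function does the same for hosts where
# zeek-cut is not installed.

# Constructed conn.log (documentation-range IPs, made-up uids), not a real capture.
sample_conn_log() {
    printf '#separator \\x09\n'
    printf '#set_separator\t,\n'
    printf '#path\tconn\n'
    printf '#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\n'
    printf '#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\n'
    printf '1700000000.100000\tCxyz1\t10.0.0.5\t51234\t203.0.113.7\t22\ttcp\tssh\t12.5\n'
    printf '1700000001.200000\tCxyz2\t10.0.0.9\t51235\t198.51.100.3\t443\ttcp\tssl\t0.8\n'
    printf '1700000002.300000\tCxyz3\t10.0.0.5\t51236\t203.0.113.7\t22\ttcp\tssh\t3.1\n'
    printf '#close\t2023-11-14-22-13-22\n'
}

# zeek_cut col1 col2 ...: print the named columns of the Zeek log on stdin,
# tab-separated, in the order given. With no arguments print all data rows.
# A column name that is not in #fields prints "-", like zeek-cut does.
zeek_cut() {
    awk -v cols="$*" '
        BEGIN { FS = "\t"; OFS = "\t"; n = split(cols, want, " ") }
        /^#fields/ { for (i = 2; i <= NF; i++) idx[$i] = i - 1; next }
        /^#/ { next }                      # other header lines and #close
        n == 0 { print; next }
        {
            line = ""
            for (i = 1; i <= n; i++) {
                c = idx[want[i]]
                line = line (i > 1 ? OFS : "") (c ? $c : "-")
            }
            print line
        }'
}

# Example filter on top of the selection: only connections Zeek tagged as ssh.
ssh_sessions() {
    zeek_cut ts id.orig_h id.resp_h service | awk -F'\t' '$4 == "ssh"'
}

# Usage, readable in a terminal exactly as in the post:
#   sample_conn_log | zeek_cut ts id.orig_h id.resp_p service | column -t | less -S
#   sample_conn_log | ssh_sessions
```

`zeek-cut` also offers `-d` to render `ts` as a human-readable date; the awk version above keeps epoch timestamps, so sort on them before converting.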
13reak :fedora:<p>I encountered some third party firewall logs recently. Timestamps were in Linux format and requests in hexdump. We knew the IP range of the attackers and that they uploaded a webshell.</p><p><code>grep</code> is an awesome tool for that. Looking for successful (code 200) uploads (POST requests) from IP:</p><p><code>grep -e "666.666.666.... POST 200" firewall.log &gt; attack.txt</code></p><p>To find the script I searched for the longest request since most legitimate requests were rather short. Word count can give us that with <code>-L</code>:</p><p><code>cat attack.txt | wc -L</code><br>1337</p><p>And let's extract that longest line with grep:</p><p><code>grep -E "^.{1337}$" attack.txt</code></p><p>Hex requests could then be parsed easily with CyberChef's <code>From Hex</code>.</p><p>Hope that helps someone! Adjust to your needs. :blobsmile: </p><p><a href="https://infosec.exchange/tags/dfir" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>dfir</span></a> <a href="https://infosec.exchange/tags/knowledgedrop" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>knowledgedrop</span></a> <a href="https://infosec.exchange/tags/firewall" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>firewall</span></a> <a href="https://infosec.exchange/tags/bash" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>bash</span></a></p>
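The same hunt done in one pass, as an added example that is not from the post: awk keeps the longest line as it streams (so no separate `wc -L` step, and ties resolve to the first hit), and a small awk hex decoder replaces the trip to CyberChef when you are stuck on a jump host. The log format (epoch, client IP, method, status, hex body) and the lines themselves are constructed, using a documentation-range address; `198.51.100.` stands in for the attacker range.

```sh
#!/bin/sh
# Added example, not from the post. One-pass version of the hunt: filter the
# attacker's successful POSTs, keep the longest request, decode its hex body.
# Assumed log layout: "<epoch> <client ip> <method> <status> <hex body>".

# Constructed sample (documentation-range IP, made-up bodies), not a real log.
sample_attack_log() {
    printf '%s\n' \
        '1700000100 198.51.100.23 GET 200 474554202f696e6465782e706870' \
        '1700000160 198.51.100.23 POST 200 504f5354202f75706c6f61642e706870203c3f706870206576616c28245f504f53545b2263225d293b203f3e' \
        '1700000200 198.51.100.23 POST 200 504f5354202f6c6f67696e2e706870'
}

# Print the single longest line on stdin (first one wins on ties) in one pass,
# instead of "wc -L" followed by a length-anchored grep.
longest_line() {
    awk 'length($0) > max { max = length($0); best = $0 } END { if (max) print best }'
}

# Decode a hex string (first argument) to text without xxd or CyberChef.
# In POSIX awk, %c with a numeric argument yields the byte with that value;
# LC_ALL=C keeps bytes above 0x7f from being re-encoded as UTF-8.
# Limitation: a 0x00 byte is not handled by every awk, so this is for text bodies.
from_hex() {
    printf '%s' "$1" | LC_ALL=C awk '
        BEGIN { for (i = 0; i < 256; i++) byte[sprintf("%02x", i)] = sprintf("%c", i) }
        { s = tolower($0); for (i = 1; i <= length(s); i += 2) out = out byte[substr(s, i, 2)] }
        END { printf "%s\n", out }'
}

# Whole pipeline: successful POSTs from the attacker range -> longest line ->
# field 5 (the hex body) -> decoded text. Reads the log on stdin.
decode_longest_post() {
    hex=$(grep -E '^[0-9]+ 198\.51\.100\.[0-9]+ POST 200 ' | longest_line | awk '{ print $5 }')
    [ -n "$hex" ] || { echo "no matching POST 200 from the attacker range" >&2; return 1; }
    from_hex "$hex"
}

# Usage: sample_attack_log | decode_longest_post
#        decode_longest_post < firewall.log
```

Once the webshell request is decoded, the same `longest_line` trick applied to the *remaining* lines (after removing the first hit) often surfaces the follow-up commands sent to the shell.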
13reak :fedora:<p>I noticed today that a lot of people are struggling with antivirus alerts, specifically Microsoft Defender:</p><p>1) try to understand the alarm itself and at which point in the attack this would happen: phishing email = early, credential access (especially admin credentials) or suspicious C2 IPs = middle, ransomware/data upload = late.</p><p>2) what should the attacker's previous and next step be then? (just look at 1 again: early/middle/late)</p><p>3) can you see this previous/next step in the logs? Look especially for evidence of execution. Attackers want to "do" something. Executables, scripts, PowerShell, command line, services, scheduled tasks?</p><p>If you cannot see any previous or any next steps, ask yourself if you're blind (are your logs empty? Timeframe not available?) or if there really aren't any. If there aren't any, it's likely a false positive. If there are, escalate.</p><p>Happy hunting!</p><p><a href="https://infosec.exchange/tags/DFIR" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>DFIR</span></a> <a href="https://infosec.exchange/tags/knowledgedrop" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>knowledgedrop</span></a> <a href="https://infosec.exchange/tags/microsoftdefender" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>microsoftdefender</span></a> <a href="https://infosec.exchange/tags/antivirus" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>antivirus</span></a></p>
13reak :fedora:<p>Velociraptor <code>tempfile</code> is gone when your <code>SELECT</code> query terminates.</p><p>That means if you start with a <code>LET tmp = SELECT ...</code> and continue in your main query, the <code>tempfile</code> is already gone at your main query!</p><p>Took me a while today to figure this out...</p><p><a href="https://infosec.exchange/tags/dfir" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>dfir</span></a> <a href="https://infosec.exchange/tags/knowledgedrop" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>knowledgedrop</span></a> <a href="https://infosec.exchange/tags/velociraptor" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>velociraptor</span></a></p>
13reak :fedora:<p>If using Kubernetes on Azure (AKS), the following logs exist:</p><ul><li>activity logs (enabled by default) </li><li>resource logs (disabled by default) </li><li>AKS logs (disabled by default) </li><li>container insights (disabled by default)</li></ul><p>Remember to turn on your logs :blobwink: </p><p><a href="https://infosec.exchange/tags/DFIR" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>DFIR</span></a> <a href="https://infosec.exchange/tags/knowledgedrop" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>knowledgedrop</span></a> <a href="https://infosec.exchange/tags/cloud" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cloud</span></a> <a href="https://infosec.exchange/tags/azure" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>azure</span></a> <a href="https://infosec.exchange/tags/aks" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>aks</span></a> <a href="https://infosec.exchange/tags/kubernetes" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>kubernetes</span></a> <a href="https://infosec.exchange/tags/k8s" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>k8s</span></a></p>
13reak :fedora:<p><a href="https://infosec.exchange/tags/dfir" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>dfir</span></a> <a href="https://infosec.exchange/tags/knowledgedrop" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>knowledgedrop</span></a> <a href="https://infosec.exchange/tags/networkforensics" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>networkforensics</span></a> </p><p>Came across this gem again: a nice network analysis framework<br><a href="https://github.com/arkime/arkime" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="">github.com/arkime/arkime</span><span class="invisible"></span></a></p>
13reak :fedora:<p><a href="https://infosec.exchange/tags/DFIR" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>DFIR</span></a> <a href="https://infosec.exchange/tags/knowledgedrop" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>knowledgedrop</span></a> <a href="https://infosec.exchange/tags/azure" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>azure</span></a> <a href="https://infosec.exchange/tags/m365" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>m365</span></a></p><p>I noticed recently that M365/Azure Personal licenses ("Px") in contrast to Enterprise ("Ex") licenses do not seem to include all logs. E.g. Azure Sign-in Logs only exist for 7 days, not 90/180 days.</p><p>So when combining an M365 Business with a small Azure license, there are hardly any logs.</p>
13reak :fedora:<p><a href="https://infosec.exchange/tags/dfir" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>dfir</span></a> <a href="https://infosec.exchange/tags/knowledgedrop" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>knowledgedrop</span></a></p><p>The most important logfiles in <a href="https://infosec.exchange/tags/azure" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>azure</span></a> are:</p><p>ENABLED by default:</p><p>1) Tenant Logs: Sign-In Logs &amp; Audit Logs<br>2) Subscription Logs: Activity Logs<br>3) Security Logs (Risky Users)</p><p>DISABLED by default:</p><p>4) Resource Logs<br>5) Diagnostic Logs: Operating System Logs<br>6) Diagnostic Logs: Application Logs</p><p><a href="https://infosec.exchange/tags/m365" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>m365</span></a> also has: </p><p>7) Unified Audit Log (UAL) - enabled by default <br>8) (specialized logs for applications like Exchange, SharePoint, etc. - an extract is also in UAL)</p>
13reak :fedora:<p><a href="https://infosec.exchange/tags/dfir" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>dfir</span></a> <a href="https://infosec.exchange/tags/knowledgedrop" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>knowledgedrop</span></a></p><p>If you need to acquire <a href="https://infosec.exchange/tags/azure" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>azure</span></a> / <a href="https://infosec.exchange/tags/m365" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>m365</span></a> logs, be aware that the web UI only allows extracting a small amount.</p><p>If you want to extract all the logs, have a look at <a href="https://github.com/invictus-ir/Microsoft-Extractor-Suite" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">github.com/invictus-ir/Microso</span><span class="invisible">ft-Extractor-Suite</span></a> </p><p>You need "global reader" permissions and watch out with conditional access policies - they can block your access and result in really weird error messages (e.g. that the module does not exist).</p><p>Most important logs are (usually) Sign-in logs and UAL.</p>
13reak :fedora:<p><a href="https://infosec.exchange/tags/dfir" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>dfir</span></a> <a href="https://infosec.exchange/tags/knowledgedrop" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>knowledgedrop</span></a> </p><p><a href="https://infosec.exchange/tags/psexec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>psexec</span></a> can be detected by .key files:</p><p>"Starting with PsExec v2.30 [...], anytime a PsExec command is executed, a .key file gets written to the file system and will be recorded in the USN Journal on the target system. It will follow this naming convention: PSEXEC-[Source Hostname]-[8 Unique Characters].key and will be located at the C:\Windows directory." [1]</p><p>[1] <a href="https://aboutdfir.com/the-key-to-identify-psexec/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">aboutdfir.com/the-key-to-ident</span><span class="invisible">ify-psexec/</span></a></p>
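To turn that naming convention into a check you can run over an exported USN journal or MFT listing, here is an added example that is not from the post or the linked article: it pulls every `PSEXEC-<host>-<8 chars>.key` name out of the export and recovers the source hostname from it. The 8-character set `[A-Z0-9]` is an assumption based on the quoted convention, and the CSV lines are constructed, not from a real system.

```sh
#!/bin/sh
# Added example, not from the post or the linked article. Finds PsExec .key
# file names in exported USN journal / MFT records (any text dump will do) and
# recovers the source host from the name, which follows the quoted convention
# PSEXEC-<Source Hostname>-<8 characters>.key. The [A-Z0-9]{8} part is assumed.

# Constructed USN-journal-style CSV, not from a real system. Note the create
# and delete of the same .key file a second apart: the file is short-lived,
# which is why the journal rather than the live file system is the place to look.
sample_usn_csv() {
    printf '%s\n' \
        'Timestamp,FileName,ParentPath,Reason' \
        '2024-03-01 10:02:11,PSEXEC-WS-ADMIN01-A1B2C3D4.key,C:\Windows,FileCreate' \
        '2024-03-01 10:02:11,PSEXESVC.exe,C:\Windows,FileCreate' \
        '2024-03-01 10:02:12,PSEXEC-WS-ADMIN01-A1B2C3D4.key,C:\Windows,FileDelete|Close' \
        '2024-03-01 10:05:40,PSEXEC-SRV-BUILD7-9ZY8XW7V.key,C:\Windows,FileCreate' \
        '2024-03-01 10:06:00,notes.txt,C:\Users\bob\Desktop,DataExtend'
}

# Print "<source host><TAB><key file>" once per distinct .key name on stdin.
# Hostnames may themselves contain "-", so everything between the PSEXEC-
# prefix and the final 8-character token is taken as the host.
find_psexec_keys() {
    grep -E -o 'PSEXEC-[A-Za-z0-9_-]+-[A-Z0-9]{8}\.key' | sort -u |
        awk -F- '{
            host = $2
            for (i = 3; i < NF; i++) host = host "-" $i
            printf "%s\t%s\n", host, $0
        }'
}

# Usage: sample_usn_csv | find_psexec_keys
#        find_psexec_keys < usn_journal_export.csv
```

Each hostname this returns is the *source* of the lateral movement, so the next pivot is that machine's own logs and journal rather than the target you started on.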
13reak :fedora:<p><a href="https://infosec.exchange/tags/Windows" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Windows</span></a> <a href="https://infosec.exchange/tags/activedirectory" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>activedirectory</span></a> <a href="https://infosec.exchange/tags/dfir" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>dfir</span></a> <a href="https://infosec.exchange/tags/knowledgedrop" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>knowledgedrop</span></a> </p><p>I learned today that depending on how you access your network shares, it triggers different protocols: </p><p>\\IP =&gt; NTLM</p><p>\\servername =&gt; NTLM</p><p>\\FQDN =&gt; Kerberos</p><p>PS: for everyone who doesn't know Windows protocols: NTLM is less secure and an easier target for attackers.</p>
13reak :fedora:<p><a href="https://infosec.exchange/tags/dfir" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>dfir</span></a> <a href="https://infosec.exchange/tags/knowledgedrop" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>knowledgedrop</span></a> </p><p>There's a newish <a href="https://infosec.exchange/tags/linux" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>linux</span></a> tool similar to <a href="https://infosec.exchange/tags/sysmon" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>sysmon</span></a> by <span class="h-card" translate="no"><a href="https://infosec.exchange/@0xrawsec" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>0xrawsec</span></a></span> from <span class="h-card" translate="no"><a href="https://social.circl.lu/@circl" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>circl</span></a></span> </p><p><a href="https://why.kunai.rocks/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="">why.kunai.rocks/</span><span class="invisible"></span></a><br>(see also <span class="h-card" translate="no"><a href="https://infosec.exchange/@kunai_project" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>kunai_project</span></a></span> )</p><p>PS: it is written in <a href="https://infosec.exchange/tags/rust" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>rust</span></a> :blobwink:</p>
13reak :fedora:<p><a href="https://infosec.exchange/tags/knowledgedrop" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>knowledgedrop</span></a> <a href="https://infosec.exchange/tags/dfir" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>dfir</span></a></p><p>I compared a few sources for <a href="https://infosec.exchange/tags/cloud" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cloud</span></a> use cases this week and all of them mentioned these two <a href="https://infosec.exchange/tags/mitre" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>mitre</span></a> techniques:</p><p>T1078.004 Cloud Accounts</p><p>T1530 Data from Cloud Storage</p><p>These seem to be the main ways for attackers to breach clouds. Compromise an account or find data in a bucket etc.</p>