The first stage of the attack is the preparation, where the threat actors create two or more separate ZIP archives and hide the malicious payload in one of them, leaving the rest with innocuous content. Next, the separate files are concatenated into one by appending the binary data of one file to the other, merging their contents into one combined ZIP archive. Although the final result appears as one file, it contains multiple ZIP structures, each with its own central directory and end markers. Perception Point tested 7zip, WinRAR, and Windows File Explorer with different results: 7zip only reads the first ZIP archive (which could be benign) and may generate a warning about additional data, which users may miss. WinRAR reads and displays both ZIP structures, revealing all files, including the hidden malicious payload. Windows File Explorer may fail to open the concatenated file or, if renamed with a .RAR extension, might display only the second ZIP archive. https://lnkd.in/gRbJ-enu
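The concatenation trick the post describes, as an added example (not code from the post or from Perception Point): it builds two small archives, glues them together, walks the blob for every end-of-central-directory record and lists what each embedded archive contains. It also shows a third parser behaviour next to the three in the post: Python's own zipfile module trusts the last EOCD record, so it reports only the final archive and treats everything before it as prepended data. File names and contents are constructed.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # end-of-central-directory record signature
CD_SIG = b"PK\x01\x02"     # central-directory file header signature
EOCD_FIXED_LEN = 22        # EOCD record length before its optional comment


def make_zip(files):
    """Build an in-memory ZIP archive from a {name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def concatenate(*archives):
    """Append the archives back to back; this is the whole trick at the file-format level."""
    return b"".join(archives)


def split_concatenated_zip(blob):
    """Return (start, end) byte spans for every complete ZIP structure in blob.

    Every embedded archive ends with its own EOCD record. The central-directory
    offset stored in that record is relative to the start of *that* archive, so a
    candidate EOCD is only accepted if the offset, rebased on the current archive
    start, lands on a central-directory header that runs right up to the EOCD.
    That filters out stray PK\\x05\\x06 byte sequences inside file data.
    """
    spans = []
    start = 0
    pos = blob.find(EOCD_SIG, start)
    while pos != -1:
        if pos + EOCD_FIXED_LEN <= len(blob):
            size_cd, offset_cd, comment_len = struct.unpack_from("<IIH", blob, pos + 12)
            cd_abs = start + offset_cd
            end = pos + EOCD_FIXED_LEN + comment_len
            if blob[cd_abs:cd_abs + 4] == CD_SIG and cd_abs + size_cd == pos:
                spans.append((start, end))
                start = end
                pos = blob.find(EOCD_SIG, start)
                continue
        pos = blob.find(EOCD_SIG, pos + 1)
    return spans


def list_each_archive(blob):
    """Names inside every embedded archive, in file order."""
    listings = []
    for start, end in split_concatenated_zip(blob):
        with zipfile.ZipFile(io.BytesIO(blob[start:end])) as zf:
            listings.append(zf.namelist())
    return listings


def what_python_sees(blob):
    """zipfile locates the *last* EOCD record and rebases everything on it,
    so on a concatenated blob it reports only the final archive."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.namelist()


# Constructed sample: a harmless decoy archive followed by one carrying the payload.
BENIGN = make_zip({"invoice.txt": b"Thank you for your order.\n"})
HIDDEN = make_zip({"update.exe": b"MZ placeholder, not a real executable\n"})
SAMPLE = concatenate(BENIGN, HIDDEN)

if __name__ == "__main__":
    print("embedded archives:", list_each_archive(SAMPLE))   # [['invoice.txt'], ['update.exe']]
    print("python zipfile shows:", what_python_sees(SAMPLE))  # ['update.exe']
```

The practical consequence for a mail gateway or sandbox is that whichever library it extracts with, it inspects only one of the embedded archives; feeding every span returned by `split_concatenated_zip` to the scanner (or rejecting any ZIP with more than one validated EOCD) closes the gap.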
Danny C.’s Post
More Relevant Posts
-
Snort is a crucial tool for incident responders. It's efficient in sniffer, IDS, and IPS modes. With your rules, you can gain control over your traffic. Here's my write-up for the Snort challenge: The Basics. https://lnkd.in/djs-xEXR I hope y'all find it helpful! #soc #DIFR #Blueteam #tryhackme #snort #cybersecurity
-
Pass-the-Hash is a lateral movement technique in which attackers steal the NTLM hash of a user's password to authenticate to a network system without knowing the plaintext password. Processes such as Mimikatz or other pass-the-hash tools access the memory of the LSASS.exe process to change LogonSession credential materials (the Authentication ID containing the stolen NT hash). The article below explains how to detect pass-the-hash activity via the Windows event log alone or correlated with Sysmon. The source host where pass-the-hash starts generates event 4624: An account was successfully logged on, reporting Logon Type 9 (NewCredentials, very rare), accompanied by the Process string "Seclogo" (empirically verified). To reduce false positives, if you have Sysmon, you can include in the rule logic the event with ID 10: ProcessAccess, tracking access to the LSASS.exe process.
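The two-tier rule the post outlines (4624 with Logon Type 9 and logon process seclogo, optionally corroborated by a Sysmon Event ID 10 access to lsass.exe on the same host), as an added example rather than the article's own query. The events are constructed records shaped like fields a SIEM parses out of EVTX; the field names, the 60-second correlation window and the sample paths are assumptions, not something the post specifies.

```python
from datetime import datetime, timedelta

LSASS = "lsass.exe"
CORRELATION_WINDOW = timedelta(seconds=60)   # assumed; tune to your environment

# Constructed sample events, shaped like parsed Security.evtx (Event ID 4624)
# and Sysmon (Event ID 10) fields. Not real logs.
EVENTS = [
    {"time": "2024-11-12T10:01:05", "host": "WS01", "channel": "Security", "id": 4624,
     "LogonType": 2, "LogonProcessName": "User32", "TargetUserName": "alice"},
    {"time": "2024-11-12T10:15:30", "host": "WS01", "channel": "Sysmon", "id": 10,
     "SourceImage": r"C:\Users\alice\Downloads\m.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"time": "2024-11-12T10:15:31", "host": "WS01", "channel": "Security", "id": 4624,
     "LogonType": 9, "LogonProcessName": "seclogo",
     "AuthenticationPackageName": "Negotiate", "TargetUserName": "alice",
     "ProcessName": r"C:\Users\alice\Downloads\m.exe"},
    # type 9 + seclogo with no LSASS access in the window: keep it, lower confidence
    {"time": "2024-11-12T11:00:00", "host": "WS02", "channel": "Security", "id": 4624,
     "LogonType": 9, "LogonProcessName": "seclogo", "TargetUserName": "bob"},
    # type 9 logged by a different logon process: the rule ignores it
    {"time": "2024-11-12T11:20:00", "host": "WS02", "channel": "Security", "id": 4624,
     "LogonType": 9, "LogonProcessName": "Advapi", "TargetUserName": "svc"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def lsass_access_events(events):
    """Sysmon Event ID 10 records whose target image is lsass.exe."""
    return [e for e in events
            if e["channel"] == "Sysmon" and e["id"] == 10
            and e.get("TargetImage", "").lower().endswith(LSASS)]


def detect_pth(events, window=CORRELATION_WINDOW):
    """One alert per 4624 / Logon Type 9 / seclogo event.

    Confidence is 'high' when a Sysmon 10 LSASS access on the same host falls
    within `window` of the logon on either side (the injector may open LSASS
    just before or just after it spawns the new-credentials process), otherwise
    'medium' (event log only).
    """
    lsass_hits = lsass_access_events(events)
    alerts = []
    for e in events:
        if e["channel"] != "Security" or e["id"] != 4624:
            continue
        if e.get("LogonType") != 9 or e.get("LogonProcessName", "").lower() != "seclogo":
            continue
        nearby = [a for a in lsass_hits
                  if a["host"] == e["host"] and abs(_ts(e) - _ts(a)) <= window]
        alerts.append({
            "host": e["host"],
            "user": e["TargetUserName"],
            "time": e["time"],
            "logon_process": e.get("ProcessName", "?"),
            "confidence": "high" if nearby else "medium",
            "lsass_accessed_by": sorted({a["SourceImage"] for a in nearby}),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_pth(EVENTS):
        print(alert)
```

The medium-confidence tier exists because tooling that legitimately goes through the secondary logon service also produces Type 9 logons; the LSASS access is what separates credential injection from ordinary use of that path.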
-
The vulnerability, tracked as CVE-2024-48914 and assigned a CVSS score of 9.1, stems from a path traversal issue in the AssetServerPlugin when used with the LocalAssetStorageStrategy. This flaw allows attackers to craft malicious requests that exploit the lack of proper path normalization to access files outside the intended directory.
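An added illustration of the failure the CVE description names, not the affected project's code: a resolver that joins the requested path onto a storage root without normalising it, beside one that decodes, normalises and then proves the result is still inside the root. The root path, function names and sample requests are assumed for the example.

```python
import posixpath
from urllib.parse import unquote

# Assumed storage root for this example; the real plugin's root is configured elsewhere.
ASSET_ROOT = "/srv/app/static/assets"


def resolve_unsafe(requested):
    """Vulnerable shape: the request path is glued onto the root with no normalisation."""
    return ASSET_ROOT + "/" + requested


def resolve_safe(requested):
    """Hardened shape: decode once, normalise, re-root, then check the result
    is strictly inside ASSET_ROOT before touching the filesystem."""
    decoded = unquote(requested)
    if "\x00" in decoded:
        raise ValueError("NUL byte in requested path")
    candidate = posixpath.normpath(posixpath.join(ASSET_ROOT, decoded.lstrip("/")))
    if not candidate.startswith(ASSET_ROOT + "/"):
        raise PermissionError(f"traversal blocked: {requested!r} -> {candidate}")
    return candidate


def escapes_root(path):
    """True when a path, once normalised, lies outside ASSET_ROOT."""
    return not posixpath.normpath(path).startswith(ASSET_ROOT + "/")


def is_blocked(requested):
    """Does resolve_safe refuse this request?"""
    try:
        resolve_safe(requested)
    except (PermissionError, ValueError):
        return True
    return False


# Constructed requests: one legitimate, one with a harmless '..', two traversal attempts.
REQUESTS = [
    "images/logo.png",
    "images/../logo.png",
    "../../../../etc/passwd",
    "..%2f..%2f..%2f..%2fetc%2fpasswd",   # URL-encoded separators
]

if __name__ == "__main__":
    for r in REQUESTS:
        unsafe = resolve_unsafe(r)
        print(f"{r!r}: unsafe={unsafe} escapes={escapes_root(unsafe)} hardened_blocks={is_blocked(r)}")
```

On a real server, follow the string check with `os.path.realpath` on both the root and the candidate so a symlink under the root cannot point outside it; the string normalisation alone only handles the `..` and encoding cases shown here.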
-
#HackTheBox EvilCUPS is live! You can probably guess what this box is all about. It's launching straight to "retired," so you can find my video walkthrough here: https://lnkd.in/diRJD3ku. Spoilers Ahead - Stop reading if you want to play blind! I built this box, but the hardest part was honestly just setting up the OS; it's vulnerable right out of the box. My main tweak was making the vulnerability easier to exploit with a zero-click attack. I modified the CUPS Management Interface (TCP:631) to listen on all hosts. Anonymous users can print test pages, which helps trigger the vulnerability. This is a common configuration in many devices with a print server (e.g., NAS), so it maintains realism. Once you get a shell, the next step is to search for cached print jobs. An admin printed the root password, which may sound unrealistic, but I've done this myself as a sysadmin. Our passwords were long random strings, so we'd print them in the server room and then go grab the printout. I always find it funny when password complexity requirements that are too strong end up creating security violations. I don't think our policy stated we couldn't print passwords, but I'm certain it said passwords shouldn't be in plaintext. If I had to guess, the print job wasn't encrypted in transit and was stored as plaintext on the printer.
-
New blogpost alert! I recently deployed the complete GOAD lab to freshen up on Active Directory pentesting skills. The fully functional lab features several AD misconfigurations and vulnerabilities which I have been playing around with and documenting in split write-ups. In this first part, we cover some basics with enumeration of the environment and finding valid users, which we then leverage to carry out password spraying, AS-REP Roasting and finally finish off with LLMNR poisoning. In future blogs, I will deploy the ELK stack and further explore the lab while maintaining better OPSEC #ActiveDirectory #Pentesting https://lnkd.in/dF4Biv3m
-
Recently Bishal Shrestha and I were paid for finding an SSRF/LFI bug by exploiting a PDF generator in a public Bugcrowd program. It was a crazy experience where we purchased a valid item from the store and, upon cancelling the order and providing a "cancelation reason", a separate PDF would be generated. Here, we were able to inject our payload in the "cancelation reason" field and read arbitrary files using the file:// protocol and make HTTP requests to the internal network. Although the webapp had implemented certain security measures to restrict or block potentially malicious requests, it was bypassed using a simple 302 redirect 😉
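An added example of the bypass class the post describes (not the authors' payload or the target's code): a URL filter that rejects file:// and non-public addresses, a fetcher that checks only the URL it was handed and then follows a 302 into the internal network, and the hardened version that re-checks every hop. The hosts, URLs and responses are a constructed in-memory stand-in for the network, so it runs offline.

```python
import ipaddress
from urllib.parse import urlparse

REDIRECTS = (301, 302, 303, 307, 308)

# Constructed stand-in for the network: url -> (status, headers, body). No real hosts.
FAKE_NET = {
    "https://cdn.example/logo.png": (200, {}, b"\x89PNG fake image bytes"),
    "https://attacker.example/bounce": (302, {"Location": "http://10.0.0.5/admin"}, b""),
    "http://10.0.0.5/admin": (200, {}, b"internal admin panel"),
    "https://attacker.example/leak": (302, {"Location": "file:///etc/passwd"}, b""),
    "file:///etc/passwd": (200, {}, b"root:x:0:0:root:/root:/bin/bash\n"),
}


def is_allowed(url):
    """The sort of check the vulnerable app had: http(s) only, no literal
    private, loopback or link-local targets. A real check must also resolve
    hostnames and re-check the resulting IP; that is omitted so the example
    stays offline."""
    p = urlparse(url)
    if p.scheme not in ("http", "https") or not p.hostname:
        return False
    try:
        return ipaddress.ip_address(p.hostname).is_global
    except ValueError:
        return True   # a hostname, assumed public for this offline example


def _get(url):
    if url not in FAKE_NET:
        raise ConnectionError(f"unreachable in this example: {url}")
    return FAKE_NET[url]


def fetch_naive(url, max_hops=5):
    """Vulnerable: validates only the URL the user supplied, then follows redirects blindly."""
    if not is_allowed(url):
        raise PermissionError(f"blocked: {url}")
    for _ in range(max_hops):
        status, headers, body = _get(url)
        if status in REDIRECTS:
            url = headers["Location"]
            continue
        return url, body
    raise RuntimeError("too many redirects")


def fetch_hardened(url, max_hops=5):
    """Fixed: every hop is validated before it is fetched, so a 302 to an
    internal host or a file:// URL is refused at the hop that introduces it."""
    for _ in range(max_hops):
        if not is_allowed(url):
            raise PermissionError(f"blocked: {url}")
        status, headers, body = _get(url)
        if status in REDIRECTS:
            url = headers["Location"]
            continue
        return url, body
    raise RuntimeError("too many redirects")


def blocked_by(fetcher, url):
    """True if the fetcher refuses the URL or any hop it redirects to."""
    try:
        fetcher(url)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print(fetch_naive("https://attacker.example/bounce"))              # reaches the internal panel
    print(blocked_by(fetch_hardened, "https://attacker.example/bounce"))  # True
```

With a real HTTP client the equivalent fix is to disable automatic redirect following (for example `allow_redirects=False` in requests) and loop over the `Location` header yourself so the filter sees each hop; a renderer that follows redirects internally, as PDF generators often do, needs the check moved to a proxy it is forced to use.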
-
✅ The answer to our Deep Hack of the week has been revealed... 🔥 If you answered A) SPDX and B) CycloneDX, then you are correct! 👉 If you want to view an explanation for this Deep Hack, check out the link in the comments. Come back next week for a new Deep Hack to test your developer security knowledge!
Deep Hack of the Week Answer: July 15th, 2024
-
Check out 1400+ HackerOne reports in the link below and see how vulnerabilities are discovered, reported, and fixed. This is a treasure trove of insights to level up your skills and knowledge. ✅ Link to the reports: https://lnkd.in/dAQRwyna Stop guessing, start learning from the pros! 😀 #bugbounty #cybersecurity #hackerone #vulnerabilitymanagement #pentesting #infosec #learnfromthebest #bugbountytips #resources #ethicalhacking
-
There have been a few big changes to Dataverse and Power Platform security lately. Some of the things that have been "best practices" no longer apply: - You can create a security role from scratch and easily get the basic permissions that a model-driven app user needs to log in. Goodbye copying roles. - You can assign roles from different business units to the same user and handle some pretty complex matrix security solutions. I talk about these updates and answer some security questions from the community in this week's Power Platform Answers video.
What's new in Power Platform security?
-
Digital Forensic tips #2

1. Analyze Pagefile.sys and Hiberfil.sys for Forgotten Artifacts
Windows uses pagefile.sys (swap file) and hiberfil.sys (hibernation file) to manage system memory and hibernation states. These files often store remnants of sensitive information, including credentials, encryption keys, and artifacts from malicious activity.
Pagefile Analysis: Use tools like Volatility or strings to extract and analyze data in pagefile.sys.
Hibernation File Analysis: Parse hiberfil.sys using memory forensic tools to reconstruct the memory state at the time of hibernation.
These files are valuable when RAM dumps are unavailable, providing insights into active processes and system state.

2. Leverage AMCache.hve for Execution Traces
The AMCache.hve registry file in Windows stores metadata about executed binaries, including their paths, timestamps, and SHA1 hashes. Even if malware has been deleted, its trace often remains in AMCache.
Location: C:\Windows\AppCompat\Programs\Amcache.hve
Analysis: Use tools like AmcacheParser to extract details. This can uncover malicious executables and provide a timeline of execution.
This method is particularly effective for understanding recent activities on the system, even if traditional execution logs have been wiped.
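An added example for the pagefile tip (not from the post): a two-pass string extractor, ASCII and UTF-16LE, run over a constructed blob that mimics a paged-out region. The UTF-16LE pass is the point: Windows keeps most user-land text in memory as UTF-16LE, so an ASCII-only `strings` run walks straight past the console line holding the password while `strings -e l` finds it. The sample bytes and the credential hint list are constructed for the example.

```python
import re

# Constructed sample: what a slice of a paged-out region might contain. A stray
# PE header fragment, a UTF-16LE console line (how Windows stores most text in
# memory), and an ASCII HTTP header from a web request. Not a real pagefile.
SAMPLE_PAGE = (
    b"\x00" * 32
    + b"MZ\x90\x00\x03\x00"
    + b"\x00" * 16
    + "net user backup P@ssw0rd!2024 /add".encode("utf-16-le")
    + b"\x00" * 40
    + b"Authorization: Basic YWRtaW46aHVudGVyMg=="
    + b"\x00" * 8
)

# Assumed triage hints; extend with whatever your case calls for.
CREDENTIAL_HINTS = ("passw", "pwd", "net user", "authorization", "BEGIN RSA")


def extract_strings(data, min_len=6):
    """Return (encoding, offset, text) for printable ASCII and UTF-16LE runs of
    at least min_len characters, sorted by offset: the two passes that
    `strings` and `strings -e l` perform."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [("ascii", m.start(), m.group().decode("ascii"))
             for m in ascii_re.finditer(data)]
    found += [("utf-16le", m.start(), m.group().decode("utf-16-le"))
              for m in utf16_re.finditer(data)]
    return sorted(found, key=lambda hit: hit[1])


def find_credential_like(data, hints=CREDENTIAL_HINTS):
    """Filter extracted strings down to the ones worth a second look."""
    return [hit for hit in extract_strings(data)
            if any(h.lower() in hit[2].lower() for h in hints)]


if __name__ == "__main__":
    for enc, off, text in extract_strings(SAMPLE_PAGE):
        print(f"{off:6d} {enc:8} {text}")
    print("credential-like:", [t for _, _, t in find_credential_like(SAMPLE_PAGE)])
```

This raw pass is appropriate for pagefile.sys; hiberfil.sys is stored compressed, so run it only on a hibernation file that a memory-forensics tool has already converted to a raw image, or let that tool do the carving.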
-