Michael Koczwara

Pinned

LAPSUS$ TTPs

LAPSUS$ TTPs & MITRE ATT&CK mapping (diagram on whimsical.com). Two interesting techniques used by LAPSUS$: Code Signing, and Disable and Modify Tools. TA0005: Defence Evasion; T1553.002: Subvert Trust Controls: Code Signing. "Adversaries may create, acquire, or steal code-signing materials to sign their malware or tools. Code signing provides…" (attack.mitre.org). NVIDIA certificates used to sign malicious software.

Cybersecurity

4 min read


Pinned

Cobalt Strike PowerShell Payload Analysis

I have spotted this interesting tweet from Malwar3Ninja and decided to take a look and analyse the Cobalt Strike PowerShell payload. PowerShell Payload Analysis. We can spot the for function:

Malware Analysis

8 min read


Pinned

Cobalt Strike Hunting — DLL Hijacking/Attack Analysis

DLL Hijacking via Cobalt Strike & Attack Analysis. Agenda: Hijack Execution Flow: DLL Search Order Hijacking; payload extraction from the PCAP (VT, Triage, and CyberChef analysis); attack analysis; DLL hijacking via Cobalt Strike/Sysrep. Hijack Execution Flow: "Adversaries may execute their own malicious payloads by hijacking the way operating systems run…"

Cybersecurity

6 min read


Pinned

Cobalt Strike Hunting — Malleable C2 jQuery profile & rundll32 Analysis

Agenda: Malleable C2 jQuery profiles; Cobalt Strike SpawnTo and Rundll32; PCAP & VT analysis of Rundll32 connecting over TCP to a Cobalt Strike C2; Cobalt Strike Malleable C2 User-Agents. Malleable C2 jQuery profiles: Malleable C2 profiles have been widely adopted and used by Cobalt Strike, a popular framework used by red teamers, APTs…

Cobalt Strike

4 min read


Pinned

Cobalt Strike Hunting — simple PCAP and Beacon Analysis

Legit healthcare company. Bonner General Health and Hospital | Sandpoint, North Idaho, Washington, Montana Bonner General Health is a 25-bed Critical Access Hospital and healthcare network of outpatient clinics and services…bonnergeneral.org https://bonnergeneral[.]org/

Cobalt Strike

4 min read


Jun 29

Follina (CVE-2022-30190) & Cobalt Strike C2 - Simple Analysis

Follina (CVE-2022-30190) & Cobalt Strike C2 simple analysis using Twitter, Sublime Text, olevba, Shodan, VT, Triage, CyberChef, and DomainTools. Twitter intel. Initial access: Follina exploit, CVE-2022-30190.

Cobalt Strike

3 min read


May 30

Diamond Model of Intrusion Analysis in Practice

LetsDefend: SOC171-Spring4Shell Log Analysis

Cybersecurity

3 min read


May 25

LetsDefend: Suspicious Certutil.exe Usage-LOLBAS TTPs

LetsDefend — SOC163 WriteUp — Walkthrough

Cybersecurity

3 min read


Apr 21

Server-Side Request Forgery (SSRF)- PortSwigger Labs

Lab: Blind SSRF with out-of-band detection

Penetration Testing

2 min read


Apr 20

Server-Side Request Forgery (SSRF)- PortSwigger Labs

Lab: SSRF with filter bypass via open redirection vulnerability. Objectives: This lab has a stock check feature that fetches data from an internal system. To solve the lab, change the stock check URL to access the admin interface at http://192.168.0.12:8080/admin and delete the user carlos. The stock checker has been restricted to only access the local application, so you…

Penetration Testing

3 min read

Michael Koczwara
Security Researcher [RED&BLUE]