LAPSUS$ TTPs
LAPSUS$ TTPs & MITRE ATT&CK Mapping (diagram hosted on whimsical.com). Two interesting techniques used by LAPSUS$ (Code Signing, Disable and Modify Tools). TA0005: Defence Evasion; T1553.002: Subvert Trust Controls: Code Signing. From attack.mitre.org: "Adversaries may create, acquire, or steal code-signing materials to sign their malware or tools. Code signing provides…" NVIDIA certificates used to sign malicious software.
Tags: Cybersecurity
Cobalt Strike PowerShell Payload Analysis
I have spotted this interesting tweet from Malwar3Ninja and decided to take a look and analyse the Cobalt Strike PowerShell payload. PowerShell Payload Analysis. We can spot the for function:
Tags: Malware Analysis
Cobalt Strike Hunting — DLL Hijacking/Attack Analysis
DLL Hijacking via Cobalt Strike & Attack Analysis. Agenda: Hijack Execution Flow: DLL Search Order Hijacking; Payload extraction from the PCAP (VT, Triage, and CyberChef Analysis); Attack Analysis; DLL Hijacking via Cobalt Strike/Sysrep. Hijack Execution Flow: "Adversaries may execute their own malicious payloads by hijacking the way operating systems run…"
Tags: Cybersecurity
Cobalt Strike Hunting — Malleable C2 jQuery profile & rundll32 Analysis
Agenda: Malleable C2 — jQuery profiles; Cobalt Strike — SpawnTo and Rundll32; PCAP & VT Analysis — Rundll32 connecting over TCP to Cobalt Strike C2; Cobalt Strike Malleable C2 User-Agents. Malleable C2 — jQuery profiles: Malleable C2 profiles have been widely adopted and used by Cobalt Strike, a popular framework used by Red Teamers, APTs…
Tags: Cobalt Strike
Cobalt Strike Hunting — simple PCAP and Beacon Analysis
Legit healthcare company. Bonner General Health and Hospital | Sandpoint, North Idaho, Washington, Montana. "Bonner General Health is a 25-bed Critical Access Hospital and healthcare network of outpatient clinics and services…" (bonnergeneral.org, https://bonnergeneral[.]org/)
Tags: Cobalt Strike
Jun 29 — Follina (CVE-2022-30190) & Cobalt Strike C2 - Simple Analysis
Follina CVE-2022-30190 & Cobalt Strike C2 Simple Analysis using Twitter, Sublime Text, olevba, Shodan, VT, Triage, CyberChef, and DomainTools. Twitter Intel. Initial Access: Follina Exploit CVE-2022-30190.
Tags: Cobalt Strike
May 30 — Diamond Model of Intrusion Analysis in Practice
LetsDefend: SOC171 - Spring4Shell Log Analysis.
Tags: Cybersecurity
May 25 — LetsDefend: Suspicious Certutil.exe Usage - LOLBAS TTPs
LetsDefend — SOC163 WriteUp — Walkthrough.
Tags: Cybersecurity
Apr 21 — Server-Side Request Forgery (SSRF) - PortSwigger Labs
Lab: Blind SSRF with out-of-band detection. (Figure: SSRF Attack Lifecycle)
Tags: Penetration Testing
Apr 20 — Server-Side Request Forgery (SSRF) - PortSwigger Labs
Lab: SSRF with filter bypass via open redirection vulnerability. Objectives: This lab has a stock check feature that fetches data from an internal system. To solve the lab, change the stock check URL to access the admin interface at http://192.168.0.12:8080/admin and delete the user carlos. The stock checker has been restricted to only access the local application, so you…
Tags: Penetration Testing