CVE-2023-36631: Circumventing Windows Firewall controls with... Malwarebytes' Windows Firewall Control Jun 21, 2023 Malwarebytes' software for firewall management let unprivileged users perform administrative firewall actions without access controls, allowing local network rules to be bypassed.
OSINT from images' metadata hosted on websites Apr 13, 2023 TL;DR; Images hosted by websites contain numerous metadata fields depending on their filetype (JPG, PNG…). These fields include information that is interesting for reconnaissance purposes, such as names, telephone numbers, email addresses or URLs. Often, website editors do not strip the metadata from the images hosted on their websites, making information leaks possible. Introduction Imagine you are part of a red team and your task is to penetrate a company’s perimeter. First, you want to gather intelligence. ...
DMARC Identifier Alignment: relax, don't do it, when you want to go to it Jan 25, 2023 From subdomain takeover to phishing mails TL;DR; if you have a subdomain takeover for a given domain, and default DMARC alignment settings, you can create emails that pass SPF and DMARC for phishing purposes. DKIM, however, cannot be passed for the domain, but a trick is possible to make emails look more trustworthy. This post and more are now part of a book I wrote on email security: Introduction I like Mozilla’s definition of a subdomain takeover: ...
Microsoft Azure security technologies certification and beyond (book review) Jan 11, 2023 Book by David Okeyode
Nmap - detecting the network mapper Jan 03, 2023 Detecting network scans When we speak about detection, you can often hear “let’s detect attackers' scans”. I believe that sentence is used with the aim of detecting intruders in the early stages of an attack. However, there are a few issues with this mindset, as blindly detecting all types of scans made on a security perimeter will drive the SOC crazy with the amount of false positives and legitimate alerts generated. It will not improve your level of detection either, because you will not be able to treat all the alerts and may miss the ones revealing the presence of intruders. ...
Divin'n'phishin with executable filetypes on Windows Oct 26, 2022 In order to find phishing payloads, one needs to understand how executable filetypes on Windows are handled, finding which ones can be delivered to mail clients, and thus to users, without being caught by the mail defences in between and without requiring multiple validation steps from that user for execution once clicked on. Other filetypes that are not executable per se are also relevant for phishing, and they are mentioned in this article as well. ...
Evading command-line detection with doskey Oct 22, 2022 The doskey command can be used to evade some command-line detection rules by hiding the executable name behind an alias.
Zero-point Security's Red Team Ops II (CRTL) review Oct 19, 2022 Context The recent release of the Red Team OPS II course by Zero-point Security caught my attention on Twitter in August. Since the Red Team Ops I course was, in my opinion, very good content, I decided to buy the RTO II bundle and give it a go. Course The course description and syllabus can be found on Zero-point Security's website. Zero-point Security makes it clear this is a deeper dive into red teaming, and I can only agree. ...
ELearnSecurity Certified Threat Hunting Professional (eCTHPv2) review Jul 10, 2022 Context Since I took the eLearnSecurity Certified Incident Responder (eCIR) a good while ago and, according to eLearn, the Certified Threat Hunting Professional (eCTHPv2) is the next stepping stone, I decided to give it a go. The fact that the person who made the course’s material, Slavi Parpulev, is also one of my former colleagues, and that we joked internally about me getting certified by him, gave me one more good reason to study for it. ...
Penetration testing Azure for ethical hackers (book review) Jun 05, 2022 Book by David Okeyode & Karl Fosaaen