DMARC Identifier Alignment: relax, don't do it, when you want to go to it Jan 25, 2023 From subdomain takeover to phishing mails TL;DR: if you have a subdomain takeover for a given domain, and default DMARC alignment settings, you can create emails that pass SPF and DMARC for phishing purposes. DKIM, however, cannot be passed for the domain, but a trick is possible to make emails look more trustworthy. This post and more are now part of a book I wrote on email security: Introduction I like Mozilla’s definition of a subdomain takeover: ...
Microsoft Azure security technologies certification and beyond (book review) Jan 11, 2023 Book by David Okeyode
Nmap - detecting the network mapper Jan 03, 2023 Detecting network scans When we speak about detection, you can often hear “let’s detect attackers' scans”. I believe that sentence is thrown around with the aim of detecting intruders in the early stages of an attack. However, there are a few issues with this mindset: blindly detecting all types of scans made on a security perimeter will drive the SOC crazy with the amount of false-positive and legitimate alerts generated. It will not improve your level of detection either, because you will not be able to triage all the alerts and may miss the ones revealing the presence of intruders. ...
Divin'n'phishin with executable filetypes on Windows Oct 26, 2022 In order to find phishing payloads, one needs to understand how executable filetypes on Windows are handled, and which ones can be delivered to mail clients, and thus to users, without being caught by the mail defences in between and without requiring multiple validation steps from that user for execution once clicked on. Other filetypes are also relevant for phishing even if they are not executable per se; they are also mentioned in this article. ...
Evading command-line detection with doskey Oct 22, 2022 The doskey command can be used to evade some command-line detection rules by hiding the executable name behind an alias.
Zero-point Security's Red Team Ops II (CRTL) review Oct 19, 2022 Context The recent release of the Red Team Ops II course by Zero-point Security caught my attention on Twitter in August. Since the Red Team Ops I course was, in my opinion, very good content, I decided to buy the RTO II bundle and give it a go. Course The course description and syllabus can be found on the Zero-point Security website. Zero-point Security makes it clear this is a deeper dive into red teaming, and I can only agree. ...
eLearnSecurity Certified Threat Hunting Professional (eCTHPv2) review Jul 10, 2022 Context Since I took the eLearnSecurity Certified Incident Responder (eCIR) a good while ago, and since, according to eLearn, the Certified Threat Hunting Professional (eCTHPv2) is the next stepping stone, I decided to give it a go. The person who made the course’s material being one of my former colleagues, Slavi Parpulev, and the fact that we joked internally about me getting certified by him, gave me one more good reason to study for it. ...
Penetration testing Azure for ethical hackers (book review) Jun 05, 2022 Book by David Okeyode & Karl Fosaaen
Multiple vulnerabilities in cifs-utils May 12, 2022 I recently found two bugs in cifs-utils, the userland tools of the SMB implementation in Linux, which led to the release of version 6.15. The full article can be read at https://improsec.com/tech-blog/multiple-vulnerabilities-in-cifs-utils. Useful links: Responsible disclosure CVEs assigned: CVE-2022-27239, CVE-2022-29869 cifs-utils version 6.15 advisory
Zero-point Security's Red Team Ops (CRTO) review May 01, 2022 Context I recently took Zero-point Security’s Red Team Ops course and the associated exam (CRTO). It is also known as Daniel Duggan’s (a.k.a. Rastamouse) course, even if since then Zero-point Security has released other courses on offensive programming. It is so far the best learning experience I have had on an online certification, and I wanted to share a bit of what to expect from the course as well as what you can gain from it. ...