penetrationtesting Pentesting 101 Part 1: So, you need or want a Pentest So, that day has finally come when you've been tasked with obtaining a penetration test for that project you've built or are accountable for, or perhaps you've been informed that it's necessary due to "compliance requirements".
penetrationtesting Featured Introducing Scraping Kit Scraping Kit comprises several tools for scraping services for keywords, useful for the initial enumeration of Domain Controllers or if you have popped a user's desktop with access to their Outlook client.
cloud Featured 5 Recurring Cloud Security Observations This blog post will discuss the top security vulnerabilities commonly associated with cloud computing and touch on areas we observe frequently on penetration tests. By understanding these risks, you can take steps to protect yourself and your data while using cloud-based services.
penetrationtesting Outlook 365 for the PWN While macros with PowerShell are a dying art and fewer and fewer red teams use them, threat actors still get away with targeting less mature clients using these techniques.
penetrationtesting Living Off The Land - Built-In Pwning Living off the land in the context of cybersecurity involves using existing tools, utilities, or scripts found on a target system. This post will dive into some of the useful built-in modules.
redteam Featured Top 5 Insider Threat Findings Throughout 2022, the Lares Red Team has tracked several emerging trends when assisting clients with insider threat engagements. This blog post elaborates on the five most impactful findings in environments.
penetrationtesting Push Fatigue: We’re tired too. More and more organizations are enrolling users in Multi-Factor Authentication (hereafter referred to as MFA), wherein a secondary form of authentication occurs following a user inputting their credentials into a service to ensure a user is who they say they are.
redteam Multiple Paths to Compromise An Environment Every stage of an attack starts with reconnaissance, from an external attacker's perspective, profiling a company's exterior footprint or an insider threat and identifying what systems to go after. A wealth of information can be gathered during the reconnaissance phase of an assessment. I've written about the OSINT techniques that
passwords How I Compromised Your Complex Password from The Internet One of an attacker’s first goals is to gain a foothold in a target environment. The role or permissions of an end user does not matter if it can be leveraged to gain access.
purpleteam Azure and Azure Active Directory Monitoring Use Cases Wrangling data exposed by various Azure services is a daunting challenge. Because numerous tables exist with many available data types, finding the table with a particular Azure action or its associated query often proves difficult. Azure Monitor can aid you in this journey. Azure Sentinel comes with several preconfigured analytic
purpleteam The Lowdown on Lateral Movement What Is Lateral Movement ? Lateral movement is a broad MITRE ATT&CK category, consisting of nine distinct techniques and numerous sub techniques. Due to its breadth and linkages between other areas of the ATT&CK framework, lateral movement becomes an increasingly interesting category, presenting numerous challenges to defenders. The category
purpleteam Kubernetes Hunting & Visibility Intro Enterprise workloads are increasingly shifting to modern micro-service architectures. This shift can potentially mean that visibility, hunting, and defensive frameworks lag behind their traditional on-premises architectures and deployments. This post provides Kubernetes monitoring and hunting examples from several defensive areas and visibility vantage points. Setup Although most enterprise micro-architecture
purpleteam Sysmon for Linux Test Drive If you have been within planetary orbit of our Purple Team, you will know that we are huge fans of Sysmon. You can imagine our excitement when Microsoft announced that Sysmon would be coming to Linux a few months ago. Well, the wait is now over and Sysmon is available
purpleteam Detection and Mitigation Advice for PrintNightmare PrintNightmare(CVE-2021-34527) was released as a proof of concept this week on Github. This post highlights how the exploit PoCs released on Github work and how the specific vulnerability can be fixed and detected.
purpleteam Introducing Sysmon Config Pusher When providing various services to clients, including Purple, Blue, and Red Team engagements, the Lares team often recommends Sysmon to close detection gaps. Indeed, Sysmon is an incredible and freely available tool that enhances visibility across Windows systems and provides rich data and telemetry from which to build alerting, detections
redteam Social Profiling – OSINT for Red/Blue One of the areas that I love when it comes to red/purple engagements is profiling organizations on LinkedIn and GitHub, looking for crucial information that can lead to more juicy enumeration.
purpleteam Emails and Malicious Macros – What Can Go Wrong? Intro A few months ago, we published a blog post that examined the telemetry available through Office 365, including email visibility. If you read the blog and thought to yourself, I wish that I could get more comprehensive email visibility, beyond just the basic meta-data, then the Splunk Microsoft O365
bluteam Getting into the Blue Team: A Practical Guide Are you a person who is new to the Information Security industry and want to get deeper into the defensive side of our wonderfully broad and complex industry? Have you read a few "getting into InfoSec" guides but been looking for something more practical, specific, and applicable to your interests
purpleteam Hunting in the Sysmon Call Trace The Sysmon ProcessAccess event has been used in threat hunting and detection efforts in order to alert on techniques such as process injection and credential access. According to the Sysinternals website, the Sysmon ProcessAccess event reports when a process opens another process, an operation that’s often followed by information
purpleteam Hunting Azure Admins for Vertical Escalation: Part 2 This post is part 2 in the Hunting Azure Admins for Vertical Escalation series. Part 1 of this series detailed the usage and functionality of Azure authentication tokens, file locations that cache the tokens during a user session (“%USERPROFILE%\.Azure\TokenCache.dat”), methods for locating user exported Azure context files
purpleteam Hunting Azure Admins for Vertical Escalation In this post, we will look at a rather simple, but important procedure when attacking organizations that leverage cloud providers such as Microsoft Azure. There is a lot of excellent public research on attacking Azure, however, most research tends to focus on tactics that assume you have first obtained some
