Maximus IT<b> Protect your digital assets with us. </b> Faysal Hasan
<p><b>MGM Cyber Attack cost 110 Million</b> (2023-10-08)</p>
<p>In September the hospitality and entertainment company <b>#MGM</b> Resorts was hit by a <b>#ransomware</b> attack that shut down its systems at MGM Hotels and Casinos.</p>
<p dir="ltr">The incident affected <b>#hotel</b> reservation systems in the United States and other IT systems that run the casino floors.</p>
<p dir="ltr">The company has now revealed that the costs of the <b>#ransomware</b> attack have exceeded $110 million. It paid third-party experts $10 million to clean up its systems.</p>
<p dir="ltr">Allegedly, a criminal gang made up of U.S. and U.K.-based individuals that cybersecurity experts call <b>#Scattered</b> Spider (aka Roasted 0ktapus, UNC3944 or Storm-0875) initiated a social engineering attack that led to the near shutdown of <b>#MGM</b> Resorts International.</p>
<p dir="ltr">Scattered Spider <b>#encrypted</b> several hundred of MGM's <b>#ESXi</b> servers, which hosted thousands of VMs supporting hundreds of systems widely used in the hospitality industry. This caused cascading chaos: as the <b>#ESXi</b> hosts were encrypted one after another, the applications running on them crashed … one after another … after another. Hotel room keys no longer worked. Dinner reservation systems were down. Point-of-sale systems were unable to take payments. Guests were unable to check in or out. Slot machines were completely unavailable. At this point, MGM was hemorrhaging money – and potentially its credibility.</p>
<p dir="ltr">Cyber <b>#security</b> company <b>#CyberArk</b> has published a thorough technical analysis that details the <b>#attack</b> based on the information currently available, analyzes its root causes and discusses key takeaways to help organizations strengthen their security posture.</p>
<p dir="ltr"><b>#cyber</b> <b>#databreach</b> <b>#socialengineering</b> <b>#ransomware</b> <b>#okta</b> <b>#security</b> </p>
<p dir="ltr">https://www.cyberark.com/resources/blog/the-mgm-resorts-attack-initial-anaysis</p>
<p><b>Developing and implementing security controls for Azure Active Directory (Azure AD)</b> (2023-06-04)</p>
<p>Today we will share the list of things you need to consider when developing and implementing security controls for Azure Active Directory (Azure AD):</p>
<p><br /></p>
<p>1. Identify Azure AD Assets:</p>
<p> - Create an inventory of all Azure AD assets, including user accounts, groups, applications, service principals, and Azure AD resources.</p>
<p> - Document the purpose and sensitivity level of each asset.</p>
<p> - Classify assets based on their importance and criticality to the organization, considering factors such as the data they provide access to or the applications they authenticate.</p>
<p><br /></p>
<p>2. Perform a Risk Assessment:</p>
<p> - Identify potential threats to your Azure AD environment, such as unauthorized access, identity theft, insider threats, or data breaches.</p>
<p> - Assess vulnerabilities that could be exploited by conducting a comprehensive assessment of your Azure AD configuration and associated resources.</p>
<p> - Evaluate the potential impact of each threat and vulnerability on the confidentiality, integrity, and availability of your Azure AD assets.</p>
<p> - Determine the likelihood of each risk occurring based on historical data, industry trends, and the organization's threat landscape.</p>
<p> - Prioritize risks based on their potential impact and likelihood, focusing on those with the highest potential risk to your Azure AD environment.</p>
<p><br /></p>
<p>3. Define Security Objectives:</p>
<p> - Review your organization's overall security strategy and compliance requirements, including any specific Azure AD security requirements.</p>
<p> - Identify specific security objectives that align with these requirements and the risk assessment findings. 
Ensure these objectives are measurable and relevant to your organization's needs.</p><p> - Examples of security objectives for Azure AD may include enforcing strong authentication policies, implementing conditional access controls, and protecting privileged accounts.</p><p><br /></p><p>4. Select Security Controls:</p><p> - Research and review Azure AD security best practices, Azure Security Center recommendations, and Azure AD-specific security frameworks.</p><p> - Identify security controls available in Azure AD that address the identified risks and align with your security objectives.</p><p> - Examples of security controls for Azure AD include enabling multi-factor authentication (MFA), implementing conditional access policies, using Azure AD Privileged Identity Management (PIM), and leveraging Azure AD Identity Protection.</p><p> - Consider using Azure AD security features such as Azure AD Conditional Access, Azure AD Identity Governance, and Azure AD Privileged Identity Management to enhance your security posture.</p><p><br /></p><p>5. Design Azure AD Security Architecture:</p><p> - Plan the structure of your Azure AD tenant, considering factors such as the number of Azure AD directories, users, groups, and applications required.</p><p> - Define the authentication and access models to be used, such as cloud-only identities, hybrid identities with Azure AD Connect, or federation with external identity providers.</p><p> - Determine the appropriate Azure AD license level and edition based on your organization's needs for advanced security features.</p><p> - Design RBAC roles and assignments for Azure AD resources, ensuring least privilege principles are followed.</p><p> - Establish Azure AD security policies, including password policies, sign-in risk policies, and device compliance policies.</p><p><br /></p><p>6. 
Implement Security Controls:</p><p> - Enable multi-factor authentication (MFA) for Azure AD accounts, especially for privileged accounts and accounts with access to sensitive resources.</p><p> - Implement conditional access policies to enforce granular access controls based on user, device, location, and risk factors.</p><p> - Utilize Azure AD Identity Protection to detect and respond to suspicious sign-in activities and risky user behaviors.</p><p> - Leverage Azure AD Privileged Identity Management (PIM) to manage and monitor privileged access to Azure AD and other Azure resources.</p><p> - Regularly review and remediate risky sign-in events, risky users, and vulnerable configurations identified by Azure AD security features.</p><p><br /></p><p>7. Provide User Training and Awareness:</p><p> - Develop training materials and conduct sessions to educate users about Azure AD security best practices.</p><p> - Train users on the importance of strong passwords, avoiding password reuse, and using MFA for enhanced security.</p><p> - Educate users about recognizing and reporting phishing attempts, suspicious sign-in activities, and other potential security risks.</p><p> - Raise awareness about the importance of safeguarding Azure AD credentials, avoiding sharing of accounts, and promptly reporting any unusual activities or potential security breaches.</p><p><br /></p><p>8. 
Establish Incident Response Procedures:</p><p> - Develop an incident response plan specifically for Azure AD security incidents.</p><p> - Define roles and responsibilities for incident response team members, including those responsible for handling Azure AD security incidents.</p><p> - Establish communication protocols and reporting mechanisms to ensure prompt detection, response, and resolution of Azure AD security incidents.</p><p> - Document step-by-step procedures for isolating affected accounts, investigating potential breaches, resetting compromised credentials, and implementing necessary security measures to prevent future incidents.</p><p> - Conduct regular drills and exercises to test the effectiveness of the incident response procedures and identify areas for improvement.</p><p><br /></p><p>9. Implement Monitoring and Auditing:</p><p> - Enable Azure AD auditing to track and monitor activities such as user sign-ins, application registrations, role assignments, and directory changes.</p><p> - Utilize Azure AD logs and Azure Monitor to collect and analyze security-related events and alerts.</p><p> - Configure alerts and notifications for suspicious activities, such as multiple failed sign-in attempts or privilege escalations.</p><p> - Integrate Azure AD with a Security Information and Event Management (SIEM) system for centralized log management, analysis, and correlation.</p><p> - Regularly review and analyze Azure AD logs and security reports to identify anomalies, detect security incidents, and take appropriate actions to mitigate risks.</p><p><br /></p><p>10. 
Regular Assessment and Improvement:</p>
<p> - Continuously assess the effectiveness of your Azure AD security controls.</p>
<p> - Stay informed about Azure AD security updates, new security features, and best practices provided by Microsoft.</p>
<p> - Conduct periodic security assessments and penetration testing to identify vulnerabilities and weaknesses in your Azure AD environment.</p>
<p> - Monitor Azure Security Center recommendations and implement necessary security improvements.</p>
<p> - Regularly review and update your Azure AD security controls, policies, and procedures to adapt to emerging threats, industry standards, and regulatory requirements.</p>
<p>The following condensed checklist summarises the same ten steps so that you can track the status of each one:</p>
<p><br /></p>
<p>Checklist for Azure AD Security:</p>
<p>1. Identify Azure AD Assets</p>
<p> - List all Azure AD resources and services being used, such as users, groups, applications, and roles.</p>
<p>2. Perform a Risk Assessment</p>
<p> - Identify potential threats and vulnerabilities specific to Azure AD.</p>
<p> - Assess the impact and likelihood of each risk.</p>
<p>3. Define Security Objectives</p>
<p> - Clearly define and document the desired security objectives for Azure AD.</p>
<p> - Ensure objectives align with organizational requirements and compliance standards.</p>
<p>4. Select Security Controls</p>
<p> - Research and identify Azure AD-specific security controls provided by Microsoft.</p>
<p> - Choose controls that address identified risks and align with security objectives.</p>
<p>5. Design Azure AD Security Architecture</p>
<p> - Plan the structure of Azure AD, including directory structure and role assignments.</p>
<p> - Define secure connectivity options and network configurations.</p>
<p> - Establish data encryption strategies for Azure AD. 
</p>
<p>6. Implement Security Controls</p>
<p> - Enable multi-factor authentication (MFA) for Azure AD users.</p>
<p> - Configure strong password policies and password rotation requirements.</p>
<p> - Implement Azure AD Privileged Identity Management (PIM) for access management.</p>
<p> - Enable auditing and logging for Azure AD activities.</p>
<p>7. Provide User Training and Awareness</p>
<p> - Educate users about Azure AD security best practices and potential threats.</p>
<p> - Train users on recognizing and reporting security incidents or suspicious activities.</p>
<p>8. Establish Incident Response Procedures</p>
<p> - Develop an incident response plan specific to Azure AD security incidents.</p>
<p> - Define roles and responsibilities for incident response team members.</p>
<p> - Establish communication protocols and reporting mechanisms for incidents.</p>
<p>9. Implement Monitoring and Auditing</p>
<p> - Enable Azure AD auditing and configure logs for monitoring and analysis.</p>
<p> - Set up alerts and notifications for suspicious activities or policy violations.</p>
<p> - Integrate Azure AD logs with a centralized logging and monitoring system.</p>
<p>10. Regular Assessment and Improvement</p>
<p> - Conduct regular security assessments and vulnerability scans for Azure AD.</p>
<p> - Stay informed about Azure AD security updates and best practices.</p>
<p> - Continuously review and update Azure AD security controls and policies. 
</p>
<p>Remember that security is an ongoing process, and it's important to regularly evaluate and improve the security posture of your Azure AD environment to stay ahead of potential threats and ensure the protection of your organization's identity and access management infrastructure.</p>
<p>Finally, here is an excellent blog post by Mandiant on a cloud platform compromise with multiple components that would require investigation:</p>
<p><a href="https://www.mandiant.com/resources/blog/cloud-bad-log-configurations">https://www.mandiant.com/resources/blog/cloud-bad-log-configurations</a></p>
<p><b>Explore Microsoft Bing Chat</b> (2023-05-31)</p>
<div style="text-align: justify;"><p><span style="font-family: verdana;">Explore Microsoft 
Bing Chat is a new feature that allows business users to interact with Microsoft Bing in a conversational way. You can ask Microsoft Bing questions, get insights, create content, and more in natural language. Microsoft Bing responds with informative, intuitive, logical, and actionable responses to help you get things done faster and easier. In this blog post, we'll show you how to use Discover chat on Microsoft Bing and how it can benefit your work.</span></p></div>
<div style="text-align: justify;"><p><span style="font-family: verdana;">Here are some steps to get started:</span></p>
<ul>
<li style="text-align: justify;"><p><span style="font-family: verdana;">Go to https://www.bing.com and click the chat icon in the lower right corner of the screen.</span></p></li>
<li style="text-align: justify;"><p><span style="font-family: verdana;">Select your preferred language and mode from the options. You can switch between Balanced, Creative, and Precise modes according to your needs and preferences.</span></p></li>
<li style="text-align: justify;"><p><span style="font-family: verdana;">Type or speak your request or message to Microsoft Bing.</span></p></li>
<li style="text-align: justify;"><p><span style="font-family: verdana;">You can use voice input by clicking the microphone icon next to the text box.</span></p></li>
<li style="text-align: justify;"><p><span style="font-family: verdana;">Microsoft Bing will respond with relevant and engaging feedback, which can include web results, images, tables, lists, code blocks, LaTeX expressions, and more. You can also see suggestions for the next user turn at the bottom of the chat box.</span></p></li>
<li style="text-align: justify;"><p><span style="font-family: verdana;">You can continue the conversation by following the suggestions or by typing or speaking your own request or message. You can also click on a link or reference in the Microsoft Bing response to explore more information.</span></p></li>
</ul></div>
<div style="text-align: 
justify;"><p><span style="font-family: verdana;">Chat on Microsoft Bing is a feature that allows you to interact with Bing in a conversational way. You can ask questions, get information, and even generate content using natural language. Chat on Microsoft Bing has three main components:<br /><br />- <b>Chat:</b> This is where you can type your messages and see Bing's responses. You can also switch between different modes, such as Balanced, Creative, and Precise, to get different types of responses from Bing.</span></p><p><span style="font-family: verdana;"><br />- <b>Compose:</b> This is where you can use Bing's creativity and intelligence to help you write or improve your own content. You can ask Bing to generate poems, stories, code, summaries, lyrics, and more. You can also ask Bing to rewrite, optimize, or enhance your content.</span></p><p><span style="font-family: verdana;"><br /><b>- Insights: </b>This is where you can see additional information and details related to your chat messages. You can see web search results, question answering results, advertisements, and suggestions for the next user turn. <br /></span></p></div><div style="text-align: justify;"><p><span style="font-family: verdana;"><br /></span></p></div><div style="text-align: justify;"><p><span style="font-family: verdana;">Microsoft Bing chat discovery is designed to help you find answers, create content, and complete tasks naturally and intuitively. Whether you need to research a topic, write a report, create a presentation, or just have fun, you can use the Explore chat on Microsoft Bing to boost your productivity and creativity. 
Try it today and let us know what you think.</span></p></div>
<p><b>Recommendations for Mitigating BianLian Ransomware Group attack</b> (2023-05-17)</p>
<p>To enhance your organization's cybersecurity posture and counter the activities of the BianLian Ransomware Group, we advise implementing the following mitigations. These measures align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and NIST (the National Institute of Standards and Technology). The CPGs outline a minimum set of practices and protections recommended for all organizations, based on existing cybersecurity frameworks and guidance that target common and impactful threats and tactics.</p>
<p><br /></p>
<p>1. 
Reduce the risk of malicious actors using remote access tools by taking the following actions:</p><p> - Conduct an audit of remote access tools on your network to identify authorized and currently used software.</p><p> - Review logs to detect abnormal use of portable executable programs running remote access software.</p><p> - Utilize security software capable of detecting instances where remote access software is loaded only in memory.</p><p> - Allow authorized remote access solutions strictly from within your network, using approved methods like virtual private networks (VPNs) or virtual desktop interfaces (VDIs).</p><p> - Block inbound and outbound connections on common remote access software ports and protocols at the network perimeter.</p><p> - Implement application controls to manage and control the execution of software, including allowing only approved remote access programs.</p><p> - Employ application allowlisting to prevent the installation and execution of unauthorized remote access software, including portable versions that evade traditional antivirus solutions.</p><p><br /></p><p>For additional guidance, refer to the NSA Cybersecurity Information Sheet on enforcing signed software execution policies.</p><p><br /></p><p>2. Strictly limit the use of Remote Desktop Protocol (RDP) and other remote desktop services. 
If RDP is necessary, adhere to best practices such as:</p>
<p> - Conduct network audits to identify systems using RDP.</p>
<p> - Close unused RDP ports.</p>
<p> - Enforce account lockouts after a specified number of failed login attempts.</p>
<p> - Implement phishing-resistant multifactor authentication (MFA).</p>
<p> - Log RDP login attempts.</p>
<p> - Disable command-line and scripting activities and permissions.</p>
<p> - Restrict the use of PowerShell to specific users who manage the network or Windows operating systems.</p>
<p> - Keep PowerShell updated to the latest version and uninstall older versions.</p>
<p> - Enable enhanced PowerShell logging to capture valuable data for monitoring and incident response.</p>
<p><br /></p>
<p>3. Review domain controllers, servers, workstations, and Active Directory to identify any new or unrecognized accounts. Audit user accounts with administrative privileges and configure access controls based on the principle of least privilege.</p>
<p><br /></p>
<p>4. Reduce the risk of credential compromise by implementing the following measures:</p>
<p> - Place domain admin accounts in the Protected Users group to prevent local caching of password hashes.</p>
<p> - Implement Credential Guard for Windows 10 and Server 2016, or enable Protected Process Light for Local Security Authority (LSA) on Windows Server 2012 R2.</p>
<p> - Avoid storing plaintext credentials in scripts.</p>
<p> - Implement time-based access for admin-level accounts using methods like Just-in-Time (JIT) access provisioning.</p>
<p><br /></p>
<p>In addition to the above recommendations, the FBI, CISA, and ACSC suggest the following mitigations to limit the adversarial use of system and network discovery techniques and reduce the impact and risk of ransomware or data extortion:</p>
<p><br /></p>
<p>1. Develop and maintain a recovery plan that includes multiple copies of sensitive data and servers stored in physically separate, segmented, and secure locations. 
Maintain offline backups of data, following the 3-2-1 backup strategy (three copies, two media types, one off-site).</p>
<p><br /></p>
<p>2. Ensure that all accounts with password logins comply with NIST standards for password policies. Use longer passwords, store passwords in hashed format using recognized password managers, add password user "salts" to shared login credentials, avoid password reuse, implement multiple failed login attempt account lockouts, disable password hints, and limit</p>
<p><b>Are you ready to break into the exciting and dynamic world of cybersecurity?</b> (2023-05-14)</p>
<div class="separator" style="clear: both; text-align: left;"><div class="separator" style="clear: both;"><div class="separator" style="clear: both; 
text-align: justify;">Are you ready to break into the exciting and dynamic world of cybersecurity? It's not just a job, it's a lifestyle that attracts a passionate and innovative community of professionals. If you're eager to join their ranks, follow these 10 steps to cheat your way to success!</div>
<div class="separator" style="clear: both; text-align: justify;"><br /></div>
<div class="separator" style="clear: both; text-align: justify;">1. Build a Strong Foundation - turbocharge your career with a comprehensive education in cybersecurity, available through a variety of programs like bootcamps, online courses, degrees, or certifications.</div>
<div class="separator" style="clear: both; text-align: justify;"><br /></div>
<div class="separator" style="clear: both; text-align: justify;">2. Master Technical Skills - impress potential employers by developing a wide range of technical proficiencies, including hardware, software, Windows/Linux, networking, vulnerability scanners, packet sniffers, Nmap, and other cutting-edge professional tools.</div>
<div class="separator" style="clear: both; text-align: justify;"><br /></div>
<div class="separator" style="clear: both; text-align: justify;">3. Network Like a Pro - build relationships with cybersecurity experts by joining local or online groups, meeting like-minded individuals, finding mentors, and learning from the best.</div>
<div class="separator" style="clear: both; text-align: justify;"><br /></div>
<div class="separator" style="clear: both; text-align: justify;">4. Gain Real-World Experience - demonstrate your value by volunteering your skills to help your community and participating in Capture the Flag events to gain hands-on experience.</div>
<div class="separator" style="clear: both; text-align: justify;"><br /></div>
<div class="separator" style="clear: both; text-align: justify;">5. Choose Your Specialty - customize your career path by specializing in a specific area of cybersecurity, such as offense, defense, GRC, sales, 
or other specialties.</div>
<div class="separator" style="clear: both; text-align: justify;"><br /></div>
<div class="separator" style="clear: both; text-align: justify;">6. Stay Ahead of the Curve - stay up-to-date with the latest cybersecurity trends, techniques, and tools by attending security conferences, reading blogs, and constantly improving your skillset.</div>
<div class="separator" style="clear: both; text-align: justify;"><br /></div>
<div class="separator" style="clear: both; text-align: justify;">7. Build Your Reputation - establish your professional presence online through social media, websites, blogs, podcasts, and other outlets. Give back to the cybersecurity community by sharing your knowledge and expertise.</div>
<div class="separator" style="clear: both; text-align: justify;"><br /></div>
<div class="separator" style="clear: both; text-align: justify;">8. Get Involved - gain exposure by participating in cybersecurity events and workshops, and volunteering to speak or teach whenever possible.</div>
<div class="separator" style="clear: both; text-align: justify;"><br /></div>
<div class="separator" style="clear: both; text-align: justify;">9. Stay Ethical - maintain a sterling reputation by always adhering to industry standards and best practices, and never attempting to breach security systems without permission.</div>
<div class="separator" style="clear: both; text-align: justify;"><br /></div>
<div class="separator" style="clear: both; text-align: justify;">10. Hone Your Soft Skills - sharpen your communication, problem-solving, and teamwork skills, which are essential to your success in the fast-paced world of cybersecurity.</div>
<div class="separator" style="clear: both; text-align: justify;"><br /></div>
<div class="separator" style="clear: both; text-align: justify;">By following these 10 steps, you'll be well on your way to building a successful and rewarding career in cybersecurity. 
Don't just dream about it – cheat your way to the top with these powerful tips and tricks!</div></div></div>Faysal Hasanhttp://www.blogger.com/profile/11837891241239740342noreply@blogger.com0tag:blogger.com,1999:blog-8774245130267339525.post-73536463246190630652023-05-11T22:38:00.004+10:002023-05-11T22:56:02.594+10:00Ransomware Response Plan<div class="separator" style="clear: both;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiJ8TUNVLxO0P40N6B_qW8sxyBlVyMMZR_isLM0O1Q4Yw7o_uE2ONYleApTbDNf5nngpM8cvGXq5O1U7XqpyGBflwOwgkTG_5xc7LjzKMRCI28hqAxg75YDMWY1aZ3yd2GnPxnRbEZzCQx6-KHEcq4Lb-rG4wxJjIdpMB8iEwsUuf9ZP70FtThQUie8qA/s720/Ransomware%20MaximusIT.jpg" style="display: block; padding: 1em 0px; text-align: center;"><img alt="" border="0" data-original-height="378" data-original-width="720" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiJ8TUNVLxO0P40N6B_qW8sxyBlVyMMZR_isLM0O1Q4Yw7o_uE2ONYleApTbDNf5nngpM8cvGXq5O1U7XqpyGBflwOwgkTG_5xc7LjzKMRCI28hqAxg75YDMWY1aZ3yd2GnPxnRbEZzCQx6-KHEcq4Lb-rG4wxJjIdpMB8iEwsUuf9ZP70FtThQUie8qA/s320/Ransomware%20MaximusIT.jpg" width="320" /></a></div>
Here are the key steps for an effective response plan: <div><br /></div><div>1. Don't Panic:</div><div>- Stay calm and act purposefully when targeted by ransomware.</div><div>- Seek help from security vendors or your incident response retainer, and notify your cyber insurer early, since many policies require it before other response costs are incurred.</div><div><br /></div><div>2. Isolate Your Systems and Stop the Spread:</div><div>- Identify the scope of the attack and apply network-level blocks or device-level isolation. Prefer disconnecting a machine over powering it off, so that memory evidence survives for the forensic work in the later steps.</div><div>- Use endpoint detection and response (EDR) technology to block the attack at the process level.</div><div><br /></div><div>3. Identify the Ransomware Variant:</div><div>- Determine the specific strain of ransomware to understand its behavior and possible decryption options; the ransom note and the extension added to encrypted files are the usual starting points.</div><div><br /></div><div>4. Identify Initial Access:</div><div>- Determine the entry point of the attack (for example a phishing email, an exposed remote-access service or a vulnerable internet-facing server) so the hole can be closed before recovery begins.</div><div>- Consult digital forensics and incident response experts if needed.</div><div><br /></div><div>5. Identify All Infected Systems and Accounts (Scope):</div><div>- Identify active malware and persistence mechanisms, systems communicating with the command-and-control server, and the accounts the attacker used; reset the credentials of every account in scope.</div><div><br /></div><div>6. Determine if Data Was Exfiltrated:</div><div>- Look for signs of data exfiltration, such as large outbound transfers or unusual communications with external hosts. Many ransomware groups steal data before encrypting it, so assume exfiltration until the evidence rules it out.</div><div><br /></div><div>7. Locate Your Backups and Determine Integrity:</div><div>- Ensure the backup technology itself was not affected, scan the backups for malware and verify their integrity, and test a restore on an isolated system before relying on them.</div><div><br /></div><div>8. Sanitize Systems or Create New Builds:</div><div>- Remove the malware and its persistence, or preferably rebuild clean systems from known-good images.</div><div>- Implement appropriate security controls (patching, multi-factor authentication, credential resets) to prevent reinfection.</div><div><br /></div><div>9. Report the Incident:</div><div>- Report the incident and determine whether law enforcement should be involved. Consider legal obligations regarding regulated data, including breach notification deadlines.</div><div><br /></div><div>10. Paying the Ransom?</div><div>- Law enforcement advises against paying the ransom: payment does not guarantee a working decryptor or the deletion of stolen data, and paying a sanctioned group can itself be unlawful.</div><div><br /></div><div>
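</div><div>As an added example for steps 5 and 6 above (this is not code from the original post), the Python below hunts a constructed set of network-flow records for two signals: hosts that check in to an external address at a near-constant interval, which is how command-and-control beaconing looks in flow data, and hosts that push an unusually large volume of bytes to a single external address, which is the classic trace of data being staged and exfiltrated. The record format, hostnames, addresses and thresholds are all assumptions made for the example; adapt the parser to your firewall, proxy or NetFlow export.</div><div><br /></div><div>

```python
"""Hunt constructed network-flow records for two ransomware-response signals:
command-and-control beaconing (step 5) and bulk outbound transfers that may be
data exfiltration (step 6). Added example for this post; the record format,
hostnames, addresses and thresholds are assumptions, not taken from any real
tool or incident."""
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed flow records (not a real capture):
# timestamp  source-host  destination-ip  destination-port  bytes-out
SAMPLE_FLOWS = """\
2023-05-11T01:00:00 WS-042 203.0.113.7 443 1200
2023-05-11T01:05:01 WS-042 203.0.113.7 443 1180
2023-05-11T01:10:00 WS-042 203.0.113.7 443 1210
2023-05-11T01:14:59 WS-042 203.0.113.7 443 1190
2023-05-11T01:20:00 WS-042 203.0.113.7 443 1200
2023-05-11T01:21:00 WS-042 10.0.5.20 445 50000
2023-05-11T02:00:00 FS-01 198.51.100.9 443 900000000
2023-05-11T02:40:00 FS-01 198.51.100.9 443 850000000
2023-05-11T03:00:00 WS-017 10.0.5.20 445 5000000
2023-05-11T03:30:00 WS-017 192.0.2.44 443 30000
"""

# RFC 1918 ranges count as internal; everything else is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Parse the whitespace-separated records above into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        flows.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                      "port": int(port), "bytes": int(nbytes)})
    return flows


def external_pairs(flows):
    """Group flows by (source host, external destination)."""
    pairs = defaultdict(list)
    for f in flows:
        if not is_internal(f["dst"]):
            pairs[(f["src"], f["dst"])].append(f)
    return pairs


def find_beacons(flows, min_connections=4, max_jitter_seconds=5.0):
    """Step 5: flag pairs that connect at a near-constant interval. Malware
    checking in with its C2 server produces evenly spaced connections; the
    population standard deviation of the gaps measures that regularity."""
    beacons = []
    for (src, dst), recs in external_pairs(flows).items():
        if len(recs) >= min_connections:
            times = sorted(r["ts"] for r in recs)
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            if max_jitter_seconds >= statistics.pstdev(gaps):
                beacons.append((src, dst, round(statistics.mean(gaps))))
    return sorted(beacons)


def find_exfiltration(flows, threshold_bytes=500_000_000):
    """Step 6: flag pairs whose total outbound volume exceeds the threshold.
    Bulk uploads to an unfamiliar external host are the usual trace of data
    being staged and stolen before the encryption phase."""
    hits = []
    for (src, dst), recs in external_pairs(flows).items():
        total = sum(r["bytes"] for r in recs)
        if total >= threshold_bytes:
            hits.append((src, dst, total))
    return sorted(hits)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for src, dst, period in find_beacons(flows):
        print(f"[C2?]    {src} -> {dst} every ~{period}s")
    for src, dst, total in find_exfiltration(flows):
        print(f"[EXFIL?] {src} -> {dst} sent {total:,} bytes")
```

</div><div>Tune the thresholds to your environment: a five-minute beacon with almost no jitter is a strong signal, but legitimate agents also poll on fixed schedules, so treat a hit as a lead for the scoping work in step 5 rather than proof of compromise. For step 6, compare flagged volumes against a baseline taken from before the incident window, and remember that exfiltration to a cloud storage service looks like ordinary HTTPS unless you look at the volume.</div><div><br /></div><div>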
11. Conduct a Post-Incident Review: </div><div>- Evaluate the ransomware response and identify areas for improvement. </div><div>- Simulate attack scenarios and consider proactive playbook building. </div><div>- Consider external services if IT or security team staffing is limited.</div>Faysal Hasanhttp://www.blogger.com/profile/11837891241239740342noreply@blogger.com0tag:blogger.com,1999:blog-8774245130267339525.post-74859043530274459752023-01-26T06:37:00.005+11:002023-05-11T23:35:14.996+10:00Chat GPT Alternatives<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh7LfakBsaJPDZEQGKHWlIenlGZfmRxU9qWA03moHiR9oADkub6ui8PrjlB_5NQ9sy7RMDX1A1jSZPHruC55iyKM7hKoR1CY9DEOqmCOPgslH45enewQKlYRqNg1qYLvV6fPsRyK9da_wpdzFNtUl1pUbdKjLBe180tEp-bylC_1qgVMt8csq13NVFOeA/s739/Chat%20GPT.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="415" data-original-width="739" height="180" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh7LfakBsaJPDZEQGKHWlIenlGZfmRxU9qWA03moHiR9oADkub6ui8PrjlB_5NQ9sy7RMDX1A1jSZPHruC55iyKM7hKoR1CY9DEOqmCOPgslH45enewQKlYRqNg1qYLvV6fPsRyK9da_wpdzFNtUl1pUbdKjLBe180tEp-bylC_1qgVMt8csq13NVFOeA/s320/Chat%20GPT.jpg" width="320" /></a></div><br /><p>OpenAI’s Chat GPT has made high-performing AI chatbots a reality. These chatbots are built to communicate with users in a conversational manner, and although the model itself is not open source, users can rate and comment on its answers to help improve it.</p><p>As a result, the technology has taken the internet by storm. Millions of people use it, but there have been problems, particularly when Chat GPT is at capacity and users cannot access it.</p><p>It is therefore worth knowing some quality Chat GPT alternatives. Here are some options that can help you get more out of AI when Chat GPT is not working for you. Some are more complex and others far more accessible; some are free and others are paid.</p><p>Chat GPT Alternatives – examples</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_r7cLaeJ3tK7uTrmQiDt3IYuOOgz7z3JPrugmAKdWe1bwao7u8RpwJ52XXAxeMlibaj-8fiC6uJ6NgT6wn12qWtr9AD_mn9nH2RDWNU576vviDIA-JNx8qE10aR24plvEJbqChcbWXI_mNNq30ay7VZlY0j1zxC3vDK4hq9WLQt87mtKOAa5WUFaF7Q/s1412/Chat%20GPT%20alternative.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1412" data-original-width="1066" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_r7cLaeJ3tK7uTrmQiDt3IYuOOgz7z3JPrugmAKdWe1bwao7u8RpwJ52XXAxeMlibaj-8fiC6uJ6NgT6wn12qWtr9AD_mn9nH2RDWNU576vviDIA-JNx8qE10aR24plvEJbqChcbWXI_mNNq30ay7VZlY0j1zxC3vDK4hq9WLQt87mtKOAa5WUFaF7Q/s320/Chat%20GPT%20alternative.jpg" width="242" /></a></div><br /><p><b>Bloom</b></p><p>Bloom is an open-source multilingual model with 176 billion parameters, one billion more than GPT-3. It was trained on 384 graphics cards, each with 80 GB of memory.</p><p><br /></p><p><b>Chinchilla</b></p><p>DeepMind researchers developed Chinchilla, a model informally known as the "GPT-3 killer".</p><p>It is a compute-optimal model with 70 billion parameters, trained on roughly four times as much data as Gopher, also developed by DeepMind. Chinchilla is reported to perform well on downstream evaluation tasks (the tasks a user actually wants to solve).</p><p>It is also a capable writing tool with training data covering history, so it can produce articles with proper style and structure and without grammatical errors. Without human help it can reportedly produce a useful, readable article in under an hour.</p><p><br /></p><p><b>Megatron-Turing Natural Language Generation</b></p><p>Microsoft and Nvidia built a language model with 530 billion parameters, larger than any of the others listed here. Called Megatron-Turing Natural Language Generation, it is one of the strongest English language models and was trained on Nvidia's Selene supercomputer, a DGX SuperPOD.</p><p><br /></p><p><b>Jasper</b></p><p>Jasper AI is a writing model previously known as Jarvis. Jasper has bought other writing tools, such as Shortly AI and Headlime, which will be integrated into Jasper in the coming years.</p><p>You select a topic and fill out the relevant form, and Jasper writes the article according to the instructions you entered. Jasper has a 5-day free trial, and its "starter" plan begins at $24 per month.</p><p><br /></p><p><b>Replika</b></p><p>Replika is close to Chat GPT for conversational use, and you can have similar conversations with it. It replies in text at any time without delay. It is primarily an AI chatbot for discussing general topics such as love and life, much as you would with friends.</p><p><br /></p><p><b>ELSA</b></p><p>ELSA stands for English Language Speech Assistant, a language-learning app available for Android and iOS. The app analyzes the user's speech and helps them learn and understand the language.</p><p>ELSA has free and Pro options; Pro costs $11.99 for one month, $8.66 per month for three months, and $6.25 per month for one year of access.</p><p><br /></p><p>There are more Chat GPT alternatives too, some with more specific applications than others.</p><p><br /></p><p>Final thoughts</p><p>We have discussed some of the top alternatives of Chat GPT above. 
You can perform a wide range of functions with these alternatives, and there are others too, including Rytr, Socratic and FaceApp, which applies AI models to images.</p><p><br /></p><p>So if Chat GPT is not working, if you are unsure about its pricing, or if you need a specific application that an alternative serves better, you can use one of these instead.</p>Faysal Hasanhttp://www.blogger.com/profile/11837891241239740342noreply@blogger.com0tag:blogger.com,1999:blog-8774245130267339525.post-61640206808782379942023-01-06T23:07:00.008+11:002023-05-11T23:02:49.295+10:00What is Phishing and key points to remember<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_YGHfnHdI1WI9OQFyxiNnrd4S3SzUOv2lu95I3BpwwkWUh9l1HwqAohbdAZZ3igDSirFnsqjvKoP9CgFHLVoWq1raLhT7rx7rjM-Xdusl2dWgjil43snDDicLzyiaZl2RNgXD_xc1RCCHM82ROi18E3P6lYdol6B0q9LwnmvaP-T-ztKG2J9yxMvphA/s650/Phishing%20attack.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="433" data-original-width="650" height="213" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_YGHfnHdI1WI9OQFyxiNnrd4S3SzUOv2lu95I3BpwwkWUh9l1HwqAohbdAZZ3igDSirFnsqjvKoP9CgFHLVoWq1raLhT7rx7rjM-Xdusl2dWgjil43snDDicLzyiaZl2RNgXD_xc1RCCHM82ROi18E3P6lYdol6B0q9LwnmvaP-T-ztKG2J9yxMvphA/s320/Phishing%20attack.jpg" width="320" /></a></div><br /><p>What is phishing</p><p>Phishing is a type of online scam in which attackers send fraudulent emails or create fake websites to trick people into divulging sensitive information such as login credentials, credit card numbers, and other financial information. The attackers often pose as trusted organizations or individuals and use various tactics to persuade the victim to click on a link or download an attachment. 
The link or attachment may contain malware that infects the victim's device, or it may redirect the victim to a fake website that prompts them to enter their personal information.</p><p><br /></p><p>Phishing attacks can be difficult to recognize because attackers go to great lengths to make their emails and websites look legitimate. To protect against them, be cautious when clicking on links or downloading attachments in emails, and verify the authenticity of the sender and the website before entering any personal information. It is also a good idea to use a modern browser with its built-in phishing protection enabled and to keep your antivirus software up to date.</p><p><br /></p><p>What is smishing</p><p><br /></p><p>Smishing is a type of social engineering attack that uses SMS text messages to trick individuals into divulging sensitive information or clicking on malicious links. Smishing attacks target mobile phone users and are used to steal personal information such as login credentials, credit card numbers, and other financial information. Smishers use a variety of tactics to lure victims, including posing as trusted organizations or individuals, creating a sense of urgency or fear, and offering incentives or rewards. To protect against smishing, be cautious with text messages from unknown numbers, and confirm the message through a channel you already trust, such as the phone number printed on your card or the organization's official app, before clicking any link or providing personal information.</p><p><br /></p><p>Different types of phishing and their definitions</p><p><br /></p><p>There are several different types of phishing attacks, including:</p><p><br /></p><p>Spear phishing: This type of attack is targeted at a specific individual or organization and often involves the attacker posing as someone the victim knows or trusts.</p><p><br /></p><p>Whaling: Similar to spear phishing, but the target is a high-level executive or someone with significant influence within an organization.</p><p><br /></p><p>Clone phishing: The attacker takes a legitimate email the victim has already received and resends a near-identical copy, typically from a lookalike address, with the original link or attachment swapped for a malicious one.</p><p><br /></p><p>Vishing: This type of attack uses voice calls or voicemails to trick victims into divulging sensitive information.</p><p><br /></p><p>Impersonation attacks: The attacker pretends to be someone else, such as a colleague or a customer service representative, in order to obtain sensitive information.</p><p><br /></p><p>CEO fraud: Also known as "business email compromise" (BEC), this attack involves the attacker pretending to be the CEO or another high-level executive and requesting sensitive information or a payment from an employee.</p><p><br /></p><p>Some key points to remember about phishing:</p><ol style="text-align: left;"><li>Be wary of unexpected or suspicious emails, especially those that contain links or attachments.</li><li>Do not click on links or download attachments from unfamiliar or untrusted sources.</li><li>Be cautious when providing personal or financial information online, especially in response to an email or unsolicited request.</li><li>Pay attention to the website's address, or URL, before entering sensitive information. Check that the registered domain is the organization's real one, not a lookalike or a subdomain of something else (for example, "yourbank.com.secure-check.net" belongs to secure-check.net, not to yourbank.com). An "https" prefix and a lock icon only mean the connection is encrypted; phishing sites use HTTPS too, so they are not proof that a site is genuine.</li><li>Use anti-virus and anti-malware software and keep it up to date.</li><li>Use strong, unique passwords for all of your accounts, and enable two-factor authentication where it is available; phishing-resistant methods such as security keys protect you even if you enter a password on a fake site, whereas one-time codes can be relayed by the attacker.</li><li>Keep your operating system and other software up to date with the latest security patches.</li><li>Be aware that phishing also arrives by phone call and text message, not only email. Do not provide personal or financial information in response to unsolicited calls or texts.</li></ol><p>Remember, if something seems too good to be true or seems suspicious, it is always better to err on the side of caution and not click on links or download attachments from unfamiliar or untrusted sources.</p>Faysal Hasanhttp://www.blogger.com/profile/11837891241239740342noreply@blogger.com0tag:blogger.com,1999:blog-8774245130267339525.post-67949997436924679652023-01-06T22:53:00.002+11:002023-05-11T23:03:30.796+10:00How to become a successful cyber security engineer from cyber security analyst<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg31ZOJP25zVybeb9-a2D38_xajPnoSIGqLP0GjzZhkxEp3w-HtmtGCqSjpW2bFYfS9A2dksKs7jS1D2qbgrnqhPKC7vzXRhPIfiwpm2G6FoFXjXGD_pnCF0rZzLUW959Hota738iRS2AXpVi70OHzN83J1MrPxm7B_zW10MBXl9ivKd3_PkKIJkmtJVg/s738/Cyber%20Engineer.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="415" data-original-width="738" height="180" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg31ZOJP25zVybeb9-a2D38_xajPnoSIGqLP0GjzZhkxEp3w-HtmtGCqSjpW2bFYfS9A2dksKs7jS1D2qbgrnqhPKC7vzXRhPIfiwpm2G6FoFXjXGD_pnCF0rZzLUW959Hota738iRS2AXpVi70OHzN83J1MrPxm7B_zW10MBXl9ivKd3_PkKIJkmtJVg/s320/Cyber%20Engineer.jpg" width="320" /></a></div><br /><p>Here are some steps you can take to move from cyber security analyst to a successful cyber security engineer:</p><p><br /></p><p>Build your technical skills: As a cyber security analyst, you may already have a strong foundation in cyber security technologies and practices. To become a cyber security engineer, however, you should expand your technical skillset and knowledge in areas such as network security, security architecture, and system design.</p><p><br /></p><p>Gain practical experience: Hands-on experience is crucial in cyber security. Consider volunteering for security-related projects or internships to gain practical experience and build your portfolio.</p><p><br /></p><p>Pursue additional certifications: Earning industry-recognized certifications such as the Certified Information Systems Security Professional (CISSP) can demonstrate your expertise and commitment to the field.</p><p><br /></p><p>Develop your leadership skills: Cyber security engineering roles often involve leading projects and mentoring analysts. To prepare for these responsibilities, consider taking courses or seeking opportunities to develop your leadership and management skills.</p><p><br /></p><p>Stay up-to-date: The field of cyber security is constantly evolving, so it's important to stay current with the latest technologies, trends, and best practices. 
Consider joining professional organizations or attending conferences to stay informed and connected to the industry.</p>Faysal Hasanhttp://www.blogger.com/profile/11837891241239740342noreply@blogger.com0tag:blogger.com,1999:blog-8774245130267339525.post-1234740912568123242023-01-06T22:49:00.004+11:002023-05-11T23:13:20.486+10:00What are the key tools to know for cyber security engineering role<div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgtFA3maOyqKZzkyxZw9-7RP6VVTA57nlIvi7tIN1DoL1DLjZFk4SAX1ZtyJY4A66L8rmmyOD9Lt4rq5vctzxoPjyRA_kmvLM9tCD4obLT2h7Wta1AZuxUtjhDh4uf_-najuIYq4GvanGDFn3s-Nh_AR4uLCHAuWv64MBROoBsxo3uOBd9P8n4Q6z3tVw/s774/Cyber%20tools.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="396" data-original-width="774" height="164" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgtFA3maOyqKZzkyxZw9-7RP6VVTA57nlIvi7tIN1DoL1DLjZFk4SAX1ZtyJY4A66L8rmmyOD9Lt4rq5vctzxoPjyRA_kmvLM9tCD4obLT2h7Wta1AZuxUtjhDh4uf_-najuIYq4GvanGDFn3s-Nh_AR4uLCHAuWv64MBROoBsxo3uOBd9P8n4Q6z3tVw/s320/Cyber%20tools.jpg" width="320" /></a></div><br /><p>Here are some key tools that are commonly used in cyber security engineering roles:</p><p><br /></p><p>Network monitoring tools: These tools let security engineers monitor network traffic and identify unusual activity or potential threats. Examples include Wireshark, Splunk, and SolarWinds.</p><p><br /></p><p>Vulnerability scanners: These tools scan systems and networks for known vulnerabilities and provide recommendations for remediation. Examples include Nessus, Qualys, and Rapid7.</p><p><br /></p><p>Security information and event management (SIEM) systems: These systems collect and analyze security-related data from many sources to identify potential threats and raise alerts. Examples include Splunk, LogRhythm, and IBM QRadar.</p><p><br /></p><p>Password managers: These tools help security engineers store and manage complex passwords securely. Examples include LastPass and 1Password.</p><p><br /></p><p>Encryption tools: These tools protect data by encoding it so that only those with the correct decryption key can read it. Examples include BitLocker (for Windows) and FileVault (for Mac).</p><p><br /></p><p>Firewalls: These act as a barrier between a network and the Internet, blocking unauthorized access and protecting against cyber threats. Examples include Palo Alto Networks and Check Point.</p><p><br /></p><p>Risk assessment and management tools: These tools help security engineers identify and prioritize risks and develop strategies for mitigating them. Examples include GRC platforms such as RSA Archer and MetricStream.</p></div>Faysal Hasanhttp://www.blogger.com/profile/11837891241239740342noreply@blogger.com0Melbourne VIC, Australia-37.8136276 144.9630576-55.81498282554233 109.80680760000001 -19.812272374457663 -179.8806924tag:blogger.com,1999:blog-8774245130267339525.post-8379041245451255232022-10-14T01:23:00.003+11:002022-10-21T02:18:39.721+11:00 Cyber incident in medibank<p>The Medibank Group detected unusual activity on its network.</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgH_YKY4_SyA_80Uj2kzWaaJQYMeucA5mgZ2oOSIjffRkFHfXey-KDIwDfXNzUlCrny9C_M6ql-qDB74JSsGZJbZvXv9xDF1wKveob30ya2NC8j4ZjahW6zdUXspHLsUlMC-lfTXUwvu8X2fY1cKGVhbnjbvnpYnrTiy5QE2C6FPkwKygMUKSBWIU-GMg/s739/Medibank.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="415" data-original-width="739" height="180" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgH_YKY4_SyA_80Uj2kzWaaJQYMeucA5mgZ2oOSIjffRkFHfXey-KDIwDfXNzUlCrny9C_M6ql-qDB74JSsGZJbZvXv9xDF1wKveob30ya2NC8j4ZjahW6zdUXspHLsUlMC-lfTXUwvu8X2fY1cKGVhbnjbvnpYnrTiy5QE2C6FPkwKygMUKSBWIU-GMg/s320/Medibank.jpg" width="320" /></a></div><br /><p>According to Medibank, it took immediate steps to contain the incident and engaged specialised cyber security firms.</p><p>Medibank said that, at this stage, there was no evidence that any sensitive data, including customer data, had been accessed.</p><p>As part of its response, #Medibank is isolating and removing access to some customer-facing systems to reduce the likelihood of damage to systems or data loss.</p><p>As Medibank continues to investigate the incident, its priorities are the ongoing security of customer, employee and stakeholder information and the continued delivery of its services.</p><p>Investigations are ongoing, and #Medibank will provide regular updates. Medibank's health services, including access to health providers, remain available to customers while it works through the incident.</p><p><b>Medibank CEO David Koczkar said:</b></p><p>“I apologise and acknowledge that in the current environment this news may make people concerned.</p><p>“Our highest priority is resolving this matter as transparently and quickly as possible.</p><p>“We will continue to take decisive action to protect Medibank Group customers and our people.</p><p>“We recognise the significant responsibility we have to the people who rely on us to look after their health and wellbeing and whose data we hold.</p><p>“We are working around the clock to understand the full nature of the incident, and any additional impact this incident may have on our customers, our people and our broader ecosystem.”</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgV0nLzdJhNskk3vHShv9hmg5tzLTRr4PG4wnluPaQdZrRObCpDQ3Wyw3DFlhCdUr9D_i_YXqrqQABmeWlGbsjORYyO0DMfonV5po6VJz5MXaS7esZ_MFUSCCOMb9S-3Mm7_M_lfrJ-mEGCcUmauJZ1s2_39yNcfziK4hsucu6Xq1DfjGrcEx38yTMmgA/s1080/image_0adf4764-8d68-4848-8bd3-8cc9e25cf23420221021_021629.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="868" data-original-width="1080" height="257" 
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgV0nLzdJhNskk3vHShv9hmg5tzLTRr4PG4wnluPaQdZrRObCpDQ3Wyw3DFlhCdUr9D_i_YXqrqQABmeWlGbsjORYyO0DMfonV5po6VJz5MXaS7esZ_MFUSCCOMb9S-3Mm7_M_lfrJ-mEGCcUmauJZ1s2_39yNcfziK4hsucu6Xq1DfjGrcEx38yTMmgA/w320-h257/image_0adf4764-8d68-4848-8bd3-8cc9e25cf23420221021_021629.jpg" width="320" /></a></div><br /><p style="-webkit-font-smoothing: antialiased; box-sizing: border-box; color: #111826; font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Oxygen, Ubuntu, Cantarell, "Fira Sans", "Droid Sans", "Helvetica Neue", sans-serif; font-size: 16px; letter-spacing: -0.16px; line-height: 1.4;"><br /></p>Faysal Hasanhttp://www.blogger.com/profile/11837891241239740342noreply@blogger.com0Melbourne VIC, Australia-37.8136276 144.9630576-66.123861436178842 109.80680760000001 -9.5033937638211512 -179.8806924tag:blogger.com,1999:blog-8774245130267339525.post-30438336174851663722022-10-02T03:59:00.002+11:002022-10-02T04:01:01.798+11:00Zero-day Vulnerabilities in Microsoft Exchange Server.<p>Microsoft has released Customer Guidance for Reported <b>#zeroday</b> <b>#Vulnerabilities</b> in <b>#Microsoft</b> <b>#Exchange</b> Server. 
According to the blog post, “Microsoft is aware of limited targeted attacks using the two vulnerabilities to get into users’ systems.”</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgGLusOdsEkOh2atocBhbQadFJ5WPYEXhLai5KSRecfwv7xtlxqBSf5QTICFpVyxFtAzCI1OVExg1JqkMmN4deevnf0Q-2D_Am3bIzNeihOpYVjshk-Q1K2VEVYmaoF1_Hs9tsTUtmw4zrQtD5P8yLvCyzWdvq15LxDhbGJjYZdE9U-OiIV8qGXUb1y4w/s1024/Microsoft%20Exchange%20zeroday.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="642" data-original-width="1024" height="201" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgGLusOdsEkOh2atocBhbQadFJ5WPYEXhLai5KSRecfwv7xtlxqBSf5QTICFpVyxFtAzCI1OVExg1JqkMmN4deevnf0Q-2D_Am3bIzNeihOpYVjshk-Q1K2VEVYmaoF1_Hs9tsTUtmw4zrQtD5P8yLvCyzWdvq15LxDhbGJjYZdE9U-OiIV8qGXUb1y4w/s320/Microsoft%20Exchange%20zeroday.png" width="320" /></a></div><br /><p><br /></p>
<p dir="ltr">The two vulnerabilities are CVE-2022-41040 and CVE-2022-41082, affecting on-premises Microsoft <b>#Exchange</b> Server 2013, 2016, and 2019. Note: Microsoft Exchange Online is not affected. </p>
<p dir="ltr">An attacker could exploit these vulnerabilities to take control of an affected system.</p>
<p dir="ltr">The current Exchange Server <b>#mitigation</b> is to add a blocking rule in “IIS Manager -> Default Web Site -> URL Rewrite -> Actions” to block the known attack patterns; how to do it is described in the Microsoft blog post linked below.</p>
<p dir="ltr"><a href="https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/">https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/</a></p><p><b>Posted by Faysal Hasan</b> (http://www.blogger.com/profile/11837891241239740342).</p><h2>Optus data breach: what to do if you think you're at risk</h2><p><b>Published</b> 2022-09-27T12:24:00.006+10:00, <b>updated</b> 2022-09-28T03:32:26.341+10:00.</p><div style="background-color: #141414; color: #e1e1e1; margin: 0cm 0cm 0.0001pt; text-align: left;"><span style="font-family: verdana;">On 22 September 2022, Optus published an article on its website, advising customers of a cyberattack which may have resulted in unauthorised access to current and former customers’ information.<br /><br />Optus has advised the information potentially exposed may include customers’ names, dates of birth, phone numbers, email addresses, and, for a subset of customers, addresses, and ID document numbers such as driver license or passport numbers.<br /><br /><b>Payment details and account passwords have not been compromised.</b><br /><br />Optus has advised that customers who had the most fields exposed would be contacted first over the next few days. 
It is likely that if you are not contacted by Optus in the next few days, you are not in this cohort of individuals.</span></div><div style="background-color: #141414; color: #e1e1e1; margin: 0cm 0cm 0.0001pt; text-align: left;"><span style="font-family: verdana;"><br />Please note that notification from Optus is occurring via email, and Optus will not provide any links in email or contact you via SMS or phone call asking you to verify any personal details or billing information. If you are contacted via SMS or phone, do not engage; contact Optus directly through a verified point of contact.<br /><br />If you have received a data breach notification email from Optus, act on it. By acting quickly, you can reduce your chance of experiencing harm.</span></div><div style="background-color: #141414; color: #e1e1e1; margin: 0cm 0cm 0.0001pt; text-align: left;"><p style="background-color: white; box-sizing: border-box; color: #404040; line-height: 1.5; margin: 24px 0px 6px;"><span style="font-family: verdana;">Here is how you can check exactly what data of yours might have been leaked. First log in here: <a href="https://www.optus.com.au/" style="background-color: transparent; box-sizing: border-box; color: #008aff; text-decoration-line: none;">https://www.optus.com.au/</a> and then, once logged in, visit <a href="https://www.optus.com.au/mcssapi/rp-webapp-9-common/user/information" style="background-color: transparent; box-sizing: border-box; color: #008aff; text-decoration-line: none;">this link</a> and you should see a JSON encoded response that contains your personal information. 
Check in particular the <code style="background-color: #f9f2f4; border-radius: 4px; box-sizing: border-box; color: #c7254e; padding: 2px 4px;">indentType</code> [sic] field, which should tell you what kind of document has been exposed; and the <code style="background-color: #f9f2f4; border-radius: 4px; box-sizing: border-box; color: #c7254e; padding: 2px 4px;">indentValue</code> [again, sic—who wrote this data schema?] which in my case tells me exactly which document I should get re-issued.</span></p><p style="background-color: white; box-sizing: border-box; color: #404040; line-height: 1.5; margin: 24px 0px 6px;"><span style="font-family: verdana;">If you don’t mind jumping through a few hoops, you can also confirm what street address details might have been exposed. To do that, first write down the numeric <code style="background-color: #f9f2f4; border-radius: 4px; box-sizing: border-box; color: #c7254e; padding: 2px 4px;">contactId</code> value from the JSON response you got above. Then take the following URL <code style="background-color: #f9f2f4; border-radius: 4px; box-sizing: border-box; color: #c7254e; padding: 2px 4px;"><a class="vglnk" href="https://www.optus.com.au/mcssapi/rp-webapp-9-common/customer-management/contact-person/%7BcontactId%7D?lo=en_US&sc=SS" rel="nofollow" style="background-color: transparent; box-sizing: border-box; color: #008aff; text-decoration-line: none;">https://www.optus.com.au/mcssapi/rp-webapp-9-common/customer-management/contact-person/{contactId}?lo=en_US&sc=SS</a></code> and copy and paste it into the address bar of your browser. Manually replace the part that says <code style="background-color: #f9f2f4; border-radius: 4px; box-sizing: border-box; color: #c7254e; padding: 2px 4px;">{contactId}</code> with the numeric value you wrote down. It should return yet another JSON encoded response that includes street address information. 
This response for me also included the ID document information in the <code style="background-color: #f9f2f4; border-radius: 4px; box-sizing: border-box; color: #c7254e; padding: 2px 4px;">documentType</code> and <code style="background-color: #f9f2f4; border-radius: 4px; box-sizing: border-box; color: #c7254e; padding: 2px 4px;">documentNumber</code> fields, plus (worryingly) information that would seem to pertain to the expiration date of the document.</span></p><span style="font-family: verdana;"><br />It is vital to monitor for suspicious activity on your accounts and report any you see to the relevant provider. Be wary of any spam calls/texts/emails, even on social media, and never click on suspicious links.<br /><br />Banks, government bodies, and other institutions make it a policy to never contact you over text, phone, or email asking for personal information. If you receive suspicious communications, do not hand out your details. You can contact the provider directly to follow up or check the ACCC's <a href="https://www.scamwatch.gov.au/" style="color: #0086f0;">Scamwatch</a> to see if similar frauds have occurred.<br /><br />Optus has explicitly stated it will not be sending links in data breach emails, so if you receive an email from "Optus" with a "click here for more details" button, it's likely not from the telco. Although Optus has advised that user passwords were not breached, as a precautionary measure there are proactive response actions we recommend you consider:<br /></span><ol style="text-align: left;"><li><span style="font-family: verdana;">Change your Optus email and account passwords. Make sure you have strong passwords that you haven’t used for other accounts. 
(If you have used the same password as your Optus account for other accounts, make sure to change them too.)</span></li><li><span style="font-family: verdana;">When updating your internet banking passwords, go to the financial institution’s website directly by typing their web address into your web browser. Generally, a financial institution won’t ask you in an email to click on a link to update your password.</span></li><li><span style="font-family: verdana;">Enable two-factor authentication on all your accounts, especially mobile banking or money management apps. This helps protect your data since hackers need more than just your password to access your account.</span></li><li><span style="font-family: verdana;">You could also make regular backups of your phone’s data to a secure hard drive.</span></li><li><span style="font-family: verdana;">Monitor your account transactions online or using paper account statements if you receive them. 
If you spot any purchases you didn’t make, report these immediately to your financial institution.</span></li><li><span style="font-family: verdana;">Place limits on your accounts or ask your bank how you can secure your money.</span></li><li><span style="font-family: verdana;">If you suspect fraud, you can request a ban on your credit report.</span></li><li><span style="font-family: verdana;">Change your driver licence, Medicare and passport numbers if you received an email from Optus that your data was breached.</span></li></ol><span style="font-family: verdana;"><br /><br />If you require more information, you can follow the guides below:<br /><br /><a href="https://www.oaic.gov.au/__data/assets/pdf_file/0014/1409/oaic-what-to-do-if-there-is-a-data-breach.pdf" style="color: #0086f0;">What to do if there is a data breach (oaic.gov.au)</a><br />Also consider the steps outlined in <a href="https://assets.website-files.com/5af4dc294c01df9fc297c900/632e67b2ca8ee2c0a1e7361b_IDCARE%20Response%20Fact%20Sheet%20-%20Optus%20Data%20Breach.pdf" style="color: #0086f0;">IDCARE Optus Data Breach Response Fact Sheet</a>.</span></div><p><b>Posted by Faysal Hasan</b> (http://www.blogger.com/profile/11837891241239740342), Australia.</p><h2>Optus Telecom company got hacked</h2><p><b>Published</b> 2022-09-22T21:06:00.003+10:00, <b>updated</b> 2022-09-22T21:06:42.755+10:00.</p><div class="separator" style="clear: both; text-align: center;"><a 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjWg79erRqRYIYSovTGigpURHQ6V0cPWtdmIF_BHw8kLtVe59Fxdg5fFebGg5A1XLLG-nKSkAIB9ChR8kCb5zXdtrnieXnSgBeP1pCVQwxiWfpBuao6NZ_pd5nvaJjdXl0e8gyG0-Gfsf5B7tMvpN1Vc70WUSMq5zCE8CIZfaSZqJV_C3EcQv2WHyc0Dw/s850/Optus%20hacked.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="547" data-original-width="850" height="206" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjWg79erRqRYIYSovTGigpURHQ6V0cPWtdmIF_BHw8kLtVe59Fxdg5fFebGg5A1XLLG-nKSkAIB9ChR8kCb5zXdtrnieXnSgBeP1pCVQwxiWfpBuao6NZ_pd5nvaJjdXl0e8gyG0-Gfsf5B7tMvpN1Vc70WUSMq5zCE8CIZfaSZqJV_C3EcQv2WHyc0Dw/s320/Optus%20hacked.png" width="320" /></a></div><p dir="ltr">Now our own <b>#Optus</b> got hacked.<br />
<b>#optus</b> is investigating the possible unauthorised access of current and former customers’ information.</p>
<p dir="ltr">Upon discovering this, Optus immediately shut down the attack. Optus is working with the Australian Cyber Security Centre to mitigate any risks to customers. Optus has also notified the Australian Federal Police, the Office of the Australian Information Commissioner and key regulators.</p>
<p dir="ltr">Up to 3 million users have had all their data stolen, including passport numbers and birth dates. Information that may have been exposed includes customers’ names, dates of birth, phone numbers, email addresses, and, for a subset of customers, addresses and ID document numbers such as driver's licence or passport numbers. Payment details and account passwords have not been compromised.</p>
<p dir="ltr">Optus <b>#services</b>, including <b>#mobile</b> and home <b>#internet</b>, are not affected, and messages and voice calls have not been compromised. Optus services remain safe to use and operate as per normal.</p>
<p dir="ltr">Optus is yet to inform the individual customers whose data was accessed.</p>
<p dir="ltr">No technical details on how the hack occurred have been published yet.</p>
<p dir="ltr"> <b>#cybersecurity</b> <b>#police</b> <b>#hacking</b> <b>#acsc</b> <b>#databreach</b> <b>#cyberattack</b> <b>#customerdata</b> </p><p><b>Posted by Faysal Hasan</b> (http://www.blogger.com/profile/11837891241239740342), Melbourne VIC, Australia.</p><h2>Uber Got Hacked badly.</h2><p><b>Published</b> 2022-09-21T15:23:00.000+10:00, <b>updated</b> 2022-09-21T15:23:03.394+10:00.</p><p><b>#Uber</b> got hacked. The hack was successful because of <b>#socialengineering</b>, so be careful when you receive an <b>#email</b> or message: check it out before clicking any link or giving away your login info, etc.</p>
<p dir="ltr">Secondly, change your Uber password. These are the two key takeaways.</p>
<p dir="ltr">Now to the technical stuff. The hacker claims they social-engineered an employee and then found admin credentials in a PowerShell script on a network share. As the hacker says:</p>
<p dir="ltr">"One of the powershell scripts contained the username and password for a admin user in Thycotic (PAM) Using this i was able to extract secrets for all services, DA, DUO, Onelogin, AWS, GSuite"</p>
<p dir="ltr"><br /></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKl9qDd05_p61ZqBwwzwopyI-CyZgIKIlbwujhiz_fSGD8mZ_fRHtoHPIHfi0HEFkJQHdW9diYXl9URT_PR0FxBG_npQ63WIptFhTTnP0luJl-x47wjxy4tG-mTyUuIiDDP4BQ6LvDQ2SL4xnwGCYUGzFRS6a6aqIPsjwfWb1Y2VmVHwJzpzbhk8Bl3w/s1280/20220918_013550.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="686" data-original-width="1280" height="172" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKl9qDd05_p61ZqBwwzwopyI-CyZgIKIlbwujhiz_fSGD8mZ_fRHtoHPIHfi0HEFkJQHdW9diYXl9URT_PR0FxBG_npQ63WIptFhTTnP0luJl-x47wjxy4tG-mTyUuIiDDP4BQ6LvDQ2SL4xnwGCYUGzFRS6a6aqIPsjwfWb1Y2VmVHwJzpzbhk8Bl3w/s320/20220918_013550.jpg" width="320" /></a></div><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjRBiungD0oDsKQjKZK16Xbxyd1IdfEcHp5ot3y5IIKTPLPRJeKiID6-xT7qd2qbe7Q9Gg0DOX6n4yC6r0npP8RWhOMT24Qb5aJRE7lYHn1vnedW3qeVv5At8iwXdh8bJij1CBLtThQIe-_6FwpU6KbzkREd_i6Dw3rYc6-iFiTtBan5wT_10gdkx7XgQ/s960/20220918_013701.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="291" data-original-width="960" height="97" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjRBiungD0oDsKQjKZK16Xbxyd1IdfEcHp5ot3y5IIKTPLPRJeKiID6-xT7qd2qbe7Q9Gg0DOX6n4yC6r0npP8RWhOMT24Qb5aJRE7lYHn1vnedW3qeVv5At8iwXdh8bJij1CBLtThQIe-_6FwpU6KbzkREd_i6Dw3rYc6-iFiTtBan5wT_10gdkx7XgQ/s320/20220918_013701.jpg" width="320" /></a></div><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh5EWcpTcHn4dXEua0hhwgUSkRwNF_bwth4Q73OUuTevEJPwP65iXCCxRmrjIXnAZ9FATx264znUzksXsRr-jyX_-vkHM8J2g5pVZ9d1uwOH72Dr4_fM5LPQidxIzx8i7iDtLR6-1Q0grYNyI_mOBaNjtU6IFmBTUhMsct_QPVzIYS9J7rZDx49pbh9mQ/s781/20220918_013939.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" 
data-original-height="781" data-original-width="671" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh5EWcpTcHn4dXEua0hhwgUSkRwNF_bwth4Q73OUuTevEJPwP65iXCCxRmrjIXnAZ9FATx264znUzksXsRr-jyX_-vkHM8J2g5pVZ9d1uwOH72Dr4_fM5LPQidxIzx8i7iDtLR6-1Q0grYNyI_mOBaNjtU6IFmBTUhMsct_QPVzIYS9J7rZDx49pbh9mQ/s320/20220918_013939.jpg" width="275" /></a></div><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjcgAeDqK7-VUZgKVMnjR47wz9pJ8pOxr9OzHy_uZDJKZmRrcHQxpEOldFLybV-AWMokX4okQn5A3JKZW9va3H8tHHqxK0WipKr_rWQoB-Xg5TQ1qvSrAdce_tbu0gFr3pPztLlWxbL61y9EGxp8hOmYZNmYKsqwu-NkFpXSnotTTLWE0sxjOz_fWSa2Q/s1280/Fcvh_tEXkAMsCN4.jpeg.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="686" data-original-width="1280" height="172" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjcgAeDqK7-VUZgKVMnjR47wz9pJ8pOxr9OzHy_uZDJKZmRrcHQxpEOldFLybV-AWMokX4okQn5A3JKZW9va3H8tHHqxK0WipKr_rWQoB-Xg5TQ1qvSrAdce_tbu0gFr3pPztLlWxbL61y9EGxp8hOmYZNmYKsqwu-NkFpXSnotTTLWE0sxjOz_fWSa2Q/s320/Fcvh_tEXkAMsCN4.jpeg.jpg" width="320" /></a></div><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhuAiMmyzVALzufY7EWLfAjk7lfvcvx2AaQMuqp_jNhA1gfcos9ENZbYb0Gbk-akAHGjkklK_m1FBsmC_ES1J6Ar3UG48E8fv5haAB0VrKErYxvSsF754FHMVDQGzKe1Z-zuEmlvRWLRLYNukyfh2Nh3ky4U5V7-Xfg_VTfejiMd-CBFEwhAjPygA76Sw/s1280/FcviAMrXgAUOF5u.jpeg.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="686" data-original-width="1280" height="172" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhuAiMmyzVALzufY7EWLfAjk7lfvcvx2AaQMuqp_jNhA1gfcos9ENZbYb0Gbk-akAHGjkklK_m1FBsmC_ES1J6Ar3UG48E8fv5haAB0VrKErYxvSsF754FHMVDQGzKe1Z-zuEmlvRWLRLYNukyfh2Nh3ky4U5V7-Xfg_VTfejiMd-CBFEwhAjPygA76Sw/s320/FcviAMrXgAUOF5u.jpeg.jpg" width="320" /></a></div><br /><p dir="ltr"><br /></p><p 
dir="ltr">The attacker basically got access to almost everything (allegedly):</p>
<p dir="ltr">- Slack<br />
- Google Workspace Admin<br />
- AWS Accounts<br />
- HackerOne Admin<br />
- SentinelOne EDR<br />
- vSphere<br />
- Financial Dashboards</p>
<p dir="ltr">Don’t point and laugh. It could be you next time. Focus on your IT security and employee training on Social Engineering.</p>
<p dir="ltr">** Another key point: if you are able to, spend and invest in people early, not after the breach, as we have seen in so many cases.</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiJ9LjCOGORFqUPqaqfM5z_dWUKCEPf4XwyT-Gah5L8Lkg1kEnPd4W3MAqgOKWi2bRllgFEuwrP-LiiW-zoAwK8nvVWMnfAsY0gRjc-Y8h_UYSc_dI-8UDi1bQVWB24NVU9NCmRkCNO-jRaOfzXT6QG24xhlXfCmkuRbn3pcOLf7tzR5F0metY48ANBoQ/s852/tmp_fdb3ce43-13dc-440f-bba1-3e442dc1b28d.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="852" data-original-width="540" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiJ9LjCOGORFqUPqaqfM5z_dWUKCEPf4XwyT-Gah5L8Lkg1kEnPd4W3MAqgOKWi2bRllgFEuwrP-LiiW-zoAwK8nvVWMnfAsY0gRjc-Y8h_UYSc_dI-8UDi1bQVWB24NVU9NCmRkCNO-jRaOfzXT6QG24xhlXfCmkuRbn3pcOLf7tzR5F0metY48ANBoQ/s320/tmp_fdb3ce43-13dc-440f-bba1-3e442dc1b28d.png" width="203" /></a></div><p dir="ltr">Good Luck.</p>
<p dir="ltr"> <b>#hacked</b> <b>#hacker</b> <b>#password</b> <b>#credentials</b> <b>#user</b> <b>#powershell</b> <b>#aws</b> <b>#share</b> <b>#uber</b> <b>#vsphere</b> <b>#slack</b> <b>#gsuite</b> <b>#sentinelone</b> </p><p><b>Posted by Faysal Hasan</b> (http://www.blogger.com/profile/11837891241239740342).</p><h2>Evil PLC Attack: Using a Controller as Predator Rather than Prey</h2><p><b>Published</b> 2022-09-19T12:31:00.001+10:00, <b>updated</b> 2022-09-19T12:31:25.174+10:00.</p><p>Team82 has developed a novel attack that weaponizes programmable logic controllers (PLCs) in order to exploit engineering workstations and further invade <b>#OT</b> and enterprise networks. They’re calling this the Evil <b>#PLC</b> Attack.</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiAuZ89ftf4TB7CITaTDJei7uC_x4xGjwD66yyjTiY5J8kAI2YFqMEsXW94gfXS3Ygnn0wl3KVk1iH2lLRU2DqCb2qjeIdX9p8-meXBFqb4H2hQyhfvfVj5cSMWEI3D9eDw18GvVOYd2mn09t0gkDZtqv9VdeEDG1C8llG_Xp07l9wMyZ3hgu6Eu6qTnA/s1072/Evil%20PLC%20attack.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="674" data-original-width="1072" height="201" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiAuZ89ftf4TB7CITaTDJei7uC_x4xGjwD66yyjTiY5J8kAI2YFqMEsXW94gfXS3Ygnn0wl3KVk1iH2lLRU2DqCb2qjeIdX9p8-meXBFqb4H2hQyhfvfVj5cSMWEI3D9eDw18GvVOYd2mn09t0gkDZtqv9VdeEDG1C8llG_Xp07l9wMyZ3hgu6Eu6qTnA/s320/Evil%20PLC%20attack.jpg" width="320" /></a></div>
<p dir="ltr">The attack targets engineers working every day on industrial networks, configuring and troubleshooting #PLCs to ensure the safety and reliability of processes across critical industries such as utilities, electricity, water and wastewater, heavy industry, manufacturing, and automotive, among others.</p>
<p dir="ltr">The Evil <b>#plc</b> Attack research resulted in working proof-of-concept exploits against seven market-leading automation companies, including Rockwell Automation, Schneider Electric, GE, B&R, XINJE, OVARRO, and Emerson.</p>
<p dir="ltr">The Evil PLC Attack turns the PLCs into the tool rather than the target. By weaponizing one PLC, an attacker may in turn compromise the engineer’s workstation, which is the best source for process-related information and would have access to all the other PLCs on the network. With this access and information, the attacker can easily alter the logic on any PLC. </p>
<p dir="ltr">The trick would be to lure an engineer to connect to a compromised PLC; the quickest way is to cause a fault on the PLC. That is a typical scenario an engineer would respond to, and connect using their engineering workstation application as a troubleshooting tool. <br /></p>
<p dir="ltr">Full report here: <a href="https://claroty.com/team82/blog/evil-plc-attack-using-a-controller-as-predator-rather-than-prey">https://claroty.com/team82/blog/evil-plc-attack-using-a-controller-as-predator-rather-than-prey</a></p>
<p dir="ltr"><b>#plcprogramming</b> <b>#plcscada</b> <b>#otsecurity</b> <b>#cyber</b> <b>#scada</b> <b>#ot</b> <b>#itsecurity</b> <b>#cybersecurity</b> <b>#redteam</b> <b>#pentest</b> <b>#pentesting</b> <b>#hacking</b> <b>#hackers</b> <b>#coding</b> <b>#malware</b></p>
<p dir="ltr"><b>#utilities</b> <b>#electricity</b> <b>#water</b> <b>#wastewater</b> <b>#heavyindustry</b> <b>#manufacturing</b> <b>#automotive</b><br />
</p><p><b>Posted by Faysal Hasan</b> (http://www.blogger.com/profile/11837891241239740342).</p><h2>Google Hacking :-</h2><p><b>Published</b> 2022-07-23T00:32:00.001+10:00, <b>updated</b> 2022-11-10T01:29:52.720+11:00.</p><div dir="ltr" style="text-align: left;" trbidi="on"><div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style="font-family: Calibri;"><strong><span style="color: red;">Basic Operators:-</span></strong> <br />
<strong><span style="color: #3d85c6;">1) And (+) :-</span></strong> This operator is used to include multiple terms in a query to be searched in Google.<br />
example:- if we type "hacker+yahoo+science" in the Google search box and click search, it will return results related to all three words simultaneously, i.e. hacker, yahoo and science.<br />
<br />
<strong><span style="color: #3d85c6;">2) OR (|) :-</span></strong> The OR operator, represented by the symbol ( | ) or simply the word OR in uppercase letters, instructs Google to locate either one term or another term in a query.<br />
<br />
<strong><span style="color: #3d85c6;">3) NOT :-</span></strong> It is the opposite of the AND operator: a NOT operator excludes a word from the search.<br />
example:- If we want to search for websites containing the terms google and hacking but not security, then we enter a query like "google+hacking" NOT "security".<br />
<br />
<br /><br /><br />
<strong><span style="color: red;">Advanced Operators:-</span></strong> <br />
<strong><span style="color: #3d85c6;">1) Intitle :-</span></strong> This operator searches within the title tags.<br />
examples:- intitle:hacking returns all pages that have the string "hacking" in their title.<br />
<br />
intitle:"index of" returns all pages that have string "index of" in their title.<br />
<br />
Companion operator:- "allintitle".<br />
<br /><br /><br />
<strong><span style="color: #3d85c6;">2) Inurl :-</span></strong> Returns all matches where the URL of the page contains the given word.<br />
example:- inurl:admin returns all matches where the URL of the searched pages contains the word "admin".<br />
<br />
Companion operator:- "allinurl".<br style="mso-special-character: line-break;" /></span><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXNJolo1YFHr0rGLgs4Pv9HV9CdzBHBr-ecJ9q80koEhnyM6gq7YyO3QMRPgSL-n7nT-keS19r6LdYfFUVLSEPhNz86ztfMRN2fpB-1vP_2fZbObb3UqQdpphZFkysdJCyElCCRvsgZmSQRtpauZ25uRxMtNSD7aNSl-GxnkN6ydZ0OBZXObZ6guZuIQ/s2018/Google%20dork%20search%20.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="2018" data-original-width="1054" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXNJolo1YFHr0rGLgs4Pv9HV9CdzBHBr-ecJ9q80koEhnyM6gq7YyO3QMRPgSL-n7nT-keS19r6LdYfFUVLSEPhNz86ztfMRN2fpB-1vP_2fZbObb3UqQdpphZFkysdJCyElCCRvsgZmSQRtpauZ25uRxMtNSD7aNSl-GxnkN6ydZ0OBZXObZ6guZuIQ/s320/Google%20dork%20search%20.jpg" width="167" /></a></div><span style="font-family: Calibri;"><strong><span style="color: #3d85c6;">3) Site :-</span></strong> This operator narrows the search to a specific website. It will return results only from the given domain, and can be used to carry out information gathering on a specific domain.<br />
example:- site:www.microsoft.com will find results only from the domain www.microsoft.com<br />
<br />
<strong><span style="color: #3d85c6;">4) Link :-</span></strong> This operator allows you to search for pages that link to a given website.<br />
example:- link:www.microsoft.com<br />
Here, each search result contains links to <a href="http://www.microsoft.com/">www.microsoft.com</a><br />
<br />
<strong><span style="color: #3d85c6;">5) Info :-</span></strong> This operator shows summary information for a site and provides links to other Google searches that might pertain to that site.<br />
example:- info:www.yahoo.com<br />
<br />
<strong><span style="color: #3d85c6;">6) Define :-</span></strong> This operator shows the definition of any term.<br />
example:- define:security<br />
It gives various definitions of the word "security" from sources all over the world.<br />
<br />
<strong><span style="color: #3d85c6;">7) Filetype :-</span></strong> This operator allows us to search for specific file types on the internet. The supported file types include pdf, xls, ppt, doc, txt, asp, swf, rtf, etc.<br />
example:- If you want to search for all text documents present on the domain www.microsoft.com, then enter a query like the following:<br />
"inurl:www.microsoft.com filetype:txt"<br />
<br />
<br />
<strong><span style="color: red;">POPULAR SEARCH:</span></strong> <br />
<strong><span style="color: #3d85c6;">Google Search :- "Active Webcam Page" inurl:8080</span></strong> Description- Active WebCam is a shareware program for capturing and sharing the video streams from many video devices. Known bugs: directory traversal and cross-site scripting.<br /><br /><strong><span style="color: #3d85c6;">Google Search :- "delete entries" inurl:admin/delete.asp</span></strong> Description- AspJar contains a flaw that may allow a malicious user to delete arbitrary messages. The issue is triggered when the authentication method is bypassed and /admin/delete.asp is accessed directly. It is possible that the flaw may allow a malicious user to delete messages, resulting in a loss of integrity.<br />
<br />
<strong><span style="color: #3d85c6;">Google Search :- "phone * * *" "address *" "e-mail" intitle:"curriculum vitae"</span></strong><br />
Description- This search gives hundreds of existing curriculum vitae with names and address. An attacker could steal identity if there is an SSN in the document.<br />
<br />
<strong><span style="color: #3d85c6;">Google Search :- intitle:"index of" finance.xls</span></strong> Description- Secret financial spreadsheets 'finance.xls' or 'finances.xls' of companies may be revealed by this query.<br />
<br />
<strong><span style="color: #3d85c6;">Google Search :- intitle:"index.of" robots.txt</span></strong> Description- The robots.txt file contains "rules" about where web spiders are allowed (and NOT allowed) to look in a website's directory structure. Without over-complicating things, this means that the robots.txt file gives a mini-roadmap of what's somewhat public and what's considered more private on a web site. Have a look at the robots.txt file itself, it contains interesting stuff. However, don't forget to check out the other files in these directories since they are usually at the top directory level of the web server!<br />
<br />
<strong><span style="color: #3d85c6;">Google Search :- intitle:index.of.admin</span></strong> Description- Locate "admin" directories that are accessible from directory listings.<br />
<br />
<strong><span style="color: #3d85c6;">Google Search :- inurl:"nph-proxy.cgi" "start browsing"</span></strong> Description- Returns lots of proxy servers that protect your identity online.</span></div></div><p><b>Posted by Faysal Hasan</b> (http://www.blogger.com/profile/11837891241239740342).</p><h2>DNS Logs Anomaly Hunting Checklist for Security and SOC Analyst</h2><p><b>Published</b> 2022-06-19T02:54:00.005+10:00, <b>updated</b> 2022-06-19T02:54:49.635+10:00.</p><p>
</p><h2 lang="en-US" style="font-family: Calibri; font-size: 11pt; margin: 0in; text-align: left;"><span style="background-color: #ffa400;"><span style="font-weight: bold;">DNS Logs Anomaly Hunting Checklist for SOC Analyst <br /></span></span></h2>
<p lang="en-US" style="font-family: Calibri; font-size: 11.0pt; margin: 0in;"> </p>
<p lang="en-US" style="margin: 0in 0in 0in 0.375in;"><span style="font-size: small;"><span style="font-family: verdana;"><span style="font-weight: bold;"> </span></span></span></p><div class="separator" style="clear: both; text-align: center;"><span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEifUMaka5r1pyHs-GpS5h0qlpVKMtX6VgFzGbo0KWsOTLccEEquUzQALkBQKRn-GwlFfAVSwaRzDMrPDOEP0idrZZqr5xX3UK7lsVZHvV_8pNLI5b-Cos15lIvVYebxSs_FAAIcsq74wdM4gaj7E-2Ppof1bQ35UTRxDRfoIdHx_wtllerOpL_eHFb94g/s751/DNS%20log.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="557" data-original-width="751" height="296" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEifUMaka5r1pyHs-GpS5h0qlpVKMtX6VgFzGbo0KWsOTLccEEquUzQALkBQKRn-GwlFfAVSwaRzDMrPDOEP0idrZZqr5xX3UK7lsVZHvV_8pNLI5b-Cos15lIvVYebxSs_FAAIcsq74wdM4gaj7E-2Ppof1bQ35UTRxDRfoIdHx_wtllerOpL_eHFb94g/w400-h296/DNS%20log.png" width="400" /></a></span></div><span style="font-size: small;"><br /></span><p></p><p lang="en-US" style="margin: 0in 0in 0in 0.375in;"><span style="font-size: small;"><span style="font-family: verdana;"><span style="font-weight: bold;">• </span>Check for the hosts with a
high volume of uncommon record types (TXT, NULL, CNAME, etc.)</span></span></p><p lang="en-US" style="margin: 0in 0in 0in 0.375in;"><span style="font-size: small;"><span style="font-family: verdana;"> </span></span></p><span style="font-size: small;"><span style="font-family: verdana;">
</span></span><p lang="en-US" style="margin: 0in 0in 0in 0.375in;"><span style="font-size: small;"><span style="font-family: verdana;">• Command and control channels may use specific DNS record types,
such as TXT and CNAME, to carry commands and payloads to malware.</span></span></p><p lang="en-US" style="margin: 0in 0in 0in 0.375in;"><span style="font-size: small;"><span style="font-family: verdana;"> </span></span></p><span style="font-size: small;"><span style="font-family: verdana;">
</span></span><p lang="en-US" style="margin: 0in 0in 0in 0.375in;"><span style="font-size: small;"><span style="font-family: verdana;">• Explore Top Level Domains, TLDs (.xyz, .me, .biz, etc ),
and TLDs for geographical regions in which your organization does not regularly
operate.</span></span></p><p lang="en-US" style="margin: 0in 0in 0in 0.375in;"><span style="font-size: small;"><span style="font-family: verdana;"> </span></span></p><span style="font-size: small;"><span style="font-family: verdana;">
</span></span><p lang="en-US" style="margin: 0in 0in 0in 0.375in;"><span style="font-size: small;"><span style="font-family: verdana;">• The proliferation of TLDs has made it easier for attackers to
continually add new domains to their infrastructure to evade threat intel
lists, as well as register doppelganger domains for common websites.</span></span></p><p lang="en-US" style="margin: 0in 0in 0in 0.375in;"><span style="font-size: small;"><span style="font-family: verdana;"> </span></span></p><span style="font-size: small;"><span style="font-family: verdana;">
</span></span><p lang="en-US" style="margin: 0in 0in 0in 0.375in;"><span style="font-size: small;"><span style="font-family: verdana;">• Inbound/outbound requests for TLDs of geographical regions
outside of your organization’s point of presence should be considered
suspicious and reviewed, especially regions synonymous
with cybercrime and anonymization.</span></span></p><p lang="en-US" style="margin: 0in 0in 0in 0.375in;"><span style="font-size: small;"><span style="font-family: verdana;"> </span></span></p><span style="font-size: small;"><span style="font-family: verdana;">
</span></span><p lang="en-US" style="margin: 0in 0in 0in 0.375in;"><span style="font-size: small;"><span style="font-family: verdana;">• Aggregate and filter DNS application logs on the response
code NXDOMAIN (domain does not exist) to review hosts seen with a
high volume of DNS resolution failures.</span></span></p><p lang="en-US" style="margin: 0in 0in 0in 0.375in;"><span style="font-size: small;"><span style="font-family: verdana;"> </span></span></p><span style="font-size: small;"><span style="font-family: verdana;">
</span></span><p lang="en-US" style="margin: 0in 0in 0in 0.375in;"><span style="font-size: small;"><span style="font-family: verdana;">• There are many benign reasons for failed DNS queries; however, the
abnormal volume can be a strong indicator of possible threat activity. For
example, malware utilizing domain generation algorithms (DGAs) will
cycle through multiple generated domains until a valid reply is received. Since
most of the domains requested will not exist, it will generate a high volume of
NXDOMAIN responses. In addition, abnormal NXDOMAIN volume could highlight hosts
requesting malicious domains that are no longer active.</span></span></p><p lang="en-US" style="margin: 0in 0in 0in 0.375in;"><span style="font-size: small;"><span style="font-family: verdana;"> </span></span></p><span style="font-size: small;"><span style="font-family: verdana;">
</span></span><p lang="en-US" style="margin: 0in 0in 0in 0.375in;"><span style="font-size: small;"><span style="font-family: verdana;">• Look for hosts with high DNS request volume for multiple
subdomains of a single parent domain.</span></span></p><p lang="en-US" style="margin: 0in 0in 0in 0.375in;"><span style="font-size: small;"><span style="font-family: verdana;"> </span></span></p><span style="font-size: small;"><span style="font-family: verdana;">
</span></span><p lang="en-US" style="margin: 0in 0in 0in 0.375in;"><span style="font-size: small;"><span style="font-family: verdana;">• A common method of communicating data is by including it in the
query string itself in place of the subdomain (commonly encoded using Base64).
Identifying requests of multiple suspicious subdomains for a specific domain
could help to highlight this method of communication.</span></span></p><p lang="en-US" style="margin: 0in 0in 0in 0.375in;"><span style="font-size: small;"><span style="font-family: verdana;"> </span></span></p><span style="font-size: small;"><span style="font-family: verdana;">
</span></span><p lang="en-US" style="margin: 0in 0in 0in 0.375in;"><span style="font-size: small;"><span style="font-family: verdana;">• Identify suspicious requests by reviewing queries of domains that
are abnormally long, or domains with a high level of entropy.</span></span></p><p lang="en-US" style="margin: 0in 0in 0in 0.375in;"><span style="font-size: small;"><span style="font-family: verdana;"> </span></span></p><span style="font-size: small;"><span style="font-family: verdana;">
</span></span><p lang="en-US" style="margin: 0in 0in 0in 0.375in;"><span style="font-size: small;"><span style="font-family: verdana;">• Hunting for abnormally long queries that occur in high volume could help
identify encoded data hidden in query strings as well as evidence of
DGA domains.</span></span></p><p lang="en-US" style="margin: 0in 0in 0in 0.375in;"><span style="font-size: small;"><span style="font-family: verdana;"> </span></span></p><span style="font-size: small;"><span style="font-family: verdana;">
</span></span><p lang="en-US" style="margin: 0in 0in 0in 0.375in;"><span style="font-size: small;"><span style="font-family: verdana;">• Review endpoint process names for any unusually named processes
or processes that are not regularly seen generating logon requests.</span></span></p><p lang="en-US" style="margin: 0in 0in 0in 0.375in;"><span style="font-size: small;"><span style="font-family: verdana;"> </span></span></p><span style="font-size: small;"><span style="font-family: verdana;">
</span></span><p lang="en-US" style="margin: 0in 0in 0in 0.375in;"><span style="font-size: small;"><span style="font-family: verdana;">• Attackers can simply register new domains to evade detection by
threat intel lists. Identifying newly registered domains could help to easily
identify suspicious activity.</span></span></p><p lang="en-US" style="margin: 0in 0in 0in 0.375in;"><span style="font-size: small;"><span style="font-family: verdana;"> </span></span></p><span style="font-size: small;"><span style="font-family: verdana;">
</span></span><p lang="en-US" style="margin: 0in 0in 0in 0.375in;"><span style="font-size: small;"><span style="font-family: verdana;">• DNS fluxing is a technique used by attackers to hide an
actual phishing or malware domain behind constantly changing
compromised hosts (IPs) which act as proxies. To accomplish this, the
Time to Live (TTL) of the DNS record is set very low (close to 5 min) so that changes
made in DNS propagate quickly across the internet. Because it is constantly
changing, this makes it hard to identify and take down the actual source. A DNS
query for a domain with a TTL of less than 5-10 minutes is one way to
hunt. Repeated resolutions of the same domain returning different IP addresses are another way to
hunt.</span></span></p><p lang="en-US" style="margin: 0in 0in 0in 0.375in;"><span style="font-size: small;"><span style="font-family: verdana;"> </span></span></p><span style="font-size: small;"><span style="font-family: verdana;">
</span></span><p lang="en-US" style="margin: 0in 0in 0in 0.375in;"><span style="font-size: small;"><span style="font-family: verdana;">• Allowed inbound traffic on port 53 over Transmission Control Protocol
(TCP) is used for zone transfers and should only be allowed between primary and secondary
DNS servers. A zone transfer with an external IP/domain should be
treated as a high-priority alert.</span></span></p><p lang="en-US" style="margin: 0in 0in 0in 0.375in;"><span style="font-size: small;"><span style="font-family: verdana;"> </span></span></p><span style="font-size: small;"><span style="font-family: verdana;">
</span></span><p lang="en-US" style="margin: 0in 0in 0in 0.375in;"><span style="font-size: small;"><span style="font-family: verdana;">• Internal hosts should not send DNS queries to unusual destinations; this often indicates
potentially malicious traffic.</span></span></p>
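<p>Worked example (added here; this is not code from the original checklist): a small Python hunt that runs the checks above over a few constructed DNS log lines. The log format (client IP, query name, record type, response code and TTL on each line), the hosts, the domains and the thresholds are all assumptions made for the demo; map the fields to whatever your resolver, Sysmon or Zeek DNS logs actually carry.</p>

```python
"""Added example: hunt a constructed DNS log for the anomalies in the checklist.
Assumed line format: client_ip  query_name  record_type  rcode  ttl_seconds."""
import math
from collections import Counter, defaultdict

# Constructed sample data; every host, name and value is invented for the demo.
SAMPLE_DNS_LOG = """\
10.0.0.5 www.example.com A NOERROR 3600
10.0.0.5 mail.example.com A NOERROR 3600
10.0.0.7 kq7x2mz9ab.example.xyz A NXDOMAIN 0
10.0.0.7 p0w3rz1qlm.example.xyz A NXDOMAIN 0
10.0.0.7 zz91kqp2vx.example.xyz A NXDOMAIN 0
10.0.0.7 a8b7c6d5e4.example.xyz A NXDOMAIN 0
10.0.0.9 aGVsbG8gd29ybGQ.tunnel.example.net TXT NOERROR 60
10.0.0.9 dGhpcyBpcyBhIHRlc3Q.tunnel.example.net TXT NOERROR 60
10.0.0.9 ZXhmaWx0cmF0ZWQ.tunnel.example.net TXT NOERROR 60
10.0.0.11 login.example.org A NOERROR 120
10.0.0.11 login.example.org A NOERROR 120
"""

UNCOMMON_TYPES = {"TXT", "NULL", "CNAME"}   # record types the checklist calls out
WATCH_TLDS = {"xyz", "me", "biz"}            # TLDs the checklist calls out (assumed list)
LOW_TTL_SECONDS = 300                        # ~5 min, the fast-flux TTL threshold above

def parse_log(text):
    """One dict per well-formed line; names are lowercased (DNS is case-insensitive)."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        client, name, rtype, rcode, ttl = parts
        records.append({"client": client, "name": name.lower().rstrip("."),
                        "type": rtype.upper(), "rcode": rcode.upper(), "ttl": int(ttl)})
    return records

def shannon_entropy(s):
    """Bits per character: random-looking labels score high, dictionary words low."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def nxdomain_heavy_hosts(records, threshold=3):
    """Hosts with at least `threshold` NXDOMAIN answers (DGA or dead-C2 indicator)."""
    c = Counter(r["client"] for r in records if r["rcode"] == "NXDOMAIN")
    return {h: n for h, n in c.items() if n >= threshold}

def uncommon_type_hosts(records, threshold=3):
    """Hosts issuing many TXT/NULL/CNAME queries (possible C2 or tunnelling)."""
    c = Counter(r["client"] for r in records if r["type"] in UNCOMMON_TYPES)
    return {h: n for h, n in c.items() if n >= threshold}

def watch_tld_queries(records):
    """Names under TLDs the organisation does not normally use."""
    return sorted({r["name"] for r in records if r["name"].rsplit(".", 1)[-1] in WATCH_TLDS})

def suspicious_names(records, min_label_len=10, min_entropy=3.0):
    """Names containing a long, high-entropy label: encoded data or DGA output."""
    out = set()
    for r in records:
        for label in r["name"].split("."):
            if len(label) >= min_label_len and shannon_entropy(label) >= min_entropy:
                out.add(r["name"])
    return sorted(out)

def subdomain_fanout(records, threshold=3):
    """Parent domains (approximated as the last two labels) with many distinct subdomains."""
    seen = defaultdict(set)
    for r in records:
        labels = r["name"].split(".")
        if len(labels) > 2:
            seen[".".join(labels[-2:])].add(r["name"])
    return {p: len(s) for p, s in seen.items() if len(s) >= threshold}

def low_ttl_domains(records, max_ttl=LOW_TTL_SECONDS):
    """Answered names with a very short TTL (fast-flux style); NXDOMAIN carries no real TTL."""
    return sorted({r["name"] for r in records if r["rcode"] == "NOERROR" and r["ttl"] < max_ttl})

def hunt(text):
    """Run every check and return the findings keyed by check name."""
    records = parse_log(text)
    return {
        "nxdomain_hosts": nxdomain_heavy_hosts(records),
        "uncommon_type_hosts": uncommon_type_hosts(records),
        "watch_tld_queries": watch_tld_queries(records),
        "suspicious_names": suspicious_names(records),
        "subdomain_fanout": subdomain_fanout(records),
        "low_ttl_domains": low_ttl_domains(records),
    }

if __name__ == "__main__":
    for check, finding in hunt(SAMPLE_DNS_LOG).items():
        print(f"{check}: {finding}")
```

<p>The thresholds are deliberately low so that the sample trips every check; in production, set them from a baseline of your own resolvers' traffic, and treat the entropy and length cut-offs as a starting point for review rather than an alert on their own.</p>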
Faysal Hasanhttp://www.blogger.com/profile/11837891241239740342noreply@blogger.com1tag:blogger.com,1999:blog-8774245130267339525.post-43347742327064814982022-06-19T02:48:00.003+10:002022-06-22T00:43:37.360+10:00Kerberoasting Attack and Detection<p lang="en-US" style="margin: 0in 0in 0in 0.375in;"></p><span style="font-size: small;"><span style="font-family: verdana;">
</span></span><h2 lang="en-US" style="margin: 0in 0in 0in 0.375in; text-align: left;"><span style="font-size: small;"><span style="font-family: verdana;"><span style="background-color: #ffa400;"><span style="font-weight: bold;">Kerberoasting</span></span> </span></span></h2><p lang="en-US" style="margin: 0in 0in 0in 0.375in; text-align: left;"><span style="font-size: small;"><span style="font-family: verdana;">is a common
attack used by malicious actors once access is gained to an organization's
internal network and a domain account is compromised. Kerberoasting allows an
attacker to elevate their privileges by gaining access to passwords for service
accounts on the domain.</span></span></p><p lang="en-US" style="margin: 0in 0in 0in 0.375in;"><span style="font-size: small;"><span style="font-family: verdana;"><br /></span></span></p><div class="separator" style="clear: both; text-align: center;"><span style="font-size: small;"><span style="font-family: verdana;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgM9uBAQadPAw2BkBDNuZIbNqlQZ9dvz-GvJ01dh3WqbDX8ldbZGZQYkLgbwMR9bgPnTvitoljRRHhdQx-PEbBMEOC5j7T7F9j3IcUoq8RqQTc9GCHnRvkZEmntgODCFn_2_t2nhwxYN4Qzh5froGEe4Vp0wuNMvrA53VmV6f8TgLfv-LP44Nc9XjZjWQ/s1197/kerbaroasting.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="597" data-original-width="1197" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgM9uBAQadPAw2BkBDNuZIbNqlQZ9dvz-GvJ01dh3WqbDX8ldbZGZQYkLgbwMR9bgPnTvitoljRRHhdQx-PEbBMEOC5j7T7F9j3IcUoq8RqQTc9GCHnRvkZEmntgODCFn_2_t2nhwxYN4Qzh5froGEe4Vp0wuNMvrA53VmV6f8TgLfv-LP44Nc9XjZjWQ/w400-h200/kerbaroasting.png" width="400" /></a></span></span></div><span style="font-size: small;"><span style="font-family: verdana;"><br /> </span></span><p></p><span style="font-size: small;"><span style="font-family: verdana;">
</span></span><p lang="en-US" style="margin: 0in 0in 0in 0.375in;"><span style="font-size: small;"><span style="font-family: verdana;"> </span></span></p><span style="font-size: small;"><span style="font-family: verdana;">
</span></span><p lang="en-US" style="margin: 0in 0in 0in 0.375in;"><span style="font-size: small;"><span style="font-family: verdana;"><span style="background-color: #ffa400;"><span style="font-weight: bold;">Key Points </span></span></span></span></p><span style="font-size: small;"><span style="font-family: verdana;">
</span></span><p lang="en-US" style="margin: 0in 0in 0in 0.375in;"><span style="font-size: small;"><span style="font-family: verdana;">• Using Kerberoasting, an attacker extracts service account credential hashes from Active
Directory for offline cracking by exploiting a combination of weak encryption
and poor service account passwords.</span></span></p><ul style="text-align: left;"><li><span style="font-size: small;"><span style="font-family: verdana;">Kerberoasting is effective because an attacker does not require domain
administrator credentials to pull off this attack and can extract service
account credential hashes without sending packets to the target. </span></span></li></ul><span style="font-size: small;"><span style="font-family: verdana;">
</span></span><p lang="en-US" style="margin: 0in 0in 0in 0.375in;"><span style="font-size: small;"><span style="font-family: verdana;"> </span></span></p><span style="font-size: small;"><span style="font-family: verdana;">
</span></span><p lang="en-US" style="margin: 0in 0in 0in 0.375in;"><span style="font-size: small;"><span style="font-family: verdana;"><span style="background-color: #ffa400;"><span style="font-weight: bold;">Detecting Kerberoasting: </span></span></span></span></p><span style="font-size: small;"><span style="font-family: verdana;">
</span></span><ul style="text-align: left;"><li><span style="font-size: small;"><span style="font-family: verdana;">Event ID: 4768 (Kerberos TGS Request) The Account Domain field is
DOMAIN FQDN when it should be DOMAIN.</span></span></li></ul><span style="font-size: small;"><span style="font-family: verdana;">
</span></span><div><ul style="text-align: left;"><li><span style="font-size: small;"><span style="font-family: verdana;">Event ID 4769 with the weak RC4 encryption types (0x17 and 0x18) used in Kerberoasting
and ticket option 0x40810000.</span></span></li></ul>
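<p>Worked example (added here; not code from the original post): a Python filter that applies the 4769 indicators above to constructed event records. The field names mirror the 4769 event data (target user, service name, ticket encryption type, ticket options, client address), but the records, account names and addresses are invented. Two tuning choices are added here that the list above does not state: computer accounts (names ending in "$") are excluded, and a "burst" check flags one account that obtained weak-etype tickets for several distinct services within a few minutes.</p>

```python
"""Added example: flag Kerberoasting-style TGS requests in constructed
Windows Security event 4769 records."""
from collections import defaultdict
from datetime import datetime, timedelta

WEAK_ETYPES = {0x17, 0x18}           # RC4-HMAC and RC4-HMAC-EXP, as called out above
ROAST_TICKET_OPTIONS = 0x40810000    # ticket options value called out above

# Constructed 4769 records (not real telemetry); times are ISO-8601 strings.
SAMPLE_4769_EVENTS = [
    # ordinary AES service tickets from a workstation user
    {"time": "2022-06-19T02:10:05", "user": "alice@CORP.LOCAL", "service": "cifs/fs01",
     "etype": 0x12, "options": 0x40810000, "ip": "10.0.0.21"},
    {"time": "2022-06-19T02:10:06", "user": "alice@CORP.LOCAL", "service": "HOST/WS05$",
     "etype": 0x12, "options": 0x40810000, "ip": "10.0.0.21"},
    # burst of RC4 tickets for many SPN-bearing service accounts from one host
    {"time": "2022-06-19T02:31:00", "user": "bob@CORP.LOCAL", "service": "svc_sql",
     "etype": 0x17, "options": 0x40810000, "ip": "10.0.0.33"},
    {"time": "2022-06-19T02:31:01", "user": "bob@CORP.LOCAL", "service": "svc_web",
     "etype": 0x17, "options": 0x40810000, "ip": "10.0.0.33"},
    {"time": "2022-06-19T02:31:01", "user": "bob@CORP.LOCAL", "service": "svc_backup",
     "etype": 0x17, "options": 0x40810000, "ip": "10.0.0.33"},
    {"time": "2022-06-19T02:31:02", "user": "bob@CORP.LOCAL", "service": "svc_sccm",
     "etype": 0x18, "options": 0x40810000, "ip": "10.0.0.33"},
    # RC4 ticket for a computer account: legacy-client noise, excluded by tuning
    {"time": "2022-06-19T02:40:00", "user": "printer01$@CORP.LOCAL", "service": "FILESRV$",
     "etype": 0x17, "options": 0x40810000, "ip": "10.0.0.60"},
]

def is_roast_candidate(ev):
    """Weak RC4 etype plus the ticket options seen in roasting. Computer
    accounts (names ending in '$') and krbtgt are excluded: their passwords
    are long and random, unlike human-chosen service account passwords."""
    svc = ev["service"]
    return (ev["etype"] in WEAK_ETYPES
            and ev["options"] == ROAST_TICKET_OPTIONS
            and not svc.endswith("$")
            and not svc.lower().startswith("krbtgt"))

def roast_candidates(events):
    """All events that match the per-event indicator."""
    return [ev for ev in events if is_roast_candidate(ev)]

def burst_requesters(events, window=timedelta(minutes=5), min_services=3):
    """Users that obtained weak-etype tickets for at least `min_services`
    distinct services inside one window: a simple Kerberoast signature."""
    by_user = defaultdict(list)
    for ev in roast_candidates(events):
        by_user[ev["user"]].append((datetime.fromisoformat(ev["time"]), ev["service"]))
    hits = {}
    for user, items in by_user.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            in_window = {svc for t, svc in items[i:] if t - t0 <= window}
            if len(in_window) >= min_services:
                hits[user] = sorted(in_window)
                break
    return hits

if __name__ == "__main__":
    for ev in roast_candidates(SAMPLE_4769_EVENTS):
        print(f"{ev['time']} {ev['user']} requested {ev['service']} with etype 0x{ev['etype']:x}")
    print("burst requesters:", burst_requesters(SAMPLE_4769_EVENTS))
```

<p>In a SIEM the same logic is a filter on TicketEncryptionType and TicketOptions followed by a count of distinct ServiceName values per TargetUserName over a short window; hosts that still need RC4 for legacy applications will show up here, so baseline those before alerting.</p>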
<p lang="en-US" style="margin: 0in 0in 0in 0.375in;"><span style="font-size: small;"><span style="font-family: verdana;"> </span></span></p><p lang="en-US" style="margin: 0in 0in 0in 0.375in;"><span style="font-size: small;"><span style="font-family: verdana;"><span style="background-color: #ffa400;"><span style="font-weight: bold;">Elements of a Kerberoasting Attack</span></span></span></span></p>
<p lang="en-US" style="margin: 0in 0in 0in 0.375in;"><span style="font-size: small;"><span style="font-family: verdana;"> </span></span></p>
<p lang="en-US" style="margin: 0in 0in 0in 0.375in;"><span style="font-size: small;"><span style="font-family: verdana;">Here is how a Kerberoasting attack works in practice:</span></span></p>
<p lang="en-US" style="margin: 0in 0in 0in 0.375in;"><span style="font-size: small;"><span style="font-family: verdana;"> </span></span></p>
<ul style="direction: ltr; margin-bottom: 0in; margin-left: 0.75in; margin-top: 0in; unicode-bidi: embed;" type="disc"><li lang="en-US" style="margin-bottom: 0px; margin-top: 0px; vertical-align: middle;"><span style="font-size: small;"><span style="font-family: verdana;"><span>To begin with, an attacker compromises
the account of a domain user. The user need not have elevated or
“administrator” privileges. The attacker authenticates to the domain.</span></span></span></li></ul><span style="font-size: small;"><span style="font-family: verdana;"><span> </span></span></span><ul style="direction: ltr; margin-bottom: 0in; margin-left: 0.75in; margin-top: 0in; unicode-bidi: embed;" type="disc"><li lang="en-US" style="margin-bottom: 0px; margin-top: 0px; vertical-align: middle;"><span style="font-size: small;"><span style="font-family: verdana;"><span>When the malicious<span> </span>user is authenticated, they receive a
ticket granting ticket (TGT) from the Kerberos key distribution center
(KDC) that is signed by its KRBTGT service account in Active Directory.</span></span></span></li></ul><span style="font-size: small;"><span style="font-family: verdana;"><span> </span></span></span><ul style="direction: ltr; margin-bottom: 0in; margin-left: 0.75in; margin-top: 0in; unicode-bidi: embed;" type="disc"><li lang="en-US" style="margin-bottom: 0px; margin-top: 0px; vertical-align: middle;"><span style="font-size: small;"><span style="font-family: verdana;"><span>Next, the malicious actor requests a
service ticket for the service they wish to compromise. The domain
controller will retrieve the permissions out of the Active Directory
database and create a TGS ticket, encrypting it with the service’s
password. As a result, only the service and the domain controller are
capable of decrypting the ticket since those are the only two entities who
share the secret.</span></span></span></li></ul><span style="font-size: small;"><span style="font-family: verdana;"><span> </span></span></span><ul style="direction: ltr; margin-bottom: 0in; margin-left: 0.75in; margin-top: 0in; unicode-bidi: embed;" type="disc"><li lang="en-US" style="margin-bottom: 0px; margin-top: 0px; vertical-align: middle;"><span style="font-size: small;"><span style="font-family: verdana;"><span>The domain controller provides the
user with the service ticket that is then presented to the service, which
will decrypt it and determine whether the user has been granted permission
to access the service. At this point, an attacker may extract the ticket
from system memory, and crack it offline.</span></span></span></li></ul><span style="font-size: small;"><span style="font-family: verdana;"><span> </span></span></span><ul style="direction: ltr; margin-bottom: 0in; margin-left: 0.75in; margin-top: 0in; unicode-bidi: embed;" type="disc"><li lang="en-US" style="margin-bottom: 0px; margin-top: 0px; vertical-align: middle;"><span style="font-size: small;"><span style="font-family: verdana;"><span>For password cracking, tools such as
Impacket, PowerSploit and Empire contain features that automate the
process: requesting service tickets and returning crackable ticket hashes
in formats suitable for submission to cracking tools such as John the
Ripper and Hashcat, which will pry plaintext credentials from vulnerable
hashes.</span></span></span></li></ul><span style="font-size: small;"><span style="font-family: verdana;"><span> </span><br /></span></span></div><div><span style="font-size: small;"><span style="font-family: verdana;"><span> </span><br /></span></span></div><div>
<p lang="en-US" style="margin: 0in 0in 0in 0.375in;"><span style="font-size: small;"><span style="font-family: verdana;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQf2J3vXekFiK10rGYdkoW-TZVi6nxT86KS6q-McT0yS8AxMTX04tcXK2CqK1MXpHbO66N50AEq4Y36H4riZ9UgNM5spg8ypMv9-n0TtwIK6EIwvCPINCk_Vi2GFb4rh-hilWlF0ub60Ds6WL5gB-PKKbOO1rbSYiNkEDAA0Dkkphzw2ZKZ39UGW90uQ/s989/Karbaroasting.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="652" data-original-width="989" height="264" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQf2J3vXekFiK10rGYdkoW-TZVi6nxT86KS6q-McT0yS8AxMTX04tcXK2CqK1MXpHbO66N50AEq4Y36H4riZ9UgNM5spg8ypMv9-n0TtwIK6EIwvCPINCk_Vi2GFb4rh-hilWlF0ub60Ds6WL5gB-PKKbOO1rbSYiNkEDAA0Dkkphzw2ZKZ39UGW90uQ/w400-h264/Karbaroasting.png" width="400" /></a></span></span></p>
<p lang="en-US" style="margin: 0in 0in 0in 0.375in;"><span style="font-size: small;"><span style="font-family: verdana;"> </span></span></p>
<p lang="en-US" style="margin-bottom: 0in; margin-right: 0in; margin-top: 0in; text-align: left;"><span style="font-size: small;"><span style="font-family: verdana;"><span style="background-color: #ffa400;"><span style="font-weight: bold;">Finding Golden and
Silver Tickets</span></span></span></span></p><p lang="en-US" style="margin: 0in 0in 0in 0.375in;"><b><span style="font-size: small;"><span style="font-family: verdana;"><span style="background-color: #ffa400;"> </span></span></span></b></p><p lang="en-US" style="margin: 0in 0in 0in 0.375in;"><b><span style="font-size: small;"><span style="font-family: verdana;"><span style="background-color: #ffa400;">
</span></span></span></b></p><p lang="en-US" style="margin: 0in; text-align: left;"><span style="font-family: verdana;"><span style="font-size: small;"><b>Purpose: </b>Identify
suspicious TGT (Golden) and TGS (Silver) tickets by comparing the MaxTicketAge
from the domain policy to the difference in the StartTime and EndTime of the
cached authentication ticket.</span></span></p><p style="text-align: left;"><span style="font-family: verdana;"><span style="font-size: small;">
</span></span></p><p lang="en-US" style="margin: 0in; text-align: left;"><span style="font-family: verdana;"><span style="font-size: small;"><b>Data
Required:</b> Remote
access to collect suspicious tickets, OR</span></span></p><p style="text-align: left;"><span style="font-family: verdana;"><span style="font-size: small;">
</span></span></p><p lang="en-US" style="margin: 0in; text-align: left;"><span style="font-family: verdana;"><span style="font-size: small;">A scheduled
task that writes possible bad tickets to the application event log for log/SIEM review</span></span></p><p style="text-align: left;"><span style="font-family: verdana;"><span style="font-size: small;">
</span></span></p><p lang="en-US" style="margin: 0in; text-align: left;"><span style="font-family: verdana;"><span style="font-size: small;"><b>Collection
Considerations:</b> Consider
running local scripts and collecting the application event log rather than a
scan, to reduce noise.</span></span></p><p style="text-align: left;"><span style="font-family: verdana;"><span style="font-size: small;">
</span></span></p><p lang="en-US" style="margin: 0in; text-align: left;"><span style="font-family: verdana;"><span style="font-size: small;"><b>Analysis
Techniques:</b> Comparative
time analysis of the domain policy against cached tickets</span></span></p>
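<p>Worked example (added here; not the post's own script): parse klist-style output and compare each cached ticket's lifetime (EndTime minus StartTime) with the policy maximum, which is the comparative time analysis described above. The klist text is constructed (the layout mirrors the Windows <code>klist</code> command, the values are invented), and the 10-hour defaults are the Active Directory default Kerberos policy (10 hours for a user ticket, 600 minutes for a service ticket); substitute your domain's own MaxTicketAge and MaxServiceAge.</p>

```python
"""Added example: flag cached Kerberos tickets whose lifetime exceeds the
domain policy maximum (the golden/silver ticket hunt described above)."""
import re
from datetime import datetime, timedelta

# Constructed klist-style output; ticket #2 has a ten-year lifetime, which no
# legitimate policy grants and which is the tell this hunt looks for.
SAMPLE_KLIST_OUTPUT = """\
Cached Tickets: (3)

#0>     Client: alice @ CORP.LOCAL
        Server: krbtgt/CORP.LOCAL @ CORP.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Start Time: 6/19/2022 2:00:00 (local)
        End Time:   6/19/2022 12:00:00 (local)
        Renew Time: 6/26/2022 2:00:00 (local)

#1>     Client: alice @ CORP.LOCAL
        Server: cifs/fs01.corp.local @ CORP.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Start Time: 6/19/2022 2:05:00 (local)
        End Time:   6/19/2022 12:05:00 (local)
        Renew Time: 6/26/2022 2:00:00 (local)

#2>     Client: administrator @ CORP.LOCAL
        Server: krbtgt/CORP.LOCAL @ CORP.LOCAL
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Start Time: 6/19/2022 2:30:00 (local)
        End Time:   6/16/2032 2:30:00 (local)
        Renew Time: 6/16/2032 2:30:00 (local)
"""

TIME_FMT = "%m/%d/%Y %H:%M:%S"

def _parse_time(value):
    """'6/19/2022 2:00:00 (local)' -> datetime; the zone note in parentheses is dropped."""
    return datetime.strptime(value.split("(")[0].strip(), TIME_FMT)

def parse_klist(text):
    """One dict per '#N>' block. A TGT is recognised by its krbtgt/ server name."""
    tickets = []
    for block in re.split(r"^#\d+>", text, flags=re.MULTILINE)[1:]:
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.strip().partition(":")   # split on the first colon only
            if sep:
                fields[key.strip()] = value.strip()
        server = fields.get("Server", "")
        tickets.append({
            "client": fields.get("Client", ""),
            "server": server,
            "etype": fields.get("KerbTicket Encryption Type", ""),
            "kind": "TGT" if server.lower().startswith("krbtgt/") else "TGS",
            "start": _parse_time(fields["Start Time"]),
            "end": _parse_time(fields["End Time"]),
        })
    return tickets

def find_suspicious(tickets, max_ticket_age_hours=10, max_service_age_hours=10):
    """Tickets whose lifetime exceeds the policy maximum for their kind.
    Golden tickets are forged TGTs, silver tickets forged service tickets;
    both are usually minted with lifetimes far beyond what the KDC would issue."""
    findings = []
    for t in tickets:
        limit_hours = max_ticket_age_hours if t["kind"] == "TGT" else max_service_age_hours
        lifetime = t["end"] - t["start"]
        if lifetime > timedelta(hours=limit_hours):
            findings.append({
                "client": t["client"], "server": t["server"], "kind": t["kind"],
                "etype": t["etype"],
                "lifetime_hours": lifetime.total_seconds() / 3600,
                "policy_max_hours": float(limit_hours),
            })
    return findings

if __name__ == "__main__":
    for f in find_suspicious(parse_klist(SAMPLE_KLIST_OUTPUT)):
        print(f"{f['kind']} for {f['client']} to {f['server']}: "
              f"{f['lifetime_hours']:.0f} h lifetime vs policy max {f['policy_max_hours']:.0f} h")
```

<p>Run the same parser over <code>klist</code> output collected by a scheduled task on each host and write the findings to the application event log, as the collection note above suggests; the encryption type is carried along because an RC4 TGT in an AES-only domain is a second clue worth reporting.</p>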
<p lang="en-US" style="margin: 0in 0in 0in 0.375in;"><span style="font-size: small;"><span style="font-family: verdana;"><span style="background-color: #ffa400;"><span style="font-weight: bold;"> </span></span></span></span></p>
<p lang="en-US" style="margin-bottom: 0in; margin-right: 0in; margin-top: 0in; text-align: left;"><span style="font-size: small;"><span style="font-family: verdana;">Identify suspicious TGT (Golden) and TGS (Silver) tickets<span> </span></span></span></p><p lang="en-US" style="margin: 0in 0in 0in 0.375in;"><span style="font-size: small;"><span style="font-family: verdana;"><span> </span></span></span></p><p lang="en-US" style="margin: 0in 0in 0in 0.375in;"><span style="font-size: small;"><span style="font-family: verdana;">
</span></span></p><ul style="text-align: left;"><li><span style="font-family: verdana;"><span style="font-size: small;">Event ID:
4624 (Account Logon)</span></span></li></ul><span style="font-family: verdana;"><span style="font-size: small;">
</span></span></div><div><ul style="text-align: left;"><li><span style="font-family: verdana;"><span style="font-size: small;">The
Account Domain field is DOMAIN FQDN when it should be DOMAIN.</span></span></li></ul>
</div><div><ul style="text-align: left;"><li><span style="font-family: verdana;"><span style="font-size: small;">Event ID:
4672 (Admin Logon)</span></span></li></ul>
</div><div><ul style="text-align: left;"><li><span style="font-family: verdana;"><span style="font-size: small;">Account
Domain is blank & should be DOMAIN.</span></span></li></ul>
</div><div><ul style="text-align: left;"><li><span style="font-family: verdana;"><span style="font-size: small;">Event ID:
4768 (Kerberos TGS Request)</span></span></li></ul>
</div><div><ul style="text-align: left;"><li><span style="font-family: verdana;"><span style="font-size: small;">The
Account Domain field is DOMAIN FQDN when it should be DOMAIN.</span></span></li><li lang="en-US" style="margin-bottom: 0px; margin-top: 0px; vertical-align: middle;"><span style="font-family: verdana;"><span style="font-size: small;"><span><span>The Account Domain field is
blank when it should be DOMAIN</span></span></span></span></li></ul><ul style="text-align: left;"><li><span style="font-family: verdana;"><span style="font-size: small;"><span><span> </span></span></span><span style="font-size: small;"><span><span>The Account Domain field is
DOMAIN FQDN when it should be DOMAIN.</span></span></span></span></li></ul><ul style="text-align: left;"><li><span style="font-family: verdana;"><span style="font-size: small;"><span><span> </span></span></span><span style="font-size: small;"><span><span>Account Name is a different
account from the Security ID.</span></span></span></span></li></ul>
<p lang="en-US" style="margin: 0in 0in 0in 0.375in;"><span style="font-size: small;"><span style="font-family: verdana;"> </span></span></p><p lang="en-US" style="margin: 0in 0in 0in 0.375in;"><span style="font-size: small;"><span style="font-family: verdana;"> </span></span></p>
<p lang="en-US" style="margin-bottom: 0in; margin-right: 0in; margin-top: 0in; text-align: left;"><span style="font-size: small;"><span style="font-family: verdana;"><span style="background-color: #e06666;"> <span style="font-weight: bold;">BloodHound </span></span></span></span></p>
<ul style="text-align: left;"><li><span style="font-size: small;"><span style="font-family: verdana;">BloodHound is an Active Directory (AD) reconnaissance tool.</span></span></li></ul>
</div><div><ul style="text-align: left;"><li><span style="font-size: small;"><span style="font-family: verdana;">BloodHound outputs results as JSON files</span></span></li></ul>
</div><div><ul style="text-align: left;"><li><span style="font-size: small;"><span style="font-family: verdana;">BloodHound can collect information about the following objects
(users, computers, groups, GPOs)</span></span></li></ul>
</div><div><ul style="text-align: left;"><li><span style="font-size: small;"><span style="font-family: verdana;">BloodHound can archive the collected data into a ZIP file</span></span></li></ul>
</div><div><ul style="text-align: left;"><li><span style="font-size: small;"><span style="font-family: verdana;">Hunt for Suspicious Process execution via Services.exe</span></span></li></ul>
</div><div><ul style="text-align: left;"><li><span style="font-size: small;"><span style="font-family: verdana;">Hunt for Suspicious Process Injection</span></span></li></ul>
</div>Faysal Hasanhttp://www.blogger.com/profile/11837891241239740342noreply@blogger.com0tag:blogger.com,1999:blog-8774245130267339525.post-71144936391660632362022-06-19T02:21:00.004+10:002022-06-19T02:56:21.621+10:00Hacking , ATT&CK phase , kill chain and incident response phases <p>There are several step sequences commonly used in the industry; the most common ones in the cyber field are listed below.<br /></p><h2 style="text-align: left;"><span style="background-color: #ffa400;"><b> HACKING Methodology (Steps) </b></span></h2><p>Footprinting (whois, nslookup) » </p><p>Scanning (Nmap, fping) » </p><p>Enumeration (DumpACL, showmount, legion, rpcinfo) » </p><p>Gaining Access (tcpdump) »</p><p>Escalating Privilege (John the Ripper, getadmin) »</p><p>Pilfering (rhosts, userdata, config files, registry) » </p><p>Covering Tracks (zap, rootkits) »</p><p>Creating Backdoors (cron, at, startup folder, keylogger, rdp) »</p><p>Denial of Service (synk4, ping of death). </p><p> </p><h3 style="text-align: left;"><b><span style="background-color: #ffa400;">MITRE ATT&CK:</span></b></h3><p>Reconnaissance » </p><p>Resource Development » </p><p>Initial Access »
Execution »</p><p>Persistence »</p><p>Privilege Escalation » </p><p>Defense Evasion » </p><p>Credential Access » </p><p>Discovery »</p><p>Lateral Movement »</p><p>Collection »</p><p>Command and Control »</p><p>Exfiltration »</p><p>Impact.</p><p> </p><h3 style="text-align: left;"><b><span style="background-color: #ffa400;">CYBER KILL CHAIN: </span></b></h3><p>Reconnaissance » <br /></p><p>Weaponization » <br /></p><p>Delivery » </p><p>Exploitation » <br /></p><p>Installation » <br /></p><p>Command and Control » <br /></p><p>Actions on Objectives.</p><p> </p><h3 style="text-align: left;"><span style="background-color: #ffa400;"><b>Incident Response: </b></span></h3><p>Identify »
Protect »
Detect »
Respond »
Recover. </p><h3 style="text-align: left;"><b><span style="background-color: #ffa400;">SANS Incident Response:</span></b></h3><p> Preparation »
Identification »
Containment »
Eradication »
Recovery »
Lessons Learned
</p>Faysal Hasanhttp://www.blogger.com/profile/11837891241239740342noreply@blogger.com0tag:blogger.com,1999:blog-8774245130267339525.post-12615424739477790622022-06-19T02:08:00.001+10:002022-06-19T02:57:19.876+10:00Web shells: Detecting and Hardening servers against webshell<div style="text-align: justify;"><span style="font-size: small;"><span style="font-family: verdana;"><br /></span></span></div><h2 style="text-align: left;"><span style="font-size: small;"><span style="font-family: verdana;"><span><span style="background-color: #ffa400;">Web shells and the challenges in detecting them </span></span></span></span></h2><span style="font-size: small;"><span style="font-family: verdana;"><br /></span></span><div class="separator" style="clear: both; text-align: center;"><span style="font-size: small;"><span style="font-family: verdana;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhkNHLKDvPW2oz42HUSuzEulFKhydQtW5tUGQIzI4A0l5Wfy4Zd2W-Y9Cgki47XFibYarRoixaEVGJhj-itHjFL_LYyNyJX0qIuTTFTLR-BGw1z6OcgZC_DNTHf2N7MreVH1qneB8dJ00CSBwVzIp5otgkp8wLQvkTTBXoxr2TcK_3asbPSfPUwGhf_2A/s605/webshell.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="340" data-original-width="605" height="225" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhkNHLKDvPW2oz42HUSuzEulFKhydQtW5tUGQIzI4A0l5Wfy4Zd2W-Y9Cgki47XFibYarRoixaEVGJhj-itHjFL_LYyNyJX0qIuTTFTLR-BGw1z6OcgZC_DNTHf2N7MreVH1qneB8dJ00CSBwVzIp5otgkp8wLQvkTTBXoxr2TcK_3asbPSfPUwGhf_2A/w400-h225/webshell.png" width="400" /></a></span></span></div><h2 style="text-align: left;"><span style="font-size: small;"><span style="font-family: verdana;"></span></span></h2><div style="text-align: justify;"><span style="font-size: small;"><span style="font-family: verdana;"><span>Web shells can be built using any of several languages that are popular
with web applications. Within each language, there are several means of
executing arbitrary commands and there are multiple means for arbitrary
attacker input. Attackers can also hide instructions in the user agent
string or any of the parameters that get passed during a web
server/client exchange.</span></span></span></div><div style="text-align: justify;"><span style="font-size: small;"><span style="font-family: verdana;"><span> </span></span></span></div><div style="text-align: left;"><div style="text-align: justify;"><span style="font-size: small;"><span style="font-family: verdana;"><span>When analyzing a script, it is important to use
contextual clues. For example, a scheduled task called “Update Google”
that downloads and runs code from a suspicious website should be
inspected more closely.</span></span></span></div>
<p style="text-align: justify;"><span style="font-size: small;"><span style="font-family: verdana;"><span>With web shells, analyzing context can be a challenge because the
context is not clear until the shell is used. In the following code, the
most useful clues are “system” and “cat /etc/passwd”, but they do not
appear until the attacker interacts with the web shell:</span></span></span></p><p class="x-hidden-focus" style="text-align: justify;"><span style="font-size: small;"><span style="font-family: verdana;"><span>Another challenge in detecting web shells is
uncovering intent. A harmless-seeming script can be malicious depending
on intent. But when attackers can upload arbitrary input files in the
web directory, then they can upload a full-featured web shell that
allows arbitrary code execution—which some very simple web shells do.</span></span></span></p>
<p style="text-align: justify;"><span style="font-size: small;"><span style="font-family: verdana;"><span>These file-upload web shells are simple, lightweight, and easily
overlooked because they cannot execute attacker commands on their own.
Instead, they can only upload files, such as full-featured web shells,
onto web servers. Because of their simplicity, they are difficult to
detect and can be dismissed as benign, and so they are often used by
attackers for persistence or for early stages of exploitation.</span></span></span></p>
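<p>The file-upload web shells described above, and the scripts hidden inside image files that the post goes on to discuss, both depend on the server accepting an uploaded file as-is. The following upload validation is an added example, not code from the original post: it rejects double extensions and path characters, requires the declared image type to match the file's magic bytes, refuses image data that carries server-side script markers, and stores accepted files under a random name. The allow-list, the marker list and the sample inputs are my own assumptions.</p>

```python
"""Upload validation that keeps file-upload web shells out of the webroot.

Added example (not code from the original post). The allow-list, the script
markers and the sample inputs below are my own assumptions, chosen to show the
checks a defender wants before an uploaded file is written to disk.
"""
import re
import secrets
from dataclasses import dataclass

# Allow-listed image extensions and the magic bytes each one must start with.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}

# Server-side script markers that have no business inside an image. A hit is
# a signal for review, not proof: binary data can contain "<%" by chance.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<%", b"<script", b"<jsp:")


@dataclass
class Verdict:
    accepted: bool
    reason: str
    stored_name: str = ""   # random server-side name, never the client's name


def check_upload(filename: str, data: bytes) -> Verdict:
    """Return a Verdict for one upload; only accepted files get a stored name."""
    parts = filename.lower().split(".")
    # "shell.php.png" carries two extensions; exactly one is allowed, and the
    # stem is restricted so path characters such as "../" never reach disk.
    if len(parts) != 2 or not re.fullmatch(r"[a-z0-9_-]+", parts[0]):
        return Verdict(False, "bad filename or double extension")
    ext = parts[1]
    if ext not in MAGIC:
        return Verdict(False, f"extension .{ext} not allowed")
    # The declared type must match the bytes: a script renamed to .png fails here.
    if not data.startswith(MAGIC[ext]):
        return Verdict(False, "content does not match declared type")
    # A real image header followed by a script body is the media-file trick.
    lowered = data.lower()
    if any(marker in lowered for marker in SCRIPT_MARKERS):
        return Verdict(False, "server-side script marker inside image data")
    # Random name: the uploader cannot predict the URL of the stored file.
    return Verdict(True, "ok", f"{secrets.token_hex(16)}.{ext}")


if __name__ == "__main__":
    # Constructed sample inputs, not real captures.
    samples = {
        "cat.png": MAGIC["png"] + b"\x00" * 32,
        "shell.php": b"<?php echo 1; ?>",
        "shell.php.png": MAGIC["png"],
        "renamed.png": b"<?php echo 1; ?>",
        "polyglot.png": MAGIC["png"] + b"\x00" * 8 + b"<?php echo 1; ?>",
    }
    for name, body in samples.items():
        v = check_upload(name, body)
        print(f"{name:16} accepted={v.accepted!s:5} {v.reason}")
```

<p>The stored name is deliberately decoupled from the client-supplied name, and the upload directory itself should still be configured without server-side execution (see the hardening list further down), since validation of this kind reduces but does not eliminate the risk of a polyglot file.</p>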
<p style="text-align: justify;"><span style="font-size: small;"><span style="font-family: verdana;"><span>Finally, attackers are known to hide web shells in non-executable
file formats, such as media files. Web servers configured to execute
server-side code create additional challenges for detecting web shells,
because on a web server, a media file is scanned for server-side
execution instructions. Attackers can hide web shell scripts within a
photo and upload it to a web server. When this file is loaded and
analyzed on a workstation, the photo is harmless. But when a web browser
asks a server for this file, malicious code executes server side.</span></span></span></p><div style="text-align: justify;"><span style="font-size: small;"><span style="font-family: verdana;"><span>
These challenges in detecting web shells
contribute to their increasing popularity as an attack tool. We
constantly monitor how these evasive threats are utilized in cyber attacks, and we continue to improve protections.</span></span></span></div><p>
</p><p lang="en-US" style="color: #7030a0; margin: 0in;"><span style="font-size: small;"><span style="font-family: verdana;"><span><span><span style="background-color: #ffa400;"><span style="font-weight: bold;"><br /></span></span></span></span></span></span></p><h3 lang="en-US" style="color: #7030a0; margin: 0in; text-align: left;"><span style="font-size: small;"><span style="font-family: verdana;"><span><span><span style="background-color: #ffa400;"><span style="font-weight: bold;">Web shell: Finding Web Shells</span></span></span></span></span></span></h3><span style="font-size: small;"><span style="font-family: verdana;"><span><span>
</span></span></span></span><p lang="en-US" style="margin: 0in;"><span style="font-size: small;"><span style="font-family: verdana;"><span><span>Purpose:
Identify web shells (stand-alone or injected)</span></span></span></span></p><span style="font-size: small;"><span style="font-family: verdana;"><span><span>
</span></span></span></span><p lang="en-US" style="margin: 0in;"><span style="font-size: small;"><span style="font-family: verdana;"><span><span>Data
Required: Web server logs (Apache, IIS, etc.)</span></span></span></span></p><span style="font-size: small;"><span style="font-family: verdana;"><span><span>
</span></span></span></span><p lang="en-US" style="margin: 0in;"><span style="font-size: small;"><span style="font-family: verdana;"><span><span>Collection
Considerations: Collect from all web servers, and ensure that request parameters are
collected.</span></span></span></span></p><span style="font-size: small;"><span style="font-family: verdana;"><span><span>
</span></span></span></span><p lang="en-US" style="margin: 0in;"><span style="font-size: small;"><span style="font-family: verdana;"><span><span>POST data
should be collected.</span></span></span></span></p><span style="font-size: small;"><span style="font-family: verdana;"><span><span>
</span></span></span></span><p lang="en-US" style="margin: 0in 0in 0in 0.375in;"><span style="font-size: small;"><span style="font-family: verdana;"><span><span>• For apache consider
using mod_security or mod_dumpio</span></span></span></span></p><span style="font-size: small;"><span style="font-family: verdana;"><span><span>
</span></span></span></span><p lang="en-US" style="margin: 0in 0in 0in 0.375in;"><span style="font-size: small;"><span style="font-family: verdana;"><span><span>• For IIS use Failed Request Tracing / Custom Logging</span></span></span></span></p><span style="font-size: small;"><span style="font-family: verdana;"><span><span>
</span></span></span></span><p lang="en-US" style="margin: 0in;"><span style="font-size: small;"><span style="font-family: verdana;"><span><span>Analysis
Techniques:</span></span></span></span></p><span style="font-size: small;"><span style="font-family: verdana;"><span><span>
</span></span></span></span><p lang="en-US" style="margin: 0in;"><span style="font-size: small;"><span style="font-family: verdana;"><span><span>Look for
parameters passed to image files (e.g., /bad.png?zz=ls)</span></span></span></span></p><p lang="en-US" style="margin: 0in;"><span style="font-size: small;"><span style="font-family: verdana;"><span><span> </span></span></span></span></p><p lang="en-US" style="margin: 0in;"><span style="font-size: small;"><span style="font-family: verdana;"><span><span>
</span></span></span></span></p><h3 style="margin: 0in; text-align: left;"><span style="font-size: small;"><span style="font-family: verdana;"><b><span style="background-color: #ffa400;">Web logs: things to notice</span></b></span></span></h3>
<p style="margin: 0in;"><span style="font-size: small;"><span style="font-family: verdana;"><span> </span>• User-Agent is rare</span></span></p>
<p style="margin: 0in;"><span style="font-size: small;"><span style="font-family: verdana;"><span> </span>• User-Agent is new</span></span></p>
<p style="margin: 0in;"><span style="font-size: small;"><span style="font-family: verdana;"><span> </span>• Domain is rare</span></span></p>
<p style="margin: 0in;"><span style="font-size: small;"><span style="font-family: verdana;"><span> </span>• Domain is new</span></span></p>
<p style="margin: 0in;"><span style="font-size: small;"><span style="font-family: verdana;"><span> </span>• High frequency of HTTP connections</span></span></p>
<p style="margin: 0in;"><span style="font-size: small;"><span style="font-family: verdana;"><span> </span>• URI is the same across many requests</span></span></p>
<p style="margin: 0in;"><span style="font-size: small;"><span style="font-family: verdana;"><span> </span>• URI varies but its length is constant</span></span></p>
<p style="margin: 0in;"><span style="font-size: small;"><span style="font-family: verdana;"><span> </span>• Domain varies but its length is constant</span></span></p>
<p style="margin: 0in;"><span style="font-size: small;"><span style="font-family: verdana;"><span> </span>• Missing referrer</span></span></p>
<p style="margin: 0in;"><span style="font-size: small;"><span style="font-family: verdana;"><span> </span>• Missing or identical referrer across multiple URIs on a single destination</span></span></p>
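<p>The analysis technique above (parameters passed to image files) and the web-log indicators just listed can be turned into a first-pass triage over Apache combined-format logs. The script below is an added example, not code from the original post: it parses the lines, then reports query strings sent to image files, rare User-Agents, POSTs with no referrer, one client hammering the same URI, and a client whose URIs vary while their length stays constant. The log lines, addresses and thresholds are constructed assumptions.</p>

```python
"""Web-log triage for web shell hunting.

Added example (not code from the original post). It parses Apache
combined-format lines and applies the checks listed above: query strings sent
to image files, rare User-Agents, POSTs with no referrer, one client hammering
the same URI, and URIs that vary while their length stays constant. The log
lines and thresholds are my own constructed assumptions.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
IMAGE_EXT = (".png", ".jpg", ".jpeg", ".gif", ".ico")


def parse(lines):
    """Turn combined-format lines into dicts; lines that do not parse are skipped."""
    recs = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            parts = urlsplit(rec["uri"])
            rec["path"], rec["query"] = parts.path, parts.query
            recs.append(rec)
    return recs


def triage(lines, rare_ua_max=1, burst_min=5):
    """Return (check, client_ip, detail) tuples worth an analyst's attention."""
    recs = parse(lines)
    findings = []
    ua_count = Counter(r["ua"] for r in recs)
    by_ip = defaultdict(list)
    for r in recs:
        by_ip[r["ip"]].append(r)
        # Parameters passed to an image file, e.g. /bad.png?zz=ls
        if r["path"].lower().endswith(IMAGE_EXT) and r["query"]:
            findings.append(("param-to-image", r["ip"], r["uri"]))
        # A User-Agent seen at most rare_ua_max times across the whole log
        if ua_count[r["ua"]] <= rare_ua_max:
            findings.append(("rare-user-agent", r["ip"], r["ua"]))
        # Browsers send a referrer on form posts; web shell clients usually do not
        if r["method"] == "POST" and r["referer"] in ("", "-"):
            findings.append(("post-no-referrer", r["ip"], r["path"]))
    for ip, rs in by_ip.items():
        paths = [r["path"] for r in rs]
        # High frequency of requests to the very same URI from one client
        if len(rs) >= burst_min and len(set(paths)) == 1:
            findings.append(("same-uri-burst", ip, paths[0]))
        # Many distinct URIs that all have exactly the same length
        uris = {r["uri"] for r in rs}
        if len(uris) >= burst_min and len({len(u) for u in uris}) == 1:
            findings.append(("constant-length-uris", ip, str(len(next(iter(uris))))))
    return findings


# Constructed sample log (documentation addresses), not a real capture.
NORMAL_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/101.0"
SAMPLE_LOG = [
    f'198.51.100.20 - - [19/Jun/2022:02:05:0{i} +1000] "GET {p} HTTP/1.1" 200 5120 '
    f'"https://www.example.com/" "{NORMAL_UA}"'
    for i, p in enumerate(["/index.html", "/css/site.css", "/images/logo.png", "/about.html"])
] + [
    '203.0.113.9 - - [19/Jun/2022:02:10:01 +1000] "GET /uploads/bad.png?zz=ls HTTP/1.1" 200 512 "-" "curl/7.88.1"'
] + [
    f'203.0.113.9 - - [19/Jun/2022:02:10:0{i} +1000] "POST /uploads/bad.png HTTP/1.1" 200 128 '
    f'"-" "python-requests/2.28.0"'
    for i in range(2, 7)
] + [
    f'192.0.2.77 - - [19/Jun/2022:02:12:0{i} +1000] "GET /s/{h} HTTP/1.1" 200 64 '
    f'"https://www.example.com/" "{NORMAL_UA}"'
    for i, h in enumerate(["a1b2c3d4", "e5f6a7b8", "c9d0e1f2", "a3b4c5d6", "e7f8a9b0"])
]

if __name__ == "__main__":
    for check, ip, detail in triage(SAMPLE_LOG):
        print(f"{check:22} {ip:15} {detail}")
```

<p>Each check is a heuristic: hashed asset names can trigger the constant-length rule and a monitoring probe can trigger the same-URI rule, so the output is a list of things to look at, ranked by how many checks a single client trips, not a verdict.</p>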
<p lang="en-US" style="margin: 0in;"><span style="font-size: small;"><span style="font-family: verdana;"><span><span> </span></span></span></span></p><span style="font-size: small;"><span style="font-family: verdana;"><span><span>
</span></span></span></span><p lang="en-US" style="margin: 0in;"><span style="font-size: small;"><span style="font-family: verdana;"><span><span> </span></span></span></span></p><span style="font-size: small;"><span style="font-family: verdana;"><span><span>
</span></span></span></span><h3 lang="en-US" style="margin: 0in; text-align: left;"><span style="font-size: small;"><span style="font-family: verdana;"><span><span><span style="background-color: #ffa400;"><span style="font-weight: bold;">Endpoint detection strategies:</span></span></span></span></span></span></h3><span style="font-size: small;"><span style="font-family: verdana;"><span><span>
</span></span></span></span><p lang="en-US" style="margin: 0in 0in 0in 0.375in;"><span style="font-size: small;"><span style="font-family: verdana;"><span><span>• Look for creation of processes whose parent is the webserver
(e.g., apache, w3wp.exe); these will come from functions like:</span></span></span></span></p><span style="font-size: small;"><span style="font-family: verdana;"><span><span>
</span></span></span></span><p lang="en-US" style="margin: 0in 0in 0in 0.75in;"><span style="font-size: small;"><span style="font-family: verdana;"><span><span>○
PHP functions like exec(), shell_exec(), etc.</span></span></span></span></p><span style="font-size: small;"><span style="font-family: verdana;"><span><span>
</span></span></span></span><p lang="en-US" style="margin: 0in 0in 0in 0.75in;"><span style="font-size: small;"><span style="font-family: verdana;"><span><span>○
ASP(.NET) functions like eval(), bind(), etc.</span></span></span></span></p><span style="font-size: small;"><span style="font-family: verdana;"><span><span>
</span></span></span></span><p lang="en-US" style="margin: 0in 0in 0in 0.375in;"><span style="font-size: small;"><span style="font-family: verdana;"><span><span>• Look for file additions or file changes in the webroot folder(s), monitoring them
recursively with something like inotify on Linux or FileSystemWatcher in .NET. This works
best if you have a change management process and schedule, so that 'known good' changes
are easy to differentiate from unexpected ones.</span></span></span></span></p><span style="font-size: small;"><span style="font-family: verdana;"><span><span>
</span></span></span></span><p lang="en-US" style="margin: 0in;"><span style="font-size: small;"><span style="font-family: verdana;"><span><span> </span></span></span></span></p><span style="font-size: small;"><span style="font-family: verdana;"><span><span>
</span></span></span></span><h3 lang="en-US" style="margin: 0in; text-align: left;"><span style="font-size: small;"><span style="font-family: verdana;"><b><span><span><span style="background-color: #ffa400;">Other Notable things:</span></span></span></b></span></span></h3><span style="font-size: small;"><span style="font-family: verdana;"><span><span>
</span></span></span></span><p lang="en-US" style="margin: 0in;"><span style="font-size: small;"><span style="font-family: verdana;"><span><span>An IIS
worker process (w3wp.exe) running commands
like ‘net’, ‘whoami’, ‘dir’, ‘cmd.exe’, or ‘query’, to
name a few, is typically a strong early indicator of web shell activity.</span></span></span></span></p><span style="font-size: small;"><span style="font-family: verdana;"><span><span>
</span></span></span></span><p lang="en-US" style="margin: 0in;"><span style="font-size: small;"><span style="font-family: verdana;"><span><span> </span></span></span></span></p><span style="font-size: small;"><span style="font-family: verdana;"><span><span>
</span></span></span></span><p lang="en-US" style="margin: 0in;"><span style="font-size: small;"><span style="font-family: verdana;"><span><span>Look for
suspicious processes that the IIS worker process (w3wp.exe), Apache HTTP server
processes (httpd.exe, visualsvnserver.exe), etc. do not typically start
(e.g., cmd.exe and powershell.exe).</span></span></span></span></p><span style="font-size: small;"><span style="font-family: verdana;"><span><span>
</span></span></span></span><p lang="en-US" style="margin: 0in;"><span style="font-size: small;"><span style="font-family: verdana;"><span><span> </span></span></span></span></p><span style="font-size: small;"><span style="font-family: verdana;"><span><span>
</span></span></span></span><p lang="en-US" style="margin: 0in;"><span style="font-size: small;"><span style="font-family: verdana;"><span><span>Look for
suspicious web shell execution; this can identify processes that are associated
with remote execution and reconnaissance activity (for example: <span style="color: #e84c22;">“arp”, “certutil”, “cmd”, “echo”, “ipconfig”, “gpresult”,
“hostname”, “net”, “netstat”, “nltest”, “nslookup”, “ping”, “powershell”,
“psexec”, “qwinsta”, “route”, “systeminfo”, “tasklist”, “wget”, “whoami”,
“wmic”, etc.</span>)</span></span></span></span></p><span style="font-size: small;"><span style="font-family: verdana;"><span><span>
</span></span></span></span><p lang="en-US" style="margin: 0in;"><span style="font-size: small;"><span style="font-family: verdana;"><span><span> </span></span></span></span></p><span style="font-size: small;"><span style="font-family: verdana;"><span><span>
</span></span></span></span><p lang="en-US" style="margin: 0in;"><span style="font-size: small;"><span style="font-family: verdana;"><span><span>lolbas:</span></span></span></span></p><span style="font-size: small;"><span style="font-family: verdana;"><span><span>
</span></span></span></span><p lang="en-US" style="margin: 0in;"><span style="font-size: small;"><span style="font-family: verdana;"><span><span><span> </span>- rundll32.exe</span></span></span></span></p><span style="font-size: small;"><span style="font-family: verdana;"><span><span>
</span></span></span></span><p lang="en-US" style="margin: 0in;"><span style="font-size: small;"><span style="font-family: verdana;"><span><span><span> </span>- dllhost.exe</span></span></span></span></p><span style="font-size: small;"><span style="font-family: verdana;"><span><span>
</span></span></span></span><p lang="en-US" style="margin: 0in;"><span style="font-size: small;"><span style="font-family: verdana;"><span><span><span> </span>tools:</span></span></span></span></p><span style="font-size: small;"><span style="font-family: verdana;"><span><span>
</span></span></span></span><p lang="en-US" style="margin: 0in;"><span style="font-size: small;"><span style="font-family: verdana;"><span><span><span> </span>- net.exe</span></span></span></span></p><span style="font-size: small;"><span style="font-family: verdana;"><span><span>
</span></span></span></span><p lang="en-US" style="margin: 0in;"><span style="font-size: small;"><span style="font-family: verdana;"><span><span><span> </span>- powershell.exe</span></span></span></span></p><span style="font-size: small;"><span style="font-family: verdana;"><span><span>
</span></span></span></span><p lang="en-US" style="margin: 0in;"><span style="font-size: small;"><span style="font-family: verdana;"><span><span><span> </span>- ipconfig.exe</span></span></span></span></p><span style="font-size: small;"><span style="font-family: verdana;"><span><span>
</span></span></span></span><p lang="en-US" style="margin: 0in;"><span style="font-size: small;"><span style="font-family: verdana;"><span><span><span> </span>- CobaltStrike</span></span></span></span></p><span style="font-size: small;"><span style="font-family: verdana;"><span><span>
</span></span></span></span><p lang="en-US" style="margin: 0in;"><span style="font-size: small;"><span style="font-family: verdana;"><span><span><span> </span>- BloodHound</span></span></span></span></p><span style="font-size: small;"><span style="font-family: verdana;"><span><span>
</span></span></span></span><p lang="en-US" style="margin: 0in;"><span style="font-size: small;"><span style="font-family: verdana;"><span><span><span> </span>- nslookup.exe</span></span></span></span></p><span style="font-size: small;"><span style="font-family: verdana;"><span><span>
</span></span></span></span><p lang="en-US" style="margin: 0in;"><span style="font-size: small;"><span style="font-family: verdana;"><span><span> </span></span></span></span></p><span style="font-size: small;"><span style="font-family: verdana;"><span><span>
</span></span></span></span><p lang="en-US" style="margin: 0in;"><span style="font-size: small;"><span style="font-family: verdana;"><span><span>execution:</span></span></span></span></p><span style="font-size: small;"><span style="font-family: verdana;"><span><span>
</span></span></span></span><p lang="en-US" style="margin: 0in;"><span style="font-size: small;"><span style="font-family: verdana;"><span><span><span> </span>- "T1055.012 - Process Injection:
Process Hollowing"</span></span></span></span></p><span style="font-size: small;"><span style="font-family: verdana;"><span><span>
</span></span></span></span><p lang="en-US" style="margin: 0in;"><span style="font-size: small;"><span style="font-family: verdana;"><span><span><span> </span>- behavior: RUNDLL32 created ~20 instances
of DLLHOST without command-line arguments.</span></span></span></span></p><span style="font-size: small;"><span style="font-family: verdana;"><span><span>
</span></span></span></span><p lang="en-US" style="margin: 0in;"><span style="font-size: small;"><span style="font-family: verdana;"><span><span><span> </span>id: 1669ecb0-3a8a-4858-9efd-23e5c01ad643</span></span></span></span></p><span style="font-size: small;"><span style="font-family: verdana;"><span><span>
</span></span></span></span><p lang="en-US" style="margin: 0in;"><span style="font-size: small;"><span style="font-family: verdana;"><span><span><span> </span>type: Process Created</span></span></span></span></p><span style="font-size: small;"><span style="font-family: verdana;"><span><span>
</span></span></span></span><p lang="en-US" style="margin: 0in;"><span style="font-size: small;"><span style="font-family: verdana;"><span><span><span> </span>cmdLine:</span></span></span></span></p><span style="font-size: small;"><span style="font-family: verdana;"><span><span>
</span></span></span></span><p lang="en-US" style="margin: 0in;"><span style="font-size: small;"><span style="font-family: verdana;"><span><span><span> </span>- C:\\Windows\\System32\\dllhost.exe</span></span></span></span></p><span style="font-size: small;"><span style="font-family: verdana;"><span><span>
</span></span></span></span><p lang="en-US" style="margin: 0in;"><span style="font-size: small;"><span style="font-family: verdana;"><span><span><span> </span>process:
C:\\Windows\\System32\\dllhost.exe</span></span></span></span></p><span style="font-size: small;"><span style="font-family: verdana;"><span><span>
</span></span></span></span><p lang="en-US" style="margin: 0in;"><span style="font-size: small;"><span style="font-family: verdana;"><span><span><span> </span>parentProcess:
C:\\Windows\\System32\\rundll32.exe</span></span></span></span></p><span style="font-size: small;"><span style="font-family: verdana;"><span><span>
</span></span></span></span><p lang="en-US" style="margin: 0in;"><span style="font-size: small;"><span style="font-family: verdana;"><span><span> </span></span></span></span></p><span style="font-size: small;"><span style="font-family: verdana;"><span><span>
</span></span></span></span><p lang="en-US" style="margin: 0in;"><span style="font-size: small;"><span style="font-family: verdana;"><span><span>Attackers
need to execute tools. Look at Windows Event IDs 4688/592. Stack the results and look for
outliers. Group by execution time and user.</span></span></span></span></p>
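<p>The endpoint strategies in this section (a web server worker spawning shell or reconnaissance tools, rundll32.exe fanning out many argument-less dllhost.exe instances, and stacking process-creation events by user and image to find outliers) come down to a few passes over process-creation records. The script below is an added example, not code from the original post: the events are constructed, shaped loosely like the fields of Windows Event ID 4688, the tool list is the one given above, and the dllhost threshold is my own assumption.</p>

```python
"""Stacking process-creation events for web shell hunting.

Added example (not code from the original post). The events are constructed
records shaped loosely like Windows Event ID 4688 fields; the tool list is the
one from the text, the dllhost threshold is my own assumption.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    time: str      # HH:MM:SS
    user: str      # account the new process runs as
    image: str     # full path of the new process
    cmdline: str   # command line as logged
    parent: str    # full path of the creator process


WEB_WORKERS = {"w3wp", "httpd", "visualsvnserver"}
RECON_TOOLS = {
    "arp", "certutil", "cmd", "echo", "ipconfig", "gpresult", "hostname",
    "net", "netstat", "nltest", "nslookup", "ping", "powershell", "psexec",
    "qwinsta", "route", "systeminfo", "tasklist", "wget", "whoami", "wmic",
}


def stem(path: str) -> str:
    """'C:\\Windows\\System32\\cmd.exe' -> 'cmd'"""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def web_worker_children(events):
    """Recon or shell tools whose parent is the web server worker itself."""
    return [e for e in events
            if stem(e.parent) in WEB_WORKERS and stem(e.image) in RECON_TOOLS]


def rundll32_dllhost_fanout(events, threshold=10):
    """Count dllhost.exe children of rundll32.exe started with no arguments;
    return the count if it reaches the threshold, else 0."""
    n = 0
    for e in events:
        if stem(e.parent) == "rundll32" and stem(e.image) == "dllhost":
            args = e.cmdline.strip().strip('"')
            if args == "" or args.lower() == e.image.lower():
                n += 1
    return n if n >= threshold else 0


def stack(events):
    """Frequency of (user, image) pairs, most common first; the rare tail is
    where 4688 stacking usually pays off."""
    return Counter((e.user, stem(e.image)) for e in events).most_common()


SYSTEM = "NT AUTHORITY\\SYSTEM"
POOL = "IIS APPPOOL\\DefaultAppPool"
S32 = "C:\\Windows\\System32\\"
DLLHOST, RUNDLL32 = S32 + "dllhost.exe", S32 + "rundll32.exe"

# Constructed sample events, not a real log (the GUID is a placeholder).
SAMPLE = [
    ProcEvent("09:00:01", SYSTEM, S32 + "svchost.exe", "svchost.exe -k iissvcs", S32 + "services.exe"),
    ProcEvent("09:00:05", POOL, S32 + "inetsrv\\w3wp.exe", "w3wp.exe -ap DefaultAppPool", S32 + "svchost.exe"),
    ProcEvent("09:15:10", POOL, S32 + "cmd.exe", "cmd.exe /c whoami", S32 + "inetsrv\\w3wp.exe"),
    ProcEvent("09:15:11", POOL, S32 + "whoami.exe", "whoami", S32 + "cmd.exe"),
    ProcEvent("09:15:20", POOL, S32 + "net.exe", "net user", S32 + "inetsrv\\w3wp.exe"),
    ProcEvent("09:21:00", SYSTEM, DLLHOST, DLLHOST + " /Processid:{PLACEHOLDER-GUID}", S32 + "svchost.exe"),
] + [ProcEvent(f"09:20:{i:02d}", SYSTEM, DLLHOST, DLLHOST, RUNDLL32) for i in range(12)]

if __name__ == "__main__":
    for e in web_worker_children(SAMPLE):
        print("web worker child:", e.time, e.user, e.cmdline)
    print("argument-less dllhost under rundll32:", rundll32_dllhost_fanout(SAMPLE))
    for (user, image), count in stack(SAMPLE):
        print(f"{count:4} {user:28} {image}")
```

<p>Note that the whoami.exe event is not caught by the first check because its parent is cmd.exe, not w3wp.exe; that is why the stacking pass matters, since it surfaces the one-off (user, image) pairs regardless of depth in the process tree.</p>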
<p lang="en-US" style="margin: 0in;"><span style="font-size: small;"><span style="font-family: verdana;"> </span></span></p>
<h2 style="text-align: left;"><span style="font-size: small;"><span style="font-family: verdana;"><span><span style="background-color: #ffa400;">Hardening servers against web shells</span></span></span></span></h2></div><span style="font-size: small;"><span style="font-family: verdana;"><span>
</span></span></span><p style="text-align: justify;"><span style="font-size: small;"><span style="font-family: verdana;"><span>A single web shell allowing attackers to remotely run commands on a
server can have far-reaching consequences. With script-based malware,
however, everything eventually funnels to a few natural chokepoints,
such as <i>cmd.exe</i>, <i>powershell.exe</i>, and <i>cscript.exe</i>. As with most attack vectors, prevention is critical.</span></span></span></p><div style="text-align: justify;"><span style="font-size: small;"><span style="font-family: verdana;"><span>
</span></span></span></div><p style="text-align: justify;"><span style="font-size: small;"><span style="font-family: verdana;"><span>Organizations can harden systems against web shell attacks by taking these preventive steps:</span></span></span></p><div style="text-align: justify;"><span style="font-size: small;"><span style="font-family: verdana;"><span>
</span></span></span></div><ul style="text-align: justify;"><li><span style="font-size: small;"><span style="font-family: verdana;"><span>Identify and remediate vulnerabilities or misconfigurations in web
applications and web servers. Use Threat and Vulnerability Management to
discover and fix these weaknesses. Deploy the latest security updates
as soon as they become available.</span></span></span></li></ul><span style="font-size: small;"><span style="font-family: verdana;"><span> </span></span></span><ul style="text-align: justify;"><li><span style="font-size: small;"><span style="font-family: verdana;"><span>Implement proper segmentation of your perimeter network, such that a
compromised web server does not lead to the compromise of the
enterprise network.</span></span></span></li></ul><span style="font-size: small;"><span style="font-family: verdana;"><span> </span></span></span><ul style="text-align: justify;"><li><span style="font-size: small;"><span style="font-family: verdana;"><span>Enable antivirus protection on web servers. <a href="https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus">Turn on cloud-delivered protection</a> to
get the latest defenses against new and emerging threats. Users should
only be able to upload files in directories that can be scanned by
antivirus and configured to not allow server-side scripting or
execution.</span></span></span></li></ul><span style="font-size: small;"><span style="font-family: verdana;"><span> </span></span></span><ul style="text-align: justify;"><li><span style="font-size: small;"><span style="font-family: verdana;"><span>Audit and review logs from web servers frequently. Be aware of all systems you expose directly to the internet.</span></span></span></li></ul><span style="font-size: small;"><span style="font-family: verdana;"><span> </span></span></span><ul style="text-align: justify;"><li><span style="font-size: small;"><span style="font-family: verdana;"><span>Utilize the Windows Defender Firewall, intrusion prevention devices,
and your network firewall to prevent command-and-control server
communication among endpoints whenever possible, limiting lateral
movement, as well as other attack activities.</span></span></span></li></ul><span style="font-size: small;"><span style="font-family: verdana;"><span> </span></span></span><ul style="text-align: justify;"><li><span style="font-size: small;"><span style="font-family: verdana;"><span>Check your perimeter firewall and proxy to restrict unnecessary
access to services, including access to services through non-standard
ports.</span></span></span></li></ul><span style="font-size: small;"><span style="font-family: verdana;"><span> </span></span></span><ul style="text-align: justify;"><li><span style="font-size: small;"><span style="font-family: verdana;"><span>Practice good credential hygiene. Limit the use of accounts with local or domain admin level privileges.</span></span></span></li></ul><span style="font-size: small;"><span style="font-family: verdana;"><br /></span></span>Faysal Hasanhttp://www.blogger.com/profile/11837891241239740342noreply@blogger.com0tag:blogger.com,1999:blog-8774245130267339525.post-41604448724036523012022-06-19T01:51:00.004+10:002022-06-19T02:58:39.626+10:00Social Engineering Red flags and Email investigation<p>
</p><h2 style="font-family: Calibri; font-size: 11pt; margin: 0in; text-align: left;"><span style="font-weight: bold;"><span style="background-color: #ffa400;">Social Engineering </span>-</span></h2><p style="font-family: Calibri; font-size: 11pt; margin: 0in;"><span style="font-weight: bold;"> </span>A single individual or
a group of people attempting to gain access to your systems by using the
following methods.</p>
<p style="font-family: Calibri; font-size: 11pt; margin-left: .375in; margin: 0in;"> </p>
<p style="font-family: Calibri; font-size: 11pt; margin: 0in;">It relies on
interaction with humans, who are tricked into handing over credentials. Humans are the
weakest link, so attackers use deceptive techniques to break in.</p><p style="font-family: Calibri; font-size: 11pt; margin: 0in;"> </p><p style="font-family: Calibri; font-size: 11pt; margin: 0in;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdaNYIpY1px8YMkjvPaO3nR9gIh_mLg5xfgfgU2yonAdMJYTdEPc62T4zy9L5xH5kNTfSVnJWoq1Hl4Svs79a_yVOt931Y9BIQ-lV1S0poNAvKWB4xR_P7mpwO6DoBYq3-XYiVmZpwfksfRxJibp2jmPWnVocstxZHzs0qVZGp4XvZIVprKqKaur1ccg/s1747/Watchout%20for%20scams.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1747" data-original-width="912" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdaNYIpY1px8YMkjvPaO3nR9gIh_mLg5xfgfgU2yonAdMJYTdEPc62T4zy9L5xH5kNTfSVnJWoq1Hl4Svs79a_yVOt931Y9BIQ-lV1S0poNAvKWB4xR_P7mpwO6DoBYq3-XYiVmZpwfksfRxJibp2jmPWnVocstxZHzs0qVZGp4XvZIVprKqKaur1ccg/w381-h640/Watchout%20for%20scams.jpg" width="381" /></a> <br /></p><p style="font-family: Calibri; font-size: 11pt; margin: 0in;"> </p><h3 style="font-family: Calibri; font-size: 11pt; margin: 0in; text-align: left;"><b><span style="background-color: #ffa400;"> Types of social engineering attacks:</span></b><br /></h3>
<ul style="text-align: left;"><li><span style="font-weight: bold;">Phishing</span> - a malicious email that sends a link</li></ul>
<div><ul style="text-align: left;"><li><span style="font-weight: bold;">Spear-phishing</span> - targets specific individuals or
groups</li></ul>
</div><div><ul style="text-align: left;"><li><span style="font-weight: bold;">Email spoofing</span> - masquerading as someone else, so the message
appears to come from someone you think you know.</li></ul>
</div><div style="text-align: left;"><ul style="text-align: left;"><li><span style="font-weight: bold;">Baiting</span> - enticing the victim to do something, e.g. by leaving
a USB drive lying around.</li></ul>
<ul style="text-align: left;"><li><span style="font-weight: bold;">Tailgating</span> - gaining access by following an
employee through a door/gate.</li></ul>
<h3 style="font-family: Calibri; font-size: 11pt; margin-bottom: 0in; margin-right: 0in; margin-top: 0in; text-align: left;"><b><span style="background-color: #ffa400;">Indicators or red flags to look for in an investigation:</span></b></h3><p style="font-family: Calibri; font-size: 11pt; margin-left: .375in; margin: 0in;"> <br /></p><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZBpxjxeETgvD_wnSjcINBcjna31SkvHxTZRl4ejYQiAjFblq2FsMDntJqn5H1a20xz4qLI2igz5tmpv2o_q82M04zLgQRzGTqeRe_4_TdvD9nWda6YETAxUmfgISQLk7xwL4gDKDCnaFlMuUB5-fNxuhwQUBk9NWOLc-PZ4IBx9lJY9S3eMMUL6vGhA/s1280/Social%20Engineerng%20Red%20Flags.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="989" data-original-width="1280" height="309" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZBpxjxeETgvD_wnSjcINBcjna31SkvHxTZRl4ejYQiAjFblq2FsMDntJqn5H1a20xz4qLI2igz5tmpv2o_q82M04zLgQRzGTqeRe_4_TdvD9nWda6YETAxUmfgISQLk7xwL4gDKDCnaFlMuUB5-fNxuhwQUBk9NWOLc-PZ4IBx9lJY9S3eMMUL6vGhA/w400-h309/Social%20Engineerng%20Red%20Flags.jpg" width="400" /></a><br /> <br />
<h3 style="font-family: Calibri; font-size: 11pt; margin: 0in;"><b><span style="background-color: #ffa400;">Email spear phishing</span></b><span style="font-weight: bold;">:</span> In this
email fraud the perpetrator asks for confidential and sensitive
information. This type of attack resembles email spoofing fraud, but
here in almost all cases the sender appears to be someone trustworthy with an
authoritative position in the organization.</h3>
<p style="color: #e84c22; font-family: Calibri; font-size: 11pt; margin: 0in;"> </p>
<h3 style="font-family: Calibri; font-size: 11pt; margin: 0in; text-align: left;"><span style="background-color: #ffa400;"><b>Business email compromise</b></span> is when
criminals use email to abuse trust in business processes to scam organizations
out of money or goods.</h3><p style="font-family: Calibri; font-size: 11pt; margin: 0in;"> </p>
<h3 style="font-family: Calibri; font-size: 11pt; margin-bottom: 8pt; margin-top: 0pt; text-align: left;"><b><span style="background-color: #ffa400;">The email forensic investigator </span></b>can use several
header fields to trace an email. They can be broadly categorized into the
following areas of interest the investigator should look into:</h3>
<p style="font-family: Calibri; font-size: 11pt; margin-bottom: 8pt; margin-top: 0pt;">Sender's
SMTP Server (OUTGOING Mail Server) >></p><p style="font-family: Calibri; font-size: 11pt; margin-bottom: 8pt; margin-top: 0pt;"> Encrypted mail header >> </p><p style="font-family: Calibri; font-size: 11pt; margin-bottom: 8pt; margin-top: 0pt;">Typical To, From, Subject, and Date Lines >> </p><p style="font-family: Calibri; font-size: 11pt; margin-bottom: 8pt; margin-top: 0pt;">Mail transfer email client
information >></p><p style="font-family: Calibri; font-size: 11pt; margin-bottom: 8pt; margin-top: 0pt;">Various X-header information added by different SMTP
servers and email clients during the whole email sending process.</p>
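<p>The header areas listed above can be walked programmatically with Python's standard email parser. The script below is an added example, not code from the original post: it reads a constructed message (documentation domains and reserved addresses only), rebuilds the Received chain in transit order so the sender's outgoing SMTP server and originating IP stand out, collects the X- headers added along the way, and compares the From, Reply-To and Message-ID domains. The red-flag rules are my own assumptions about what an investigator compares first.</p>

```python
"""Email header triage for a phishing investigation.

Added example (not code from the original post). The raw message is
constructed with documentation domains and addresses; the red-flag rules are
my own assumptions about what an investigator compares across the header
areas listed above.
"""
import email
import re
from email.utils import parseaddr

# Constructed sample message; Received headers are newest hop first, as in a real message.
RAW = b"""Received: from mx.example.com (mx.example.com [198.51.100.5])
\tby mail.example.com with ESMTPS id abc123; Sun, 19 Jun 2022 01:50:02 +1000
Received: from relay.example.net (relay.example.net [203.0.113.8])
\tby mx.example.com with ESMTP; Sun, 19 Jun 2022 01:50:00 +1000
Received: from [192.0.2.44] (unknown [192.0.2.44])
\tby relay.example.net with ESMTPA; Sun, 19 Jun 2022 01:49:58 +1000
From: "CEO, Example Corp" <ceo@example.com>
Reply-To: payments@example-corp-invoices.net
To: accounts@example.com
Subject: Urgent wire transfer
Date: Sun, 19 Jun 2022 01:49:57 +1000
Message-ID: <20220619014957.1234@example-corp-invoices.net>
X-Mailer: BulkSender 1.0
X-Originating-IP: [192.0.2.44]

Please process the attached invoice today.
"""


def unfold(value: str) -> str:
    """Join folded header continuation lines into one line."""
    return re.sub(r"\r?\n[ \t]+", " ", value).strip()


def load(raw: bytes = RAW):
    return email.message_from_bytes(raw)


def received_chain(msg):
    """Hops in transit order, origin first: each server prepends its own
    Received header, so the last header in the message is the first hop."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        v = unfold(value)
        frm = re.search(r"\bfrom\s+(\S+)", v)
        by = re.search(r"\bby\s+(\S+)", v)
        ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", v)
        hops.append({
            "from": frm.group(1) if frm else "",
            "by": by.group(1) if by else "",     # first hop's "by" is the sender's outgoing server
            "ip": ip.group(1) if ip else "",
        })
    return hops


def domain_of(addr: str) -> str:
    """Domain part of an address, tolerant of display names and angle brackets."""
    return parseaddr(addr)[1].rpartition("@")[2].lower().strip("<>")


def x_headers(msg):
    """Every X- header, which mail clients and servers add along the way."""
    return {k: unfold(v) for k, v in msg.items() if k.lower().startswith("x-")}


def red_flags(msg):
    """Cross-field inconsistencies worth a closer look; signals, not proof."""
    flags = []
    from_dom = domain_of(msg.get("From", ""))
    # Replies would go somewhere other than the apparent sender's domain
    if msg.get("Reply-To") and domain_of(msg["Reply-To"]) != from_dom:
        flags.append("reply-to-domain-mismatch")
    # Message-ID is normally minted by the sender's own mail system
    mid = msg.get("Message-ID", "").strip().strip("<>")
    if mid and mid.rpartition("@")[2].lower() != from_dom:
        flags.append("message-id-domain-mismatch")
    # Mail that claims a corporate sender but was injected from an unrelated host
    hops = received_chain(msg)
    if hops and not hops[0]["from"].endswith(from_dom):
        flags.append("first-hop-not-from-sender-domain")
    return flags


if __name__ == "__main__":
    msg = load()
    for i, hop in enumerate(received_chain(msg), 1):
        print(f"hop {i}: {hop['from']} ({hop['ip'] or '?'}) -> {hop['by']}")
    print("X- headers:", x_headers(msg))
    print("red flags:", red_flags(msg))
```

<p>The Received chain is only as trustworthy as the servers that wrote it: an attacker controls every header below the first hop that one of your own servers added, so the reliable part of the trace starts at the first "by" host you operate and works backwards from there.</p>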
</div><div> <br />
</div>Faysal Hasanhttp://www.blogger.com/profile/11837891241239740342noreply@blogger.com0tag:blogger.com,1999:blog-8774245130267339525.post-62416321871734978832022-06-18T22:36:00.008+10:002022-06-18T22:38:41.380+10:00CI/CD Pipelines and Automation<p><span style="font-family: verdana;">Modern web applications are built using modern continuous integration and deployment processes. </span></p><p><span style="font-family: verdana;"><br />This means that you run tests specific to whatever environment you are pushing to whether that's DEV, STAGING or PROD.</span></p><p><span style="font-family: verdana;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhW6REnt2canIeLPejQXsz6ewzvB4j7H0OwxkOKG_WuoKI6hSg7kmi2yNYPWGTHOhf-0bKbfFMng6HCnXWhKBQniXneHtdfK3-AMoh7Hj6OhmARXuGX_t6Y938pXpELLs0Chukkcw4zqH5jbRpJNB3U7k8Lz_0oOjuhi09Vj7cqvD_s7y6PnpRpnJwjgw/s2000/CICD.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="799" data-original-width="2000" height="256" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhW6REnt2canIeLPejQXsz6ewzvB4j7H0OwxkOKG_WuoKI6hSg7kmi2yNYPWGTHOhf-0bKbfFMng6HCnXWhKBQniXneHtdfK3-AMoh7Hj6OhmARXuGX_t6Y938pXpELLs0Chukkcw4zqH5jbRpJNB3U7k8Lz_0oOjuhi09Vj7cqvD_s7y6PnpRpnJwjgw/w640-h256/CICD.png" width="640" /></a><br /><br /><span style="background-color: #cc0000;"><b>Control Name Priority </b> </span><br />3.1 CI/CD Pipeline 1 <span style="background-color: #ffa400;"><b><br /></b></span></span></p><p><span style="font-family: verdana;"><span style="background-color: #ffa400;"><b>Description</b></span>: Implement a CI/CD pipeline </span></p><p><span style="font-family: verdana;"><span style="background-color: #ffa400;"><b> Difficulty: </b></span> Medium </span></p><p><span style="font-family: verdana;"><br /><span style="background-color: #3d85c6;"><b>Control Name Priority </b></span><br />3.2 Application Environments 2 </span></p><p><span style="font-family: verdana;"><span style="background-color: 
#ffa400;"><b>Description</b></span>: Create separate environments for dev, staging and prod, and treat each as independent with its own data, testing and requirements </span></p><p><span style="font-family: verdana;"><span style="background-color: #ffa400;"><b>Difficulty: </b></span> Medium </span></p><p><span style="font-family: verdana;"><span style="background-color: #6aa84f;"><b>Control Name Priority </b> </span><br />3.3 Application Data Separation 3 </span></p><p><span style="font-family: verdana;"><span style="background-color: #ffa400;"><b>Description: </b></span>Make sure that dev and test environments are not using the same data as production. If the use of live data is required, then make sure that data is anonymized. </span></p><p><span style="font-family: verdana;"><span style="background-color: #ffa400;"><b>Difficulty: </b></span> Difficult </span></p><p><span style="font-family: verdana;"><span style="background-color: #6aa84f;"><b>Control Name Priority </b></span> <br />3.4 CI/CD Administration 3 </span></p><p><span style="font-family: verdana;"><span style="background-color: #ffa400;"><b>Description:</b></span> Create and enforce user or team roles so that only the appropriate people can change or disable tests and deployment requirements</span></p><p><span style="font-family: verdana;"><span style="background-color: #ffa400;"><b>Difficulty: </b></span>Medium </span></p><p><span style="font-family: verdana;"><span style="background-color: #ffa400;"><b><span style="background-color: #cc0000;">Control Name Priority </span></b></span><span style="background-color: #cc0000;"> </span> <br />3.5 Credential Store 1 </span></p><p><span style="font-family: verdana;"><span style="background-color: #ffa400;"><b>Description: </b></span>Create a secure encrypted place to store sensitive credentials like passwords, API keys, etc. 
</span></p><p><span style="font-family: verdana;"> <span style="background-color: #ffa400;"><b>Difficulty:</b></span> Medium </span></p><p><span style="font-family: verdana;"><span style="background-color: #cc0000;"><b>Control Name Priority </b></span> <br />3.6 Centralized Software Composition Analysis 1 </span></p><p><span style="font-family: verdana;"><span style="background-color: #ffa400;"><b>Description:</b></span> Scan source code for vulnerable libraries and open source software from within a CD stage </span></p><p><span style="font-family: verdana;"><span style="background-color: #ffa400;"><b>Difficulty:</b></span> Easy </span></p><p><span style="font-family: verdana;"><span style="background-color: #3d85c6;"><b>Control Name Priority </b> </span> <br />3.7 Centralized Static Code Analysis 2 </span></p><p><span style="font-family: verdana;"><span style="background-color: #ffa400;"><b>Description:</b></span> Scan source code for vulnerabilities in the source code itself from within a CD stage </span></p><p><span style="font-family: verdana;"><span style="background-color: #ffa400;"><b>Difficulty:</b></span> Easy </span></p><p><span style="font-family: verdana;"><span style="background-color: #3d85c6;"><b>Control Name Priority </b> </span> <br />3.8 Centralized Sensitive Data Analysis 2 </span></p><p><span style="font-family: verdana;"><span style="background-color: #ffa400;"><b>Description:</b></span> Scan source code for secrets, credentials, API keys and similar from within a CD stage </span></p><p><span style="font-family: verdana;"><span style="background-color: #ffa400;"><b>Difficulty:</b></span> Easy </span></p><p><span style="font-family: verdana;"><span style="background-color: #6aa84f;"><b>Control Name Priority </b></span><br />3.9 Dynamic Application Security Testing (DAST) 3 </span></p><p><span style="font-family: verdana;"><span style="background-color: #ffa400;"><b>Description:</b></span> Scan the running application for vulnerabilities</span></p>Faysal Hasanhttp://www.blogger.com/profile/11837891241239740342noreply@blogger.com0tag:blogger.com,1999:blog-8774245130267339525.post-53192242482204254542022-06-18T22:03:00.009+10:002022-06-19T02:59:32.659+10:00Azure Well Architected Security Review Checklist<h2 style="text-align: left;"><span style="font-size: x-small;"><span style="font-family: verdana;"> Here we have compiled a checklist for Azure security.</span></span></h2><p><span style="font-size: x-small;"></span></p><div class="separator" style="clear: both; text-align: center;"><span style="font-size: x-small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqoQY6LCZYPfAplkm7e3e4Rs5qs4M51SApPxh5ViBoGF-nOa9XDMa-q6A8LkRKMlA2n85NQaPVC28XV_nIV3H2mIUDQnD0hXAiKK1o2FDab_XhsSiVr6blbnJKL_Q89D7iCFAMICqFLCxE0ut7b41y6dITL6Jwu2xjf_FnbUBr8qjb6KL7jRJo5fXKQQ/s1208/Azure%20Security.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="653" data-original-width="1208" height="216" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqoQY6LCZYPfAplkm7e3e4Rs5qs4M51SApPxh5ViBoGF-nOa9XDMa-q6A8LkRKMlA2n85NQaPVC28XV_nIV3H2mIUDQnD0hXAiKK1o2FDab_XhsSiVr6blbnJKL_Q89D7iCFAMICqFLCxE0ut7b41y6dITL6Jwu2xjf_FnbUBr8qjb6KL7jRJo5fXKQQ/w400-h216/Azure%20Security.jpg" width="400" /></a></span></div><span style="font-size: x-small;"><br /></span><p></p><p><span style="font-size: x-small;"><span style="font-family: verdana;"><span style="background-color: #f9cb9c;"><span style="background-color: red;"><b>Priority: High Weight: 90 </b></span><br /></span></span></span></p><p><span style="font-size: x-small;"><span style="font-family: verdana;"><b>Item No 1</b>: Classify your data at rest and use encryption<br /><b>Item No 2</b>: Implement Conditional Access 
Policies</span></span></p><p><span style="font-size: x-small;"><span style="font-family: verdana;"><span style="background-color: red;"><b><span style="background-color: #e06666;">Priority: High Weight: 70 <span></span></span></b></span><br />Item No 3: Conduct periodic access reviews for the workload<br />Item No 4: Use only secure hash algorithms (SHA-2 family)<br />Item No 5: Discover and remediate common risks to improve Secure Score in Azure Security Center<br />Item No 6: Define a set of Azure Policies which enforce organizational standards and are aligned with the governance team<br />Item No 7: Use tools like Azure Disk Encryption, BitLocker or DM-Crypt to encrypt virtual disks<br />Item No 8: Deprecate legacy network security controls<br />Item No 9: Integrate network logs into a Security Information and Event Management (SIEM)<br />Item No 10: Data in transit should be encrypted at all points to ensure data integrity<br />Item No 11: Establish a designated group responsible for central network management<br />Item No 12: Build a security containment strategy<br />Item No 13: Evolve security beyond network controls<br />Item No 14: Periodically perform external and/or internal workload security audits<br />Item No 15: Establish lifecycle management policy for critical accounts<br />Item No 16: Standardize on modern authentication protocols</span></span></p><p><span style="font-size: x-small;"><span style="font-family: verdana;"><span style="background-color: #6fa8dc;"><b>Priority: Medium Weight: 60</b></span><br />Item No 17: Configure web apps to reuse authentication tokens securely and handle them like other credentials<br />Item No 18: Ensure security team has Security Reader or equivalent to support all cloud resources in their purview<br />Item No 19: Synchronize on-premises directory with Azure AD<br />Item No 20: Implement identity-based storage access controls<br />Item No 21: Design virtual networks for growth<br />Item No 22: Use standard and 
recommended encryption algorithms<br />Item No 23: Assign permissions based on management or resource groups<br />Item No 24: Add planning, testing, and validation rigor to the use of the root management group<br /></span></span></p><p><span style="font-size: x-small;"><span style="font-family: verdana;"><span style="background-color: #674ea7;"><b>Priority: Medium Weight: 50</b></span> <br /></span></span></p><p><span style="font-size: x-small;"><span style="font-family: verdana;">Item No 25: Use managed identity providers to authenticate to this workload<br />Item No 26: Enforce password-less or Multi-factor Authentication (MFA)<br />Item No 27: Continuously assess and monitor compliance<br />Item No 28: Use identity services instead of cryptographic keys when available<br />Item No 29: Establish a designated point of contact to receive Azure incident notifications from Microsoft<br />Item No 30: Establish process and tools to manage privileged access with just-in-time capabilities<br />Item No 31: Implement role-based access control for application infrastructure</span></span></p><p><span style="font-size: x-small;"><span style="font-family: verdana;"><span style="background-color: #6aa84f;"><b>Priority: Medium Weight: 40</b></span><br />Item No 32: Implement resource locks to protect critical infrastructure.</span></span></p>Faysal Hasanhttp://www.blogger.com/profile/11837891241239740342noreply@blogger.com0tag:blogger.com,1999:blog-8774245130267339525.post-48907531603114861982022-06-15T22:52:00.004+10:002022-06-18T22:42:00.431+10:00Mimikatz<div class="separator" style="clear: both; text-align: center;"><span style="font-family: helvetica;"><a 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjWBYlogW0oy2Curi3mG6iyaIcf6gPUpePgGlbzCS2jT6VG1sdnL4BrVU7ouIC7HZybtuZifrDsvEKgZRnkKBn1S2X8LSsaVRmsFm2jALFc2jqfXNQbKL3w6Lt4sOXspg87z8C0kISt7hDfn1lLtlX9bMTHqOu6QkA0AQG-Ni5Ks0nwVPHCJYhCewzCPg/s275/download.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="183" data-original-width="275" height="266" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjWBYlogW0oy2Curi3mG6iyaIcf6gPUpePgGlbzCS2jT6VG1sdnL4BrVU7ouIC7HZybtuZifrDsvEKgZRnkKBn1S2X8LSsaVRmsFm2jALFc2jqfXNQbKL3w6Lt4sOXspg87z8C0kISt7hDfn1lLtlX9bMTHqOu6QkA0AQG-Ni5Ks0nwVPHCJYhCewzCPg/w400-h266/download.png" width="400" /></a></span></div><p><span style="background-color: #ffa400;"><b style="font-family: helvetica;">What is Mimikatz</b><span style="font-family: helvetica;">?</span></span></p><p><span style="font-family: helvetica;">If you are into penetration testing and Windows red teaming, you have probably heard of Mimikatz; if you have not, or have heard of the tool but don’t know what it does, let’s see what Mimikatz is.</span></p><p><span style="font-family: helvetica;">Written in C, Mimikatz is a very powerful post-exploitation tool, described by CrowdStrike’s CTO and co-founder as “the AK-47 of cyber attacks.” </span></p><p><span style="font-family: helvetica;">Some even call Mimikatz the Swiss Army knife of Windows credentials. Benjamin Delpy, the developer of the tool, says he created it to play with Windows security. 
He maintains his own GitHub repository where he publishes the source code for the tool and updates it regularly.</span></p><p><span style="background-color: #ffa400;"><b><span style="font-family: helvetica;">What can be done using Mimikatz?</span></b></span></p><p><span style="font-family: helvetica;">Although widely known for credential dumping, that is not the only thing it can do. </span></p><p><span style="font-family: helvetica;">Mimikatz can also assist in lateral movement and privilege escalation. Attacks like Pass-the-Hash, Pass-the-Ticket, Over-Pass-the-Hash and Kerberoasting can also be carried out with Mimikatz.</span></p><p><span style="background-color: #ffa400;"><span style="color: #1e202c; font-family: helvetica; letter-spacing: -0.005em;"><b>Mimikatz Attack Capabilities</b></span></span></p><p style="background-color: white; box-sizing: border-box; color: #3e3e3e; line-height: 1.5; margin-bottom: 1rem; margin-top: 0px;"><span style="font-family: helvetica;">Mimikatz has numerous modules that let attackers perform a variety of tasks on the target endpoint. Some of the more important attacks facilitated by the tool are:</span></p><ul style="background-color: white; box-sizing: border-box; color: #212529; margin-bottom: 1rem; margin-top: 0px; padding-left: 2rem;"><li style="box-sizing: border-box;"><span style="font-family: helvetica;"><span style="box-sizing: border-box; font-weight: bolder;">Pass-the-Hash</span>—obtains the NTLM hash that Windows uses in place of the password for authentication. This lets attackers reuse the hash without having to crack it to recover the password.</span></li><li style="box-sizing: border-box;"><span style="font-family: helvetica;"><span style="box-sizing: border-box; font-weight: bolder;">Pass-the-Ticket</span>—Mimikatz was famously used to break the Kerberos protocol. It can obtain a Kerberos “ticket” for a user account and use it to log in as that user on another computer.</span></li><li style="box-sizing: border-box;"><span style="font-family: helvetica;"><span style="box-sizing: border-box; font-weight: bolder;">Kerberos Golden Ticket</span>—obtains the ticket for the hidden root account (KRBTGT) that encrypts all authentication tickets, granting domain admin access to any computer on the network.</span></li><li style="box-sizing: border-box;"><span style="font-family: helvetica;"><span style="box-sizing: border-box; font-weight: bolder;">Kerberos Silver Ticket</span>—exploits Windows functionality that grants a user a ticket to access multiple services on the network (via the Ticket Granting Server, or TGS). The Kerberos protocol may not check the TGS key, allowing attackers to reuse the key and impersonate the user on the network.</span></li><li style="box-sizing: border-box;"><span style="font-family: helvetica;"><span style="box-sizing: border-box; font-weight: bolder;">Pass the Key</span>—obtains a unique key used by a user to authenticate to a domain controller. The attacker can reuse this key to impersonate the user.</span></li></ul><p><span style="background-color: #ffa400;"><b><span style="font-family: helvetica;">Anatomy of a Mimikatz Attack:</span></b></span></p><p><span style="font-family: helvetica;">Mimikatz abuses the Single Sign-On functionality of Windows authentication, which allows a user to authenticate only once in order to use various Windows services. </span></p><p><span style="font-family: helvetica;">After a user logs into Windows, a set of credentials is generated and held in memory by the Local Security Authority Subsystem Service (LSASS). When invoked, Mimikatz reads the memory of the LSASS process, extracts the credential hashes, dumps them to the attacker’s system, and may even recover cleartext passwords.</span></p>Faysal Hasanhttp://www.blogger.com/profile/11837891241239740342noreply@blogger.com0
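The LSASS memory access described above is also what defenders watch for. As an added example (not code from the original post), the Python below flags Sysmon Event ID 10 (ProcessAccess) records where a process outside an assumed allow-list opens lsass.exe with the VM_READ right; the flat "Key: value | ..." record format, the allow-list and the sample lines are all constructed.

```python
"""Detection for LSASS memory access. Added example, not from the original
post; it parses constructed Sysmon Event ID 10 (ProcessAccess) records."""
import re

# Windows process access rights relevant to reading another process's memory.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
MINIMAL_DUMP_MASK = PROCESS_VM_READ | PROCESS_QUERY_LIMITED_INFORMATION  # 0x1010

# Assumed allow-list of processes that legitimately touch LSASS; tune per host.
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

FIELD_RE = re.compile(r"(\w+):\s*([^|]*)")


def parse_event(line: str) -> dict:
    """Turn 'Key: value | Key: value' (constructed flat format) into a dict."""
    return {key: value.strip() for key, value in FIELD_RE.findall(line)}


def is_suspicious_lsass_access(event: dict) -> bool:
    """True when a ProcessAccess event targets lsass.exe from a source that is
    not allow-listed and was granted VM_READ, the right needed to copy
    credential material out of the process."""
    if event.get("EventID") != "10":
        return False
    if not event.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return False
    if event.get("SourceImage", "").lower() in ALLOWED_SOURCES:
        return False
    granted = int(event.get("GrantedAccess", "0x0"), 16)
    return bool(granted & PROCESS_VM_READ)


def scan_events(lines: list[str]) -> list[dict]:
    """Return the parsed events that warrant an alert."""
    return [e for e in map(parse_event, lines) if is_suspicious_lsass_access(e)]


# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = [
    "EventID: 10 | SourceImage: C:\\Windows\\System32\\csrss.exe | TargetImage: C:\\Windows\\System32\\lsass.exe | GrantedAccess: 0x1FFFFF",
    "EventID: 10 | SourceImage: C:\\Users\\bob\\Downloads\\updater.exe | TargetImage: C:\\Windows\\System32\\lsass.exe | GrantedAccess: 0x1010",
    "EventID: 10 | SourceImage: C:\\Windows\\System32\\svchost.exe | TargetImage: C:\\Windows\\System32\\lsass.exe | GrantedAccess: 0x1000",
    "EventID: 10 | SourceImage: C:\\Users\\bob\\Downloads\\updater.exe | TargetImage: C:\\Windows\\System32\\notepad.exe | GrantedAccess: 0x1010",
    "EventID: 1 | Image: C:\\Users\\bob\\Downloads\\updater.exe | CommandLine: updater.exe /quiet",
]
```

Only the second record is flagged: csrss.exe is allow-listed, svchost.exe was granted no VM_READ bit, the fourth targets notepad.exe and the last is not a ProcessAccess event.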
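Returning to control 3.8 of the CI/CD Pipelines and Automation post above (scan source code for secrets from within a CD stage), here is an added example, not code from the original post: a small Python gate that scans a constructed sample repository for credential-shaped strings and fails the stage when any are found. The patterns, the entropy threshold, the "# nosecret" allow-list marker and the sample file contents are all assumptions.

```python
"""CD-stage gate for control 3.8 (scan source for secrets). Added example,
not the original post's code; patterns, threshold and samples are constructed."""
import math
import re
from collections import Counter

# Illustrative credential shapes (assumed, not an exhaustive rule set).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic_assignment": re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}
ENTROPY_THRESHOLD = 3.5  # bits per character; random-looking values score above this
ALLOW_MARKER = "# nosecret"  # reviewable inline allow-list for known test fixtures


def shannon_entropy(s: str) -> float:
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def scan_source(path: str, text: str) -> list[dict]:
    """Return one finding per line that matches a secret pattern."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if ALLOW_MARKER in line:
            continue
        for rule, pattern in SECRET_PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            value = m.group(m.lastindex) if m.lastindex else m.group(0)
            # Generic assignments only count when the value looks random,
            # which filters placeholders such as 'changeme'.
            if rule == "generic_assignment" and shannon_entropy(value) < ENTROPY_THRESHOLD:
                continue
            findings.append({"file": path, "line": lineno, "rule": rule})
    return findings


def cd_stage_gate(files: dict[str, str]) -> tuple[bool, list[dict]]:
    """The CD stage passes only when no finding remains."""
    findings = [f for path, text in files.items() for f in scan_source(path, text)]
    return (not findings, findings)


# Constructed sample repository (no real credentials).
SAMPLE_REPO = {
    "app/config.py": (
        "DB_HOST = 'db.internal'\n"
        "DB_PASSWORD = 'changeme'\n"  # low entropy, treated as a placeholder
        "API_KEY = 'q8Zr2vL0pX9mN4kT7wB3yH6s'\n"  # constructed high-entropy value
    ),
    "deploy/creds.txt": "AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE01\n",
    "tests/fixtures.py": "TOKEN = 'not-a-real-token-value' # nosecret\n",
}
```

Running cd_stage_gate(SAMPLE_REPO) fails the stage with two findings (the API key and the AWS-style key); the placeholder password and the marked fixture are not reported.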