Blog: Posts by Owen

Using Kibana and Packetbeat to map DNS queries

Overview: In this short post we’re going to show one visual method of mapping, and potentially identifying, malicious DNS traffic within a network. We’re not going to walk through the configuration of Elastic, Beats agents or Kibana, and there is an assumption that UDP 53 traffic is being logged by Packetbeat on the endpoint(s). Visualisations:…

An intro into abusing and identifying WMI Event Subscriptions for persistence

Overview: Windows Management Instrumentation (WMI) Event Subscriptions are one of many ways to establish persistence on a network. The technique, T1084 on MITRE ATT&CK, can be fairly discreet and has been used by APT29 to establish backdoors. We’re not going to dig into too much detail about WMI Event Subscriptions themselves, as some good material…

Using Auditbeat and ELK to monitor GTFOBins binaries

At in.security our training courses are developed not only to provide the theory and hands-on understanding of a multitude of offensive techniques, but with the added extra of being able to see, study and understand the attacks from a blue team perspective by viewing self-generated artefacts left within our in-LAB ELK stack. This type of…

Lin.security – walkthrough

Lin.security was released a little over a month ago, so, as promised, we have now published this detailed walkthrough. As such, this article does include spoilers! The idea of the challenge was to find and practise getting root on the host using many different methods – some are easier than others. If you want…

Lin.security – practise your Linux privilege escalation foo

Here at in.security we wanted to develop a Linux virtual machine that is based, at the time of writing, on an up-to-date Ubuntu distro (18.04 LTS), but suffers from a number of vulnerabilities that allow a user to escalate to root on the box. This has been designed to help understand how certain built-in applications…

in.security has landed!

It’s official, we’re live! As this is our first post under the guise of in.security let’s make some introductions. Both Will (@stealthsploit) and I (@rebootuser) have been working in IT and information security over the past decade or so and have been in a number of different roles, including systems administration, digital forensics, penetration testing,…