Blog

What the Heck PsExec!

We were talking internally about the infamous PsExec during a recent delivery of our Defending Enterprises training when we stumbled across this tweet from BlackMatter23. Service creation and related events can be caught using existing methods, but having an accurate correlation between service creation and deletion events would allow even more activities to be reliably… Read More

What Can We Do About Ransomware?

A ransomware attack can be potentially devastating to a business or organisation. Essentially, it means that your important files are being held captive and will not be released unless you pay a price. More and more of these attacks are happening every year, and their success rate means that they are an attractive option for… Read More

Secure Passwords: Tips for World Password Day!

Passwords continue to be one of the main contributors to compromise and cyber attack. We frequently identify and exploit password weaknesses during our security assessments, and this was one of the driving factors behind our Active Directory Password Audit service. Although NIST revised its password security guidance a few years ago, mass adoption is still… Read More

Detecting Lateral Movement via WinRM Using KQL

Over the past few months we’ve been looking a little more into the detection methods we might use to identify strange activity within a given environment. A lot of this research stems from questions asked by our clients following a technical engagement, or questions from students that have taken our Hacking Enterprises training. With the… Read More

Keeping CISOs in the loop with the latest cybersecurity news

Keeping up to date with the latest news and attacks in cybersecurity is a must not only for individuals working in the IT security sector, but for everyone. It is an ever-evolving field, and attackers are always finding new and inventive ways to exploit companies and individuals alike. It’s not easy for ‘non-techie’ individuals… Read More

Breaking into the cyber security industry

In this blog, our newest addition to the team, Rehan Bari, discusses his experiences breaking into the industry… I’m going to discuss one of the most debated topics on social media with regard to cybersecurity: Breaking into the cybersecurity industry. “There is a shortage of people in this field”. You must have heard that everywhere too, right?… Read More

Using Kibana and Packetbeat to map DNS queries

Overview: In this short post we’re going to show one visual method of mapping, and potentially identifying, malicious DNS traffic within a network. We’re not going to walk through the configuration of Elastic, the Beats agents or Kibana, and there is an assumption that UDP/53 traffic is being logged by Packetbeat on the endpoint(s). Visualisations:… Read More

An intro into abusing and identifying WMI Event Subscriptions for persistence

Overview: Windows Management Instrumentation (WMI) Event Subscriptions are one of many ways to establish persistence on a network. The technique, T1084 in MITRE ATT&CK, can be fairly discreet and has been used by APT29 to establish backdoors. We’re not going to dig into too much detail about WMI Event Subscriptions themselves, as some good material… Read More

Using Auditbeat and ELK to monitor GTFOBins binaries

At in.security our training courses are developed not only to provide the theory and hands-on understanding of a multitude of offensive techniques, but also with the added benefit of being able to see, study and understand the attacks from a blue team perspective by viewing self-generated artefacts left within our in-LAB ELK stack. This type of… Read More

Lin.security – walkthrough

Lin.security was released a little over a month ago, so as promised we have now published this detailed walkthrough. As such, this article does include spoilers! The idea of the challenge was to find and practise getting root on the host using many different methods, some of which are easier than others. If you want… Read More

Analysing CVE-2018-13417 for files, hashes and shells

CVE-2018-13417 was published this August, disclosing an out-of-band XXE vulnerability in the SSDP/UPnP functionality of the XML parsing engine in the popular Vuze BitTorrent client. The latest version, 5.7.6.0, was found to be vulnerable; however, it’s likely that earlier versions are also affected. Exploitation of this vulnerability allows unauthenticated attackers on the same network to read arbitrary files… Read More

A cr4cking g00d time – walkthrough

Warning: This post contains spoilers! It’s been a few weeks since we released A cr4cking g00d time and we’d first like to thank everyone who gave it a go. We’ve received great feedback and are very pleased to hear that people have attained new levels of password cracking-fu in the process. Well done to @hops_ch… Read More