#hack100days: day 52 : Spent more time on CRTO, got through several sections. If something talks to lsass, there's a Windows Event 4656 generated. These events don't make it into Windows Defender ATP. KQL that *might* help can be found here: https://infosec.exchange/@scottlink/109922158743618879 (CS may not have liked my KQL, so trying the link.) (Lsass does get started in the normal day-to-day of things; filter out lsass itself being the process, look for things trying to operate on it.) #redteam #blueteam #GetSmart #CoSoSec
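The filtering idea in that post (keep 4656 handle requests where the object is lsass.exe, drop the ones where lsass is itself the requesting process, then look at who is asking and for what access) can be run offline over exported events. The script below is an added example, not the author's KQL and not from any project; the 4656 records are constructed here in an assumed JSON-lines export format (field names follow the 4656 EventData schema), and the access-right constants are the standard winnt.h process rights. One caveat for defenders: 4656 for process objects only appears when kernel-object auditing is enabled on the host, so an empty result may mean no auditing rather than no access.

```python
"""Pick out Windows Security Event 4656 (handle requested) records where a
process other than lsass.exe asked for a handle to the lsass.exe process,
and decode which read-related rights were requested.
Added example; sample events are constructed, not real telemetry."""
import json
from typing import Dict, List

# Process access rights from winnt.h that matter for reading LSASS memory.
PROCESS_RIGHTS = [
    (0x0010, "PROCESS_VM_READ"),
    (0x0400, "PROCESS_QUERY_INFORMATION"),
    (0x1000, "PROCESS_QUERY_LIMITED_INFORMATION"),
]
PROCESS_VM_READ = 0x0010

# Constructed sample 4656/4663 records, one JSON object per line (assumed
# export format). The first record is lsass opening itself; the fourth is a
# File object, not the Process object; the fifth is a 4663, not a 4656.
SAMPLE_EVENTS = r"""
{"EventID": 4656, "ObjectType": "Process", "ObjectName": "\\Device\\HarddiskVolume3\\Windows\\System32\\lsass.exe", "ProcessName": "C:\\Windows\\System32\\lsass.exe", "AccessMask": "0x1fffff", "SubjectUserName": "SYSTEM"}
{"EventID": 4656, "ObjectType": "Process", "ObjectName": "\\Device\\HarddiskVolume3\\Windows\\System32\\lsass.exe", "ProcessName": "C:\\Users\\alice\\Downloads\\tool.exe", "AccessMask": "0x1010", "SubjectUserName": "alice"}
{"EventID": 4656, "ObjectType": "Process", "ObjectName": "\\Device\\HarddiskVolume3\\Windows\\System32\\lsass.exe", "ProcessName": "C:\\Windows\\System32\\svchost.exe", "AccessMask": "0x1000", "SubjectUserName": "SYSTEM"}
{"EventID": 4656, "ObjectType": "File", "ObjectName": "\\Device\\HarddiskVolume3\\Windows\\System32\\lsass.exe", "ProcessName": "C:\\Windows\\System32\\MsMpEng.exe", "AccessMask": "0x80", "SubjectUserName": "SYSTEM"}
{"EventID": 4663, "ObjectType": "Process", "ObjectName": "\\Device\\HarddiskVolume3\\Windows\\System32\\lsass.exe", "ProcessName": "C:\\Users\\alice\\Downloads\\tool.exe", "AccessMask": "0x10", "SubjectUserName": "alice"}
"""


def parse_events(text: str) -> List[Dict]:
    """Parse JSON-lines text into event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def basename(path: str) -> str:
    """Last component of a Windows path (\\Device\\...\\lsass.exe -> lsass.exe)."""
    return path.rsplit("\\", 1)[-1].lower()


def decode_access(mask_str: str) -> List[str]:
    """Names of the read-related process rights set in a hex AccessMask."""
    mask = int(mask_str, 16)
    return [name for bit, name in PROCESS_RIGHTS if mask & bit]


def is_foreign_lsass_handle(ev: Dict) -> bool:
    """True for a 4656 on the lsass.exe *process* object requested by a
    process that is not lsass.exe itself (the filter the post describes)."""
    return (
        ev.get("EventID") == 4656
        and ev.get("ObjectType") == "Process"
        and basename(ev.get("ObjectName", "")) == "lsass.exe"
        and basename(ev.get("ProcessName", "")) != "lsass.exe"
    )


def find_lsass_access(text: str) -> List[Dict]:
    """Return one summary per matching event: requesting process, user,
    decoded rights, and whether memory-read access was requested."""
    hits = []
    for ev in parse_events(text):
        if not is_foreign_lsass_handle(ev):
            continue
        mask = int(ev["AccessMask"], 16)
        hits.append({
            "process": ev["ProcessName"],
            "user": ev.get("SubjectUserName", ""),
            "mask": ev["AccessMask"],
            "rights": decode_access(ev["AccessMask"]),
            "reads_memory": bool(mask & PROCESS_VM_READ),
        })
    return hits


if __name__ == "__main__":
    for hit in find_lsass_access(SAMPLE_EVENTS):
        flag = "MEMORY READ" if hit["reads_memory"] else "query only"
        print(f"{flag:12} {hit['process']} ({hit['user']}) mask={hit['mask']} {hit['rights']}")
```

Run against the constructed sample, only tool.exe and svchost.exe survive the filter; tool.exe is the one asking for PROCESS_VM_READ, which is the line worth triaging, while a 0x1000 (query limited information) request from a system process is the kind of routine noise the post warns about. With real data, replace `SAMPLE_EVENTS` with an export of 4656 events and extend the allow-list logic around `is_foreign_lsass_handle` with the security tooling that legitimately opens lsass in your environment.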
#hack100days: day 51 : Spent some time going through CRTO. First two sections down. Spun up a new kali box to play around with some of the tooling covered in recon section. Reckon I'll do a once through the material before getting lab time and going after the lab exercises. #RedTeam #infosec #cososec
#hack100days : days 43 & 44 : Forgot to post yesterday. Modified a BadUSB/Rubber Ducky script to run PowerShell and feed a file. Helping out a #BlueTeam analyst w/that one. Helped myself for a future #RedTeam exercise. Also spent some time w/'hello, world', Rust, and Windows OS. Baby steps, time will tell w/that one. Tried out a different format for attack trees, but haven't tried it out on anyone yet. #InfoSec #LabItUp #CamelCaseTags4OnScreenReaders #CoSoSec
#hack100days : day 42 : Listened in on N00bie Tuesday by Alh4zr3d@twitter. Someone mentioned Zero Point Security has a "Rust for n00bs" [[https://training.zeropointsecurity.co.uk/courses/rust-for-n00bs]] class. I'm a n00b, so ran full-tilt into that rabbit hole. An inexpensive introduction. Rust has some interesting quirks. Tried it out on MacOS. Next up, Windows. #InfoSec #LearnToCode #Rust #CoSoSec
#hack100days : day 41 : Tinkered around with Docker some more. Experimenting with building an image w/enumeration tools. Getting Rust onto the system for feroxbuster has me a bit stymied. #infosec #enumeration #cososec
#hack100days : day 40 : Took a crack at today's #HtB new release, interface. Web app, natch. Started my process and used the usual tools. Didn't get very far at all. Based on tech found, did some research and found an article about one of the components. Calling it a day though and will take a look tomorrow. #ctf #infosec #cososec
#hack100days : day 39 : *Now* I have a working virtual gateway in my virtual lab. Ubuntu w/iptables rules, ftw. Next, write a "shields up/shields down" script governing rules for the inside LANs. Time to grind on payloads! Ah, and it's beer o'clock. #redteam #labitup #infosec #cososec
#hack100days : day 38 : Not much direct hacking today. Read a couple of articles on Azure/M365 hacking. A family friend is making a career transition to software development. Their code made it into GitHub, so I looked through it to practice code-review skills-ish. #infosec #cososec
#hack100days : day 37 (delayed report) : More work on the lab. Migrated target vm from old hacktop to new. Poked at virtual firewall some more to get the lab network sorted. #labitup #infosec #cososec
#hack100days : day 36 : More work on lab infra. Followed this cookbook on dockerizing CobaltStrike: https://ezrabuckingham.com/blog/containerizing-red-team-infra/ Worked! Docker networking is still a little weird for me, so I need to figure out how the beacons are going to get there. The client piece worked, so halfway there. Still need to test the fw--it seems to be grabbing my laptop's IP, which creates network weirdness. May bail and use something I'm more familiar with. #redteam #labitup #infosec #cososec
#hack100days : day 35 : Worked on the hacktop lab. Created a "Private" net for the targets to reside in. Built an OPNSense virtual firewall to govern access between the "External" net--where the attacking hosts are going to reside--and the target network. ...maybe I should rename them. Skimmed the DNS section of the OPNSense manual. Maybe Dnsmasq lets me try out DNS C2? Next step is to move my target vm from the old hacktop to the new and test fw config. #labitup #redteam #infosec #cososec
#hack100days : day 34 : Spent some time playing around with https://github.com/initstring/cloud_enum #infogathering #redteam #infosec #cososec
#hack100days : day 33 : Looked at some open-source projects from fortynorthsecurity.com Came across them looking for CobaltStrike info. PersistAssist (https://github.com/FortyNorthSecurity/PersistAssist) looks interesting. It's written in C#, so I took some time to look through the code to see if it makes any kind of sense to me. Maybe tinkering with that would be a good way to start getting acquainted. I think I want to play around with Egress-Assess (https://github.com/FortyNorthSecurity/Egress-Assess) a bit, as well. #redteam #infosec #cososec
#hack100days : day 32 : Moved C2 server vm from old hacktop to new hacktop. Updated the vm. Went looking for resources for aggressor scripts and C2 profiles. Near and intermediate planned exercises will use https, but the use of DNS is still looking too much like a dark art. I've got the pieces I can put together to do it, but I'm still fuzzy on how to put them together. It isn't urgent, so I'll block a couple of days down the road to lab it up. #lab #redteam #infosec #cososec
#hack100days : day 31 : Forgot to post yesterday. Pretty busy day. Got caught up on @thegrugq newsletters--I was a couple of days behind. Also read a recent Bellingcat newsletter and article. Octosuite looks interesting: https://www.bellingcat.com/resources/2023/01/20/octosuite-a-new-tool-to-conduct-open-source-investigations-on-github/ Might be useful for internal appsec and dfir teams, as well. #infosec #cososec
#hack100days: day 30d : Pretty busy day, putting pressure on hacking for myself. Looked into "coding". Red Teamers have to code? I'm down with bash and fairly comfortable with python and PowerShell. After looking at CobaltStrike, I can kind of connect the dots. So, nim, .Net/C#, go, rust? I'm not diving into c/c++, looked at Kernighan and Ritchie ages ago and it didn't take. Thinking about .Net/C#, it is the "guts" of PowerShell and Windows. #redteam #coding #cososec
#hack100days: day 29d : Bashed at new hacktop's wifi. Going in to work tomorrow, chance to isolate issue to laptop or my network and their interaction--other devices are behaving as expected. Watched a bit of @Alh4zR3d@twitter's N00bie Tuesday. Also found this site: https://www.zaproxy.org/docs/docker/webswing/ which means I don't have to pollute the new hacktop w/Java! Another opp to get more touches w/#docker. #infosec #labitup #cososec
#hack100days : day 27d : Took another look at the #hackthebox new release. Making some progress. #ctf #infosec #cososec
#hack100days : day 26d : New release on #hackthebox, but it's not coming easily. Found a thing to help with enumeration, but I need to do some more reading on php to get to the next bit. #ctf #infosec #cososec
#hack100days : day 25d : New hacktop from work today. Setting it up, trying stuff out. WSL is still sub-optimal. Gonna work on getting more facile w/Docker and Ubuntu's Multipass. Oh, something interesting... an EICAR dropped into a WSL image doesn't get flagged by Defender. #labitup #infosec #cososec
Muddling through.