❌

Reading view

How To Deploy Windows Optics: Commands, Downloads, Instructions, and Screenshots

Jordan Drysdale & Kent Ickler // TL;DR Look for links, download them. Look for GPOs, import them. Look for screenshots, for guidance. Sysmon + Windows Audit Policies + Event Collectors […]

The post How To Deploy Windows Optics: Commands, Downloads, Instructions, and Screenshots appeared first on Black Hills Information Security, Inc..

  •  

Abusing Delegation with Impacket (Part 3): Resource-Based Constrained Delegation

This is the third in a three-part series of blog posts discussing how to abuse Kerberos delegation! If you haven't already, feel free to read the first blog post, as they discuss the Kerberos authentication process and how delegation plays an important role in solving the double-hop problem, and how to abuse unconstrained delegation.

The post Abusing Delegation with Impacket (Part 3): Resource-Based Constrained Delegation appeared first on Black Hills Information Security, Inc..

  •  

Abusing Delegation with Impacket (Part 2): Constrained Delegation

This is the second in a three-part series of blog posts discussing how to abuse Kerberos delegation! If you haven't already, feel free to read the first blog post, as it discusses the Kerberos authentication process and how delegation plays an important role in solving the double-hop problem.

The post Abusing Delegation with Impacket (Part 2): Constrained Delegation appeared first on Black Hills Information Security, Inc..

  •  

Abusing Delegation with Impacket (Part 1): Unconstrained Delegation

In Active Directory exploitation, Kerberos delegation is easily among my top favorite vectors of abuse, and in the years I’ve been learning Kerberos exploitation, I’ve noticed that Impacket doesn’t get nearly as much coverage as tools like Rubeus or Mimikatz.

The post Abusing Delegation with Impacket (Part 1): Unconstrained Delegation appeared first on Black Hills Information Security, Inc..

  •  

Wrangling Windows Event Logs with Hayabusa & SOF-ELK (Part 2)

But what if we need to wrangle Windows Event Logs for more than one system? In part 2, we’ll wrangle EVTX logs at scale by incorporating Hayabusa and SOF-ELK into my rapid endpoint investigation workflow (β€œREIW”)!Β 

The post Wrangling Windows Event Logs with Hayabusa & SOF-ELK (Part 2) appeared first on Black Hills Information Security, Inc..

  •  

DomCat: A Domain Categorization Tool

DomCat is a command-line tool written in Golang that helps the user find expired domains with desirable categorizations.

The post DomCat: A Domain Categorization Tool appeared first on Black Hills Information Security, Inc..

  •  

Wrangling Windows Event Logs with Hayabusa & SOF-ELKΒ (Part 1)

In part 1 of this post, we’ll discuss how Hayabusa and β€œSecurity Operations and Forensics ELK” (SOF-ELK) can help us wrangle EVTX files (Windows Event Log files) for maximum effect during a Windows endpoint investigation!

The post Wrangling Windows Event Logs with Hayabusa & SOF-ELKΒ (Part 1) appeared first on Black Hills Information Security, Inc..

  •  

Microsoft Store and WinGet: Security Risks for Corporate Environments

The Microsoft Store provides a convenient mechanism to install software without needing administrator permissions. The feature is convenient for non-corporate and home users but is unlikely to be acceptable in corporate environments. This is because attackers and malicious employees can use the Microsoft Store to install software that might violate organizational policy.Β 

The post Microsoft Store and WinGet: Security Risks for Corporate Environments appeared first on Black Hills Information Security, Inc..

  •  

Stop Spoofing Yourself! Disabling M365 Direct Send

Remember the good β€˜ol days of Zip drives, Winamp, the advent of β€œOffice 365,” and copy machines that didn’t understand email authentication? Okay, maybe they weren’t so good! For a […]

The post Stop Spoofing Yourself! Disabling M365 Direct Send appeared first on Black Hills Information Security, Inc..

  •  

Hunt for Weak Spots in Your Wireless Network with Airodump-ng from the Aircrack-ng Suite

In this blog, I’m going to walk you through how to get started with airodump-ng and some of the techniques that you can use to home in on access points of interest.

The post Hunt for Weak Spots in Your Wireless Network with Airodump-ng from the Aircrack-ng Suite appeared first on Black Hills Information Security, Inc..

  •  

Detecting ADCS Privilege Escalation

Active Directory Certificate Services (ADCS) is used to manage certificates for systems, users, applications, and more in an enterprise environment. Misconfigurations in ADCS can introduce critical vulnerabilities into an enterprise Active Directory environment.

The post Detecting ADCS Privilege Escalation appeared first on Black Hills Information Security, Inc..

  •  

Vulnerability Scanning with NmapΒ 

Nmap, also known as Network Mapper, is a commonly used network scanning tool. As penetration testers, Nmap is a tool we use daily that is indispensable for verifying configurations and identifying potential vulnerabilities.

The post Vulnerability Scanning with NmapΒ  appeared first on Black Hills Information Security, Inc..

  •  

Getting Started with NetExec: Streamlining Network Discovery and Access

One tool that I can't live without when performing a penetration test in an Active Directory environment is called NetExec. Being able to efficiently authenticate against multiple systems in the network is crucial, and NetExec is an incredibly powerful tool that helps automate a lot of this activity.

The post Getting Started with NetExec: Streamlining Network Discovery and Access appeared first on Black Hills Information Security, Inc..

  •  

How to Use Dirsearch

Dirsearch is an open-source multi-threaded β€œweb path discovery” tool first released in 2014. The program, written in Python, is similar to other tools such as Dirbuster or Gobuster, and aims to quickly find hidden content on web sites.

The post How to Use Dirsearch appeared first on Black Hills Information Security, Inc..

  •  

Augmenting Penetration Testing Methodology with Artificial Intelligence – Part 3: Arcanum Cyber Security Bot

In my journey to explore how I can use artificial intelligence to assist in penetration testing, I experimented with a security-focused chat bot created by Jason Haddix called Arcanum Cyber Security Bot (available on https://chatgpt.com/gpts). Jason engineered this bot to leverage up-to-date technical information related to application security and penetration testing.

The post Augmenting Penetration Testing Methodology with Artificial Intelligence – Part 3: Arcanum Cyber Security Bot appeared first on Black Hills Information Security, Inc..

  •  

Why Use a Macro Pad?

Compression is everywhereβ€”in files, videos, storage, and networksβ€”so it’s only natural it should also be in your workflow too. You can β€œcompress” a series of tedious, repetitive tasks requiring multiple steps and several configurations into a single button press with a macro pad such as the Stream Deck or a fully software-customizable mechanical keyboard.Β 

The post Why Use a Macro Pad? appeared first on Black Hills Information Security, Inc..

  •  

Espanso: Text Replacement, the Easy Way

Espanso is a powerful cross-platform and open-source text replacement (or text expander) tool. At a simple level: it replaces what you type with something else.

The post Espanso: Text Replacement, the Easy Way appeared first on Black Hills Information Security, Inc..

  •  
  •  

Offline Memory Forensics With Volatility

Volatility is a memory forensics tool that can pull SAM hashes from a vmem file. These hashes can be used to escalate from a local user or no user to a domain user leading to further compromise.

The post Offline Memory Forensics With Volatility appeared first on Black Hills Information Security, Inc..

  •  
❌