A lot of mud slinging on InfoSec twitter lately; I wanted to flip the script a bit and highlight the blogs, tools, talks etc that I keep coming back to on a regular basis, both as a defender and general InfoSec professional. Thread..
Start-ATHProcessHerpaderp was added to AtomicTestHarnesses w/ some extended capabilities from the original PoC.
As I reimplemented @jxy__s's awesome capability and PoC, I came to appreciate both the novelty and reliability of the technique so much more.
github.com/redcanaryco/Atomi…
The third part of my Paving The Way to DA series is live: blog.zsec.uk/path2da-pt3/ This time I'm talking about how #PassTheHash works; while it is an older technique, it certainly still works in environments! Added extras at the end linking to @0x616e6874's posts about Ansible!
We've noted our findings after a couple of years auditing #Windows #Defender Attack Surface Reduction events.
Hopefully it will help anyone considering block mode.
Being able to use the credential stealing/lsass rule was the surprise for me.
medium.com/palantir/microsof…
There's a lot going around about analyzing Azure AD environments for compromise and risky/rogue permissions lately. Most focus on logs, but if there are no (more) logs or you just want to review AAD as a blue teamer, here is how ROADrecon (github.com/dirkjanm/ROADtool…) can help:
Sysinternals' update for Sysmon and Procmon: process image tampering events added to Sysmon (to detect process hollowing, for example). docs.microsoft.com/en-us/sys…