Local Tech Repair

Ransomware’s New Playbook: How Qilin and Warlock Are Systematically Killing EDR from the Kernel Up

2026-04-06T17:51:00.000-07:00

It rarely starts with alarms. There’s no flashing warning, no obvious breach—just a valid login, often tied to a stolen credential, slipping quietly through the front door. From there, the attackers don’t rush. They don’t need to. In today’s ransomware landscape, groups like Qilin have learned that patience—and precision—delivers far greater impact than speed.

What follows isn’t chaos. It’s preparation.

Inside compromised environments, Qilin operators begin mapping systems, expanding access, and positioning themselves deeper within the network. Days can pass—nearly a week on average—before anything resembling ransomware activity even begins. By then, the real work is already done. The attack isn’t about getting in anymore. It’s about making sure nothing can stop what comes next.

The Moment Everything Goes Dark

At some point in that quiet window, a seemingly harmless file appears: msimg32.dll. It doesn’t raise suspicion. It doesn’t need to. Loaded through DLL side-loading, it executes under the cover of a trusted application—exactly where defenders are least likely to look.

But this file isn’t just another payload. It’s the beginning of the end for the system’s defenses.

The DLL acts as a loader, carefully preparing the environment for a second, hidden component—encrypted, embedded, and designed for one purpose: to dismantle endpoint detection and response (EDR) protections from the inside out. Before it ever reveals that payload, it gets to work quietly stripping away visibility.

It disables user-mode hooks. It suppresses Event Tracing for Windows. It obscures how code executes and how APIs are called. By the time the real payload is ready to run, the system is still functioning—but it’s no longer watching.

A Silent War at the Kernel Level

Then comes the shift that defines modern ransomware attacks.

Instead of fighting security tools, Qilin simply removes them.

Using a technique known as Bring Your Own Vulnerable Driver (BYOVD), the malware introduces legitimate—but exploitable—drivers into the system. One provides direct access to physical memory, effectively opening a path into the kernel. The other is far more targeted: it terminates processes tied to hundreds of EDR solutions across nearly every major vendor.

Before doing so, it quietly unregisters the monitoring callbacks those tools rely on. No alerts. No interference. Just silence.

At that point, the system hasn’t crashed. Nothing looks broken. But the security layer—the part designed to detect and stop threats—is gone.

By the Time You Notice, It’s Over

Only after defenses are neutralized does the final stage begin.

Data is staged. Files are exfiltrated. Backups are identified—or destroyed. And then, when everything is in place, the ransomware executes.

For the victim, this is the first visible sign that anything is wrong. But in reality, the attack is already complete. The encryption is just the closing act.

Qilin’s rise reflects how effective this approach has become. In recent months, it has emerged as one of the most active ransomware groups globally, responsible for a significant share of attacks, including a notable concentration in Japan. Its success isn’t built on novel exploits—it’s built on discipline, timing, and the ability to quietly dismantle defenses before pulling the trigger.

A Parallel Playbook: Warlock’s Expanding Arsenal

Qilin isn’t alone in this strategy.

The Warlock ransomware group has been following a similar path, targeting unpatched Microsoft SharePoint servers and refining its own approach to persistence and evasion. Like Qilin, it leans heavily on vulnerable drivers to disable security controls—but it doesn’t stop there.

Once inside a network, Warlock builds out a flexible toolkit designed to maintain control and move freely. Remote access tools establish persistence. Administrative utilities enable lateral movement. Legitimate platforms—developer tools, tunneling services—are repurposed to blend malicious activity into normal traffic.

PsExec is used to pivot between systems
RDP modifications allow multiple simultaneous sessions
Cloudflare tunnels and Visual Studio Code mask command-and-control traffic
Rclone facilitates quiet, efficient data exfiltration

Even their choice of vulnerable drivers evolves, swapping components as needed to maintain effectiveness and avoid detection patterns. It’s not a static toolkit—it’s an adaptable framework.

The Real Shift: Security Isn’t Being Bypassed—It’s Being Disabled

What ties these campaigns together is a fundamental shift in attacker mindset.

Traditional defenses were built on the assumption that threats would try to evade detection. But groups like Qilin and Warlock are proving that it’s often easier—and far more reliable—to simply remove detection entirely.

BYOVD attacks exploit a structural weakness: trusted drivers operating at the kernel level. Once abused, they provide a pathway to undermine the very tools designed to protect the system. And because those drivers are legitimate, they often slip past traditional controls without scrutiny.

What Defenders Need to Do Differently

Stopping this kind of attack requires shifting focus earlier in the intrusion—before the EDR killer is deployed, before kernel access is achieved, before visibility is lost.

Restrict driver loading to explicitly trusted and verified publishers
Monitor for unusual driver installation or loading behavior
Maintain aggressive patching of driver-level vulnerabilities
Invest in kernel-level telemetry and integrity monitoring

Because once that line is crossed—once attackers begin operating in the kernel—most traditional defenses are already out of the picture.

Europe Back in the Crosshairs: TA416 Revives PlugX Campaigns with OAuth Phishing Twist

2026-04-05T15:51:00.000-07:00

After nearly two years of relative silence across the region, a China-aligned cyber espionage group has re-emerged with precision, patience, and a quietly evolving toolkit—once again setting its sights on European governments and diplomatic networks, but this time with more refined tradecraft, stealthier delivery chains, and a renewed focus shaped by global geopolitical tensions.

Security researchers at Proofpoint have attributed the activity to TA416, a threat cluster with deep historical ties to well-known espionage operations including DarkPeony, RedDelta, and Vertigo Panda—groups that, depending on who you ask, blur into the broader ecosystem often associated with Mustang Panda and its many aliases.

🎯 A Quiet Return with Loud Intent

Since mid-2025, TA416 has resumed operations targeting **European Union and NATO-aligned diplomatic entities**, launching carefully orchestrated campaigns that combine reconnaissance and payload delivery in ways that feel both familiar and newly dangerous at the same time.

What makes this campaign particularly notable isn’t just who is being targeted—but how the attackers are adapting.

Across multiple waves, researchers observed a blend of:

Web bug–driven reconnaissance
Malware delivery via cloud-hosted archives
Abuse of trusted identity infrastructure like OAuth

…and perhaps most concerning, a willingness to continuously retool their infection chain mid-campaign, pivoting techniques just enough to stay ahead of detection while maintaining operational consistency.

🕵️ Reconnaissance First: The Web Bug Resurgence

Before a single payload ever touches disk, TA416 is watching.

Using web bugs—tiny, invisible tracking pixels embedded in phishing emails—the group quietly gathers intelligence on targets, collecting IP addresses, user agents, and email open timestamps, effectively confirming whether a target is both valid and engaged, all without raising alarms.

It’s simple, low-noise, and highly effective.

☁️ Living Off Trust: OAuth Abuse and Cloud Delivery

One of the more sophisticated pivots in this campaign involves abusing **Microsoft OAuth workflows**, a tactic that weaponizes trust itself.

Victims receive phishing emails containing links to legitimate Microsoft authorization endpoints. At a glance, everything appears normal—familiar domains, expected authentication prompts—but behind the scenes, the request triggers a redirect through a malicious chain, ultimately delivering a weaponized archive.

This technique, also highlighted in reporting from The Hacker News, allows attackers to:

Bypass traditional email security filters
Evade browser-based phishing protections
Exploit implicit trust in Microsoft infrastructure

And it works—because the initial interaction is, technically speaking, legitimate.

🧬 Infection Chain Evolution: From Turnstile to MSBuild

map from TheHackerNews {@}

TA416 hasn’t relied on a single method for long.

Over the course of the campaign, researchers observed multiple delivery mechanisms, including:

Fake Cloudflare Turnstile verification pages
OAuth redirect chains
Malicious archives hosted on:
- Microsoft Azure Blob Storage
- Google Drive
- Compromised SharePoint instances

But the most technically interesting evolution came in early 2026, when the group began leveraging MSBuild-based execution chains, a method that blends seamlessly into legitimate Windows development workflows.

Here’s where it gets clever—and a bit unsettling.

A downloaded archive contains:

A legitimate Microsoft MSBuild executable
A malicious C# project file (CSPROJ)

When executed, MSBuild automatically compiles the project file, which in this case acts as a loader, decoding embedded Base64 URLs, pulling down additional payload components, and executing them via a classic DLL side-loading chain.

It’s a layered approach that uses trusted binaries to execute malicious logic, making detection significantly more difficult.

🧠 PlugX: The Persistent Backbone

At the center of it all remains **PlugX**, a long-standing remote access trojan that continues to anchor TA416’s operations.

Despite constant updates and variations, its core capabilities remain consistent:

System reconnaissance
Payload delivery and execution
Command-and-control communication
Reverse shell access

Once deployed, PlugX establishes encrypted communication with its C2 infrastructure—but not before performing anti-analysis checks designed to evade sandboxing and endpoint detection tools.

It’s not flashy malware—but it doesn’t need to be. It’s reliable, adaptable, and deeply embedded in this threat actor’s playbook.

🌍 Expanding Scope: Middle East Enters the Picture

While Europe remains a primary focus, TA416 hasn’t limited its operations geographically.

Following the outbreak of tensions tied to the 2026 U.S.–Israel–Iran conflict, the group expanded its targeting to include Middle Eastern government entities, suggesting a broader intelligence-gathering objective aligned with real-world geopolitical developments.

This shift reinforces a pattern: TA416 doesn’t just operate opportunistically—it operates strategically.

🔄 A Pattern of Adaptation

The bigger story here isn’t just about PlugX or phishing—it’s about **adaptation over time**.

TA416 has demonstrated a consistent ability to:

Rotate infrastructure
Modify delivery chains
Blend into trusted ecosystems
Align targeting with geopolitical priorities

And perhaps most tellingly, similar activity clusters linked to Chinese cyber operations have shown a willingness to maintain long-term persistence, in some cases reappearing in compromised environments hundreds of days after initial access, underscoring a level of patience that most defenders simply aren’t prepared for.

⚠️ Final Thoughts

TA416’s resurgence is less of a return and more of an evolution—a reminder that modern espionage campaigns aren’t static operations, but living systems that adapt, learn, and quietly refine themselves over time, often just out of reach of traditional defenses, and almost always aligned with something much larger happening on the global stage.

For defenders, the takeaway is clear: trust is now part of the attack surface.

📚 Further Reading & Related Research

Axios Breach: Supply Chain Attack Delivers Cross-Platform RAT to Millions of Developers

2026-03-31T11:04:00.000-07:00

A sophisticated supply chain attack targeting the widely used Axios npm package has introduced a cross-platform Remote Access Trojan (RAT) affecting Windows, macOS, and Linux systems.

Malicious versions 1.14.1 and 0.30.4 were published using a compromised maintainer account, injecting a hidden dependency designed solely to execute a post-install malware dropper.

Developers are urged to immediately downgrade, remove affected dependencies, and rotate credentials if exposure is suspected.

A Trusted Library Turned Threat Vector

In one of the most impactful npm ecosystem attacks of 2026, threat actors successfully compromised the supply chain of Axios—a library with over 80 million weekly downloads across modern web applications.

Rather than modifying Axios directly, attackers took a more evasive route: injecting a malicious dependency named plain-crypto-js@4.2.1 into two newly published versions.

This dependency was never meant to be used in code. Its sole purpose was to execute a hidden postinstall script, silently deploying malware during package installation.

How the Attack Worked

image from TheHackerNews.com

The compromise began with the takeover of an npm maintainer account, allowing attackers to bypass CI/CD safeguards and publish malicious releases.

Compromised npm account used to publish malicious Axios versions
Injected dependency: plain-crypto-js@4.2.1
Malware triggered automatically via npm postinstall hook
No malicious code present in Axios source itself

This technique made detection extremely difficult, as traditional code reviews showed no suspicious changes in Axios.

Cross-Platform RAT Deployment

Once executed, the malicious installer deployed a sophisticated cross-platform Remote Access Trojan (RAT) tailored to the host operating system.

Attack Flow Overview

Image Attribution: Conceptual supply chain attack flow diagrams. Source: Various security research reports. Adapted from public analyses.

macOS: Downloads and executes a C++ RAT via AppleScript from a remote server
Windows: Uses PowerShell and VBScript to deploy a persistent RAT disguised as system binaries
Linux: Executes a Python-based RAT via shell commands running in the background

Each variant communicates with the same command-and-control (C2) infrastructure, using tailored payload delivery mechanisms per platform.

Stealth and Evasion Techniques

The attackers demonstrated a high level of operational maturity, implementing multiple anti-forensics techniques:

Self-deleting malware after execution
Replacement of package.json to remove evidence
Use of a clean decoy manifest (package.md)
No persistence on macOS/Linux (suggesting rapid data exfiltration)
Registry-based persistence on Windows systems

Notably, the malware maintained a 60-second beacon loop, enabling continuous command execution and system monitoring.

Timeline of the Attack

The operation was carefully staged and executed within hours:

March 30, 2026: Clean dependency version (4.2.0) published
March 30, 2026 (later): Malicious version (4.2.1) released
March 31, 2026: Axios versions 1.14.1 and 0.30.4 published with injected dependency
Within ~39 minutes: Both release branches compromised

Security researchers emphasized that this was a highly coordinated attack, not opportunistic in nature.

Indicators of Compromise (IOCs)

Developers and security teams should immediately check for the following artifacts:

macOS: /Library/Caches/com.apple.act.mond
Windows: %PROGRAMDATA%\wt.exe
Linux: /tmp/ld.py

Additionally, any presence of plain-crypto-js@4.2.1 should be treated as a strong indicator of compromise.

Response and Mitigation

If your environment may be affected, take immediate action:

Downgrade Axios to 1.14.0 or 0.30.3
Remove plain-crypto-js from dependencies
Rotate all credentials and secrets
Audit CI/CD pipelines for exposure
Block outbound traffic to the malicious C2 domain

Organizations should assume full system compromise if RAT artifacts are detected.

Why This Attack Matters

This incident highlights a dangerous evolution in supply chain attacks:

Abuse of trusted ecosystems like npm
Malware hidden in transitive dependencies
Execution triggered automatically during install
Cross-platform targeting at scale

Most importantly, it reinforces a critical lesson:

Even the most trusted dependencies can become attack vectors overnight.

Final Thoughts

The Axios supply chain attack is a stark reminder that modern software development pipelines are only as secure as their weakest dependency.

With attackers increasingly targeting package registries and CI/CD workflows, organizations must adopt stricter controls, including dependency auditing, runtime monitoring, and zero-trust principles within development environments.

As supply chain threats continue to evolve, vigilance—not trust—must become the default.

Additional Information & Further Reading

ClickFix Campaign Delivers Stealthy “DeepLoad” Malware to Hijack Browser Sessions

2026-03-30T19:42:00.000-07:00

A newly uncovered cyber campaign is drawing attention across the security community for its effective blend of social engineering, fileless execution, and stealth persistence. Researchers at ReliaQuest have identified a previously undocumented malware loader, dubbed DeepLoad, that is being distributed via the increasingly popular “ClickFix” tactic—an approach that relies on user interaction rather than software exploits to gain initial access.

The attack begins with a deceptive prompt that convinces users to copy and paste a malicious command into the Windows Run dialog, often under the pretense of fixing a system issue or completing a verification step. Once executed, the command launches PowerShell, which in turn leverages the legitimate Windows utility mshta.exe to retrieve and run an obfuscated payload. This technique allows attackers to bypass many traditional security controls by relying entirely on trusted system tools and user-initiated actions.

At the core of the campaign is DeepLoad’s sophisticated loader, which conceals its true purpose beneath layers of meaningless code and randomized variables. According to researchers, this obfuscation is likely generated with the assistance of artificial intelligence, enabling attackers to rapidly produce unique variants that are difficult for static detection engines to identify. Rather than dropping obvious malicious files to disk, the malware dynamically compiles components in memory using PowerShell’s Add-Type feature, creating temporary DLLs with randomized names that evade file-based detection.

Once active, DeepLoad takes deliberate steps to blend into the operating system. It disguises its activity within legitimate processes such as LockAppHost.exe, disables PowerShell command history to remove forensic evidence, and interacts directly with native Windows APIs instead of relying on monitored scripting functions. To further obscure its presence, the malware employs asynchronous procedure call (APC) injection, launching a trusted process in a suspended state, injecting malicious code into its memory, and then resuming execution—ensuring that no decoded payload is ever written to disk.

The ultimate objective of the campaign is credential theft, but the methods employed go beyond traditional password dumping. DeepLoad extracts stored browser credentials while also deploying a malicious browser extension capable of intercepting login data in real time. This allows attackers to capture active session information, significantly increasing the likelihood of successful account compromise even in environments with stronger authentication controls.

Persistence is another area where DeepLoad distinguishes itself. The malware leverages Windows Management Instrumentation (WMI) to establish covert event subscriptions that can silently re-execute the attack chain long after the initial infection. In observed cases, systems that appeared to be remediated were reinfected days later without any additional user interaction, highlighting the resilience of this approach and its ability to evade conventional detection mechanisms.

Adding to the threat, DeepLoad includes propagation capabilities that enable it to spread via removable media. When a USB device is connected, the malware copies itself using deceptive file names such as “ChromeSetup.lnk” or “Firefox Installer.lnk,” increasing the likelihood that unsuspecting users will execute the malicious payload on other systems.

The discovery of DeepLoad comes amid a broader wave of increasingly sophisticated malware loaders. Researchers have also pointed to emerging threats like Kiss Loader, which uses layered scripting techniques and cloud-hosted payload delivery to deploy remote access trojans. Together, these campaigns reflect a growing trend toward modular, multi-stage malware that relies heavily on legitimate tools, obfuscation, and user interaction to evade detection.

Security experts warn that DeepLoad exemplifies a shift in attacker strategy. Rather than exploiting software vulnerabilities, threat actors are focusing on manipulating users, blending malicious activity with normal system behavior, and maintaining long-term access through stealthy persistence mechanisms. As a result, traditional defenses that rely on signatures or known indicators are becoming less effective, underscoring the need for behavioral monitoring and deeper visibility into system activity.

In this evolving threat landscape, campaigns like DeepLoad demonstrate that the most effective attacks may no longer depend on sophisticated exploits, but instead on subtle deception and the abuse of trusted technologies already present within the operating system.

What Organizations Should Do Next

Defending against campaigns like DeepLoad requires shifting focus from traditional signatures to behavioral visibility and user awareness. Security teams should prioritize the following actions:

Restrict PowerShell abuse
- Enable script block logging and transcription
- Constrain or disable PowerShell where not required
Monitor for LOLBin activity
- Alert on suspicious use of mshta.exe, powershell.exe, and similar binaries
- Look for unusual parent-child process relationships
Audit and detect WMI persistence
- Regularly review WMI event subscriptions
- Alert on newly created or modified WMI consumers and filters
Harden browser security
- Restrict unauthorized browser extensions
- Monitor for unexpected extension installations across endpoints
Improve endpoint visibility
- Ensure EDR solutions track in-memory execution and injection techniques
- Watch for signs of APC injection and reflective DLL loading
Control removable media risks
- Disable or limit USB usage where possible
- Scan and block suspicious shortcut (.lnk) files
Invest in user awareness
- Train users to avoid running commands from untrusted prompts
- Reinforce that legitimate fixes never require copying commands into Run dialogs

As attackers continue to refine techniques like ClickFix and fileless execution, the line between legitimate system activity and malicious behavior is becoming increasingly blurred. Organizations that rely solely on prevention will struggle—those that invest in visibility, detection, and user education will be far better positioned to respond.

AdNauseam: The Ad Blocker That Fights Back

2026-03-29T17:15:00.000-07:00

In a web built on tracking, profiling, and behavioral data, most privacy tools play defense—blocking ads, limiting trackers, and trying to stay invisible. AdNauseam takes a far more aggressive stance. It doesn’t just avoid the system—it actively disrupts it.

Instead of simply hiding ads, AdNauseam quietly clicks them in the background, feeding ad networks a stream of misleading signals. The result is a browsing profile that looks active but means nothing—a deliberate act of data pollution in a system that depends on accuracy.

A Radical Idea with Deep Roots

Launched in 2014, AdNauseam emerged from research into “obfuscation”—the idea that privacy doesn’t always mean hiding, but sometimes means blending in with noise.

It builds on earlier projects like TrackMeNot, which generated random search queries to confuse tracking systems. AdNauseam takes that same concept and applies it directly to online advertising—arguably the most data-driven part of the modern web.

From the beginning, it wasn’t just a tool. It was a statement about who controls user data—and how easily that control can be challenged.

How It Works

On the surface, AdNauseam behaves like a traditional ad blocker. Underneath, it does something very different:

Ads are blocked from view
Clicks are automatically generated in the background
Tracking systems record those clicks as legitimate engagement

This breaks a core assumption in advertising technology: that clicks represent real human intent.

Instead, AdNauseam turns that signal into noise—making it harder for platforms to build accurate behavioral profiles or optimize targeting algorithms.

Collision with the Ad Industry

That approach has put AdNauseam on a direct collision course with the ad ecosystem. In 2017, Google removed the extension from the Chrome Web Store, citing policy violations.

The underlying issue is easy to understand. AdNauseam interferes with systems like Google AdSense, where advertisers pay per click and rely on clean data to measure performance.

By generating automated clicks, the extension introduces:

Distorted campaign metrics
Potential financial waste for advertisers
Uncertainty in platform reporting

Whether that behavior is labeled as fraud or protest depends largely on perspective—but either way, it exposes how fragile the system can be.

The Ethical Trade-Offs

AdNauseam lives in a gray area that few tools dare to occupy.

Supporters argue it’s a necessary response to a web built on surveillance:

It restores a degree of user control
It challenges opaque data collection practices
It turns passive browsing into active resistance

Critics, however, point out real downsides:

It generates intentionally misleading data
It may impact smaller publishers relying on ad revenue
It risks violating platform terms and trust models

It’s not just a technical tool—it’s a philosophical one, forcing users to decide where they stand.

Where It Stands Today

AdNauseam remains available, but its reach is limited. It’s largely absent from mainstream browser ecosystems and exists primarily as a niche, open-source project.

At the same time, broader changes—like stricter browser extension policies—are making tools like this harder to maintain and distribute.

Still, it persists, supported by a small but committed community that sees value in its mission.

Why It Still Matters

Even without mass adoption, AdNauseam highlights a deeper truth about the modern web:

Advertising systems depend on data they assume is trustworthy
That trust can be undermined more easily than expected
Users are no longer limited to passive privacy defenses

It raises a simple but powerful question:

What happens when users stop playing by the rules?

AdNauseam doesn’t just block ads—it challenges the foundation they’re built on.

Try It Yourself

Curious how it works in practice? You can learn more about AdNauseam and download it directly from the official site:

https://adnauseam.io/

Whether you see it as a privacy tool, an experiment, or a form of protest, AdNauseam offers a rare opportunity to experience a different kind of web—one where users don’t just avoid tracking, but push back against it.

Iran‑Linked Hackers Leak FBI Director’s Emails and Strike U.S. Firm

2026-03-28T11:54:00.000-07:00

Threat actors tied to Iran recently breached the personal email account of FBI Director Kash Patel and leaked private emails and photos online, marking a high‑profile intrusion that captured global attention.

In late March 2026, the pro‑Iranian hacking collective known as the Handala Hack Team publicly released hundreds of emails, personal photos, and other documents allegedly taken from Patel’s personal Gmail inbox — claiming that he will now find his name “among the list of successfully hacked victims.” (Reuters)

According to multiple outlets, including Reuters and Tom’s Guide, the FBI confirmed that the director’s personal email was targeted, but emphasized that the material leaked appears to be historical in nature and did not involve any government systems or classified information. (Tom’s Guide) Experts have noted that using a personal account for official tasks can increase exposure to attackers, and this incident highlights that risk even at the highest levels of law enforcement.

The group taking credit — Handala — is widely assessed by analysts to be a pro‑Iranian, pro‑Palestinian persona likely linked to Iran’s Ministry of Intelligence and Security (MOIS), and has been connected with a series of offensive operations that blend hack‑and‑leak tactics with political messaging. The campaign coincides with broader geopolitical tensions involving the United States, Israel, and Iran, and security observers suggest that Handala’s activities aim to embarrass U.S. leadership and signal retaliatory capability in cyberspace. (Wired)

In addition to the email leak, the same actor has claimed responsibility for a destructive cyberattack against medical device giant Stryker, which disrupted its global operations earlier in March. According to Reuters, Stryker reported that manufacturing and internal systems were affected, though its teams have since mostly restored normal operations. (Reuters) Independent reports indicate that compromised credentials, possibly obtained via information‑stealer malware, played a role in facilitating access to enterprise systems and the deployment of wiper‑style destructive malware against endpoints. (SecurityWeek)

Security researchers note that unlike financially motivated cybercrime groups, Handala’s campaign appears to emphasize disruption, psychological impact, and geopolitical messaging rather than direct financial gain. (The Hacker News) WIRED also reported that some claims by the group — like penetrating FBI systems — are unsubstantiated and part of a broader attention‑grabbing strategy designed to amplify fear and misinformation. (Wired)

Beyond high‑profile breaches, authorities say the Handala collective and affiliated Iranian cyber actors have employed a variety of tactics — including social engineering on messaging platforms to deliver malware, use of common communications services for command‑and‑control, and campaigns historically targeting journalists, dissidents, and opposition groups. (The Hacker News) The group’s activities have drawn direct attention from the U.S. Department of Justice, which recently seized several domains linked to MOIS‑aligned infrastructure and is offering a $10 million reward for information on key members, underscoring the seriousness with which U.S. policymakers view this expanding threat.

As the digital battlefield continues to evolve, these incidents highlight how state‑linked cyber actors can leverage both doxing and destructive malware to achieve strategic impact, reminding defenders that threat landscapes are increasingly multifaceted and politically charged. The use of legitimate administrative tools and compromised credentials in these operations also means defenders must be vigilant and proactive to prevent similar incursions in both public- and private‑sector networks.

⚠️ Defanged IoCs (Domains Linked to Handala Hack Team)

handala-hack[.]to — Handala’s primary publishing site for leaks
handala-team[.]to — Alternate clearnet domain resurfaced after domain seizures
justicehomeland[.]org — Seized domain linked to MOIS operations
karmabelow80[.]org — Another seized domain associated with Iranian threat personas
handala-redwanted[.]to — Additional seized domain used for propaganda and claimed hacks

TikTok Business Account Takeover via AitM Phishing and CAPTCHA Evasion

2026-03-27T15:23:00.000-07:00

A recent campaign leverages adversary-in-the-middle (AitM) phishing infrastructure to compromise TikTok for Business accounts by combining credential interception with anti-analysis controls.

The attack flow begins with social engineering designed to drive user interaction. Victims are directed to attacker-controlled infrastructure that impersonates either TikTok for Business authentication flows or recruitment-style portals mimicking legitimate corporate workflows. These pretexts increase engagement rates and reduce suspicion, particularly when combined with contextual elements such as scheduling interfaces or onboarding narratives.

A key technical component of the campaign is the use of a CAPTCHA challenge (Cloudflare Turnstile) as a gating mechanism. This serves multiple purposes:

Prevents automated security crawlers and sandbox environments from accessing the malicious payload Filters traffic to prioritize real user interaction Delays exposure of the phishing content until basic human verification is completed

Once the challenge is solved, the victim is proxied through an AitM framework. This infrastructure operates as a transparent relay between the user and the legitimate service, capturing authentication material in real time. Unlike traditional credential harvesting pages, AitM setups can intercept:

Session cookies Authentication tokens Multi-factor authentication (MFA) responses

This allows attackers to establish authenticated sessions without requiring persistent access to credentials, effectively bypassing MFA protections.

The phishing kits used in these operations are consistent with modern, modular AitM toolkits that dynamically generate target-specific templates and handle session replay. These kits often integrate TLS certificates and domain fronting techniques to improve legitimacy and reduce detection.

In parallel, a separate campaign demonstrates the continued evolution of initial access techniques through file-based delivery. This activity uses SVG (Scalable Vector Graphics) files as the initial vector. While typically treated as static image assets, SVG files can embed active content such as JavaScript, enabling execution when opened in compatible environments.

The infection chain in this case includes:

Delivery of a weaponized SVG attachment disguised as a business document Execution of embedded logic that triggers outbound network communication Retrieval of a secondary payload from a remote endpoint Execution of a compiled malware binary written in Go

The use of SVG provides several advantages:

Lower detection rates due to its classification as an image format Compatibility with multiple rendering environments (browsers, email clients) Ability to embed obfuscated script content

The retrieved payload exhibits characteristics aligned with ransomware-linked tooling, including overlaps in code structure and behavior with previously analyzed families. The use of Go as an implementation language further complicates analysis due to static compilation and cross-platform portability.

Across both campaigns, several themes emerge:

Increased reliance on traffic gating (CAPTCHA, filtering layers) to evade automated defenses Use of legitimate service impersonation combined with real-time proxying to defeat MFA Expansion of non-traditional file formats (e.g., SVG) as initial access vectors Modular, reusable infrastructure enabling rapid adaptation of phishing operations

These techniques reflect a shift toward blending user interaction requirements with layered evasion, making detection dependent on behavioral analysis rather than static indicators.

Math Matters in Cybersecurity: How Statistical Analysis and Anomaly Detection Help Protect Networks and Data

2023-04-05T11:24:00.003-07:00

Cybersecurity is a technical field that requires strong quantitative skills. Math is an important tool in cybersecurity, as it is used to create and maintain secure networks, protect data from attacks, and identify and prevent intrusions. Math also helps cybersecurity professionals to solve complex problems and keep networks and data secure

Some of the math-based concepts used in cybersecurity are:

Statistical analysis: This is the process of collecting, organizing, summarizing, and interpreting data to draw conclusions and make decisions. Statistical analysis can help with detecting malicious behavior or anomalies by analyzing network traffic data and identifying patterns, trends, outliers, and correlations that may indicate an attack or a compromise.
Anomaly detection: This is the technique that uses statistical methods to detect deviations from normal or expected behavior in network traffic data. Anomaly detection can help identify unknown or novel attacks that may not be detected by signature-based methods.
Binary math: This is a mathematical language that uses only the values “0” and “1” in combination.
Hexadecimal math: This is a math-based concept that allows you to count up to any one of 16 different options.
Boolean algebra: This has to do with the values of variables telling the truth.
Cryptography: This is the science of encrypting and decrypting data using mathematical techniques.

Math matters in cybersecurity because it helps cybersecurity professionals to perform their tasks effectively and efficiently. Math also helps cybersecurity professionals to develop critical thinking, problem-solving, and analytical skills that are vital for cybersecurity. An example of how a cybersecurity defender might use statistical analysis is monitoring the network traffic of an organization using a network forensic analysis tool. The tool collects and analyzes various data points, such as the source and destination IP addresses, ports, protocols, packet sizes, and response times of each connection. The tool also uses anomaly detection techniques to flag any suspicious or abnormal connections that may indicate a compromise.

One day, the defender notices that a connection from an internal host to an external IP address has been flagged as anomalous by the tool. The defender decides to investigate further and uses statistical analysis to compare the timing of the connection with other connections from the same host.

The defender calculates the mean and standard deviation of the time interval between each connection from the host in the past week. The defender then compares the time interval of the anomalous connection with the mean and standard deviation values.

The defender finds that the time interval of the anomalous connection is 60 minutes, which is more than three standard deviations below the mean time interval of 180 minutes. The defender also finds that the anomalous connection has been occurring regularly every 60 minutes for the past three days.

The defender concludes that the anomalous connection is likely a result of a compromise, as it shows a significant deviation from the normal behavior of the host. The defender suspects that the host has been infected by malware that is communicating with a command-and-control (C2) server using periodic connections with a fixed time interval to avoid detection.

The defender reports the finding to the security team and initiates a response plan to contain and remediate the compromise.

If you are interested in pursuing a career in cybersecurity, you may want to learn some basic math concepts that are relevant to the field. You can do this by reading books that cover topics such as statistical analysis, anomaly detection, binary math, hexadecimal math, Boolean algebra, cryptography, and more. These books will help you develop the quantitative skills needed for cybersecurity and prepare you for more advanced topics later on.

Practical Statistics for Data Scientists: 50+ Essential Concepts Using R and Python by Peter Bruce and Andrew Bruce: This book covers topics such as exploratory data analysis, correlation and regression, statistical machine learning methods, resampling techniques, clustering methods.
Network Forensics: Tracking Hackers through Cyberspace by Sherri Davidoff and Jonathan Ham: This book covers topics such as network evidence acquisition tools and techniques, network protocols analysis tools and techniques.
The Art of Deception: Controlling the Human Element of Security by Kevin D. Mitnick: This book covers topics such as social engineering tactics and techniques.
Cryptography Engineering: Design Principles and Practical Applications by Niels Ferguson et al.: This book covers topics such as cryptographic algorithms design principles.
The Code Book: The Science of Secrecy from Ancient Egypt to Quantum Cryptography by Simon Singh: This book covers topics such as historical ciphers and codes.

generated by Microsoft's Bing GPT-4 AI

Threat Hunting: A Proactive Approach to Cybersecurity

2023-03-30T17:03:00.006-07:00

Cybersecurity is a constantly evolving field that requires defenders to keep up with the latest threats and techniques of attackers. Traditional security tools, such as firewalls, antivirus, and intrusion detection systems, are often reactive and rely on signatures or rules to detect known threats. However, these tools may not be enough to stop advanced persistent threats (APTs) that can evade detection and remain hidden in a network for months or even years.

That’s why threat hunting is becoming an essential skill for cybersecurity professionals who want to take a proactive approach to protecting their organizations. Threat hunting is the practice of actively searching for and identifying potential threats that may have bypassed the initial security defenses. Threat hunters use various tools and methods, such as threat intelligence, data analysis, machine learning, and hypothesis testing, to look for anomalies, patterns, indicators, or evidence of malicious activity in the network or system.

Threat hunting can provide many benefits for organizations, such as:

Reducing the dwell time and impact of attackers by discovering and eliminating them before they cause damage or exfiltrate data.
Improving the security posture and resilience of the organization by identifying and addressing vulnerabilities and gaps in the security controls.
Enhancing the security awareness and skills of the security team by learning from the attackers’ tactics, techniques, and procedures (TTPs) and applying best practices for threat hunting.
Increasing the confidence and trust of the stakeholders and customers by demonstrating a proactive and mature approach to cybersecurity.

If you are interested in learning more about threat hunting and how to become a successful threat hunter, you can start by following some of these steps:

Learn the basics of threat hunting methodologies, such as intelligence-based hunting , hypothesis-based hunting , and custom hunting. Intelligence-based hunting uses indicators of compromise (IoCs) from sources that gather threat intelligence. Hypothesis-based hunting uses questions or scenarios that reflect possible malicious activity or behavior based on various sources. Custom hunting adapts to the specific context and needs of the organization based on the knowledge of the environment, the assets, the users, the business processes, and the threat landscape.
Familiarize yourself with the common tools and platforms that support threat hunting, such as SIEMs , ELK stacks , YARA , Cuckoo Sandbox, etc. SIEMs are systems that collect and analyze security data from various sources. ELK stacks are platforms that enable data ingestion, processing, storage, and visualization. YARA is a tool that can classify and identify malware based on patterns and rules. Cuckoo Sandbox is a tool that can isolate and analyze suspicious files.
Practice your threat hunting skills by participating in online challenges, simulations, or competitions that provide realistic scenarios and datasets for threat hunting. Some of the open source websites that offer such opportunities are Hack The Box (https://www.hackthebox.eu/), TryHackMe (https://tryhackme.com/), CyberDefenders (https://cyberdefenders.org/), etc.
Join a community of threat hunters who can share their experiences, insights, and resources for threat hunting. Some of the open source websites that offer such communities are Reddit (https://www.reddit.com/r/threathunting/), SANS (https://www.sans.org/cyber-security-community/threat-hunting), Threat Hunting Academy (https://threathunting.academy/), etc.

You can also learn more by the following books from amazon

Practical Threat Intelligence and Data-Driven Threat Hunting by Rashaad Steward: This book covers the fundamentals of threat intelligence and threat hunting, as well as how to use various open source tools and platforms to collect, analyze, visualize, and share threat data. It also provides case studies and exercises to help you apply the concepts and skills in real-world situations.

Threat Hunting: A Practical Guide for Beginners by Chris Sanders: This book provides a step-by-step guide for beginners who want to learn how to perform threat hunting in their networks. It covers the basics of network security monitoring, data analysis, hypothesis generation, and investigation. It also introduces some of the most popular open source tools for threat hunting, such as Wireshark, Bro/Zeek, Suricata, ELK stack, etc.

The Threat Hunting Handbook: A Practical Guide for Security Analysts by David Bianco: This book offers a comprehensive and practical guide for security analysts who want to master the art and science of threat hunting. It covers the theory and practice of threat hunting methodologies, such as intelligence-driven hunting, hypothesis-driven hunting, anomaly-driven hunting, etc. It also explains how to use various open source tools and frameworks for threat hunting, such as YARA, MISP, TheHive/Cortex, etc.

Threat hunting is a rewarding and exciting career path for cybersecurity enthusiasts who want to challenge themselves and make a difference in protecting their organizations. By becoming a threat hunter, you can not only improve your own security skills but also contribute to the overall security of the cyberspace.

generated by Microsoft's Bing GPT-4 AI

How to Get Started with Network Forensics: A Practical Guide

2023-03-30T16:20:00.013-07:00

Network forensics is the science and art of investigating and analyzing network traffic data to discover and recover evidence of cyberattacks. It is a vital skill for anyone who wants to protect their network from hackers, malware, or data breaches. In this article, you will learn the basics of network forensics, such as what it is, why it is important, and how it works. You will also learn about the tools and techniques that network forensics experts use to capture, record, and analyze network packets. By the end of this article, you will have a solid foundation of network forensics knowledge and skills that you can apply to your own network or career. Let’s get started!

Network Forensics

Network forensics is a branch of digital forensics that deals with the analysis of network traffic for various purposes, such as investigating cybercrimes, detecting intrusions, or gathering information. Network forensics involves some basic concepts and techniques, such as:

Network protocols and models: These are the rules and standards that govern how data is transmitted and organized in a network. Examples of network protocols are TCP/IP, Ethernet, Wi-Fi, HTTP, etc. Network models are the conceptual frameworks that describe the layers and functions of network protocols. Examples of network models are OSI and TCP/IP.
Network traffic capture and analysis: This is the process of collecting and examining network data packets that flow through a certain point in the network. Network traffic capture can be done using tools such as Wireshark, tcpdump, etc. Network traffic analysis can be done using tools such as Snort, Bro, etc.
Network packets and headers: These are the units of data that are exchanged between network devices. A network packet consists of a payload (the actual data) and a header (the information that describes the source, destination, protocol, size, etc. of the packet).
Network flow and session data: These are the aggregated and summarized information about network traffic based on certain criteria, such as source and destination IP addresses, ports, protocols, timestamps, etc. Network flow data can be used to monitor network performance, detect anomalies, or identify patterns. Network session data can be used to reconstruct the communication between network devices or applications.
Network artifacts and indicators of compromise: These are the traces or evidence of network activity that can be used to infer or confirm the occurrence of a cyberattack or an intrusion. Examples of network artifacts are log files, DNS queries, HTTP requests, etc. Examples of indicators of compromise are malicious IP addresses, domains, URLs, signatures, etc.

Recommended Books on Network Forensics

Here are a few links to amazon.com books on network forensics that you may find useful:

Network Forensics by Ric Messier: This book provides a practical guide for IT and law enforcement professionals seeking a deeper understanding of cybersecurity. It covers topics such as network packet analysis, host artifacts, log analysis, intrusion detection systems, and more.
Network Forensics: Tracking Hackers through Cyberspace by Sherri Davidoff and Jonathan Ham: This book teaches you how to follow the trail of a hacker through a network using real-world examples and case studies. It covers topics such as TCP/IP fundamentals, wireless hacking, web attacks, malware analysis, encryption cracking, and more.
Hands-On Network Forensics: Investigate network attacks and find evidence using common network forensic tools by Nipun Jaswal: This book helps you learn how to use various network forensic tools to investigate different types of attacks and find evidence. It covers topics such as packet capture and analysis tools, network flow analysis tools, malware analysis tools, honeypots and honeynets, and more.

Network Forensics Use Cases

Network forensics is the science of discovering and analyzing network data for various purposes, such as investigating cybercrimes, detecting intrusions, or gathering information. Network forensics can be applied in different scenarios, depending on the type and source of network data, the objectives and goals of the analysis, and the tools and techniques used. Here are some examples of network forensics use cases in different scenarios:

Malware Analysis

Malware analysis is the process of examining malicious software to understand its functionality, behavior, origin, and impact. Network forensics can be used to support malware analysis by capturing and analyzing network traffic generated by malware samples. This can help to identify malware communication protocols, command and control servers, exfiltration channels, infection vectors, and indicators of compromise. Network forensics can also help to correlate malware activity with other network events or artifacts to establish a timeline of infection or attribution of attackers.

Practical Threat Intelligence and Data-Driven Threat Hunting: A hands-on guide to threat hunting with the ATT&CK™ Framework and open source tools by Valentina Costa-Gazcón

Intrusion Detection and Prevention

Intrusion detection and prevention are the processes of monitoring and protecting a network from unauthorized or malicious access or activity. Network forensics can be used to enhance intrusion detection and prevention by providing evidence of network attacks or anomalies. Network forensics can also help to validate and fine-tune intrusion detection systems (IDS) or intrusion prevention systems (IPS) by analyzing their alerts, logs, or rules. Network forensics can also help to respond to intrusions by isolating or blocking malicious traffic, tracing back the source of attacks, or collecting forensic data for further investigation.

The Foundations of Threat Hunting: Organize and design effective cyber threat hunts to meet business needs by Chad Maurice, Jeremy Thompson, William Copeland, and Anthony Particini

Incident Response and Investigation

Incident response and investigation are the processes of responding to and investigating security incidents that affect a network or an organization. Network forensics can be used to support incident response and investigation by providing information about the nature, scope, impact, and root cause of incidents. Network forensics can also help to preserve and analyze network evidence for legal or regulatory purposes. Network forensics can also help to recover from incidents by restoring normal network operations, removing malicious artifacts, or implementing remediation measures.

Practical Threat Intelligence and Data-Driven Threat Hunting: A hands-on guide to threat hunting with the ATT&CK™ Framework and open source tools by Valentina Costa-Gazcón

Threat Hunting and Intelligence

Threat hunting and intelligence are the processes of proactively searching for and analyzing potential threats or adversaries that target a network or an organization. Network forensics can be used to support threat hunting and intelligence by providing visibility into network activity and behavior. Network forensics can also help to identify unknown or emerging threats or adversaries by discovering new attack patterns, techniques, or indicators. Network forensics can also help to mitigate threats or adversaries by developing countermeasures, sharing threat intelligence, or collaborating with other security teams.

Threat Hunting in the Cloud: Defending AWS, Azure and Other Cloud Platforms Against Cyberattacks by Chris Peiris, Binil Pillai, and Abbas Kudrati

Network Forensics Tools and Resources

Network forensics is the science of discovering and analyzing network data for various purposes, such as investigating cybercrimes, detecting intrusions, or gathering information. Network forensics requires various tools and resources to capture, record, and examine network traffic and events. Here are some of the tools that can be used for network forensics: Network Traffic Capture and Analysis Tools These are the tools that can be used to collect and inspect network data packets that flow through a certain point in the network. These tools can help to identify network protocols, sources and destinations, payloads, headers, timestamps, and other information about network traffic. Some of the popular tools for network traffic capture and analysis are:

• Tcpdump: A command-line tool that can capture and filter network traffic on Unix-based systems. It can save the captured traffic in a file that can be analyzed by other tools such as Wireshark or NetworkMiner.

• Wireshark: A graphical user interface tool that can capture and analyze network traffic on various platforms. It can display the captured traffic in a human-readable format, apply filters, decode protocols, and perform statistics1.

• NetworkMiner: A graphical user interface tool that can extract files, images, messages, certificates, and other artifacts from network traffic. It can also perform host analysis, geolocation, DNS lookup, and protocol identification.

Hands-On Network Forensics: Investigate network attacks and find evidence using common network forensic tools by Nipun Jaswal: This book helps you learn how to perform network forensics using various open source tools such as Wireshark, tcpdump, nmap, and more. It covers topics such as network data acquisition, packet analysis, network protocols, network attacks, malware analysis, and network forensics reporting.

Network Forensics Learning Paths and Opportunities

Network forensics is a fascinating and rewarding field that combines technical skills, analytical thinking, and investigative techniques. Network forensics professionals can work in various sectors such as law enforcement, government, military, private companies, or academia. They can also specialize in different areas such as network traffic analysis, network intrusion detection and prevention, malware analysis, network forensics reporting, and more. To become a network forensics professional, you need to have a solid foundation in networking concepts and protocols, as well as familiarity with various network forensic tools and methods. You also need to have a keen eye for details, a curious mind, and a problem-solving attitude. You can learn network forensics through various sources such as books, courses, certifications, webinars, podcasts, blogs, or online communities. Here are some of the books that can help you learn network forensics:

Network forensics is a growing and rewarding field that offers many opportunities for learning and career advancement. Network forensics professionals can work in various sectors and specialize in different areas of network security. To become a network forensics professional, you need to have a solid foundation in networking concepts and protocols, as well as familiarity with various network forensic tools and methods. You also need to have a keen eye for details, a curious mind, and a problem-solving attitude. You can learn network forensics through various sources such as books, courses, certifications, webinars, podcasts, blogs, or online communities. We hope that this article has given you some useful information and guidance on how to start or improve your network forensics journey. Happy hacking! .

generated by Microsoft's Bing GPT-4 AI

How to think Analytically

2021-01-15T11:44:00.002-08:00

One of the hardest things in being a defensive security analyst is being able to think with your analytical side of your brain. Training your self to think analytically will greatly help you be a great defensive security analyst.

So how are your analytical skills? Analytical thinking is difficult work and its a skill that you can improve upon. The nice thing though is that the more that you do it the easier it will be for you to think analytically. Though before we get into how you can improve thinking analytically lets define what analytics is and the process of thinking analytically (the process that analyst do). Per dictionary.com analytics is

Logic. the science of logical analysis. the analysis of data, typically large sets of business data, by the use of mathematics, statistics, and computer software: the patterns and other meaningful information gathered from the analysis of data

As an analyst we get paid to think about issues and try to figure out what is going on using this part of our brain. So it always good to improve that side of your brain. Some things we is as follows.

Be observant:
Be observant about what is going on in a situation. look for things that might have an effect on the flow of information that created an event. so for example if you have an IR for virus in email. Think about the different stages that caused that IR to pop and how it got into the organization. You might have exchange logs, bro logs, IDS logs, firewall logs, email IPS/virus scanner, desktop AV logs, etc depending on what stage the detection happened and you can investigate whats going on. In every day life just watching what is going on around you. Taking a moment when you are shopping and just watching people and the flow of people and how they are moving around you and how the operation of the store has things set up to manage the people. There are a lot of science around moving people through a store to get the most money out of them while their in store. being observant can help you realize how things are interconnected and the more you learn how they work together the easier it will be fore you to think through the logical steps on an issue.

Learn how things work:
When you start to become more observant you will start to learn how things work more and how things are interconnected. This is critical to being able to think analytically. Because it requires a lot of knowledge to lean on to process in logical steps how the applications and data work together. So if you are hacking a web application its important to know how the form your working with might have underlining security flaws that you can abuse. But as you learn more about how things work it will help you just that knowledge to go through the logical steps where something can be broken.

Ask questions:
One of the best attributes to an analyst is to ask questions. Never be afread to ask question. This will help you learn how things work and can help you think of things that the developers might not have thought about. This is a critial step in offensive security as it helps you process though potential ways to exploit a server that might not have been thought of. In defensive security it helps you ask your self things you might not know the answer to. Someone might see an AV alert and see that the the AV software removed it and end their investigation there. But you might go further and ask your self questions like "how did this file get here?", "are there other files that the AV missed?", "how can i be sure this system is secure now?", etc. Asking your self questions can help expand your own knowledge but can be uncomfortable ask it can cause you more work.

play out situations and solving problems:
Playing games in your head and trying to solve problems will help you learn more about how things work and just practice thinking about things. People don't naturally think because it takes effort. When you put the work in in solving issues it helps you improve in thinking about all the possabilities. If you get the chance to do root cause analysis it will help work though problems to find out what truely caused the issue. When ever you get a chance to problem solve jump at it. because the more you solve problems the easier it will be for you to think analytically.

Think about your decisions:
Thinking about your decisions is a great way to ask questions like "what if?". Thinking about your decisions might not be the easiest because a lot of times when we make a decision we want to put the situation behind us because why waste more time on something thats resolved? well it not a waste if it can help you improve and think of potential things that you might have missed in your intial analysis. Reworking things you have done before helps you find mistakes you might have made and improve your self and your work.

Working on your analytical side of your brain is something that can help you in all parts of your life. Analytical thinking is part of the greater critical thinking process. It doesn't matter what job you are in analytical thinking will help you improve and I highly recommend anyone work on improving this side of your brain as it can only benefit you. In the security world we live on analytical thinking and we need to excel at it to do well in the field. If your wanting to be an expert in the field then practice these things and you will get there in no time.

if your are looking for ways to improve your learning how things work we have a few articles here that can help.
if you are just starting out
College not required: A guide to starting in InfoSec
if your looking for more
Information Security Training

What I been up to

2019-05-21T10:55:00.001-07:00

Figured I would talk about what I been up to these past few years and why I haven't been posting much.

Over the past 3 years I have started doing a new IT security for a startup that has taken a lot of my processing cycles and haven't had much time to focus on creating new content on here. Along with the G+ change and trying to figure out were I would end up has kinda made me unmotivated to really continue creating articles. I tried to start over on MeWe after the G+ shutdown though that just been as hard to start from scratch again. Though even though I have one of the largest Technology groups on the site its a fraction of the 256k member community I had on G+. Though if you like to join here is a link.

Over the past few years I been focusing on a lot of different topics in life between moving and trying to figure out what I want to do. I have moved up quickly in my career to the point I am doing less technical work and more managerial and training new security professionals. This definitely has effected my motivation to post more as an INTJ it takes a bit out of me doing teaching. But with that note I was asked by my coworkers to try to start writing more and explaining complex problems in defensive security. So I am going to try to make an effort to write more and try to do some video tutorials or just podcast type of videos on youtube.

Hope that all this will help you all continue improving your skills as it will improve mine to do it.
Thanks,
Josh

Information Security Training

2017-07-18T12:50:00.000-07:00

Here is some training information for the cyber security analyst may need to know to be effective at monitoring the network of an organization. This is just a stripped down and formatted a little different than some of the other articles that I have written before. Lot of the resources will be the same.

Direct link:https://embed.coggle.it/diagram/WUfi54WDXgAB6iGY/71cb408b42237284e247877557b9e4a4835f81ad556bed46d8e9e2840a8e8230

Table of Content

Education Resources (general) 1

News. 1

Casual Reading. 2

Research. 2

Tools. 2

Education. 2

Threat Maps (pew pew pew) 2

Security Specific. 4

Python. 4

Regular Expressions. 4

Ruby. 4

Assembly. 4

Web. 5

Bash. 5

Powershell 5

Offensive Security/Red Team.. 6

Setting up Lab: 6

Learning Exploit process and testing: 6

For more additional resources for labs check out 6

Information Gathering: 6

Phase 1.1 - People and Organizational 7

Phase 1.2 - Infrastructure. 7

Analysis and Planning: 7

Vulnerability Identification: 7

Exploitation: 8

Dump Windows Password Hashes. 8

Windows Passing The Hash. 8

Windows Privilege Escalation. 8

Exploit Development: 8

Post Exploitation: 8

Linux Privilege Escalation. 9

Tunneling & Port Forwarding. 9

Reporting: 9

Standards: 10

Offensive Security Classes that aren't dedicated resources: 10

General Security sites: 10

Malware Analysis/Reverse Engineering. 11

Analysis: 11

Dynamic Analysis. 11

Static analysis. 11

Network Analysis. 11

Automated malware analysis: 12

online. 12

Distros. 12

Tools: 12

Book Recommendations. 13

Splunk. 13

Monitoring/IR/Network Forensics. 14

Pentesting. 14

Traditional Forensics. 15

Application Security. 15

Exploit Creation. 15

Web Security. 15

Mobile Security. 16

Reverse Engineering/Malware Analysis. 16

Education Resources (general)

Look at the subpages for a topic and resources for learning it.

News

· https://www.reddit.com/r/netsec/

· https://isc.sans.edu/

· http://www.tripwire.com/state-of-security/latest-security-news/

· https://securelist.com/

· http://www.securityweek.com/

· http://blog.onapsis.com/

· http://www.darkreading.com/rss_simple.asp

· http://blog.didierstevens.com/

· http://firmwaresecurity.com/

· http://feeds.feedburner.com/GrahamCluleysBlog

· http://feeds2.feedburner.com/HelpNetSecurity

· http://feeds.feedburner.com/infosecResources

· http://krebsonsecurity.com/

· http://blog.malwarebytes.org/

· http://www.malwaretech.com/feeds/posts/default

· http://blogs.technet.com/b/msrc/rss.aspx

· http://feeds.feedburner.com/NakedSecurity

· http://feeds.feedburner.com/PCSympathy?format=xml

· http://seclists.org/rss/pen-test.rss

· http://googleprojectzero.blogspot.com/feeds/posts/default

· http://securityblog.redhat.com/

· http://research.zscaler.com/feeds/posts/default

· https://www.schneier.com/blog/atom.xml

· http://securityaffairs.co/wordpress/feed

· https://www.pentestpartners.com/blog/

· https://www.trustwave.com/rss/SpiderLabs-Blog

· http://thehackernews.com/feeds/posts/default

· http://feeds.feedburner.com/tripwire-state-of-security

· http://threatpost.com/en_us/rss.xml

· http://feeds.feedburner.com/TroyHunt

· http://feeds.feedblitz.com/alienvaultotx

· http://blog.gentilkiwi.com/feed

· http://www.bulbsecurity.com/

· http://cybersecology.com/atom/

· http://davidjorm.blogspot.com/feeds/posts/default?alt=rss

· http://labs.detectify.com/rss

· http://www.hotforsecurity.com/blog/category/e-threats-2/feed

· http://kalypto.org/

· https://technet.microsoft.com/en-us/security/rss/advisory

· https://community.rapid7.com/community/metasploit/blog/feeds/posts

· https://www.blogger.com/feeds/2059619926966266961/posts/default

· http://blog.silentsignal.eu/

· http://blog.strategiccyber.com/

· http://opensecuritytraining.info/ChangeBlog/rss.xml

Casual Reading

· http://arstechnica.com/

Research

· http://www.cl.cam.ac.uk/research/security/

Tools

· https://www.alienvault.com

· https://regex101.com/

· https://malwr.com/

Education

· https://fedvte.usalearning.gov/
only available to USA Federal Employees but has free resources for them

Threat Maps (pew pew pew)

· https://www.stateoftheinternet.com/trends-visualizations-ip-reputation-client-reputation-for-website-security-global-map-of-attacking-ip-addresses.html

· https://www.fireeye.com/cyber-map/threat-map.html

Network Overview

Pcap Analysis & Network Hunting

Flow Analysis & Network Hunting

Introduction to Network Forensics

From USAlearning.gov

Cisco CCNA

Cisco CCENT

LAN Security Using Switch Features

Network Layer 1 & 2 Troubleshooting

Network Monitoring with Open Source Tools

SiLK Traffic Analysis

Wireless Network Security

Security and DNS

Securing the Network Perimeter

Advanced PCAP Analysis and Signature Development (APA)

Introduction and Layer 1

Layer 2 - Data Link

Layer 3 - Network, Part 1: Addressing & Masking

Layer 3 - Network, Part 2: Routing

Layer 3 - Network, Part 3: Communication

Layer 4 - Transport

Layers 5 & 6 - Session and Presentation

Layer 7 - Application

Inter-Layer Communication & Conclusions

Router Hacking Series

Wireless LAN Security and Penetration Testing Megaprimer

Scripting & Programming

Security Specific

Intro to Secure Coding	A short, focused primer related to secure coding.
Secure Coding

Python

Python Training	Codecademy's browser-based, interactive Python training.
Python Training	LearnPython.org's browser-based, interactive Python training.
Python Tutorials	Primal Security's InfoSec focused Python tutorials.
Offensive Python for Web Hackers	Create your own clients, tools, and test cases using Python.
Learn Python The Hard Way	Free digital copy of the third edition of Zed Shaw's Python book.
Python for Security Professionals

Regular Expressions

regex101.com helps explain what your regex does

regexone.com well walk you through tutorials to learn it.

Ruby

Ruby Training

Assembly

Introductory Intel x86: Architecture, Assembly, Applications, & Alliteration

Introductory Intel x86-64: Architecture, Assembly, Applications, & Alliteration

Introduction to ARM

Intermediate Intel x86: Architecture, Assembly, Applications, & Alliteration

Advanced x86: Virtualization with Intel VT-x

Advanced x86: Introduction to BIOS & SMM

Assembly Language Megaprimer for Linux

Windows Assembly Language Megaprimer

Web

PHP - Introduction

PHP - Syntax & Variables

PHP - Operators

PHP - Flow Control

Basic Web Security

Installing Apache & PHP

Bash

Scripting Introduction & Linux Review

Variables & Parameters

Flow Control

Parsing & Scripting

Practical Uses & Conclusion

Powershell

Introduction to PowerShell

Cmdlets

Scripting, Variables and Syntax

Flow Control

Practical Uses & Conclusion

No Tools No Problem Building a PowerShell Botnet – Christopher Cambell

Grey Hat Powershell – Ben0xA

Practical PowerShell Programming for Professional People – Ben0xA

Powershell Fu with Metasploit – Ben Turner & Dave Hardy

Building an empire with Powershell -Will Schroeder & Justin Warner

From USAlearning.gov

Introduction to Windows Scripting

Advanced Windows Scripting

Offensive Security/Red Team

Setting up Lab:

Learning Exploit process and testing:

Vulnerable web Service

Broken Web Application

Setting up a Penetration Testing Labs

https://www.owasp.org/index.php/OWASP_Web_Testing_Environment_Project

https://code.google.com/p/owaspbwa/

https://www.mavensecurity.com/web_security_dojo/

http://hackingdojo.com/dojo-media/

http://informatica.uv.es/~carlos/docencia/netinvm/

http://www.bonsai-sec.com/en/research/moth.php

http://sourceforge.net/projects/metasploitable/files/Metasploitable2/

http://sourceforge.net/projects/lampsecurity/?source=navbar

https://www.hacking-lab.com/index.html

http://sourceforge.net/projects/virtualhacking/files/

http://www.irongeek.com/i.php?page=mutillidae/mutillidae-deliberately-vulnerable-php-owasp-top-10

http://www.dvwa.co.uk/

http://sourceforge.net/projects/thebutterflytmp/

http://magikh0e.ihtb.org/pubPapers/

For more additional resources for labs check out

http://www.amanhardikar.com/mindmaps/Practice.html

Information Gathering:

Penetration Testing Information Gathering

https://en.wikipedia.org/wiki/Open-sourceintelligence

http://www.spylogic.net/2009/10/enterprise-open-source-intelligence-gathering-part-1-social-networks/

http://www.spylogic.net/2009/10/enterprise-open-source-intelligence-gathering-%E2%80%93-part-2-blogs-message-boards-and-metadata/

http://www.spylogic.net/2009/10/enterprise-open-source-intelligence-gathering-part-3-monitoring/

http://www.slideshare.net/Laramies/tactical-information-gathering

http://www.infond.fr/2010/05/toturial-footprinting.html

Phase 1.1 - People and Organizational

http://www.spokeo.com/

http://www.spoke.com/

https://www.xing.com/

http://www.zoominfo.com/

https://pipl.com/

http://www.zabasearch.com/

http://www.searchbug.com/

http://skipease.com/

http://addictomatic.com/

http://socialmention.com/

http://entitycube.research.microsoft.com/

http://www.yasni.com/

http://www.glassdoor.com/index.htm

https://connect.data.com/

https://searchwww.sec.gov/EDGARFSClient/jsp/EDGAR_MainAccess.jsp

https://www.tineye.com/

http://www.peekyou.com/_

EDGAR

Phase 1.2 - Infrastructure

http://uptime.netcraft.com/

http://www.shodanhq.com/

http://www.domaintools.com/

http://centralops.net/co/

http://whois.webhosting.info/

https://www.ssllabs.com/ssltest/analyze.html

https://www.exploit-db.com/google-hacking-database/

http://www.my-ip-neighbors.com/

https://tools.digitalpoint.com/

Analysis and Planning:

Vulnerability Identification:

Introduction to Vulnerability Assessment

Introduction To Using The Nessus Vulnerability Scanner

OpenVas Tutorial

https://www.cybrary.it/course/advanced-penetration-testing/ select module 5

Nessus

Nmap scripting engine

Metasploit

Webapp, xampp, webdav, nikto

Directory transversals

Corelan Exploits – Corelan Team

Opensecurity Training Playlist – Opensecurity training

Primal Security Exploit Tutorials – Primal Security

FuzzySecurity Tutorials – FuzzySecurity

Metasploit exploit development – Rapid7

Jumping into exploit development – Sneakerhax

Moving past Metasploit writing your first exploit – Calvin Hedler

Post Exploitation:

Post Exploitation Hacking

Powerup: A usage guide – harmj0y

Metasploit Local Exploit Suggester: Do Less, Get More! – Rapid7

My 5 Top Ways to Escalate Privileges – SpiderLabs

Basic Linux Privilege Escalation – g0tmi1k

Encyclopedia Of Windows Privilege Escalation – Brett Moore

Windows Attacks AT is the new black – Mubix (Rob Fuller) & Carnalownage (Chris Gates)

Windows Privilege Escalation Fundamentals – Fuzzysecurity

Post Exploitation Wiki – Mubix

Post Exploitation 2.0 Veil-Pillage Defcon 22 – Harmj0y

I Hunt Sys Admins – Harmj0y

Tactical Post Exploitation – Carlos Perez

Abusing Active Directory in Post Exploitation – Carlos Perez

Pillage the Village Redux – John Strand and Ed Skoudis

Operating in the Shadows – Carlos Perez

Linux Privilege Escalation

http://incolumitas.com/wp-content/uploads/2012/12/blackhats_view.pdf

http://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation.html

http://pentestmonkey.net/tools/audit/unix-privesc-check

http://www.rebootuser.com/?page_id=1721

http://www.rebootuser.com/?p=1758

http://www.rebootuser.com/?p=1623

http://insidetrust.blogspot.nl/2011/04/quick-guide-to-linux-privilege.html

Tunneling & Port Forwarding

https://www.sans.org/reading-room/whitepapers/testing/tunneling-pivoting-web-application-penetration-testing-36117

https://highon.coffee/blog/reverse-shell-cheat-sheet/

https://highon.coffee/blog/ssh-meterpreter-pivoting-techniques/

http://staff.washington.edu/corey/fw/ssh-port-forwarding.html

http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

http://magikh0e.ihtb.org/pubPapers/ssh_gymnastics_tunneling.html

http://www.debianadmin.com/howto-use-ssh-local-and-remote-port-forwarding.html

http://www.danscourses.com/Network-Penetration-Testing/metasploit-pivoting.html

http://carnal0wnage.attackresearch.com/2007/09/using-metasploit-to-pivot-through_06.html

http://www.offensive-security.com/metasploit-unleashed/Portfwd

http://www.offensive-security.com/metasploit-unleashed/Pivoting

http://www.howtoforge.com/reverse-ssh-tunneling

http://ftp.acc.umu.se/pub/putty/putty-0.57/htmldoc/Chapter7.htmla_

Reporting:

Reporting Standards

Dradis

https://www.youtube.com/watch?v=tH01_5-Tkg0

magictree

Metasploit report generation

CobaltStrike Reports

Standards:

Pentest Standards

Offensive Security Classes that aren't dedicated resources:

Penetration Testing and Ethical Hacking

Security+

Red Teaming Basics - older

Advanced Threat Tactics -newer

Cryptography

Understanding Cryptology: Core Concepts

Understanding Cryptology: Cryptanalysis

Advanced Penetration Testing

CASP

CISSP

Intro to Malware Analysis and Reverse Engineering

Metasploit

Social Engineering and Manipulation

Android Forensics & Security Testing

Introduction to Vulnerability Assessment

Certified Information Systems Security Professional (CISSP)® Common Body of Knowledge (CBK)® Review

Metasploit Unleashed

General Security sites:

SecurityTube.net

Exploit Database

Hacking Tutorials

Information Security tools and resources

Malware Analysis/Reverse Engineering

Analysis:

Intro to malware analysis and reverse engineering

Dynamic Analysis

Dynamic Malware Analysis

Static analysis

Reverse Engineering Malware

Network Analysis

Intro to Network Forensics

Flow analysis and Network Hunting and videos can be found here

PE and Elf file Structure

Malware Researchers Handbook

Automated malware analysis:

https://www.cuckoosandbox.org/

online

https://www.payload-security.com/

https://www.virustotal.com/

https://malwr.com/

Distros

SIFT

Remnux

Tools:

RegShot is for comparing differences in registry and filesystem from clean state to after malware was installed to see what happened.

WinAPIOverride helps you follow the injection process of dlls and api calls for a running process to see what it did and where it went.

wireshark to identify network traffic and if it is calling out.

netstat is a built in tool in windows to tell what connections and ports are open on the computer. common command is netstat -anob

sysinternals suite has lots of tools like process monitors and what not to help identify what is going on on the computer.

Gmer can help detect hidden files and rootkits that may be hiding.

virtual box is important for keeping malware isolated. granted other VMs could work to as long as you can limit them to the host network and can't get out to compromise other machines.

CFF Explorer Suite is a tool to explore the PE file and DLLs. this will help you explore a exe file and what dlls that it is loading or has packaged with it.

Sigcheck helps you check and verify the signatures on files to see if a dll is signed by microsoft or vendor or if its unsigned and not legitimate file.

attrib command is very useful for changing attributes via command line.

API Monitor is a way to track and monitor applications that track api calls.

Book Recommendations

Splunk

Splunk Developers Guide (Released 5/2015 - ISBN 1785285297)

Splunk Essentials (Released 2/2015 - ISBN 1784398381)

Building Splunk Solutions, 2nd Edition (Released 10/2015 - ISBN 1514615746)

Splunk Operational Intelligence Cookbook (Released 10/2014 - ISBN 1849697841)

Implementing Splunk, 2nd Edition - (Released 7/2015 - ISBN 1784391603)

Monitoring/IR/Network Forensics

Data-Driven Security: Analysis, Visualization and Dashboards (Released 3/2014 - ASIN B00MXHAU8A)

Network Security Through Data Analysis: Building Situational Awareness (Released 2/2014 - ISBN 1449357903)

The Practice of Network Security Monitoring (Released 8/2013 - ISBN 1593275099)

Practical Packet Analysis: Using Wireshark to Solve Real-World Network Problems (Released 7/2011 - ISBN 1593272669)

Applied Network Security Monitoring: Collection, Detection, and Analysis (Released 12/2013 - ISBN 0124172083)

Crafting the InfoSec Playbook: Security Monitoring and Incident Response Master Plan (Released 5/2015 - ISBN 1491949406)

Silence on the Wire: A Field Guide to Passive Reconnaissance and Indirect Attacks (Released 4/2005 - ISBN 1593270461)

The Computer Incident Response Planning Handbook: Executable Plans for Protecting Information at Risk (Released 8/2012 - ISBN 007179039X)

Security Operations Center: Building, Operating, and Maintaining your SOC (Released 11/2015 - ISBN 0134052013)

Network Forensics: Tracking Hackers through Cyberspace (Released 6/2012 - ISBN B008CG8CYU)

Wireshark 101: Essential Skills for Network Analysis (Released 2/2013 - ISBN 1893939723)

Pentesting

Nmap Network Scanning: The Official Project Guide to Network Discovery and Security Scanning (Released 1/2009 - ISBN 0979958717)

Hacking Exposed 7: Network Security Secrets and Solutions (Released 8/2012 - ISBN 0071780289)

Gray Hat Hacking The Ethical Hacker's Handbook, Fourth Edition (Released 1/2015 - ISBN 0071832386)

The Browser Hacker's Handbook (Released 3/2014 - ISBN 1118662091)

Metasploit: The Penetration Tester's Guide (Released 7/2011 - ISBN 159327288X)

Traditional Forensics

Real Digital Forensics: Computer Security and Incident Response (Released 10/2005 - ISBN 0321240693)

Forensic Discovery (Released 1/2005 - ISBN 0321703251)

Windows Forensic Analysis Toolkit, 4th Edition (Released 4/2014 - ISBN 0124171575)

The Art of Memory Forensics (Released 7/2014 - ISBN 1118825098)

File System Forensic Analysis (Released 3/2005 - ISBN 0321268172)

Application Security

The Art of Software Security Assessment (Released 11/2006 - ISBN 0321444426)

A Bug Hunter's Diary (Released 11/2011 - ISBN 1593273851)

Fuzzing: Brute Force Vulnerability Discovery (Released 7/2007 - ISBN 0321446119)

Exploit Creation

Hacking: The Art of Exploitation, 2nd Edition (Released 2/2008 - ISBN 1593271441)

The Shellcoder's Handbook: Discovering and Exploiting Security Holes, 2nd Edition (Released 8/2007 - ISBN 047008023X)

Web Security

The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws, 2nd Edition (Released 9/2011 - ISBN 1118026470)

The Tangled Web: A Guide to Securing Modern Web Applications (Released 11/2011 - ISBN 1593273886)

Mobile Security

Android Hacker's Handbook (Released 3/2014 - ISBN 111860864X)

Android Security Internals: An In-Depth Guide to Android's Security Architecture (Released 11/2014 - ISBN 1593275811)

iOS Hacker's Handbook (Released 5/2012 - ISBN 1118204123)

Hacking and Securing iOS Applications: Stealing Data, Hijacking Software, and How to Prevent It (Released 1/2012 - ISBN 1449318746)

Reverse Engineering/Malware Analysis

The IDA Pro Book: The Unofficial Guide to the World's Most Popular Disassembler (Released 7/2014 - ISBN 1593272898)

Reversing: Secrets of Reverse Engineering (Released 4/2005 - ISBN 0764574817)

Practical Reverse Engineering: x86, x64, ARM, Windows Kernel, Reversing Tools, and Obfuscation (Released 2/2014 - ISBN 1118787315)

Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software (Released 3/2012 - ISBN 1593272901)

Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code (Released 11/2010 - ISBN 0470613033)


Cyber Security Analyst Mind Map

Splunk Extreme Search - xsCreateDDContext & xsWhere

2016-10-30T17:21:00.002-07:00

Splunk has the ability to do some very impressive searches to help with statistical analysis. Some of those functions are not very well documented by Splunk's own internal documentation. I am going to go over a few commands and how they can be used.

To start off, if you haven't heard of, or used extreme search in Splunk, here is some documentation. Extreme search is meant to provide dynamic thresholds and context awareness, when doing searches for IR, key indicators, and more.

Let's go over how to use a build own context and concepts. A "concept" is an idea represented by a concept. What this an mean for example is Very Low, Low, Normal, High, and Extreme. So instead of saying, in a search, > n you can say "is above High" to define your search. A "Context" is a collection of terms that form a view of knowledge.

One of the commands I like a lot is xsCreateDDContext (side note if you search for this you get 2 results... this article will make 3). The xsCreateDDContext builds a data driven context which contains concepts based on a variety of methods of mapping qualitative semantics to the data.

Here is a simple example of this. You can create rolling statistical analysis of our windows security events and create a standard deviation chart for each event code by computer.

example of this could be the following:

index=winevents source="WinEventLog:Security" earliest=-30d@d latest=-1d@d | fields _time, ComputerName, EventCode | bin span=1d _time |stats count as Event_Code_Count by ComputerName, EventCode | `context_stats(Event_Code_Count,EventCode)` |eval min=0 | xsCreateDDContext name=Event_Code_Count_by_ComputerName_1d type=domain terms=`xs_default_magnitude_concepts` class=EventCode scope=app

It checks your windows security events over the last 30, days then takes the time, computername, and eventcode. then it will do stats on these, with buckets of 1 day spans and count. From there, the context_stats goes through and does just your standard deviation charts, based on the event code count and the event code. This will provide a lot of statistics. Since personally I want the min to be 0, I am overriding the statistics to be 0. From there, I am going to create the data driven context. Do a domain type and define the class and the terms.

Define more terms because Splunks documentation is bad.

type: can be one of two things
average_centered - Centers the context on the average and uses size. to scale term sizes
domain - the default, centers the set on (max-min)/2 and scales the context to cover the whole domain
class: a comma separated list of classes
We could provide all the event codes that windows could generate or, as I did above, just populate the list from the field, which has some downsides but is easier.

Now that we created this context, let's view it.
|xsDisplayContext Event_Code_Count_by_ComputerName_1d by 517

We should see a chart that looks something like this (this is just an example, not what above code would generate)

This is great; and we can use this information in other searches like IR searches to create alerts for security analysts, when something goes to the extreme, for your specific organization.

Here is how to create an IR type of search.
index=winevents source="WinEventLog:Security" |fields _time, ComputerName, EventCode | bin span=1d _time |stats count as Event_Code_Count by ComputerName, EventCode| xsWhere Event_Code_Count FROM Event_Code_Count_by_ComputerName_1d by EventCode is above High

This search pulls up a day worth of logs and searches for ComputerNames that have abnormally extreme amount of a particular Security EventCode. Since this is abnormal for your Organizations Environment, over the last 30 days, you will probably want to find out what is causing it. Is it just a new software that is failing? Or is it because of a compromise; or is it just a bug in the system?

Extreme search allows you to leverage simple statistical analysis, and make it more dynamic and tuned for your organizations environment.

Happy Hunting,
Local Tech Repair Admin

PS:
Please comment with questions and I can answer where I can. I am a certified Splunk admin, but I do not work for Splunk so if you have detailed questions it may be best to ask Splunk support. If you learn something useful, please let the community know, so we can all learn to build better defenses.

I will probably write an article on how to leverage Machine Learning for your environment, to better detect security anomalies and leverage it for threat hunting.

How to create notable events via correlation search/manually in Splunk

2016-08-21T17:22:00.000-07:00

One of the main things that you can do with Splunk Enterprise Security is dealing around the Incident Review dashboard. You can customize this to be the most helpful to you when doing threat hunting. One of the ways is to automate your searches to create notable events automatically so that you don't have to continually look for them.

To be able to create a Correlation Search you will want to go to ES -> Configure -> Content Management

From there you will want to Create New Content -> Correlation Search

From this we need something to put in it.
Lets take a simple example of detecting brute forcing in the network that falls outside of normal activity in the network.
Lets say we searched Splunk to find out what our statistics would be over a 90 day period to give it a good baseline for our organization.
index=winevents* (EventCode=4625 Sub_Status=0xc000006a) OR EventCode=529 user=* |bin _time span=1h | stats count by _time | stats perc80(count), perc95(count), perc99(count), perc99.9(count), avg(count)
The 99.9th percentile would be 12900 which is fairly anomalous happening so shouldn't trigger to often less something is actually happening being it a miss configuration or actual attack, both would be useful to know.
We then could create a correlation search with that information.
index=winevents* (EventCode=4625 Sub_Status=0xc000006a) OR EventCode=529 user=* | stats count | where count > 12900 | `get_event_id` | `map_notable_fields`

With that information we can start filling out the correlation search details.
Name: excessive login failures
Description: Detected a high number of login failures
Search: index=winevents* (EventCode=4625 Sub_Status=0xc000006a) OR EventCode=529 user=* | stats count | where count > 12900 | `get_event_id` | `map_notable_fields`
Start Time: -65m
End Time: -5m
Cron Schedule: 0 * * * *

Check Create Notable Event
Fill out the information there like you would want it to show up in IR.
Title: excessive login failures
Description: Detected a high number of login failures
Security Domain: Access
Severity: what ever you feel it should be
Drill Down Search: index=winevents* (EventCode=4625 Sub_Status=0xc000006a) OR EventCode=529 user=*

If you use the Risk Scoring you can fill out that information to further give more weighting to it.

Once this is saved Splunk will start to create IR events whenever the threshold of our where statement is passed.

Another thing you can do is creating Notable Events arbitrarily. You can do this in 2 different ways. First you can go to ES -> Configure -> Incident Management -> New notable Event
This will give you the raw information needed to create one.

Next would be to use an event from a search. Once you have your search and events back you can expand the event and click on the Event Actions -> Create Notable Event which will bring you to the same screen as before. This allows you to create IR events that can be feed into a investigation or just help spread the work around and keep track of things that may not currently have a correlation search built for it yet.

Hope this helps you with your Splunking.

Ethical Hacking Bookmarks

2016-04-03T19:25:00.002-07:00

Since Null byte group had a user get their wonderful post down and things really don't disappear from the internet after they been up here is their bookmark post of wonderful links for ethical

So here is the article by author Dox Sec who looks to have disappeared. Original
My security bookmarks collection.
All that things I need to pass OSCP, i think =)
Contents
Security Blogs
Security Forums
Tor Onion Links
Security Methodologies
Training/Classes/Video
Pentest Tools
Pentest Lab ISO-VMs
Metasploit
Net Scanners
Man-in-the-middle attack
Phase 1 - Reconnaissance: Information Gathering before the Attack
Phase 1.1 - People and Orginizational
Phase 1.2 - Infastructure
Phase 1.2 - Tools
Phase 2 - Enumeration: Finding Attack Vectors
Phase 3 - Exploitation: Verifying Security Weaknesses
Dump Windows Password Hashes
Windows Passhing The Hash
Windows Previlige Escalation
Linux Previlige Escalation
Tunneling & Port Forwarding
XSS Cheat Codes
WebShells
SQLi General Resources
MySQLi Resources
MSSQLi Resources
Oracle SQLi Resources
Postgres SQLi Resources
SQLite Resources
RFI/LFI Tutorials
NASM Tutorial
Buffer Overflow Tutorial
Exploit Development
Exploits and Shellcodes
Reverse Engineering
OS Cheat Sheets and Script Syntax
Passwords Wordlists, Hashes, Tools
InfoSec Hiring
IT Certifications
Links Collections
Books
Security Blogs
My Security OPML

Security Forums
http://securityoverride.org/forum/index.php
https://www.hackthissite.org/forums/index.php
https://www.ethicalhacker.net/forums/index.php
https://evilzone.org/
http://forum.antichat.ru/
https://forum.xeksec.com/
https://rdot.org/forum/
https://forum.zloy.bz/
https://forum.reverse4you.org/
https://rstforums.com/forum/
http://www.truehackers.ru/forum/index.php
http://garage4hackers.com/forum.php
https://www.hellboundhackers.org/
http://www.lockpicking101.com/
https://www.xploitworld.com/index.php

Tor Onion Links
http://www.hiddenwiki.info/

Security Methodologies
http://www.vulnerabilityassessment.co.uk/Penetration%20Test.html
http://www.pentest-standard.org/index.php/Main_Page
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
http://yehg.net/lab/pr0js/misc/wasarg_owasp-tgv4_with_ref.php
http://www.social-engineer.org/
http://projects.webappsec.org/w/page/13246927/FrontPage

Training/Classes/Video
https://exploit-exercises.com
https://www.cybrary.it/cyber-security/
http://www.irongeek.com/i.php?page=videos/aide-winter-2011
https://lab.pentestit.ru/pentestlabs/3
https://trailofbits.github.io/ctf/
http://ctf.forgottensec.com/wiki/?title=Main_Page
http://smashthestack.org/
http://ctf.hcesperer.org/
https://www.google.com/calendar/feeds/noge7b1rg2dg4a8kcm1k68vbjg@group.calendar.google.com/public/basic
https://www.google.com/calendar/embed?src=pe2ikdbe6b841od6e26ato0asc@group.calendar.google.com&gsessionid=OK
https://crypto.stanford.edu/cs155/
https://www.offensive-security.com/metasploit-unleashed/
http://www.irongeek.com/i.php?page=videos/metasploit-class
http://www.securitytube.net/
http://resources.infosecinstitute.com/
https://www.cs.fsu.edu/~redwood/OffensiveSecurity/lectures.html
https://www.youtube.com/watch?v=Sye3mu-EoTI
https://www.youtube.com/watch?v=GPjcSxyIIUc
https://www.youtube.com/watch?v=kPxavpgos2I
https://www.youtube.com/watch?v=pnqcHU2qFiA
http://www.securitytube.net/video/7640
https://www.youtube.com/watch?v=y2zrEAwmdws
http://www.securitytube.net/video/7735

Pentest Tools
https://github.com/pwnwiki/pwnwiki.github.io
https://github.com/sbilly/awesome-security
https://github.com/paragonie/awesome-appsec
https://github.com/enaqx/awesome-pentest
https://github.com/kahun/awesome-sysadmin#security
http://beefproject.com/
https://xsser.03c8.net/
https://code.google.com/p/fuzzdb/
https://www.owasp.org/index.php/Category:OWASP_Fuzzing_Code_Database#tab=Statements
http://w3af.org/
https://code.google.com/p/skipfish/
https://www.sans.org/reading-room/whitepapers/testing/fuzzing-approach-credentials-discovery-burp-intruder-33214
https://www.securityninja.co.uk/hacking/burp-suite-tutorial-the-intruder-tool/
http://www.justanotherhacker.com/projects/graudit.html
https://packetstormsecurity.com/files/tags/tool

Pentest Lab ISO-VMs
http://www.amanhardikar.com/mindmaps/PracticeUrls.html
https://www.kali.org/
https://www.owasp.org/index.php/OWASP_Web_Testing_Environment_Project
http://blackarch.org/
https://code.google.com/p/owaspbwa/
https://www.mavensecurity.com/web_security_dojo/
http://hackingdojo.com/dojo-media/
http://informatica.uv.es/~carlos/docencia/netinvm/
http://www.bonsai-sec.com/en/research/moth.php
http://sourceforge.net/projects/metasploitable/files/Metasploitable2/
http://sourceforge.net/projects/lampsecurity/?source=navbar
https://www.hacking-lab.com/index.html
http://sourceforge.net/projects/virtualhacking/files/
http://www.irongeek.com/i.php?page=mutillidae/mutillidae-deliberately-vulnerable-php-owasp-top-10
http://www.dvwa.co.uk/
http://sourceforge.net/projects/thebutterflytmp/
http://magikh0e.ihtb.org/pubPapers/

Metasploit
http://resources.metasploit.com/
http://netsec.ws/?p=262
http://seclists.org/metasploit/
https://www.offensive-security.com/metasploit-unleashed/Introduction/
http://www.offensive-security.com/metasploit-unleashed/Msfvenom
https://community.rapid7.com/community/metasploit/
http://www.securitytube.net/video/711?q=METASPLOIT
https://en.wikibooks.org/wiki/Metasploit
https://www.sans.org/security-resources/sec560/misc_tools_sheet_v1.pdf
http://rmccurdy.com/scripts/Metasploit%20meterpreter%20cheat%20sheet%20reference.html
https://github.com/rapid7/metasploit-framework/wiki/Meterpreter
https://www.blackhat.com/presentations/bh-dc-10/Egypt/BlackHat-DC-2010-Egypt-UAV-slides.pdf

Net Scanners
https://nmap.org/
https://nmap.org/nsedoc/
http://www.securitytube.net/video/931
https://nmap.org/nsedoc/
http://www.openvas.org/
http://www.tenable.com/products/nessus-vulnerability-scanner
https://www.rapid7.com/products/nexpose/compare-downloads.jsp
http://www.inguardians.com/research/docs/Skoudis_pentestsecrets.pdf

Man-in-the-middle attack
http://www.linuxsecurity.com/docs/PDF/dsniff-n-mirror.pdf
http://media.techtarget.com/searchUnifiedCommunications/downloads/Seven_Deadliest_UC_Attacks_Ch3.pdf
https://packetstormsecurity.com/papers/wireless/cracking-air.pdf
https://www.blackhat.com/presentations/bh-europe-03/bh-europe-03-valleri.pdf
https://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-sam_bowne-hijacking_web_2.0.pdf
http://www.leetupload.com/database/Misc/Papers/Asta%20la%20Vista/18.Ettercap_Spoof.pdf
http://bandwidthco.com/nf.html
http://articles.manugarg.com/arp_spoofing.pdf
http://academy.delmar.edu/Courses/ITSY2430/eBooks/Ettercap(ManInTheMiddleAttack-tool).pdf
http://www.ucci.it/docs/ICTSecurity-2004-26.pdf_

Phase 1 - Reconnaissance: Information Gathering before the Attack
https://en.wikipedia.org/wiki/Open-sourceintelligence
http://www.spylogic.net/2009/10/enterprise-open-source-intelligence-gathering-part-1-social-networks/
http://www.spylogic.net/2009/10/enterprise-open-source-intelligence-gathering-%E2%80%93-part-2-blogs-message-boards-and-metadata/
http://www.spylogic.net/2009/10/enterprise-open-source-intelligence-gathering-part-3-monitoring/
http://www.slideshare.net/Laramies/tactical-information-gathering
http://www.infond.fr/2010/05/toturial-footprinting.html

Phase 1.1 - People and Orginizational
http://www.spokeo.com/
http://www.spoke.com/
https://www.xing.com/
http://www.zoominfo.com/
https://pipl.com/
http://www.zabasearch.com/
http://www.searchbug.com/
http://skipease.com/
http://addictomatic.com/
http://socialmention.com/
http://entitycube.research.microsoft.com/
http://www.yasni.com/
http://www.glassdoor.com/index.htm
https://connect.data.com/
https://searchwww.sec.gov/EDGARFSClient/jsp/EDGAR_MainAccess.jsp
https://www.tineye.com/
http://www.peekyou.com/_

Phase 1.2 - Infastructure
http://uptime.netcraft.com/
http://www.shodanhq.com/
http://www.domaintools.com/
http://centralops.net/co/
http://whois.webhosting.info/
https://www.ssllabs.com/ssltest/analyze.html
https://www.exploit-db.com/google-hacking-database/
http://www.my-ip-neighbors.com/

Phase 1.2 - Tools
OSINT Tools
http://www.edge-security.com/theharvester.php
http://www.edge-security.com/metagoofil.php
http://www.paterva.com/web6/
https://www.sans.org/reading-room/whitepapers/privacy/document-metadata-silent-killer-32974
http://www.sno.phy.queensu.ca/~phil/exiftool/
http://www.darkoperator.com/blog/2009/4/24/metadata-enumeration-with-foca.html

Phase 2 - Enumeration: Finding Attack Vectors
http://securitysynapse.blogspot.be/201308_01_archive.html
https://hackertarget.com/attacking-wordpress/
https://code.google.com/p/pentest-bookmarks/wiki/BookmarksList
http://www.0daysecurity.com/penetration-testing/enumeration.html
https://github.com/n3ko1/WrapMap
https://cirt.net/Nikto2
http://www.unixmen.com/install-nikto-web-scanner-check-vulnerabilities/
http://seclist.us/autoenum-nmap-enumeration-and-script-scan-automation-script.html
http://code.stephenmorley.org/articles/xampp-version-history-apache-mysql-php/
http://carnal0wnage.attackresearch.com/2007/07/over-in-lso-chat-we-were-talking-about.html
http://www.iodigitalsec.com/windows-null-session-enumeration/
https://pen-testing.sans.org/blog/2013/07/24/plundering-windows-account-info-via-authenticated-smb-sessions
http://carnal0wnage.attackresearch.com/2007/07/enumerating-user-accounts-on-linux-and.html
https://github.com/isaudits/autoenum
http://www.webpronews.com/snmp-enumeration-and-hacking-2003-09
http://carnal0wnage.attackresearch.com/2007/07/over-in-lso-chat-we-were-talking-about.html
http://www.iodigitalsec.com/windows-null-session-enumeration/
http://pen-testing.sans.org/blog/2013/07/24/plundering-windows-account-info-via-authenticated-smb-sessions
http://carnal0wnage.attackresearch.com/2007/07/enumerating-user-accounts-on-linux-and.html
http://www.madirish.net/59
http://www.enye-sec.org/en/papers/web_vuln-en.txt_

Phase 3 - Exploitation: Verifying Security Weaknesses
http://pwnwiki.io
http://download.vulnhub.com/pentesterlab/phpinclude_and_post_exploitation.pdf
http://ru.scribd.com/doc/245679444/hak5-org-OSXPost-Exploitation-copy-20130228-pdf#scribd
https://cyberwar.nl/d/hak5.org_LinuxUnixBSDPost-ExploitationCommandList_copy-20130228.pdf
https://www.yumpu.com/en/document/view/14963680/from-sqli-to-shell_

Dump Windows Password Hashes
http://bernardodamele.blogspot.com/2011/12/dump-windows-password-hashes.html

Windows Passhing The Hash
https://www.kali.org/penetration-testing/passing-hash-remote-desktop/
https://www.kali.org/kali-monday/pass-the-hash-toolkit-winexe-updates/

Windows Previlige Escalation
https://labs.mwrinfosecurity.com/system/assets/760/original/Windows_Services_-All_roads_lead_to_SYSTEM.pdf(https://labs.mwrinfosecurity.com/system/assets/760/original/WindowsServices-_All_roads_lead_to_SYSTEM.pdf)_
http://travisaltman.com/windows-privilege-escalation-via-weak-service-permissions/
https://github.com/0xdeafbeef/PSSecSnapshot
http://it-ovid.blogspot.com/2012/02/windows-privilege-escalation.html
http://www.fuzzysecurity.com/tutorials/16.html
http://www.youtube.com/watch?v=kMG8IsCohHA
http://www.youtube.com/watch?v=8xJaaQlpBo
http://www.greyhathacker.net/?p=738
http://bernardodamele.blogspot.ru/2011/12/dump-windows-password-hashes.html

Linux Previlige Escalation
http://incolumitas.com/wp-content/uploads/2012/12/blackhats_view.pdf
http://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation.html
http://pentestmonkey.net/tools/audit/unix-privesc-check
http://www.rebootuser.com/?page_id=1721
http://www.rebootuser.com/?p=1758
http://www.rebootuser.com/?p=1623
http://insidetrust.blogspot.nl/2011/04/quick-guide-to-linux-privilege.html

Tunneling & Port Forwarding
https://www.sans.org/reading-room/whitepapers/testing/tunneling-pivoting-web-application-penetration-testing-36117
https://highon.coffee/blog/reverse-shell-cheat-sheet/
https://highon.coffee/blog/ssh-meterpreter-pivoting-techniques/
http://staff.washington.edu/corey/fw/ssh-port-forwarding.html
http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
http://magikh0e.ihtb.org/pubPapers/ssh_gymnastics_tunneling.html
http://www.debianadmin.com/howto-use-ssh-local-and-remote-port-forwarding.html
http://www.danscourses.com/Network-Penetration-Testing/metasploit-pivoting.html
http://carnal0wnage.attackresearch.com/2007/09/using-metasploit-to-pivot-through_06.html
http://www.offensive-security.com/metasploit-unleashed/Portfwd
http://www.offensive-security.com/metasploit-unleashed/Pivoting
http://www.howtoforge.com/reverse-ssh-tunneling
http://ftp.acc.umu.se/pub/putty/putty-0.57/htmldoc/Chapter7.htmla_

XSS Cheat Codes
http://www.xenuser.org/xss-cheat-sheet/
https://gist.github.com/sseffa/11031135
https://html5sec.org/

WebShells
http://www.r57shell.net/
https://github.com/b374k/b374k
https://github.com/epinna/weevely3

SQLi General Resources
http://www.w3schools.com/sql/sqlinjection.asp
http://sqlzoo.net/hack/
https://information.rapid7.com/rs/rapid7/images/R7%20SQL_Injection_Cheat_Sheet.v1.pdf
http://websec.ca/kb/sql_injection
http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/
http://www.unixwiz.net/techtips/sql-injection.html
http://www.sqlinjectionwiki.com/
http://sqlmap.org/
https://packetstorm.sigterm.no/papers/cheatsheets/sqlmap-cheatsheet-1.0-SDB.pdf
https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
http://bobby-tables.com/

MySQLi Resources
http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet
https://websec.wordpress.com/2010/12/04/sqli-filter-evasion-cheat-sheet-mysql/
http://resources.infosecinstitute.com/backdoor-sql-injection/

MSSQLi Resources
http://evilsql.com/main/page2.php
http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet

Oracle SQLi Resources
http://pentestmonkey.net/cheat-sheet/sql-injection/oracle-sql-injection-cheat-sheet

Postgres SQLi Resources
http://pentestmonkey.net/cheat-sheet/sql-injection/postgres-sql-injection-cheat-sheet

SQLite Resources
https://sites.google.com/site/0x7674/home/sqlite3injectioncheatsheet

RFI/LFI Tutorials
https://evilzone.org/tutorials/remote-file-inclusion%28rfi%29/
http://www.hackersonlineclub.com/lfi-rfi
https://0xzoidberg.wordpress.com/category/security/lfi-rfi/

NASM Tutorial
http://ccm.net/faq/1559-compiling-an-assembly-program-with-nasm

Buffer Overflow Tutorial
http://www.madirish.net/142
http://n01g3l.tumblr.com/post/49036035399/linux-crossfire-v1-90-buffer-overflow
http://resources.infosecinstitute.com/author/nikhil-kumar/
http://www.frequency.com/video/athcon-hack-in-paris-demo-1/40181156
http://www.savevid.com/video/athcon-hack-in-paris-demo-2.html
http://www.frequency.com/video/athcon-hack-in-paris-demo-3/11306148
https://tehaurum.wordpress.com/2015/06/22/exploit-development-stack-buffer-overflow/
http://proactivedefender.blogspot.ru/2013/05/understanding-buffer-overflows.html
https://forum.reverse4you.org/showthread.php?t=1371
http://grey-corner.blogspot.com/2010/01/beginning-stack-based-buffer-overflow.html
http://grey-corner.blogspot.com/2010/01/seh-stack-based-windows-buffer-overflow.html
http://grey-corner.blogspot.com/2010/01/windows-buffer-overflow-tutorial.html
http://grey-corner.blogspot.com/2010/01/heap-spray-exploit-tutorial-internet.html
http://grey-corner.blogspot.com/2010/02/windows-buffer-overflow-tutorial.html
http://thepcn3rd.blogspot.ru/2015/07/freeftpd-108-seh-stack-based-overflow.html

Exploit Development
https://www.corelan.be/index.php/articles/
http://www.fuzzysecurity.com/tutorials.html
https://code.google.com/p/it-sec-catalog/wiki/Exploitation
http://www.myne-us.com/2010/08/from-0x90-to-0x4c454554-journey-into.html
https://www.ethicalhacker.net/columns/heffner/smashing-the-modern-stack-for-fun-and-profit
http://x9090.blogspot.ru/2010/03/tutorial-exploit-writting-tutorial-from.html
http://ref.x86asm.net/index.html
https://sploitfun.wordpress.com/2015/06/26/linux-x86-exploit-development-tutorial-series/
https://forum.reverse4you.org/showthread.php?t=1371

Exploits and Shellcodes
https://www.exploit-db.com/
https://packetstormsecurity.com/
http://www.securityfocus.com/bid
https://nvd.nist.gov/
http://osvdb.org/
http://www.secdocs.org/
http://www.cvedetails.com/
https://cve.mitre.org/
http://www.windowsexploits.com/
http://farlight.org/index.html?type=shellcode
http://shell-storm.org/shellcode/

Reverse Engineering
https://www.cyberguerrilla.org/blog/what-the-blackhats-dont-want-you-to-know-series/
http://fumalwareanalysis.blogspot.ru/p/malware-analysis-tutorials-reverse.html
http://www.woodmann.com/TiGa/idaseries.html
http://visi.kenshoto.com/viki/MainPage
http://www.radare.org/r/
http://www.offensivecomputing.net/
http://www.oldapps.com/
http://www.oldversion.com/
https://www.exploit-db.com/webapps/
http://www.mcafee.com/us/downloads/free-tools/hacmebooks.aspx
http://www.mcafee.com/us/downloads/free-tools/hacme-casino.aspx
http://www.mcafee.com/us/downloads/free-tools/hacmeshipping.aspx
http://www.mcafee.com/us/downloads/free-tools/hacmetravel.aspx

OS Cheat Sheets and Script Syntax
https://www.owasp.org/index.php/CheatSheets
http://www.cheat-sheets.org/
http://ss64.com/nt/
https://rstforums.com/forum/22324-hacking-tools-windows.rst
https://en.wikipedia.org/wiki/IPv4subnettingreference
http://www.nixtutor.com/linux/all-the-best-linux-cheat-sheets/
http://shelldorado.com/shelltips/beginner.html
http://mywiki.wooledge.org/BashPitfalls
https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml
http://www.robvanderwoude.com/ntadmincommands.php
https://www.sans.org/security-resources/sec560/netcatcheatsheetv1.pdf
https://countuponsecurity.files.wordpress.com/2015/06/jtr-cheatsheetimg.png
https://danielmiessler.com/study/tcpdump/
http://www.infosecwriters.com/Papers/nessusNMAPcheatSheet.pdf

Passwords Wordlists, Hashes, Tools
http://www.irongeek.com/i.php?page=videos/password-exploitation-class
https://cirt.net/passwords
http://h.foofus.net/?pageid=55
http://foofus.net/?pageid=63
http://hashcrack.blogspot.ru/
http://www.onlinehashcrack.com/
http://www.md5this.com/
http://contest-2010.korelogic.com/wordlists.html
https://packetstormsecurity.com/Crackers/wordlists/
http://hqsoftwarecollection.blogspot.in/p/36gn-wordlist.html
https://wiki.skullsecurity.org/Passwords
https://www.sans.org/reading-room/whitepapers/testing/pass-the-hash-attacks-tools-mitigation-33283
https://www.sans.org/reading-room/whitepapers/testing/crack-pass-hash-33219
https://nmap.org/ncrack/
http://www.openwall.com/john/
http://ophcrack.sourceforge.net/
https://inquisb.github.io/keimpx/
http://null-byte.wonderhowto.com/how-to/hack-like-pro-crack-passwords-part-3-using-hashcat-0156543/_

InfoSec Hiring
Reddit Thread Q3 2015
Reddit Thread Q2 2015
ShmooCon Hiring List 2015
SANS
Careers Stackoverflow
PenTester Salary
San Francisco InfoSec Jobs
Infosecinstitute.com
Inspiredcareers.org/

IT Certifications
http://certs.infosecinstitute.com/

Links Collections
http://in-addr.nl/security-links.php
http://ser-storchak.blogspot.ru/p/blog-page16.html
Reddit NetsecStudents Wiki
https://www.vulnhub.com/resources/

Books
Security Books at Amazon
A Bug Hunter's Reading List
An Application Security Reading List

Videos:

----End of his article------

all in all this is a great article worth keeping on the web as it helps bring resources in one place for people.

If you like to take a look at my resources list check out the article here.

please share

Protecting your Android device and your Privacy

2016-03-12T21:13:00.003-08:00

Its been a while since I have written about how to protect your self from the prying eyes of government. So if your trying to protect your self against the NSA, GCHQ, or who ever here are some things that you can do to help protect yourself.

Since those 3 characters agencies mass surveillance pick up a lot of innocent peoples private data that never go away or GCHQ where they are legal to hack your data. So since the main area that is been popular for governments resiliency is your mobile phone here are some things you can do to help protect them.

Operating system:
This would be a modified android OS that is stock with some additional features.
CyanogenMod has a lot of improvements over stock android and is controlled by community and not by corporate google who may be forced to try to put back doors in their OS.

From there you will want to be on the latest version of the operation system because you will want to have the app protection with permissions that android 6 and above have and you will want to be using full hard drive encryption on the device. To protect against governments forcing Google or Apple from unlocking the device you will want to not install the Google Play store on the phone just to be sure they can't force it to be unlocked.

Apps:
For additional security, and to help protect your information from theft while the device is on and not locked down, you can use an app called Cryptonite. This may seem like over doing it but just in case someone gets on the device or they hack the device it self then you have an additional step of protection.
Communication on the devices is also very important to have.
Email:
using an app called OpenKeychain will help you protect your connections with strong pgp encryption. so even if they force your email provider to hand over your emails they will be encrypted and not able to be read.
Messaging and Calling:
The easiest way and with the least trouble is using an app called Signal. Signal has data voice calling and encrypted text messages. It keeps the texts encrypted on your device and not just in transit. You have additional protection by being able to put a password on the application it self that will lock the app so even if someone gets your phone unlocked and tries to get into your messages its secure. You can have private calls to your loved ones and know that they are secure and that getting messages that are not modified by anyone.
Browsing the Web:
Firefox: using plugins for HTTPS everywhere, noscript, and adblocker. these will greatly increase your security. ensuring your get the security you need with encryption to the server, preventing random javascript from running that may attack your device and preventing rogue ads that may try to attack you.

From there you can also try additional steps to keep private using some other apps. There are tools like Orbot which is the tor network, F-Droid which will give you access to the ip2 network, or vpn access from companies like Private Internet Access who don't keep logs. Or if you like to set up and use your own open vpn and tunnel it over a ssh tunnel to make it look like normal https traffic then there are these 2 applications TLS/SSL Tunnel and OpenVPN or if you want to be different you can go with a vpn like shadowsocks.

Password Management:
Password management is very hard for a lot of people. I find having a password manager the easiest thing that syncs between my devices. you can use a program like passwordsafe and have it sync the encrypted password file between your many devices. This will help with if any website gets compromised like they do quite often then your password that got leaked is only 1 password and does not compromise anything else for you.
I also use 2 step verification for every account that supports it which I seriously think about not using a service if they do not support it and probably the best app for that is the Authenticator app which is produced by Google.

I hope these apps will help you secure your android device down more than it currently is and help you become safer and less likely to be compromised.

Thanks for reading and please share with others so they can learn also.
Local Tech Repair Admin

Facebook Never deleted my account after years

2015-10-17T08:19:00.000-07:00

So after over a year after deleting my #Facebook account and not signing into it. My wife wanted me to get back on. When I deleted my Facebook I went through all the trouble of doing it properly.

So I go there to create an account because we'll a year+ later it should have been deleted. And now I find out that my email is already in use. This is extremely frustrating to me that they refused to delete my account after so many years.

So I went to sign in with the old password and Yep there is my account.

The first thing I get is a Facebook survey asking if I believe that Facebook cares about its users. Well the answer to that is I strongly disagree. Facebook is like a bad stalker that will hoard onto your information even after you jumped through all their hoops and you gave them the months they needed to remove it and still they did not.

Again #Facebook is very frustrating.

#Facebookdontcare

Using powershell to check if password is going to expire

2015-10-14T12:34:00.002-07:00

Using powershell to create a script to check if the clients password is going to be expiring in the next 5 days.

I love powershell and just like creating random tools with it. here is a script that can be set as a task on the clients computer to run each day. This helps fix a problem with windows where the popup notifying the user their password is going to expire in x amount of days not showing up because the end user is not login in.



<#

.SYNOPSIS

    Checks if user password is with in 5 days of expiring

.DESCRIPTION

    

    Created by Joshua Millikan

    Website:http://localtechrepair.blogspot.com

    Date: 10/14/15

    version: 1.00

    This script is designed to check if the account is with in 5 days of expiring and then emails them with instructions on how to reset. 

     

#>



#grabs current user information

$getusers = get-aduser $env:USERNAME -Properties * 

#grabs todays date

$date = Get-Date

#checks the number of days between the last password set and todays date. 

$numberofdays = New-TimeSpan -Start $getusers.PasswordLastSet -end $date

#grabs the domain policy for passwords

$domainpolicydays = Get-ADDefaultDomainPasswordPolicy | select maxpasswordage

#grabs the amount of days from maxpasswordage

[int]$policydays = $domainpolicydays.maxpasswordage.Days

#removes as our 5 day warning

$policydays += -5

#checks if password never expiring is checked. (it should never be checked less service account)

if ($getusers.PasswordNeverExpires -eq $False){

#checks if the number of days is greater than or policy warning

if ($numberofdays.Days -ge $policydays){



$body = "Hello " +$env:USERNAME + "<br /><br /> your password will be expiring soon please change your password.<br /> You can do this by hitting ctrl + alt + del and selecting Change Password<br /><br /> Report from Admin"

Send-MailMessage -to $getusers.EmailAddress -from $getusers.EmailAddress -Subject "Password Expiring soon" -SmtpServer "mail.pacificorp.com" -BodyAsHtml $body

}

}

This script is pulling a lot of user enviorment information to determine who to check. the email it sends will be from them selves this can be changed to say the companies service desk/help desk. also the instructions can be changed if you prefer them going to a self help portal or what not.

Hope you enjoy,
Local Tech Repair Admin

Information Security (InfoSec) Software, Books, and Resources

2015-09-17T19:30:00.000-07:00

Security training and resources. I am creating this post mostly to help myself keep track of all the different infosec resources, applications, and study material for exams like Comptia Security+, CEH, CISSP, OSCP, and others. This is a resource for offensive security practices and tools. This list will be updated as time goes on.

%Updated on 11/18/15%

Index

Software:

Probably the number one of all the software out there Metasploit is one of the top exploit deployment and research tool. It helps you quickly deploy and expedite the exploiting process.
Armitage/Cobalt Strike are both tools to help leverage the Metasploit Framework to quickly and show examples of how to quickly and quietly leverage and suggest exploits to get access to network resources. All these resources require and are based off of the complexity of the metasploit framework. So if you know how to use metasploit very well you may find that these tools will just expedite your exploiting speed and help have a graphical place to work in. Though metasploit has its own Pro version that does close to the same thing.
Subterfuge Framework will help you leverage and run a Man In the Middle Attack with out needing to worry about configuring sslstrip, arp poisioning, harvesting credentials, blocking vpn tunnels, and much more. Subterfuge allows you to build plugins onto subterfuge just like Metasploit Framework does.
Maltego is there for helping you gather information on people and companies. This will help you gather information on what is out there in your corporation and you will find those that you can later try to exploit to get into the corporation. The program will help you make a threat picture of your company or another company.
Recon-ng is a recon tool to help you speed up finding information on the web. For instance there is a module to search the web on a email and compare it against the different dumps of password and email. some more basic uses of recon-ng can be found here.
Nessus is a software that will help you do vulnerability scan your network computers. This will help you determine which security patches are missing, configuration, and compliance problems. There is a wide array of plugins that can help you find more exploits not patched in your network and avoid compliance problems and breaches later down the road.
Nexpose is just like Nessus and helps you know what your assets in your corporation have vulnerabilities. Nexpose proactively scans your environment for misconfigurations, vulnerabilities, and malware and provides guidance for mitigating risks.
OpenVAS is a open source vulnerability scanner on the market. So if your looking for a free vulnerability scanner like that of nexpose or nessus then this would be your tool.
SET is a toolkit that will help you perform advanced attacks against the human element in an organization.
Both cryptohaze and oclhashcat are both great GPU based tools to help speed up the cracking process a lot. You can see what the difference is in our previous article on it.
Wireless auditing, Aircrack-ng, Pyrit, and reaver-wps are all great tools to help you get the edge on the wireless network. These allow you to do a wide variety of attacks on the wifi and the inherent trust of the different wifi systems. All these tools help you get into the network and from there you use other tools.

Reaver how to

WPS Cracking with Pyrit
WEP Cracking - Getting it setup on ubuntu
Wifite is an auditing suite for wep,wps, wpa and the likes. this tools is probably the easiest tool out there for auditing and automation. This tool is built into nethunter toolset.
a guide and more details on how these attacks work can be found here

sslstrip is a tool to help you when your doing a man in the middle attack on a client. After you have poisoned them and having their network connection going through you for internet. sslstrip helps strip all ssl for their connections and turns them into http requests allowing you to grab the information that they are sending be it passwords or other sensitive information.
sslscan is a tool that will go through a website and see what types of ssl/tls that the site accepts. this way you can see if there are weaknesses known to the web servers encryption.
Nmap you can't go into security with out hearing about nmap it is used in a lot of tools for port scanning and identifying OS of their computers. This is a very loud tool and can easily be identified on a network traffic and on host logs. so it is best to pipe the scans though a botnet so that they can not identify who is attacking them. Also it is useful to learn how to use the tool and not just do a full scan on everything. identify the OS then use the knowledge of your exploits to selectively scan the ports that they may have vulnerabilities in them.
Yersinia is a tool to attack the protocol layer to take advantage of some weakeness in different network protocols. It pretends to be a solid framework for analyzing and testing the deployed networks and systems
nikto2 is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/programs, checks for outdated versions of over 1250 servers, and version specific problems on over 270 servers
Wapiti this framework is different than a lot of web vulnerability scanners as it does not look at the source code to find places to inject. it looks at the app it self and then tries to find places to inject. this just gives a different way of looking for places to inject.
Aircrack-ng is one of the top tools used for cracking wifi and doing attacks on wifi. This tool is used in many underlining script and programs that attack wifi. If you are going to attack a wifi you can't not know about aircrack-ng.
PwnSTAR is a tool developed by SilverFoxx/Vulpi. The tool speeds up the process of creating an evil maid attack and then doing a MiTM attack on the clients. some examples on how it can run on Kali linux can be found on the Kali Linux forum

THC Hydra is a great tool if you need to run a dictionary attack on platforms from over 30 different protocals. THC Hydra is extremely fast at attacking telnet, smb, databases, ftp and much more.
wireshark is a go to default for me when it comes to packet sniffing of network and analysis of packets on a network. wireshark is a must have tool to learn if your wanting to know what is going across the wire and there are many plugins to it to help you do many other things. Though wireshark does have its own vulnerabilities so best only run it on networks that you trust or on machines you don't care about.
sqlmap tool will help you when trying to find exploits in web applications and getting access to the back end database. Though this does not mean that if will find the exploit for you all the time so best to learn how to do the sql injection your first and use this tool to help speed up the exploit development for the web site.
sqlninja another tool for website injections and penetration testing. This also is not the solve all solution to finding exploits on web applications but this greatly increases speed of penetration testing and also gaining access to the database server. So once you have discovered a sql injection in your web application you can use the sqlninja tool to help you exploit it and gain access.
BBQSQL this ds another automated sql testing tool. Haven't used it yet to here is explanation from kali group"It is extremely useful when attacking tricky SQL injection vulnerabilities. BBQSQL is also a semi-automatic tool, allowing quite a bit of customization for those hard to trigger SQL injection findings. The tool is built to be database agnostic and is extremely versatile. It also has an intuitive UI to make setting up attacks much easier. Python gevent is also implemented, making BBQSQL extremely fast."
Veil-Framework is a anti virus bypassing framework. This allows you to install and run a virus on a computer with out being detected by the anti virus vendors. This gives you different methods of injection into ram so that you can get a reverse shell and then disable AV and others.
powersploit using powersploit to speedup your pentest. this is a great way to bypass some ways if the domain administrators lock down other areas of the OS but leave powershell open to be used.
PowerView another powershell tool to help survey the network and help you gain lateral movement.
Burp Suite or Zed Attack Proxy both allow you to audit packets before they are sent and modify them on the fly.
WebScarab is another proxy web application testing tool this is a little more useful if your a programmer and want to test more items directly with the application.
w3af is the www attack framework. so another great tool in the bunch for web test.
ws attacker framework is a modular framework for web services penetration testing. It is a free and easy to use software solution, which provides an all-in-one security checking interface with only a few clicks.
Smartphone Pentest Framework is a framework to make it easier to launch attacks against smartphones. Think it as SET for smartphones.
Overpass the Hash/Mimikatz is a method for getting the hash dump on a domain controller and then creating a Golden Ticket so that you can privileged escalate to a different user
Incagnito if your needing to get the tokens for the accounts on the computer.
BeEF: is a penetration testing tool that focuses on the web browser. Unlike other security frameworks, BeEF looks past the hardened network perimeter and client system, and examines exploitability within the context of the one open door: the web browser.
Dradis: is a tool to help effectively manage information that you gather. parses a lot of the output for lots of different security tools so that you get the information you need quickly and managing multiple pen tests at one time.
MagicTree MagicTree is a penetration tester productivity tool. It is designed to allow easy and straightforward data consolidation, querying, external command execution and (yeah!) report generation
Additional list of tools and descriptions can be found here at Blackarch Linux

Books:
Security Training books are always a good stop shop for information though nothing beats practicing it. You will always have your coding books and what not though i am going to skip those and go towards the specialty books and the cert books.

Rootkits: Subverting the Windows Kernel This book is the foundation of my learning on how rootkits work and the ideas around them. This may be an older book but it is well worth the read and learning from it every day. It was far above my head when I first picked it up and still am learning from it.. It used to be the author of Rootkits.com before the site went down.
Hacking Exposed is another book that has been bringing the world of network security secrets and solutions to the masses. This book has been around for a while now and they are in their 7th in the series and have made other series around it for mobile and others.
If your going for your Security+ Certification then you may want to pick up a study book for it. If you are looking for a study book and software test then you can't beat the new compTIA Security+ bundle this has the pre assessment tests and also pdfs, videos and everything that you need to learn about it.. Other good resources are wikibooks.
Basic Security Testing with Kali Linux is a book well exactly what it title is about. If your wanting to learn Kali Linux for basic security testing and start off with an offensive security for your security in depth then start out with an offensive security book like this.
lots of books

Some of the books that I personally on my jurney to learning more about computers and security. some of these where free from professors

Information Security Risk Analysis
CompTIA Security+ Training Kit
Information Security Illuminated
Fundamentals of Secure Computer Systems
Virtual Private Networking: A Construction, Operation and Utilization Guide
CWNA Guide to Wireless LANs
Windows Server 2012 R2 Pocket Consultant
Active Directory® Administrator's Pocket Consultant
Cybersecurity Operations Handbook
Everyday Scripting with Ruby: For Teams, Testers, and You
Murach's Oracle SQL and PL/SQL for Developers
HTML, XHTML, and CSS Bible
Head First PHP & MySQL -- side note i love this series for those that are starting out as they are very good at logically going through the process for those that are hands on learning styles.
Linux Unwired
Mapping Security: The Corporate Security Sourcebook for Today's Global Economy

Websites:

SecurityTube.net is a great resource to watch and learn new security information. They have videos from a lot of the different security conferences, training programs, groups of videos for things like metasploit, assembly learning, exploit research, and more. Their goal is to bring quality InfoSec learning to the general public for free. They also have a newer Certification program and a very reasonable training program.
Cybrary.it/ is a website with a few classes for information security like "python for security professionals" and "post exploitation hacking"
Exploit Database is a good way to keep up on exploits that are coming out and them being organized in good fashion. This helps you see actual code for the vulnerability and how you can use that vulnerbility that was published and exploit it. Great place to learn how to write exploits and use them or learn about which ones are out there.
CVE There may not be an exploit written for metasploit for a vulnerability though you can find lots of the publicly known vulnerabilities out there and help you speed up the process of writing new exploits for vulnerabilities that come out.
Rainbow tables sadly rainbow tables are still useful for a lot of websites and even large company websites that for some odd reason do not salt their passwords. so you may find running these against your hash may find good results.
Links to other Great security related websites. http://www.techexams.net/forums/off-topic/51719-best-security-websites.html this form has a wide range of websites from ethical hacking network to sectools.org to government websites.
SecTools is a great website to help you find more and review documentation and install guides for things like nmap and other security tools int he industry.
OpenSecurityTraining is a wide range of Security related topics and training for free to the info security industry.
SkillSet.com is a good website for testing your knowledge of CEH and CISSP certification exams that you may be trying to pass after learning all these topics on this page.
IT_Sec_Catalog for exploitation. this has links to many old and new articles on exploitation and learning how to do exploitation. Great resource for those learning to hack.
Anarchy resources - WARNING! This website is not per say the most trusted source. so take extra security measures when accessing information on this website. resources may be infected and more. I put it here because it has more of the blackhat hacking side of information security training. so suggested only visit website behind network firewall on separate subnet of your rest of your network and in a vm and monitor your traffic on the network to make sure nothing escapes the network. So with that said I can't guarantee the safety or legal information on the website but its a good resource to understand how people think and history of hacking. Though this website has a huge resource of other information in the sub directories. also murdercube has almost the same collection.
Kernel Level Programing Site helping you learn how to program modules for the kernel. This is an essential beginning to learning how to program and make your own kernel RATs.
EDGAR is used for gathering public information on a organization to help find weaknesses.
webdns, ping, and other onlinetools: domaintools, CentralOps, and digitalpoint
Reverse Engineering Malware

https://zeltser.com/reverse-malware-cheat-sheet/
http://www.herdprotect.com/downloads.aspx Anti-Malware Scanner is a fast and free Windows desktop program which detects malicious threats, spyware and adware by utilizing 68 industry anti-malware scanners.
https://remnux.org/ virtual application that is used to reverse engineer malware and analyse how malware works.
list of free automated malware analysis tool sanboxes. these online tools will try to determine what it does and how. https://zeltser.com/automated-malware-analysis/
SIFT workstation is a tool kinda like the remnux though more aimed at investigating what happened.

Red Teaming basics if your just starting to get into red teaming then this is a series for you. Goes over the basics of red teaming and how as a offensive security professional you can think of how an attacker would exploit my network. Only negative is that its coming from a heavy cobalt strike perspective of a tool. though still a great starting point.
Hacking Team Dump of knowledge. This has a huge list of resources, books, and topics on hacking and how a pay for service for governments taught their staff on how to hack.
Cyber aces has tutorials on basics linux, windows, networking, powershell scripting, bash, and web scripting. If your looking at stating out in these areas this may be a good place to start to get a general understanding of them.
Hacking Tutorials has a list of tutorials on hacking. "We will be posting beginner Hacking Tutorials about hacking with Kali Linux and other operating systems to show home and office users how easy it often is to breach security and bad passwords. We will be covering subjects like Wifi hacking, fingerprinting, vulnerability scanning, malware and exploiting, penetration testing and ethical hacking."
Metasploit Unleashed is a guide and free online materials for learning the materials framework and how to do pen-testing through the framework. it is a good read if you have not done it.
Windows internals

Mobile apps:

Hackers Reference and InfoSec Reference are both good solutions to learning security topics on the go. They go over different tools, news, and really everything about infosec and hacking. Great source while your wanting quick information to get your mind going till you get home.
Wifi Protector will help you stay safe while on open wifis and on your own personal one. It will alert you to ARP poisoning on the network. So if someone on the network is saying that they are the router and trying to do a man in the middle attack then you will be alerted and you can set it to auto kick you off.
WifiKill is a easy way to implement a ARP poisoning from your android phone. Find out where people are surfing the web and denying those that are using to much bandwidth. So if you spot someone downloading using torrents then you can stop them so they don't take all the bandwidth.
FlashCard Machine is not really a security tool though it is great for using to study. They allow you to download flashcards from a global shared database. So you can find infosecurity and certification flash cards. This can help you study and learn from others. You can also test your self against these cards. I have found CISSP, Security+, and CEH flash cards that help me study when i am on the go.
Nethunter is a build of cyanogenmod and combining kali linux arm to make it run. nethunter gives you some easy scripts to work with external wifi card and then run evil ap, evil usb, and the likes. Comes with working metasploit and is able to be leveraged in a small platform on the go. This is more than a tool but more of a OS and tool set to work with.
DriveDroid allows you to plugin your droid to a computer and use it to boot a linux live cd via it. This allows you to leverage your phone as a mobile OS and store everything on your phone and use the computers hardware. slight difference than using nethunter which uses the mobile hardware.

Hacking Prevention:

IPS/IDS

Snort is a great open source IDS and IPS system. If your setting up a network at home or wanting to test your exploits against a network and see what attacks get picked up by snort rules and what not. This is good to help detect attacks, prevent them, and learn to get around IDS/IPS systems.
Suricata is an open source IPS/IDS able to use snort rules also.

applocker you should use applocker to white list all applications that are allowed to load on your network. This video is a great explanation. https://www.youtube.com/watch?v=tYFVVY8GX24
Blocking Java User Agent at the proxy level so that you can control all java that is deployed and used on your network. White list good domains.
EMET is a enhanced mitigation experience toolkit that is designed to help users defense against cyberattacks. The software is free though can be complicated to deploy but this help break a lot of malware requiring them to use another bypass.
ADAudit Plus aka auditing both good and bad logins. This allows you to see if the local admin was used to login to multiple computer at one time.
Microsoft Baseline Security Analyzer. Helps you stay on top of patches for microsoft products and the applications that run on them.

Defense Websites

CyberCrime has links to reports and documentation to help with computer crime. Different reports from the FBI for the years on computer crime

Malware Analysis Tools

RegShot is for comparing differences in registry and filesystem from clean state to after malware was installed to see what happened.
WinAPIOverride helps you follow the injection process of dlls and api calls for a running process to see what it did and where it went.
wireshark to identify network traffic and if it is calling out.
netstat is a built in tool in windows to tell what connections and ports are open on the computer. common command is netstat -anob
sysinternals suite has lots of tools like process monitors and what not to help identify what is going on on the computer.
Gmer can help detect hidden files and rootkits that may be hiding.
Remnux is a OS designed at analyzing the malware.
SIFT is another suite by SANS to help analysis of malware.
virtual box is important for keeping malware isolated. granted other VMs could work to as long as you can limit them to the host network and can't get out to compromise other machines.
CFF Explorer Suite is a tool to explore the PE file and DLLs. this will help you explore a exe file and what dlls that it is loading or has packaged with it.
Sigcheck helps you check and verify the signatures on files to see if a dll is signed by microsoft or vendor or if its unsigned and not legitimate file.
attrib command is very useful for changing attributes via command line.
API Monitor is a way to track and monitor applications that track api calls.

Guides to starting in Infosec

College not required: A guide to starting in InfoSec
Penetration Test Information Gathering
more to come

Thanks for reading, Local Tech Repair Admin I will be adding a lot more to this article and also breaking more articles on more specific topics about Info Security and Offensive Security to help my self study and get my knowledge out there for others to learn more quickly from all my searching. PS if you have good tools or what not that you think would go great on here let me know in comments and i will look at adding it to the site.

Penetration Test Information Gathering

2015-09-15T10:13:00.002-07:00

After taking many classes on Advanced penetration testings i find that many of these classes are very basic when it comes to their subjects. So here are some resources to better round off your penetration testing in more depth than just the basics that most of these "Advanced" classes go through.

So we will be starting with information gathering/recon/competitive intelligence all these topics have the same type of concept and are all legal or very gray area to do. At this stage we are not in anyway attacking your target. This is where you will be spending majority of your time.

A good standard to go off of is the pentest standards that can be found here. The goal of information gathering is to learn everything you can about your target before starting any kind of attack at all.

before we start gathering any information we will want to define our scope of what we are testing and looking at. at this we will want to check out what ip ranges we are looking at and what is actually in our scope. we want to be checking for things like content delivery networks, load balancers, IPSs, and really anything we can get our hands on. enumerating the domain to check for sub domains, pages, job descriptions, and employee comments will all help us get information on the network, technologies, versions, attack targets, etc.

some tools are commonly used are google, bing (particularly ip:ipaddress), dnstools.com, passiverecon, halberd, and more. Depending on what item your looking for you will have different tools for it. Probably one of the largest tools for connections between information is the tool maltego. This will help gather and connect all the information your gathering together an build relationships between them. The developers of Maltego have a list of 6 tutorials to get you going here. I would highly suggest learning maltego and learning it well especially if you have any Social engineering you have to do (hint you always do).

Key thing is keeping a central location that your team or just you can put the information together. Dradis is a large corroborative

after gathering some targets and what not you can start mapping the actual systems you find that are in scope. things like nmap are commonly used. some key things is always exporting data so that it can be imported into your database system. the -oA appended to the end of your nmap scan will give you the 3 major formats to be imported into places like Metasploit and other. This will help you with services and targets that you have known good vulnerabilities for and greatly speedup the vulnerability assessment. Some things to learn are the different type of stealth scans and advantages and disadvantages to each. some IDS systems will have signatures for nmap scans but most likely these are going to be lost in the ether specially done from the out side because nmap scans are so common its hard to tell its you vs others. But with that said its still good to know the things and a good article of learning about the art of port scanning is here. Another nice thing about nmap is that you can script out these scans. so you do it once and you can have them set up working for other engagements which can be found here. Another port scanner that is not nmap would be Metasploit. Metasploit has its own auxiliary modules for scanning. A list of the different scanners and modules in Metasploit can be found here. for example auxiliary/scanner/discovery/arp_sweep will allow you to do an arp sweep to discover computers.

after discovery you move to threat modeling and determining what vulnerabilities may be on the services and hosts we discovered. Since most of this probably passes from legal line to gray area only do this on services you own as you may bring down something during a scan. some popular tools for this are Nessus, openvas, Nexpose, Nikto, and many more found here.
If your using nessus then I would highly suggest using it with in Metasploit so that you can easily import the results straight into the Metasploit Database and be able to quickly find vulnerabilities based off those scans that you can quickly test if they are actually vulnerable.

Tools:
bing.com - ability to use ip: to check for shared hosting
google.com - ability to use Google Dorks to check common problems
passiverecon - general recon plugin to speed up recon
halberd - detecting load balancing
dnstools - whois, ip ranges, detect shared hosting, etc.
tracert the ability to ping and traceroute from different contents and not from your ip
wafwoof - helps detect what application firewall
nmap gold standard for network scanning
metasploit - gold standard for exploit launching
recon-ng -more information can be found here
Nessus, very common vulnerability scanner
openvas, - free open source vulnerability scanner you should be aware of
Nexpose, same creators of metasploit but for vulnerability scanning.
Nikto - web vulnerability scanner.

This is s a quick overview of information gathering that you will get in most of these "Advanced" classes. Though this is the basics that you will need to know to actually do your job as a pentester.

Let me knwo what tricks/tips/ and tools you prefer for information gathering during a pentest.

PS: search youtube for examples on how to use each an you will find loads of resources.

Remedy 7.x, 8.x and possibly 9.x login password decoder

2015-09-11T07:43:00.001-07:00

So recently I have been doing some QA for a BMC Remedy product that my work is starting to work with. One thing i noticed right away is that the cipher that they use is extremely bad and basically plain text.

So here is how it works. when you go to the login page for a remedy product when you sign in there is a javascript that encodes the password field to a ciphered text. BMC suggests always using HTTPS with their products to make sure its secure though it is disabled by default. You can find more on their Best Practice Security guidelines here. https://docs.bmc.com/docs/display/public/ars81/General+security+guidelines

Here is the javascript cipher that is used in their products.



function getScrambledPassword(pwd) {

    var cipher = ['k', 's', 'z', 'h', 'x', 'b', 'p', 'j', 'v', 'c', 'g', 'f', 'q', 'n', 't', 'm'];

    var result="";

    if (pwd == null)

        pwd = "";

    pwd = encodeURIComponent(pwd);

    //alert("encoded password: " + pwd);

    for(var i=0;i<pwd.length;i++) {

            var cc = pwd.charCodeAt(i);

        result += cipher[Math.floor(cc/16)] + cipher[cc%16];

    }

    //alert("scrambled password: " + result);

    return result;

}

what this code does it takes the inputed password then does a urlencode and brakes it down into char codes and then passes that on to some math. so for instance
input @
encodeuricomponent = %40
for each charactor in the encoded uri charactor we get 37 52 48
so for each the cipher is calculated and picked
for instance the first time it goes through it uses 37
so math.floor of 37/16 = 2
the 2nd item in the cipher is z
then it adds cipher 37 mod 16 = 5
cipher 5 = b
so from the first encoded uri charactor we get zb
and then it repeats for the next encoded uri charactor
this gives us the encoding
zbhxhk

so what this means for decoding is 2 things because the math rounds down we can't really get the key code that way but because they were doing a mod on this it gives us the remainder anyways.

so here is an PoC python decoder for the Remedy cipher.
import os
import urllib
print "Welcome to the BMC Remedy password decoder"
password = raw_input('Enter Password hash: ')
cipher = ['k', 's', 'z', 'h', 'x', 'b', 'p', 'j', 'v', 'c', 'g', 'f', 'q', 'n', 't', 'm']
decryptedpass = ""
num = 0
while num < len(password):
    ciphernum = cipher.index(password[num])
    encodednum = ciphernum * 16
    num = num+1
    ciphernum = cipher.index(password[num])
    encodednum += ciphernum
    decryptedpass += chr(encodednum)
    num = num +1
print urllib.unquote(decryptedpass)

What this means as an attack vector:

With in many organizations their users are very used to continuing even if they get a https warning about certificate because people generally think the company is keeping them safe.

If an attacker gets into a organization and then does a MiTM attack using a SSLstrip the attacker could in turn gather all of IT users credentials or even some. This would greatly increase the attackers speed of penetrating the organization.

If you use remedy please request that the vendor fix this issue. This has been around for some time and has been posted in other going back years and still have not been fixed.
for example
http://rewtdance.blogspot.com/2012/05/bmc-remedy-password-descrambling.html
http://myitpath.blogspot.com/2010/09/reversing-remedy-passwords.html

are 2 that popup on the first page

- Local Tech Repair Admin

College not required: A guide to starting in InfoSec

2015-08-19T11:44:00.002-07:00

So recently I had someone tell a community member that you needed to go to school like everyone else and pay to learn infosec. For some reason this bugged me because I really only see college degree as a rubber stamp for HR I would like to tell you that is a lie and here is why.
*Updated 12/15/15*

College is very rarely needed for learning especially if you’re self-motivated. Basically all college will do is open doors for some companies that management think they must have it. This is the computer age and knowledge is not learned in the class rooms with $100Ks in debt and loss of 4 years of income.

If you’re self-motivated and have a passion for learning start here!

If you never done Linux before:
intro to linux
linux+

If you never done pentesting before:
ethical hacking class
advanced penetration testing

networking overview:
network+
ccna

Nmap

TCP/IP

Silence on the Wire: A Field Guide to Passive Reconnaissance and Indirect Attacks

Psychology:

The Art of Deception: Controlling the Human Element of Security

Social Engineering: The Art of Human Hacking

For programming topics to get you a strong foundation.
java, python, php, powershell, bash, javascript, c, and assembly
There are many websites out there to learn programming languages here are 2 links for assembly

assembly primer linux
assembly primer windows
Regular Expression
This is a part of programming that is commonly used to help identify hard to detect data. so you can detect paterns in code. This is great when it comes to defensive side and writing rules based off regular expression.
regex101.com helps explain what your regex does
regexone.com well walk you through tutorials to learn it.

Kernel Review

Introduction Intel x86

Introduction Intel x86-64

Introduction to ARM

Linux Kernel Level Programming

Defensive and SOC training
Intro to Network Forensics
Flow analysis and Network Hunting and videos can be found here
Intro to malware analysis and reverse engineering
Dynamic Malware Analysis
Practical Malware Analysis
Reverse Engineering Malware
Blue Team Handbook

Malware analysis tools can be found here.

Learning Exploit process and testing:

Vulnerable web Service

Broken Web Application

Setting up a Penetration Testing Labs

For more additional resources for labs check out

http://www.amanhardikar.com/mindmaps/Practice.html

Standards for penetration testing a good resource for learning them are at the bellow link.

http://www.pentest-standard.org/index.php/Main_Page

Network Security Assessment: Know Your Network

I would also take a deep look at powershell and other advanced windows services.

Windows Internals (Developer Reference)

The key is finding an area in infosec you like and become the expert for that area.

If you’re interested in more resources for learning, you can check out the bellow link for resources of websites, books, mobile, tools and more.
http://localtechrepair.blogspot.com/2014/01/information-security-software-books-and.html

Nethunter 2 metasploit Database [*] postgresql selected, no connection.

2015-08-18T12:11:00.001-07:00

Nethunter 2 getting posgresql working with metasploit. If your in metasploit and are checking the status of db_status and are getting error that [*] postgresql selected, no connection.

to resolve the issue you will want to set up the database for metasploit. Resolution steps are as follows.

open nethunter android app
start metasploit service
launch kali shell in terminal
service postgresql start
cd /usr/share/metasploit-framework
./msfdb init
msfconsole
db_status

this should fix the issue and show as connected to msf now.

Share if anyone is wondering how to get this fixed.

- Local Tech Repair Admin

Flagship Smartphone Specs 2015 - OnePlus 2, Galaxy S6 edge, HTC One M9, and Nexus 6

2015-07-28T09:39:00.000-07:00

I am not a big fan of comparing specs on things though I figured why not do one anywho.

For those of you that do not know the OnePlus 2 just got announced last night and today we get to see the specs for the OnePlus 2. so since they claim to be a flagship killer which is kinda funny but non the less good phone.

So here is the specifications compared to the flag ships out there.

some of the flagship phones are galaxy s6 edge, HTC One M9, and Nexus 6.

Galaxy S6 Edge:

lets first look at the Galaxy s6 edge costs ~$730 from Amazon.com for the unlocked international version with 64 GB hard drive.
Specs:

Display: 5.1 inches (~71.7% screen-to-body ratio) - 1440 x 2560 pixels (~577 ppi pixel density)
CPU: Quad-core 1.5 GHz Cortex-A53 & Quad-core 2.1 GHz - Exynos 7420
OS: Android OS, v5.0.2 (Lollipop)
Internal Memory: 64GB, 3 GB RAM
Camera: 16 MP, 2988 x 5312 pixels, optical image stabilization
Battery: 2600 mAh

HTC One M9:
The HTC brand has gotten some heavy following around the one line. I have not tried out the newer one series I had the older one xl series a before the revamped the one line. This phone comes in at ~$720 from Amazon.com
Specs:

5.0-inch LCD, HD 1080 x 1920, Super LCD3 capacitive touchscreen with Capacitive Multi touch panel 441PPI
Rear Camera: 20.7 Mega-Pixel, Automatic simultaneous video and image recording, geo-tagging, face/smile detection, HDR, panorama
Qualcomm MSM8994 Snapdragon 810 Quad-core 1.5 GHz Cortex-A53 & Quad-core 2 GHz Cortex-A57
MicroSD card slot (up to 128 GB)
Internal Memory: 64GB, 3GB RAM
Battery: 2840 mAh

Nexus 6:
The nexus line is known for its simplistic just basic android experience. This gives it a lot of compatability with other OSs like Cyangenmod which is a huge. This phone will cost you ~$550 from amazon.com
Specs:

Display: 5.96” 2560x1440 QHD AMOLED display (493 ppi)
Battery: 3220 mAh
Processor: 2.7GHz Qualcomm Snapdragon 805 with quad-core CPU (APQ 8084-AB), Adreno 420 GPU
Internal Memory: 64GB, 3GB RAM
Camera: 13MP IMX 214 Image Sensor

OnePlus 2:
OnePlus is a newish chines company that made a hit phone with the oneplus one phone. which I personally use and like. It is not a perfect phone but for the price point it was the best out there. OnePlus may want you to think that it is a flagship killer but in reality its a midrange phone. The one plus 2 also hits the same price point. The OnePlus 2 will cost you around ~$330 if you can get your hands on a invite. https://oneplus.net/2/
Specs:

Display: 5.5" 1080p Full HD (1920 x 1080 pixels), 401 PPI
GPU: Adreno™ 430
Internal Storage: 64GB, 4 GB RAM LPDDR4
Camera: 13 Megapixel (1.3um), Front: 5 Megapixel

though what may be different than almost every other phone on the market is they are upping the phone port to the USB C type of port. this will give the phone faster data transfer rates and more power for charging.

so all in all what do you think? will the OnePlus be able to compete with the big leage like they did with the OnePlus One?