Stephan Berger (@malmoeb)
Followers: 28K | Following: 58 | Media: 1K | Statuses: 3K
Head of Investigations @InfoGuardAG https://t.co/A5lnFAu7eX
Joined October 2012
Today I learned: SeManageVolumePrivilege. While reading the HTB write-up for Certificate, I learned about SeManageVolumePrivilege. [1] A video by Grzegorz Tworek goes into great detail about how to abuse SeManageVolumePrivilege. [2] The privilege provides direct access to the
0xdf.gitlab.io
Certificate starts with a school website that accepts assignment uploads in limited formats that includes zip archives. I’ll show two ways to bypass the filters in PHP and upload a webshell - first...
Coming back to Maester! Do you know about the awesome Conditional Access What-If tests? [1] The first image is from the official documentation and shows how easily you can build your own test scenario. The second image shows the results from a tenant where I ran the test. I
What is Maester? [1] Maester is a PowerShell-based test automation framework that helps you stay in control of your Microsoft security configuration. Such an awesome tool - test details can be filtered by passed, failed, and skipped. Failed tests come with detailed
SentinelOne published their analysis about PhantomCaptcha. [1] One of the (many) interesting parts of this report is: "The script also disabled PowerShell command history logging via Set-PSReadlineOption -HistorySaveStyle SaveNothing as a means of evading forensic analysis." I
Today I learned: Using diskshadow to fetch the NTDS.dit. As mentioned several times, I love reading the HTB writeups from 0xdf because I always learn something new. Like here [1]: "To dump the domain hashes, I’ll want to get the C:\Windows\NTDS.dit file. Unfortunately, this file
0xdf.gitlab.io
Baby is an easy Windows Active Directory box. I’ll start by enumerating LDAP to find a default credential, and spray it to find another account it works on. From there, I’ll abuse Backup Operators /...
Microsoft-Analyzer-Suite v1.7.0 released today! This update includes a new PowerShell script for analyzing Microsoft Service Principal Sign-In Logs.🚀 Check out the changelog for more information. Happy M365/Azure Threat Hunting! #M365 #Azure #EntraID #BEC #DFIR #Microsoft
github.com
[1.7.0] - 2025-10-21. Added: ServicePrincipal-Analyzer → Wiki; Config.json: ImportExcel - Custom Color Scheme. Fixed: Minor fixes and improvements. Fig 1: ServicePrincipal-Analyzer; Fig 2: Hunt.xlsx...
Lately, I’ve talked about (alternative) forensic artifacts where the retention time might be higher than your classical Security Event Logs, or might not be the first artifact to be deleted in an "anti-forensics" operation by a threat actor. We recently used the
In various business email compromise (BEC) cases, we later discovered that although the customer had set up a conditional access (CA) policy to enforce multi-factor authentication, mistakes had been made during the implementation of said policies. For example, certain resources
We recently took over an APT investigation from another forensic company. While reviewing analysis reports from the other company, we discovered that the attackers had been active in the network for months and had deployed multiple backdoors. One way they could regain root
dfir.ch
Technical blog by Stephan Berger (@malmoeb)
Second story from a recent coffee break with my pentest colleague. During a retest for a client, they discovered the same ESC1 vulnerability they had reported before. Why is that dangerous and also super critical? "Active Directory Certificate Services (AD CS) is the backbone of
Coffee break with one of our pentesters. He casually mentioned to me, "The last attack simulation was pretty cool. We used gowitness (a website screenshot utility written in Golang, to generate screenshots of web interfaces) to find internal services [1]. In doing so, we found a
During a recent engagement, the customer provided us with access to their extensive data collection in Splunk. One thing I checked was Sysmon’s Event ID 13 (RegistryEvent - Value Set) for modifications to various keys used for credential stealing (NetworkProvider, Notification
My colleague @p0w1_ keeps on finding flaws and vulnerabilities in EDRs, as if it were a stroll in the park 😂 well done - keep up the pace!
New blog post by @p0w1_ : We looked into Microsoft Defender for Endpoint's cloud communication and found multiple vulnerabilities. Want to intercept isolation requests as an unauthenticated attacker? Or upload hidden malware to IR? MSRC: low severity 🤷 https://t.co/SZ5yeZXfJB
#BSidesBerlin Speaker Showcase: @malmoeb will dissect Mythic—a modern macOS attack framework—covering C2 comms, persistence, OPSEC tricks, and detection paths. Get your tickets here 👉 https://t.co/kJPlqQJTwI @SecurityBSides #RedTeam #macOS
Love that Minesweeper reference here :) They tried hard to blend in; however, certain metadata about a file is baked into the PE header. Attackers can rename binaries all they want, but fields like original_file_name or inconsistencies in headers often give them away. Yes, you
In today's BEC (Business E-Mail Compromise) case, I stumbled (again) over the "Set-MailboxJunkEmailConfiguration" operation. I talked about it a while back. [1] The attacker also created a new Inbox rule for moving incoming emails for target personnel to a designated folder.
My team colleague, Yann Malherbe, wrote an in-depth blog post about the Automation of VHDX Investigations with 🦖. Enjoy. https://t.co/UxCXtfJb4a
My first keynote will be about how we spend billions on (cyber) security but remain insecure. I’ll use a recent case as an example, which my colleague Asger Deleuran Strunk investigated: At the end of March, the first malicious login happened. The attacker continued to log in
Mandiant mentioned the User Access Logs in their newest report [1]. We use the UAL extensively in our investigations, as this artifact can retain logs for a longer period of time, as outlined by Mandiant (and also covered in my Anti-Forensics presentation). "In addition to EDR