MSSQL Lateral Movement

Using discovered credentials to move laterally in an environment is a common goal for the NCC Group FSAS team. The ability to quickly and reliably use a newly gained set of credentials is essential during time-constrained operations. This blog post explains how to automate lateral movement via MSSQL CLR without touching disk* or requiring XP_CMDSHELL and how this can be prevented and detected.

Sign over Your Hashes – Stealing NetNTLM Hashes via Outlook Signatures

In your emails, getting your hashes  Capturing NetNTLM hashes from network communications is nothing new; a quick Google for 'Capture NTLM Hashes' throws up blog posts discussing the various ways to force SMB communications to an attacker and the numerous existing tools to capture the authentication attempt and extract the password hash. Sniffing SMB traffic requires elevated permissions … Continue reading Sign over Your Hashes – Stealing NetNTLM Hashes via Outlook Signatures

Using SharePoint as a Phishing Platform

Introduction The rise of endpoint protection and the use of mobile operating systems has created additional challenges when targeting corporate users with phishing payloads designed to execute code on their endpoint device. Credential capture campaigns offer an alternative chance to leverage remote working solutions such as VPNs or Desktop Gateways in order to gain access … Continue reading Using SharePoint as a Phishing Platform

CloudWatch: Amazon Web Services & Shellshock

Introduction As more of our services move to rented virtual servers, applying centralised protective monitoring becomes more of a challenge. Offerings such as Assuria’s Cloud Security Suite and Splunk’s Storm show the demand for elastic and easily configurable monitoring that can be deployed on cloud provisioned infrastructure. Amazon has responded to these services by creating … Continue reading CloudWatch: Amazon Web Services & Shellshock