Tales of Windows detection opportunities for an implant framework

Slides from a fifteen minute lightening talk on detection opportunities for implant framework behaviour on Windows.

Detecting anomalous Vectored Exception Handlers on Windows

We have documented a method of enumerating which processes are using Vectored Exception Handling on Windows and which if any of the handlers are anomalous

Deception Engineering: exploring the use of Windows Installer Packages against first stage payloads

We prototyped a Windows Installer Package Canary to help detect certain first stage trade craft. The ultimate goal being to alert for those threat actors targeting security products through uninstallation.

Deception Engineering: exploring the use of Windows Service Canaries against ransomware

We prototyped a Windows Service Canary to help detect and respond to certain pre-ransomware trade craft. The ultimate goal being to alert and minimize the impact of ransomware deployments.

Building an RDP Credential Catcher for Threat Intelligence

We wanted to build a mechanism to capture all the passwords used (successful or not) against RDP to ascertain potential sources of credential theft and if they are organisation specific. This post provides the background on an approach and the steps to build such a system.

Tool – Windows Executable Memory Page Delta Reporter

One true constant (until someone schools me) is that threat actors need executable memory of some kind to operate from for their endpoint implant even if fleeting. Given this we've released an open source Microsoft Windows Service that aims to facilitate detection of anomalous executable memory

Understanding the root cause of F5 Networks K52145254: TMUI RCE vulnerability CVE-2020-5902

CVE-2020-5902 was disclosed on July 1st, 2020 by F5 Networks in K52145254 as a CVSS 10.0 remote code execution vulnerability in the Big-IP administrative interface. This blog looks at the root causes of both the exploit paths discovered which boil down to subtle configuration issues and differences in behavior between Apache httpd and Apache Tomcat when dealing with an uncommon URI element called matrix (or path) parameters.

Experiments in Extending Thinkst Canary – Part 1

The Thinkst Canary is best described as a digital tripwire for physical and virtual environments. It sits there waiting for a threat actor to tip you off they are mooching around your environment. What is less appreciated however is it is extensible with custom user modules. This post is the first in a series detailing our experiments in extending the product.

Paper: Thematic for Success in Real-World Offensive Cyber Operations – How to make threat actors work harder and fail more often

tl;dr Today we've released a whitepaper on the key techniques that continue to enable us to breach the largest and most sophisticated organisations on the planet. Organisations that prioritize these areas, and the mitigations we outline, will thwart attacks while making threat actors work harder and ultimately fail more often. Objective The purpose of this … Continue reading Paper: Thematic for Success in Real-World Offensive Cyber Operations – How to make threat actors work harder and fail more often →

IETF Draft: Indicators of Compromise and Their Role in Attack and Defen[c|s]e

Earlier last month saw the publication an IETF draft NCC Group co-wrote with the UK's National Cyber Security Center titled 'Indicators of Compromise (IoCs) and Their Role in Attack Defence'