Tool Release – Principal Mapper v1.1.0 Update

Principal Mapper, or PMapper, is a tool and library for in-depth analysis with AWS Identity and Access Management, as well as AWS Organizations. PMapper stores data about AWS accounts and organizations, then provides options to query, visualize, and analyze that data. The library, written in Python, enables users to extend PMapper's functionality for other use-cases. … Continue reading Tool Release – Principal Mapper v1.1.0 Update →

Tool Release – Solitude: A privacy analysis tool

Created by Dan Hastings and Emanuel Flores Solitude is an open source privacy analysis tool that enables you to conduct your own privacy investigations into where your private data goes once it leaves your web browser or mobile device. Whether a curious novice or a more advanced researcher, Solitude makes the process of evaluating an … Continue reading Tool Release – Solitude: A privacy analysis tool →

Lending a hand to the community – Covenant v0.7 Updates

Introduction Covenant [1] is an open source .NET command and control framework to support Red Team operations, similar in many ways to the well-known Cobalt Strike threat emulation software. Covenant is an ASP.NET Core, cross-platform application that includes a web-based interface that allows for multi-user collaboration. It has two main agents/payloads: The Grunt, which is … Continue reading Lending a hand to the community – Covenant v0.7 Updates →

MSSQL Lateral Movement

Using discovered credentials to move laterally in an environment is a common goal for the NCC Group FSAS team. The ability to quickly and reliably use a newly gained set of credentials is essential during time-constrained operations. This blog post explains how to automate lateral movement via MSSQL CLR without touching disk* or requiring XP_CMDSHELL and how this can be prevented and detected.

Sign over Your Hashes – Stealing NetNTLM Hashes via Outlook Signatures

In your emails, getting your hashes Capturing NetNTLM hashes from network communications is nothing new; a quick Google for 'Capture NTLM Hashes' throws up blog posts discussing the various ways to force SMB communications to an attacker and the numerous existing tools to capture the authentication attempt and extract the password hash. Sniffing SMB traffic requires elevated permissions … Continue reading Sign over Your Hashes – Stealing NetNTLM Hashes via Outlook Signatures →

Helping Engineering Teams Tackle Security Debt in Embedded Systems: U-Boot Configuration Auditing Introduced in Depthcharge v0.2.0

Depthcharge v0.2.0 is now available on GitHub and PyPi. This release introduces new “configuration checker” functionality and includes some major updates intended to improve usability. A tl;dr summary can be found in the CHANGELOG file. This blog post dives a bit more into the motivations for the changes, envisioned use-cases, and how this update fits … Continue reading Helping Engineering Teams Tackle Security Debt in Embedded Systems: U-Boot Configuration Auditing Introduced in Depthcharge v0.2.0 →

Tool Release – HTTPSignatures: A Burp Suite Extension Implementing HTTP Signatures

HTTPSignatures is a PortSwigger Burp Suite extension that implements the Signing HTTP Messages draft-ietf-httpbis-message-signatures-01 specification draft document. What motivated my creation in this tool was the lack of an easy way to test applications and services using HTTP Signatures. This extension allows Burp Suite users to seamlessly test applications that require HTTP Signatures. What are … Continue reading Tool Release – HTTPSignatures: A Burp Suite Extension Implementing HTTP Signatures →

Tool Release – Carnivore: Microsoft External Assessment Tool

Carnivore is a tool for assessing on-premises Microsoft servers such as ADFS, Skype, Exchange, and RDWeb. Carnivore's functionality covers every stage an attacker would follow - from discovering relevant subdomains, to uncovering username format and username enumeration, to password spraying and additional post authentication activities for Skype such as retrieving the global address list or … Continue reading Tool Release – Carnivore: Microsoft External Assessment Tool →

Tool – Windows Executable Memory Page Delta Reporter

One true constant (until someone schools me) is that threat actors need executable memory of some kind to operate from for their endpoint implant even if fleeting. Given this we've released an open source Microsoft Windows Service that aims to facilitate detection of anomalous executable memory