Posts

Extra Credits I: COM Objects Attacking & Detecting

Happy new year! Outside of the bread and butter of Windows DFIR, I haven't over-explored what I'd deem more niche, or old but tried and tested, concepts that I believe are sometimes overlooked, so I've set out to research, test and share some findings, with this being the first. This is by no means an attempt at a deep dive, but enough for a logical understanding to explore further, or hopefully to help detect and respond to exploitation of such features/protocols. If you have any comments, additions or disagreements, I'm very open to discussion and to learning. Windows Component Object Model (COM) If you are not interested in reading a summary of what COM actually is, or how it works, skip to the section "The "Offensive" Approach (How Hackers abuse COM Objects)", where an initial summary of attacks, followed by a demo and some topics on detection and response, can be seen. Windows Component Object Model (COM), in simple terms, is a plug and play utility p...

Tweet Before Trouble - Proactive Credential & Session Token Theft Detection through site clone monitoring

A lot of work and effort has been put into deceptive technology, but I don't really see it discussed much outside of honeypots (especially with the AI-emulated environments etc.) and jars being flooded with the joy of the web. (This, of course, being the nature of it: if everyone knows it is there, it is no longer deception.) Despite this, from an educational perspective, I've found aggregating a long list of information into actionable insights valuable to others, so here we are :) To ensure this isn't click-bait for a holy grail solution for credential and/or session token theft detection, I am highlighting the fact that attackers in some instances clone login pages (your login portals especially) to make phishing and other social engineering attacks appear more legitimate. A Canary what? "Canarytokens are like motion sensors for your networks, computers and clouds. You can put them in folders, on network devices and on your phones. Place them where nobody should be pok...

Velociraptor MCP

With the MCP buzz still running hot, I thought I would take some time to use and document one that really caught my eye recently. This MCP was developed by @mgreen27 and I am very excited to see how it continues to grow. In this post, I'll walk through how to spin up a Velociraptor MCP from this GitHub repo, explore what the protocol does under the hood, and demonstrate how you can contribute to or build on it yourself. Whether you're a threat hunter looking to streamline workflows or a DFIR practitioner building custom tooling, understanding and leveraging MCP will help you take full advantage of Velociraptor's extensibility. Personal skippable waffle I am interested in seeing how the cybersecurity space adapts to MCPs (and AI as a whole...). I believe they should be used in conjunction; i.e. you begin analysing the triage image or acquired artifacts whilst you run a simultaneous query targeting 'known-evil' or anything of the sort - this provides us with quick wins...