Sunday, December 8, 2024

Cloning software

When cloning hard drives, especially to upgrade the storage of a device, I found an older version of Macrium Reflect to be very useful.

References:
https://www.reddit.com/r/pchelp/comments/1b3xknx/any_truly_free_disk_cloning_software/

Wednesday, September 25, 2024

ScreenConnect launch parameters

I have found the referenced Anomali article and DFIR report very helpful when identifying ScreenConnect launch parameters. I haven't figured out what r and i do.

  • e as the session type; can be SupportMeetingAccess.
  • y as the process type; can be Guest or Host.
  • h as the relay service's URI.
  • p as the relay service's port.
  • s as a globally unique identifier for client identification.
  • k as the encoded encryption key, used for identity verification.
  • t as the optional session name.
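
These keys usually surface in process-creation telemetry, so the first thing a defender wants is a way to pull them out of a captured command line and check the relay the client is pointed at. The following is an added example and is not code from the post or from the Anomali/DFIR write-ups; it assumes the parameters travel as a URL-style query string appended to the client executable name (ScreenConnect.ClientSetup.exe?e=...&y=...), and the sample command line, relay host, GUID and key are constructed placeholders.

```python
"""Pull ScreenConnect client launch parameters out of a process command line.

Added example, not from the post or from the Anomali/DFIR write-ups.
Assumption: the client carries its parameters as a URL-style query string
appended to the executable name (ScreenConnect.ClientSetup.exe?e=...&y=...),
which is the form that shows up in process-creation telemetry.
"""
import re
from urllib.parse import unquote

# Keys explained in the post; r and i are left out because their meaning is unknown.
KNOWN_KEYS = {
    "e": "session type",
    "y": "process type (Guest/Host)",
    "h": "relay service URI",
    "p": "relay service port",
    "s": "client GUID",
    "k": "encoded encryption key",
    "t": "session name (optional)",
}

# Constructed sample command line; host, GUID and key are placeholders.
SAMPLE_CMDLINE = (
    r'"C:\Users\alice\Downloads\ScreenConnect.ClientSetup.exe'
    r'?e=Access&y=Guest&h=relay.example.invalid&p=8041'
    r'&s=11111111-2222-3333-4444-555555555555&k=QUJDREVGR0g%3D&t=helpdesk&r=1"'
)

# The query string runs from the first '?' after the executable name up to
# the next whitespace or quote character.
_QUERY_RE = re.compile(r'ScreenConnect[^\s"?]*\?([^\s"]*)', re.IGNORECASE)


def parse_launch_params(cmdline: str) -> dict:
    """Return the key/value pairs from the query string, or {} if none found."""
    match = _QUERY_RE.search(cmdline)
    if not match:
        return {}
    params = {}
    for pair in match.group(1).split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        # unquote() decodes %XX but leaves '+' alone, so encoded keys survive intact
        params[key] = unquote(value)
    return params


def summarize(cmdline: str, approved_relays: set) -> dict:
    """Reduce a command line to the fields a detection rule would key on."""
    params = parse_launch_params(cmdline)
    relay = params.get("h", "")
    return {
        "relay": relay,
        "port": params.get("p"),
        "process_type": params.get("y"),
        "session_name": params.get("t"),
        "unknown_keys": sorted(set(params) - set(KNOWN_KEYS)),
        # a client pointed at a relay outside the approved set deserves a closer look
        "unapproved_relay": bool(relay) and relay not in approved_relays,
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_CMDLINE, {"relay.corp.example"}))
```

The relay host (h) and port (p) are the most useful fields for triage: a client whose relay is not one of the instances your help desk actually operates is the case to investigate, and any keys outside the documented set (such as r and i) are surfaced so they can be noted rather than silently dropped.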

References:

https://www.anomali.com/blog/probable-iranian-cyber-actors-static-kitten-conducting-cyberespionage-campaign-targeting-uae-and-kuwait-government-agencies

Tuesday, March 7, 2023

Windows Package Manager (winget) it's amazing

Those coming from Linux have long used package managers, such as apt or rpm, to install software. Package managers are great because you can install software from a trusted repository, and they simplify the task of upgrading software to newer versions.

For the longest time, those on Windows did not have a built-in OS package manager and have long relied on 3rd-party software such as Chocolatey or Ninite. In 2020, Microsoft released winget to help solve the problem of installing, upgrading, and removing 3rd-party software on Windows.

Winget is great, and hopefully we will see more widespread adoption of this tool. I have also noticed that software installed through winget tends not to have PUPs or obnoxious add-ons.

Wednesday, January 18, 2023

The Trust in Zero Trust

Opinions expressed are solely my own and do not express the views or opinions of my employer

Hafnium/UNC2452 used novel techniques that abused the adoption of cloud technologies by organizations that did not fully understand the implications and architecture of that adoption.

Microsoft has made a push in recent years to Office 365 and as a result many organizations now have hybrid cloud environments, whether they know it or not.

How is this relevant to Zero Trust?

The spate of attacks has revealed weaknesses and tactics that pen-testers and adversaries can exploit against a hybrid cloud or Zero Trust environment. Even in a Zero Trust environment there is still a trust relationship between the Identity provider and the Service provider: tokens generated by the Identity provider are trusted by the Service provider. By attacking the cryptographic protections of this trust relationship, UNC2452 was able to launch sophisticated attacks that often went undetected. By forging tokens, UNC2452 abused this trust relationship to bypass the controls normally enforced when accessing services. Forged tokens let them short-circuit the normal authentication flow by authenticating directly to the Service provider with tokens, bypassing the Identity provider entirely.

Great, what does this mean?

For defenders, it is important to get good AAA telemetry: good logging from your Identity provider and your Service provider that tracks authentication, authorization, and auditing. This is a lot easier said than done.
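
One concrete reason the Identity provider's logs matter is that a forged token never passes through the Identity provider, so a Service provider acceptance with no matching issuance record is exactly the signal to hunt for. The following is an added example, not code from the post or from any vendor; the two log formats and every line in them are constructed for illustration, and the field names (token_id, audience, lifetime_s) are assumptions standing in for whatever your products actually emit.

```python
"""Correlate Service-provider token acceptances with Identity-provider issuance.

Added example, not from the post. The log lines and their format are
constructed for illustration and do not correspond to any vendor's schema;
the idea is that a forged token never passes through the IdP, so an SP
acceptance with no matching IdP issuance record is the signal to hunt for.
"""
from datetime import datetime, timedelta

# Constructed IdP log: one line per token the IdP actually signed.
IDP_LOG = """\
2023-01-18T09:00:05Z ISSUED token_id=t-1001 user=alice@corp.example audience=mail lifetime_s=3600
2023-01-18T09:02:11Z ISSUED token_id=t-1002 user=bob@corp.example audience=files lifetime_s=3600
"""

# Constructed SP log: one line per token the SP accepted.
SP_LOG = """\
2023-01-18T09:00:07Z ACCEPTED token_id=t-1001 user=alice@corp.example audience=mail
2023-01-18T09:05:40Z ACCEPTED token_id=t-1002 user=bob@corp.example audience=files
2023-01-18T09:06:00Z ACCEPTED token_id=t-1002 user=bob@corp.example audience=mail
2023-01-18T09:10:00Z ACCEPTED token_id=t-9999 user=admin@corp.example audience=mail
2023-01-18T11:30:00Z ACCEPTED token_id=t-1001 user=alice@corp.example audience=mail
"""


def parse_log(text: str) -> list:
    """Turn 'timestamp ACTION k=v k=v ...' lines into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, action, *fields = line.split()
        record = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "action": action}
        for field in fields:
            key, _, value = field.partition("=")
            record[key] = value
        events.append(record)
    return events


def find_suspicious_tokens(idp_text: str, sp_text: str) -> list:
    """Return (token_id, reason) for SP acceptances the IdP log cannot vouch for."""
    issued = {e["token_id"]: e for e in parse_log(idp_text) if e["action"] == "ISSUED"}
    findings = []
    for event in parse_log(sp_text):
        if event["action"] != "ACCEPTED":
            continue
        origin = issued.get(event["token_id"])
        if origin is None:
            # Nothing in the IdP log: the token was minted somewhere else.
            findings.append((event["token_id"], "no IdP issuance record"))
            continue
        if origin["user"] != event["user"] or origin["audience"] != event["audience"]:
            # Same id, different claims: the SP saw something the IdP did not sign.
            findings.append((event["token_id"], "claims differ from issued token"))
            continue
        expiry = origin["ts"] + timedelta(seconds=int(origin["lifetime_s"]))
        if event["ts"] > expiry:
            # The SP honoured a token past the lifetime the IdP actually granted.
            findings.append((event["token_id"], "accepted after IdP-stated expiry"))
    return findings


if __name__ == "__main__":
    for token_id, reason in find_suspicious_tokens(IDP_LOG, SP_LOG):
        print(f"{token_id}: {reason}")
```

The check only works if the Identity provider's issuance log is complete and retained for at least as long as the Service provider's, and it needs tuning for legitimate cases such as token refresh, clock skew between the two systems, and providers that reuse identifiers; the point it illustrates is that the Service provider's log alone can never distinguish a forged token from a real one, which is why the post insists on telemetry from both sides of the trust relationship.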

Implementing zero trust can provide gains to an organization by lowering the overall risk by "reducing or removing implicit trust in networked systems by addressing network identity, endpoint health, and data flows." (NIST) However, it can also mean introducing a single point of failure: an attacker that can compromise the identity manager can gain access to multiple resources. If the identity provider is based in the cloud, how much trust do you place in them? If your cloud identity provider were breached, what would the impacts to your organization be? While I believe many cloud providers provide better patching and maintenance than organizations do, the risk is non-zero.

References:

https://csrc.nist.gov/News/2022/planning-for-a-zero-trust-architecture-white-paper

Friday, January 13, 2023

Non-compete clauses

Recently the FTC has proposed a ban on most non-compete clauses. This is a great idea; if this ban gets enacted, the US stands to benefit in multiple ways, including increased worker mobility, increased innovation, increased growth, and increased market competition.

Silicon Valley
The lack of enforcement of non-compete clauses in California is one of the factors that have helped to create a vibrant technology sector in that state. Non-compete clauses are a method for employers to reduce competition by making it hard to poach and recruit talent. Without non-competes, start-ups in California are able to grow and thrive in the shadow of giant technology companies because they are able to better execute on their roadmaps and strategy. Organizations such as Zoom have been able to thrive in California by identifying a need in the market not met by larger technology companies. Large technology companies have been sued by the Federal government for illegally preventing employees from getting offers from competing firms. For example, Steve Jobs was sued by the Feds for a gentlemen's agreement with one of the founders at Google to stop that organization from poaching talent away from Apple.

Abuses of non-compete clauses
Non-compete clauses have also been abused by employers using overly broad language that prevents employees from leaving the firm or going to the competition. For example, in healthcare, non-compete clauses often dictate a geographical radius. In dense metropolitan areas, such as New York or LA, a non-compete clause with a 25-mile radius means you'll essentially need to find another job in another city, since 25 miles can mean a 2-hour commuting radius in large, crowded cities with traffic.

Non-compete clauses are un-American
Non-compete clauses go against the ideals of America. The US should be a nation that encourages competition, entrepreneurship, free markets, and the ability of employees to freely move if they find better opportunities elsewhere. The rise of non-compete clauses is allowing many larger, well-resourced organizations to reduce competition and continue their rent-seeking behavior. The continuation of this will reduce the economic growth of the country and limit the opportunities of employees.

References: 

https://money.cnn.com/2014/08/11/technology/silicon-valley-poaching-case/

Monday, January 17, 2022

Experience taking SANS SEC560 Network Penetration Testing and Ethical Hacking

This is the first time I have taken an online SANS course. For motivated students, online learning can be just as effective as in-person courses.

Overall, I enjoyed taking SEC560; the material was current and relevant to my job. Although I work blue team, there is a lot of value that can be gained by taking a pen testing course. There is tremendous overlap between the course material and the TTPs used by ransomware attackers. These include the following techniques I have read about or observed attackers using. I particularly enjoyed the emphasis on targeting the NTDS.dit file.

- Password attacks (password spraying, brute-force)
- NTDS.dit
- Domain attacks
    - Domain enumeration (BloodHound)
    - Kerberos attacks (Kerberoasting)

Improvements to the course

I thought that the labs could have been more comprehensive. I would have enjoyed a bonus section that included more advanced topics, including attacks against the domain such as Kerberoasting, Silver Ticket and Golden Ticket attacks, AS-REP roasting, and AD CS attacks.

Saturday, August 7, 2021

Remnux and VirtualBox Window Sizes

When importing the Remnux OVA into VirtualBox, you may notice that the window sizes are inappropriate. To fix this you will need to install the VirtualBox Guest Additions.

To do this, add an optical drive to the virtual machine in VirtualBox. Then, from the menu, insert the VirtualBox Guest Additions CD image and install the software.

Then you will need to follow the instructions on the website, which amount to mounting the inserted CD image inside the guest and running the Linux installer from it:

sudo mkdir -p /mnt/cdrom                    # create the mount point if it does not already exist
sudo mount /dev/sr0 /mnt/cdrom              # mount the Guest Additions CD image
sudo sh /mnt/cdrom/VBoxLinuxAdditions.run   # run the Linux installer from the mounted image