<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>Riccardo Ancarani - Red Team Adventures</title>
    <description>A blog for random thoughts. Sometimes for infosec as well.</description>
    <link>https://riccardoancarani.github.io/</link>
    <atom:link href="https://riccardoancarani.github.io/feed.xml" rel="self" type="application/rss+xml" />
    
      <item>
        <title>Attacking an EDR - Part 3</title>
        <description>
          All good things must come to an end - 
          Introduction DISCLAIMER: This post was done in collaboration with Devid Lana. You can find his blog here: https://her0ness.github.io In this third and last part of this series, we will dig deeper into the EDR’s update process and uncover some logic flaws that, ultimately, led us to the complete disarmament of...
        </description>
        <pubDate>Tue, 07 Nov 2023 00:00:00 -0800</pubDate>
        <link>https://riccardoancarani.github.io/2023-11-07-attacking-an-edr-part-3/</link>
        <guid isPermaLink="true">https://riccardoancarani.github.io/2023-11-07-attacking-an-edr-part-3/</guid>
      </item>
    
      <item>
        <title>Attacking an EDR - Part 2</title>
        <description>
          For less fun but even more profit - 
          Introduction - Where we left off DISCLAIMER: This post was done in collaboration with Devid Lana. You can find his blog here: her0ness - Attacking an EDR Part 2 Continuing from our last research, we pursued the exploration of the attack surface of the EDR solution under our scrutiny, STRANGETRINITY....
        </description>
        <pubDate>Thu, 14 Sep 2023 00:00:00 -0700</pubDate>
        <link>https://riccardoancarani.github.io/2023-09-14-attacking-an-edr-part-2/</link>
        <guid isPermaLink="true">https://riccardoancarani.github.io/2023-09-14-attacking-an-edr-part-2/</guid>
      </item>
    
      <item>
        <title>Attacking an EDR - Part 1</title>
        <description>
          For some fun and a fair bit of profit - 
          Introduction DISCLAIMER: This post was done in collaboration with Devid Lana. You can find his blog here: https://her0ness.github.io This post is the first of what - we hope - will be a long series of articles detailing some common flaws that can be found on modern EDR products. By no...
        </description>
        <pubDate>Thu, 03 Aug 2023 00:00:00 -0700</pubDate>
        <link>https://riccardoancarani.github.io/2023-08-03-attacking-an-edr-part-1/</link>
        <guid isPermaLink="true">https://riccardoancarani.github.io/2023-08-03-attacking-an-edr-part-1/</guid>
      </item>
    
      <item>
        <title>Mockingjay - What is old is new again</title>
        <description>
          Riding the hype train to see if we can get something useful out of it - 
          Mockingjay - What is old is new again There has been quite a lot of rumor recently around the release of a piece of research that discusses a new (?) process injection technique that evades EDRs (what does that even mean?). For reference, these are the blog posts I am...
        </description>
        <pubDate>Mon, 31 Jul 2023 00:00:00 -0700</pubDate>
        <link>https://riccardoancarani.github.io/2023-07-31-mockingjay-what-is-old-is-new-again/</link>
        <guid isPermaLink="true">https://riccardoancarani.github.io/2023-07-31-mockingjay-what-is-old-is-new-again/</guid>
      </item>
    
      <item>
        <title>Random Notes on Task Scheduler Lateral Movement</title>
        <description>
          Putting some sunscreen - 
          Introduction File Replacement Task Replacement COM Handlers Detection Evasion References Introduction Reading FireEye’s UNC2452 writeup, I started to think about how to emulate them in purple teaming exercises. Although the supply-chain bit is still a bit out of my reach, I noticed an interesting lateral movement vector that was used...
        </description>
        <pubDate>Mon, 25 Jan 2021 00:00:00 -0800</pubDate>
        <link>https://riccardoancarani.github.io/2021-01-25-random-notes-on-task-scheduler-lateral-movement/</link>
        <guid isPermaLink="true">https://riccardoancarani.github.io/2021-01-25-random-notes-on-task-scheduler-lateral-movement/</guid>
      </item>
    
      <item>
        <title>Following Donut Crumbs</title>
        <description>
          The small traces left by donut shellcode - 
          Intro Observations In-Memory PE AMSI Bypass Intro To deal with some rainy Sunday depression I decided to investigate how Donut operates in memory and to see what traces it leaves (if any). I’ve been using Donut for quite some time, and I find it extremely useful from an operator’s perspective...
        </description>
        <pubDate>Sat, 10 Oct 2020 00:00:00 -0700</pubDate>
        <link>https://riccardoancarani.github.io/2020-10-10-donut-crumbs/</link>
        <guid isPermaLink="true">https://riccardoancarani.github.io/2020-10-10-donut-crumbs/</guid>
      </item>
    
      <item>
        <title>Hunting for Skeleton Key Implants</title>
        <description>
          
          Introduction Attack Execution Detection Other Detections and Indicators References Introduction During a recent presentation I examined various ways of persisting within Active Directory (AD) and how every technique can be detected, using both intrinsic IoC of the specific technique or tooling default behaviour. One of the analysed attacks was the...
        </description>
        <pubDate>Sat, 08 Aug 2020 00:00:00 -0700</pubDate>
        <link>https://riccardoancarani.github.io/2020-08-08-hunting-for-skeleton-keys/</link>
        <guid isPermaLink="true">https://riccardoancarani.github.io/2020-08-08-hunting-for-skeleton-keys/</guid>
      </item>
    
      <item>
        <title>Hunting for Impacket</title>
        <description>
          
          Introduction Tools secretsdump.py wmiexec.py dcomexec.py Final Words Introduction During an attack, lateral movement is crucial in order to achieve the operation’s objectives. Primarily, two main strategies exist that would allow an attacker to execute code or exfiltrate data from other hosts after obtaining a foothold within an environment: Operate from...
        </description>
        <pubDate>Sun, 10 May 2020 00:00:00 -0700</pubDate>
        <link>https://riccardoancarani.github.io/2020-05-10-hunting-for-impacket/</link>
        <guid isPermaLink="true">https://riccardoancarani.github.io/2020-05-10-hunting-for-impacket/</guid>
      </item>
    
      <item>
        <title>Attacking Insecure ELK Deployments</title>
        <description>
          Playing Cat and Mouse With The Blue Team - 
          Introduction Nowadays, we see a continuous increase in the adoption of the Elasticsearch Logstash Kibana (ELK) stack for security monitoring purposes. The functionalities of the ELK stack fit the purpose of a SIEM nicely; in fact, within a few minutes it is possible to spin up a cluster and deploy the...
        </description>
        <pubDate>Sat, 21 Mar 2020 00:00:00 -0700</pubDate>
        <link>https://riccardoancarani.github.io/2020-03-21-fooling-the-blue-team-abusing-insecure-elk/</link>
        <guid isPermaLink="true">https://riccardoancarani.github.io/2020-03-21-fooling-the-blue-team-abusing-insecure-elk/</guid>
      </item>
    
      <item>
        <title>Extending BloodHound</title>
        <description>
          Part 1 - GPOs and User Right Assignment - 
          This series of posts was inspired by porterhau5’s work that can be found here: Extending BloodHound: Track and Visualize Your Compromise. 1. The Problem In a standard Active Directory assessment, a fundamental phase is the analysis of Group Policy Objects (GPOs). Usually, this activity is aimed at identifying the following:...
        </description>
        <pubDate>Thu, 06 Feb 2020 00:00:00 -0800</pubDate>
        <link>https://riccardoancarani.github.io/2020-02-06-extending-bloodhound-pt1/</link>
        <guid isPermaLink="true">https://riccardoancarani.github.io/2020-02-06-extending-bloodhound-pt1/</guid>
      </item>
    
      <item>
        <title>Hunting for SCShell Usage Using ELK</title>
        <description>
          hunt hunt hunt - 
          Introduction In today’s post we’re going to create detections and hunt for the usage of the recent lateral movement technique called SCShell. In a nutshell, the SCShell technique is born from the limitation of lateral movement attacks like remote service creation that required the attacker to drop files on the...
        </description>
        <pubDate>Mon, 16 Dec 2019 00:00:00 -0800</pubDate>
        <link>https://riccardoancarani.github.io/2019-12-16-hunting-for-scshell-usage/</link>
        <guid isPermaLink="true">https://riccardoancarani.github.io/2019-12-16-hunting-for-scshell-usage/</guid>
      </item>
    
      <item>
        <title>Streamlining BloodHound Analytics</title>
        <description>
          Jupyter all the things - 
          Introduction As a penetration tester, I often rely on BloodHound to assist me in Active Directory engagements. However, after a few of them it was clear that I was repeating the same actions (hence the same queries) over and over again. I felt that doing this initial process manually was...
        </description>
        <pubDate>Sun, 08 Dec 2019 00:00:00 -0800</pubDate>
        <link>https://riccardoancarani.github.io/2019-12-08-streamlining-bloodhound-analytics/</link>
        <guid isPermaLink="true">https://riccardoancarani.github.io/2019-12-08-streamlining-bloodhound-analytics/</guid>
      </item>
    
      <item>
        <title>Not All Paths are Created Equal</title>
        <description>
          Attackers' Economy (Part 1) - 
          Introduction BloodHound was a revolution for evaluating Active Directory (AD) security and identifying unintended paths that could lead to the compromise of sensitive groups such as Domain Admins. The community has been using it successfully in many engagements and against highly secure environments. For those who’ve been living in a...
        </description>
        <pubDate>Fri, 08 Nov 2019 00:00:00 -0800</pubDate>
        <link>https://riccardoancarani.github.io/2019-11-08-not-all-paths-are-equal/</link>
        <guid isPermaLink="true">https://riccardoancarani.github.io/2019-11-08-not-all-paths-are-equal/</guid>
      </item>
    
      <item>
        <title>Hunting for Suspicious LDAP Activity with SilkETW and Yara</title>
        <description>
          Detecting Active Directory Enumeration - 
          Intro This is another post to document my journey of learning Threat Hunting. In today’s post we’re going to perform threat hunting activities with the aim of hunting for AD domain enumeration. We’re going to heavily rely on FireEye’s SilkETW and we’ll search for suspicious LDAP queries generated by our...
        </description>
        <pubDate>Sat, 19 Oct 2019 00:00:00 -0700</pubDate>
        <link>https://riccardoancarani.github.io/2019-10-19-hunting-for-domain-enumeration/</link>
        <guid isPermaLink="true">https://riccardoancarani.github.io/2019-10-19-hunting-for-domain-enumeration/</guid>
      </item>
    
      <item>
        <title>Hunting for Anomalous Usage of MSBuild and Covenant</title>
        <description>
          
          Today’s post will cover some of my experiments while practicing threat hunting. Specifically today we will cover hunting for malicious usage of msbuild.exe used by Covenant. I literally started last week, so forgive me if I’m not following logging best practices or some detections are very unreliable! It must be...
        </description>
        <pubDate>Sat, 19 Oct 2019 00:00:00 -0700</pubDate>
        <link>https://riccardoancarani.github.io/2019-10-19-hunting-covenant-msbuild/</link>
        <guid isPermaLink="true">https://riccardoancarani.github.io/2019-10-19-hunting-covenant-msbuild/</guid>
      </item>
    
      <item>
        <title>Lateral Movement</title>
        <description>
          Windows and Active Directory - 
          Introduction Find Where We Have Access Local Group Membership - The Blind Approach Local Group Membership - Group Policy Objects Access to File Shares Access Control Lists MSSQL Access WMI Remote Service Creation Remote Desktop Protocol PowerShell Remoting Task Scheduler PsExec DCOM Password Spray Folder Redirection and Roaming Profiles RDP...
        </description>
        <pubDate>Fri, 04 Oct 2019 00:00:00 -0700</pubDate>
        <link>https://riccardoancarani.github.io/2019-10-04-lateral-movement-megaprimer/</link>
        <guid isPermaLink="true">https://riccardoancarani.github.io/2019-10-04-lateral-movement-megaprimer/</guid>
      </item>
    
      <item>
        <title>Modern C2 Infrastructure with Terraform, DigitalOcean, Covenant and Cloudflare</title>
        <description>
          Part 1 - 
          This is going to be a quick walkthrough of how I would set up a Command and Control (C2) infrastructure using the following technologies: Terraform (https://www.terraform.io/) DigitalOcean (https://cloud.digitalocean.com) Cloudflare (https://www.cloudflare.com) Covenant (https://github.com/cobbr/Covenant) The aim of this post is mainly practicing building reliable and reusable C2 infrastructures for red team engagements....
        </description>
        <pubDate>Sat, 28 Sep 2019 00:00:00 -0700</pubDate>
        <link>https://riccardoancarani.github.io/2019-09-28-modern-c2-infra/</link>
        <guid isPermaLink="true">https://riccardoancarani.github.io/2019-09-28-modern-c2-infra/</guid>
      </item>
    
  </channel>
</rss>
