To Catch a Hacker in My Home Lab – Atreides

Introduction: This blog post will walk you through how to answer the questions contained in my Atreides scenario, located here: https://github.com/medmondson44/dune/tree/main/atreides. The Jupyter Notebook file is located there as well. The post will go through the initial access vector, the situational awareness commands that were run, the persistence mechanism used, how privilege escalation to System was […]


Detecting mshta in a Home Lab

Today I wanted to do a quick blog post on how to test your security tools against the Windows binary mshta.exe downloading a malicious .hta file. My setup is an Elastic Stack VM and a Windows endpoint configured with Elastic’s endpoint agent. In addition, I used a Parrot Security VM as my attacking machine and […]


SSH Tunnelling

In today’s blog post I wanted to talk about Secure Shell (SSH) and some of its powerful features. We will start with the basics, such as what it is and what it does, and then move on to more advanced concepts, such as how an adversary can use it to hide themselves through multiple layers of cloud […]


Create Elastalert Rules with Sigma

Today I wanted to do a quick blog post on how to use the tool Sigma to create Elastalert rules for alerting in your Elastic Stack instance. Sigma: So, first things first, what is Sigma? According to the official GitHub site, “Sigma is a generic and open signature format that allows you to describe […]


Target Package: APT 18

Summary: APT 18 is a threat group that has been in operation since at least 2009. In broad terms, they usually send their victims a phishing email that downloads a Remote Access Trojan (RAT). Some of their observed persistence mechanisms have used registry run […]


Detecting MITRE ATT&CK Technique: Part 2 – T1003.001 (LSASS Memory)

Today I wanted to write a quick blog post on how you can detect, with free and open source tools, attackers using rundll32.dll and comsvcs.dll to dump the memory of LSASS. You can find out how my environment is set up in part 1 of this series: https://marcusedmondson.com/2020/07/29/detecting-mitre-attck-technique-t1218-010-regsvr32/ So now let’s cover how MITRE ATT&CK describes […]
