Dripping a Little Honey in Your Environment

Today I wanted to talk about using the deception technology called New-HoneyHash.ps1. This is a tool that was inspired by Mark Baggett and authored by Matt Graeber, that will inject fake credentials into the lsass.exe process. This can be effective at finding attackers who are dumping the lsass process in your environment in order to […]

Pivoting with SSH Tunnels and Plink

Today I wanted to do a blog post on pivoting with SSH tunnels and using Plink to forward connections to other computers, once you have a foothold in an environment. For this scenario, I used two Virtual Private Servers (VPS’s), my Kali VM, and my ESXi lab environment consisting of an Elastic Stack VM running […]

PrintNightmare and SSH Tunnels for Fun

Today I wanted to cover a subject that has been covered many times before, but writing about the techniques and tools I am learning helps me solidify my knowledge so here we go. Today’s post will be about, testing out the PrintNightmare exploit in my homelab through dynamic and remote SSH tunnels. I got the […]

To Catch a Hacker in My Home Lab – Atreides

Introduction This blog post will walk you through how to answer the questions that are contained in my Atreides scenario located here: https://github.com/medmondson44/dune/tree/main/atreides. The Jupyter Notebook file is located there. The blog post will go through the initial access vector, situational awareness commands that were run, persistence mechanism used, how privilege escalation to System was […]

Detecting mshta in a Home Lab

Today I wanted to do a quick blog post on how to test your security tools to find the Windows binary mshta.exe downloading a malicious .hta file. My setup is an Elastic Stack VM, a Windows endpoint configured with Elastic’s endpoint agent. In addition, I used a Parrot security VM as my attacking machine and […]

To Catch a Hacker in My Home Lab – Noabar

Today I wanted to write a blog post to answer the questions to the Noabar scenario located here: https://github.com/medmondson44/dune. A little background on what Noabar is, this is a Windows machine in my home lab that I attacked to create artifacts. There is a README file that has some question that can be answered based […]

SSH Tunnelling

In today’s blog post I wanted to talk about Secure Shell (SSH) and some of its powerful features. We will start with some of the basics such as what it is, what it does, and then more advanced concepts such as how an adversary can use it to hide themselves, through multiple layers of cloud […]

Data Driven Analysis – My Approach

So today my thoughts have been centered around data driven analysis. What is it? Why should it be used? How to implement it? So in this post I wanted to cover these topics as well as a PowerShell script I use to collect and parse data from offline Windows event logs or online. I will […]

Windows Persistence Mechanics – DLL Search Order Hijacking

Today I was thinking about persistence as it relates to threat hunting, and I have come to the conclusion, attackers adding persistence to your environment is the perfect chokepoint to find attacker activity. In this blog post, part 1 in a series I will be doing on Window’s persistence I am going to give you […]

Threat Hunting with Jupyter Notebooks – Part 1: Connect to Elasticsearch

So today I wanted to talk about threat hunting with Jupyter Notebooks. I will cover what a Jupyter Notebook is. I will also cover what Elasticsearch is, this will be where the data we analyze is located. We will look at how to connect to our Elasticsearch instance, get it formatted in a way that […]