This blog describes a vulnerability discovered by Fox-IT last year in Azure AD Connect, which would allow anyone with account creation privileges in the on-premise Active Directory directory to modify the password of any cloud-only account in Azure AD. Because of the way accounts are commonly configured, this could often enable an attacker to take … Continue reading Syncing yourself to Global Administrator in Azure Active Directory
Export corrupts Windows Event Log files
Exported .evtx files may contain corrupted data - Check interpretation of forensic tools. Author: Jeffrey Wassenaar Introduction As forensic investigators, we truly love log files. During the investigation of a system with a Microsoft Windows operating system, Windows Event Log files (.evtx) can be very useful. System events (such as logons) are logged, but applications … Continue reading Export corrupts Windows Event Log files
Getting in the Zone: dumping Active Directory DNS using adidnsdump
Zone transfers are a classical way of performing reconnaissance in networks (or even from the internet). They require an insecurely configured DNS server that allows anonymous users to transfer all records and gather information about host in the network. What not many people know however is that if Active Directory integrated DNS is used, any … Continue reading Getting in the Zone: dumping Active Directory DNS using adidnsdump
mkYARA – Writing YARA rules for the lazy analyst
Writing YARA rules based on executable code within malware can be a tedious task. An analyst cannot simply copy and paste raw executable code into a YARA rule, because this code contains variable values, such as memory addresses and offsets. The analyst has to disassemble the code and wildcard all the pieces in the code … Continue reading mkYARA – Writing YARA rules for the lazy analyst
PsiXBot: The Evolution Of A Modular .NET Bot
PsiXBot: The Evolution Of A Modular .NET Bot Summary In this blog we will share our analysis of a modular piece of malware which is referred to by the author as PsiXBot. The malware first surfaced in 2017 but has recently undergone significant developments of its core and modules, which include the logging of keystrokes … Continue reading PsiXBot: The Evolution Of A Modular .NET Bot
Identifying Cobalt Strike team servers in the wild
How an anomalous space led to fingerprinting Summary On the 2nd of January 2019 Cobalt Strike version 3.13 was released, which contained a fix for an "extraneous space". This uncommon whitespace in its server responses represents one of the characteristics Fox-IT has been leveraging to identify Cobalt Strike Servers, with high confidence, for the past … Continue reading Identifying Cobalt Strike team servers in the wild
Your trust, our signature
Written and researched by Mark Bregman and Rindert Kramer Sending signed phishing emails Every organisation, whatever its size, will encounter phishing emails sooner or later. While the number of phishing attacks is increasing every day, the way in which phishing is used within a cyber-attack has not changed: an attacker comes up with a scenario … Continue reading Your trust, our signature
Phishing – Ask and ye shall receive
During penetration tests, our primary goal is to identify the difference in paths that can be used to obtain the goal(s) as agreed upon with our customers. This often succeeds due to insufficient hardening, lack of awareness or poor password hygiene. Sometimes we do get access to a resource, but do not have access to … Continue reading Phishing – Ask and ye shall receive
Bokbot: The (re)birth of a banker
This blogpost is a follow-up to a presentation with the same name, given at SecurityFest in Sweden by Alfred Klason. Summary Bokbot (aka: IcedID) came to Fox-IT’s attention around the end of May 2017 when we identified an unknown sample in our lab that appeared to be a banker. This sample was also provided by … Continue reading Bokbot: The (re)birth of a banker
Introducing Team Foundation Server decryption tool
During penetration tests we sometimes encounter servers running software that use sensitive information as part of the underlying process, such as Microsoft's Team Foundation Server (TFS). TFS can be used for developing code, version control and automatic deployment to target systems. This blogpost provides two tools to decrypt sensitive information that is stored in the TFS … Continue reading Introducing Team Foundation Server decryption tool
