www.inversecos.com (142.250.186.115)

Submitted URL: http://www.inversecos.com/
Effective URL: https://www.inversecos.com/
Submission: On September 17 via manual from SE — Scanned from DE



INVERSECOS






POSTS


OFFICE365 ATTACKS: BYPASSING MFA, ACHIEVING PERSISTENCE AND MORE


September 16, 2021

APTs are actively attacking Office 365 (O365) – finding mechanisms to bypass MFA
and to impersonate users regardless of whether you reset their passwords. When I
was looking through the Mitre mapping of O365 attacks, I noticed that it didn’t
include many methods of intrusion and actions on objectives that can occur with
O365. In conversations with several clients, I couldn’t help but notice that
there’s still a heavy focus on “endpoint” style attacks and not much resource /
thought put into attacks that can occur in the cloud. Attacking O365 gives an
attacker many benefits… it allows an attacker to impersonate users, alter MFA
settings, register malicious devices, access Teams messages, download sensitive
emails, access SharePoint, OneDrive, register malicious applications and various
other actions that could allow them to maintain persistence in your environment.
This blog post explores the various ways O365 can be attacked. I will be writing
a Part II follow up that describes the me


BACKDOOR OFFICE 365 AND ACTIVE DIRECTORY - GOLDEN SAML


September 02, 2021
Backdoors can bypass all MFA requirements put in place by an organisation.
Earlier this year, I worked an engagement with an APT group that had a keen
interest in the client’s Office 365 environment, where this group found a way to
bypass authentication controls to access the environment. Given that most
clients either have a hybrid authentication model set up or are fully in the
cloud – I think it’s important that most blue teams / defenders / hunters are
aware of the various techniques threat actors are using against Azure AD.
Compromise of the AD FS server token-signing certificate could result in access
to the Azure/Office365 environment by the attacker. By default, this certificate
is valid for a year and will allow an attacker to log into Azure/Office365 as
any user within AD regardless of any password resets and MFA. The implication of
this is that the attacker maintains persistence and has a means to re-enter
the environment, escaping detection. This blog post will cover


HOW TO BUILD A CRYPTO TOKEN IN UNDER 10 MINUTES (ECR-20)


May 15, 2021
With the rise of Doge and other Ethereum based tokens (NFTs, $UNI, $LINK....) I
figure there would be many people wanting to learn how to use Solidity to build
their own meme (or non-meme) tokens. This blog post will show you step-by-step
how to do this within 10 minutes.  If you find this content helpful, please feel
free to send me some DOGE @  DRwU8cc4F5MsC9egz2yKfqCFUQr5VpMQ51.  What is a
token? Crypto "coins" like Bitcoin (BTC) are generally used as "money" or a unit
of value and are stored on the coin-specific blockchain. Tokens are built on
these existing blockchains (on top of the Ethereum/Neo/etc blockchain). This
blog post will be showing you how to build an Ethereum-based token (ECR-20).
Tokens are most commonly used with a dApp (decentralised application). For
example, with Enjin, you can use your tokens to purchase in-game assets on the
virtual marketplace. These can be characters, plots of land or assets like trees
or other digital assets. NFTs are us


FORENSIC ANALYSIS OF ANYDESK LOGS


February 10, 2021
Most threat actors during ransomware incidents utilise some type of remote
access tool - one of them being AnyDesk. This is a free remote access tool that
threat actors download onto hosts to access them easily and also for
bidirectional file transfer. There are two locations where AnyDesk logs are
stored on the Windows file system:

 * %programdata%\AnyDesk\ad_svc.trace
 * %appdata%\Anydesk\ad.trace

The AnyDesk logs can be found under the appdata located within each user's
directory where the tool has been installed. Forensic analysis of these logs
reveals interesting pieces of information inside the "ad.trace" log:

 * Remote IP where the actor connected from
 * File transfer activity

Locating the Remote IP Connecting to AnyDesk

Inside the "ad.trace" log you can grep for the following term "External
address" and this should reveal the following line pasted below. I have
redacted the IP for privacy's sake:

info 2021-02-04 23:25:10.500       lsvc   9988  



SUCCESSFUL 4624 ANONYMOUS LOGONS TO WINDOWS SERVER FROM EXTERNAL IPS?


April 30, 2020
If you see successful 4624 event logs that look a little something like this in
your Event Viewer showing an ANONYMOUS LOGON, an external IP (usually from
Russia, Asia, USA, Ukraine) with an authentication package of NTLM, NTLMSSP,
don't be alarmed - this is not an indication of a successful logon+access of
your system even though it's logged as a 4624. If your server has RDP or SMB
open publicly to the internet you may see a suite of these logs on your server's
event viewer. Although these are showing up as Event ID 4624 (which generally
correlates to successful logon events), these are NOT successful access to the
system without a correlating Event ID 4624 showing up with an Account Name
\\domain\username and a type 10 logon code for RDP or a type 3 for SMB. You can
double check this by looking at 4625 events for a failure, within a similar time
range to the logon event for confirmation. The reason for this is that when a
user initiates an RDP or SMB c


NEW PYROGENIC JAR-BASED MALWARE CAMPAIGN - INDICATORS OF COMPROMISE


November 08, 2019
A new JAR-based phishing campaign has been seen delivered to Australian
companies with the intent of stealing Office 365 account passwords as well as
passwords stored in the browser. This campaign appears to have first occurred
late September 2019 - November 2019.

Initial Infection

This campaign is delivered via a phishing email to corporate account users with
an image of a PDF file which contains an embedded hyperlink. If a user clicks on
the image of the PDF they are taken to the first C2 domain - in this instance it
was https://caygionghocviennongnghiep1.com/FRA.html, which resulted in a
download of the malicious JAR file 'BankPaymAdviceVend_LLCRep.jar' to the
downloads folder. User interaction is then required in order to execute the
malware. Once execution occurs, the following process chain occurs where
javaw.exe is spawned. The javaw.exe process is stopped in memory and two DLLs
are dropped into the AppData/Local/TEMP folder, loaded and then de


MALWARE ANALYSIS: SLINGSHOT APT EXPOSED FROM 6 YEARS OF HIDING


March 13, 2018
Designed for cyber espionage, Slingshot APT (Advanced Persistent Threat) has
hidden from researchers for over 6 years and has infected at least 100 hosts
worldwide in the Middle East and Africa. The malware used exploits on Mikrotik
routers and has been listed as one of the most sophisticated attacks discovered,
rivalling Project Sauron (nation-state funded malware) and Regin (the malware
that infiltrated Proximus Group). Due to the sophisticated nature of Slingshot
APT, Kaspersky Labs' report suspects the malware has received significant
resource and financial backing and was the result of a highly-targeted attack
plan. Slingshot APT is able to log user data, collect open windows, keystrokes
and network data among other functionalities. Slingshot APT works by replacing a
legitimate Windows DLL (scesrv.dll or spoolsv.exe) related to the Virtual File
System with a malicious one. There are two embedded loaders in Slingshot; in the
case of the first loader failing, the second loade
MY BOOK

 * How to get a job in cybersecurity earning over six figures : Zero to Cyber
   Hero



LINA LAU

Principal IR Consultant @ Secureworks
formerly ANZ IR Lead @ Accenture.

Blogging about APTs, TTPs and all things tech


BLOG ARCHIVE

 * September 2021 (2)
 * May 2021 (1)
 * February 2021 (1)
 * April 2020 (1)
 * November 2019 (1)
 * March 2018 (1)
 * December 2017 (1)
 * October 2017 (2)
 * June 2017 (2)
