
Why should you consider a purple team? What can you gain from it, and how do you make it work for your organization?
Threat actors frequently target ESXi servers to disrupt business environments and deploy ransomware to encrypt datastores. Stroz Friedberg’s proprietary ESXi log parsing tool Quick ESXi Log Parser (“QELP”) can assist analysts with gaining insights about interesting events unfolding on ESXi servers.
A new parsing tool for Jenkins® configuration files from Stroz Friedberg Digital Forensics and Incident Response enables efficient forensic examination during investigations.
As the cyber threat landscape changes due to the introduction of new threat surfaces from AI-driven solutions, the ever-increasing sophistication of attacks, and pressure from regulatory bodies, increased collaboration is required within organizations to prioritize the most critical security initiatives.
Introduction to Industrial Cybersecurity. Industrial control systems are crucial for managing critical infrastructure. The growth of Industry 4.0 and Industrial Internet of Things (IIoT) heightens the vulnerability of these systems to cyber threats.
The Mounted Guest EDR Bypass is a tactic used in cyber attacks to evade Endpoint Detection and Response (EDR) protections. This method involves removing EDR program files from a defenseless guest system on a hypervisor, enabling the deployment of ransomware without detection.
Combining forces between the Chief Information Security Officer and the Chief Risk Officer may better prepare your business for cyber challenges and provide a comprehensive insight into the exposures of the business.
The Retrosigned Driver EDR Bypass is a novel modification of a technique employed by multiple ransomware groups to bypass EDR and limit visibility into malicious actions by abusing expired code signing certificates to load malicious kernel drivers.
Introducing DNSForge, a novel attacker tactic for responding to name resolution requests made to the authoritative DNS server in an internal network landscape, achieving interception and reuse of system credentials without user interaction.
Stroz Friedberg identified a stealthy malware, dubbed “sedexp,” utilizing Linux udev rules to achieve persistence and evade detection. This advanced threat, active since 2022, hides in plain sight while providing attackers with reverse shell capabilities and advanced concealment tactics.
CVE-2024-30213, CVE-2024-31947: Blind Operating System Command Injection and Path Traversal in StoneFly Storage Concentrator
This article provides an AI adoption approach for technology leaders charged with this potentially risky decision. We provide an overview of strategic approaches for consideration, beyond mere technological implementation.
This client alert provides an overview of the current global IT outage that is related to a CrowdStrike update. We provide an overview of CrowdStrike's response and guidance, and Aon Cyber Solutions' recommendations for affected clients.
This blog post discusses tradecraft improvements and how the same pipeline can be used for initial access.
This blog post discusses new hashcat rule sets designed to crack passwords with minimum length and character class constraints, resulting in improved performance.
This blog post introduces the concept of DUALITY, which is a methodology and pipeline for backdooring multiple DLLs on the fly so they are able to re-infect each other if infections are lost due to program updates.
This blog post demonstrates the use of Restricted Admin mode to circumvent MFA in RDP as a red team tactic.
Discovering Effluence, a unique web shell accessible on every page of an infected Confluence
This blog post explains how flash loans work, their history, and their role in smart contract attacks. We then explore the first major flash loan attack, discuss current threats, and offer security best practices to prevent them.
This client advisory provides an overview of techniques and tactics attributed to a financially motivated criminal group that is actively targeting organizations across various industries.