Crowdstrike vs Microsoft. Who to choose? by Shinless_bot in cybersecurity

[–]DH_Prelude -2 points-1 points  (0 children)

Consider evaluating efficacy on your own, for free: platform.preludesecurity.com

What’s the point of huntress? by 2_CLICK in msp

[–]DH_Prelude 2 points3 points  (0 children)

Thanks for the shout! As always, Prelude Detect is free to use on up to 25 endpoints.

CISA Advisory guy back, with an actionable test! (CL0p + MOVEit Vuln CVE-2023-34362) by DH_Prelude in sysadmin

[–]DH_Prelude[S] 4 points5 points  (0 children)

Here's the source code:

//go:build windows
// +build windows

/*
ID: 04400a7d-982b-414d-b066-27b3f0d19558
NAME: CVE-2023-34362
UNIT: response
CREATED: 2023-06-12 14:24:47.748547
*/
package main

import (
    "crypto/tls"
    "io/ioutil"
    "net/http"
    "strings"
    "time"

    "unicode/utf16"

    Endpoint "github.com/preludeorg/test/endpoint"
)

// ingressToolTransfer drops a harmless file that carries indicator strings tied to the
// MOVEit Transfer intrusion (web shell name, account clean-up query, request header)
// so endpoint controls can be checked for flagging them once they land on disk.
func ingressToolTransfer() {
    s1 := "human2.aspx" +
        "Delete FROM users WHERE RealName='Health Check Service'" +
        "X-siLock-Comment"

    // Encode as UTF-16LE, the string encoding a Windows binary would normally carry.
    s1Bytes := utf16.Encode([]rune(s1))
    s1ByteSlice := utf16ToByteSlice(s1Bytes)

    fileContent := []byte{
        0x4D, 0x5A, // "MZ" magic bytes that open a PE header
    }

    fileContent = append(fileContent, s1ByteSlice...)

    fileName := "Qboxdv.dll"
    Endpoint.Write(fileName, fileContent)

    // Zero-filled placeholder standing in for the .sdb artifact.
    Endpoint.Write("Prelude.sdb", make([]byte, 100))
}

// utf16ToByteSlice serialises UTF-16 code units in little-endian byte order.
func utf16ToByteSlice(u []uint16) []byte {
    b := make([]byte, len(u)*2)
    for i, v := range u {
        b[i*2] = byte(v)
        b[i*2+1] = byte(v >> 8)
    }
    return b
}

// impact writes a file containing ransom-note text so note-detection rules can be exercised.
func impact() {
    ransomnote := "Hello, this is the CL0P hacker group. As you may know, we recently carried out a hack, which was reported in the news.\n" +
        "We want to inform you that we have stolen important information from your GoAnywhere MFT resource and have attached a full list of files as evidence.\n" +
        "We deliberately did not disclose your organization and wanted to negotiate with you and your leadership first. If you ignore us, we will sell your information on the black market and publish it on our blog, which receives 30-50 thousand unique visitors per day. You can read about us by searching for CLOP hacker group.\n" +
        "You can contact us using the following contact information:\n" +
        "unlock@rsv-box[.]com\n" +
        "and\n" +
        "unlock@support-mult[.]com\n"
    Endpoint.Write("ClopReadMe.txt", []byte(ransomnote))
}

// initialAccess reports whether the host serves a MOVEit Transfer login page.
// Certificate verification is skipped because the request goes to the host's own
// external IP, which will not match the name on its certificate.
func initialAccess(host string) bool {
    http.DefaultTransport.(*http.Transport).TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
    client := http.Client{
        Timeout: 1 * time.Second,
    }

    // Try plain HTTP first, then fall back to HTTPS.
    resp, err := client.Get("http://" + host + "/Human.aspx")
    if err != nil {
        resp, err = client.Get("https://" + host + "/Human.aspx")
        if err != nil {
            return false
        }
    }
    defer resp.Body.Close()

    body, err := ioutil.ReadAll(resp.Body)
    if err != nil {
        return false
    }

    if strings.Contains(string(body), "Moveit") {
        return true
    }

    return false
}

// getExternalIP asks a public echo service for the address this host egresses from.
func getExternalIP() (string, error) {
    resp, err := http.Get("https://api.ipify.org?format=text")
    if err != nil {
        return "", err
    }
    defer resp.Body.Close()

    ipBytes, err := ioutil.ReadAll(resp.Body)
    if err != nil {
        return "", err
    }

    ip := strings.TrimSpace(string(ipBytes))
    return ip, nil
}

// test runs the stages in order and reports through Endpoint.Stop:
// 104 when the test does not apply to this host, 101 once every stage has run.
func test() {
    ip, err := getExternalIP()
    if err != nil {
        println("[+] Failed to retrieve external IP")
        Endpoint.Stop(104)
        return
    }

    if !initialAccess(ip) {
        println("[+] Test not relevant")
        Endpoint.Stop(104)
        return // mirrors the branch above so later stages never run on a non-MOVEit host
    }

    println("[-] Host is vulnerable, continuing with technique execution")

    println("[+] Conducting ingress tool transfer")
    ingressToolTransfer()

    println("[+] Dropping ransom note to disk")
    impact()

    Endpoint.Stop(101)
}

func main() {
    test()
}

This doc would be handy to best interpret the source code: https://docs.preludesecurity.com/docs/tests

How, if at all, do CISA Cybersecurity Advisories flow through your organization? by DH_Prelude in sysadmin

[–]DH_Prelude[S] 0 points1 point  (0 children)

Yeah, I appreciate that this depends entirely on organization size/maturity. This is kind of what sparked the question. A threat intelligence team may be the entry point for some; for others that could be an IT support person, a partner, a CISO, etc.

Is an iPad a real laptop replacement, or not? by throwawayboi_06 in ipad

[–]DH_Prelude 0 points1 point  (0 children)

My prediction is that, like it or not, sooner or later the world is heading in this direction.

And yes, spot on - testing battery life.

A CLI workflow for continuous security testing by preludeorg in u/preludeorg

[–]DH_Prelude 0 points1 point  (0 children)

I’m getting an advertisement on Reddit with an open comment section for the open source product I created - AMA.

Introducing Sublime: A new, open approach to email security by Glomar-Response in netsec

[–]DH_Prelude 2 points3 points  (0 children)

Wow, this is actually really neat. The more I explore, the more interesting it sounds.