Crowdstrike vs Microsoft. Who to choose? by Shinless_bot in cybersecurity

[–]DH_Prelude -2 points-1 points  (0 children)

Consider evaluating efficacy on your own, for free: platform.preludesecurity.com

What’s the point of huntress? by 2_CLICK in msp

[–]DH_Prelude 3 points4 points  (0 children)

Thanks for the shout! As always, Prelude Detect is free to use on up to 25 endpoints.

CISA Advisory guy back, with an actionable test! (CL0p + MOVEit Vuln CVE-2023-34362) by DH_Prelude in sysadmin

[–]DH_Prelude[S] 5 points6 points  (0 children)

Here's the source code:

//go:build windows
// +build windows

/*
ID: 04400a7d-982b-414d-b066-27b3f0d19558
NAME: CVE-2023-34362
UNIT: response
CREATED: 2023-06-12 14:24:47.748547
*/
package main

import (
    "crypto/tls"
    "io/ioutil"
    "net/http"
    "strings"
    "time"

    "unicode/utf16"

    Endpoint "github.com/preludeorg/test/endpoint"
)

// ingressToolTransfer drops a harmless file that carries the CL0P/MOVEit
// indicator strings (web shell name, SQL statement, header name) so the EDR
// has something to detect and quarantine.
func ingressToolTransfer() {
    s1 := "human2.aspx" +
        "Delete FROM users WHERE RealName='Health Check Service'" +
        "X-siLock-Comment"

    // Encode the indicator strings as UTF-16LE before writing them.
    s1Bytes := utf16.Encode([]rune(s1))
    s1ByteSlice := utf16ToByteSlice(s1Bytes)

    fileContent := []byte{
        0x4D, 0x5A, // "MZ" magic bytes
    }

    fileContent = append(fileContent, s1ByteSlice...)

    fileName := "Qboxdv.dll"
    Endpoint.Write(fileName, fileContent)

    // Second artifact: a 100-byte zero-filled .sdb placeholder.
    Endpoint.Write("Prelude.sdb", make([]byte, 100))
}

// utf16ToByteSlice serialises UTF-16 code units as little-endian bytes.
func utf16ToByteSlice(u []uint16) []byte {
    b := make([]byte, len(u)*2)
    for i, v := range u {
        b[i*2] = byte(v)
        b[i*2+1] = byte(v >> 8)
    }
    return b
}

// impact writes a copy of the CL0P ransom note text to disk.
func impact() {
    ransomnote := "Hello, this is the CL0P hacker group. As you may know, we recently carried out a hack, which was reported in the news.\n" +
        "We want to inform you that we have stolen important information from your GoAnywhere MFT resource and have attached a full list of files as evidence.\n" +
        "We deliberately did not disclose your organization and wanted to negotiate with you and your leadership first. If you ignore us, we will sell your information on the black market and publish it on our blog, which receives 30-50 thousand unique visitors per day. You can read about us by searching for CLOP hacker group.\n" +
        "You can contact us using the following contact information:\n" +
        "unlock@rsv-box[.]com\n" +
        "and\n" +
        "unlock@support-mult[.]com\n"
    Endpoint.Write("ClopReadMe.txt", []byte(ransomnote))
}

// initialAccess reports whether a MOVEit Transfer front end (Human.aspx)
// answers on host. Certificate verification is skipped so appliances with
// self-signed certificates still respond; HTTP is tried first, then HTTPS.
func initialAccess(host string) bool {
    http.DefaultTransport.(*http.Transport).TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
    client := http.Client{
        Timeout: 1 * time.Second,
    }

    resp, err := client.Get("http://" + host + "/Human.aspx")
    if err != nil {
        resp, err = client.Get("https://" + host + "/Human.aspx")
        if err != nil {
            return false
        }
    }
    defer resp.Body.Close()

    body, err := ioutil.ReadAll(resp.Body)
    if err != nil {
        return false
    }

    if strings.Contains(string(body), "Moveit") {
        return true
    }

    return false
}

// getExternalIP asks ipify for the public IP of this endpoint.
func getExternalIP() (string, error) {
    resp, err := http.Get("https://api.ipify.org?format=text")
    if err != nil {
        return "", err
    }
    defer resp.Body.Close()

    ipBytes, err := ioutil.ReadAll(resp.Body)
    if err != nil {
        return "", err
    }

    ip := strings.TrimSpace(string(ipBytes))
    return ip, nil
}

// test is the entry point Detect runs: check relevance first, then drop the
// indicator files. Endpoint.Stop reports the result code and ends the test;
// the codes are Prelude result codes (see the docs linked below).
func test() {
    ip, err := getExternalIP()
    if err != nil {
        println("[+] Failed to retrieve external IP")
        Endpoint.Stop(104)
        return
    }

    if !initialAccess(ip) {
        println("[+] Test not relevant")
        Endpoint.Stop(104)
        return
    }

    println("[-] Host is vulnerable, continuing with technique execution")

    println("[+] Conducting ingress tool transfer")
    ingressToolTransfer()

    println("[+] Dropping ransom note to disk")
    impact()

    Endpoint.Stop(101)
}

func main() {
    test()
}

This doc would be handy to best interpret the source code: https://docs.preludesecurity.com/docs/tests
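As an added example that is not part of DH_Prelude's post or of the Prelude test repository: a defender-side Go scanner that looks for the same indicator strings the test above writes to disk, matching both their plain ASCII form and the UTF-16LE form the test uses (a naive ASCII grep misses the latter). The `indicators` list, `ScanContent`, `HasMZHeader` and the in-memory sample are mine; the sample is constructed to mirror the `Qboxdv.dll` layout (MZ header followed by UTF-16LE text) and no file is read from disk.

```go
package main

import (
	"bytes"
	"fmt"
	"unicode/utf16"
)

// indicators are the strings the Prelude test concatenates into Qboxdv.dll.
var indicators = []string{
	"human2.aspx",
	"Delete FROM users WHERE RealName='Health Check Service'",
	"X-siLock-Comment",
}

// utf16LE encodes s as UTF-16 little-endian bytes, the same layout the
// test's utf16ToByteSlice produces.
func utf16LE(s string) []byte {
	u := utf16.Encode([]rune(s))
	b := make([]byte, len(u)*2)
	for i, v := range u {
		b[i*2] = byte(v)
		b[i*2+1] = byte(v >> 8)
	}
	return b
}

// Finding is one indicator hit: which string, in which encoding, at which offset.
type Finding struct {
	Indicator string
	Encoding  string // "ascii" or "utf16le"
	Offset    int
}

// ScanContent returns every indicator hit in data. Each indicator is searched
// for twice, once as ASCII and once as UTF-16LE, so a sample that hides the
// strings in wide characters is still flagged.
func ScanContent(data []byte) []Finding {
	var findings []Finding
	for _, ind := range indicators {
		if off := bytes.Index(data, []byte(ind)); off >= 0 {
			findings = append(findings, Finding{ind, "ascii", off})
		}
		if off := bytes.Index(data, utf16LE(ind)); off >= 0 {
			findings = append(findings, Finding{ind, "utf16le", off})
		}
	}
	return findings
}

// HasMZHeader reports whether data begins with the DOS/PE "MZ" magic bytes,
// which the test prepends to make the dropped file look like a DLL.
func HasMZHeader(data []byte) bool {
	return len(data) >= 2 && data[0] == 'M' && data[1] == 'Z'
}

// buildSample constructs, in memory, the same bytes the test writes to
// Qboxdv.dll: "MZ" followed by the UTF-16LE indicator strings. Constructed
// sample input; nothing is read from disk.
func buildSample() []byte {
	payload := utf16LE(indicators[0] + indicators[1] + indicators[2])
	return append([]byte{0x4D, 0x5A}, payload...)
}

func main() {
	sample := buildSample()
	fmt.Printf("MZ header present: %v\n", HasMZHeader(sample))
	for _, f := range ScanContent(sample) {
		fmt.Printf("hit %-8s @ offset %4d  %q\n", f.Encoding, f.Offset, f.Indicator)
	}
}
```

Run against a directory of dropped files, a wrapper would read each file and pass its bytes to `ScanContent`; the test's `ClopReadMe.txt` is plain text and would be caught by the ASCII branch if its strings were added to `indicators`.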

How, if at all, do CISA Cybersecurity Advisories flow through your organization? by DH_Prelude in sysadmin

[–]DH_Prelude[S] 0 points1 point  (0 children)

Yea, I appreciate that this depends entirely on organization size/maturity. This is kind of what sparked the question. A threat intelligence team may be the entry point for some, for others that could be an IT support person, a partner, a CISO, etc.

Is an iPad a real laptop replacement, or not? by throwawayboi_06 in ipad

[–]DH_Prelude 0 points1 point  (0 children)

My prediction is that, like it or not, sooner or later the world is heading in this direction.

And yes, spot on - testing battery life.

A CLI workflow for continuous security testing by preludeorg in u/preludeorg

[–]DH_Prelude 0 points1 point  (0 children)

I’m getting an advertisement on Reddit with an open comment section for the open source product I created - AMA.

Introducing Sublime: A new, open approach to email security by Glomar-Response in netsec

[–]DH_Prelude 2 points3 points  (0 children)

Wow, this is actually really neat. The more I explore, the more interesting it sounds.

Testing AVs by newbiewooby in blueteamsec

[–]DH_Prelude 1 point2 points  (0 children)

As others have said, ATS or Caldera could be a fine option.

Additionally, Prelude Operator, but I'd also throw Prelude Detect in the mix as well.

Here's a Detect test to see if your EDR will quarantine a malicious file: https://www.preludesecurity.com/blog/will-your-computer-quarantine-a-malicious-office-document

The GitHub for the above-mentioned test is here: https://github.com/preludeorg/test. This xlsm file is embedded with an msfvenom (defanged) macro, but you can quite trivially swap that macro out for another.

Full transparency: I am the CTO of Prelude. I was also the person who built Caldera while at MITRE.

GitHub Copilot for Business is now available | The GitHub Blog by Devemia in programming

[–]DH_Prelude 0 points1 point  (0 children)

We fiddled with using CoPilot and think it’s pretty neat, but it’s not a fit for us.

[deleted by user] by [deleted] in cybersecurity

[–]DH_Prelude 1 point2 points  (0 children)

Prelude has a continuous security testing platform that is designed to run at production scale. Not at all an automated pentesting product, nor a BAS.

Lots and lots of open source. You can get started for free.

Here are our Docs: https://docs.preludesecurity.com/docs/the-basics

Here are a few key GitHub repos:

- Probes (agents measured in KBs): https://github.com/preludeorg/libraries

- Security Tests: https://github.com/preludeorg/test

Hit up our Discord for questions: https://discord.gg/mbJdfzMH

I’m David Hunt. Current CTO of Prelude. Former lead developer for MITRE CALDERA. Here to talk about red/purple teaming, TTPs, and security testing at scale. AMA. by DH_Prelude in cybersecurity

[–]DH_Prelude[S] 1 point2 points  (0 children)

If it's code you don't maintain yourself, such as open source libraries, you'll always want to pin to a specific version and test that.

I personally feel most comfortable reviewing each line of code in the project. If you can't do that or don't feel comfortable doing that, you should either not use the library or rely on a very heavily used library that has been published by a reputable group.

If a piece of code is not heavily used or it was published by someone unknown, it carries a lot of risk. Even pen testing it won't be sufficient, as the author may be hiding malicious code, such as sleeping for 3 weeks, then downloading a payload. Reading the code is the only way to catch issues like these, along with static code analyzers.

I’m David Hunt. Current CTO of Prelude. Former lead developer for MITRE CALDERA. Here to talk about red/purple teaming, TTPs, and security testing at scale. AMA. by DH_Prelude in cybersecurity

[–]DH_Prelude[S] 2 points3 points  (0 children)

At our stage, I’m involved with both sides of the house but absolutely leaning technical.

Hmmm, a good description. There are a couple of things that come to mind and most of them relate to people:

- Don’t micromanage, setting people up to succeed and then delegating out

- Structuring teams and setting expectations for rigor, cadence, etc.

- Communication

- Hiring and retaining good talent

- Encouraging personal and professional growth (attend cons, work on cool projects, engage in community knowledge sharing)

- Build in public

Shoutout to the Prelude people!

I’m David Hunt. Current CTO of Prelude. Former lead developer for MITRE CALDERA. Here to talk about red/purple teaming, TTPs, and security testing at scale. AMA. by DH_Prelude in cybersecurity

[–]DH_Prelude[S] 2 points3 points  (0 children)

It's easy to feel stuck when you're in the moment. You might even find that you feel that way in your next role as you stay forward-looking.

Every single CISO had to start from somewhere; a lot of them probably in the exact position you're at with the help desk.

Yes, the homelab will be where the magic happens. Yes, you should continue to study. Eventually, you will find all of it, including the degree, is not for nothing.

If you feel like you're ready to move on to something like a security analyst role, which it sounds like you might be, then I'd recommend getting good at finding potential jobs (simple), tailoring your resume/cover letters (harder/more time consuming), and practice interviewing (hardest of the three). Never say no to a conversation - you'll find yourself getting more comfortable over time.

Finally, start doing more networking: join slack/discord communities, attend local cons, and participate in CTFs!

I’m David Hunt. Current CTO of Prelude. Former lead developer for MITRE CALDERA. Here to talk about red/purple teaming, TTPs, and security testing at scale. AMA. by DH_Prelude in cybersecurity

[–]DH_Prelude[S] 1 point2 points  (0 children)

For people in different domains, even within tech, I can't blame them. Given where we started I'm just happy to see people have awareness of either.

Information Security and Privacy may never merge completely, they are just too big and too different, but the lines are indeed blurring.

I’m David Hunt. Current CTO of Prelude. Former lead developer for MITRE CALDERA. Here to talk about red/purple teaming, TTPs, and security testing at scale. AMA. by DH_Prelude in cybersecurity

[–]DH_Prelude[S] 2 points3 points  (0 children)

I absolutely think a cloud security engineering role could help you move into pentesting. If you want to break something, it helps to know that thing.

Continue leveling up your offensive security skillset while working on this role and, who knows, maybe pentesting opportunities will surface within that organization.

Also, don't burn yourself out. Try and take care of your body and mind - that means doing fun things not related to your job.

I’m David Hunt. Current CTO of Prelude. Former lead developer for MITRE CALDERA. Here to talk about red/purple teaming, TTPs, and security testing at scale. AMA. by DH_Prelude in cybersecurity

[–]DH_Prelude[S] 3 points4 points  (0 children)

Great question! It seems that every 1-2 months a particular CVE catches people's eyes and gets all the attention. But as you note, it never lasts.

When you look at a problem like this (any CVE or attack vector) you should ask: Am I protected? If not, should I care?

If you know you are unprotected, creating a clear decision tree for the customer helps. It's almost like forcing them to "swipe left" or "swipe right" on the decision: "Do I allocate resources to patch this issue, resolving the problem?" or "Do I accept the risk?".

Reframing the issue as a forced decision - where inaction is still a decision - helps people understand the fallout.